Merge branch 'dev' of https://github.com/AFLplusplus/AFLplusplus into dev

2025-06-15 11:28:08 +00:00 · 2021-03-18 01:37:40 -07:00
parent 62508c3b44 94312796f9
commit c397becd81
431 changed files with 59475 additions and 21263 deletions
--- a/.custom-format.py
+++ b/.custom-format.py
@ -29,30 +29,30 @@ CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
 if CLANG_FORMAT_BIN is None:
    o = 0
    try:
-        p = subprocess.Popen(["clang-format-10", "--version"], stdout=subprocess.PIPE)
+        p = subprocess.Popen(["clang-format-11", "--version"], stdout=subprocess.PIPE)
        o, _ = p.communicate()
        o = str(o, "utf-8")
        o = re.sub(r".*ersion ", "", o)
-        #o = o[len("clang-format version "):].strip()
+        # o = o[len("clang-format version "):].strip()
-        o = o[:o.find(".")]
+        o = o[: o.find(".")]
        o = int(o)
    except:
-        print ("clang-format-10 is needed. Aborted.")
+        print("clang-format-11 is needed. Aborted.")
        exit(1)
-    #if o < 7:
+    # if o < 7:
    #    if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-7'
    #    elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-8'
    #    elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-9'
-    #    elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
+    #    elif subprocess.call(['which', 'clang-format-11'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-10'
+    #        CLANG_FORMAT_BIN = 'clang-format-11'
    #    else:
    #        print ("clang-format 7 or above is needed. Aborted.")
    #        exit(1)
    else:
-        CLANG_FORMAT_BIN = 'clang-format-10'
+        CLANG_FORMAT_BIN = "clang-format-11"
 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):
@ -72,23 +72,44 @@ def custom_format(filename):
    for line in src.split("\n"):
        if line.lstrip().startswith("#"):
-            if line[line.find("#")+1:].lstrip().startswith("define"):
+            if line[line.find("#") + 1 :].lstrip().startswith("define"):
                in_define = True
-        if "/*" in line and not line.strip().startswith("/*") and line.endswith("*/") and len(line) < (COLUMN_LIMIT-2):
+        if (
            "/*" in line
            and not line.strip().startswith("/*")
            and line.endswith("*/")
            and len(line) < (COLUMN_LIMIT - 2)
        ):
            cmt_start = line.rfind("/*")
-            line = line[:cmt_start] + " " * (COLUMN_LIMIT-2 - len(line)) + line[cmt_start:]
+            line = (
                line[:cmt_start]
                + " " * (COLUMN_LIMIT - 2 - len(line))
                + line[cmt_start:]
            )
        define_padding = 0
        if last_line is not None and in_define and last_line.endswith("\\"):
            last_line = last_line[:-1]
-            define_padding = max(0, len(last_line[last_line.rfind("\n")+1:]))
+            define_padding = max(0, len(last_line[last_line.rfind("\n") + 1 :]))
-        if last_line is not None and last_line.strip().endswith("{") and line.strip() != "":
+        if (
            last_line is not None
            and last_line.strip().endswith("{")
            and line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-        elif last_line is not None and last_line.strip().startswith("}") and line.strip() != "":
+        elif (
            last_line is not None
            and last_line.strip().startswith("}")
            and line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-        elif line.strip().startswith("}") and last_line is not None and last_line.strip() != "":
+        elif (
            line.strip().startswith("}")
            and last_line is not None
            and last_line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
        if not line.endswith("\\"):
@ -97,14 +118,15 @@ def custom_format(filename):
        out += line + "\n"
        last_line = line
-    return (out)
+    return out
 args = sys.argv[1:]
 if len(args) == 0:
-    print ("Usage: ./format.py [-i] <filename>")
+    print("Usage: ./format.py [-i] <filename>")
-    print ()
+    print()
-    print (" The -i option, if specified, let the script to modify in-place")
+    print(" The -i option, if specified, let the script to modify in-place")
-    print (" the source files. By default the results are written to stdout.")
+    print(" the source files. By default the results are written to stdout.")
    print()
    exit(1)
@ -120,4 +142,3 @@ for filename in args:
            f.write(code)
    else:
        print(code)
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,65 @@
 .test
 .test2
 .sync_tmp
 *.o
 *.so
 *.pyc
 *.dSYM
 as
 ld
 in
 out
 core*
 afl-analyze
 afl-as
 afl-clang
 afl-clang\+\+
 afl-clang-fast
 afl-clang-fast\+\+
 afl-clang-lto
 afl-clang-lto\+\+
 afl-fuzz
 afl-g\+\+
 afl-gcc
 afl-gcc-fast
 afl-g\+\+-fast
 afl-gotcpu
 afl-ld
 afl-ld-lto
 afl-qemu-trace
 afl-showmap
 afl-tmin
 afl-analyze.8
 afl-as.8
 afl-clang-fast\+\+.8
 afl-clang-fast.8
 afl-clang-lto.8
 afl-clang-lto\+\+.8
 afl-cmin.8
 afl-cmin.bash.8
 afl-fuzz.8
 afl-gcc.8
 afl-gcc-fast.8
 afl-g\+\+-fast.8
 afl-gotcpu.8
 afl-plot.8
 afl-showmap.8
 afl-system-config.8
 afl-tmin.8
 afl-whatsup.8
 qemu_mode/libcompcov/compcovtest
 qemu_mode/qemu-*
 unicorn_mode/samples/*/\.test-*
 unicorn_mode/samples/*/output
 unicorn_mode/unicornafl
 test/unittests/unit_maybe_alloc
 test/unittests/unit_preallocable
 test/unittests/unit_list
 test/unittests/unit_rand
 test/unittests/unit_hash
 examples/afl_network_proxy/afl-network-server
 examples/afl_network_proxy/afl-network-client
 examples/afl_frida/afl-frida
 examples/afl_frida/libtestinstr.so
 examples/afl_frida/frida-gum-example.c
 examples/afl_frida/frida-gum.h
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,31 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ''
 labels: ''
 assignees: ''
 ---
 **IMPORTANT**
 1. You have verified that the issue to be present in the current `dev` branch
 2. Please supply the command line options and relevant environment variables, e.g. a copy-paste of the contents of `out/default/fuzzer_setup`
 Thank you for making afl++ better!
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. ...
 2. ...
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screen output/Screenshots**
 If applicable, add copy-paste of the screen output or screenshot that shows the issue. Please ensure the output is in **English** and not in Chinese, Russian, German, etc.
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,20 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: ''
 labels: ''
 assignees: ''
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/build_aflplusplus_docker.yaml
+++ b/.github/workflows/build_aflplusplus_docker.yaml
@ -0,0 +1,27 @@
 name: Publish Docker Images
 on:
  push:
    branches: [ stable ]
    paths:
    - Dockerfile
  pull_request:
    branches: [ stable ]
    paths:
    - Dockerfile
 jobs:
  push_to_registry:
    name: Push Docker images to Dockerhub
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Login to Dockerhub
      uses: docker/login-action@v1
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_TOKEN }}
    - name: Publish aflpp to Registry
      uses: docker/build-push-action@v2
      with:
        context: .
        push: true
        tags: aflplusplus/aflplusplus:latest
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,28 @@
 name: CI
 on:
  push:
    branches: [ stable, dev ]
 #  pull_request:
 #    branches: [ stable, dev ]
 jobs:
  build:
    runs-on: '${{ matrix.os }}'
    strategy:
      matrix:
        os: [ubuntu-20.04, ubuntu-18.04]
    steps:
      - uses: actions/checkout@v2
      - name: debug
        run: apt-cache search plugin-dev | grep gcc- ; echo ; apt-cache search clang-format- | grep clang-format-
      - name: install packages
        run: sudo apt-get install -y -m -f --install-suggests build-essential git libtool libtool-bin automake bison libglib2.0-0 clang llvm-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools
      - name: compiler installed
        run: gcc -v ; echo ; clang -v
      - name: install gcc plugin
        run: sudo apt-get install -y -m -f --install-suggests $(readlink /usr/bin/gcc)-plugin-dev
      - name: build afl++
        run: make distrib ASAN_BUILD=1
      - name: run tests
        run: sudo -E ./afl-system-config ; export AFL_SKIP_CPUFREQ=1 ; make tests
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,32 @@
 name: "CodeQL"
 on:
  push:
    branches: [ stable, dev ]
 #  pull_request:
 #    branches: [ stable, dev ]
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp' ]
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
    - name: Autobuild
      uses: github/codeql-action/autobuild@v1
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/rust_custom_mutator.yml
+++ b/.github/workflows/rust_custom_mutator.yml
@ -0,0 +1,30 @@
 name: Rust Custom Mutators
 on:
  push:
    branches: [ stable, dev ]
  pull_request:
    branches: [ stable, dev ]
 jobs:
  test:
    name: Test Rust Custom Mutator Support
    runs-on: '${{ matrix.os }}'
    defaults:
      run:
        working-directory: custom_mutators/rust
    strategy:
      matrix:
        os: [ubuntu-20.04]
    steps:
      - uses: actions/checkout@v2
      - name: Install Rust Toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: Check Code Compiles
        run: cargo check
      - name: Run General Tests
        run: cargo test
      - name: Run Tests for afl_internals feature flag
        run: cd custom_mutator && cargo test --features=afl_internals
--- a/.gitignore
+++ b/.gitignore
@ -1,15 +1,19 @@
 .test
 .test2
 .sync_tmp
 .vscode
 *.o
 *.so
 *.swp
 *.pyc
 *.dSYM
 as
 a.out
 ld
 in
 out
 core*
 compile_commands.json
 afl-analyze
 afl-as
 afl-clang
@ -38,7 +42,10 @@ afl-clang-lto++.8
 afl-cmin.8
 afl-cmin.bash.8
 afl-fuzz.8
 afl-c++.8
 afl-cc.8
 afl-gcc.8
 afl-g++.8
 afl-gcc-fast.8
 afl-g++-fast.8
 afl-gotcpu.8
@ -47,11 +54,17 @@ afl-showmap.8
 afl-system-config.8
 afl-tmin.8
 afl-whatsup.8
 afl-c++
 afl-cc
 afl-lto
 afl-lto++
 afl-lto++.8
 afl-lto.8
 qemu_mode/libcompcov/compcovtest
 qemu_mode/qemu-*
 qemu_mode/qemuafl
 unicorn_mode/samples/*/\.test-*
 unicorn_mode/samples/*/output/
 unicorn_mode/unicornafl
 test/unittests/unit_maybe_alloc
 test/unittests/unit_preallocable
 test/unittests/unit_list
@ -63,3 +76,9 @@ examples/afl_frida/afl-frida
 examples/afl_frida/libtestinstr.so
 examples/afl_frida/frida-gum-example.c
 examples/afl_frida/frida-gum.h
 examples/aflpp_driver/libAFLDriver.a
 examples/aflpp_driver/libAFLQemuDriver.a
 libAFLDriver.a
 libAFLQemuDriver.a
 test/.afl_performance
 gmon.out
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +1,9 @@
 [submodule "unicorn_mode/unicornafl"]
 	path = unicorn_mode/unicornafl
-	url = https://github.com/AFLplusplus/unicornafl.git
+	url = https://github.com/aflplusplus/unicornafl
 [submodule "custom_mutators/grammar_mutator"]
 	path = custom_mutators/grammar_mutator/grammar_mutator
 	url = https://github.com/AFLplusplus/Grammar-Mutator
 [submodule "qemu_mode/qemuafl"]
 	path = qemu_mode/qemuafl
 	url = https://github.com/AFLplusplus/qemuafl
--- a/.travis.yml
+++ b/.travis.yml
@ -1,60 +0,0 @@
 language: c
 sudo: required
 branches:
  only:
    - master
    - dev
 matrix:
  include:
 #  - os: linux	# focal errors every run with a timeout while installing packages
 #    dist: focal
 #    env: NAME="focal-amd64" MODERN="yes" GCC="9"
  - os: linux
    dist: bionic
    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
  - os: linux
    dist: xenial
    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
  - os: linux
    dist: trusty
    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
 #  - os: linux # until travis can fix this!
 #    dist: xenial
 #    arch: arm64
 #    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
 #  - os: osx
 #    osx_image: xcode11.2
 #    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
 jobs:
  allow_failures:
    - os: osx
    - arch: arm64
 env:
  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1
 # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
 # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
 # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
 before_install:
  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
  - echo Testing on $NAME
  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y git libtool libtool-bin automake bison libglib2.0-0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils libcmocka-dev python3-setuptools ; fi
  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y git libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils libcmocka-dev python3-setuptools ; fi
 script:
  - gcc -v
  - clang -v
  - sudo -E ./afl-system-config
  - sudo sysctl -w kernel.shmmax=10000000000
  - free ; sudo sysctl -a|grep -i shm ; ipcs -m -l ; ipcs -m
  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi
  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
  - make tests
 #  - travis_terminate 0
--- a/Android.bp
+++ b/Android.bp
@ -1,7 +1,16 @@
 cc_defaults {
  name: "afl-defaults",
  sanitize: {
    never: true,
  },
  local_include_dirs: [
    "include",
    "instrumentation",
  ],
  cflags: [
    "-flto=full",
    "-funroll-loops",
    "-Wno-pointer-sign",
    "-Wno-pointer-arith",
@ -10,24 +19,35 @@ cc_defaults {
    "-Wno-unused-function",
    "-Wno-format",
    "-Wno-user-defined-warnings",
-    "-DUSE_TRACE_PC=1",
+    "-DAFL_LLVM_USE_TRACE_PC=1",
    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
    "-D__USE_GNU",
    "-D__aarch64__",
    "-DDEBUG_BUILD",
    "-U_FORTIFY_SOURCE",
    "-ggdb3",
    "-g",
    "-O0",
    "-fno-omit-frame-pointer",
  ],
 }
 cc_binary {
  name: "afl-fuzz",
  static_executable: true,
  host_supported: true,
  compile_multilib: "64",
  defaults: [
    "afl-defaults",
  ],
  srcs: [
-    "afl-fuzz.c",
+    "src/afl-fuzz*.c",
    "src/afl-common.c",
    "src/afl-sharedmem.c",
    "src/afl-forkserver.c",
    "src/afl-performance.c",
  ],
 }
@ -41,7 +61,11 @@ cc_binary {
  ],
  srcs: [
-    "afl-showmap.c",
+    "src/afl-showmap.c",
    "src/afl-common.c",
    "src/afl-sharedmem.c",
    "src/afl-forkserver.c",
    "src/afl-performance.c",
  ],
 }
@ -55,7 +79,11 @@ cc_binary {
  ],
  srcs: [
-    "afl-tmin.c",
+    "src/afl-tmin.c",
    "src/afl-common.c",
    "src/afl-sharedmem.c",
    "src/afl-forkserver.c",
    "src/afl-performance.c",
  ],
 }
@ -69,7 +97,10 @@ cc_binary {
  ],
  srcs: [
-    "afl-analyze.c",
+    "src/afl-analyze.c",
    "src/afl-common.c",
    "src/afl-sharedmem.c",
    "src/afl-performance.c",
  ],
 }
@ -83,12 +114,13 @@ cc_binary {
  ],
  srcs: [
-    "afl-gotcpu.c",
+    "src/afl-gotcpu.c",
    "src/afl-common.c",
  ],
 }
 cc_binary_host {
-  name: "afl-clang-fast",
+  name: "afl-cc",
  static_executable: true,
  defaults: [
@ -98,44 +130,144 @@ cc_binary_host {
  cflags: [
    "-D__ANDROID__",
    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
    "-DAFL_CLANG_FLTO=\"-flto=full\"",
    "-DUSE_BINDIR=1",
    "-DLLVM_BINDIR=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin\"",
    "-DLLVM_LIBDIR=\"prebuilts/clang/host/linux-x86/clang-r383902b/lib64\"",
    "-DCLANGPP_BIN=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin/clang++\"",
    "-DAFL_REAL_LD=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin/ld.lld\"",
    "-DLLVM_LTO=1",
    "-DLLVM_MAJOR=11",
    "-DLLVM_MINOR=2",
  ],
  srcs: [
-    "llvm_mode/afl-clang-fast.c",
+    "src/afl-cc.c",
-  ],
+    "src/afl-common.c",
 }
 cc_binary_host {
  name: "afl-clang-fast++",
  static_executable: true,
  defaults: [
    "afl-defaults",
  ],
-  cflags: [
+  symlinks: [
-    "-D__ANDROID__",
+    "afl-clang-fast",
-    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+    "afl-clang-fast++",
  ],
  srcs: [
    "llvm_mode/afl-clang-fast.c",
  ],
 }
 cc_library_static {
  name: "afl-llvm-rt",
-  compile_multilib: "both",
+  compile_multilib: "64",
  vendor_available: true,
  host_supported: true,
  recovery_available: true,
  sdk_version: "9",
  apex_available: [
    "com.android.adbd",
    "com.android.appsearch",
    "com.android.art",
    "com.android.bluetooth.updatable",
    "com.android.cellbroadcast",
    "com.android.conscrypt",
    "com.android.extservices",
    "com.android.cronet",
    "com.android.neuralnetworks",
    "com.android.media",
    "com.android.media.swcodec",
    "com.android.mediaprovider",
    "com.android.permission",
    "com.android.runtime",
    "com.android.resolv",
    "com.android.tethering",
    "com.android.wifi",
    "com.android.sdkext",
    "com.android.os.statsd",
    "//any",
  ],
  defaults: [
    "afl-defaults",
  ],
  srcs: [
-    "llvm_mode/afl-llvm-rt.o.c",
+    "instrumentation/afl-compiler-rt.o.c",
  ],
 }
 cc_library_headers {
  name: "libafl_headers",
  vendor_available: true,
  host_supported: true,
  export_include_dirs: [
    "include",
  ],
 }
 cc_prebuilt_library_static {
  name: "libfrida-gum",
  compile_multilib: "64",
  strip: {
    none: true,
  },
  srcs: [
    "utils/afl_frida/android/libfrida-gum.a",
  ],
  export_include_dirs: [
    "utils/afl_frida/android",
  ],
 }
 cc_library_shared {
  name: "libtestinstr",
  srcs: [
    "utils/afl_frida/libtestinstr.c",
  ],
  cflags: [
    "-O0",
    "-fPIC",
  ],
 }
 cc_binary {
  name: "afl-frida",
  compile_multilib: "64",
  defaults: [
    "afl-defaults",
  ],
  cflags: [
    "-g",
    "-O0",
    "-Wno-format",
    "-Wno-pointer-sign",
    "-fpermissive",
    "-fPIC",
  ],
  static_libs: [
    "afl-llvm-rt",
    "libfrida-gum",
  ],
  shared_libs: [
    "libdl",
    "liblog",
  ],
  srcs: [
    "utils/afl_frida/afl-frida.c",
  ],
  local_include_dirs: [
    "utils/afl_frida",
    "utils/afl_frida/android",
  ],
 }
 subdirs = [
  "custom_mutators",
 ]
--- a/Android.mk
+++ b/Android.mk
@ -1 +0,0 @@
 Makefile
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -16,9 +16,9 @@ project, or added a file in a directory we already format, otherwise run:
 ```
 Regarding the coding style, please follow the AFL style.
-No camel case at all and use the AFL's macros wherever possible 
+No camel case at all and use AFL's macros wherever possible
 (e.g. WARNF, FATAL, MAP_SIZE, ...).
 Remember that AFLplusplus has to build and run on many platforms, so
 generalize your Makefiles/GNUmakefile (or your patches to our pre-existing
-Makefiles) to be as much generic as possible.
+Makefiles) to be as generic as possible.
--- a/62
+++ b/62
@ -2,59 +2,69 @@
 # This Dockerfile for AFLplusplus uses Ubuntu 20.04 focal and
 # installs LLVM 11 from llvm.org for afl-clang-lto support :-)
 # It also installs gcc/g++ 10 from the Ubuntu development platform
-# has focal has gcc-10 but not g++-10 ...
+# since focal has gcc-10 but not g++-10 ...
 #
 FROM ubuntu:20.04 AS aflplusplus
-MAINTAINER afl++ team <afl@aflplus.plus>
+LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
 LABEL "about"="AFLplusplus docker image"
 ARG DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get upgrade -y && \
+env NO_ARCH_OPT 1
 RUN apt-get update && \
    apt-get -y install --no-install-suggests --no-install-recommends \
    automake \
    ninja-build \
    bison flex \
    build-essential \
    git \
    python3 python3-dev python3-setuptools python-is-python3 \
    libtool libtool-bin \
    libglib2.0-dev \
-    wget vim jupp nano bash-completion \
+    wget vim jupp nano bash-completion less \
    apt-utils apt-transport-https ca-certificates gnupg dialog \
-    libpixman-1-dev
+    libpixman-1-dev \
    gnuplot-nox \
    && rm -rf /var/lib/apt/lists/*
-RUN echo deb http://apt.llvm.org/focal/ llvm-toolchain-focal main >> /etc/apt/sources.list && \
+RUN echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" >> /etc/apt/sources.list && \
-    wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - 
+    wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-RUN echo deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal main >> /etc/apt/sources.list && \
+RUN echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal main" >> /etc/apt/sources.list && \
    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F
-RUN apt-get update && apt-get upgrade -y
+RUN apt-get update && apt-get full-upgrade -y && \
-
+    apt-get -y install --no-install-suggests --no-install-recommends \
-RUN apt-get install -y gcc-10 g++-10 gcc-10-plugin-dev gcc-10-multilib \
+    gcc-10 g++-10 gcc-10-plugin-dev gcc-10-multilib gdb lcov \
-    libc++-10-dev gdb lcov
+    clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
-
+    libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \
-RUN apt-get install -y clang-11 clang-tools-11 libc++1-11 libc++-11-dev \
+    libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \
-    libc++abi1-11 libc++abi-11-dev libclang1-11 libclang-11-dev \
+    liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \
-    libclang-common-11-dev libclang-cpp11 libclang-cpp11-dev liblld-11 \
+    libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools \
-    liblld-11-dev liblldb-11 liblldb-11-dev libllvm11 libomp-11-dev \
+    && rm -rf /var/lib/apt/lists/*
    libomp5-11 lld-11 lldb-11 llvm-11 llvm-11-dev llvm-11-runtime llvm-11-tools
 RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 0
 RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
-RUN rm -rf /var/cache/apt/archives/*
+ENV LLVM_CONFIG=llvm-config-12
 ENV LLVM_CONFIG=llvm-config-11
 ENV AFL_SKIP_CPUFREQ=1
 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /AFLplusplus
+RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
-RUN cd /AFLplusplus && export REAL_CXX=g++-10 && export CC=gcc-10 && \
+RUN cd /afl-cov && make install && cd ..
    export CXX=g++-10 && make distrib && make install && make clean
-RUN git clone https://github.com/vanhauser-thc/afl-cov /afl-cov
+COPY . /AFLplusplus
-RUN cd /afl-cov && make install
+WORKDIR /AFLplusplus
 RUN export CC=gcc-10 && export CXX=g++-10 && make clean && \
    make distrib && make install && make clean
 RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc
 RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc
 ENV IS_DOCKER="1"
 # Disabled until we have the container ready
 #COPY --from=aflplusplus/afl-dyninst /usr/local/lib/libdyninstAPI_RT.so /usr/local/lib/libdyninstAPI_RT.so
 #COPY --from=aflplusplus/afl-dyninst /afl-dyninst/libAflDyninst.so /usr/local/lib/libAflDyninst.so
--- a/346
+++ b/346
@ -24,18 +24,39 @@ BIN_PATH    = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
 DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
-MAN_PATH    = $(PREFIX)/man/man8
+MAN_PATH    = $(PREFIX)/share/man/man8
 PROGNAME    = afl
 VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
 # PROGS intentionally omit afl-as, which gets installed elsewhere.
-PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
+PROGS       = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
 SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config
 MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
 ASAN_OPTIONS=detect_leaks=0
 ifdef NO_SPLICING
  override CFLAGS += -DNO_SPLICING
 endif
 ifdef ASAN_BUILD
  $(info Compiling ASAN version of binaries)
  override CFLAGS += $(ASAN_CFLAGS)
  LDFLAGS += $(ASAN_LDFLAGS)
 endif
 ifdef UBSAN_BUILD
  $(info Compiling UBSAN version of binaries)
  override CFLAGS += -fsanitize=undefined -fno-omit-frame-pointer
  override LDFLAGS += -fsanitize=undefined
 endif
 ifdef MSAN_BUILD
  $(info Compiling MSAN version of binaries)
  CC := clang
  override CFLAGS += -fsanitize=memory -fno-omit-frame-pointer
  override LDFLAGS += -fsanitize=memory
 endif
 ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
 ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	CFLAGS_FLTO ?= -flto=full
@ -54,28 +75,34 @@ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -fno-move-loop-invariants -
 	SPECIAL_PERFORMANCE += -fno-move-loop-invariants -fdisable-tree-cunrolli
 endif
 #ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 #  ifndef SOURCE_DATE_EPOCH
 #    HAVE_MARCHNATIVE = 1
 #    CFLAGS_OPT += -march=native
 #  endif
 #endif
 ifneq "$(shell uname)" "Darwin"
- ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+  #ifeq "$(HAVE_MARCHNATIVE)" "1"
-   ifndef SOURCE_DATE_EPOCH
+  #  SPECIAL_PERFORMANCE += -march=native
- 	#CFLAGS_OPT += -march=native
+  #endif
 	SPECIAL_PERFORMANCE += -march=native
   endif
 endif
 # OS X does not like _FORTIFY_SOURCE=2
- CFLAGS_OPT += -D_FORTIFY_SOURCE=2
+  ifndef DEBUG
    CFLAGS_OPT += -D_FORTIFY_SOURCE=2
  endif
 endif
 ifeq "$(shell uname)" "SunOS"
- CFLAGS_OPT += -Wno-format-truncation
+  CFLAGS_OPT += -Wno-format-truncation
- LDFLAGS=-lkstat -lrt
+  LDFLAGS = -lkstat -lrt
 endif
 ifdef STATIC
  $(info Compiling static version of binaries, disabling python though)
  # Disable python for static compilation to simplify things
-  PYTHON_OK=0
+  PYTHON_OK = 0
  PYFLAGS=
-  PYTHON_INCLUDE=/
+  PYTHON_INCLUDE = /
  CFLAGS_OPT += -static
  LDFLAGS += -lm -lpthread -lz -lutil
@ -87,6 +114,12 @@ ifdef PROFILING
  LDFLAGS += -pg
 endif
 ifdef INTROSPECTION
  $(info Compiling with introspection documentation)
  CFLAGS_OPT += -DINTROSPECTION=1
 endif
 ifneq "$(shell uname -m)" "x86_64"
 ifneq "$(patsubst i%86,i386,$(shell uname -m))" "i386"
  ifneq "$(shell uname -m)" "amd64"
@ -97,8 +130,14 @@ ifneq "$(shell uname -m)" "x86_64"
 endif
 endif
-CFLAGS     ?= -O3 -funroll-loops $(CFLAGS_OPT)
+ifdef DEBUG
-override CFLAGS += -Wall -g -Wno-pointer-sign -Wmissing-declarations -Wno-unused-result \
+  $(info Compiling DEBUG version of binaries)
  CFLAGS += -ggdb3 -O0 -Wall -Wextra -Werror
 else
  CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT)
 endif
 override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \
 			  -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \
 			  -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
@ -198,7 +237,10 @@ else
 endif
 ifneq "$(filter Linux GNU%,$(shell uname))" ""
-  LDFLAGS += -ldl -lrt
+ ifndef DEBUG
  override CFLAGS += -D_FORTIFY_SOURCE=2
 endif
  LDFLAGS += -ldl -lrt -lm
 endif
 ifneq "$(findstring FreeBSD, $(shell uname))" ""
@ -211,10 +253,9 @@ ifneq "$(findstring NetBSD, $(shell uname))" ""
  LDFLAGS += -lpthread
 endif
-ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+ifneq "$(findstring OpenBSD, $(shell uname))" ""
-  TEST_CC  = afl-gcc
+  override CFLAGS  += -pthread
-else
+  LDFLAGS += -lpthread
  TEST_CC  = afl-clang
 endif
 COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
@ -241,16 +282,10 @@ ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1
 endif
 ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
-	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -DASAN_BUILD
 	ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
 endif
 ifdef ASAN_BUILD
  $(info Compiling ASAN version of binaries)
  override CFLAGS+=$(ASAN_CFLAGS)
  LDFLAGS+=$(ASAN_LDFLAGS)
 endif
 ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
 	SHMAT_OK=1
 else
@ -265,28 +300,47 @@ ifdef TEST_MMAP
 	LDFLAGS += -Wno-deprecated-declarations
 endif
-all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
+.PHONY: all
 all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
 .PHONY: llvm
 llvm:
 	-$(MAKE) -j -f GNUmakefile.llvm
 	@test -e afl-cc || { echo "[-] Compiling afl-cc failed. You seem not to have a working compiler." ; exit 1; }
 .PHONY: gcc_plugin
 gcc_plugin:
 	-$(MAKE) -f GNUmakefile.gcc_plugin
 .PHONY: man
 man:    $(MANPAGES)
 .PHONY: test
 test:	tests
 .PHONY: tests
 tests:	source-only
-	@cd test ; ./test.sh
+	@cd test ; ./test-all.sh
 	@rm -f test/errors
 .PHONY: performance-tests
 performance-tests:	performance-test
 .PHONY: test-performance
 test-performance:	performance-test
 .PHONY: performance-test
 performance-test:	source-only
 	@cd test ; ./test-performance.sh
 # hint: make targets are also listed in the top level README.md
 .PHONY: help
 help:
 	@echo "HELP --- the following make targets exist:"
 	@echo "=========================================="
 	@echo "all: just the main afl++ binaries"
 	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap"
-	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap"
+	@echo "source-only: everything for source code fuzzing: gcc_plugin, libdislocator, libtokencap"
 	@echo "distrib: everything (for both binary-only and source code fuzzing)"
 	@echo "man: creates simple man pages from the help option of the programs"
 	@echo "install: installs everything you have compiled with the build option above"
@ -304,13 +358,18 @@ help:
 	@echo "=========================================="
 	@echo STATIC - compile AFL++ static
 	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
 	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
 	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
 	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
 	@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)"
 	@echo "=========================================="
 	@echo e.g.: make ASAN_BUILD=1
 .PHONY: test_x86
 ifndef AFL_NO_X86
 test_x86:
 	@echo "[*] Checking for the default compiler cc..."
 	@type $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
@ -319,56 +378,41 @@ test_x86:
 	@echo "[*] Checking for the ability to compile x86 code..."
 	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) $(CFLAGS) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
 	@rm -f .test1
 else
 test_x86:
 	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
 endif
-
+.PHONY: test_shm
 ifeq "$(SHMAT_OK)" "1"
 test_shm:
 	@echo "[+] shmat seems to be working."
 	@rm -f .test2
 else
 test_shm:
 	@echo "[-] shmat seems not to be working, switching to mmap implementation"
 endif
-
+.PHONY: test_python
 ifeq "$(PYTHON_OK)" "1"
 test_python:
 	@rm -f .test 2> /dev/null
 	@echo "[+] $(PYTHON_VERSION) support seems to be working."
 else
 test_python:
 	@echo "[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue"
 endif
-
+.PHONY: ready
 ready:
 	@echo "[+] Everything seems to be working, ready to compile."
 afl-gcc: src/afl-gcc.c $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
 afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
-	ln -sf afl-as as
+	@ln -sf afl-as as
 src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
-	$(CC) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
+	$(CC) $(CFLAGS) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
 src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
@ -380,10 +424,10 @@ src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
-afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
 afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
@ -394,9 +438,11 @@ afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-perf
 afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
 .PHONY: document
 document:	afl-fuzz-document
 # document all mutations and only do one run (use with only one input file!)
-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
+afl-fuzz-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
 	$(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
 test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
@ -434,126 +480,138 @@ unit_preallocable: test/unittests/unit_preallocable.o
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_preallocable
 .PHONY: unit_clean
 unit_clean:
 	@rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
 .PHONY: unit
 ifneq "$(shell uname)" "Darwin"
-
+unit:	unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash
 unit: unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash
 else
 unit:
 	@echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\)
 endif
 .PHONY: code-format
 code-format:
 	./.custom-format.py -i src/*.c
 	./.custom-format.py -i include/*.h
-	./.custom-format.py -i libdislocator/*.c
+	./.custom-format.py -i instrumentation/*.h
-	./.custom-format.py -i libtokencap/*.c
+	./.custom-format.py -i instrumentation/*.cc
-	./.custom-format.py -i llvm_mode/*.c
+	./.custom-format.py -i instrumentation/*.c
-	./.custom-format.py -i llvm_mode/*.h
+	@#./.custom-format.py -i custom_mutators/*/*.c* # destroys libfuzzer :-(
-	./.custom-format.py -i llvm_mode/*.cc
+	@#./.custom-format.py -i custom_mutators/*/*.h # destroys honggfuzz :-(
-	./.custom-format.py -i gcc_plugin/*.c
+	./.custom-format.py -i utils/*/*.c*
-	@#./.custom-format.py -i gcc_plugin/*.h
+	./.custom-format.py -i utils/*/*.h
 	./.custom-format.py -i gcc_plugin/*.cc
 	./.custom-format.py -i custom_mutators/*/*.c
 	@#./.custom-format.py -i custom_mutators/*/*.h # destroys input.h :-(
 	./.custom-format.py -i examples/*/*.c
 	./.custom-format.py -i examples/*/*.h
 	./.custom-format.py -i test/*.c
 	./.custom-format.py -i qemu_mode/patches/*.h
 	./.custom-format.py -i qemu_mode/libcompcov/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.cc
 	./.custom-format.py -i qemu_mode/libcompcov/*.h
-	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qemu_mode/libqasan/*.c
-	./.custom-format.py -i qbdi_mode/*.cpp
+	./.custom-format.py -i qemu_mode/libqasan/*.h
 	./.custom-format.py -i *.h
 	./.custom-format.py -i *.c
 .PHONY: test_build
 ifndef AFL_NO_X86
-
+test_build: afl-cc afl-gcc afl-as afl-showmap
-test_build: afl-gcc afl-as afl-showmap
+	@echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
-	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
 	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_DEBUG=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
 	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
-	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
-	@echo "[+] All right, the instrumentation seems to be working!"
+	@echo
-
+	@echo "[+] All right, the instrumentation of afl-cc seems to be working!"
 #	@echo "[*] Testing the CC wrapper afl-gcc and its instrumentation output..."
 #	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 )
 #	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 #	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 #	@rm -f test-instr
 #	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
 #		gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \
 #		( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
 #	@echo
 #	@echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
 else
-
+test_build: afl-cc afl-as afl-showmap
 test_build: afl-gcc afl-as afl-showmap
 	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
 endif
-
+.PHONY: all_done
 all_done: test_build
-	@if [ ! "`type clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
+	@test -e afl-cc && echo "[+] Main compiler 'afl-cc' successfully built!" || { echo "[-] Main compiler 'afl-cc' failed to build, set up a working build environment first!" ; exit 1 ; }
 	@test -e cmplog-instructions-pass.so && echo "[+] LLVM mode for 'afl-cc' successfully built!" || echo "[-] LLVM mode for 'afl-cc'  failed to build, likely you either don't have llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumentation/README.llvm.md how to do this. Highly recommended!"
 	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode for 'afl-cc' successfully built!" || echo "[-] LLVM LTO mode for 'afl-cc'  failed to build, this would need LLVM 11+, see instrumentation/README.lto.md how to build it"
 	@test -e afl-gcc-pass.so && echo "[+] gcc_plugin for 'afl-cc' successfully built!" || echo "[-] gcc_plugin for 'afl-cc'  failed to build, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it"
 	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
 	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
 	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
 .NOTPARALLEL: clean all
 .PHONY: clean
 clean:
-	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-*
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand
-	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
+	-$(MAKE) -f GNUmakefile.llvm clean
-	-$(MAKE) -C llvm_mode clean
+	-$(MAKE) -f GNUmakefile.gcc_plugin clean
-	-$(MAKE) -C gcc_plugin clean
+	$(MAKE) -C utils/libdislocator clean
-	$(MAKE) -C libdislocator clean
+	$(MAKE) -C utils/libtokencap clean
-	$(MAKE) -C libtokencap clean
+	$(MAKE) -C utils/afl_network_proxy clean
-	$(MAKE) -C examples/afl_network_proxy clean
+	$(MAKE) -C utils/socket_fuzzing clean
-	$(MAKE) -C examples/socket_fuzzing clean
+	$(MAKE) -C utils/argv_fuzzing clean
 	$(MAKE) -C examples/argv_fuzzing clean
 	$(MAKE) -C qemu_mode/unsigaction clean
 	$(MAKE) -C qemu_mode/libcompcov clean
-	rm -rf qemu_mode/qemu-3.1.1
+	$(MAKE) -C qemu_mode/libqasan clean
 ifeq "$(IN_REPO)" "1"
-	test -d unicorn_mode/unicornafl && $(MAKE) -C unicorn_mode/unicornafl clean || true
+	test -e qemu_mode/qemuafl/Makefile && $(MAKE) -C qemu_mode/qemuafl clean || true
 	test -e unicorn_mode/unicornafl/Makefile && $(MAKE) -C unicorn_mode/unicornafl clean || true
 else
-	rm -rf qemu_mode/qemu-3.1.1.tar.xz
+	rm -rf qemu_mode/qemuafl
 	rm -rf unicorn_mode/unicornafl
 endif
 .PHONY: deepclean
 deepclean:	clean
 	rm -rf qemu_mode/qemu-3.1.1.tar.xz
 	rm -rf unicorn_mode/unicornafl
-	git reset --hard >/dev/null 2>&1 || true
+	rm -rf qemu_mode/qemuafl
 ifeq "$(IN_REPO)" "1"
 # NEVER EVER ACTIVATE THAT!!!!! git reset --hard >/dev/null 2>&1 || true
 	git checkout unicorn_mode/unicornafl
 	git checkout qemu_mode/qemuafl
 endif
 .PHONY: distrib
 distrib: all
-	-$(MAKE) -C llvm_mode
+	-$(MAKE) -j -f GNUmakefile.llvm
-	-$(MAKE) -C gcc_plugin
+	-$(MAKE) -f GNUmakefile.gcc_plugin
-	$(MAKE) -C libdislocator
+	$(MAKE) -C utils/libdislocator
-	$(MAKE) -C libtokencap
+	$(MAKE) -C utils/libtokencap
-	$(MAKE) -C examples/afl_network_proxy
+	-$(MAKE) -C utils/aflpp_driver
-	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C utils/afl_network_proxy
-	$(MAKE) -C examples/argv_fuzzing
+	$(MAKE) -C utils/socket_fuzzing
 	$(MAKE) -C utils/argv_fuzzing
 	-cd qemu_mode && sh ./build_qemu_support.sh
-	cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
-binary-only: all
+.PHONY: binary-only
-	$(MAKE) -C libdislocator
+binary-only: test_shm test_python ready $(PROGS)
-	$(MAKE) -C libtokencap
+	$(MAKE) -C utils/libdislocator
-	$(MAKE) -C examples/afl_network_proxy
+	$(MAKE) -C utils/libtokencap
-	$(MAKE) -C examples/socket_fuzzing
+	$(MAKE) -C utils/afl_network_proxy
-	$(MAKE) -C examples/argv_fuzzing
+	$(MAKE) -C utils/socket_fuzzing
 	$(MAKE) -C utils/argv_fuzzing
 	-cd qemu_mode && sh ./build_qemu_support.sh
-	cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
 .PHONY: source-only
 source-only: all
-	-$(MAKE) -C llvm_mode
+	-$(MAKE) -j -f GNUmakefile.llvm
-	-$(MAKE) -C gcc_plugin
+	-$(MAKE) -f GNUmakefile.gcc_plugin
-	$(MAKE) -C libdislocator
+	$(MAKE) -C utils/libdislocator
-	$(MAKE) -C libtokencap
+	$(MAKE) -C utils/libtokencap
-	#$(MAKE) -C examples/afl_network_proxy
+	-$(MAKE) -C utils/aflpp_driver
 	#$(MAKE) -C examples/socket_fuzzing
 	#$(MAKE) -C examples/argv_fuzzing
 %.8:	%
 	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
@ -574,28 +632,32 @@ source-only: all
 	@echo .SH LICENSE >> $@
 	@echo Apache License Version 2.0, January 2004 >> $@
 .PHONY: install
 install: all $(MANPAGES)
-	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	@install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
+	@rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
 	@rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 	@rm -f $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt.o
 	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
+	@if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+	@if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f afl-clang-fast ]; then $(MAKE) -C llvm_mode install; fi
+	@if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f libqasan.so ]; then set -e; install -m 755 libqasan.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
-	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi
-	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	@if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi
-	if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C examples/socket_fuzzing install; fi
+	@if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi
-	if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C examples/argv_fuzzing install; fi
+	@if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f examples/afl_network_proxy/afl-network-server ]; then $(MAKE) -C examples/afl_network_proxy install; fi
+	@if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi
-
+	-$(MAKE) -f GNUmakefile.llvm install
-	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
+	-$(MAKE) -f GNUmakefile.gcc_plugin install
-	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc
-
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-g++
-	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang
 	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang++
 	@mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
 	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
 	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
 	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
 	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
--- a/GNUmakefile.gcc_plugin
+++ b/GNUmakefile.gcc_plugin
@ -19,24 +19,24 @@
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
-
+#TEST_MMAP=1
 PREFIX      ?= /usr/local
 HELPER_PATH ?= $(PREFIX)/lib/afl
 BIN_PATH    ?= $(PREFIX)/bin
 DOC_PATH    ?= $(PREFIX)/share/doc/afl
-MAN_PATH    ?= $(PREFIX)/man/man8
+MAN_PATH    ?= $(PREFIX)/share/man/man8
-VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
 CFLAGS          ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
-CFLAGS_SAFE     := -Wall -I../include -Wno-pointer-sign \
+CFLAGS_SAFE     := -Wall -Iinclude -Wno-pointer-sign \
                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
                   -DGCC_VERSION=\"$(GCCVER)\" -DGCC_BINDIR=\"$(GCCBINDIR)\" \
                   -Wno-unused-function
 override CFLAGS += $(CFLAGS_SAFE)
 CXXFLAGS    ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
-CXXEFLAGS   := $(CXXFLAGS) -Wall
+CXXEFLAGS   := $(CXXFLAGS) -Wall -std=c++11
 CC          ?= gcc
 CXX         ?= g++
@ -51,7 +51,13 @@ ifeq "clang++" "$(CXX)"
        CXX = g++
 endif
-PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include"
+ifeq "$(findstring Foundation,$(shell $(CC) --version))" ""
        CC  = gcc
        CXX = g++
 endif
 PLUGIN_BASE = "$(shell $(CC) -print-file-name=plugin)"
 PLUGIN_FLAGS = -fPIC -fno-rtti -I$(PLUGIN_BASE)/include -I$(PLUGIN_BASE)
 HASH=\#
 GCCVER    = $(shell $(CC) --version 2>/dev/null | awk 'NR == 1 {print $$NF}')
@ -61,110 +67,119 @@ ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int ma
 	SHMAT_OK=1
 else
 	SHMAT_OK=0
-	override CFLAGS += -DUSEMMAP=1
+	override CFLAGS_SAFE += -DUSEMMAP=1
 endif
 ifeq "$(TEST_MMAP)" "1"
 	SHMAT_OK=0
-	override CFLAGS += -DUSEMMAP=1
+	override CFLAGS_SAFE += -DUSEMMAP=1
 endif
 ifneq "$(shell uname -s)" "Haiku"
 ifneq "$(shell uname -s)" "OpenBSD"
  	LDFLAGS += -lrt
 endif
 else
 	CFLAGS_SAFE += -DUSEMMAP=1
 endif
 ifeq "$(shell uname -s)" "OpenBSD"
    CC  = egcc
    CXX = eg++
    PLUGIN_FLAGS += -I/usr/local/include
 endif
 ifeq "$(shell uname -s)" "DragonFly"
  	PLUGIN_FLAGS += -I/usr/local/include
 endif
 ifeq "$(shell uname -s)" "SunOS"
  	PLUGIN_FLAGS += -I/usr/include/gmp
 endif
-PROGS        = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o
+PROGS        = ./afl-gcc-pass.so
 .PHONY: all
 all: test_shm test_deps $(PROGS) test_build all_done
-all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done
+.PHONY: test_shm
 ifeq "$(SHMAT_OK)" "1"
 test_shm:
 	@echo "[+] shmat seems to be working."
 	@rm -f .test2
 else
 test_shm:
 	@echo "[-] shmat seems not to be working, switching to mmap implementation"
 endif
-
+.PHONY: test_deps
 test_deps:
 	@echo "[*] Checking for working '$(CC)'..."
-	@type $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+	@command -v $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
 #	@echo "[*] Checking for gcc for plugin support..."
 #	@$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 )
 	@echo "[*] Checking for gcc plugin development header files..."
 	@test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 )
-	@echo "[*] Checking for '../afl-showmap'..."
+	@echo "[*] Checking for './afl-showmap'..."
-	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@test -f ./afl-showmap || ( echo "[-] Oops, can't find './afl-showmap'. Be sure to compile AFL first."; exit 1 )
 	@echo "[+] All set and ready to build."
-afl-common.o: ../src/afl-common.c
+afl-common.o: ./src/afl-common.c
-	$(CC) $(CFLAGS) -c $< -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ $(LDFLAGS)
-../afl-gcc-fast: afl-gcc-fast.c afl-common.o | test_deps
+./afl-gcc-pass.so: instrumentation/afl-gcc-pass.so.cc | test_deps
 	$(CC) -DAFL_GCC_CC=\"$(CC)\" -DAFL_GCC_CXX=\"$(CXX)\" $(CFLAGS) $< afl-common.o -o $@ $(LDFLAGS)
 	ln -sf afl-gcc-fast ../afl-g++-fast
 ../afl-gcc-pass.so: afl-gcc-pass.so.cc | test_deps
 	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
 	ln -sf afl-cc afl-gcc-fast
 	ln -sf afl-cc afl-g++-fast
 	ln -sf afl-cc.8 afl-gcc-fast.8
 	ln -sf afl-cc.8 afl-g++-fast.8
-../afl-gcc-rt.o: afl-gcc-rt.o.c | test_deps
+.PHONY: test_build
 	$(CC) $(CFLAGS_SAFE) -fPIC -c $< -o $@
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+	unset AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ./afl-gcc-fast $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
-#	unset AFL_USE_ASAN AFL_USE_MSAN;             AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
-	ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
+	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ../afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
 	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
 	@echo "[+] All right, the instrumentation seems to be working!"
 .PHONY: all_done
 all_done: test_build
-	@echo "[+] All done! You can now use '../afl-gcc-fast' to compile programs."
+	@echo "[+] All done! You can now use './afl-gcc-fast' to compile programs."
 .NOTPARALLEL: clean
 vpath  % ..
 %.8: %
-	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ./$@
-	@echo .SH NAME >> ../$@
+	@echo .SH NAME >> ./$@
-	@echo .B $* >> ../$@
+	@echo .B $* >> ./$@
-	@echo >> ../$@
+	@echo >> ./$@
-	@echo .SH SYNOPSIS >> ../$@
+	@echo .SH SYNOPSIS >> ./$@
-	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ./$@
-	@echo >> ../$@
+	@echo >> ./$@
-	@echo .SH OPTIONS >> ../$@
+	@echo .SH OPTIONS >> ./$@
-	@echo .nf >> ../$@
+	@echo .nf >> ./$@
-	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@./$* -h 2>&1 | tail -n +4 >> ./$@
-	@echo >> ../$@
+	@echo >> ./$@
-	@echo .SH AUTHOR >> ../$@
+	@echo .SH AUTHOR >> ./$@
-	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> ./$@
-	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ./$@
-	@echo >> ../$@
+	@echo >> ./$@
-	@echo .SH LICENSE >> ../$@
+	@echo .SH LICENSE >> ./$@
-	@echo Apache License Version 2.0, January 2004 >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ./$@
-	ln -sf afl-gcc-fast.8 ../afl-g++-fast.8
+	ln -sf afl-cc.8 ./afl-g++-fast.8
 .PHONY: install
 install: all
-	install -m 755 ../afl-gcc-fast $${DESTDIR}$(BIN_PATH)
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc-fast
-	install -m 755 ../afl-gcc-pass.so ../afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH)
+	ln -sf afl-c++ $${DESTDIR}$(BIN_PATH)/afl-g++-fast
-	install -m 644 -T README.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md
+	ln -sf afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt.o
-	install -m 644 -T README.instrument_file.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.instrument_file.md
+	install -m 755 ./afl-gcc-pass.so $${DESTDIR}$(HELPER_PATH)
 	install -m 644 -T instrumentation/README.gcc_plugin.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md
 .PHONY: clean
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
-	rm -f $(PROGS) afl-common.o ../afl-g++-fast ../afl-g*-fast.8
+	rm -f $(PROGS) afl-common.o ./afl-g++-fast ./afl-g*-fast.8 instrumentation/*.o
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -0,0 +1,522 @@
 # american fuzzy lop++ - LLVM instrumentation
 # -----------------------------------------
 #
 # Written by Laszlo Szekeres <lszekeres@google.com> and
 #            Michal Zalewski
 #
 # LLVM integration design comes from Laszlo Szekeres.
 #
 # Copyright 2015, 2016 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # For Heiko:
 #TEST_MMAP=1
 HASH=\#
 PREFIX      ?= /usr/local
 HELPER_PATH ?= $(PREFIX)/lib/afl
 BIN_PATH    ?= $(PREFIX)/bin
 DOC_PATH    ?= $(PREFIX)/share/doc/afl
 MISC_PATH   ?= $(PREFIX)/share/afl
 MAN_PATH    ?= $(PREFIX)/share/man/man8
 BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
 VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
 ifeq "$(shell uname)" "OpenBSD"
  LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
  HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
  ifeq "$(HAS_OPT)" "1"
    $(warning llvm_mode needs a complete llvm installation (versions 3.4 up to 12) -> e.g. "pkg_add llvm-7.0.1p9")
  endif
 else
  LLVM_CONFIG ?= llvm-config
 endif
 LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' )
 LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
 LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
 LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-3]|^[0-2]\.' && echo 1 || echo 0 )
 LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[3-9]' && echo 1 || echo 0 )
 LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 )
 LLVM_10_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]|^10\.[1-9]|^10\.0.[1-9]' && echo 1 || echo 0 )
 LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]' && echo 1 || echo 0 )
 LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
 LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
 LLVM_STDCXX = gnu++11
 LLVM_APPLE_XCODE = $(shell clang -v 2>&1 | grep -q Apple && echo 1 || echo 0)
 LLVM_LTO   = 0
 ifeq "$(LLVMVER)" ""
  $(warning [!] llvm_mode needs llvm-config, which was not found)
 endif
 ifeq "$(LLVM_UNSUPPORTED)" "1"
  $(error llvm_mode only supports llvm from version 3.4 onwards)
 endif
 ifeq "$(LLVM_TOO_NEW)" "1"
  $(warning you are using an in-development llvm version - this might break llvm_mode!)
 endif
 LLVM_TOO_OLD=1
 ifeq "$(LLVM_MAJOR)" "9"
  $(info [+] llvm_mode detected llvm 9, enabling neverZero implementation)
  LLVM_TOO_OLD=0
 endif
 ifeq "$(LLVM_NEW_API)" "1"
  $(info [+] llvm_mode detected llvm 10+, enabling neverZero implementation and c++14)
  LLVM_STDCXX = c++14
  LLVM_TOO_OLD=0
 endif
 ifeq "$(LLVM_TOO_OLD)" "1"
  $(info [!] llvm_mode detected an old version of llvm, upgrade to at least 9 or preferable 11!)
  $(shell sleep 1)
 endif
 ifeq "$(LLVM_HAVE_LTO)" "1"
  $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
  LLVM_LTO = 1
  #TEST_MMAP = 1
 endif
 ifeq "$(LLVM_LTO)" "0"
  $(info [+] llvm_mode detected llvm < 11, afl-lto LTO will not be build.)
 endif
 ifeq "$(LLVM_APPLE_XCODE)" "1"
  $(warning llvm_mode will not compile with Xcode clang...)
 endif
 # We were using llvm-config --bindir to get the location of clang, but
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.
 CC         = $(LLVM_BINDIR)/clang
 CXX        = $(LLVM_BINDIR)/clang++
 # llvm-config --bindir may not providing a valid path, so ...
 ifeq "$(shell test -e $(CC) || echo 1 )" "1"
  # however we must ensure that this is not a "CC=gcc make"
  ifeq "$(shell command -v $(CC) 2> /dev/null)" ""
    # we do not have a valid CC variable so we try alternatives
    ifeq "$(shell test -e '$(BIN_DIR)/clang' && echo 1)" "1"
      # we found one in the local install directory, lets use these
      CC         = $(BIN_DIR)/clang
    else
      # hope for the best
      $(warning we have trouble finding clang - llvm-config is not helping us)
      CC         = clang
    endif
  endif
 endif
 # llvm-config --bindir may not providing a valid path, so ...
 ifeq "$(shell test -e $(CXX) || echo 1 )" "1"
  # however we must ensure that this is not a "CXX=g++ make"
  ifeq "$(shell command -v $(CXX) 2> /dev/null)" ""
    # we do not have a valid CXX variable so we try alternatives
    ifeq "$(shell test -e '$(BIN_DIR)/clang++' && echo 1)" "1"
      # we found one in the local install directory, lets use these
      CXX        = $(BIN_DIR)/clang++
    else
      # hope for the best
      $(warning we have trouble finding clang++ - llvm-config is not helping us)
      CXX        = clang++
    endif
  endif
 endif
 # sanity check.
 # Are versions of clang --version and llvm-config --version equal?
 CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ (1?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')
 # I disable this because it does not make sense with what we did before (marc)
 # We did exactly set these 26 lines above with these values, and it would break
 # "CC=gcc make" etc. usages
 ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
  CC_SAVE := $(LLVM_BINDIR)/clang
 else
  CC_SAVE := $(CC)
 endif
 ifeq "$(findstring clang, $(shell $(CXX) --version 2>/dev/null))" ""
  CXX_SAVE := $(LLVM_BINDIR)/clang++
 else
  CXX_SAVE := $(CXX)
 endif
 CLANG_BIN := $(CC_SAVE)
 CLANGPP_BIN := $(CXX_SAVE)
 ifeq "$(CC_SAVE)" "$(LLVM_BINDIR)/clang"
  USE_BINDIR = 1
 else
  ifeq "$(CXX_SAVE)" "$(LLVM_BINDIR)/clang++"
    USE_BINDIR = 1
  else
    USE_BINDIR = 0
  endif
 endif
 # On old platform we cannot compile with clang because std++ libraries are too
 # old. For these we need to use gcc/g++, so if we find REAL_CC and REAL_CXX
 # variable we override the compiler variables here
 ifneq "$(REAL_CC)" ""
  CC  = $(REAL_CC)
 endif
 ifneq "$(REAL_CXX)" ""
  CXX = $(REAL_CXX)
 endif
 #
 # Now it can happen that CC points to clang - but there is no clang on the
 # system. Then we fall back to cc
 #
 ifeq "$(shell command -v $(CC) 2>/dev/null)" ""
  CC = cc
 endif
 ifeq "$(shell command -v $(CXX) 2>/dev/null)" ""
  CXX = c++
 endif
 # After we set CC/CXX we can start makefile magic tests
 #ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 #	CFLAGS_OPT = -march=native
 #endif
 ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
        AFL_CLANG_FLTO ?= -flto=full
 else
 ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
        AFL_CLANG_FLTO ?= -flto=thin
 else
  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
        AFL_CLANG_FLTO ?= -flto
  endif
 endif
 endif
 ifeq "$(LLVM_LTO)" "1"
  ifneq "$(AFL_CLANG_FLTO)" ""
    ifeq "$(AFL_REAL_LD)" ""
      ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" ""
        AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld
      else
        $(warning ld.lld not found, cannot enable LTO mode)
        LLVM_LTO = 0
      endif
    endif
  else
    $(warning clang option -flto is not working - maybe LLVMgold.so not found - cannot enable LTO mode)
    LLVM_LTO = 0
  endif
 endif
 AFL_CLANG_FUSELD=
 ifeq "$(LLVM_LTO)" "1"
  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
    AFL_CLANG_FUSELD=1
    ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(LLVM_BINDIR)/ld.lld -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
      AFL_CLANG_LDPATH=1
    endif
  else
    $(warning -fuse-ld is not working, cannot enable LTO mode)
    LLVM_LTO = 0
  endif
 endif
 ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fdebug-prefix-map=$(CURDIR)=llvm_mode -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
        AFL_CLANG_DEBUG_PREFIX = -fdebug-prefix-map="$(CURDIR)=llvm_mode"
 else
        AFL_CLANG_DEBUG_PREFIX =
 endif
 CFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
 CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ \
                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
                   -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \
                   -DLLVM_LIBDIR=\"$(LLVM_LIBDIR)\" -DLLVM_VERSION=\"$(LLVMVER)\" \
                   -Wno-deprecated -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \
                   -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" \
                   -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function \
                   $(AFL_CLANG_DEBUG_PREFIX)
 override CFLAGS += $(CFLAGS_SAFE)
 ifdef AFL_TRACE_PC
  $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets )
 endif
 CXXFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
 override CXXFLAGS += -Wall -g -I ./include/ \
                     -DVERSION=\"$(VERSION)\" -Wno-variadic-macros \
                     -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)
 ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
  CLANG_CFL  = -I$(shell $(LLVM_CONFIG) --includedir)
 endif
 ifneq "$(LLVM_CONFIG)" ""
  CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include
 endif
 CLANG_CPPFL  = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC $(CXXFLAGS) -Wno-deprecated-declarations
 CLANG_LFL    = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
 # User teor2345 reports that this is required to make things work on MacOS X.
 ifeq "$(shell uname)" "Darwin"
  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
 else
  CLANG_CPPFL += -Wl,-znodelete
 endif
 ifeq "$(shell uname)" "OpenBSD"
  CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so
  CLANG_CPPFL += -mno-retpoline
  CFLAGS += -mno-retpoline
  # Needed for unwind symbols
  LDFLAGS += -lc++abi -lpthread
 endif
 ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
        SHMAT_OK=1
 else
        SHMAT_OK=0
        CFLAGS_SAFE += -DUSEMMAP=1
        LDFLAGS += -Wno-deprecated-declarations
 endif
 ifeq "$(TEST_MMAP)" "1"
        SHMAT_OK=0
        CFLAGS_SAFE += -DUSEMMAP=1
        LDFLAGS += -Wno-deprecated-declarations
 endif
 PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o 
 PROGS        = $(PROGS_ALWAYS) ./afl-llvm-pass.so ./SanitizerCoveragePCGUARD.so ./split-compares-pass.so ./split-switches-pass.so ./cmplog-routines-pass.so ./cmplog-instructions-pass.so ./afl-llvm-dict2file.so ./compare-transform-pass.so ./libLLVMInsTrim.so ./afl-ld-lto ./afl-llvm-lto-instrumentlist.so ./afl-llvm-lto-instrumentation.so ./SanitizerCoverageLTO.so
 # If prerequisites are not given, warn, do not build anything, and exit with code 0
 ifeq "$(LLVMVER)" ""
  NO_BUILD = 1
 endif
 ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE_XCODE)" "00"
  NO_BUILD = 1
 endif
 ifeq "$(NO_BUILD)" "1"
  TARGETS = test_shm $(PROGS_ALWAYS) afl-cc.8
 else
  TARGETS = test_shm test_deps $(PROGS) afl-cc.8 test_build all_done
 endif
 LLVM_MIN_4_0_1 = $(shell awk 'function tonum(ver, a) {split(ver,a,"."); return a[1]*1000000+a[2]*1000+a[3]} BEGIN { exit tonum(ARGV[1]) >= tonum(ARGV[2]) }' $(LLVMVER) 4.0.1; echo $$?)
 .PHONY: all
 all: $(TARGETS)
 .PHONY: test_shm
 ifeq "$(SHMAT_OK)" "1"
 test_shm:
 	@echo "[+] shmat seems to be working."
 	@rm -f .test2
 else
 test_shm:
 	@echo "[-] shmat seems not to be working, switching to mmap implementation"
 endif
 .PHONY: no_build
 no_build:
 	@printf "%b\\n" "\\033[0;31mPrerequisites are not met, skipping build llvm_mode\\033[0m"
 .PHONY: test_deps
 test_deps:
 	@echo "[*] Checking for working 'llvm-config'..."
 ifneq "$(LLVM_APPLE_XCODE)" "1"
 	@type $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo "    (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
 endif
 	@echo "[*] Checking for working '$(CC)'..."
 	@type $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
 	@echo "[*] Checking for matching versions of '$(CC)' and '$(LLVM_CONFIG)'"
 ifneq "$(CLANGVER)" "$(LLVMVER)"
 	@echo "[!] WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
 else
 	@echo "[*] We have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
 endif
 	@echo "[*] Checking for './afl-showmap'..."
 	@test -f ./afl-showmap || ( echo "[-] Oops, can't find './afl-showmap'. Be sure to compile AFL first."; exit 1 )
 	@echo "[+] All set and ready to build."
 instrumentation/afl-common.o: ./src/afl-common.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ $(LDFLAGS)
 ./afl-cc: src/afl-cc.c instrumentation/afl-common.o
 	$(CC) $(CLANG_CFL) $(CFLAGS) $(CPPFLAGS) $< instrumentation/afl-common.o -o $@ -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR) $(LDFLAGS) -DCFLAGS_OPT=\"$(CFLAGS_OPT)\" -lm
 	@ln -sf afl-cc ./afl-c++
 	@ln -sf afl-cc ./afl-gcc
 	@ln -sf afl-cc ./afl-g++
 	@ln -sf afl-cc ./afl-clang
 	@ln -sf afl-cc ./afl-clang++
 	@ln -sf afl-cc ./afl-clang-fast
 	@ln -sf afl-cc ./afl-clang-fast++
 ifneq "$(AFL_CLANG_FLTO)" ""
 ifeq "$(LLVM_LTO)" "1"
 	@ln -sf afl-cc ./afl-clang-lto
 	@ln -sf afl-cc ./afl-clang-lto++
 	@ln -sf afl-cc ./afl-lto
 	@ln -sf afl-cc ./afl-lto++
 endif
 endif
 instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h
 	$(CXX) $(CFLAGS) $(CPPFLAGS) `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ 
 ./libLLVMInsTrim.so: instrumentation/LLVMInsTrim.so.cc instrumentation/MarkNodes.cc instrumentation/afl-llvm-common.o | test_deps
 	-$(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< instrumentation/MarkNodes.cc -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_MIN_4_0_1)" "0"
 	$(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER))
 endif
 	$(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_10_OK)" "1"
 	-$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 endif
 ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o
 ifeq "$(LLVM_LTO)" "1"
 	$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 endif
 ./afl-ld-lto: src/afl-ld-lto.c
 ifeq "$(LLVM_LTO)" "1"
 	$(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@
 endif
 ./SanitizerCoverageLTO.so: instrumentation/SanitizerCoverageLTO.so.cc
 ifeq "$(LLVM_LTO)" "1"
 	$(CXX) $(CLANG_CPPFL) -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 endif
 ./afl-llvm-lto-instrumentation.so: instrumentation/afl-llvm-lto-instrumentation.so.cc instrumentation/afl-llvm-common.o
 ifeq "$(LLVM_LTO)" "1"
 	$(CXX) $(CLANG_CPPFL) -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 	$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto.o
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m64 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-64.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
 endif
 # laf
 ./split-switches-pass.so:	instrumentation/split-switches-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 ./compare-transform-pass.so:	instrumentation/compare-transform-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 ./split-compares-pass.so:	instrumentation/split-compares-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 # /laf
 ./cmplog-routines-pass.so:	instrumentation/cmplog-routines-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 ./cmplog-instructions-pass.so:	instrumentation/cmplog-instructions-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 afl-llvm-dict2file.so:	instrumentation/afl-llvm-dict2file.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
 .PHONY: document
 document:
 	$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt.o
 	@$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -m32 -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt-32.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
 	@$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -m64 -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt-64.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
 ./afl-compiler-rt.o: instrumentation/afl-compiler-rt.o.c
 	$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -fPIC -c $< -o $@
 ./afl-compiler-rt-32.o: instrumentation/afl-compiler-rt.o.c
 	@printf "[*] Building 32-bit variant of the runtime (-m32)... "
 	@$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; ln -sf afl-compiler-rt-32.o afl-llvm-rt-32.o; else echo "failed (that's fine)"; fi
 ./afl-compiler-rt-64.o: instrumentation/afl-compiler-rt.o.c
 	@printf "[*] Building 64-bit variant of the runtime (-m64)... "
 	@$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; ln -sf afl-compiler-rt-64.o afl-llvm-rt-64.o; else echo "failed (that's fine)"; fi
 .PHONY: test_build
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
 	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
 	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
 	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
 	@echo "[+] All right, the instrumentation seems to be working!"
 .PHONY: all_done
 all_done: test_build
 	@echo "[+] All done! You can now use './afl-cc' to compile programs."
 .NOTPARALLEL: clean
 .PHONY: install
 install: all
 	@install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
 	@if [ -f ./afl-cc ]; then set -e; install -m 755 ./afl-cc $${DESTDIR}$(BIN_PATH); ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-c++; fi
 	@rm -f $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt*.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt*.o
 	@if [ -f ./afl-compiler-rt.o ]; then set -e; install -m 755 ./afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt.o ;fi
 	@if [ -f ./afl-lto ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-lto; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-lto++; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ./afl-llvm-lto-instrumentation.so ./afl-llvm-rt-lto*.o ./afl-llvm-lto-instrumentlist.so $${DESTDIR}$(HELPER_PATH); fi
 	@if [ -f ./afl-ld-lto ]; then set -e; install -m 755 ./afl-ld-lto $${DESTDIR}$(BIN_PATH); fi
 	@if [ -f ./afl-compiler-rt-32.o ]; then set -e; install -m 755 ./afl-compiler-rt-32.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt-32.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-32.o ;fi
 	@if [ -f ./afl-compiler-rt-64.o ]; then set -e; install -m 755 ./afl-compiler-rt-64.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt-64.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-64.o ; fi
 	@if [ -f ./compare-transform-pass.so ]; then set -e; install -m 755 ./*.so $${DESTDIR}$(HELPER_PATH); fi
 	@if [ -f ./compare-transform-pass.so ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-fast ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang-fast++ ; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang++ ; fi
 	@if [ -f ./SanitizerCoverageLTO.so ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang-lto++ ; fi
 	set -e; install -m 644 ./dynamic_list.txt $${DESTDIR}$(HELPER_PATH)
 	install -m 644 instrumentation/README.*.md $${DESTDIR}$(DOC_PATH)/
 %.8: %
 	@echo .TH $* 8 $(BUILD_DATE) "afl++" > ./$@
 	@echo .SH NAME >> ./$@
 	@printf "%s" ".B $* \- " >> ./$@
 	@./$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ./$@
 	@echo .B $* >> ./$@
 	@echo >> ./$@
 	@echo .SH SYNOPSIS >> ./$@
 	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ./$@
 	@echo >> ./$@
 	@echo .SH OPTIONS >> ./$@
 	@echo .nf >> ./$@
 	@./$* -h 2>&1 | tail -n +4 >> ./$@
 	@echo >> ./$@
 	@echo .SH AUTHOR >> ./$@
 	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> ./$@
 	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ./$@
 	@echo >> ./$@
 	@echo .SH LICENSE >> ./$@
 	@echo Apache License Version 2.0, January 2004 >> ./$@
 	@ln -sf afl-cc.8 ./afl-c++.8
 ifneq "$(AFL_CLANG_FLTO)" ""
 ifeq "$(LLVM_LTO)" "1"
 	@ln -sf afl-cc.8 ./afl-clang-lto.8
 	@ln -sf afl-cc.8 ./afl-clang-lto++.8
 	@ln -sf afl-cc.8 ./afl-lto.8
 	@ln -sf afl-cc.8 ./afl-lto++.8
 endif
 endif
 .PHONY: clean
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* .test2 test-instr .test-instr0 .test-instr1 *.dwo
 	rm -f $(PROGS) afl-common.o ./afl-c++ ./afl-lto ./afl-lto++ ./afl-clang-lto* ./afl-clang-fast* ./afl-clang*.8 ./ld ./afl-ld ./afl-llvm-rt*.o instrumentation/*.o
--- a/README.md
+++ b/README.md
--- a/TODO.md
+++ b/TODO.md
@ -1,31 +1,23 @@
 # TODO list for AFL++
-## Roadmap 2.67+
+## Roadmap 3.00+
 - expand on AFL_LLVM_INSTRUMENT_FILE to also support sancov allowlist format
 - AFL_MAP_SIZE for qemu_mode and unicorn_mode
 - CPU affinity for many cores? There seems to be an issue > 96 cores
 - afl-plot to support multiple plot_data
 - afl_custom_fuzz_splice_optin()
 - afl_custom_splice()
 - intel-pt tracer
 - better autodetection of shifting runtime timeout values
 - cmplog: use colorization input for havoc?
 - cmplog: too much tainted bytes, directly add to dict and skip?
 ## Further down the road
 afl-fuzz:
 - setting min_len/max_len/start_offset/end_offset limits for mutation output
 llvm_mode:
 - LTO - imitate sancov
 gcc_plugin:
 - (wait for submission then decide)
 - laf-intel
 - better instrumentation (seems to be better with gcc-9+)
 better documentation:
 - flow graph
 - short intro
 - faq (how to increase stability, speed, many parallel ...)
 qemu_mode:
 - update to 5.x (if the performance bug if gone)
 - non colliding instrumentation
 - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END,
   AFL_COMPCOV_LEVEL?)
@ -33,3 +25,13 @@ qemu_mode:
   persistent mode
 - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM
 - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses
 ## Ideas
 - LTO/sancov: write current edge to prev_loc and use that information when
   using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow
   up edge numbers that both following cmp paths have been found and then
   disable working on this edge id -> cmplog_intelligence branch
 - use cmplog colorization taint result for havoc locations?
--- a/111
+++ b/111
@ -113,13 +113,16 @@ function usage() {
 "  -C            - keep crashing inputs, reject everything else\n" \
 "  -e            - solve for edge coverage only, ignore hit counts\n" \
 "\n" \
-"For additional tips, please consult docs/README.md\n" \
+"For additional tips, please consult README.md\n" \
 "\n" \
 "Environment variables used:\n" \
 "AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n" \
 "AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \
 "AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \
 "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
-"AFL_PATH: path for the afl-showmap binary\n" \
+"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
-"AFL_SKIP_BIN_CHECK: skip check for target binary\n" \
+"AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \
-"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n"
+"AFL_SKIP_BIN_CHECK: skip check for target binary\n"
   exit 1
 }
@ -132,6 +135,8 @@ BEGIN {
  # defaults
  extra_par = ""
  AFL_CMIN_CRASHES_ONLY = ""
  # process options
  Opterr = 1    # default is to diagnose
  Optind = 1    # skip ARGV[0]
@ -168,7 +173,7 @@ BEGIN {
      continue
    } else 
    if (_go_c == "C") {
-      ENVIRON["AFL_CMIN_CRASHES_ONLY"] = 1
+      AFL_CMIN_CRASHES_ONLY = "AFL_CMIN_CRASHES_ONLY=1 "
      continue
    } else 
    if (_go_c == "e") {
@ -178,14 +183,12 @@ BEGIN {
    if (_go_c == "Q") {
      if (qemu_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
      extra_par = extra_par " -Q"
      if ( !mem_limit_given ) mem_limit = "250"
      qemu_mode = 1
      continue
    } else 
    if (_go_c == "U") {
      if (unicorn_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
      extra_par = extra_par " -U"
      if ( !mem_limit_given ) mem_limit = "250"
      unicorn_mode = 1
      continue
    } else 
@ -195,7 +198,7 @@ BEGIN {
      usage()
  } # while options
-  if (!mem_limit) mem_limit = 200
+  if (!mem_limit) mem_limit = "none"
  if (!timeout) timeout = "none"
  # get program args
@ -284,6 +287,10 @@ BEGIN {
    exit 1
  }
  if (0 == system( "test -d "in_dir"/default" )) {
    in_dir = in_dir "/default"
  }
  if (0 == system( "test -d "in_dir"/queue" )) {
    in_dir = in_dir "/queue"
  }
@ -309,14 +316,18 @@ BEGIN {
    close( stdin_file )
  }
-  if (!ENVIRON["AFL_PATH"]) {
+  # First we look in PATH
-    if (0 == system("test -f afl-cmin")) {
+  if (0 == system("command -v afl-showmap >/dev/null 2>&1")) {
    "command -v afl-showmap 2>/dev/null" | getline showmap
  } else {
    # then we look in the current directory
    if (0 == system("test -x ./afl-showmap")) {
      showmap = "./afl-showmap"
    } else {
-      "command -v afl-showmap 2>/dev/null" | getline showmap
+      if (ENVIRON["AFL_PATH"]) {
        showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
      }
    }
  } else {
    showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
  }
  if (!showmap || 0 != system("test -x "showmap )) {
@ -335,8 +346,10 @@ BEGIN {
  } else {
    stat_format = "-f '%z %N'" # *BSD, MacOS
  }
-  cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r"
+  cmdline = "(cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r)"
-  cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format") | sort -k1n -k2r"
+  #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r"
  while (cmdline | getline) {
    sub(/^[0-9]+ (\.\/)?/,"",$0)
    infilesSmallToBig[i++] = $0
@ -347,44 +360,46 @@ BEGIN {
  # Make sure that we're not dealing with a directory.
-  if (0 == system("test -d "in_dir"/"first_file)) {
+  if (0 == system("test -d ""\""in_dir"/"first_file"\"")) {
-    print "[-] Error: The input directory contains subdirectories - please fix." > "/dev/stderr"
+    print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr"
    exit 1
  }
-  if (0 == system("ln "in_dir"/"first_file" "trace_dir"/.link_test")) {
+  if (0 == system("ln \""in_dir"/"first_file"\" "trace_dir"/.link_test")) {
    cp_tool = "ln"
  } else {
    cp_tool = "cp"
  }
-  # Make sure that we can actually get anything out of afl-showmap before we
+  if (!ENVIRON["AFL_SKIP_BIN_CHECK"]) {
-  # waste too much time.
+    # Make sure that we can actually get anything out of afl-showmap before we
    # waste too much time.
-  print "[*] Testing the target binary..."
+    print "[*] Testing the target binary..."
-  if (!stdin_file) {
+    if (!stdin_file) {
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
-  } else {
+    } else {
-    system("cp "in_dir"/"first_file" "stdin_file)
+      system("cp \""in_dir"/"first_file"\" "stdin_file)
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
-  }
+    }
-
+
-  first_count = 0
+    first_count = 0
-
+
-  runtest = trace_dir"/.run_test"
+    runtest = trace_dir"/.run_test"
-  while ((getline < runtest) > 0) {
+    while ((getline < runtest) > 0) {
-    ++first_count
+      ++first_count
-  }
+    }
-
+
-  if (first_count) {
+    if (first_count) {
-    print "[+] OK, "first_count" tuples recorded."
+      print "[+] OK, "first_count" tuples recorded."
-  } else {
+    } else {
-    print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
+      print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
-    if (!ENVIRON["AFL_KEEP_TRACES"]) {
+      if (!ENVIRON["AFL_KEEP_TRACES"]) {
-      system("rm -rf "trace_dir" 2>/dev/null")
+        system("rm -rf "trace_dir" 2>/dev/null")
      }
      exit 1
    }
    exit 1
  }
  # Let's roll!
@ -398,14 +413,16 @@ BEGIN {
  cur = 0;
  if (!stdin_file) {
    print "    Processing "in_count" files (forkserver mode)..."
-    retval = system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string
    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
  } else {
    print "    Processing "in_count" files (forkserver mode)..."
-    retval = system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
  }
-  if (retval) {
+  if (retval && !AFL_CMIN_CRASHES_ONLY) {
-    print "[!]Exit code != 0 received from afl-showmap, terminating..."
+    print "[!] Exit code "retval" != 0 received from afl-showmap, terminating..."
    if (!ENVIRON["AFL_KEEP_TRACES"]) {
      system("rm -rf "trace_dir" 2>/dev/null")
@ -485,7 +502,7 @@ BEGIN {
    # copy file unless already done
    if (! (fn in file_already_copied)) {
-      system(cp_tool" "in_dir"/"fn" "out_dir"/"fn)
+      system(cp_tool" \""in_dir"/"fn"\" \""out_dir"/"fn"\"")
      file_already_copied[fn] = ""
      ++out_count
      #printf "tuple nr %d (%d cnt=%d) -> %s\n",tcnt,key,key_count[key],fn > trace_dir"/.log"
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@ -45,7 +45,7 @@ echo
 # Process command-line options...
-MEM_LIMIT=200
+MEM_LIMIT=none
 TIMEOUT=none
 unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
@ -85,12 +85,10 @@ while getopts "+i:o:f:m:t:eQUCh" opt; do
         ;;
    "Q")
         EXTRA_PAR="$EXTRA_PAR -Q"
         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
         QEMU_MODE=1
         ;;
    "U")
         EXTRA_PAR="$EXTRA_PAR -U"
         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
         UNICORN_MODE=1
         ;;    
    "?")
@ -128,11 +126,11 @@ Minimization settings:
  -C            - keep crashing inputs, reject everything else
  -e            - solve for edge coverage only, ignore hit counts
-For additional tips, please consult docs/README.md.
+For additional tips, please consult README.md.
 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
-AFL_PATH: path for the afl-showmap binary
+AFL_PATH: last resort location to find the afl-showmap binary
 AFL_SKIP_BIN_CHECK: skip check for target binary
 _EOF_
  exit 1
@ -225,6 +223,7 @@ if [ ! -d "$IN_DIR" ]; then
  exit 1
 fi
 test -d "$IN_DIR/default" && IN_DIR="$IN_DIR/default"
 test -d "$IN_DIR/queue" && IN_DIR="$IN_DIR/queue"
 find "$OUT_DIR" -name 'id[:_]*' -maxdepth 1 -exec rm -- {} \; 2>/dev/null
@ -244,10 +243,21 @@ if [ ! "$STDIN_FILE" = "" ]; then
  touch "$STDIN_FILE" || exit 1
 fi
-if [ "$AFL_PATH" = "" ]; then
+SHOWMAP=`command -v afl-showmap 2>/dev/null`
-  SHOWMAP="${0%/afl-cmin.bash}/afl-showmap"
+
 if [ -z "$SHOWMAP" ]; then
  TMP="${0%/afl-cmin.bash}/afl-showmap"
  if [ -x "$TMP" ]; then
    SHOWMAP=$TMP
  fi
 fi
 if [ -z "$SHOWMAP" -a -x "./afl-showmap" ]; then
  SHOWMAP="./afl-showmap"
 else
-  SHOWMAP="$AFL_PATH/afl-showmap"
+  if [ -n "$AFL_PATH" ]; then
    SHOWMAP="$AFL_PATH/afl-showmap"
  fi
 fi
 if [ ! -x "$SHOWMAP" ]; then
--- a/11
+++ b/11
@ -99,7 +99,7 @@ if [ ! -d "$outputdir" ]; then
 fi
-rm -f "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png"
+rm -f "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/edges.png"
 mv -f "$outputdir/index.html" "$outputdir/index.html.orig" 2>/dev/null
 echo "[*] Generating plots..."
@ -152,6 +152,12 @@ set ytics auto
 plot '$inputdir/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
     '$inputdir/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
 set terminal png truecolor enhanced size 1000,300 butt
 set output '$outputdir/edges.png'
 set ytics auto
 plot '$inputdir/plot_data' using 1:13 with lines title '        edges' linecolor rgb '#0090ff' linewidth 3
 _EOF_
 ) | gnuplot 
@ -172,6 +178,7 @@ cat >"$outputdir/index.html" <<_EOF_
 <tr><td><b>Generated on:</b></td><td>`date`</td></tr>
 </table>
 <p>
 <img src="edges.png" width=1000 height=300>
 <img src="high_freq.png" width=1000 height=300><p>
 <img src="low_freq.png" width=1000 height=200><p>
 <img src="exec_speed.png" width=1000 height=200>
@ -183,7 +190,7 @@ _EOF_
 # sensitive, this seems like a reasonable trade-off.
 chmod 755 "$outputdir"
-chmod 644 "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/index.html"
+chmod 644 "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/edges.png" "$outputdir/index.html"
 echo "[+] All done - enjoy your charts!"
--- a/31
+++ b/31
@ -34,11 +34,12 @@ if [ "$PLATFORM" = "Linux" ] ; then
  test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
  test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
  test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
  test -e /sys/devices/system/cpu/intel_pstate/max_perf_pct && echo 100 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
 } > /dev/null
  echo Settings applied.
  dmesg | egrep -q 'nospectre_v2|spectre_v2=off' || {
    echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off"'
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
  }
  DONE=1
 fi
@ -48,6 +49,12 @@ if [ "$PLATFORM" = "FreeBSD" ] ; then
  sysctl kern.elf64.aslr.enable=0
 } > /dev/null
  echo Settings applied.
  cat <<EOF
 In order to suppress core file generation during fuzzing it is recommended to set
 me:\\
 	:coredumpsize=0:
 in the ~/.login_conf file for the user used for fuzzing.
 EOF
  echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
  echo '  sysctl hw.ibrs_disable=1'
  echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
@ -58,6 +65,17 @@ if [ "$PLATFORM" = "OpenBSD" ] ; then
  echo 'System security features cannot be disabled on OpenBSD.'
  DONE=1
 fi
 if [ "$PLATFORM" = "DragonFly" ] ; then
  #/sbin/sysctl kern.corefile=/dev/null
  #echo Settings applied.
  cat <<EOF
 In order to suppress core file generation during fuzzing it is recommended to set
 me:\\
 	:coredumpsize=0:
 in the ~/.login_conf file for the user used for fuzzing.
 EOF
  DONE=1
 fi
 if [ "$PLATFORM" = "NetBSD" ] ; then
 {
  #echo It is recommended to enable unprivileged users to set cpu affinity
@ -79,5 +97,14 @@ if [ "$PLATFORM" = "Darwin" ] ; then
  fi
  DONE=1
 fi
 if [ "$PLATFORM" = "Haiku" ] ; then
  SETTINGS=~/config/settings/system/debug_server/settings
  [ -r ${SETTINGS} ] && grep -qE "default_action\s+kill" ${SETTINGS} && { echo "Nothing to do"; } || { \
    echo We change the debug_server default_action from user to silently kill; \
    [ ! -r ${SETTINGS} ] && echo "default_action kill" >${SETTINGS} || { mv ${SETTINGS} s.tmp; sed -e "s/default_action\s\s*user/default_action kill/" s.tmp > ${SETTINGS}; rm s.tmp; }; \
    echo Settings applied.; \
  }
  DONE=1
 fi
 test -z "$DONE" && echo Error: Unknown platform: $PLATFORM
-test -z "$AFL_TMPDIR" && echo Also use AFL_TMPDIR and point it to a tmpfs for the input file caching
+exit 0
--- a/8
+++ b/8
@ -99,7 +99,7 @@ fi
 fmt_duration()
 {
  DUR_STRING=
-  if [ $1 -eq 0 ]; then
+  if [ $1 -le 0 ]; then
    return 1
  fi
@ -109,7 +109,11 @@ fmt_duration()
  local minutes=$(((duration / 60) % 60))
  local seconds=$((duration % 60))
-  if [ $days -gt 0 ]; then
+  if [ $duration -le 0 ]; then
    DUR_STRING="0 seconds"
  elif [ $duration -eq 1 ]; then
    DUR_STRING="1 second"
  elif [ $days -gt 0 ]; then
    DUR_STRING="$days days, $hours hours"
  elif [ $hours -gt 0 ]; then
    DUR_STRING="$hours hours, $minutes minutes"
--- a/4
+++ b/4
@ -28,9 +28,9 @@ if not os.getenv("AFL_INST_LIBS"):
        os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)
 if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
-    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+    os.environ["QEMU_SET_ENV"] = "LD_PRELOAD=" + os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so") + ",WINEARCH=win64"
 else:
-    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+    os.environ["QEMU_SET_ENV"] = "LD_PRELOAD=" + os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so") + ",WINEARCH=win32"
 if os.getenv("WINECOV_QEMU_PATH"):
    qemu_path = os.getenv("WINECOV_QEMU_PATH")
--- a/custom_mutators/Android.bp
+++ b/custom_mutators/Android.bp
@ -0,0 +1,115 @@
 cc_library_shared {
  name: "libfuzzer-mutator",
  vendor_available: true,
  host_supported: true,
  cflags: [
    "-g",
    "-O0",
    "-funroll-loops",
    "-fPIC",
    "-fpermissive",
    "-std=c++11",
  ],
  srcs: [
    "libfuzzer/FuzzerCrossOver.cpp",
    "libfuzzer/FuzzerDataFlowTrace.cpp",
    "libfuzzer/FuzzerDriver.cpp",
    "libfuzzer/FuzzerExtFunctionsDlsym.cpp",
    "libfuzzer/FuzzerExtFunctionsWeak.cpp",
    "libfuzzer/FuzzerExtFunctionsWindows.cpp",
    "libfuzzer/FuzzerExtraCounters.cpp",
    "libfuzzer/FuzzerFork.cpp",
    "libfuzzer/FuzzerIO.cpp",
    "libfuzzer/FuzzerIOPosix.cpp",
    "libfuzzer/FuzzerIOWindows.cpp",
    "libfuzzer/FuzzerLoop.cpp",
    "libfuzzer/FuzzerMerge.cpp",
    "libfuzzer/FuzzerMutate.cpp",
    "libfuzzer/FuzzerSHA1.cpp",
    "libfuzzer/FuzzerTracePC.cpp",
    "libfuzzer/FuzzerUtil.cpp",
    "libfuzzer/FuzzerUtilDarwin.cpp",
    "libfuzzer/FuzzerUtilFuchsia.cpp",
    "libfuzzer/FuzzerUtilLinux.cpp",
    "libfuzzer/FuzzerUtilPosix.cpp",
    "libfuzzer/FuzzerUtilWindows.cpp",
    "libfuzzer/libfuzzer.cpp",
  ],
  header_libs: [
    "libafl_headers",
  ],
 }
 /*cc_library_shared {
  name: "honggfuzz-mutator",
  vendor_available: true,
  host_supported: true,
  cflags: [
    "-g",
    "-O0",
    "-funroll-loops",
    "-fPIC",
    "-Wl,-Bsymbolic",
  ],
  srcs: [
    "honggfuzz/honggfuzz.c",
    "honggfuzz/mangle.c",
 //    "../src/afl-perfomance.c",
  ],
  header_libs: [
    "libafl_headers",
  ],
 }*/
 cc_library_shared {
  name: "radamsa-mutator",
  vendor_available: true,
  host_supported: true,
  cflags: [
    "-g",
    "-O0",
    "-funroll-loops",
    "-fPIC",
  ],
  srcs: [
    "radamsa/libradamsa.c",
    "radamsa/radamsa-mutator.c",
  ],
  header_libs: [
    "libafl_headers",
  ],
 }
 cc_library_shared {
  name: "symcc-mutator",
  vendor_available: true,
  host_supported: true,
  cflags: [
    "-g",
    "-O0",
    "-funroll-loops",
    "-fPIC",
  ],
  srcs: [
    "symcc/symcc.c",
  ],
  header_libs: [
    "libafl_headers",
  ],
 }
 subdirs = [
  "libprotobuf-mutator-example",
 ]
--- a/custom_mutators/README.md
+++ b/custom_mutators/README.md
@ -1,4 +1,21 @@
-# production ready custom mutators
+# Custom Mutators
 Custom mutators enhance and alter the mutation strategies of afl++.
 For further information and documentation on how to write your own, read [the docs](../docs/custom_mutators.md).
 ## The afl++ Grammar Mutator
 If you use git to clone afl++, then the following will incorporate our
 excellent grammar custom mutator:
 ```sh
 git submodule update --init
 ```
 Read the README in the [Grammar-Mutator] repository on how to use it.
 [Grammar-Mutator]: https://github.com/AFLplusplus/Grammar-Mutator
 ## Production-Ready Custom Mutators
 This directory holds ready to use custom mutators.
 Just type "make" in the individual subdirectories.
@ -11,15 +28,15 @@ and add `AFL_CUSTOM_MUTATOR_ONLY=1` if you only want to use the custom mutator.
 Multiple custom mutators can be used by separating their paths with `:` in the environment variable.
-# Other custom mutators
+## 3rd Party Custom Mutators
-## Superion port
+### Superion Mutators
 Adrian Tiron ported the Superion grammar fuzzer to afl++, it is WIP and
 requires cmake (among other things):
 [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
-## Protobuf
+### libprotobuf Mutators
 There are two WIP protobuf projects, that require work to be working though:
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@ -0,0 +1 @@
 b3c4fcf
--- a/custom_mutators/grammar_mutator/README.md
+++ b/custom_mutators/grammar_mutator/README.md
@ -0,0 +1,6 @@
 # Grammar-Mutator
 This is just a stub directory that will clone the real grammar mutator
 directory.
 Execute `./build_grammar_mutator.sh` to set everything up.
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@ -0,0 +1,140 @@
 #!/bin/sh
 #
 # american fuzzy lop++ - unicorn mode build script
 # ------------------------------------------------
 #
 # Originally written by Nathan Voss <njvoss99@gmail.com>
 #
 # Adapted from code by Andrew Griffiths <agriffiths@google.com> and
 #                      Michal Zalewski
 #
 # Adapted for AFLplusplus by Dominik Maier <mail@dmnk.co>
 #
 # CompareCoverage and NeverZero counters by Andrea Fioraldi
 #                                <andreafioraldi@gmail.com>
 #
 # Copyright 2017 Battelle Memorial Institute. All rights reserved.
 # Copyright 2019-2020 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # This script downloads, patches, and builds a version of Unicorn with
 # minor tweaks to allow Unicorn-emulated binaries to be run under
 # afl-fuzz.
 #
 # The modifications reside in patches/*. The standalone Unicorn library
 # will be written to /usr/lib/libunicornafl.so, and the Python bindings
 # will be installed system-wide.
 #
 # You must make sure that Unicorn Engine is not already installed before
 # running this script. If it is, please uninstall it first.
 GRAMMAR_VERSION="$(cat ./GRAMMAR_VERSION)"
 GRAMMAR_REPO="https://github.com/AFLplusplus/grammar-mutator"
 echo "================================================="
 echo "Grammar Mutator build script"
 echo "================================================="
 echo
 echo "[*] Performing basic sanity checks..."
 PLT=`uname -s`
 if [ ! -f "../../config.h" ]; then
  echo "[-] Error: key files not found - wrong working directory?"
  exit 1
 fi
 PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3`
 MAKECMD=make
 TARCMD=tar
 if [ "$PLT" = "Darwin" ]; then
  CORES=`sysctl -n hw.ncpu`
  TARCMD=tar
 fi
 if [ "$PLT" = "FreeBSD" ]; then
  MAKECMD=gmake
  CORES=`sysctl -n hw.ncpu`
  TARCMD=gtar
 fi
 if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then
  MAKECMD=gmake
  CORES=`sysctl -n hw.ncpu`
  TARCMD=gtar
 fi
 PREREQ_NOTFOUND=
 for i in git $MAKECMD $TARCMD; do
  T=`command -v "$i" 2>/dev/null`
  if [ "$T" = "" ]; then
    echo "[-] Error: '$i' not found. Run 'sudo apt-get install $i' or similar."
    PREREQ_NOTFOUND=1
  fi
 done
 if echo "$CC" | grep -qF /afl-; then
  echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
  PREREQ_NOTFOUND=1
 fi
 if [ "$PREREQ_NOTFOUND" = "1" ]; then
  exit 1
 fi
 echo "[+] All checks passed!"
 echo "[*] Making sure grammar mutator is checked out"
 git status 1>/dev/null 2>/dev/null
 if [ $? -eq 0 ]; then
  echo "[*] initializing grammar mutator submodule"
  git submodule init || exit 1
  git submodule update ./grammar-mutator 2>/dev/null # ignore errors
 else
  echo "[*] cloning grammar mutator"
  test -d grammar-mutator || {
    CNT=1
    while [ '!' -d grammar-mutator -a "$CNT" -lt 4 ]; do
      echo "Trying to clone grammar-mutator (attempt $CNT/3)"
      git clone "$GRAMMAR_REPO" 
      CNT=`expr "$CNT" + 1`
    done
  }
 fi
 test -d grammar-mutator || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
 echo "[+] Got grammar mutator."
 cd "grammar-mutator" || exit 1
 echo "[*] Checking out $GRAMMAR_VERSION"
 sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null
 git checkout "$GRAMMAR_VERSION" || exit 1
 echo "[*] Downloading antlr..."
 wget -c https://www.antlr.org/download/antlr-4.8-complete.jar
 cd ..
 echo
 echo
 echo "[+] All successfully prepared!"
 echo "[!] To build for your grammar just do:"
 echo "      cd grammar-mutator"
 echo "      make GRAMMAR_FILE=/path/to/your/grammar"
 echo "[+] You will find a JSON and RUBY grammar in grammar-mutator/grammars to play with."
 echo
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
--- a/custom_mutators/grammar_mutator/update_grammar_ref.sh
+++ b/custom_mutators/grammar_mutator/update_grammar_ref.sh
@ -0,0 +1,50 @@
 #!/bin/sh
 ##################################################
 # AFL++ tool to update a git ref.
 # Usage: ./<script>.sh <new commit hash>
 # If no commit hash was provided, it'll take HEAD.
 ##################################################
 TOOL="grammar mutator"
 VERSION_FILE='./GRAMMAR_VERSION'
 REPO_FOLDER='./grammar_mutator'
 THIS_SCRIPT=`basename $0`
 BRANCH="stable"
 NEW_VERSION="$1"
 if [ "$NEW_VERSION" = "-h" ]; then
  echo "Internal script to update bound $TOOL version."
  echo
  echo "Usage: $THIS_SCRIPT <new commit hash>"
  echo "If no commit hash is provided, will use HEAD."
  echo "-h to show this help screen."
  exit 1
 fi
 git submodule init && git submodule update ./grammar_mutator || exit 1
 cd "$REPO_FOLDER" || exit 1
 git fetch origin $BRANCH 1>/dev/null || exit 1
 git stash 1>/dev/null 2>/dev/null
 git stash drop 1>/dev/null 2>/dev/null
 git checkout $BRANCH
 if [ -z "$NEW_VERSION" ]; then
  # No version provided, take HEAD.
  NEW_VERSION=$(git rev-parse --short HEAD)
 fi
 if [ -z "$NEW_VERSION" ]; then
  echo "Error getting version."
  exit 1
 fi
 git checkout "$NEW_VERSION" || exit 1
 cd ..
 rm "$VERSION_FILE"
 echo "$NEW_VERSION" > "$VERSION_FILE"
 echo "Done. New $TOOL version is $NEW_VERSION."
--- a/custom_mutators/honggfuzz/Makefile
+++ b/custom_mutators/honggfuzz/Makefile
@ -1,12 +1,14 @@
 CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
-all: honggfuzz.so
+all: honggfuzz-mutator.so
-honggfuzz.so:	honggfuzz.c input.h mangle.c ../../src/afl-performance.c
+honggfuzz-mutator.so:	honggfuzz.c input.h mangle.c ../../src/afl-performance.c
-	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz.so honggfuzz.c mangle.c ../../src/afl-performance.c
+	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz-mutator.so honggfuzz.c mangle.c ../../src/afl-performance.c
 update:
 	@# seriously? --unlink is a dud option? sigh ...
 	rm -f mangle.c mangle.h honggfuzz.h
 	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
 	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
 	wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h
--- a/custom_mutators/honggfuzz/README.md
+++ b/custom_mutators/honggfuzz/README.md
@ -1,12 +1,12 @@
 # custum mutator: honggfuzz mangle
-this is the very good honggfuzz mutator in mangle.c as a custom mutator
+this is the honggfuzz mutator in mangle.c as a custom mutator
 module for afl++. It is the original mangle.c, mangle.h and honggfuzz.h
 with a lot of mocking around it :-)
 just type `make` to build
-```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz.so afl-fuzz ...```
+```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz-mutator.so afl-fuzz ...```
 > Original repository: https://github.com/google/honggfuzz
 > Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5
--- a/custom_mutators/honggfuzz/common.h
+++ b/custom_mutators/honggfuzz/common.h
--- a/custom_mutators/honggfuzz/honggfuzz.c
+++ b/custom_mutators/honggfuzz/honggfuzz.c
@ -37,6 +37,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
  if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {
    free(data);
    perror("mutator_buf alloc");
    return NULL;
--- a/custom_mutators/honggfuzz/honggfuzz.h
+++ b/custom_mutators/honggfuzz/honggfuzz.h
@ -38,18 +38,17 @@
 #include "libhfcommon/util.h"
-#define PROG_NAME "honggfuzz"
+#define PROG_NAME    "honggfuzz"
-#define PROG_VERSION "2.2"
+#define PROG_VERSION "2.4"
-/* Name of the template which will be replaced with the proper name of the file
+/* Name of the template which will be replaced with the proper name of the file */
 */
 #define _HF_FILE_PLACEHOLDER "___FILE___"
 /* Default name of the report created with some architectures */
 #define _HF_REPORT_FILE "HONGGFUZZ.REPORT.TXT"
 /* Default stack-size of created threads. */
-#define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL)             /* 2MB */
+#define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL) /* 2MB */
 /* Name of envvar which indicates sequential number of fuzzer */
 #define _HF_THREAD_NO_ENV "HFUZZ_THREAD_NO"
@ -63,12 +62,11 @@
 /* Number of crash verifier iterations before tag crash as stable */
 #define _HF_VERIFIER_ITER 5
-/* Size (in bytes) for report data to be stored in stack before written to file
+/* Size (in bytes) for report data to be stored in stack before written to file */
 */
 #define _HF_REPORT_SIZE 32768
 /* Perf bitmap size */
-#define _HF_PERF_BITMAP_SIZE_16M (1024U * 1024U * 16U)
+#define _HF_PERF_BITMAP_SIZE_16M   (1024U * 1024U * 16U)
 #define _HF_PERF_BITMAP_BITSZ_MASK 0x7FFFFFFULL
 /* Maximum number of PC guards (=trace-pc-guard) we support */
 #define _HF_PC_GUARD_MAX (1024ULL * 1024ULL * 64ULL)
@ -89,7 +87,7 @@
 #define _HF_INPUT_FD 1021
 /* FD used to pass coverage feedback from the fuzzed process */
 #define _HF_COV_BITMAP_FD 1022
-#define _HF_BITMAP_FD _HF_COV_BITMAP_FD   /* Old name for _HF_COV_BITMAP_FD */
+#define _HF_BITMAP_FD     _HF_COV_BITMAP_FD /* Old name for _HF_COV_BITMAP_FD */
 /* FD used to pass data to a persistent process */
 #define _HF_PERSISTENT_FD 1023
@ -105,356 +103,284 @@ static const uint8_t HFReadyTag = 'R';
 /* Maximum number of active fuzzing threads */
 #define _HF_THREAD_MAX 1024U
-/* Persistent-binary signature - if found within file, it means it's a
+/* Persistent-binary signature - if found within file, it means it's a persistent mode binary */
 * persistent mode binary */
 #define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF"
-/* HF NetDriver signature - if found within file, it means it's a
+/* HF NetDriver signature - if found within file, it means it's a NetDriver-based binary */
 * NetDriver-based binary */
 #define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF"
-/* printf() nonmonetary separator. According to MacOSX's man it's supported
+/* printf() nonmonetary separator. According to MacOSX's man it's supported there as well */
 * there as well */
 #define _HF_NONMON_SEP "'"
 typedef enum {
-
+    _HF_DYNFILE_NONE         = 0x0,
-  _HF_DYNFILE_NONE = 0x0,
+    _HF_DYNFILE_INSTR_COUNT  = 0x1,
-  _HF_DYNFILE_INSTR_COUNT = 0x1,
+    _HF_DYNFILE_BRANCH_COUNT = 0x2,
-  _HF_DYNFILE_BRANCH_COUNT = 0x2,
+    _HF_DYNFILE_BTS_EDGE     = 0x10,
-  _HF_DYNFILE_BTS_EDGE = 0x10,
+    _HF_DYNFILE_IPT_BLOCK    = 0x20,
-  _HF_DYNFILE_IPT_BLOCK = 0x20,
+    _HF_DYNFILE_SOFT         = 0x40,
  _HF_DYNFILE_SOFT = 0x40,
 } dynFileMethod_t;
 typedef struct {
-
+    uint64_t cpuInstrCnt;
-  uint64_t cpuInstrCnt;
+    uint64_t cpuBranchCnt;
-  uint64_t cpuBranchCnt;
+    uint64_t bbCnt;
-  uint64_t bbCnt;
+    uint64_t newBBCnt;
-  uint64_t newBBCnt;
+    uint64_t softCntPc;
-  uint64_t softCntPc;
+    uint64_t softCntEdge;
-  uint64_t softCntEdge;
+    uint64_t softCntCmp;
  uint64_t softCntCmp;
 } hwcnt_t;
 typedef enum {
-
+    _HF_STATE_UNSET = 0,
-  _HF_STATE_UNSET = 0,
+    _HF_STATE_STATIC,
-  _HF_STATE_STATIC,
+    _HF_STATE_DYNAMIC_DRY_RUN,
-  _HF_STATE_DYNAMIC_DRY_RUN,
+    _HF_STATE_DYNAMIC_MAIN,
-  _HF_STATE_DYNAMIC_MAIN,
+    _HF_STATE_DYNAMIC_MINIMIZE,
  _HF_STATE_DYNAMIC_MINIMIZE,
 } fuzzState_t;
 typedef enum {
-
+    HF_MAYBE = -1,
-  HF_MAYBE = -1,
+    HF_NO    = 0,
-  HF_NO = 0,
+    HF_YES   = 1,
  HF_YES = 1,
 } tristate_t;
 struct _dynfile_t {
-
+    size_t             size;
-  size_t             size;
+    uint64_t           cov[4];
-  uint64_t           cov[4];
+    size_t             idx;
-  size_t             idx;
+    int                fd;
-  int                fd;
+    uint64_t           timeExecUSecs;
-  uint64_t           timeExecUSecs;
+    char               path[PATH_MAX];
-  char               path[PATH_MAX];
+    struct _dynfile_t* src;
-  struct _dynfile_t *src;
+    uint32_t           refs;
-  uint32_t           refs;
+    uint8_t*           data;
-  uint8_t *          data;
+    TAILQ_ENTRY(_dynfile_t) pointers;
  TAILQ_ENTRY(_dynfile_t) pointers;
 };
 typedef struct _dynfile_t dynfile_t;
 struct strings_t {
-
+    size_t len;
-  size_t len;
+    TAILQ_ENTRY(strings_t) pointers;
-  TAILQ_ENTRY(strings_t) pointers;
+    char s[];
  char s[];
 };
 typedef struct {
-
+    uint8_t  pcGuardMap[_HF_PC_GUARD_MAX];
-  uint8_t  pcGuardMap[_HF_PC_GUARD_MAX];
+    uint8_t  bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
-  uint8_t  bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
+    uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
-  uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
+    uint64_t pidNewPC[_HF_THREAD_MAX];
-  uint64_t pidNewPC[_HF_THREAD_MAX];
+    uint64_t pidNewEdge[_HF_THREAD_MAX];
-  uint64_t pidNewEdge[_HF_THREAD_MAX];
+    uint64_t pidNewCmp[_HF_THREAD_MAX];
-  uint64_t pidNewCmp[_HF_THREAD_MAX];
+    uint64_t guardNb;
-  uint64_t guardNb;
+    uint64_t pidTotalPC[_HF_THREAD_MAX];
-  uint64_t pidTotalPC[_HF_THREAD_MAX];
+    uint64_t pidTotalEdge[_HF_THREAD_MAX];
-  uint64_t pidTotalEdge[_HF_THREAD_MAX];
+    uint64_t pidTotalCmp[_HF_THREAD_MAX];
  uint64_t pidTotalCmp[_HF_THREAD_MAX];
 } feedback_t;
 typedef struct {
-
+    uint32_t cnt;
-  uint32_t cnt;
+    struct {
-  struct {
+        uint8_t  val[32];
-
+        uint32_t len;
-    uint8_t  val[32];
+    } valArr[1024 * 16];
    uint32_t len;
  } valArr[1024 * 16];
 } cmpfeedback_t;
 typedef struct {
  struct {
    size_t    threadsMax;
    size_t    threadsFinished;
    uint32_t  threadsActiveCnt;
    pthread_t mainThread;
    pid_t     mainPid;
    pthread_t threads[_HF_THREAD_MAX];
  } threads;
  struct {
    const char *inputDir;
    const char *outputDir;
    DIR *       inputDirPtr;
    size_t      fileCnt;
    size_t      testedFileCnt;
    const char *fileExtn;
    size_t      maxFileSz;
    size_t      newUnitsAdded;
    char        workDir[PATH_MAX];
    const char *crashDir;
    const char *covDirNew;
    bool        saveUnique;
    size_t      dynfileqMaxSz;
    size_t      dynfileqCnt;
    dynfile_t * dynfileqCurrent;
    dynfile_t * dynfileq2Current;
    TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
    bool exportFeedback;
  } io;
  struct {
    int                argc;
    const char *const *cmdline;
    bool               nullifyStdio;
    bool               fuzzStdin;
    const char *       externalCommand;
    const char *       postExternalCommand;
    const char *       feedbackMutateCommand;
    bool               netDriver;
    bool               persistent;
    uint64_t           asLimit;
    uint64_t           rssLimit;
    uint64_t           dataLimit;
    uint64_t           coreLimit;
    uint64_t           stackLimit;
    bool               clearEnv;
    char *             env_ptrs[128];
    char               env_vals[128][4096];
    sigset_t           waitSigSet;
  } exe;
  struct {
    time_t  timeStart;
    time_t  runEndTime;
    time_t  tmOut;
    time_t  lastCovUpdate;
    int64_t timeOfLongestUnitUSecs;
    bool    tmoutVTALRM;
  } timing;
  struct {
    struct {
        size_t    threadsMax;
        size_t    threadsFinished;
        uint32_t  threadsActiveCnt;
        pthread_t mainThread;
        pid_t     mainPid;
        pthread_t threads[_HF_THREAD_MAX];
    } threads;
    struct {
        const char* inputDir;
        const char* outputDir;
        DIR*        inputDirPtr;
        size_t      fileCnt;
        size_t      testedFileCnt;
        const char* fileExtn;
        size_t      maxFileSz;
        size_t      newUnitsAdded;
        char        workDir[PATH_MAX];
        const char* crashDir;
        const char* covDirNew;
        bool        saveUnique;
        bool        saveSmaller;
        size_t      dynfileqMaxSz;
        size_t      dynfileqCnt;
        dynfile_t*  dynfileqCurrent;
        dynfile_t*  dynfileq2Current;
        TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
        bool exportFeedback;
    } io;
    struct {
        int                argc;
        const char* const* cmdline;
        bool               nullifyStdio;
        bool               fuzzStdin;
        const char*        externalCommand;
        const char*        postExternalCommand;
        const char*        feedbackMutateCommand;
        bool               netDriver;
        bool               persistent;
        uint64_t           asLimit;
        uint64_t           rssLimit;
        uint64_t           dataLimit;
        uint64_t           coreLimit;
        uint64_t           stackLimit;
        bool               clearEnv;
        char*              env_ptrs[128];
        char               env_vals[128][4096];
        sigset_t           waitSigSet;
    } exe;
    struct {
        time_t  timeStart;
        time_t  runEndTime;
        time_t  tmOut;
        time_t  lastCovUpdate;
        int64_t timeOfLongestUnitUSecs;
        bool    tmoutVTALRM;
    } timing;
    struct {
        struct {
            uint8_t val[256];
            size_t  len;
        } dictionary[1024];
        size_t      dictionaryCnt;
        const char* dictionaryFile;
        size_t      mutationsMax;
        unsigned    mutationsPerRun;
        size_t      maxInputSz;
    } mutate;
    struct {
        bool    useScreen;
        char    cmdline_txt[65];
        int64_t lastDisplayUSecs;
    } display;
    struct {
        bool        useVerifier;
        bool        exitUponCrash;
        const char* reportFile;
        size_t      dynFileIterExpire;
        bool        only_printable;
        bool        minimize;
        bool        switchingToFDM;
    } cfg;
    struct {
        bool enable;
        bool del_report;
    } sanitizer;
    struct {
        fuzzState_t     state;
        feedback_t*     covFeedbackMap;
        int             covFeedbackFd;
        cmpfeedback_t*  cmpFeedbackMap;
        int             cmpFeedbackFd;
        bool            cmpFeedback;
        const char*     blocklistFile;
        uint64_t*       blocklist;
        size_t          blocklistCnt;
        bool            skipFeedbackOnTimeout;
        uint64_t        maxCov[4];
        dynFileMethod_t dynFileMethod;
        hwcnt_t         hwCnts;
    } feedback;
    struct {
        size_t mutationsCnt;
        size_t crashesCnt;
        size_t uniqueCrashesCnt;
        size_t verifiedCrashesCnt;
        size_t blCrashesCnt;
        size_t timeoutedCnt;
    } cnts;
    struct {
        bool enabled;
        int  serverSocket;
        int  clientSocket;
    } socketFuzzer;
    struct {
        pthread_rwlock_t dynfileq;
        pthread_mutex_t  feedback;
        pthread_mutex_t  report;
        pthread_mutex_t  state;
        pthread_mutex_t  input;
        pthread_mutex_t  timing;
    } mutex;
-      uint8_t val[256];
+    /* For the Linux code */
-      size_t  len;
+    struct {
-
+        int         exeFd;
-    } dictionary[1024];
+        uint64_t    dynamicCutOffAddr;
-
+        bool        disableRandomization;
-    size_t      dictionaryCnt;
+        void*       ignoreAddr;
-    const char *dictionaryFile;
+        const char* symsBlFile;
-    size_t      mutationsMax;
+        char**      symsBl;
-    unsigned    mutationsPerRun;
+        size_t      symsBlCnt;
-    size_t      maxInputSz;
+        const char* symsWlFile;
-
+        char**      symsWl;
-  } mutate;
+        size_t      symsWlCnt;
-
+        uintptr_t   cloneFlags;
-  struct {
+        tristate_t  useNetNs;
-
+        bool        kernelOnly;
-    bool    useScreen;
+        bool        useClone;
-    char    cmdline_txt[65];
+    } arch_linux;
-    int64_t lastDisplayUSecs;
+    /* For the NetBSD code */
-
+    struct {
-  } display;
+        void*       ignoreAddr;
-
+        const char* symsBlFile;
-  struct {
+        char**      symsBl;
-
+        size_t      symsBlCnt;
-    bool        useVerifier;
+        const char* symsWlFile;
-    bool        exitUponCrash;
+        char**      symsWl;
-    const char *reportFile;
+        size_t      symsWlCnt;
-    size_t      dynFileIterExpire;
+    } arch_netbsd;
    bool        only_printable;
    bool        minimize;
    bool        switchingToFDM;
  } cfg;
  struct {
    bool enable;
    bool del_report;
  } sanitizer;
  struct {
    fuzzState_t     state;
    feedback_t *    covFeedbackMap;
    int             covFeedbackFd;
    cmpfeedback_t * cmpFeedbackMap;
    int             cmpFeedbackFd;
    bool            cmpFeedback;
    const char *    blacklistFile;
    uint64_t *      blacklist;
    size_t          blacklistCnt;
    bool            skipFeedbackOnTimeout;
    uint64_t        maxCov[4];
    dynFileMethod_t dynFileMethod;
    hwcnt_t         hwCnts;
  } feedback;
  struct {
    size_t mutationsCnt;
    size_t crashesCnt;
    size_t uniqueCrashesCnt;
    size_t verifiedCrashesCnt;
    size_t blCrashesCnt;
    size_t timeoutedCnt;
  } cnts;
  struct {
    bool enabled;
    int  serverSocket;
    int  clientSocket;
  } socketFuzzer;
  struct {
    pthread_rwlock_t dynfileq;
    pthread_mutex_t  feedback;
    pthread_mutex_t  report;
    pthread_mutex_t  state;
    pthread_mutex_t  input;
    pthread_mutex_t  timing;
  } mutex;
  /* For the Linux code */
  struct {
    int         exeFd;
    uint64_t    dynamicCutOffAddr;
    bool        disableRandomization;
    void *      ignoreAddr;
    const char *symsBlFile;
    char **     symsBl;
    size_t      symsBlCnt;
    const char *symsWlFile;
    char **     symsWl;
    size_t      symsWlCnt;
    uintptr_t   cloneFlags;
    tristate_t  useNetNs;
    bool        kernelOnly;
    bool        useClone;
  } arch_linux;
  /* For the NetBSD code */
  struct {
    void *      ignoreAddr;
    const char *symsBlFile;
    char **     symsBl;
    size_t      symsBlCnt;
    const char *symsWlFile;
    char **     symsWl;
    size_t      symsWlCnt;
  } arch_netbsd;
 } honggfuzz_t;
 typedef enum {
-
+    _HF_RS_UNKNOWN                   = 0,
-  _HF_RS_UNKNOWN = 0,
+    _HF_RS_WAITING_FOR_INITIAL_READY = 1,
-  _HF_RS_WAITING_FOR_INITIAL_READY = 1,
+    _HF_RS_WAITING_FOR_READY         = 2,
-  _HF_RS_WAITING_FOR_READY = 2,
+    _HF_RS_SEND_DATA                 = 3,
  _HF_RS_SEND_DATA = 3,
 } runState_t;
 typedef struct {
-
+    honggfuzz_t* global;
-  honggfuzz_t *global;
+    pid_t        pid;
-  pid_t        pid;
+    int64_t      timeStartedUSecs;
-  int64_t      timeStartedUSecs;
+    char         crashFileName[PATH_MAX];
-  char         crashFileName[PATH_MAX];
+    uint64_t     pc;
-  uint64_t     pc;
+    uint64_t     backtrace;
-  uint64_t     backtrace;
+    uint64_t     access;
-  uint64_t     access;
+    int          exception;
-  int          exception;
+    char         report[_HF_REPORT_SIZE];
-  char         report[_HF_REPORT_SIZE];
+    bool         mainWorker;
-  bool         mainWorker;
+    unsigned     mutationsPerRun;
-  unsigned     mutationsPerRun;
+    dynfile_t*   dynfile;
-  dynfile_t *  dynfile;
+    bool         staticFileTryMore;
-  bool         staticFileTryMore;
+    uint32_t     fuzzNo;
-  uint32_t     fuzzNo;
+    int          persistentSock;
-  int          persistentSock;
+    runState_t   runState;
-  runState_t   runState;
+    bool         tmOutSignaled;
-  bool         tmOutSignaled;
+    char*        args[_HF_ARGS_MAX + 1];
-  char *       args[_HF_ARGS_MAX + 1];
+    int          perThreadCovFeedbackFd;
-  int          perThreadCovFeedbackFd;
+    unsigned     triesLeft;
-  unsigned     triesLeft;
+    dynfile_t*   current;
  dynfile_t *  current;
 #if !defined(_HF_ARCH_DARWIN)
-  timer_t timerId;
+    timer_t timerId;
-#endif  // !defined(_HF_ARCH_DARWIN)
+#endif    // !defined(_HF_ARCH_DARWIN)
-  hwcnt_t hwCnts;
+    hwcnt_t hwCnts;
  struct {
    /* For Linux code */
    uint8_t *perfMmapBuf;
    uint8_t *perfMmapAux;
    int      cpuInstrFd;
    int      cpuBranchFd;
    int      cpuIptBtsFd;
  } arch_linux;
    struct {
        /* For Linux code */
        uint8_t* perfMmapBuf;
        uint8_t* perfMmapAux;
        int      cpuInstrFd;
        int      cpuBranchFd;
        int      cpuIptBtsFd;
    } arch_linux;
 } run_t;
 #endif
--- a/custom_mutators/honggfuzz/input.h
+++ b/custom_mutators/honggfuzz/input.h
@ -77,11 +77,11 @@ static inline uint64_t util_rndGet(uint64_t min, uint64_t max) {
 }
 static inline uint64_t util_rnd64() { return rand_below(afl_struct, 1 << 30); }
-static inline size_t input_getRandomInputAsBuf(run_t *run, const uint8_t **buf) {
+static inline const uint8_t* input_getRandomInputAsBuf(run_t* run, size_t* len) {
-  *buf = queue_input;
+  *len = queue_input_size;
  run->dynfile->data = queue_input;
  run->dynfile->size = queue_input_size;
-  return queue_input_size;
+  return queue_input;
 }
 static inline void input_setSize(run_t* run, size_t sz) {
  run->dynfile->size = sz;
--- a/custom_mutators/honggfuzz/libhfcommon
+++ b/custom_mutators/honggfuzz/libhfcommon
@ -1 +0,0 @@
 .
--- a/custom_mutators/honggfuzz/libhfcommon/common.h
+++ b/custom_mutators/honggfuzz/libhfcommon/common.h
@ -0,0 +1,3 @@
 #ifndef LOG_E
  #define LOG_E LOG_F
 #endif
--- a/custom_mutators/honggfuzz/libhfcommon/log.h
+++ b/custom_mutators/honggfuzz/libhfcommon/log.h
--- a/custom_mutators/honggfuzz/libhfcommon/util.h
+++ b/custom_mutators/honggfuzz/libhfcommon/util.h
--- a/custom_mutators/honggfuzz/mangle.c
+++ b/custom_mutators/honggfuzz/mangle.c
--- a/custom_mutators/honggfuzz/mangle.h
+++ b/custom_mutators/honggfuzz/mangle.h
@ -26,7 +26,6 @@
 #include "honggfuzz.h"
-extern void mangle_mangleContent(run_t *run, int speed_factor);
+extern void mangle_mangleContent(run_t* run, int speed_factor);
 #endif
--- a/custom_mutators/libfuzzer/FuzzerBuiltins.h
+++ b/custom_mutators/libfuzzer/FuzzerBuiltins.h
@ -0,0 +1,35 @@
 //===- FuzzerBuiltins.h - Internal header for builtins ----------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Wrapper functions and macros around builtin functions.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_BUILTINS_H
 #define LLVM_FUZZER_BUILTINS_H
 #include "FuzzerPlatform.h"
 #if !LIBFUZZER_MSVC
 #include <cstdint>
 #define GET_CALLER_PC() __builtin_return_address(0)
 namespace fuzzer {
 inline uint8_t  Bswap(uint8_t x)  { return x; }
 inline uint16_t Bswap(uint16_t x) { return __builtin_bswap16(x); }
 inline uint32_t Bswap(uint32_t x) { return __builtin_bswap32(x); }
 inline uint64_t Bswap(uint64_t x) { return __builtin_bswap64(x); }
 inline uint32_t Clzll(unsigned long long X) { return __builtin_clzll(X); }
 inline uint32_t Clz(unsigned long long X) { return __builtin_clz(X); }
 inline int Popcountll(unsigned long long X) { return __builtin_popcountll(X); }
 }  // namespace fuzzer
 #endif  // !LIBFUZZER_MSVC
 #endif  // LLVM_FUZZER_BUILTINS_H
--- a/custom_mutators/libfuzzer/FuzzerBuiltinsMsvc.h
+++ b/custom_mutators/libfuzzer/FuzzerBuiltinsMsvc.h
@ -0,0 +1,72 @@
 //===- FuzzerBuiltinsMSVC.h - Internal header for builtins ------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Wrapper functions and macros that use intrinsics instead of builtin functions
 // which cannot be compiled by MSVC.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_BUILTINS_MSVC_H
 #define LLVM_FUZZER_BUILTINS_MSVC_H
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_MSVC
 #include <intrin.h>
 #include <cstdint>
 #include <cstdlib>
 // __builtin_return_address() cannot be compiled with MSVC. Use the equivalent
 // from <intrin.h>
 #define GET_CALLER_PC() _ReturnAddress()
 namespace fuzzer {
 inline uint8_t  Bswap(uint8_t x)  { return x; }
 // Use alternatives to __builtin functions from <stdlib.h> and <intrin.h> on
 // Windows since the builtins are not supported by MSVC.
 inline uint16_t Bswap(uint16_t x) { return _byteswap_ushort(x); }
 inline uint32_t Bswap(uint32_t x) { return _byteswap_ulong(x); }
 inline uint64_t Bswap(uint64_t x) { return _byteswap_uint64(x); }
 // The functions below were mostly copied from
 // compiler-rt/lib/builtins/int_lib.h which defines the __builtin functions used
 // outside of Windows.
 inline uint32_t Clzll(uint64_t X) {
  unsigned long LeadZeroIdx = 0;
 #if !defined(_M_ARM) && !defined(_M_X64)
  // Scan the high 32 bits.
  if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X >> 32)))
    return static_cast<int>(63 - (LeadZeroIdx + 32)); // Create a bit offset from the MSB.
  // Scan the low 32 bits.
  if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X)))
    return static_cast<int>(63 - LeadZeroIdx);
 #else
  if (_BitScanReverse64(&LeadZeroIdx, X)) return 63 - LeadZeroIdx;
 #endif
  return 64;
 }
 inline uint32_t Clz(uint32_t X) {
  unsigned long LeadZeroIdx = 0;
  if (_BitScanReverse(&LeadZeroIdx, X)) return 31 - LeadZeroIdx;
  return 32;
 }
 inline int Popcountll(unsigned long long X) {
 #if !defined(_M_ARM) && !defined(_M_X64)
  return __popcnt(X) + __popcnt(X >> 32);
 #else
  return __popcnt64(X);
 #endif
 }
 }  // namespace fuzzer
 #endif  // LIBFUZER_MSVC
 #endif  // LLVM_FUZZER_BUILTINS_MSVC_H
--- a/custom_mutators/libfuzzer/FuzzerCommand.h
+++ b/custom_mutators/libfuzzer/FuzzerCommand.h
@ -0,0 +1,178 @@
 //===- FuzzerCommand.h - Interface representing a process -------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // FuzzerCommand represents a command to run in a subprocess.  It allows callers
 // to manage command line arguments and output and error streams.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_COMMAND_H
 #define LLVM_FUZZER_COMMAND_H
 #include "FuzzerDefs.h"
 #include "FuzzerIO.h"
 #include <algorithm>
 #include <sstream>
 #include <string>
 #include <vector>
 namespace fuzzer {
 class Command final {
 public:
  // This command line flag is used to indicate that the remaining command line
  // is immutable, meaning this flag effectively marks the end of the mutable
  // argument list.
  static inline const char *ignoreRemainingArgs() {
    return "-ignore_remaining_args=1";
  }
  Command() : CombinedOutAndErr(false) {}
  explicit Command(const Vector<std::string> &ArgsToAdd)
      : Args(ArgsToAdd), CombinedOutAndErr(false) {}
  explicit Command(const Command &Other)
      : Args(Other.Args), CombinedOutAndErr(Other.CombinedOutAndErr),
        OutputFile(Other.OutputFile) {}
  Command &operator=(const Command &Other) {
    Args = Other.Args;
    CombinedOutAndErr = Other.CombinedOutAndErr;
    OutputFile = Other.OutputFile;
    return *this;
  }
  ~Command() {}
  // Returns true if the given Arg is present in Args.  Only checks up to
  // "-ignore_remaining_args=1".
  bool hasArgument(const std::string &Arg) const {
    auto i = endMutableArgs();
    return std::find(Args.begin(), i, Arg) != i;
  }
  // Gets all of the current command line arguments, **including** those after
  // "-ignore-remaining-args=1".
  const Vector<std::string> &getArguments() const { return Args; }
  // Adds the given argument before "-ignore_remaining_args=1", or at the end
  // if that flag isn't present.
  void addArgument(const std::string &Arg) {
    Args.insert(endMutableArgs(), Arg);
  }
  // Adds all given arguments before "-ignore_remaining_args=1", or at the end
  // if that flag isn't present.
  void addArguments(const Vector<std::string> &ArgsToAdd) {
    Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end());
  }
  // Removes the given argument from the command argument list.  Ignores any
  // occurrences after "-ignore_remaining_args=1", if present.
  void removeArgument(const std::string &Arg) {
    auto i = endMutableArgs();
    Args.erase(std::remove(Args.begin(), i, Arg), i);
  }
  // Like hasArgument, but checks for "-[Flag]=...".
  bool hasFlag(const std::string &Flag) const {
    std::string Arg("-" + Flag + "=");
    auto IsMatch = [&](const std::string &Other) {
      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
    };
    return std::any_of(Args.begin(), endMutableArgs(), IsMatch);
  }
  // Returns the value of the first instance of a given flag, or an empty string
  // if the flag isn't present.  Ignores any occurrences after
  // "-ignore_remaining_args=1", if present.
  std::string getFlagValue(const std::string &Flag) const {
    std::string Arg("-" + Flag + "=");
    auto IsMatch = [&](const std::string &Other) {
      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
    };
    auto i = endMutableArgs();
    auto j = std::find_if(Args.begin(), i, IsMatch);
    std::string result;
    if (j != i) {
      result = j->substr(Arg.length());
    }
    return result;
  }
  // Like AddArgument, but adds "-[Flag]=[Value]".
  void addFlag(const std::string &Flag, const std::string &Value) {
    addArgument("-" + Flag + "=" + Value);
  }
  // Like RemoveArgument, but removes "-[Flag]=...".
  void removeFlag(const std::string &Flag) {
    std::string Arg("-" + Flag + "=");
    auto IsMatch = [&](const std::string &Other) {
      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
    };
    auto i = endMutableArgs();
    Args.erase(std::remove_if(Args.begin(), i, IsMatch), i);
  }
  // Returns whether the command's stdout is being written to an output file.
  bool hasOutputFile() const { return !OutputFile.empty(); }
  // Returns the currently set output file.
  const std::string &getOutputFile() const { return OutputFile; }
  // Configures the command to redirect its output to the name file.
  void setOutputFile(const std::string &FileName) { OutputFile = FileName; }
  // Returns whether the command's stderr is redirected to stdout.
  bool isOutAndErrCombined() const { return CombinedOutAndErr; }
  // Sets whether to redirect the command's stderr to its stdout.
  void combineOutAndErr(bool combine = true) { CombinedOutAndErr = combine; }
  // Returns a string representation of the command.  On many systems this will
  // be the equivalent command line.
  std::string toString() const {
    std::stringstream SS;
    for (auto arg : getArguments())
      SS << arg << " ";
    if (hasOutputFile())
      SS << ">" << getOutputFile() << " ";
    if (isOutAndErrCombined())
      SS << "2>&1 ";
    std::string result = SS.str();
    if (!result.empty())
      result = result.substr(0, result.length() - 1);
    return result;
  }
 private:
  Command(Command &&Other) = delete;
  Command &operator=(Command &&Other) = delete;
  Vector<std::string>::iterator endMutableArgs() {
    return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
  }
  Vector<std::string>::const_iterator endMutableArgs() const {
    return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
  }
  // The command arguments.  Args[0] is the command name.
  Vector<std::string> Args;
  // True indicates stderr is redirected to stdout.
  bool CombinedOutAndErr;
  // If not empty, stdout is redirected to the named file.
  std::string OutputFile;
 };
 } // namespace fuzzer
 #endif // LLVM_FUZZER_COMMAND_H
--- a/custom_mutators/libfuzzer/FuzzerCorpus.h
+++ b/custom_mutators/libfuzzer/FuzzerCorpus.h
@ -0,0 +1,581 @@
 //===- FuzzerCorpus.h - Internal header for the Fuzzer ----------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::InputCorpus
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_CORPUS
 #define LLVM_FUZZER_CORPUS
 #include "FuzzerDataFlowTrace.h"
 #include "FuzzerDefs.h"
 #include "FuzzerIO.h"
 #include "FuzzerRandom.h"
 #include "FuzzerSHA1.h"
 #include "FuzzerTracePC.h"
 #include <algorithm>
 #include <chrono>
 #include <numeric>
 #include <random>
 #include <unordered_set>
 namespace fuzzer {
 struct InputInfo {
  Unit U;  // The actual input data.
  std::chrono::microseconds TimeOfUnit;
  uint8_t Sha1[kSHA1NumBytes];  // Checksum.
  // Number of features that this input has and no smaller input has.
  size_t NumFeatures = 0;
  size_t Tmp = 0; // Used by ValidateFeatureSet.
  // Stats.
  size_t NumExecutedMutations = 0;
  size_t NumSuccessfullMutations = 0;
  bool NeverReduce = false;
  bool MayDeleteFile = false;
  bool Reduced = false;
  bool HasFocusFunction = false;
  Vector<uint32_t> UniqFeatureSet;
  Vector<uint8_t> DataFlowTraceForFocusFunction;
  // Power schedule.
  bool NeedsEnergyUpdate = false;
  double Energy = 0.0;
  size_t SumIncidence = 0;
  Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs;
  // Delete feature Idx and its frequency from FeatureFreqs.
  bool DeleteFeatureFreq(uint32_t Idx) {
    if (FeatureFreqs.empty())
      return false;
    // Binary search over local feature frequencies sorted by index.
    auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),
                                  std::pair<uint32_t, uint16_t>(Idx, 0));
    if (Lower != FeatureFreqs.end() && Lower->first == Idx) {
      FeatureFreqs.erase(Lower);
      return true;
    }
    return false;
  }
  // Assign more energy to a high-entropy seed, i.e., that reveals more
  // information about the globally rare features in the neighborhood of the
  // seed. Since we do not know the entropy of a seed that has never been
  // executed we assign fresh seeds maximum entropy and let II->Energy approach
  // the true entropy from above. If ScalePerExecTime is true, the computed
  // entropy is scaled based on how fast this input executes compared to the
  // average execution time of inputs. The faster an input executes, the more
  // energy gets assigned to the input.
  void UpdateEnergy(size_t GlobalNumberOfFeatures, bool ScalePerExecTime,
                    std::chrono::microseconds AverageUnitExecutionTime) {
    Energy = 0.0;
    SumIncidence = 0;
    // Apply add-one smoothing to locally discovered features.
    for (auto F : FeatureFreqs) {
      size_t LocalIncidence = F.second + 1;
      Energy -= LocalIncidence * logl(LocalIncidence);
      SumIncidence += LocalIncidence;
    }
    // Apply add-one smoothing to locally undiscovered features.
    //   PreciseEnergy -= 0; // since logl(1.0) == 0)
    SumIncidence += (GlobalNumberOfFeatures - FeatureFreqs.size());
    // Add a single locally abundant feature apply add-one smoothing.
    size_t AbdIncidence = NumExecutedMutations + 1;
    Energy -= AbdIncidence * logl(AbdIncidence);
    SumIncidence += AbdIncidence;
    // Normalize.
    if (SumIncidence != 0)
      Energy = (Energy / SumIncidence) + logl(SumIncidence);
    if (ScalePerExecTime) {
      // Scaling to favor inputs with lower execution time.
      uint32_t PerfScore = 100;
      if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 10)
        PerfScore = 10;
      else if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 4)
        PerfScore = 25;
      else if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 2)
        PerfScore = 50;
      else if (TimeOfUnit.count() * 3 > AverageUnitExecutionTime.count() * 4)
        PerfScore = 75;
      else if (TimeOfUnit.count() * 4 < AverageUnitExecutionTime.count())
        PerfScore = 300;
      else if (TimeOfUnit.count() * 3 < AverageUnitExecutionTime.count())
        PerfScore = 200;
      else if (TimeOfUnit.count() * 2 < AverageUnitExecutionTime.count())
        PerfScore = 150;
      Energy *= PerfScore;
    }
  }
  // Increment the frequency of the feature Idx.
  void UpdateFeatureFrequency(uint32_t Idx) {
    NeedsEnergyUpdate = true;
    // The local feature frequencies is an ordered vector of pairs.
    // If there are no local feature frequencies, push_back preserves order.
    // Set the feature frequency for feature Idx32 to 1.
    if (FeatureFreqs.empty()) {
      FeatureFreqs.push_back(std::pair<uint32_t, uint16_t>(Idx, 1));
      return;
    }
    // Binary search over local feature frequencies sorted by index.
    auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),
                                  std::pair<uint32_t, uint16_t>(Idx, 0));
    // If feature Idx32 already exists, increment its frequency.
    // Otherwise, insert a new pair right after the next lower index.
    if (Lower != FeatureFreqs.end() && Lower->first == Idx) {
      Lower->second++;
    } else {
      FeatureFreqs.insert(Lower, std::pair<uint32_t, uint16_t>(Idx, 1));
    }
  }
 };
 struct EntropicOptions {
  bool Enabled;
  size_t NumberOfRarestFeatures;
  size_t FeatureFrequencyThreshold;
  bool ScalePerExecTime;
 };
 class InputCorpus {
  static const uint32_t kFeatureSetSize = 1 << 21;
  static const uint8_t kMaxMutationFactor = 20;
  static const size_t kSparseEnergyUpdates = 100;
  size_t NumExecutedMutations = 0;
  EntropicOptions Entropic;
 public:
  InputCorpus(const std::string &OutputCorpus, EntropicOptions Entropic)
      : Entropic(Entropic), OutputCorpus(OutputCorpus) {
    memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
    memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));
  }
  ~InputCorpus() {
    for (auto II : Inputs)
      delete II;
  }
  size_t size() const { return Inputs.size(); }
  size_t SizeInBytes() const {
    size_t Res = 0;
    for (auto II : Inputs)
      Res += II->U.size();
    return Res;
  }
  size_t NumActiveUnits() const {
    size_t Res = 0;
    for (auto II : Inputs)
      Res += !II->U.empty();
    return Res;
  }
  size_t MaxInputSize() const {
    size_t Res = 0;
    for (auto II : Inputs)
        Res = std::max(Res, II->U.size());
    return Res;
  }
  void IncrementNumExecutedMutations() { NumExecutedMutations++; }
  size_t NumInputsThatTouchFocusFunction() {
    return std::count_if(Inputs.begin(), Inputs.end(), [](const InputInfo *II) {
      return II->HasFocusFunction;
    });
  }
  size_t NumInputsWithDataFlowTrace() {
    return std::count_if(Inputs.begin(), Inputs.end(), [](const InputInfo *II) {
      return !II->DataFlowTraceForFocusFunction.empty();
    });
  }
  bool empty() const { return Inputs.empty(); }
  const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
  InputInfo *AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
                         bool HasFocusFunction, bool NeverReduce,
                         std::chrono::microseconds TimeOfUnit,
                         const Vector<uint32_t> &FeatureSet,
                         const DataFlowTrace &DFT, const InputInfo *BaseII) {
    assert(!U.empty());
    if (FeatureDebug)
      Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
    Inputs.push_back(new InputInfo());
    InputInfo &II = *Inputs.back();
    II.U = U;
    II.NumFeatures = NumFeatures;
    II.NeverReduce = NeverReduce;
    II.TimeOfUnit = TimeOfUnit;
    II.MayDeleteFile = MayDeleteFile;
    II.UniqFeatureSet = FeatureSet;
    II.HasFocusFunction = HasFocusFunction;
    // Assign maximal energy to the new seed.
    II.Energy = RareFeatures.empty() ? 1.0 : log(RareFeatures.size());
    II.SumIncidence = RareFeatures.size();
    II.NeedsEnergyUpdate = false;
    std::sort(II.UniqFeatureSet.begin(), II.UniqFeatureSet.end());
    ComputeSHA1(U.data(), U.size(), II.Sha1);
    auto Sha1Str = Sha1ToString(II.Sha1);
    Hashes.insert(Sha1Str);
    if (HasFocusFunction)
      if (auto V = DFT.Get(Sha1Str))
        II.DataFlowTraceForFocusFunction = *V;
    // This is a gross heuristic.
    // Ideally, when we add an element to a corpus we need to know its DFT.
    // But if we don't, we'll use the DFT of its base input.
    if (II.DataFlowTraceForFocusFunction.empty() && BaseII)
      II.DataFlowTraceForFocusFunction = BaseII->DataFlowTraceForFocusFunction;
    DistributionNeedsUpdate = true;
    PrintCorpus();
    // ValidateFeatureSet();
    return &II;
  }
  // Debug-only
  void PrintUnit(const Unit &U) {
    if (!FeatureDebug) return;
    for (uint8_t C : U) {
      if (C != 'F' && C != 'U' && C != 'Z')
        C = '.';
      Printf("%c", C);
    }
  }
  // Debug-only
  void PrintFeatureSet(const Vector<uint32_t> &FeatureSet) {
    if (!FeatureDebug) return;
    Printf("{");
    for (uint32_t Feature: FeatureSet)
      Printf("%u,", Feature);
    Printf("}");
  }
  // Debug-only
  void PrintCorpus() {
    if (!FeatureDebug) return;
    Printf("======= CORPUS:\n");
    int i = 0;
    for (auto II : Inputs) {
      if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
        Printf("[%2d] ", i);
        Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
        PrintUnit(II->U);
        Printf(" ");
        PrintFeatureSet(II->UniqFeatureSet);
        Printf("\n");
      }
      i++;
    }
  }
  void Replace(InputInfo *II, const Unit &U) {
    assert(II->U.size() > U.size());
    Hashes.erase(Sha1ToString(II->Sha1));
    DeleteFile(*II);
    ComputeSHA1(U.data(), U.size(), II->Sha1);
    Hashes.insert(Sha1ToString(II->Sha1));
    II->U = U;
    II->Reduced = true;
    DistributionNeedsUpdate = true;
  }
  bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
  bool HasUnit(const std::string &H) { return Hashes.count(H); }
  InputInfo &ChooseUnitToMutate(Random &Rand) {
    InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)];
    assert(!II.U.empty());
    return II;
  }
  InputInfo &ChooseUnitToCrossOverWith(Random &Rand, bool UniformDist) {
    if (!UniformDist) {
      return ChooseUnitToMutate(Rand);
    }
    InputInfo &II = *Inputs[Rand(Inputs.size())];
    assert(!II.U.empty());
    return II;
  }
  // Returns an index of random unit from the corpus to mutate.
  size_t ChooseUnitIdxToMutate(Random &Rand) {
    UpdateCorpusDistribution(Rand);
    size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));
    assert(Idx < Inputs.size());
    return Idx;
  }
  void PrintStats() {
    for (size_t i = 0; i < Inputs.size(); i++) {
      const auto &II = *Inputs[i];
      Printf("  [% 3zd %s] sz: % 5zd runs: % 5zd succ: % 5zd focus: %d\n", i,
             Sha1ToString(II.Sha1).c_str(), II.U.size(),
             II.NumExecutedMutations, II.NumSuccessfullMutations, II.HasFocusFunction);
    }
  }
  void PrintFeatureSet() {
    for (size_t i = 0; i < kFeatureSetSize; i++) {
      if(size_t Sz = GetFeature(i))
        Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);
    }
    Printf("\n\t");
    for (size_t i = 0; i < Inputs.size(); i++)
      if (size_t N = Inputs[i]->NumFeatures)
        Printf(" %zd=>%zd ", i, N);
    Printf("\n");
  }
  void DeleteFile(const InputInfo &II) {
    if (!OutputCorpus.empty() && II.MayDeleteFile)
      RemoveFile(DirPlusFile(OutputCorpus, Sha1ToString(II.Sha1)));
  }
  void DeleteInput(size_t Idx) {
    InputInfo &II = *Inputs[Idx];
    DeleteFile(II);
    Unit().swap(II.U);
    II.Energy = 0.0;
    II.NeedsEnergyUpdate = false;
    DistributionNeedsUpdate = true;
    if (FeatureDebug)
      Printf("EVICTED %zd\n", Idx);
  }
  void AddRareFeature(uint32_t Idx) {
    // Maintain *at least* TopXRarestFeatures many rare features
    // and all features with a frequency below ConsideredRare.
    // Remove all other features.
    while (RareFeatures.size() > Entropic.NumberOfRarestFeatures &&
           FreqOfMostAbundantRareFeature > Entropic.FeatureFrequencyThreshold) {
      // Find most and second most abbundant feature.
      uint32_t MostAbundantRareFeatureIndices[2] = {RareFeatures[0],
                                                    RareFeatures[0]};
      size_t Delete = 0;
      for (size_t i = 0; i < RareFeatures.size(); i++) {
        uint32_t Idx2 = RareFeatures[i];
        if (GlobalFeatureFreqs[Idx2] >=
            GlobalFeatureFreqs[MostAbundantRareFeatureIndices[0]]) {
          MostAbundantRareFeatureIndices[1] = MostAbundantRareFeatureIndices[0];
          MostAbundantRareFeatureIndices[0] = Idx2;
          Delete = i;
        }
      }
      // Remove most abundant rare feature.
      RareFeatures[Delete] = RareFeatures.back();
      RareFeatures.pop_back();
      for (auto II : Inputs) {
        if (II->DeleteFeatureFreq(MostAbundantRareFeatureIndices[0]))
          II->NeedsEnergyUpdate = true;
      }
      // Set 2nd most abundant as the new most abundant feature count.
      FreqOfMostAbundantRareFeature =
          GlobalFeatureFreqs[MostAbundantRareFeatureIndices[1]];
    }
    // Add rare feature, handle collisions, and update energy.
    RareFeatures.push_back(Idx);
    GlobalFeatureFreqs[Idx] = 0;
    for (auto II : Inputs) {
      II->DeleteFeatureFreq(Idx);
      // Apply add-one smoothing to this locally undiscovered feature.
      // Zero energy seeds will never be fuzzed and remain zero energy.
      if (II->Energy > 0.0) {
        II->SumIncidence += 1;
        II->Energy += logl(II->SumIncidence) / II->SumIncidence;
      }
    }
    DistributionNeedsUpdate = true;
  }
  bool AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {
    assert(NewSize);
    Idx = Idx % kFeatureSetSize;
    uint32_t OldSize = GetFeature(Idx);
    if (OldSize == 0 || (Shrink && OldSize > NewSize)) {
      if (OldSize > 0) {
        size_t OldIdx = SmallestElementPerFeature[Idx];
        InputInfo &II = *Inputs[OldIdx];
        assert(II.NumFeatures > 0);
        II.NumFeatures--;
        if (II.NumFeatures == 0)
          DeleteInput(OldIdx);
      } else {
        NumAddedFeatures++;
        if (Entropic.Enabled)
          AddRareFeature((uint32_t)Idx);
      }
      NumUpdatedFeatures++;
      if (FeatureDebug)
        Printf("ADD FEATURE %zd sz %d\n", Idx, NewSize);
      SmallestElementPerFeature[Idx] = Inputs.size();
      InputSizesPerFeature[Idx] = NewSize;
      return true;
    }
    return false;
  }
  // Increment frequency of feature Idx globally and locally.
  void UpdateFeatureFrequency(InputInfo *II, size_t Idx) {
    uint32_t Idx32 = Idx % kFeatureSetSize;
    // Saturated increment.
    if (GlobalFeatureFreqs[Idx32] == 0xFFFF)
      return;
    uint16_t Freq = GlobalFeatureFreqs[Idx32]++;
    // Skip if abundant.
    if (Freq > FreqOfMostAbundantRareFeature ||
        std::find(RareFeatures.begin(), RareFeatures.end(), Idx32) ==
            RareFeatures.end())
      return;
    // Update global frequencies.
    if (Freq == FreqOfMostAbundantRareFeature)
      FreqOfMostAbundantRareFeature++;
    // Update local frequencies.
    if (II)
      II->UpdateFeatureFrequency(Idx32);
  }
  size_t NumFeatures() const { return NumAddedFeatures; }
  size_t NumFeatureUpdates() const { return NumUpdatedFeatures; }
 private:
  static const bool FeatureDebug = false;
  size_t GetFeature(size_t Idx) const { return InputSizesPerFeature[Idx]; }
  void ValidateFeatureSet() {
    if (FeatureDebug)
      PrintFeatureSet();
    for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++)
      if (GetFeature(Idx))
        Inputs[SmallestElementPerFeature[Idx]]->Tmp++;
    for (auto II: Inputs) {
      if (II->Tmp != II->NumFeatures)
        Printf("ZZZ %zd %zd\n", II->Tmp, II->NumFeatures);
      assert(II->Tmp == II->NumFeatures);
      II->Tmp = 0;
    }
  }
  // Updates the probability distribution for the units in the corpus.
  // Must be called whenever the corpus or unit weights are changed.
  //
  // Hypothesis: inputs that maximize information about globally rare features
  // are interesting.
  void UpdateCorpusDistribution(Random &Rand) {
    // Skip update if no seeds or rare features were added/deleted.
    // Sparse updates for local change of feature frequencies,
    // i.e., randomly do not skip.
    if (!DistributionNeedsUpdate &&
        (!Entropic.Enabled || Rand(kSparseEnergyUpdates)))
      return;
    DistributionNeedsUpdate = false;
    size_t N = Inputs.size();
    assert(N);
    Intervals.resize(N + 1);
    Weights.resize(N);
    std::iota(Intervals.begin(), Intervals.end(), 0);
    std::chrono::microseconds AverageUnitExecutionTime(0);
    for (auto II : Inputs) {
      AverageUnitExecutionTime += II->TimeOfUnit;
    }
    AverageUnitExecutionTime /= N;
    bool VanillaSchedule = true;
    if (Entropic.Enabled) {
      for (auto II : Inputs) {
        if (II->NeedsEnergyUpdate && II->Energy != 0.0) {
          II->NeedsEnergyUpdate = false;
          II->UpdateEnergy(RareFeatures.size(), Entropic.ScalePerExecTime,
                           AverageUnitExecutionTime);
        }
      }
      for (size_t i = 0; i < N; i++) {
        if (Inputs[i]->NumFeatures == 0) {
          // If the seed doesn't represent any features, assign zero energy.
          Weights[i] = 0.;
        } else if (Inputs[i]->NumExecutedMutations / kMaxMutationFactor >
                   NumExecutedMutations / Inputs.size()) {
          // If the seed was fuzzed a lot more than average, assign zero energy.
          Weights[i] = 0.;
        } else {
          // Otherwise, simply assign the computed energy.
          Weights[i] = Inputs[i]->Energy;
        }
        // If energy for all seeds is zero, fall back to vanilla schedule.
        if (Weights[i] > 0.0)
          VanillaSchedule = false;
      }
    }
    if (VanillaSchedule) {
      for (size_t i = 0; i < N; i++)
        Weights[i] = Inputs[i]->NumFeatures
                         ? (i + 1) * (Inputs[i]->HasFocusFunction ? 1000 : 1)
                         : 0.;
    }
    if (FeatureDebug) {
      for (size_t i = 0; i < N; i++)
        Printf("%zd ", Inputs[i]->NumFeatures);
      Printf("SCORE\n");
      for (size_t i = 0; i < N; i++)
        Printf("%f ", Weights[i]);
      Printf("Weights\n");
    }
    CorpusDistribution = std::piecewise_constant_distribution<double>(
        Intervals.begin(), Intervals.end(), Weights.begin());
  }
  std::piecewise_constant_distribution<double> CorpusDistribution;
  Vector<double> Intervals;
  Vector<double> Weights;
  std::unordered_set<std::string> Hashes;
  Vector<InputInfo*> Inputs;
  size_t NumAddedFeatures = 0;
  size_t NumUpdatedFeatures = 0;
  uint32_t InputSizesPerFeature[kFeatureSetSize];
  uint32_t SmallestElementPerFeature[kFeatureSetSize];
  bool DistributionNeedsUpdate = true;
  uint16_t FreqOfMostAbundantRareFeature = 0;
  uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {};
  Vector<uint32_t> RareFeatures;
  std::string OutputCorpus;
 };
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_CORPUS
--- a/custom_mutators/libfuzzer/FuzzerCrossOver.cpp
+++ b/custom_mutators/libfuzzer/FuzzerCrossOver.cpp
@ -0,0 +1,60 @@
 //===- FuzzerCrossOver.cpp - Cross over two test inputs -------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Cross over test inputs.
 //===----------------------------------------------------------------------===//
 #include "FuzzerDefs.h"
 #include "FuzzerMutate.h"
 #include "FuzzerRandom.h"
 #include <cstring>
 namespace fuzzer {
 // Cross Data1 and Data2, store the result (up to MaxOutSize bytes) in Out.
 size_t MutationDispatcher::CrossOver(const uint8_t *Data1, size_t Size1,
                                     const uint8_t *Data2, size_t Size2,
                                     uint8_t *Out, size_t MaxOutSize) {
  assert(Size1 || Size2);
  MaxOutSize = Rand(MaxOutSize) + 1;
  size_t         OutPos = 0;
  size_t         Pos1 = 0;
  size_t         Pos2 = 0;
  size_t *       InPos = &Pos1;
  size_t         InSize = Size1;
  const uint8_t *Data = Data1;
  bool           CurrentlyUsingFirstData = true;
  while (OutPos < MaxOutSize && (Pos1 < Size1 || Pos2 < Size2)) {
    // Merge a part of Data into Out.
    size_t OutSizeLeft = MaxOutSize - OutPos;
    if (*InPos < InSize) {
      size_t InSizeLeft = InSize - *InPos;
      size_t MaxExtraSize = std::min(OutSizeLeft, InSizeLeft);
      size_t ExtraSize = Rand(MaxExtraSize) + 1;
      memcpy(Out + OutPos, Data + *InPos, ExtraSize);
      OutPos += ExtraSize;
      (*InPos) += ExtraSize;
    }
    // Use the other input data on the next iteration.
    InPos = CurrentlyUsingFirstData ? &Pos2 : &Pos1;
    InSize = CurrentlyUsingFirstData ? Size2 : Size1;
    Data = CurrentlyUsingFirstData ? Data2 : Data1;
    CurrentlyUsingFirstData = !CurrentlyUsingFirstData;
  }
  return OutPos;
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
@ -0,0 +1,344 @@
 //===- FuzzerDataFlowTrace.cpp - DataFlowTrace                ---*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::DataFlowTrace
 //===----------------------------------------------------------------------===//
 #include "FuzzerDataFlowTrace.h"
 #include "FuzzerCommand.h"
 #include "FuzzerIO.h"
 #include "FuzzerRandom.h"
 #include "FuzzerSHA1.h"
 #include "FuzzerUtil.h"
 #include <cstdlib>
 #include <fstream>
 #include <numeric>
 #include <queue>
 #include <sstream>
 #include <string>
 #include <unordered_map>
 #include <unordered_set>
 #include <vector>
 namespace fuzzer {
 static const char *kFunctionsTxt = "functions.txt";
 bool BlockCoverage::AppendCoverage(const std::string &S) {
  std::stringstream SS(S);
  return AppendCoverage(SS);
 }
 // Coverage lines have this form:
 // CN X Y Z T
 // where N is the number of the function, T is the total number of instrumented
 // BBs, and X,Y,Z, if present, are the indecies of covered BB.
 // BB #0, which is the entry block, is not explicitly listed.
 bool BlockCoverage::AppendCoverage(std::istream &IN) {
  std::string L;
  while (std::getline(IN, L, '\n')) {
    if (L.empty()) continue;
    std::stringstream SS(L.c_str() + 1);
    size_t            FunctionId = 0;
    SS >> FunctionId;
    if (L[0] == 'F') {
      FunctionsWithDFT.insert(FunctionId);
      continue;
    }
    if (L[0] != 'C') continue;
    Vector<uint32_t> CoveredBlocks;
    while (true) {
      uint32_t BB = 0;
      SS >> BB;
      if (!SS) break;
      CoveredBlocks.push_back(BB);
    }
    if (CoveredBlocks.empty()) return false;
    uint32_t NumBlocks = CoveredBlocks.back();
    CoveredBlocks.pop_back();
    for (auto BB : CoveredBlocks)
      if (BB >= NumBlocks) return false;
    auto  It = Functions.find(FunctionId);
    auto &Counters =
        It == Functions.end()
            ? Functions.insert({FunctionId, Vector<uint32_t>(NumBlocks)})
                  .first->second
            : It->second;
    if (Counters.size() != NumBlocks) return false;  // wrong number of blocks.
    Counters[0]++;
    for (auto BB : CoveredBlocks)
      Counters[BB]++;
  }
  return true;
 }
 // Assign weights to each function.
 // General principles:
 //   * any uncovered function gets weight 0.
 //   * a function with lots of uncovered blocks gets bigger weight.
 //   * a function with a less frequently executed code gets bigger weight.
 Vector<double> BlockCoverage::FunctionWeights(size_t NumFunctions) const {
  Vector<double> Res(NumFunctions);
  for (auto It : Functions) {
    auto FunctionID = It.first;
    auto Counters = It.second;
    assert(FunctionID < NumFunctions);
    auto &Weight = Res[FunctionID];
    // Give higher weight if the function has a DFT.
    Weight = FunctionsWithDFT.count(FunctionID) ? 1000. : 1;
    // Give higher weight to functions with less frequently seen basic blocks.
    Weight /= SmallestNonZeroCounter(Counters);
    // Give higher weight to functions with the most uncovered basic blocks.
    Weight *= NumberOfUncoveredBlocks(Counters) + 1;
  }
  return Res;
 }
 void DataFlowTrace::ReadCoverage(const std::string &DirPath) {
  Vector<SizedFile> Files;
  GetSizedFilesFromDir(DirPath, &Files);
  for (auto &SF : Files) {
    auto Name = Basename(SF.File);
    if (Name == kFunctionsTxt) continue;
    if (!CorporaHashes.count(Name)) continue;
    std::ifstream IF(SF.File);
    Coverage.AppendCoverage(IF);
  }
 }
 static void DFTStringAppendToVector(Vector<uint8_t> *  DFT,
                                    const std::string &DFTString) {
  assert(DFT->size() == DFTString.size());
  for (size_t I = 0, Len = DFT->size(); I < Len; I++)
    (*DFT)[I] = DFTString[I] == '1';
 }
 // converts a string of '0' and '1' into a Vector<uint8_t>
 static Vector<uint8_t> DFTStringToVector(const std::string &DFTString) {
  Vector<uint8_t> DFT(DFTString.size());
  DFTStringAppendToVector(&DFT, DFTString);
  return DFT;
 }
 static bool ParseError(const char *Err, const std::string &Line) {
  Printf("DataFlowTrace: parse error: %s: Line: %s\n", Err, Line.c_str());
  return false;
 }
 // TODO(metzman): replace std::string with std::string_view for
 // better performance. Need to figure our how to use string_view on Windows.
 static bool ParseDFTLine(const std::string &Line, size_t *FunctionNum,
                         std::string *DFTString) {
  if (!Line.empty() && Line[0] != 'F') return false;  // Ignore coverage.
  size_t SpacePos = Line.find(' ');
  if (SpacePos == std::string::npos)
    return ParseError("no space in the trace line", Line);
  if (Line.empty() || Line[0] != 'F')
    return ParseError("the trace line doesn't start with 'F'", Line);
  *FunctionNum = std::atol(Line.c_str() + 1);
  const char *Beg = Line.c_str() + SpacePos + 1;
  const char *End = Line.c_str() + Line.size();
  assert(Beg < End);
  size_t Len = End - Beg;
  for (size_t I = 0; I < Len; I++) {
    if (Beg[I] != '0' && Beg[I] != '1')
      return ParseError("the trace should contain only 0 or 1", Line);
  }
  *DFTString = Beg;
  return true;
 }
 bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction,
                         Vector<SizedFile> &CorporaFiles, Random &Rand) {
  if (DirPath.empty()) return false;
  Printf("INFO: DataFlowTrace: reading from '%s'\n", DirPath.c_str());
  Vector<SizedFile> Files;
  GetSizedFilesFromDir(DirPath, &Files);
  std::string         L;
  size_t              FocusFuncIdx = SIZE_MAX;
  Vector<std::string> FunctionNames;
  // Collect the hashes of the corpus files.
  for (auto &SF : CorporaFiles)
    CorporaHashes.insert(Hash(FileToVector(SF.File)));
  // Read functions.txt
  std::ifstream IF(DirPlusFile(DirPath, kFunctionsTxt));
  size_t        NumFunctions = 0;
  while (std::getline(IF, L, '\n')) {
    FunctionNames.push_back(L);
    NumFunctions++;
    if (*FocusFunction == L) FocusFuncIdx = NumFunctions - 1;
  }
  if (!NumFunctions) return false;
  if (*FocusFunction == "auto") {
    // AUTOFOCUS works like this:
    // * reads the coverage data from the DFT files.
    // * assigns weights to functions based on coverage.
    // * chooses a random function according to the weights.
    ReadCoverage(DirPath);
    auto           Weights = Coverage.FunctionWeights(NumFunctions);
    Vector<double> Intervals(NumFunctions + 1);
    std::iota(Intervals.begin(), Intervals.end(), 0);
    auto Distribution = std::piecewise_constant_distribution<double>(
        Intervals.begin(), Intervals.end(), Weights.begin());
    FocusFuncIdx = static_cast<size_t>(Distribution(Rand));
    *FocusFunction = FunctionNames[FocusFuncIdx];
    assert(FocusFuncIdx < NumFunctions);
    Printf("INFO: AUTOFOCUS: %zd %s\n", FocusFuncIdx,
           FunctionNames[FocusFuncIdx].c_str());
    for (size_t i = 0; i < NumFunctions; i++) {
      if (!Weights[i]) continue;
      Printf("  [%zd] W %g\tBB-tot %u\tBB-cov %u\tEntryFreq %u:\t%s\n", i,
             Weights[i], Coverage.GetNumberOfBlocks(i),
             Coverage.GetNumberOfCoveredBlocks(i), Coverage.GetCounter(i, 0),
             FunctionNames[i].c_str());
    }
  }
  if (FocusFuncIdx == SIZE_MAX || Files.size() <= 1)
    return false;
  // Read traces.
  size_t NumTraceFiles = 0;
  size_t NumTracesWithFocusFunction = 0;
  for (auto &SF : Files) {
    auto Name = Basename(SF.File);
    if (Name == kFunctionsTxt) continue;
    if (!CorporaHashes.count(Name)) continue;  // not in the corpus.
    NumTraceFiles++;
    // Printf("=== %s\n", Name.c_str());
    std::ifstream IF2(SF.File);
    while (std::getline(IF2, L, '\n')) {
      size_t      FunctionNum = 0;
      std::string DFTString;
      if (ParseDFTLine(L, &FunctionNum, &DFTString) &&
          FunctionNum == FocusFuncIdx) {
        NumTracesWithFocusFunction++;
        if (FunctionNum >= NumFunctions)
          return ParseError("N is greater than the number of functions", L);
        Traces[Name] = DFTStringToVector(DFTString);
        // Print just a few small traces.
        if (NumTracesWithFocusFunction <= 3 && DFTString.size() <= 16)
          Printf("%s => |%s|\n", Name.c_str(), std::string(DFTString).c_str());
        break;  // No need to parse the following lines.
      }
    }
  }
  Printf(
      "INFO: DataFlowTrace: %zd trace files, %zd functions, "
      "%zd traces with focus function\n",
      NumTraceFiles, NumFunctions, NumTracesWithFocusFunction);
  return NumTraceFiles > 0;
 }
 int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
                    const Vector<SizedFile> &CorporaFiles) {
  Printf("INFO: collecting data flow: bin: %s dir: %s files: %zd\n",
         DFTBinary.c_str(), DirPath.c_str(), CorporaFiles.size());
  if (CorporaFiles.empty()) {
    Printf("ERROR: can't collect data flow without corpus provided.");
    return 1;
  }
  static char DFSanEnv[] = "DFSAN_OPTIONS=warn_unimplemented=0";
  putenv(DFSanEnv);
  MkDir(DirPath);
  for (auto &F : CorporaFiles) {
    // For every input F we need to collect the data flow and the coverage.
    // Data flow collection may fail if we request too many DFSan tags at once.
    // So, we start from requesting all tags in range [0,Size) and if that fails
    // we then request tags in [0,Size/2) and [Size/2, Size), and so on.
    // Function number => DFT.
    auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));
 //    std::unordered_map<size_t, Vector<uint8_t>> DFTMap;
 //    std::unordered_set<std::string>             Cov;
    Command                                     Cmd;
    Cmd.addArgument(DFTBinary);
    Cmd.addArgument(F.File);
    Cmd.addArgument(OutPath);
    Printf("CMD: %s\n", Cmd.toString().c_str());
    ExecuteCommand(Cmd);
  }
  // Write functions.txt if it's currently empty or doesn't exist.
  auto FunctionsTxtPath = DirPlusFile(DirPath, kFunctionsTxt);
  if (FileToString(FunctionsTxtPath).empty()) {
    Command Cmd;
    Cmd.addArgument(DFTBinary);
    Cmd.setOutputFile(FunctionsTxtPath);
    ExecuteCommand(Cmd);
  }
  return 0;
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.h
+++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.h
@ -0,0 +1,135 @@
 //===- FuzzerDataFlowTrace.h - Internal header for the Fuzzer ---*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::DataFlowTrace; reads and handles a data-flow trace.
 //
 // A data flow trace is generated by e.g. dataflow/DataFlow.cpp
 // and is stored on disk in a separate directory.
 //
 // The trace dir contains a file 'functions.txt' which lists function names,
 // oner per line, e.g.
 // ==> functions.txt <==
 // Func2
 // LLVMFuzzerTestOneInput
 // Func1
 //
 // All other files in the dir are the traces, see dataflow/DataFlow.cpp.
 // The name of the file is sha1 of the input used to generate the trace.
 //
 // Current status:
 //   the data is parsed and the summary is printed, but the data is not yet
 //   used in any other way.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_DATA_FLOW_TRACE
 #define LLVM_FUZZER_DATA_FLOW_TRACE
 #include "FuzzerDefs.h"
 #include "FuzzerIO.h"
 #include <unordered_map>
 #include <unordered_set>
 #include <vector>
 #include <string>
 namespace fuzzer {
 int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
                    const Vector<SizedFile> &CorporaFiles);
 class BlockCoverage {
 public:
  bool AppendCoverage(std::istream &IN);
  bool AppendCoverage(const std::string &S);
  size_t NumCoveredFunctions() const { return Functions.size(); }
  uint32_t GetCounter(size_t FunctionId, size_t BasicBlockId) {
    auto It = Functions.find(FunctionId);
    if (It == Functions.end()) return 0;
    const auto &Counters = It->second;
    if (BasicBlockId < Counters.size())
      return Counters[BasicBlockId];
    return 0;
  }
  uint32_t GetNumberOfBlocks(size_t FunctionId) {
    auto It = Functions.find(FunctionId);
    if (It == Functions.end()) return 0;
    const auto &Counters = It->second;
    return Counters.size();
  }
  uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) {
    auto It = Functions.find(FunctionId);
    if (It == Functions.end()) return 0;
    const auto &Counters = It->second;
    uint32_t Result = 0;
    for (auto Cnt: Counters)
      if (Cnt)
        Result++;
    return Result;
  }
  Vector<double> FunctionWeights(size_t NumFunctions) const;
  void clear() { Functions.clear(); }
 private:
  typedef Vector<uint32_t> CoverageVector;
  uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {
    uint32_t Res = 0;
    for (auto Cnt : Counters)
      if (Cnt)
        Res++;
    return Res;
  }
  uint32_t NumberOfUncoveredBlocks(const CoverageVector &Counters) const {
    return Counters.size() - NumberOfCoveredBlocks(Counters);
  }
  uint32_t SmallestNonZeroCounter(const CoverageVector &Counters) const {
    assert(!Counters.empty());
    uint32_t Res = Counters[0];
    for (auto Cnt : Counters)
      if (Cnt)
        Res = Min(Res, Cnt);
    assert(Res);
    return Res;
  }
  // Function ID => vector of counters.
  // Each counter represents how many input files trigger the given basic block.
  std::unordered_map<size_t, CoverageVector> Functions;
  // Functions that have DFT entry.
  std::unordered_set<size_t> FunctionsWithDFT;
 };
 class DataFlowTrace {
 public:
  void ReadCoverage(const std::string &DirPath);
  bool Init(const std::string &DirPath, std::string *FocusFunction,
            Vector<SizedFile> &CorporaFiles, Random &Rand);
  void Clear() { Traces.clear(); }
  const Vector<uint8_t> *Get(const std::string &InputSha1) const {
    auto It = Traces.find(InputSha1);
    if (It != Traces.end())
      return &It->second;
    return nullptr;
  }
 private:
  // Input's sha1 => DFT for the FocusFunction.
  std::unordered_map<std::string, Vector<uint8_t> > Traces;
  BlockCoverage Coverage;
  std::unordered_set<std::string> CorporaHashes;
 };
 }  // namespace fuzzer
 #endif // LLVM_FUZZER_DATA_FLOW_TRACE
--- a/custom_mutators/libfuzzer/FuzzerDefs.h
+++ b/custom_mutators/libfuzzer/FuzzerDefs.h
@ -0,0 +1,75 @@
 //===- FuzzerDefs.h - Internal header for the Fuzzer ------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Basic definitions.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_DEFS_H
 #define LLVM_FUZZER_DEFS_H
 #include <cassert>
 #include <cstddef>
 #include <cstdint>
 #include <cstring>
 #include <memory>
 #include <set>
 #include <string>
 #include <vector>
 namespace fuzzer {
 template <class T> T Min(T a, T b) { return a < b ? a : b; }
 template <class T> T Max(T a, T b) { return a > b ? a : b; }
 class Random;
 class Dictionary;
 class DictionaryEntry;
 class MutationDispatcher;
 struct FuzzingOptions;
 class InputCorpus;
 struct InputInfo;
 struct ExternalFunctions;
 // Global interface to functions that may or may not be available.
 extern ExternalFunctions *EF;
 // We are using a custom allocator to give a different symbol name to STL
 // containers in order to avoid ODR violations.
 template<typename T>
  class fuzzer_allocator: public std::allocator<T> {
    public:
      fuzzer_allocator() = default;
      template<class U>
      explicit fuzzer_allocator(const fuzzer_allocator<U>&) {}
      template<class Other>
      struct rebind { typedef fuzzer_allocator<Other> other;  };
  };
 template<typename T>
 using Vector = std::vector<T, fuzzer_allocator<T>>;
 template<typename T>
 using Set = std::set<T, std::less<T>, fuzzer_allocator<T>>;
 typedef Vector<uint8_t> Unit;
 typedef Vector<Unit> UnitVector;
 typedef int (*UserCallback)(const uint8_t *Data, size_t Size);
 int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
 uint8_t *ExtraCountersBegin();
 uint8_t *ExtraCountersEnd();
 void ClearExtraCounters();
 extern bool RunningUserCallback;
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_DEFS_H
--- a/custom_mutators/libfuzzer/FuzzerDictionary.h
+++ b/custom_mutators/libfuzzer/FuzzerDictionary.h
@ -0,0 +1,118 @@
 //===- FuzzerDictionary.h - Internal header for the Fuzzer ------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::Dictionary
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_DICTIONARY_H
 #define LLVM_FUZZER_DICTIONARY_H
 #include "FuzzerDefs.h"
 #include "FuzzerIO.h"
 #include "FuzzerUtil.h"
 #include <algorithm>
 #include <limits>
 namespace fuzzer {
 // A simple POD sized array of bytes.
 template <size_t kMaxSizeT> class FixedWord {
 public:
  static const size_t kMaxSize = kMaxSizeT;
  FixedWord() {}
  FixedWord(const uint8_t *B, uint8_t S) { Set(B, S); }
  void Set(const uint8_t *B, uint8_t S) {
    assert(S <= kMaxSize);
    memcpy(Data, B, S);
    Size = S;
  }
  bool operator==(const FixedWord<kMaxSize> &w) const {
    return Size == w.Size && 0 == memcmp(Data, w.Data, Size);
  }
  static size_t GetMaxSize() { return kMaxSize; }
  const uint8_t *data() const { return Data; }
  uint8_t size() const { return Size; }
 private:
  uint8_t Size = 0;
  uint8_t Data[kMaxSize];
 };
 typedef FixedWord<64> Word;
 class DictionaryEntry {
 public:
  DictionaryEntry() {}
  explicit DictionaryEntry(Word W) : W(W) {}
  DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {}
  const Word &GetW() const { return W; }
  bool HasPositionHint() const { return PositionHint != std::numeric_limits<size_t>::max(); }
  size_t GetPositionHint() const {
    assert(HasPositionHint());
    return PositionHint;
  }
  void IncUseCount() { UseCount++; }
  void IncSuccessCount() { SuccessCount++; }
  size_t GetUseCount() const { return UseCount; }
  size_t GetSuccessCount() const {return SuccessCount; }
  void Print(const char *PrintAfter = "\n") {
    PrintASCII(W.data(), W.size());
    if (HasPositionHint())
      Printf("@%zd", GetPositionHint());
    Printf("%s", PrintAfter);
  }
 private:
  Word W;
  size_t PositionHint = std::numeric_limits<size_t>::max();
  size_t UseCount = 0;
  size_t SuccessCount = 0;
 };
 class Dictionary {
 public:
  static const size_t kMaxDictSize = 1 << 14;
  bool ContainsWord(const Word &W) const {
    return std::any_of(begin(), end(), [&](const DictionaryEntry &DE) {
      return DE.GetW() == W;
    });
  }
  const DictionaryEntry *begin() const { return &DE[0]; }
  const DictionaryEntry *end() const { return begin() + Size; }
  DictionaryEntry & operator[] (size_t Idx) {
    assert(Idx < Size);
    return DE[Idx];
  }
  void push_back(const DictionaryEntry &DE) {
    if (Size < kMaxDictSize)
      this->DE[Size++] = DE;
  }
  void clear() { Size = 0; }
  bool empty() const { return Size == 0; }
  size_t size() const { return Size; }
 private:
  DictionaryEntry DE[kMaxDictSize];
  size_t Size = 0;
 };
 // Parses one dictionary entry.
 // If successful, write the enty to Unit and returns true,
 // otherwise returns false.
 bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
 // Parses the dictionary file, fills Units, returns true iff all lines
 // were parsed successfully.
 bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units);
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_DICTIONARY_H
--- a/custom_mutators/libfuzzer/FuzzerDriver.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDriver.cpp
--- a/custom_mutators/libfuzzer/FuzzerExtFunctions.def
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctions.def
@ -0,0 +1,50 @@
 //===- FuzzerExtFunctions.def - External functions --------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // This defines the external function pointers that
 // ``fuzzer::ExternalFunctions`` should contain and try to initialize.  The
 // EXT_FUNC macro must be defined at the point of inclusion. The signature of
 // the macro is:
 //
 // EXT_FUNC(<name>, <return_type>, <function_signature>, <warn_if_missing>)
 //===----------------------------------------------------------------------===//
 // Optional user functions
 EXT_FUNC(LLVMFuzzerInitialize, int, (int *argc, char ***argv), false);
 EXT_FUNC(LLVMFuzzerCustomMutator, size_t,
         (uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed),
         false);
 EXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
         (const uint8_t *Data1, size_t Size1,
          const uint8_t *Data2, size_t Size2,
          uint8_t *Out, size_t MaxOutSize, unsigned int Seed),
         false);
 // Sanitizer functions
 EXT_FUNC(__lsan_enable, void, (), false);
 EXT_FUNC(__lsan_disable, void, (), false);
 EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false);
 EXT_FUNC(__sanitizer_acquire_crash_state, int, (), true);
 EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int,
         (void (*malloc_hook)(const volatile void *, size_t),
          void (*free_hook)(const volatile void *)),
         false);
 EXT_FUNC(__sanitizer_log_write, void, (const char *buf, size_t len), false);
 EXT_FUNC(__sanitizer_purge_allocator, void, (), false);
 EXT_FUNC(__sanitizer_print_memory_profile, void, (size_t, size_t), false);
 EXT_FUNC(__sanitizer_print_stack_trace, void, (), true);
 EXT_FUNC(__sanitizer_symbolize_pc, void,
         (void *, const char *fmt, char *out_buf, size_t out_buf_size), false);
 EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
         (void *pc, char *module_path,
         size_t module_path_len,void **pc_offset), false);
 EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
 EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
 EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
 EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
 EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
 EXT_FUNC(__msan_unpoison_param, void, (size_t n), false);
--- a/custom_mutators/libfuzzer/FuzzerExtFunctions.h
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctions.h
@ -0,0 +1,34 @@
 //===- FuzzerExtFunctions.h - Interface to external functions ---*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Defines an interface to (possibly optional) functions.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_EXT_FUNCTIONS_H
 #define LLVM_FUZZER_EXT_FUNCTIONS_H
 #include <stddef.h>
 #include <stdint.h>
 namespace fuzzer {
 struct ExternalFunctions {
  // Initialize function pointers. Functions that are not available will be set
  // to nullptr.  Do not call this constructor  before ``main()`` has been
  // entered.
  ExternalFunctions();
 #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)                            \
  RETURN_TYPE(*NAME) FUNC_SIG = nullptr
 #include "FuzzerExtFunctions.def"
 #undef EXT_FUNC
 };
 } // namespace fuzzer
 #endif
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
@ -0,0 +1,60 @@
 //===- FuzzerExtFunctionsDlsym.cpp - Interface to external functions ------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Implementation for operating systems that support dlsym(). We only use it on
 // Apple platforms for now. We don't use this approach on Linux because it
 // requires that clients of LibFuzzer pass ``--export-dynamic`` to the linker.
 // That is a complication we don't wish to expose to clients right now.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_APPLE
  #include "FuzzerExtFunctions.h"
  #include "FuzzerIO.h"
  #include <dlfcn.h>
 using namespace fuzzer;
 template <typename T>
 static T GetFnPtr(const char *FnName, bool WarnIfMissing) {
  dlerror();  // Clear any previous errors.
  void *Fn = dlsym(RTLD_DEFAULT, FnName);
  if (Fn == nullptr) {
    if (WarnIfMissing) {
      const char *ErrorMsg = dlerror();
      Printf("WARNING: Failed to find function \"%s\".", FnName);
      if (ErrorMsg) Printf(" Reason %s.", ErrorMsg);
      Printf("\n");
    }
  }
  return reinterpret_cast<T>(Fn);
 }
 namespace fuzzer {
 ExternalFunctions::ExternalFunctions() {
 \
  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
    this->NAME = GetFnPtr<decltype(ExternalFunctions::NAME)>(#NAME, WARN)
  #include "FuzzerExtFunctions.def"
  #undef EXT_FUNC
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_APPLE
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
@ -0,0 +1,63 @@
 //===- FuzzerExtFunctionsWeak.cpp - Interface to external functions -------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Implementation for Linux. This relies on the linker's support for weak
 // symbols. We don't use this approach on Apple platforms because it requires
 // clients of LibFuzzer to pass ``-U _<symbol_name>`` to the linker to allow
 // weak symbols to be undefined. That is a complication we don't want to expose
 // to clients right now.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FUCHSIA || \
    LIBFUZZER_FREEBSD || LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
  #include "FuzzerExtFunctions.h"
  #include "FuzzerIO.h"
 extern "C" {
  // Declare these symbols as weak to allow them to be optionally defined.
  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
    __attribute__((weak, visibility("default"))) RETURN_TYPE NAME FUNC_SIG
  #include "FuzzerExtFunctions.def"
  #undef EXT_FUNC
 }
 using namespace fuzzer;
 static void CheckFnPtr(void *FnPtr, const char *FnName, bool WarnIfMissing) {
  if (FnPtr == nullptr && WarnIfMissing) {
    Printf("WARNING: Failed to find function \"%s\".\n", FnName);
  }
 }
 namespace fuzzer {
 ExternalFunctions::ExternalFunctions() {
 \
  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)                         \
    this->NAME = ::NAME;                                                      \
    CheckFnPtr(reinterpret_cast<void *>(reinterpret_cast<uintptr_t>(::NAME)), \
               #NAME, WARN);
  #include "FuzzerExtFunctions.def"
  #undef EXT_FUNC
 }
 }  // namespace fuzzer
 #endif
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
@ -0,0 +1,95 @@
 //=== FuzzerExtWindows.cpp - Interface to external functions --------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Implementation of FuzzerExtFunctions for Windows. Uses alternatename when
 // compiled with MSVC. Uses weak aliases when compiled with clang. Unfortunately
 // the method each compiler supports is not supported by the other.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_WINDOWS
  #include "FuzzerExtFunctions.h"
  #include "FuzzerIO.h"
 using namespace fuzzer;
  // Intermediate macro to ensure the parameter is expanded before stringified.
  #define STRINGIFY_(A) #A
  #define STRINGIFY(A) STRINGIFY_(A)
  #if LIBFUZZER_MSVC
    // Copied from compiler-rt/lib/sanitizer_common/sanitizer_win_defs.h
    #if defined(_M_IX86) || defined(__i386__)
      #define WIN_SYM_PREFIX "_"
    #else
      #define WIN_SYM_PREFIX
    #endif
    // Declare external functions as having alternativenames, so that we can
    // determine if they are not defined.
    #define EXTERNAL_FUNC(Name, Default)                              \
      __pragma(                                                       \
          comment(linker, "/alternatename:" WIN_SYM_PREFIX STRINGIFY( \
                              Name) "=" WIN_SYM_PREFIX STRINGIFY(Default)))
  #else
    // Declare external functions as weak to allow them to default to a
    // specified function if not defined explicitly. We must use weak symbols
    // because clang's support for alternatename is not 100%, see
    // https://bugs.llvm.org/show_bug.cgi?id=40218 for more details.
    #define EXTERNAL_FUNC(Name, Default) \
      __attribute__((weak, alias(STRINGIFY(Default))))
  #endif  // LIBFUZZER_MSVC
 extern "C" {
 \
  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)         \
    RETURN_TYPE NAME##Def FUNC_SIG {                          \
                                                              \
      Printf("ERROR: Function \"%s\" not defined.\n", #NAME); \
      exit(1);                                                \
                                                              \
    }                                                         \
    EXTERNAL_FUNC(NAME, NAME##Def) RETURN_TYPE NAME FUNC_SIG
  #include "FuzzerExtFunctions.def"
  #undef EXT_FUNC
 }
 template <typename T>
 static T *GetFnPtr(T *Fun, T *FunDef, const char *FnName, bool WarnIfMissing) {
  if (Fun == FunDef) {
    if (WarnIfMissing)
      Printf("WARNING: Failed to find function \"%s\".\n", FnName);
    return nullptr;
  }
  return Fun;
 }
 namespace fuzzer {
 ExternalFunctions::ExternalFunctions() {
 \
  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
    this->NAME = GetFnPtr<decltype(::NAME)>(::NAME, ::NAME##Def, #NAME, WARN);
  #include "FuzzerExtFunctions.def"
  #undef EXT_FUNC
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_WINDOWS
--- a/custom_mutators/libfuzzer/FuzzerExtraCounters.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtraCounters.cpp
@ -0,0 +1,71 @@
 //===- FuzzerExtraCounters.cpp - Extra coverage counters ------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Extra coverage counters defined by user code.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #include <cstdint>
 #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
    LIBFUZZER_OPENBSD || LIBFUZZER_FUCHSIA || LIBFUZZER_EMSCRIPTEN
 __attribute__((weak)) extern uint8_t __start___libfuzzer_extra_counters;
 __attribute__((weak)) extern uint8_t __stop___libfuzzer_extra_counters;
 namespace fuzzer {
 uint8_t *ExtraCountersBegin() {
  return &__start___libfuzzer_extra_counters;
 }
 uint8_t *ExtraCountersEnd() {
  return &__stop___libfuzzer_extra_counters;
 }
 ATTRIBUTE_NO_SANITIZE_ALL
 void ClearExtraCounters() {  // hand-written memset, don't asan-ify.
  uintptr_t *Beg = reinterpret_cast<uintptr_t *>(ExtraCountersBegin());
  uintptr_t *End = reinterpret_cast<uintptr_t *>(ExtraCountersEnd());
  for (; Beg < End; Beg++) {
    *Beg = 0;
    __asm__ __volatile__("" : : : "memory");
  }
 }
 }  // namespace fuzzer
 #else
 // TODO: implement for other platforms.
 namespace fuzzer {
 uint8_t *ExtraCountersBegin() {
  return nullptr;
 }
 uint8_t *ExtraCountersEnd() {
  return nullptr;
 }
 void ClearExtraCounters() {
 }
 }  // namespace fuzzer
 #endif
--- a/custom_mutators/libfuzzer/FuzzerFlags.def
+++ b/custom_mutators/libfuzzer/FuzzerFlags.def
@ -0,0 +1,198 @@
 //===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Flags. FUZZER_FLAG_INT/FUZZER_FLAG_STRING macros should be defined at the
 // point of inclusion. We are not using any flag parsing library for better
 // portability and independence.
 //===----------------------------------------------------------------------===//
 FUZZER_FLAG_INT(verbosity, 1, "Verbosity level.")
 FUZZER_FLAG_UNSIGNED(seed, 0, "Random seed. If 0, seed is generated.")
 FUZZER_FLAG_INT(runs, -1,
            "Number of individual test runs (-1 for infinite runs).")
 FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
    "If 0, libFuzzer tries to guess a good value based on the corpus "
    "and reports it. ")
 FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
  "then try larger inputs over time.  Specifies the rate at which the length "
  "limit is increased (smaller == faster).  If 0, immediately try inputs with "
  "size up to max_len. Default value is 0, if LLVMFuzzerCustomMutator is used.")
 FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
  "to use as an additional seed corpus. Alternatively, an \"@\" followed by "
  "the name of a file containing the comma-separated list.")
 FUZZER_FLAG_INT(keep_seed, 0, "If 1, keep seed inputs in the corpus even if "
  "they do not produce new coverage. When used with |reduce_inputs==1|, the "
  "seed inputs will never be reduced. This option can be useful when seeds are"
  "not properly formed for the fuzz target but still have useful snippets.")
 FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
 FUZZER_FLAG_INT(cross_over_uniform_dist, 0, "Experimental. If 1, use a "
  "uniform probability distribution when choosing inputs to cross over with. "
  "Some of the inputs in the corpus may never get chosen for mutation "
  "depending on the input mutation scheduling policy. With this flag, all "
  "inputs, regardless of the input mutation scheduling policy, can be chosen "
  "as an input to cross over with. This can be particularly useful with "
  "|keep_seed==1|; all the initial seed inputs, even though they do not "
  "increase coverage because they are not properly formed, will still be "
  "chosen as an input to cross over with.")
 FUZZER_FLAG_INT(mutate_depth, 5,
            "Apply this number of consecutive mutations to each input.")
 FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
                "Reduce depth if mutations lose unique features")
 FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
 FUZZER_FLAG_INT(prefer_small, 1,
    "If 1, always prefer smaller inputs during the corpus shuffle.")
 FUZZER_FLAG_INT(
    timeout, 1200,
    "Timeout in seconds (if positive). "
    "If one unit runs more than this number of seconds the process will abort.")
 FUZZER_FLAG_INT(error_exitcode, 77, "When libFuzzer itself reports a bug "
  "this exit code will be used.")
 FUZZER_FLAG_INT(timeout_exitcode, 70, "When libFuzzer reports a timeout "
  "this exit code will be used.")
 FUZZER_FLAG_INT(max_total_time, 0, "If positive, indicates the maximal total "
                                   "time in seconds to run the fuzzer.")
 FUZZER_FLAG_INT(help, 0, "Print help.")
 FUZZER_FLAG_INT(fork, 0, "Experimental mode where fuzzing happens "
                "in a subprocess")
 FUZZER_FLAG_INT(ignore_timeouts, 1, "Ignore timeouts in fork mode")
 FUZZER_FLAG_INT(ignore_ooms, 1, "Ignore OOMs in fork mode")
 FUZZER_FLAG_INT(ignore_crashes, 0, "Ignore crashes in fork mode")
 FUZZER_FLAG_INT(merge, 0, "If 1, the 2-nd, 3-rd, etc corpora will be "
  "merged into the 1-st corpus. Only interesting units will be taken. "
  "This flag can be used to minimize a corpus.")
 FUZZER_FLAG_STRING(stop_file, "Stop fuzzing ASAP if this file exists")
 FUZZER_FLAG_STRING(merge_inner, "internal flag")
 FUZZER_FLAG_STRING(merge_control_file,
                   "Specify a control file used for the merge process. "
                   "If a merge process gets killed it tries to leave this file "
                   "in a state suitable for resuming the merge. "
                   "By default a temporary file will be used."
                   "The same file can be used for multistep merge process.")
 FUZZER_FLAG_INT(minimize_crash, 0, "If 1, minimizes the provided"
  " crash input. Use with -runs=N or -max_total_time=N to limit "
  "the number attempts."
  " Use with -exact_artifact_path to specify the output."
  " Combine with ASAN_OPTIONS=dedup_token_length=3 (or similar) to ensure that"
  " the minimized input triggers the same crash."
  )
 FUZZER_FLAG_INT(cleanse_crash, 0, "If 1, tries to cleanse the provided"
  " crash input to make it contain fewer original bytes."
  " Use with -exact_artifact_path to specify the output."
  )
 FUZZER_FLAG_INT(minimize_crash_internal_step, 0, "internal flag")
 FUZZER_FLAG_STRING(features_dir, "internal flag. Used to dump feature sets on disk."
  "Every time a new input is added to the corpus, a corresponding file in the features_dir"
  " is created containing the unique features of that input."
  " Features are stored in binary format.")
 FUZZER_FLAG_STRING(mutation_graph_file, "Saves a graph (in DOT format) to"
  " mutation_graph_file. The graph contains a vertex for each input that has"
  " unique coverage; directed edges are provided between parents and children"
  " where the child has unique coverage, and are recorded with the type of"
  " mutation that caused the child.")
 FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters")
 FUZZER_FLAG_INT(use_memmem, 1,
                "Use hints from intercepting memmem, strstr, etc")
 FUZZER_FLAG_INT(use_value_profile, 0,
                "Experimental. Use value profile to guide fuzzing.")
 FUZZER_FLAG_INT(use_cmp, 1, "Use CMP traces to guide mutations")
 FUZZER_FLAG_INT(shrink, 0, "Experimental. Try to shrink corpus inputs.")
 FUZZER_FLAG_INT(reduce_inputs, 1,
  "Try to reduce the size of inputs while preserving their full feature sets")
 FUZZER_FLAG_UNSIGNED(jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
                          " this number of jobs in separate worker processes"
                          " with stdout/stderr redirected to fuzz-JOB.log.")
 FUZZER_FLAG_UNSIGNED(workers, 0,
            "Number of simultaneous worker processes to run the jobs."
            " If zero, \"min(jobs,NumberOfCpuCores()/2)\" is used.")
 FUZZER_FLAG_INT(reload, 1,
                "Reload the main corpus every <N> seconds to get new units"
                " discovered by other processes. If 0, disabled")
 FUZZER_FLAG_INT(report_slow_units, 10,
    "Report slowest units if they run for more than this number of seconds.")
 FUZZER_FLAG_INT(only_ascii, 0,
                "If 1, generate only ASCII (isprint+isspace) inputs.")
 FUZZER_FLAG_STRING(dict, "Experimental. Use the dictionary file.")
 FUZZER_FLAG_STRING(artifact_prefix, "Write fuzzing artifacts (crash, "
                                    "timeout, or slow inputs) as "
                                    "$(artifact_prefix)file")
 FUZZER_FLAG_STRING(exact_artifact_path,
                   "Write the single artifact on failure (crash, timeout) "
                   "as $(exact_artifact_path). This overrides -artifact_prefix "
                   "and will not use checksum in the file name. Do not "
                   "use the same path for several parallel processes.")
 FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
 FUZZER_FLAG_INT(print_funcs, 2, "If >=1, print out at most this number of "
                                "newly covered functions.")
 FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
 FUZZER_FLAG_INT(print_corpus_stats, 0,
  "If 1, print statistics on corpus elements at exit.")
 FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text"
                                   " at exit.")
 FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated.")
 FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
 FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
 FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
 FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
 FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
 FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
 FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
 FUZZER_FLAG_INT(handle_xfsz, 1, "If 1, try to intercept SIGXFSZ.")
 FUZZER_FLAG_INT(handle_usr1, 1, "If 1, try to intercept SIGUSR1.")
 FUZZER_FLAG_INT(handle_usr2, 1, "If 1, try to intercept SIGUSR2.")
 FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; "
    "if 2, close stderr; if 3, close both. "
    "Be careful, this will also close e.g. stderr of asan.")
 FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled "
    "try to detect memory leaks during fuzzing (i.e. not only at shut down).")
 FUZZER_FLAG_INT(purge_allocator_interval, 1, "Purge allocator caches and "
    "quarantines every <N> seconds. When rss_limit_mb is specified (>0), "
    "purging starts when RSS exceeds 50% of rss_limit_mb. Pass "
    "purge_allocator_interval=-1 to disable this functionality.")
 FUZZER_FLAG_INT(trace_malloc, 0, "If >= 1 will print all mallocs/frees. "
    "If >= 2 will also print stack traces.")
 FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"
    "reaching this limit of RSS memory usage.")
 FUZZER_FLAG_INT(malloc_limit_mb, 0, "If non-zero, the fuzzer will exit "
    "if the target tries to allocate this number of Mb with one malloc call. "
    "If zero (default) same limit as rss_limit_mb is applied.")
 FUZZER_FLAG_STRING(exit_on_src_pos, "Exit if a newly found PC originates"
    " from the given source location. Example: -exit_on_src_pos=foo.cc:123. "
    "Used primarily for testing libFuzzer itself.")
 FUZZER_FLAG_STRING(exit_on_item, "Exit if an item with a given sha1 sum"
    " was added to the corpus. "
    "Used primarily for testing libFuzzer itself.")
 FUZZER_FLAG_INT(ignore_remaining_args, 0, "If 1, ignore all arguments passed "
                "after this one. Useful for fuzzers that need to do their own "
                "argument parsing.")
 FUZZER_FLAG_STRING(focus_function, "Experimental. "
     "Fuzzing will focus on inputs that trigger calls to this function. "
     "If -focus_function=auto and -data_flow_trace is used, libFuzzer "
     "will choose the focus functions automatically. Disables -entropic when "
     "specified.")
 FUZZER_FLAG_INT(entropic, 1, "Enables entropic power schedule.")
 FUZZER_FLAG_INT(entropic_feature_frequency_threshold, 0xFF, "Experimental. If "
     "entropic is enabled, all features which are observed less often than "
     "the specified value are considered as rare.")
 FUZZER_FLAG_INT(entropic_number_of_rarest_features, 100, "Experimental. If "
     "entropic is enabled, we keep track of the frequencies only for the "
     "Top-X least abundant features (union features that are considered as "
     "rare).")
 FUZZER_FLAG_INT(entropic_scale_per_exec_time, 0, "Experimental. If 1, "
     "the Entropic power schedule gets scaled based on the input execution "
     "time. Inputs with lower execution time get scheduled more (up to 30x). "
     "Note that, if 1, fuzzer stops from being deterministic even if a "
     "non-zero random seed is given.")
 FUZZER_FLAG_INT(analyze_dict, 0, "Experimental")
 FUZZER_DEPRECATED_FLAG(use_clang_coverage)
 FUZZER_FLAG_STRING(data_flow_trace, "Experimental: use the data flow trace")
 FUZZER_FLAG_STRING(collect_data_flow,
                   "Experimental: collect the data flow trace")
 FUZZER_FLAG_INT(create_missing_dirs, 0, "Automatically attempt to create "
     "directories for arguments that would normally expect them to already "
     "exist (i.e. artifact_prefix, exact_artifact_path, features_dir, corpus)")
--- a/custom_mutators/libfuzzer/FuzzerFork.cpp
+++ b/custom_mutators/libfuzzer/FuzzerFork.cpp
@ -0,0 +1,501 @@
 //===- FuzzerFork.cpp - run fuzzing in separate subprocesses --------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Spawn and orchestrate separate fuzzing processes.
 //===----------------------------------------------------------------------===//
 #include "FuzzerCommand.h"
 #include "FuzzerFork.h"
 #include "FuzzerIO.h"
 #include "FuzzerInternal.h"
 #include "FuzzerMerge.h"
 #include "FuzzerSHA1.h"
 #include "FuzzerTracePC.h"
 #include "FuzzerUtil.h"
 #include <atomic>
 #include <chrono>
 #include <condition_variable>
 #include <fstream>
 #include <memory>
 #include <mutex>
 #include <queue>
 #include <sstream>
 #include <thread>
 namespace fuzzer {
 struct Stats {
  size_t number_of_executed_units = 0;
  size_t peak_rss_mb = 0;
  size_t average_exec_per_sec = 0;
 };
 static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
  std::ifstream In(LogPath);
  std::string   Line;
  Stats         Res;
  struct {
    const char *Name;
    size_t *    Var;
  } NameVarPairs[] = {
      {"stat::number_of_executed_units:", &Res.number_of_executed_units},
      {"stat::peak_rss_mb:", &Res.peak_rss_mb},
      {"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
      {nullptr, nullptr},
  };
  while (std::getline(In, Line, '\n')) {
    if (Line.find("stat::") != 0) continue;
    std::istringstream ISS(Line);
    std::string        Name;
    size_t             Val;
    ISS >> Name >> Val;
    for (size_t i = 0; NameVarPairs[i].Name; i++)
      if (Name == NameVarPairs[i].Name) *NameVarPairs[i].Var = Val;
  }
  return Res;
 }
 struct FuzzJob {
  // Inputs.
  Command     Cmd;
  std::string CorpusDir;
  std::string FeaturesDir;
  std::string LogPath;
  std::string SeedListPath;
  std::string CFPath;
  size_t      JobId;
  int DftTimeInSeconds = 0;
  // Fuzzing Outputs.
  int ExitCode;
  ~FuzzJob() {
    RemoveFile(CFPath);
    RemoveFile(LogPath);
    RemoveFile(SeedListPath);
    RmDirRecursive(CorpusDir);
    RmDirRecursive(FeaturesDir);
  }
 };
 struct GlobalEnv {
  Vector<std::string>                   Args;
  Vector<std::string>                   CorpusDirs;
  std::string                           MainCorpusDir;
  std::string                           TempDir;
  std::string                           DFTDir;
  std::string                           DataFlowBinary;
  Set<uint32_t>                         Features, Cov;
  Set<std::string>                      FilesWithDFT;
  Vector<std::string>                   Files;
  Random *                              Rand;
  std::chrono::system_clock::time_point ProcessStartTime;
  int                                   Verbosity = 0;
  size_t NumTimeouts = 0;
  size_t NumOOMs = 0;
  size_t NumCrashes = 0;
  size_t NumRuns = 0;
  std::string StopFile() {
    return DirPlusFile(TempDir, "STOP");
  }
  size_t secondsSinceProcessStartUp() const {
    return std::chrono::duration_cast<std::chrono::seconds>(
               std::chrono::system_clock::now() - ProcessStartTime)
        .count();
  }
  FuzzJob *CreateNewJob(size_t JobId) {
    Command Cmd(Args);
    Cmd.removeFlag("fork");
    Cmd.removeFlag("runs");
    Cmd.removeFlag("collect_data_flow");
    for (auto &C : CorpusDirs)  // Remove all corpora from the args.
      Cmd.removeArgument(C);
    Cmd.addFlag("reload", "0");  // working in an isolated dir, no reload.
    Cmd.addFlag("print_final_stats", "1");
    Cmd.addFlag("print_funcs", "0");  // no need to spend time symbolizing.
    Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
    Cmd.addFlag("stop_file", StopFile());
    if (!DataFlowBinary.empty()) {
      Cmd.addFlag("data_flow_trace", DFTDir);
      if (!Cmd.hasFlag("focus_function")) Cmd.addFlag("focus_function", "auto");
    }
    auto        Job = new FuzzJob;
    std::string Seeds;
    if (size_t CorpusSubsetSize =
            std::min(Files.size(), (size_t)sqrt(Files.size() + 2))) {
      auto Time1 = std::chrono::system_clock::now();
      for (size_t i = 0; i < CorpusSubsetSize; i++) {
        auto &SF = Files[Rand->SkewTowardsLast(Files.size())];
        Seeds += (Seeds.empty() ? "" : ",") + SF;
        CollectDFT(SF);
      }
      auto Time2 = std::chrono::system_clock::now();
      Job->DftTimeInSeconds = duration_cast<seconds>(Time2 - Time1).count();
    }
    if (!Seeds.empty()) {
      Job->SeedListPath =
          DirPlusFile(TempDir, std::to_string(JobId) + ".seeds");
      WriteToFile(Seeds, Job->SeedListPath);
      Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
    }
    Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
    Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
    Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
    Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
    Job->JobId = JobId;
    Cmd.addArgument(Job->CorpusDir);
    Cmd.addFlag("features_dir", Job->FeaturesDir);
    for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) {
      RmDirRecursive(D);
      MkDir(D);
    }
    Cmd.setOutputFile(Job->LogPath);
    Cmd.combineOutAndErr();
    Job->Cmd = Cmd;
    if (Verbosity >= 2)
      Printf("Job %zd/%p Created: %s\n", JobId, Job,
             Job->Cmd.toString().c_str());
    // Start from very short runs and gradually increase them.
    return Job;
  }
  void RunOneMergeJob(FuzzJob *Job) {
    auto Stats = ParseFinalStatsFromLog(Job->LogPath);
    NumRuns += Stats.number_of_executed_units;
    Vector<SizedFile> TempFiles, MergeCandidates;
    // Read all newly created inputs and their feature sets.
    // Choose only those inputs that have new features.
    GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
    std::sort(TempFiles.begin(), TempFiles.end());
    for (auto &F : TempFiles) {
      auto FeatureFile = F.File;
      FeatureFile.replace(0, Job->CorpusDir.size(), Job->FeaturesDir);
      auto FeatureBytes = FileToVector(FeatureFile, 0, false);
      assert((FeatureBytes.size() % sizeof(uint32_t)) == 0);
      Vector<uint32_t> NewFeatures(FeatureBytes.size() / sizeof(uint32_t));
      memcpy(NewFeatures.data(), FeatureBytes.data(), FeatureBytes.size());
      for (auto Ft : NewFeatures) {
        if (!Features.count(Ft)) {
          MergeCandidates.push_back(F);
          break;
        }
      }
    }
    // if (!FilesToAdd.empty() || Job->ExitCode != 0)
    Printf(
        "#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "
        "oom/timeout/crash: %zd/%zd/%zd time: %zds job: %zd dft_time: %d\n",
        NumRuns, Cov.size(), Features.size(), Files.size(),
        Stats.average_exec_per_sec, NumOOMs, NumTimeouts, NumCrashes,
        secondsSinceProcessStartUp(), Job->JobId, Job->DftTimeInSeconds);
    if (MergeCandidates.empty()) return;
    Vector<std::string> FilesToAdd;
    Set<uint32_t>       NewFeatures, NewCov;
    CrashResistantMerge(Args, {}, MergeCandidates, &FilesToAdd, Features,
                        &NewFeatures, Cov, &NewCov, Job->CFPath, false);
    for (auto &Path : FilesToAdd) {
      auto U = FileToVector(Path);
      auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
      WriteToFile(U, NewPath);
      Files.push_back(NewPath);
    }
    Features.insert(NewFeatures.begin(), NewFeatures.end());
    Cov.insert(NewCov.begin(), NewCov.end());
    for (auto Idx : NewCov)
      if (auto *TE = TPC.PCTableEntryByIdx(Idx))
        if (TPC.PcIsFuncEntry(TE))
          PrintPC("  NEW_FUNC: %p %F %L\n", "",
                  TPC.GetNextInstructionPc(TE->PC));
  }
  void CollectDFT(const std::string &InputPath) {
    if (DataFlowBinary.empty()) return;
    if (!FilesWithDFT.insert(InputPath).second) return;
    Command Cmd(Args);
    Cmd.removeFlag("fork");
    Cmd.removeFlag("runs");
    Cmd.addFlag("data_flow_trace", DFTDir);
    Cmd.addArgument(InputPath);
    for (auto &C : CorpusDirs)  // Remove all corpora from the args.
      Cmd.removeArgument(C);
    Cmd.setOutputFile(DirPlusFile(TempDir, "dft.log"));
    Cmd.combineOutAndErr();
    // Printf("CollectDFT: %s\n", Cmd.toString().c_str());
    ExecuteCommand(Cmd);
  }
 };
 struct JobQueue {
  std::queue<FuzzJob *>   Qu;
  std::mutex              Mu;
  std::condition_variable Cv;
  void Push(FuzzJob *Job) {
    {
      std::lock_guard<std::mutex> Lock(Mu);
      Qu.push(Job);
    }
    Cv.notify_one();
  }
  FuzzJob *Pop() {
    std::unique_lock<std::mutex> Lk(Mu);
    // std::lock_guard<std::mutex> Lock(Mu);
    Cv.wait(Lk, [&] { return !Qu.empty(); });
    assert(!Qu.empty());
    auto Job = Qu.front();
    Qu.pop();
    return Job;
  }
 };
 void WorkerThread(JobQueue *FuzzQ, JobQueue *MergeQ) {
  while (auto Job = FuzzQ->Pop()) {
    // Printf("WorkerThread: job %p\n", Job);
    Job->ExitCode = ExecuteCommand(Job->Cmd);
    MergeQ->Push(Job);
  }
 }
 // This is just a skeleton of an experimental -fork=1 feature.
 void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
                  const Vector<std::string> &Args,
                  const Vector<std::string> &CorpusDirs, int NumJobs) {
  Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);
  GlobalEnv Env;
  Env.Args = Args;
  Env.CorpusDirs = CorpusDirs;
  Env.Rand = &Rand;
  Env.Verbosity = Options.Verbosity;
  Env.ProcessStartTime = std::chrono::system_clock::now();
  Env.DataFlowBinary = Options.CollectDataFlow;
  Vector<SizedFile> SeedFiles;
  for (auto &Dir : CorpusDirs)
    GetSizedFilesFromDir(Dir, &SeedFiles);
  std::sort(SeedFiles.begin(), SeedFiles.end());
  Env.TempDir = TempPath("FuzzWithFork", ".dir");
  Env.DFTDir = DirPlusFile(Env.TempDir, "DFT");
  RmDirRecursive(Env.TempDir);  // in case there is a leftover from old runs.
  MkDir(Env.TempDir);
  MkDir(Env.DFTDir);
  if (CorpusDirs.empty())
    MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
  else
    Env.MainCorpusDir = CorpusDirs[0];
  if (Options.KeepSeed) {
    for (auto &File : SeedFiles)
      Env.Files.push_back(File.File);
  } else {
    auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
    CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
                        {}, &Env.Cov, CFPath, false);
    RemoveFile(CFPath);
  }
  Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,
         Env.Files.size(), Env.TempDir.c_str());
  int ExitCode = 0;
  JobQueue FuzzQ, MergeQ;
  auto StopJobs = [&]() {
    for (int i = 0; i < NumJobs; i++)
      FuzzQ.Push(nullptr);
    MergeQ.Push(nullptr);
    WriteToFile(Unit({1}), Env.StopFile());
  };
  size_t              JobId = 1;
  Vector<std::thread> Threads;
  for (int t = 0; t < NumJobs; t++) {
    Threads.push_back(std::thread(WorkerThread, &FuzzQ, &MergeQ));
    FuzzQ.Push(Env.CreateNewJob(JobId++));
  }
  while (true) {
    std::unique_ptr<FuzzJob> Job(MergeQ.Pop());
    if (!Job) break;
    ExitCode = Job->ExitCode;
    if (ExitCode == Options.InterruptExitCode) {
      Printf("==%lu== libFuzzer: a child was interrupted; exiting\n", GetPid());
      StopJobs();
      break;
    }
    Fuzzer::MaybeExitGracefully();
    Env.RunOneMergeJob(Job.get());
    // Continue if our crash is one of the ignorred ones.
    if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
      Env.NumTimeouts++;
    else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
      Env.NumOOMs++;
    else if (ExitCode != 0) {
      Env.NumCrashes++;
      if (Options.IgnoreCrashes) {
        std::ifstream In(Job->LogPath);
        std::string   Line;
        while (std::getline(In, Line, '\n'))
          if (Line.find("ERROR:") != Line.npos ||
              Line.find("runtime error:") != Line.npos)
            Printf("%s\n", Line.c_str());
      } else {
        // And exit if we don't ignore this crash.
        Printf("INFO: log from the inner process:\n%s",
               FileToString(Job->LogPath).c_str());
        StopJobs();
        break;
      }
    }
    // Stop if we are over the time budget.
    // This is not precise, since other threads are still running
    // and we will wait while joining them.
    // We also don't stop instantly: other jobs need to finish.
    if (Options.MaxTotalTimeSec > 0 &&
        Env.secondsSinceProcessStartUp() >= (size_t)Options.MaxTotalTimeSec) {
      Printf("INFO: fuzzed for %zd seconds, wrapping up soon\n",
             Env.secondsSinceProcessStartUp());
      StopJobs();
      break;
    }
    if (Env.NumRuns >= Options.MaxNumberOfRuns) {
      Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
             Env.NumRuns);
      StopJobs();
      break;
    }
    FuzzQ.Push(Env.CreateNewJob(JobId++));
  }
  for (auto &T : Threads)
    T.join();
  // The workers have terminated. Don't try to remove the directory before they
  // terminate to avoid a race condition preventing cleanup on Windows.
  RmDirRecursive(Env.TempDir);
  // Use the exit code from the last child process.
  Printf("INFO: exiting: %d time: %zds\n", ExitCode,
         Env.secondsSinceProcessStartUp());
  exit(ExitCode);
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerFork.h
+++ b/custom_mutators/libfuzzer/FuzzerFork.h
@ -0,0 +1,24 @@
 //===- FuzzerFork.h - run fuzzing in sub-processes --------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_FORK_H
 #define LLVM_FUZZER_FORK_H
 #include "FuzzerDefs.h"
 #include "FuzzerOptions.h"
 #include "FuzzerRandom.h"
 #include <string>
 namespace fuzzer {
 void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
                  const Vector<std::string> &Args,
                  const Vector<std::string> &CorpusDirs, int NumJobs);
 } // namespace fuzzer
 #endif // LLVM_FUZZER_FORK_H
--- a/custom_mutators/libfuzzer/FuzzerIO.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIO.cpp
@ -0,0 +1,255 @@
 //===- FuzzerIO.cpp - IO utils. -------------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // IO functions.
 //===----------------------------------------------------------------------===//
 #include "FuzzerDefs.h"
 #include "FuzzerExtFunctions.h"
 #include "FuzzerIO.h"
 #include "FuzzerUtil.h"
 #include <algorithm>
 #include <cstdarg>
 #include <fstream>
 #include <iterator>
 #include <sys/stat.h>
 #include <sys/types.h>
 namespace fuzzer {
 static FILE *OutputFile = stderr;
 long GetEpoch(const std::string &Path) {
  struct stat St;
  if (stat(Path.c_str(), &St)) return 0;  // Can't stat, be conservative.
  return St.st_mtime;
 }
 Unit FileToVector(const std::string &Path, size_t MaxSize, bool ExitOnError) {
  std::ifstream T(Path, std::ios::binary);
  if (ExitOnError && !T) {
    Printf("No such directory: %s; exiting\n", Path.c_str());
    exit(1);
  }
  T.seekg(0, T.end);
  auto EndPos = T.tellg();
  if (EndPos < 0) return {};
  size_t FileLen = EndPos;
  if (MaxSize) FileLen = std::min(FileLen, MaxSize);
  T.seekg(0, T.beg);
  Unit Res(FileLen);
  T.read(reinterpret_cast<char *>(Res.data()), FileLen);
  return Res;
 }
 std::string FileToString(const std::string &Path) {
  std::ifstream T(Path, std::ios::binary);
  return std::string((std::istreambuf_iterator<char>(T)),
                     std::istreambuf_iterator<char>());
 }
 void CopyFileToErr(const std::string &Path) {
  Printf("%s", FileToString(Path).c_str());
 }
 void WriteToFile(const Unit &U, const std::string &Path) {
  WriteToFile(U.data(), U.size(), Path);
 }
 void WriteToFile(const std::string &Data, const std::string &Path) {
  WriteToFile(reinterpret_cast<const uint8_t *>(Data.c_str()), Data.size(),
              Path);
 }
 void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
  return;
  // Use raw C interface because this function may be called from a sig handler.
  FILE *Out = fopen(Path.c_str(), "wb");
  if (!Out) return;
  fwrite(Data, sizeof(Data[0]), Size, Out);
  fclose(Out);
 }
 void AppendToFile(const std::string &Data, const std::string &Path) {
  return;
  AppendToFile(reinterpret_cast<const uint8_t *>(Data.data()), Data.size(),
               Path);
 }
 void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
  return;
  FILE *Out = fopen(Path.c_str(), "a");
  if (!Out) return;
  fwrite(Data, sizeof(Data[0]), Size, Out);
  fclose(Out);
 }
 void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, long *Epoch,
                            size_t MaxSize, bool ExitOnError) {
  long                E = Epoch ? *Epoch : 0;
  Vector<std::string> Files;
  ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/ true);
  size_t NumLoaded = 0;
  for (size_t i = 0; i < Files.size(); i++) {
    auto &X = Files[i];
    if (Epoch && GetEpoch(X) < E) continue;
    NumLoaded++;
    if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)
      Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);
    auto S = FileToVector(X, MaxSize, ExitOnError);
    if (!S.empty()) V->push_back(S);
  }
 }
 void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V) {
  Vector<std::string> Files;
  ListFilesInDirRecursive(Dir, 0, &Files, /*TopDir*/ true);
  for (auto &File : Files)
    if (size_t Size = FileSize(File)) V->push_back({File, Size});
 }
 std::string DirPlusFile(const std::string &DirPath,
                        const std::string &FileName) {
  return DirPath + GetSeparator() + FileName;
 }
 void DupAndCloseStderr() {
  int OutputFd = DuplicateFile(2);
  if (OutputFd >= 0) {
    FILE *NewOutputFile = OpenFile(OutputFd, "w");
    if (NewOutputFile) {
      OutputFile = NewOutputFile;
      if (EF->__sanitizer_set_report_fd)
        EF->__sanitizer_set_report_fd(
            reinterpret_cast<void *>(GetHandleFromFd(OutputFd)));
      DiscardOutput(2);
    }
  }
 }
 void CloseStdout() {
  DiscardOutput(1);
 }
 void Printf(const char *Fmt, ...) {
  va_list ap;
  va_start(ap, Fmt);
  vfprintf(OutputFile, Fmt, ap);
  va_end(ap);
  fflush(OutputFile);
 }
 void VPrintf(bool Verbose, const char *Fmt, ...) {
  return;
  if (!Verbose) return;
  va_list ap;
  va_start(ap, Fmt);
  vfprintf(OutputFile, Fmt, ap);
  va_end(ap);
  fflush(OutputFile);
 }
 static bool MkDirRecursiveInner(const std::string &Leaf) {
  // Prevent chance of potential infinite recursion
  if (Leaf == ".") return true;
  const std::string &Dir = DirName(Leaf);
  if (IsDirectory(Dir)) {
    MkDir(Leaf);
    return IsDirectory(Leaf);
  }
  bool ret = MkDirRecursiveInner(Dir);
  if (!ret) {
    // Give up early if a previous MkDir failed
    return ret;
  }
  MkDir(Leaf);
  return IsDirectory(Leaf);
 }
 bool MkDirRecursive(const std::string &Dir) {
  if (Dir.empty()) return false;
  if (IsDirectory(Dir)) return true;
  return MkDirRecursiveInner(Dir);
 }
 void RmDirRecursive(const std::string &Dir) {
  IterateDirRecursive(
      Dir, [](const std::string &Path) {},
      [](const std::string &Path) { RmDir(Path); },
      [](const std::string &Path) { RemoveFile(Path); });
 }
 std::string TempPath(const char *Prefix, const char *Extension) {
  return DirPlusFile(TmpDir(), std::string("libFuzzerTemp.") + Prefix +
                                   std::to_string(GetPid()) + Extension);
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerIO.h
+++ b/custom_mutators/libfuzzer/FuzzerIO.h
@ -0,0 +1,112 @@
 //===- FuzzerIO.h - Internal header for IO utils ----------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // IO interface.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_IO_H
 #define LLVM_FUZZER_IO_H
 #include "FuzzerDefs.h"
 namespace fuzzer {
 long GetEpoch(const std::string &Path);
 Unit FileToVector(const std::string &Path, size_t MaxSize = 0,
                  bool ExitOnError = true);
 std::string FileToString(const std::string &Path);
 void CopyFileToErr(const std::string &Path);
 void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
 // Write Data.c_str() to the file without terminating null character.
 void WriteToFile(const std::string &Data, const std::string &Path);
 void WriteToFile(const Unit &U, const std::string &Path);
 void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path);
 void AppendToFile(const std::string &Data, const std::string &Path);
 void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V,
                            long *Epoch, size_t MaxSize, bool ExitOnError);
 // Returns "Dir/FileName" or equivalent for the current OS.
 std::string DirPlusFile(const std::string &DirPath,
                        const std::string &FileName);
 // Returns the name of the dir, similar to the 'dirname' utility.
 std::string DirName(const std::string &FileName);
 // Returns path to a TmpDir.
 std::string TmpDir();
 std::string TempPath(const char *Prefix, const char *Extension);
 bool IsInterestingCoverageFile(const std::string &FileName);
 void DupAndCloseStderr();
 void CloseStdout();
 void Printf(const char *Fmt, ...);
 void VPrintf(bool Verbose, const char *Fmt, ...);
 // Print using raw syscalls, useful when printing at early init stages.
 void RawPrint(const char *Str);
 // Platform specific functions:
 bool IsFile(const std::string &Path);
 bool IsDirectory(const std::string &Path);
 size_t FileSize(const std::string &Path);
 void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
                             Vector<std::string> *V, bool TopDir);
 bool MkDirRecursive(const std::string &Dir);
 void RmDirRecursive(const std::string &Dir);
 // Iterate files and dirs inside Dir, recursively.
 // Call DirPreCallback/DirPostCallback on dirs before/after
 // calling FileCallback on files.
 void IterateDirRecursive(const std::string &Dir,
                         void (*DirPreCallback)(const std::string &Dir),
                         void (*DirPostCallback)(const std::string &Dir),
                         void (*FileCallback)(const std::string &Dir));
 struct SizedFile {
  std::string File;
  size_t Size;
  bool operator<(const SizedFile &B) const { return Size < B.Size; }
 };
 void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V);
 char GetSeparator();
 bool IsSeparator(char C);
 // Similar to the basename utility: returns the file name w/o the dir prefix.
 std::string Basename(const std::string &Path);
 FILE* OpenFile(int Fd, const char *Mode);
 int CloseFile(int Fd);
 int DuplicateFile(int Fd);
 void RemoveFile(const std::string &Path);
 void RenameFile(const std::string &OldPath, const std::string &NewPath);
 intptr_t GetHandleFromFd(int fd);
 void MkDir(const std::string &Path);
 void RmDir(const std::string &Path);
 const std::string &getDevNull();
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_IO_H
--- a/custom_mutators/libfuzzer/FuzzerIOPosix.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIOPosix.cpp
@ -0,0 +1,223 @@
 //===- FuzzerIOPosix.cpp - IO utils for Posix. ----------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // IO functions implementation using Posix API.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_POSIX || LIBFUZZER_FUCHSIA
  #include "FuzzerExtFunctions.h"
  #include "FuzzerIO.h"
  #include <cstdarg>
  #include <cstdio>
  #include <dirent.h>
  #include <fstream>
  #include <iterator>
  #include <libgen.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <unistd.h>
 namespace fuzzer {
 bool IsFile(const std::string &Path) {
  struct stat St;
  if (stat(Path.c_str(), &St)) return false;
  return S_ISREG(St.st_mode);
 }
 bool IsDirectory(const std::string &Path) {
  struct stat St;
  if (stat(Path.c_str(), &St)) return false;
  return S_ISDIR(St.st_mode);
 }
 size_t FileSize(const std::string &Path) {
  struct stat St;
  if (stat(Path.c_str(), &St)) return 0;
  return St.st_size;
 }
 std::string Basename(const std::string &Path) {
  size_t Pos = Path.rfind(GetSeparator());
  if (Pos == std::string::npos) return Path;
  assert(Pos < Path.size());
  return Path.substr(Pos + 1);
 }
 void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
                             Vector<std::string> *V, bool TopDir) {
  auto E = GetEpoch(Dir);
  if (Epoch)
    if (E && *Epoch >= E) return;
  DIR *D = opendir(Dir.c_str());
  if (!D) {
    Printf("%s: %s; exiting\n", strerror(errno), Dir.c_str());
    exit(1);
  }
  while (auto E = readdir(D)) {
    std::string Path = DirPlusFile(Dir, E->d_name);
    if (E->d_type == DT_REG || E->d_type == DT_LNK ||
        (E->d_type == DT_UNKNOWN && IsFile(Path)))
      V->push_back(Path);
    else if ((E->d_type == DT_DIR ||
              (E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&
             *E->d_name != '.')
      ListFilesInDirRecursive(Path, Epoch, V, false);
  }
  closedir(D);
  if (Epoch && TopDir) *Epoch = E;
 }
 void IterateDirRecursive(const std::string &Dir,
                         void (*DirPreCallback)(const std::string &Dir),
                         void (*DirPostCallback)(const std::string &Dir),
                         void (*FileCallback)(const std::string &Dir)) {
  DirPreCallback(Dir);
  DIR *D = opendir(Dir.c_str());
  if (!D) return;
  while (auto E = readdir(D)) {
    std::string Path = DirPlusFile(Dir, E->d_name);
    if (E->d_type == DT_REG || E->d_type == DT_LNK ||
        (E->d_type == DT_UNKNOWN && IsFile(Path)))
      FileCallback(Path);
    else if ((E->d_type == DT_DIR ||
              (E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&
             *E->d_name != '.')
      IterateDirRecursive(Path, DirPreCallback, DirPostCallback, FileCallback);
  }
  closedir(D);
  DirPostCallback(Dir);
 }
 char GetSeparator() {
  return '/';
 }
 bool IsSeparator(char C) {
  return C == '/';
 }
 FILE *OpenFile(int Fd, const char *Mode) {
  return fdopen(Fd, Mode);
 }
 int CloseFile(int fd) {
  return close(fd);
 }
 int DuplicateFile(int Fd) {
  return dup(Fd);
 }
 void RemoveFile(const std::string &Path) {
  unlink(Path.c_str());
 }
 void RenameFile(const std::string &OldPath, const std::string &NewPath) {
  rename(OldPath.c_str(), NewPath.c_str());
 }
 intptr_t GetHandleFromFd(int fd) {
  return static_cast<intptr_t>(fd);
 }
 std::string DirName(const std::string &FileName) {
  char *Tmp = new char[FileName.size() + 1];
  memcpy(Tmp, FileName.c_str(), FileName.size() + 1);
  std::string Res = dirname(Tmp);
  delete[] Tmp;
  return Res;
 }
 std::string TmpDir() {
  if (auto Env = getenv("TMPDIR")) return Env;
  return "/tmp";
 }
 bool IsInterestingCoverageFile(const std::string &FileName) {
  if (FileName.find("compiler-rt/lib/") != std::string::npos)
    return false;  // sanitizer internal.
  if (FileName.find("/usr/lib/") != std::string::npos) return false;
  if (FileName.find("/usr/include/") != std::string::npos) return false;
  if (FileName == "<null>") return false;
  return true;
 }
 void RawPrint(const char *Str) {
  write(2, Str, strlen(Str));
 }
 void MkDir(const std::string &Path) {
  mkdir(Path.c_str(), 0700);
 }
 void RmDir(const std::string &Path) {
  rmdir(Path.c_str());
 }
 const std::string &getDevNull() {
  static const std::string devNull = "/dev/null";
  return devNull;
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_POSIX
--- a/custom_mutators/libfuzzer/FuzzerIOWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIOWindows.cpp
@ -0,0 +1,513 @@
 //===- FuzzerIOWindows.cpp - IO utils for Windows. ------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // IO functions implementation for Windows.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_WINDOWS
  #include "FuzzerExtFunctions.h"
  #include "FuzzerIO.h"
  #include <cstdarg>
  #include <cstdio>
  #include <fstream>
  #include <io.h>
  #include <iterator>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <windows.h>
 namespace fuzzer {
 static bool IsFile(const std::string &Path, const DWORD &FileAttributes) {
  if (FileAttributes & FILE_ATTRIBUTE_NORMAL) return true;
  if (FileAttributes & FILE_ATTRIBUTE_DIRECTORY) return false;
  HANDLE FileHandle(CreateFileA(Path.c_str(), 0, FILE_SHARE_READ, NULL,
                                OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0));
  if (FileHandle == INVALID_HANDLE_VALUE) {
    Printf("CreateFileA() failed for \"%s\" (Error code: %lu).\n", Path.c_str(),
           GetLastError());
    return false;
  }
  DWORD FileType = GetFileType(FileHandle);
  if (FileType == FILE_TYPE_UNKNOWN) {
    Printf("GetFileType() failed for \"%s\" (Error code: %lu).\n", Path.c_str(),
           GetLastError());
    CloseHandle(FileHandle);
    return false;
  }
  if (FileType != FILE_TYPE_DISK) {
    CloseHandle(FileHandle);
    return false;
  }
  CloseHandle(FileHandle);
  return true;
 }
 bool IsFile(const std::string &Path) {
  DWORD Att = GetFileAttributesA(Path.c_str());
  if (Att == INVALID_FILE_ATTRIBUTES) {
    Printf("GetFileAttributesA() failed for \"%s\" (Error code: %lu).\n",
           Path.c_str(), GetLastError());
    return false;
  }
  return IsFile(Path, Att);
 }
 static bool IsDir(DWORD FileAttrs) {
  if (FileAttrs == INVALID_FILE_ATTRIBUTES) return false;
  return FileAttrs & FILE_ATTRIBUTE_DIRECTORY;
 }
 bool IsDirectory(const std::string &Path) {
  DWORD Att = GetFileAttributesA(Path.c_str());
  if (Att == INVALID_FILE_ATTRIBUTES) {
    Printf("GetFileAttributesA() failed for \"%s\" (Error code: %lu).\n",
           Path.c_str(), GetLastError());
    return false;
  }
  return IsDir(Att);
 }
 std::string Basename(const std::string &Path) {
  size_t Pos = Path.find_last_of("/\\");
  if (Pos == std::string::npos) return Path;
  assert(Pos < Path.size());
  return Path.substr(Pos + 1);
 }
 size_t FileSize(const std::string &Path) {
  WIN32_FILE_ATTRIBUTE_DATA attr;
  if (!GetFileAttributesExA(Path.c_str(), GetFileExInfoStandard, &attr)) {
    DWORD LastError = GetLastError();
    if (LastError != ERROR_FILE_NOT_FOUND)
      Printf("GetFileAttributesExA() failed for \"%s\" (Error code: %lu).\n",
             Path.c_str(), LastError);
    return 0;
  }
  ULARGE_INTEGER size;
  size.HighPart = attr.nFileSizeHigh;
  size.LowPart = attr.nFileSizeLow;
  return size.QuadPart;
 }
 void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
                             Vector<std::string> *V, bool TopDir) {
  auto E = GetEpoch(Dir);
  if (Epoch)
    if (E && *Epoch >= E) return;
  std::string Path(Dir);
  assert(!Path.empty());
  if (Path.back() != '\\') Path.push_back('\\');
  Path.push_back('*');
  // Get the first directory entry.
  WIN32_FIND_DATAA FindInfo;
  HANDLE           FindHandle(FindFirstFileA(Path.c_str(), &FindInfo));
  if (FindHandle == INVALID_HANDLE_VALUE) {
    if (GetLastError() == ERROR_FILE_NOT_FOUND) return;
    Printf("No such file or directory: %s; exiting\n", Dir.c_str());
    exit(1);
  }
  do {
    std::string FileName = DirPlusFile(Dir, FindInfo.cFileName);
    if (FindInfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
      size_t FilenameLen = strlen(FindInfo.cFileName);
      if ((FilenameLen == 1 && FindInfo.cFileName[0] == '.') ||
          (FilenameLen == 2 && FindInfo.cFileName[0] == '.' &&
           FindInfo.cFileName[1] == '.'))
        continue;
      ListFilesInDirRecursive(FileName, Epoch, V, false);
    } else if (IsFile(FileName, FindInfo.dwFileAttributes))
      V->push_back(FileName);
  } while (FindNextFileA(FindHandle, &FindInfo));
  DWORD LastError = GetLastError();
  if (LastError != ERROR_NO_MORE_FILES)
    Printf("FindNextFileA failed (Error code: %lu).\n", LastError);
  FindClose(FindHandle);
  if (Epoch && TopDir) *Epoch = E;
 }
 void IterateDirRecursive(const std::string &Dir,
                         void (*DirPreCallback)(const std::string &Dir),
                         void (*DirPostCallback)(const std::string &Dir),
                         void (*FileCallback)(const std::string &Dir)) {
  // TODO(metzman): Implement ListFilesInDirRecursive via this function.
  DirPreCallback(Dir);
  DWORD DirAttrs = GetFileAttributesA(Dir.c_str());
  if (!IsDir(DirAttrs)) return;
  std::string TargetDir(Dir);
  assert(!TargetDir.empty());
  if (TargetDir.back() != '\\') TargetDir.push_back('\\');
  TargetDir.push_back('*');
  WIN32_FIND_DATAA FindInfo;
  // Find the directory's first file.
  HANDLE FindHandle = FindFirstFileA(TargetDir.c_str(), &FindInfo);
  if (FindHandle == INVALID_HANDLE_VALUE) {
    DWORD LastError = GetLastError();
    if (LastError != ERROR_FILE_NOT_FOUND) {
      // If the directory isn't empty, then something abnormal is going on.
      Printf("FindFirstFileA failed for %s (Error code: %lu).\n", Dir.c_str(),
             LastError);
    }
    return;
  }
  do {
    std::string Path = DirPlusFile(Dir, FindInfo.cFileName);
    DWORD       PathAttrs = FindInfo.dwFileAttributes;
    if (IsDir(PathAttrs)) {
      // Is Path the current directory (".") or the parent ("..")?
      if (strcmp(FindInfo.cFileName, ".") == 0 ||
          strcmp(FindInfo.cFileName, "..") == 0)
        continue;
      IterateDirRecursive(Path, DirPreCallback, DirPostCallback, FileCallback);
    } else if (PathAttrs != INVALID_FILE_ATTRIBUTES) {
      FileCallback(Path);
    }
  } while (FindNextFileA(FindHandle, &FindInfo));
  DWORD LastError = GetLastError();
  if (LastError != ERROR_NO_MORE_FILES)
    Printf("FindNextFileA failed for %s (Error code: %lu).\n", Dir.c_str(),
           LastError);
  FindClose(FindHandle);
  DirPostCallback(Dir);
 }
 char GetSeparator() {
  return '\\';
 }
 FILE *OpenFile(int Fd, const char *Mode) {
  return _fdopen(Fd, Mode);
 }
 int CloseFile(int Fd) {
  return _close(Fd);
 }
 int DuplicateFile(int Fd) {
  return _dup(Fd);
 }
 void RemoveFile(const std::string &Path) {
  _unlink(Path.c_str());
 }
 void RenameFile(const std::string &OldPath, const std::string &NewPath) {
  rename(OldPath.c_str(), NewPath.c_str());
 }
 intptr_t GetHandleFromFd(int fd) {
  return _get_osfhandle(fd);
 }
 bool IsSeparator(char C) {
  return C == '\\' || C == '/';
 }
 // Parse disk designators, like "C:\". If Relative == true, also accepts: "C:".
 // Returns number of characters considered if successful.
 static size_t ParseDrive(const std::string &FileName, const size_t Offset,
                         bool Relative = true) {
  if (Offset + 1 >= FileName.size() || FileName[Offset + 1] != ':') return 0;
  if (Offset + 2 >= FileName.size() || !IsSeparator(FileName[Offset + 2])) {
    if (!Relative)  // Accept relative path?
      return 0;
    else
      return 2;
  }
  return 3;
 }
 // Parse a file name, like: SomeFile.txt
 // Returns number of characters considered if successful.
 static size_t ParseFileName(const std::string &FileName, const size_t Offset) {
  size_t       Pos = Offset;
  const size_t End = FileName.size();
  for (; Pos < End && !IsSeparator(FileName[Pos]); ++Pos)
    ;
  return Pos - Offset;
 }
 // Parse a directory ending in separator, like: `SomeDir\`
 // Returns number of characters considered if successful.
 static size_t ParseDir(const std::string &FileName, const size_t Offset) {
  size_t       Pos = Offset;
  const size_t End = FileName.size();
  if (Pos >= End || IsSeparator(FileName[Pos])) return 0;
  for (; Pos < End && !IsSeparator(FileName[Pos]); ++Pos)
    ;
  if (Pos >= End) return 0;
  ++Pos;  // Include separator.
  return Pos - Offset;
 }
 // Parse a servername and share, like: `SomeServer\SomeShare\`
 // Returns number of characters considered if successful.
 static size_t ParseServerAndShare(const std::string &FileName,
                                  const size_t       Offset) {
  size_t Pos = Offset, Res;
  if (!(Res = ParseDir(FileName, Pos))) return 0;
  Pos += Res;
  if (!(Res = ParseDir(FileName, Pos))) return 0;
  Pos += Res;
  return Pos - Offset;
 }
 // Parse the given Ref string from the position Offset, to exactly match the
 // given string Patt. Returns number of characters considered if successful.
 static size_t ParseCustomString(const std::string &Ref, size_t Offset,
                                const char *Patt) {
  size_t Len = strlen(Patt);
  if (Offset + Len > Ref.size()) return 0;
  return Ref.compare(Offset, Len, Patt) == 0 ? Len : 0;
 }
 // Parse a location, like:
 // \\?\UNC\Server\Share\  \\?\C:\  \\Server\Share\  \  C:\  C:
 // Returns number of characters considered if successful.
 static size_t ParseLocation(const std::string &FileName) {
  size_t Pos = 0, Res;
  if ((Res = ParseCustomString(FileName, Pos, R"(\\?\)"))) {
    Pos += Res;
    if ((Res = ParseCustomString(FileName, Pos, R"(UNC\)"))) {
      Pos += Res;
      if ((Res = ParseServerAndShare(FileName, Pos))) return Pos + Res;
      return 0;
    }
    if ((Res = ParseDrive(FileName, Pos, false))) return Pos + Res;
    return 0;
  }
  if (Pos < FileName.size() && IsSeparator(FileName[Pos])) {
    ++Pos;
    if (Pos < FileName.size() && IsSeparator(FileName[Pos])) {
      ++Pos;
      if ((Res = ParseServerAndShare(FileName, Pos))) return Pos + Res;
      return 0;
    }
    return Pos;
  }
  if ((Res = ParseDrive(FileName, Pos))) return Pos + Res;
  return Pos;
 }
 std::string DirName(const std::string &FileName) {
  size_t LocationLen = ParseLocation(FileName);
  size_t DirLen = 0, Res;
  while ((Res = ParseDir(FileName, LocationLen + DirLen)))
    DirLen += Res;
  size_t FileLen = ParseFileName(FileName, LocationLen + DirLen);
  if (LocationLen + DirLen + FileLen != FileName.size()) {
    Printf("DirName() failed for \"%s\", invalid path.\n", FileName.c_str());
    exit(1);
  }
  if (DirLen) {
    --DirLen;        // Remove trailing separator.
    if (!FileLen) {  // Path ended in separator.
      assert(DirLen);
      // Remove file name from Dir.
      while (DirLen && !IsSeparator(FileName[LocationLen + DirLen - 1]))
        --DirLen;
      if (DirLen)  // Remove trailing separator.
        --DirLen;
    }
  }
  if (!LocationLen) {  // Relative path.
    if (!DirLen) return ".";
    return std::string(".\\").append(FileName, 0, DirLen);
  }
  return FileName.substr(0, LocationLen + DirLen);
 }
 std::string TmpDir() {
  std::string Tmp;
  Tmp.resize(MAX_PATH + 1);
  DWORD Size = GetTempPathA(Tmp.size(), &Tmp[0]);
  if (Size == 0) {
    Printf("Couldn't get Tmp path.\n");
    exit(1);
  }
  Tmp.resize(Size);
  return Tmp;
 }
 bool IsInterestingCoverageFile(const std::string &FileName) {
  if (FileName.find("Program Files") != std::string::npos) return false;
  if (FileName.find("compiler-rt\\lib\\") != std::string::npos)
    return false;  // sanitizer internal.
  if (FileName == "<null>") return false;
  return true;
 }
 void RawPrint(const char *Str) {
  _write(2, Str, strlen(Str));
 }
 void MkDir(const std::string &Path) {
  if (CreateDirectoryA(Path.c_str(), nullptr)) return;
  Printf("CreateDirectoryA failed for %s (Error code: %lu).\n", Path.c_str(),
         GetLastError());
 }
 void RmDir(const std::string &Path) {
  if (RemoveDirectoryA(Path.c_str())) return;
  Printf("RemoveDirectoryA failed for %s (Error code: %lu).\n", Path.c_str(),
         GetLastError());
 }
 const std::string &getDevNull() {
  static const std::string devNull = "NUL";
  return devNull;
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_WINDOWS
--- a/custom_mutators/libfuzzer/FuzzerInterceptors.cpp
+++ b/custom_mutators/libfuzzer/FuzzerInterceptors.cpp
@ -0,0 +1,290 @@
 //===-- FuzzerInterceptors.cpp --------------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Intercept certain libc functions to aid fuzzing.
 // Linked only when other RTs that define their own interceptors are not linked.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_LINUX
  #define GET_CALLER_PC() __builtin_return_address(0)
  #define PTR_TO_REAL(x) real_##x
  #define REAL(x) __interception::PTR_TO_REAL(x)
  #define FUNC_TYPE(x) x##_type
  #define DEFINE_REAL(ret_type, func, ...)            \
    typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__); \
    namespace __interception {                        \
                                                      \
    FUNC_TYPE(func) PTR_TO_REAL(func);                \
                                                      \
    }
  #include <cassert>
  #include <cstdint>
  #include <dlfcn.h>  // for dlsym()
 static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {
  void *addr = dlsym(RTLD_NEXT, name);
  if (!addr) {
    // If the lookup using RTLD_NEXT failed, the sanitizer runtime library is
    // later in the library search order than the DSO that we are trying to
    // intercept, which means that we cannot intercept this function. We still
    // want the address of the real definition, though, so look it up using
    // RTLD_DEFAULT.
    addr = dlsym(RTLD_DEFAULT, name);
    // In case `name' is not loaded, dlsym ends up finding the actual wrapper.
    // We don't want to intercept the wrapper and have it point to itself.
    if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr) addr = nullptr;
  }
  return addr;
 }
 static int  FuzzerInited = 0;
 static bool FuzzerInitIsRunning;
 static void fuzzerInit();
 static void ensureFuzzerInited() {
  assert(!FuzzerInitIsRunning);
  if (!FuzzerInited) { fuzzerInit(); }
 }
 static int internal_strcmp_strncmp(const char *s1, const char *s2, bool strncmp,
                                   size_t n) {
  size_t i = 0;
  while (true) {
    if (strncmp) {
      if (i == n) break;
      i++;
    }
    unsigned c1 = *s1;
    unsigned c2 = *s2;
    if (c1 != c2) return (c1 < c2) ? -1 : 1;
    if (c1 == 0) break;
    s1++;
    s2++;
  }
  return 0;
 }
 static int internal_strncmp(const char *s1, const char *s2, size_t n) {
  return internal_strcmp_strncmp(s1, s2, true, n);
 }
 static int internal_strcmp(const char *s1, const char *s2) {
  return internal_strcmp_strncmp(s1, s2, false, 0);
 }
 static int internal_memcmp(const void *s1, const void *s2, size_t n) {
  const uint8_t *t1 = static_cast<const uint8_t *>(s1);
  const uint8_t *t2 = static_cast<const uint8_t *>(s2);
  for (size_t i = 0; i < n; ++i, ++t1, ++t2)
    if (*t1 != *t2) return *t1 < *t2 ? -1 : 1;
  return 0;
 }
 static size_t internal_strlen(const char *s) {
  size_t i = 0;
  while (s[i])
    i++;
  return i;
 }
 static char *internal_strstr(const char *haystack, const char *needle) {
  // This is O(N^2), but we are not using it in hot places.
  size_t len1 = internal_strlen(haystack);
  size_t len2 = internal_strlen(needle);
  if (len1 < len2) return nullptr;
  for (size_t pos = 0; pos <= len1 - len2; pos++) {
    if (internal_memcmp(haystack + pos, needle, len2) == 0)
      return const_cast<char *>(haystack) + pos;
  }
  return nullptr;
 }
 extern "C" {
 // Weak hooks forward-declared to avoid dependency on
 // <sanitizer/common_interface_defs.h>.
 void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1,
                                  const void *s2, size_t n, int result);
 void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
                                   const char *s2, size_t n, int result);
 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
                                       const char *s2, size_t n, int result);
 void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
                                  const char *s2, int result);
 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
                                      const char *s2, int result);
 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
                                  const char *s2, char *result);
 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
                                      const char *s2, char *result);
 void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
                                  const void *s2, size_t len2, void *result);
 DEFINE_REAL(int, bcmp, const void *, const void *, size_t)
 DEFINE_REAL(int, memcmp, const void *, const void *, size_t)
 DEFINE_REAL(int, strncmp, const char *, const char *, size_t)
 DEFINE_REAL(int, strcmp, const char *, const char *)
 DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)
 DEFINE_REAL(int, strcasecmp, const char *, const char *)
 DEFINE_REAL(char *, strstr, const char *, const char *)
 DEFINE_REAL(char *, strcasestr, const char *, const char *)
 DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)
 ATTRIBUTE_INTERFACE int bcmp(const char *s1, const char *s2, size_t n) {
  if (!FuzzerInited) return internal_memcmp(s1, s2, n);
  int result = REAL(bcmp)(s1, s2, n);
  __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
  return result;
 }
 ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {
  if (!FuzzerInited) return internal_memcmp(s1, s2, n);
  int result = REAL(memcmp)(s1, s2, n);
  __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
  return result;
 }
 ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {
  if (!FuzzerInited) return internal_strncmp(s1, s2, n);
  int result = REAL(strncmp)(s1, s2, n);
  __sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);
  return result;
 }
 ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {
  if (!FuzzerInited) return internal_strcmp(s1, s2);
  int result = REAL(strcmp)(s1, s2);
  __sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);
  return result;
 }
 ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {
  ensureFuzzerInited();
  int result = REAL(strncasecmp)(s1, s2, n);
  __sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);
  return result;
 }
 ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {
  ensureFuzzerInited();
  int result = REAL(strcasecmp)(s1, s2);
  __sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);
  return result;
 }
 ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {
  if (!FuzzerInited) return internal_strstr(s1, s2);
  char *result = REAL(strstr)(s1, s2);
  __sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);
  return result;
 }
 ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {
  ensureFuzzerInited();
  char *result = REAL(strcasestr)(s1, s2);
  __sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);
  return result;
 }
 ATTRIBUTE_INTERFACE
 void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {
  ensureFuzzerInited();
  void *result = REAL(memmem)(s1, len1, s2, len2);
  __sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);
  return result;
 }
 __attribute__((section(".preinit_array"),
               used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;
 }  // extern "C"
 static void fuzzerInit() {
  assert(!FuzzerInitIsRunning);
  if (FuzzerInited) return;
  FuzzerInitIsRunning = true;
  REAL(bcmp) = reinterpret_cast<memcmp_type>(
      getFuncAddr("bcmp", reinterpret_cast<uintptr_t>(&bcmp)));
  REAL(memcmp) = reinterpret_cast<memcmp_type>(
      getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));
  REAL(strncmp) = reinterpret_cast<strncmp_type>(
      getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));
  REAL(strcmp) = reinterpret_cast<strcmp_type>(
      getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));
  REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(
      getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));
  REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(
      getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));
  REAL(strstr) = reinterpret_cast<strstr_type>(
      getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));
  REAL(strcasestr) = reinterpret_cast<strcasestr_type>(
      getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));
  REAL(memmem) = reinterpret_cast<memmem_type>(
      getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));
  FuzzerInitIsRunning = false;
  FuzzerInited = 1;
 }
 #endif
--- a/custom_mutators/libfuzzer/FuzzerInterface.h
+++ b/custom_mutators/libfuzzer/FuzzerInterface.h
@ -0,0 +1,79 @@
 //===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Define the interface between libFuzzer and the library being tested.
 //===----------------------------------------------------------------------===//
 // NOTE: the libFuzzer interface is thin and in the majority of cases
 // you should not include this file into your target. In 95% of cases
 // all you need is to define the following function in your file:
 // extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 // WARNING: keep the interface in C.
 #ifndef LLVM_FUZZER_INTERFACE_H
 #define LLVM_FUZZER_INTERFACE_H
 #include <stddef.h>
 #include <stdint.h>
 #ifdef __cplusplus
 extern "C" {
 #endif  // __cplusplus
 // Define FUZZER_INTERFACE_VISIBILITY to set default visibility in a way that
 // doesn't break MSVC.
 #if defined(_WIN32)
 #define FUZZER_INTERFACE_VISIBILITY __declspec(dllexport)
 #else
 #define FUZZER_INTERFACE_VISIBILITY __attribute__((visibility("default")))
 #endif
 // Mandatory user-provided target function.
 // Executes the code under test with [Data, Data+Size) as the input.
 // libFuzzer will invoke this function *many* times with different inputs.
 // Must return 0.
 FUZZER_INTERFACE_VISIBILITY int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 // Optional user-provided initialization function.
 // If provided, this function will be called by libFuzzer once at startup.
 // It may read and modify argc/argv.
 // Must return 0.
 FUZZER_INTERFACE_VISIBILITY int LLVMFuzzerInitialize(int *argc, char ***argv);
 // Optional user-provided custom mutator.
 // Mutates raw data in [Data, Data+Size) inplace.
 // Returns the new size, which is not greater than MaxSize.
 // Given the same Seed produces the same mutation.
 FUZZER_INTERFACE_VISIBILITY size_t
 LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize,
                        unsigned int Seed);
 // Optional user-provided custom cross-over function.
 // Combines pieces of Data1 & Data2 together into Out.
 // Returns the new size, which is not greater than MaxOutSize.
 // Should produce the same mutation given the same Seed.
 FUZZER_INTERFACE_VISIBILITY size_t
 LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
                          const uint8_t *Data2, size_t Size2, uint8_t *Out,
                          size_t MaxOutSize, unsigned int Seed);
 // Experimental, may go away in future.
 // libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator.
 // Mutates raw data in [Data, Data+Size) inplace.
 // Returns the new size, which is not greater than MaxSize.
 FUZZER_INTERFACE_VISIBILITY size_t
 LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
 #undef FUZZER_INTERFACE_VISIBILITY
 #ifdef __cplusplus
 }  // extern "C"
 #endif  // __cplusplus
 #endif  // LLVM_FUZZER_INTERFACE_H
--- a/custom_mutators/libfuzzer/FuzzerInternal.h
+++ b/custom_mutators/libfuzzer/FuzzerInternal.h
@ -0,0 +1,173 @@
 //===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Define the main class fuzzer::Fuzzer and most functions.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_INTERNAL_H
 #define LLVM_FUZZER_INTERNAL_H
 #include "FuzzerDataFlowTrace.h"
 #include "FuzzerDefs.h"
 #include "FuzzerExtFunctions.h"
 #include "FuzzerInterface.h"
 #include "FuzzerOptions.h"
 #include "FuzzerSHA1.h"
 #include "FuzzerValueBitMap.h"
 #include <algorithm>
 #include <atomic>
 #include <chrono>
 #include <climits>
 #include <cstdlib>
 #include <string.h>
 namespace fuzzer {
 using namespace std::chrono;
 class Fuzzer {
 public:
  Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
         FuzzingOptions Options);
  ~Fuzzer();
  void Loop(Vector<SizedFile> &CorporaFiles);
  void ReadAndExecuteSeedCorpora(Vector<SizedFile> &CorporaFiles);
  void MinimizeCrashLoop(const Unit &U);
  void RereadOutputCorpus(size_t MaxSize);
  size_t secondsSinceProcessStartUp() {
    return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
        .count();
  }
  bool TimedOut() {
    return Options.MaxTotalTimeSec > 0 &&
           secondsSinceProcessStartUp() >
               static_cast<size_t>(Options.MaxTotalTimeSec);
  }
  size_t execPerSec() {
    size_t Seconds = secondsSinceProcessStartUp();
    return Seconds ? TotalNumberOfRuns / Seconds : 0;
  }
  size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
  static void StaticAlarmCallback();
  static void StaticCrashSignalCallback();
  static void StaticExitCallback();
  static void StaticInterruptCallback();
  static void StaticFileSizeExceedCallback();
  static void StaticGracefulExitCallback();
  void ExecuteCallback(const uint8_t *Data, size_t Size);
  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
              InputInfo *II = nullptr, bool ForceAddToCorpus = false,
              bool *FoundUniqFeatures = nullptr);
  // Merge Corpora[1:] into Corpora[0].
  void Merge(const Vector<std::string> &Corpora);
  void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
  MutationDispatcher &GetMD() { return MD; }
  void PrintFinalStats();
  void SetMaxInputLen(size_t MaxInputLen);
  void SetMaxMutationLen(size_t MaxMutationLen);
  void RssLimitCallback();
  bool InFuzzingThread() const { return IsMyThread; }
  size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const;
  void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
                               bool DuringInitialCorpusExecution);
  void HandleMalloc(size_t Size);
  static void MaybeExitGracefully();
  std::string WriteToOutputCorpus(const Unit &U);
 private:
  void AlarmCallback();
  void CrashCallback();
  void ExitCallback();
  void CrashOnOverwrittenData();
  void InterruptCallback();
  void MutateAndTestOne();
  void PurgeAllocator();
  void ReportNewCoverage(InputInfo *II, const Unit &U);
  void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size);
  void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0,
                  size_t Features = 0);
  void PrintStatusForNewUnit(const Unit &U, const char *Text);
  void CheckExitOnSrcPosOrItem();
  static void StaticDeathCallback();
  void DumpCurrentUnit(const char *Prefix);
  void DeathCallback();
  void AllocateCurrentUnitData();
  uint8_t *CurrentUnitData = nullptr;
  std::atomic<size_t> CurrentUnitSize;
  uint8_t BaseSha1[kSHA1NumBytes];  // Checksum of the base unit.
  bool GracefulExitRequested = false;
  size_t TotalNumberOfRuns = 0;
  size_t NumberOfNewUnitsAdded = 0;
  size_t LastCorpusUpdateRun = 0;
  bool HasMoreMallocsThanFrees = false;
  size_t NumberOfLeakDetectionAttempts = 0;
  system_clock::time_point LastAllocatorPurgeAttemptTime = system_clock::now();
  UserCallback CB;
  InputCorpus &Corpus;
  MutationDispatcher &MD;
  FuzzingOptions Options;
  DataFlowTrace DFT;
  system_clock::time_point ProcessStartTime = system_clock::now();
  system_clock::time_point UnitStartTime, UnitStopTime;
  long TimeOfLongestUnitInSeconds = 0;
  long EpochOfLastReadOfOutputCorpus = 0;
  size_t MaxInputLen = 0;
  size_t MaxMutationLen = 0;
  size_t TmpMaxMutationLen = 0;
  Vector<uint32_t> UniqFeatureSetTmp;
  // Need to know our own thread.
  static thread_local bool IsMyThread;
 };
 struct ScopedEnableMsanInterceptorChecks {
  ScopedEnableMsanInterceptorChecks() {
    if (EF->__msan_scoped_enable_interceptor_checks)
      EF->__msan_scoped_enable_interceptor_checks();
  }
  ~ScopedEnableMsanInterceptorChecks() {
    if (EF->__msan_scoped_disable_interceptor_checks)
      EF->__msan_scoped_disable_interceptor_checks();
  }
 };
 struct ScopedDisableMsanInterceptorChecks {
  ScopedDisableMsanInterceptorChecks() {
    if (EF->__msan_scoped_disable_interceptor_checks)
      EF->__msan_scoped_disable_interceptor_checks();
  }
  ~ScopedDisableMsanInterceptorChecks() {
    if (EF->__msan_scoped_enable_interceptor_checks)
      EF->__msan_scoped_enable_interceptor_checks();
  }
 };
 } // namespace fuzzer
 #endif // LLVM_FUZZER_INTERNAL_H
--- a/custom_mutators/libfuzzer/FuzzerLoop.cpp
+++ b/custom_mutators/libfuzzer/FuzzerLoop.cpp
--- a/custom_mutators/libfuzzer/FuzzerMain.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMain.cpp
@ -0,0 +1,26 @@
 //===- FuzzerMain.cpp - main() function and flags -------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // main() and flags.
 //===----------------------------------------------------------------------===//
 #include "FuzzerDefs.h"
 #include "FuzzerPlatform.h"
 extern "C" {
 // This function should be defined by the user.
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
 }  // extern "C"
 ATTRIBUTE_INTERFACE int main(int argc, char **argv) {
  return fuzzer::FuzzerDriver(&argc, &argv, LLVMFuzzerTestOneInput);
 }
--- a/custom_mutators/libfuzzer/FuzzerMerge.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMerge.cpp
@ -0,0 +1,485 @@
 //===- FuzzerMerge.cpp - merging corpora ----------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Merging corpora.
 //===----------------------------------------------------------------------===//
 #include "FuzzerCommand.h"
 #include "FuzzerMerge.h"
 #include "FuzzerIO.h"
 #include "FuzzerInternal.h"
 #include "FuzzerTracePC.h"
 #include "FuzzerUtil.h"
 #include <fstream>
 #include <iterator>
 #include <set>
 #include <sstream>
 #include <unordered_set>
 namespace fuzzer {
 bool Merger::Parse(const std::string &Str, bool ParseCoverage) {
  std::istringstream SS(Str);
  return Parse(SS, ParseCoverage);
 }
 void Merger::ParseOrExit(std::istream &IS, bool ParseCoverage) {
  if (!Parse(IS, ParseCoverage)) {
    Printf("MERGE: failed to parse the control file (unexpected error)\n");
    exit(1);
  }
 }
 // The control file example:
 //
 // 3 # The number of inputs
 // 1 # The number of inputs in the first corpus, <= the previous number
 // file0
 // file1
 // file2  # One file name per line.
 // STARTED 0 123  # FileID, file size
 // FT 0 1 4 6 8  # FileID COV1 COV2 ...
 // COV 0 7 8 9 # FileID COV1 COV1
 // STARTED 1 456  # If FT is missing, the input crashed while processing.
 // STARTED 2 567
 // FT 2 8 9
 // COV 2 11 12
 bool Merger::Parse(std::istream &IS, bool ParseCoverage) {
  LastFailure.clear();
  std::string Line;
  // Parse NumFiles.
  if (!std::getline(IS, Line, '\n')) return false;
  std::istringstream L1(Line);
  size_t             NumFiles = 0;
  L1 >> NumFiles;
  if (NumFiles == 0 || NumFiles > 10000000) return false;
  // Parse NumFilesInFirstCorpus.
  if (!std::getline(IS, Line, '\n')) return false;
  std::istringstream L2(Line);
  NumFilesInFirstCorpus = NumFiles + 1;
  L2 >> NumFilesInFirstCorpus;
  if (NumFilesInFirstCorpus > NumFiles) return false;
  // Parse file names.
  Files.resize(NumFiles);
  for (size_t i = 0; i < NumFiles; i++)
    if (!std::getline(IS, Files[i].Name, '\n')) return false;
  // Parse STARTED, FT, and COV lines.
  size_t           ExpectedStartMarker = 0;
  const size_t     kInvalidStartMarker = -1;
  size_t           LastSeenStartMarker = kInvalidStartMarker;
  Vector<uint32_t> TmpFeatures;
  Set<uint32_t>    PCs;
  while (std::getline(IS, Line, '\n')) {
    std::istringstream ISS1(Line);
    std::string        Marker;
    size_t             N;
    ISS1 >> Marker;
    ISS1 >> N;
    if (Marker == "STARTED") {
      // STARTED FILE_ID FILE_SIZE
      if (ExpectedStartMarker != N) return false;
      ISS1 >> Files[ExpectedStartMarker].Size;
      LastSeenStartMarker = ExpectedStartMarker;
      assert(ExpectedStartMarker < Files.size());
      ExpectedStartMarker++;
    } else if (Marker == "FT") {
      // FT FILE_ID COV1 COV2 COV3 ...
      size_t CurrentFileIdx = N;
      if (CurrentFileIdx != LastSeenStartMarker) return false;
      LastSeenStartMarker = kInvalidStartMarker;
      if (ParseCoverage) {
        TmpFeatures.clear();  // use a vector from outer scope to avoid resizes.
        while (ISS1 >> N)
          TmpFeatures.push_back(N);
        std::sort(TmpFeatures.begin(), TmpFeatures.end());
        Files[CurrentFileIdx].Features = TmpFeatures;
      }
    } else if (Marker == "COV") {
      size_t CurrentFileIdx = N;
      if (ParseCoverage)
        while (ISS1 >> N)
          if (PCs.insert(N).second) Files[CurrentFileIdx].Cov.push_back(N);
    } else {
      return false;
    }
  }
  if (LastSeenStartMarker != kInvalidStartMarker)
    LastFailure = Files[LastSeenStartMarker].Name;
  FirstNotProcessedFile = ExpectedStartMarker;
  return true;
 }
 size_t Merger::ApproximateMemoryConsumption() const {
  size_t Res = 0;
  for (const auto &F : Files)
    Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]);
  return Res;
 }
 // Decides which files need to be merged (add those to NewFiles).
 // Returns the number of new features added.
 size_t Merger::Merge(const Set<uint32_t> &InitialFeatures,
                     Set<uint32_t> *      NewFeatures,
                     const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
                     Vector<std::string> *NewFiles) {
  NewFiles->clear();
  assert(NumFilesInFirstCorpus <= Files.size());
  Set<uint32_t> AllFeatures = InitialFeatures;
  // What features are in the initial corpus?
  for (size_t i = 0; i < NumFilesInFirstCorpus; i++) {
    auto &Cur = Files[i].Features;
    AllFeatures.insert(Cur.begin(), Cur.end());
  }
  // Remove all features that we already know from all other inputs.
  for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
    auto &           Cur = Files[i].Features;
    Vector<uint32_t> Tmp;
    std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(),
                        AllFeatures.end(), std::inserter(Tmp, Tmp.begin()));
    Cur.swap(Tmp);
  }
  // Sort. Give preference to
  //   * smaller files
  //   * files with more features.
  std::sort(Files.begin() + NumFilesInFirstCorpus, Files.end(),
            [&](const MergeFileInfo &a, const MergeFileInfo &b) -> bool {
              if (a.Size != b.Size) return a.Size < b.Size;
              return a.Features.size() > b.Features.size();
            });
  // One greedy pass: add the file's features to AllFeatures.
  // If new features were added, add this file to NewFiles.
  for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
    auto &Cur = Files[i].Features;
    // Printf("%s -> sz %zd ft %zd\n", Files[i].Name.c_str(),
    //       Files[i].Size, Cur.size());
    bool FoundNewFeatures = false;
    for (auto Fe : Cur) {
      if (AllFeatures.insert(Fe).second) {
        FoundNewFeatures = true;
        NewFeatures->insert(Fe);
      }
    }
    if (FoundNewFeatures) NewFiles->push_back(Files[i].Name);
    for (auto Cov : Files[i].Cov)
      if (InitialCov.find(Cov) == InitialCov.end()) NewCov->insert(Cov);
  }
  return NewFeatures->size();
 }
 Set<uint32_t> Merger::AllFeatures() const {
  Set<uint32_t> S;
  for (auto &File : Files)
    S.insert(File.Features.begin(), File.Features.end());
  return S;
 }
 // Inner process. May crash if the target crashes.
 void Fuzzer::CrashResistantMergeInternalStep(const std::string &CFPath) {
  Printf("MERGE-INNER: using the control file '%s'\n", CFPath.c_str());
  Merger        M;
  std::ifstream IF(CFPath);
  M.ParseOrExit(IF, false);
  IF.close();
  if (!M.LastFailure.empty())
    Printf("MERGE-INNER: '%s' caused a failure at the previous merge step\n",
           M.LastFailure.c_str());
  Printf(
      "MERGE-INNER: %zd total files;"
      " %zd processed earlier; will process %zd files now\n",
      M.Files.size(), M.FirstNotProcessedFile,
      M.Files.size() - M.FirstNotProcessedFile);
  std::ofstream OF(CFPath, std::ofstream::out | std::ofstream::app);
  Set<size_t>   AllFeatures;
  auto          PrintStatsWrapper = [this, &AllFeatures](const char *Where) {
    this->PrintStats(Where, "\n", 0, AllFeatures.size());
  };
  Set<const TracePC::PCTableEntry *> AllPCs;
  for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {
    Fuzzer::MaybeExitGracefully();
    auto U = FileToVector(M.Files[i].Name);
    if (U.size() > MaxInputLen) {
      U.resize(MaxInputLen);
      U.shrink_to_fit();
    }
    // Write the pre-run marker.
    OF << "STARTED " << i << " " << U.size() << "\n";
    OF.flush();  // Flush is important since Command::Execute may crash.
    // Run.
    TPC.ResetMaps();
    ExecuteCallback(U.data(), U.size());
    // Collect coverage. We are iterating over the files in this order:
    // * First, files in the initial corpus ordered by size, smallest first.
    // * Then, all other files, smallest first.
    // So it makes no sense to record all features for all files, instead we
    // only record features that were not seen before.
    Set<size_t> UniqFeatures;
    TPC.CollectFeatures([&](size_t Feature) {
      if (AllFeatures.insert(Feature).second) UniqFeatures.insert(Feature);
    });
    TPC.UpdateObservedPCs();
    // Show stats.
    if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))
      PrintStatsWrapper("pulse ");
    if (TotalNumberOfRuns == M.NumFilesInFirstCorpus)
      PrintStatsWrapper("LOADED");
    // Write the post-run marker and the coverage.
    OF << "FT " << i;
    for (size_t F : UniqFeatures)
      OF << " " << F;
    OF << "\n";
    OF << "COV " << i;
    TPC.ForEachObservedPC([&](const TracePC::PCTableEntry *TE) {
      if (AllPCs.insert(TE).second) OF << " " << TPC.PCTableEntryIdx(TE);
    });
    OF << "\n";
    OF.flush();
  }
  PrintStatsWrapper("DONE  ");
 }
 static size_t WriteNewControlFile(const std::string &          CFPath,
                                  const Vector<SizedFile> &    OldCorpus,
                                  const Vector<SizedFile> &    NewCorpus,
                                  const Vector<MergeFileInfo> &KnownFiles) {
  std::unordered_set<std::string> FilesToSkip;
  for (auto &SF : KnownFiles)
    FilesToSkip.insert(SF.Name);
  Vector<std::string> FilesToUse;
  auto                MaybeUseFile = [=, &FilesToUse](std::string Name) {
    if (FilesToSkip.find(Name) == FilesToSkip.end()) FilesToUse.push_back(Name);
  };
  for (auto &SF : OldCorpus)
    MaybeUseFile(SF.File);
  auto FilesToUseFromOldCorpus = FilesToUse.size();
  for (auto &SF : NewCorpus)
    MaybeUseFile(SF.File);
  RemoveFile(CFPath);
  std::ofstream ControlFile(CFPath);
  ControlFile << FilesToUse.size() << "\n";
  ControlFile << FilesToUseFromOldCorpus << "\n";
  for (auto &FN : FilesToUse)
    ControlFile << FN << "\n";
  if (!ControlFile) {
    Printf("MERGE-OUTER: failed to write to the control file: %s\n",
           CFPath.c_str());
    exit(1);
  }
  return FilesToUse.size();
 }
 // Outer process. Does not call the target code and thus should not fail.
 void CrashResistantMerge(const Vector<std::string> &Args,
                         const Vector<SizedFile> &  OldCorpus,
                         const Vector<SizedFile> &  NewCorpus,
                         Vector<std::string> *      NewFiles,
                         const Set<uint32_t> &      InitialFeatures,
                         Set<uint32_t> *            NewFeatures,
                         const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
                         const std::string &CFPath, bool V /*Verbose*/) {
  if (NewCorpus.empty() && OldCorpus.empty()) return;  // Nothing to merge.
  size_t                NumAttempts = 0;
  Vector<MergeFileInfo> KnownFiles;
  if (FileSize(CFPath)) {
    VPrintf(V, "MERGE-OUTER: non-empty control file provided: '%s'\n",
            CFPath.c_str());
    Merger        M;
    std::ifstream IF(CFPath);
    if (M.Parse(IF, /*ParseCoverage=*/true)) {
      VPrintf(V,
              "MERGE-OUTER: control file ok, %zd files total,"
              " first not processed file %zd\n",
              M.Files.size(), M.FirstNotProcessedFile);
      if (!M.LastFailure.empty())
        VPrintf(V,
                "MERGE-OUTER: '%s' will be skipped as unlucky "
                "(merge has stumbled on it the last time)\n",
                M.LastFailure.c_str());
      if (M.FirstNotProcessedFile >= M.Files.size()) {
        // Merge has already been completed with the given merge control file.
        if (M.Files.size() == OldCorpus.size() + NewCorpus.size()) {
          VPrintf(
              V,
              "MERGE-OUTER: nothing to do, merge has been completed before\n");
          exit(0);
        }
        // Number of input files likely changed, start merge from scratch, but
        // reuse coverage information from the given merge control file.
        VPrintf(
            V,
            "MERGE-OUTER: starting merge from scratch, but reusing coverage "
            "information from the given control file\n");
        KnownFiles = M.Files;
      } else {
        // There is a merge in progress, continue.
        NumAttempts = M.Files.size() - M.FirstNotProcessedFile;
      }
    } else {
      VPrintf(V, "MERGE-OUTER: bad control file, will overwrite it\n");
    }
  }
  if (!NumAttempts) {
    // The supplied control file is empty or bad, create a fresh one.
    VPrintf(V,
            "MERGE-OUTER: "
            "%zd files, %zd in the initial corpus, %zd processed earlier\n",
            OldCorpus.size() + NewCorpus.size(), OldCorpus.size(),
            KnownFiles.size());
    NumAttempts = WriteNewControlFile(CFPath, OldCorpus, NewCorpus, KnownFiles);
  }
  // Execute the inner process until it passes.
  // Every inner process should execute at least one input.
  Command BaseCmd(Args);
  BaseCmd.removeFlag("merge");
  BaseCmd.removeFlag("fork");
  BaseCmd.removeFlag("collect_data_flow");
  for (size_t Attempt = 1; Attempt <= NumAttempts; Attempt++) {
    Fuzzer::MaybeExitGracefully();
    VPrintf(V, "MERGE-OUTER: attempt %zd\n", Attempt);
    Command Cmd(BaseCmd);
    Cmd.addFlag("merge_control_file", CFPath);
    Cmd.addFlag("merge_inner", "1");
    if (!V) {
      Cmd.setOutputFile(getDevNull());
      Cmd.combineOutAndErr();
    }
    auto ExitCode = ExecuteCommand(Cmd);
    if (!ExitCode) {
      VPrintf(V, "MERGE-OUTER: succesfull in %zd attempt(s)\n", Attempt);
      break;
    }
  }
  // Read the control file and do the merge.
  Merger        M;
  std::ifstream IF(CFPath);
  IF.seekg(0, IF.end);
  VPrintf(V, "MERGE-OUTER: the control file has %zd bytes\n",
          (size_t)IF.tellg());
  IF.seekg(0, IF.beg);
  M.ParseOrExit(IF, true);
  IF.close();
  VPrintf(V,
          "MERGE-OUTER: consumed %zdMb (%zdMb rss) to parse the control file\n",
          M.ApproximateMemoryConsumption() >> 20, GetPeakRSSMb());
  M.Files.insert(M.Files.end(), KnownFiles.begin(), KnownFiles.end());
  M.Merge(InitialFeatures, NewFeatures, InitialCov, NewCov, NewFiles);
  VPrintf(V,
          "MERGE-OUTER: %zd new files with %zd new features added; "
          "%zd new coverage edges\n",
          NewFiles->size(), NewFeatures->size(), NewCov->size());
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerMerge.h
+++ b/custom_mutators/libfuzzer/FuzzerMerge.h
@ -0,0 +1,87 @@
 //===- FuzzerMerge.h - merging corpa ----------------------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Merging Corpora.
 //
 // The task:
 //   Take the existing corpus (possibly empty) and merge new inputs into
 //   it so that only inputs with new coverage ('features') are added.
 //   The process should tolerate the crashes, OOMs, leaks, etc.
 //
 // Algorithm:
 //   The outer process collects the set of files and writes their names
 //   into a temporary "control" file, then repeatedly launches the inner
 //   process until all inputs are processed.
 //   The outer process does not actually execute the target code.
 //
 //   The inner process reads the control file and sees a) list of all the inputs
 //   and b) the last processed input. Then it starts processing the inputs one
 //   by one. Before processing every input it writes one line to control file:
 //   STARTED INPUT_ID INPUT_SIZE
 //   After processing an input it writes the following lines:
 //   FT INPUT_ID Feature1 Feature2 Feature3 ...
 //   COV INPUT_ID Coverage1 Coverage2 Coverage3 ...
 //   If a crash happens while processing an input the last line in the control
 //   file will be "STARTED INPUT_ID" and so the next process will know
 //   where to resume.
 //
 //   Once all inputs are processed by the inner process(es) the outer process
 //   reads the control files and does the merge based entirely on the contents
 //   of control file.
 //   It uses a single pass greedy algorithm choosing first the smallest inputs
 //   within the same size the inputs that have more new features.
 //
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_MERGE_H
 #define LLVM_FUZZER_MERGE_H
 #include "FuzzerDefs.h"
 #include <istream>
 #include <ostream>
 #include <set>
 #include <vector>
 namespace fuzzer {
 struct MergeFileInfo {
  std::string Name;
  size_t Size = 0;
  Vector<uint32_t> Features, Cov;
 };
 struct Merger {
  Vector<MergeFileInfo> Files;
  size_t NumFilesInFirstCorpus = 0;
  size_t FirstNotProcessedFile = 0;
  std::string LastFailure;
  bool Parse(std::istream &IS, bool ParseCoverage);
  bool Parse(const std::string &Str, bool ParseCoverage);
  void ParseOrExit(std::istream &IS, bool ParseCoverage);
  size_t Merge(const Set<uint32_t> &InitialFeatures, Set<uint32_t> *NewFeatures,
               const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
               Vector<std::string> *NewFiles);
  size_t ApproximateMemoryConsumption() const;
  Set<uint32_t> AllFeatures() const;
 };
 void CrashResistantMerge(const Vector<std::string> &Args,
                         const Vector<SizedFile> &OldCorpus,
                         const Vector<SizedFile> &NewCorpus,
                         Vector<std::string> *NewFiles,
                         const Set<uint32_t> &InitialFeatures,
                         Set<uint32_t> *NewFeatures,
                         const Set<uint32_t> &InitialCov,
                         Set<uint32_t> *NewCov,
                         const std::string &CFPath,
                         bool Verbose);
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_MERGE_H
--- a/custom_mutators/libfuzzer/FuzzerMutate.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMutate.cpp
@ -0,0 +1,747 @@
 //===- FuzzerMutate.cpp - Mutate a test input -----------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Mutate a test input.
 //===----------------------------------------------------------------------===//
 #include "FuzzerDefs.h"
 #include "FuzzerExtFunctions.h"
 #include "FuzzerIO.h"
 #include "FuzzerMutate.h"
 #include "FuzzerOptions.h"
 #include "FuzzerTracePC.h"
 #include <random>
 #include <chrono>
 namespace fuzzer {
 const size_t        Dictionary::kMaxDictSize;
 static const size_t kMaxMutationsToPrint = 10;
 static void PrintASCII(const Word &W, const char *PrintAfter) {
  PrintASCII(W.data(), W.size(), PrintAfter);
 }
 MutationDispatcher::MutationDispatcher(Random &              Rand,
                                       const FuzzingOptions &Options)
    : Rand(Rand), Options(Options) {
  DefaultMutators.insert(
      DefaultMutators.begin(),
      {
          {&MutationDispatcher::Mutate_EraseBytes, "EraseBytes"},
          {&MutationDispatcher::Mutate_InsertByte, "InsertByte"},
          {&MutationDispatcher::Mutate_InsertRepeatedBytes,
           "InsertRepeatedBytes"},
          {&MutationDispatcher::Mutate_ChangeByte, "ChangeByte"},
          {&MutationDispatcher::Mutate_ChangeBit, "ChangeBit"},
          {&MutationDispatcher::Mutate_ShuffleBytes, "ShuffleBytes"},
          {&MutationDispatcher::Mutate_ChangeASCIIInteger, "ChangeASCIIInt"},
          {&MutationDispatcher::Mutate_ChangeBinaryInteger, "ChangeBinInt"},
          {&MutationDispatcher::Mutate_CopyPart, "CopyPart"},
          {&MutationDispatcher::Mutate_CrossOver, "CrossOver"},
          {&MutationDispatcher::Mutate_AddWordFromManualDictionary,
           "ManualDict"},
          {&MutationDispatcher::Mutate_AddWordFromPersistentAutoDictionary,
           "PersAutoDict"},
      });
  if (Options.UseCmp)
    DefaultMutators.push_back(
        {&MutationDispatcher::Mutate_AddWordFromTORC, "CMP"});
  if (EF->LLVMFuzzerCustomMutator)
    Mutators.push_back({&MutationDispatcher::Mutate_Custom, "Custom"});
  else
    Mutators = DefaultMutators;
  if (EF->LLVMFuzzerCustomCrossOver)
    Mutators.push_back(
        {&MutationDispatcher::Mutate_CustomCrossOver, "CustomCrossOver"});
 }
 static char RandCh(Random &Rand) {
  if (Rand.RandBool()) return Rand(256);
  const char Special[] = "!*'();:@&=+$,/?%#[]012Az-`~.\xff\x00";
  return Special[Rand(sizeof(Special) - 1)];
 }
 size_t MutationDispatcher::Mutate_Custom(uint8_t *Data, size_t Size,
                                         size_t MaxSize) {
  return EF->LLVMFuzzerCustomMutator(Data, Size, MaxSize, Rand.Rand());
 }
 size_t MutationDispatcher::Mutate_CustomCrossOver(uint8_t *Data, size_t Size,
                                                  size_t MaxSize) {
  if (Size == 0) return 0;
  if (!CrossOverWith) return 0;
  const Unit &Other = *CrossOverWith;
  if (Other.empty()) return 0;
  CustomCrossOverInPlaceHere.resize(MaxSize);
  auto & U = CustomCrossOverInPlaceHere;
  size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
      Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
  if (!NewSize) return 0;
  assert(NewSize <= MaxSize && "CustomCrossOver returned overisized unit");
  memcpy(Data, U.data(), NewSize);
  return NewSize;
 }
 size_t MutationDispatcher::Mutate_ShuffleBytes(uint8_t *Data, size_t Size,
                                               size_t MaxSize) {
  if (Size > MaxSize || Size == 0) return 0;
  size_t ShuffleAmount =
      Rand(std::min(Size, (size_t)8)) + 1;  // [1,8] and <= Size.
  size_t ShuffleStart = Rand(Size - ShuffleAmount);
  assert(ShuffleStart + ShuffleAmount <= Size);
  unsigned num = std::chrono::system_clock::now().time_since_epoch().count();
  std::shuffle(Data + ShuffleStart, Data + ShuffleStart + ShuffleAmount, std::default_random_engine(num));
  //std::shuffle(Data + ShuffleStart, Data + ShuffleStart + ShuffleAmount, Rand);
  return Size;
 }
 size_t MutationDispatcher::Mutate_EraseBytes(uint8_t *Data, size_t Size,
                                             size_t MaxSize) {
  if (Size <= 1) return 0;
  size_t N = Rand(Size / 2) + 1;
  assert(N < Size);
  size_t Idx = Rand(Size - N + 1);
  // Erase Data[Idx:Idx+N].
  memmove(Data + Idx, Data + Idx + N, Size - Idx - N);
  // Printf("Erase: %zd %zd => %zd; Idx %zd\n", N, Size, Size - N, Idx);
  return Size - N;
 }
 size_t MutationDispatcher::Mutate_InsertByte(uint8_t *Data, size_t Size,
                                             size_t MaxSize) {
  if (Size >= MaxSize) return 0;
  size_t Idx = Rand(Size + 1);
  // Insert new value at Data[Idx].
  memmove(Data + Idx + 1, Data + Idx, Size - Idx);
  Data[Idx] = RandCh(Rand);
  return Size + 1;
 }
 size_t MutationDispatcher::Mutate_InsertRepeatedBytes(uint8_t *Data,
                                                      size_t   Size,
                                                      size_t   MaxSize) {
  const size_t kMinBytesToInsert = 3;
  if (Size + kMinBytesToInsert >= MaxSize) return 0;
  size_t MaxBytesToInsert = std::min(MaxSize - Size, (size_t)128);
  size_t N = Rand(MaxBytesToInsert - kMinBytesToInsert + 1) + kMinBytesToInsert;
  assert(Size + N <= MaxSize && N);
  size_t Idx = Rand(Size + 1);
  // Insert new values at Data[Idx].
  memmove(Data + Idx + N, Data + Idx, Size - Idx);
  // Give preference to 0x00 and 0xff.
  uint8_t Byte = Rand.RandBool() ? Rand(256) : (Rand.RandBool() ? 0 : 255);
  for (size_t i = 0; i < N; i++)
    Data[Idx + i] = Byte;
  return Size + N;
 }
 size_t MutationDispatcher::Mutate_ChangeByte(uint8_t *Data, size_t Size,
                                             size_t MaxSize) {
  if (Size > MaxSize) return 0;
  size_t Idx = Rand(Size);
  Data[Idx] = RandCh(Rand);
  return Size;
 }
 size_t MutationDispatcher::Mutate_ChangeBit(uint8_t *Data, size_t Size,
                                            size_t MaxSize) {
  if (Size > MaxSize) return 0;
  size_t Idx = Rand(Size);
  Data[Idx] ^= 1 << Rand(8);
  return Size;
 }
 size_t MutationDispatcher::Mutate_AddWordFromManualDictionary(uint8_t *Data,
                                                              size_t   Size,
                                                              size_t MaxSize) {
  return AddWordFromDictionary(ManualDictionary, Data, Size, MaxSize);
 }
 size_t MutationDispatcher::ApplyDictionaryEntry(uint8_t *Data, size_t Size,
                                                size_t           MaxSize,
                                                DictionaryEntry &DE) {
  const Word &W = DE.GetW();
  bool        UsePositionHint = DE.HasPositionHint() &&
                         DE.GetPositionHint() + W.size() < Size &&
                         Rand.RandBool();
  if (Rand.RandBool()) {  // Insert W.
    if (Size + W.size() > MaxSize) return 0;
    size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1);
    memmove(Data + Idx + W.size(), Data + Idx, Size - Idx);
    memcpy(Data + Idx, W.data(), W.size());
    Size += W.size();
  } else {  // Overwrite some bytes with W.
    if (W.size() > Size) return 0;
    size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
    memcpy(Data + Idx, W.data(), W.size());
  }
  return Size;
 }
 // Somewhere in the past we have observed a comparison instructions
 // with arguments Arg1 Arg2. This function tries to guess a dictionary
 // entry that will satisfy that comparison.
 // It first tries to find one of the arguments (possibly swapped) in the
 // input and if it succeeds it creates a DE with a position hint.
 // Otherwise it creates a DE with one of the arguments w/o a position hint.
 DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
    const void *Arg1, const void *Arg2, const void *Arg1Mutation,
    const void *Arg2Mutation, size_t ArgSize, const uint8_t *Data,
    size_t Size) {
  bool           HandleFirst = Rand.RandBool();
  const void *   ExistingBytes, *DesiredBytes;
  Word           W;
  const uint8_t *End = Data + Size;
  for (int Arg = 0; Arg < 2; Arg++) {
    ExistingBytes = HandleFirst ? Arg1 : Arg2;
    DesiredBytes = HandleFirst ? Arg2Mutation : Arg1Mutation;
    HandleFirst = !HandleFirst;
    W.Set(reinterpret_cast<const uint8_t *>(DesiredBytes), ArgSize);
    const size_t kMaxNumPositions = 8;
    size_t       Positions[kMaxNumPositions];
    size_t       NumPositions = 0;
    for (const uint8_t *Cur = Data;
         Cur < End && NumPositions < kMaxNumPositions; Cur++) {
      Cur =
          (const uint8_t *)SearchMemory(Cur, End - Cur, ExistingBytes, ArgSize);
      if (!Cur) break;
      Positions[NumPositions++] = Cur - Data;
    }
    if (!NumPositions) continue;
    return DictionaryEntry(W, Positions[Rand(NumPositions)]);
  }
  DictionaryEntry DE(W);
  return DE;
 }
 template <class T>
 DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
    T Arg1, T Arg2, const uint8_t *Data, size_t Size) {
  if (Rand.RandBool()) Arg1 = Bswap(Arg1);
  if (Rand.RandBool()) Arg2 = Bswap(Arg2);
  T Arg1Mutation = Arg1 + Rand(-1, 1);
  T Arg2Mutation = Arg2 + Rand(-1, 1);
  return MakeDictionaryEntryFromCMP(&Arg1, &Arg2, &Arg1Mutation, &Arg2Mutation,
                                    sizeof(Arg1), Data, Size);
 }
 DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
    const Word &Arg1, const Word &Arg2, const uint8_t *Data, size_t Size) {
  return MakeDictionaryEntryFromCMP(Arg1.data(), Arg2.data(), Arg1.data(),
                                    Arg2.data(), Arg1.size(), Data, Size);
 }
 size_t MutationDispatcher::Mutate_AddWordFromTORC(uint8_t *Data, size_t Size,
                                                  size_t MaxSize) {
  Word            W;
  DictionaryEntry DE;
  switch (Rand(4)) {
    case 0: {
      auto X = TPC.TORC8.Get(Rand.Rand());
      DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
    } break;
    case 1: {
      auto X = TPC.TORC4.Get(Rand.Rand());
      if ((X.A >> 16) == 0 && (X.B >> 16) == 0 && Rand.RandBool())
        DE = MakeDictionaryEntryFromCMP((uint16_t)X.A, (uint16_t)X.B, Data,
                                        Size);
      else
        DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
    } break;
    case 2: {
      auto X = TPC.TORCW.Get(Rand.Rand());
      DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
    } break;
    case 3:
      if (Options.UseMemmem) {
        auto X = TPC.MMT.Get(Rand.Rand());
        DE = DictionaryEntry(X);
      }
      break;
    default:
      assert(0);
  }
  if (!DE.GetW().size()) return 0;
  Size = ApplyDictionaryEntry(Data, Size, MaxSize, DE);
  if (!Size) return 0;
  DictionaryEntry &DERef =
      CmpDictionaryEntriesDeque[CmpDictionaryEntriesDequeIdx++ %
                                kCmpDictionaryEntriesDequeSize];
  DERef = DE;
  CurrentDictionaryEntrySequence.push_back(&DERef);
  return Size;
 }
 size_t MutationDispatcher::Mutate_AddWordFromPersistentAutoDictionary(
    uint8_t *Data, size_t Size, size_t MaxSize) {
  return AddWordFromDictionary(PersistentAutoDictionary, Data, Size, MaxSize);
 }
 size_t MutationDispatcher::AddWordFromDictionary(Dictionary &D, uint8_t *Data,
                                                 size_t Size, size_t MaxSize) {
  if (Size > MaxSize) return 0;
  if (D.empty()) return 0;
  DictionaryEntry &DE = D[Rand(D.size())];
  Size = ApplyDictionaryEntry(Data, Size, MaxSize, DE);
  if (!Size) return 0;
  DE.IncUseCount();
  CurrentDictionaryEntrySequence.push_back(&DE);
  return Size;
 }
 // Overwrites part of To[0,ToSize) with a part of From[0,FromSize).
 // Returns ToSize.
 size_t MutationDispatcher::CopyPartOf(const uint8_t *From, size_t FromSize,
                                      uint8_t *To, size_t ToSize) {
  // Copy From[FromBeg, FromBeg + CopySize) into To[ToBeg, ToBeg + CopySize).
  size_t ToBeg = Rand(ToSize);
  size_t CopySize = Rand(ToSize - ToBeg) + 1;
  assert(ToBeg + CopySize <= ToSize);
  CopySize = std::min(CopySize, FromSize);
  size_t FromBeg = Rand(FromSize - CopySize + 1);
  assert(FromBeg + CopySize <= FromSize);
  memmove(To + ToBeg, From + FromBeg, CopySize);
  return ToSize;
 }
 // Inserts part of From[0,ToSize) into To.
 // Returns new size of To on success or 0 on failure.
 size_t MutationDispatcher::InsertPartOf(const uint8_t *From, size_t FromSize,
                                        uint8_t *To, size_t ToSize,
                                        size_t MaxToSize) {
  if (ToSize >= MaxToSize) return 0;
  size_t AvailableSpace = MaxToSize - ToSize;
  size_t MaxCopySize = std::min(AvailableSpace, FromSize);
  size_t CopySize = Rand(MaxCopySize) + 1;
  size_t FromBeg = Rand(FromSize - CopySize + 1);
  assert(FromBeg + CopySize <= FromSize);
  size_t ToInsertPos = Rand(ToSize + 1);
  assert(ToInsertPos + CopySize <= MaxToSize);
  size_t TailSize = ToSize - ToInsertPos;
  if (To == From) {
    MutateInPlaceHere.resize(MaxToSize);
    memcpy(MutateInPlaceHere.data(), From + FromBeg, CopySize);
    memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
    memmove(To + ToInsertPos, MutateInPlaceHere.data(), CopySize);
  } else {
    memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
    memmove(To + ToInsertPos, From + FromBeg, CopySize);
  }
  return ToSize + CopySize;
 }
 size_t MutationDispatcher::Mutate_CopyPart(uint8_t *Data, size_t Size,
                                           size_t MaxSize) {
  if (Size > MaxSize || Size == 0) return 0;
  // If Size == MaxSize, `InsertPartOf(...)` will
  // fail so there's no point using it in this case.
  if (Size == MaxSize || Rand.RandBool())
    return CopyPartOf(Data, Size, Data, Size);
  else
    return InsertPartOf(Data, Size, Data, Size, MaxSize);
 }
 size_t MutationDispatcher::Mutate_ChangeASCIIInteger(uint8_t *Data, size_t Size,
                                                     size_t MaxSize) {
  if (Size > MaxSize) return 0;
  size_t B = Rand(Size);
  while (B < Size && !isdigit(Data[B]))
    B++;
  if (B == Size) return 0;
  size_t E = B;
  while (E < Size && isdigit(Data[E]))
    E++;
  assert(B < E);
  // now we have digits in [B, E).
  // strtol and friends don't accept non-zero-teminated data, parse it manually.
  uint64_t Val = Data[B] - '0';
  for (size_t i = B + 1; i < E; i++)
    Val = Val * 10 + Data[i] - '0';
  // Mutate the integer value.
  switch (Rand(5)) {
    case 0:
      Val++;
      break;
    case 1:
      Val--;
      break;
    case 2:
      Val /= 2;
      break;
    case 3:
      Val *= 2;
      break;
    case 4:
      Val = Rand(Val * Val);
      break;
    default:
      assert(0);
  }
  // Just replace the bytes with the new ones, don't bother moving bytes.
  for (size_t i = B; i < E; i++) {
    size_t Idx = E + B - i - 1;
    assert(Idx >= B && Idx < E);
    Data[Idx] = (Val % 10) + '0';
    Val /= 10;
  }
  return Size;
 }
 template <class T>
 size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
  if (Size < sizeof(T)) return 0;
  size_t Off = Rand(Size - sizeof(T) + 1);
  assert(Off + sizeof(T) <= Size);
  T Val;
  if (Off < 64 && !Rand(4)) {
    Val = Size;
    if (Rand.RandBool()) Val = Bswap(Val);
  } else {
    memcpy(&Val, Data + Off, sizeof(Val));
    T Add = Rand(21);
    Add -= 10;
    if (Rand.RandBool())
      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endiannes.
    else
      Val = Val + Add;                // Add assuming current endiannes.
    if (Add == 0 || Rand.RandBool())  // Maybe negate.
      Val = -Val;
  }
  memcpy(Data + Off, &Val, sizeof(Val));
  return Size;
 }
 size_t MutationDispatcher::Mutate_ChangeBinaryInteger(uint8_t *Data,
                                                      size_t   Size,
                                                      size_t   MaxSize) {
  if (Size > MaxSize) return 0;
  switch (Rand(4)) {
    case 3:
      return ChangeBinaryInteger<uint64_t>(Data, Size, Rand);
    case 2:
      return ChangeBinaryInteger<uint32_t>(Data, Size, Rand);
    case 1:
      return ChangeBinaryInteger<uint16_t>(Data, Size, Rand);
    case 0:
      return ChangeBinaryInteger<uint8_t>(Data, Size, Rand);
    default:
      assert(0);
  }
  return 0;
 }
 size_t MutationDispatcher::Mutate_CrossOver(uint8_t *Data, size_t Size,
                                            size_t MaxSize) {
  if (Size > MaxSize) return 0;
  if (Size == 0) return 0;
  if (!CrossOverWith) return 0;
  const Unit &O = *CrossOverWith;
  if (O.empty()) return 0;
  size_t NewSize = 0;
  switch (Rand(3)) {
    case 0:
      MutateInPlaceHere.resize(MaxSize);
      NewSize = CrossOver(Data, Size, O.data(), O.size(),
                          MutateInPlaceHere.data(), MaxSize);
      memcpy(Data, MutateInPlaceHere.data(), NewSize);
      break;
    case 1:
      NewSize = InsertPartOf(O.data(), O.size(), Data, Size, MaxSize);
      if (!NewSize) NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
      break;
    case 2:
      NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
      break;
    default:
      assert(0);
  }
  assert(NewSize > 0 && "CrossOver returned empty unit");
  assert(NewSize <= MaxSize && "CrossOver returned overisized unit");
  return NewSize;
 }
 void MutationDispatcher::StartMutationSequence() {
  CurrentMutatorSequence.clear();
  CurrentDictionaryEntrySequence.clear();
 }
 // Copy successful dictionary entries to PersistentAutoDictionary.
 void MutationDispatcher::RecordSuccessfulMutationSequence() {
  for (auto DE : CurrentDictionaryEntrySequence) {
    // PersistentAutoDictionary.AddWithSuccessCountOne(DE);
    DE->IncSuccessCount();
    assert(DE->GetW().size());
    // Linear search is fine here as this happens seldom.
    if (!PersistentAutoDictionary.ContainsWord(DE->GetW()))
      PersistentAutoDictionary.push_back({DE->GetW(), 1});
  }
 }
 void MutationDispatcher::PrintRecommendedDictionary() {
  Vector<DictionaryEntry> V;
  for (auto &DE : PersistentAutoDictionary)
    if (!ManualDictionary.ContainsWord(DE.GetW())) V.push_back(DE);
  if (V.empty()) return;
  Printf("###### Recommended dictionary. ######\n");
  for (auto &DE : V) {
    assert(DE.GetW().size());
    Printf("\"");
    PrintASCII(DE.GetW(), "\"");
    Printf(" # Uses: %zd\n", DE.GetUseCount());
  }
  Printf("###### End of recommended dictionary. ######\n");
 }
 const char *MutationDispatcher::WriteMutationSequence() {
  static std::string buf;
  buf = "";
  for (size_t i = 0; i < CurrentMutatorSequence.size(); i++) {
    buf = buf + " " + CurrentMutatorSequence[i].Name;
  }
  return buf.c_str();
 }
 void MutationDispatcher::PrintMutationSequence(bool Verbose) {
  return;
  Printf("MS: %zd ", CurrentMutatorSequence.size());
  size_t EntriesToPrint =
      Verbose ? CurrentMutatorSequence.size()
              : std::min(kMaxMutationsToPrint, CurrentMutatorSequence.size());
  for (size_t i = 0; i < EntriesToPrint; i++)
    Printf("%s-", CurrentMutatorSequence[i].Name);
  if (!CurrentDictionaryEntrySequence.empty()) {
    Printf(" DE: ");
    EntriesToPrint = Verbose ? CurrentDictionaryEntrySequence.size()
                             : std::min(kMaxMutationsToPrint,
                                        CurrentDictionaryEntrySequence.size());
    for (size_t i = 0; i < EntriesToPrint; i++) {
      Printf("\"");
      PrintASCII(CurrentDictionaryEntrySequence[i]->GetW(), "\"-");
    }
  }
 }
 std::string MutationDispatcher::MutationSequence() {
  std::string MS;
  for (auto M : CurrentMutatorSequence) {
    MS += M.Name;
    MS += "-";
  }
  return MS;
 }
 size_t MutationDispatcher::Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
  return MutateImpl(Data, Size, MaxSize, Mutators);
 }
 size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size,
                                         size_t MaxSize) {
  return MutateImpl(Data, Size, MaxSize, DefaultMutators);
 }
 // Mutates Data in place, returns new size.
 size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,
                                      size_t           MaxSize,
                                      Vector<Mutator> &Mutators) {
  assert(MaxSize > 0);
  // Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
  // in which case they will return 0.
  // Try several times before returning un-mutated data.
  for (int Iter = 0; Iter < 100; Iter++) {
    auto   M = Mutators[Rand(Mutators.size())];
    size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize);
    if (NewSize && NewSize <= MaxSize) {
      if (Options.OnlyASCII) ToASCII(Data, NewSize);
      CurrentMutatorSequence.push_back(M);
      return NewSize;
    }
  }
  *Data = ' ';
  return 1;  // Fallback, should not happen frequently.
 }
 // Mask represents the set of Data bytes that are worth mutating.
 size_t MutationDispatcher::MutateWithMask(uint8_t *Data, size_t Size,
                                          size_t                 MaxSize,
                                          const Vector<uint8_t> &Mask) {
  size_t MaskedSize = std::min(Size, Mask.size());
  // * Copy the worthy bytes into a temporary array T
  // * Mutate T
  // * Copy T back.
  // This is totally unoptimized.
  auto &T = MutateWithMaskTemp;
  if (T.size() < Size) T.resize(Size);
  size_t OneBits = 0;
  for (size_t I = 0; I < MaskedSize; I++)
    if (Mask[I]) T[OneBits++] = Data[I];
  if (!OneBits) return 0;
  assert(!T.empty());
  size_t NewSize = Mutate(T.data(), OneBits, OneBits);
  assert(NewSize <= OneBits);
  (void)NewSize;
  // Even if NewSize < OneBits we still use all OneBits bytes.
  for (size_t I = 0, J = 0; I < MaskedSize; I++)
    if (Mask[I]) Data[I] = T[J++];
  return Size;
 }
 void MutationDispatcher::AddWordToManualDictionary(const Word &W) {
  ManualDictionary.push_back({W, std::numeric_limits<size_t>::max()});
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerMutate.h
+++ b/custom_mutators/libfuzzer/FuzzerMutate.h
@ -0,0 +1,160 @@
 //===- FuzzerMutate.h - Internal header for the Fuzzer ----------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::MutationDispatcher
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_MUTATE_H
 #define LLVM_FUZZER_MUTATE_H
 #include "FuzzerDefs.h"
 #include "FuzzerDictionary.h"
 #include "FuzzerOptions.h"
 #include "FuzzerRandom.h"
 namespace fuzzer {
 class MutationDispatcher {
 public:
  MutationDispatcher(Random &Rand, const FuzzingOptions &Options);
  ~MutationDispatcher() {}
  /// Indicate that we are about to start a new sequence of mutations.
  void StartMutationSequence();
  /// Print the current sequence of mutations. Only prints the full sequence
  /// when Verbose is true.
  const char *WriteMutationSequence();
  void PrintMutationSequence(bool Verbose = true);
  /// Return the current sequence of mutations.
  std::string MutationSequence();
  /// Indicate that the current sequence of mutations was successful.
  void RecordSuccessfulMutationSequence();
  /// Mutates data by invoking user-provided mutator.
  size_t Mutate_Custom(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by invoking user-provided crossover.
  size_t Mutate_CustomCrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by shuffling bytes.
  size_t Mutate_ShuffleBytes(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by erasing bytes.
  size_t Mutate_EraseBytes(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by inserting a byte.
  size_t Mutate_InsertByte(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by inserting several repeated bytes.
  size_t Mutate_InsertRepeatedBytes(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by chanding one byte.
  size_t Mutate_ChangeByte(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by chanding one bit.
  size_t Mutate_ChangeBit(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by copying/inserting a part of data into a different place.
  size_t Mutate_CopyPart(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by adding a word from the manual dictionary.
  size_t Mutate_AddWordFromManualDictionary(uint8_t *Data, size_t Size,
                                            size_t MaxSize);
  /// Mutates data by adding a word from the TORC.
  size_t Mutate_AddWordFromTORC(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Mutates data by adding a word from the persistent automatic dictionary.
  size_t Mutate_AddWordFromPersistentAutoDictionary(uint8_t *Data, size_t Size,
                                                    size_t MaxSize);
  /// Tries to find an ASCII integer in Data, changes it to another ASCII int.
  size_t Mutate_ChangeASCIIInteger(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Change a 1-, 2-, 4-, or 8-byte integer in interesting ways.
  size_t Mutate_ChangeBinaryInteger(uint8_t *Data, size_t Size, size_t MaxSize);
  /// CrossOver Data with CrossOverWith.
  size_t Mutate_CrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Applies one of the configured mutations.
  /// Returns the new size of data which could be up to MaxSize.
  size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Applies one of the configured mutations to the bytes of Data
  /// that have '1' in Mask.
  /// Mask.size() should be >= Size.
  size_t MutateWithMask(uint8_t *Data, size_t Size, size_t MaxSize,
                        const Vector<uint8_t> &Mask);
  /// Applies one of the default mutations. Provided as a service
  /// to mutation authors.
  size_t DefaultMutate(uint8_t *Data, size_t Size, size_t MaxSize);
  /// Creates a cross-over of two pieces of Data, returns its size.
  size_t CrossOver(const uint8_t *Data1, size_t Size1, const uint8_t *Data2,
                   size_t Size2, uint8_t *Out, size_t MaxOutSize);
  void AddWordToManualDictionary(const Word &W);
  void PrintRecommendedDictionary();
  void SetCrossOverWith(const Unit *U) { CrossOverWith = U; }
  Random &GetRand() { return Rand; }
 private:
  struct Mutator {
    size_t (MutationDispatcher::*Fn)(uint8_t *Data, size_t Size, size_t Max);
    const char *Name;
  };
  size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,
                               size_t MaxSize);
  size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,
                    Vector<Mutator> &Mutators);
  size_t InsertPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
                      size_t ToSize, size_t MaxToSize);
  size_t CopyPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
                    size_t ToSize);
  size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize,
                              DictionaryEntry &DE);
  template <class T>
  DictionaryEntry MakeDictionaryEntryFromCMP(T Arg1, T Arg2,
                                             const uint8_t *Data, size_t Size);
  DictionaryEntry MakeDictionaryEntryFromCMP(const Word &Arg1, const Word &Arg2,
                                             const uint8_t *Data, size_t Size);
  DictionaryEntry MakeDictionaryEntryFromCMP(const void *Arg1, const void *Arg2,
                                             const void *Arg1Mutation,
                                             const void *Arg2Mutation,
                                             size_t ArgSize,
                                             const uint8_t *Data, size_t Size);
  Random &Rand;
  const FuzzingOptions Options;
  // Dictionary provided by the user via -dict=DICT_FILE.
  Dictionary ManualDictionary;
  // Temporary dictionary modified by the fuzzer itself,
  // recreated periodically.
  Dictionary TempAutoDictionary;
  // Persistent dictionary modified by the fuzzer, consists of
  // entries that led to successful discoveries in the past mutations.
  Dictionary PersistentAutoDictionary;
  Vector<DictionaryEntry *> CurrentDictionaryEntrySequence;
  static const size_t kCmpDictionaryEntriesDequeSize = 16;
  DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize];
  size_t CmpDictionaryEntriesDequeIdx = 0;
  const Unit *CrossOverWith = nullptr;
  Vector<uint8_t> MutateInPlaceHere;
  Vector<uint8_t> MutateWithMaskTemp;
  // CustomCrossOver needs its own buffer as a custom implementation may call
  // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
  Vector<uint8_t> CustomCrossOverInPlaceHere;
  Vector<Mutator> Mutators;
  Vector<Mutator> DefaultMutators;
  Vector<Mutator> CurrentMutatorSequence;
 };
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_MUTATE_H
--- a/custom_mutators/libfuzzer/FuzzerOptions.h
+++ b/custom_mutators/libfuzzer/FuzzerOptions.h
@ -0,0 +1,90 @@
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::FuzzingOptions
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_OPTIONS_H
 #define LLVM_FUZZER_OPTIONS_H
 #include "FuzzerDefs.h"
 namespace fuzzer {
 struct FuzzingOptions {
  int Verbosity = 1;
  size_t MaxLen = 0;
  size_t LenControl = 1000;
  bool KeepSeed = false;
  int UnitTimeoutSec = 300;
  int TimeoutExitCode = 70;
  int OOMExitCode = 71;
  int InterruptExitCode = 72;
  int ErrorExitCode = 77;
  bool IgnoreTimeouts = true;
  bool IgnoreOOMs = true;
  bool IgnoreCrashes = false;
  int MaxTotalTimeSec = 0;
  int RssLimitMb = 0;
  int MallocLimitMb = 0;
  bool DoCrossOver = true;
  bool CrossOverUniformDist = false;
  int MutateDepth = 5;
  bool ReduceDepth = false;
  bool UseCounters = false;
  bool UseMemmem = true;
  bool UseCmp = false;
  int UseValueProfile = false;
  bool Shrink = false;
  bool ReduceInputs = false;
  int ReloadIntervalSec = 1;
  bool ShuffleAtStartUp = true;
  bool PreferSmall = true;
  size_t MaxNumberOfRuns = -1L;
  int ReportSlowUnits = 10;
  bool OnlyASCII = false;
  bool Entropic = true;
  size_t EntropicFeatureFrequencyThreshold = 0xFF;
  size_t EntropicNumberOfRarestFeatures = 100;
  bool EntropicScalePerExecTime = false;
  std::string OutputCorpus;
  std::string ArtifactPrefix = "./";
  std::string ExactArtifactPath;
  std::string ExitOnSrcPos;
  std::string ExitOnItem;
  std::string FocusFunction;
  std::string DataFlowTrace;
  std::string CollectDataFlow;
  std::string FeaturesDir;
  std::string MutationGraphFile;
  std::string StopFile;
  bool SaveArtifacts = true;
  bool PrintNEW = true; // Print a status line when new units are found;
  bool PrintNewCovPcs = false;
  int PrintNewCovFuncs = 0;
  bool PrintFinalStats = false;
  bool PrintCorpusStats = false;
  bool PrintCoverage = false;
  bool DumpCoverage = false;
  bool DetectLeaks = true;
  int PurgeAllocatorIntervalSec = 1;
  int  TraceMalloc = 0;
  bool HandleAbrt = false;
  bool HandleAlrm = false;
  bool HandleBus = false;
  bool HandleFpe = false;
  bool HandleIll = false;
  bool HandleInt = false;
  bool HandleSegv = false;
  bool HandleTerm = false;
  bool HandleXfsz = false;
  bool HandleUsr1 = false;
  bool HandleUsr2 = false;
 };
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_OPTIONS_H
--- a/custom_mutators/libfuzzer/FuzzerPlatform.h
+++ b/custom_mutators/libfuzzer/FuzzerPlatform.h
@ -0,0 +1,163 @@
 //===-- FuzzerPlatform.h --------------------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Common platform macros.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_PLATFORM_H
 #define LLVM_FUZZER_PLATFORM_H
 // Platform detection.
 #ifdef __linux__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 1
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __APPLE__
 #define LIBFUZZER_APPLE 1
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __NetBSD__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 1
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __FreeBSD__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 1
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __OpenBSD__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 1
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif _WIN32
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 1
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __Fuchsia__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 1
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 0
 #elif __EMSCRIPTEN__
 #define LIBFUZZER_APPLE 0
 #define LIBFUZZER_FUCHSIA 0
 #define LIBFUZZER_LINUX 0
 #define LIBFUZZER_NETBSD 0
 #define LIBFUZZER_FREEBSD 0
 #define LIBFUZZER_OPENBSD 0
 #define LIBFUZZER_WINDOWS 0
 #define LIBFUZZER_EMSCRIPTEN 1
 #else
 #error "Support for your platform has not been implemented"
 #endif
 #if defined(_MSC_VER) && !defined(__clang__)
 // MSVC compiler is being used.
 #define LIBFUZZER_MSVC 1
 #else
 #define LIBFUZZER_MSVC 0
 #endif
 #ifndef __has_attribute
 #define __has_attribute(x) 0
 #endif
 #define LIBFUZZER_POSIX                                                        \
  (LIBFUZZER_APPLE || LIBFUZZER_LINUX || LIBFUZZER_NETBSD ||                   \
   LIBFUZZER_FREEBSD || LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN)
 #ifdef __x86_64
 #if __has_attribute(target)
 #define ATTRIBUTE_TARGET_POPCNT __attribute__((target("popcnt")))
 #else
 #define ATTRIBUTE_TARGET_POPCNT
 #endif
 #else
 #define ATTRIBUTE_TARGET_POPCNT
 #endif
 #ifdef __clang__ // avoid gcc warning.
 #if __has_attribute(no_sanitize)
 #define ATTRIBUTE_NO_SANITIZE_MEMORY __attribute__((no_sanitize("memory")))
 #else
 #define ATTRIBUTE_NO_SANITIZE_MEMORY
 #endif
 #define ALWAYS_INLINE __attribute__((always_inline))
 #else
 #define ATTRIBUTE_NO_SANITIZE_MEMORY
 #define ALWAYS_INLINE
 #endif // __clang__
 #if LIBFUZZER_WINDOWS
 #define ATTRIBUTE_NO_SANITIZE_ADDRESS
 #else
 #define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
 #endif
 #if LIBFUZZER_WINDOWS
 #define ATTRIBUTE_ALIGNED(X) __declspec(align(X))
 #define ATTRIBUTE_INTERFACE __declspec(dllexport)
 // This is used for __sancov_lowest_stack which is needed for
 // -fsanitize-coverage=stack-depth. That feature is not yet available on
 // Windows, so make the symbol static to avoid linking errors.
 #define ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC static
 #define ATTRIBUTE_NOINLINE __declspec(noinline)
 #else
 #define ATTRIBUTE_ALIGNED(X) __attribute__((aligned(X)))
 #define ATTRIBUTE_INTERFACE __attribute__((visibility("default")))
 #define ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC                                  \
  ATTRIBUTE_INTERFACE __attribute__((tls_model("initial-exec"))) thread_local
 #define ATTRIBUTE_NOINLINE __attribute__((noinline))
 #endif
 #if defined(__has_feature)
 #if __has_feature(address_sanitizer)
 #define ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ADDRESS
 #elif __has_feature(memory_sanitizer)
 #define ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_MEMORY
 #else
 #define ATTRIBUTE_NO_SANITIZE_ALL
 #endif
 #else
 #define ATTRIBUTE_NO_SANITIZE_ALL
 #endif
 #endif // LLVM_FUZZER_PLATFORM_H
--- a/custom_mutators/libfuzzer/FuzzerRandom.h
+++ b/custom_mutators/libfuzzer/FuzzerRandom.h
@ -0,0 +1,38 @@
 //===- FuzzerRandom.h - Internal header for the Fuzzer ----------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::Random
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_RANDOM_H
 #define LLVM_FUZZER_RANDOM_H
 #include <random>
 namespace fuzzer {
 class Random : public std::minstd_rand {
 public:
  explicit Random(unsigned int seed) : std::minstd_rand(seed) {}
  result_type operator()() { return this->std::minstd_rand::operator()(); }
  size_t Rand() { return this->operator()(); }
  size_t RandBool() { return Rand() % 2; }
  size_t SkewTowardsLast(size_t n) {
    size_t T = this->operator()(n * n);
    size_t Res = sqrt(T);
    return Res;
  }
  size_t operator()(size_t n) { return n ? Rand() % n : 0; }
  intptr_t operator()(intptr_t From, intptr_t To) {
    assert(From < To);
    intptr_t RangeSize = To - From + 1;
    return operator()(RangeSize) + From;
  }
 };
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_RANDOM_H
--- a/custom_mutators/libfuzzer/FuzzerSHA1.cpp
+++ b/custom_mutators/libfuzzer/FuzzerSHA1.cpp
@ -0,0 +1,269 @@
 //===- FuzzerSHA1.h - Private copy of the SHA1 implementation ---*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // This code is taken from public domain
 // (http://oauth.googlecode.com/svn/code/c/liboauth/src/sha1.c)
 // and modified by adding anonymous namespace, adding an interface
 // function fuzzer::ComputeSHA1() and removing unnecessary code.
 //
 // lib/Fuzzer can not use SHA1 implementation from openssl because
 // openssl may not be available and because we may be fuzzing openssl itself.
 // For the same reason we do not want to depend on SHA1 from LLVM tree.
 //===----------------------------------------------------------------------===//
 #include "FuzzerSHA1.h"
 #include "FuzzerDefs.h"
 #include "FuzzerPlatform.h"
 /* This code is public-domain - it is based on libcrypt
 * placed in the public domain by Wei Dai and other contributors.
 */
 #include <iomanip>
 #include <sstream>
 #include <stdint.h>
 #include <string.h>
 namespace {  // Added for LibFuzzer
 #ifdef __BIG_ENDIAN__
  #define SHA_BIG_ENDIAN
 // Windows is always little endian and MSVC doesn't have <endian.h>
 #elif defined __LITTLE_ENDIAN__ || LIBFUZZER_WINDOWS
 /* override */
 #elif defined __BYTE_ORDER
  #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
    #define SHA_BIG_ENDIAN
  #endif
 #else                  // ! defined __LITTLE_ENDIAN__
  #include <endian.h>  // machine/endian.h
  #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
    #define SHA_BIG_ENDIAN
  #endif
 #endif
 /* header */
 #define HASH_LENGTH 20
 #define BLOCK_LENGTH 64
 typedef struct sha1nfo {
  uint32_t buffer[BLOCK_LENGTH / 4];
  uint32_t state[HASH_LENGTH / 4];
  uint32_t byteCount;
  uint8_t  bufferOffset;
  uint8_t  keyBuffer[BLOCK_LENGTH];
  uint8_t  innerHash[HASH_LENGTH];
 } sha1nfo;
 /* public API - prototypes - TODO: doxygen*/
 /**
 */
 void sha1_init(sha1nfo *s);
 /**
 */
 void sha1_writebyte(sha1nfo *s, uint8_t data);
 /**
 */
 void sha1_write(sha1nfo *s, const char *data, size_t len);
 /**
 */
 uint8_t *sha1_result(sha1nfo *s);
 /* code */
 #define SHA1_K0 0x5a827999
 #define SHA1_K20 0x6ed9eba1
 #define SHA1_K40 0x8f1bbcdc
 #define SHA1_K60 0xca62c1d6
 void sha1_init(sha1nfo *s) {
  s->state[0] = 0x67452301;
  s->state[1] = 0xefcdab89;
  s->state[2] = 0x98badcfe;
  s->state[3] = 0x10325476;
  s->state[4] = 0xc3d2e1f0;
  s->byteCount = 0;
  s->bufferOffset = 0;
 }
 uint32_t sha1_rol32(uint32_t number, uint8_t bits) {
  return ((number << bits) | (number >> (32 - bits)));
 }
 void sha1_hashBlock(sha1nfo *s) {
  uint8_t  i;
  uint32_t a, b, c, d, e, t;
  a = s->state[0];
  b = s->state[1];
  c = s->state[2];
  d = s->state[3];
  e = s->state[4];
  for (i = 0; i < 80; i++) {
    if (i >= 16) {
      t = s->buffer[(i + 13) & 15] ^ s->buffer[(i + 8) & 15] ^
          s->buffer[(i + 2) & 15] ^ s->buffer[i & 15];
      s->buffer[i & 15] = sha1_rol32(t, 1);
    }
    if (i < 20) {
      t = (d ^ (b & (c ^ d))) + SHA1_K0;
    } else if (i < 40) {
      t = (b ^ c ^ d) + SHA1_K20;
    } else if (i < 60) {
      t = ((b & c) | (d & (b | c))) + SHA1_K40;
    } else {
      t = (b ^ c ^ d) + SHA1_K60;
    }
    t += sha1_rol32(a, 5) + e + s->buffer[i & 15];
    e = d;
    d = c;
    c = sha1_rol32(b, 30);
    b = a;
    a = t;
  }
  s->state[0] += a;
  s->state[1] += b;
  s->state[2] += c;
  s->state[3] += d;
  s->state[4] += e;
 }
 void sha1_addUncounted(sha1nfo *s, uint8_t data) {
  uint8_t *const b = (uint8_t *)s->buffer;
 #ifdef SHA_BIG_ENDIAN
  b[s->bufferOffset] = data;
 #else
  b[s->bufferOffset ^ 3] = data;
 #endif
  s->bufferOffset++;
  if (s->bufferOffset == BLOCK_LENGTH) {
    sha1_hashBlock(s);
    s->bufferOffset = 0;
  }
 }
 void sha1_writebyte(sha1nfo *s, uint8_t data) {
  ++s->byteCount;
  sha1_addUncounted(s, data);
 }
 void sha1_write(sha1nfo *s, const char *data, size_t len) {
  for (; len--;)
    sha1_writebyte(s, (uint8_t)*data++);
 }
 void sha1_pad(sha1nfo *s) {
  // Implement SHA-1 padding (fips180-2 §5.1.1)
  // Pad with 0x80 followed by 0x00 until the end of the block
  sha1_addUncounted(s, 0x80);
  while (s->bufferOffset != 56)
    sha1_addUncounted(s, 0x00);
  // Append length in the last 8 bytes
  sha1_addUncounted(s, 0);  // We're only using 32 bit lengths
  sha1_addUncounted(s, 0);  // But SHA-1 supports 64 bit lengths
  sha1_addUncounted(s, 0);  // So zero pad the top bits
  sha1_addUncounted(s, s->byteCount >> 29);  // Shifting to multiply by 8
  sha1_addUncounted(
      s, s->byteCount >> 21);  // as SHA-1 supports bitstreams as well as
  sha1_addUncounted(s, s->byteCount >> 13);  // byte.
  sha1_addUncounted(s, s->byteCount >> 5);
  sha1_addUncounted(s, s->byteCount << 3);
 }
 uint8_t *sha1_result(sha1nfo *s) {
  // Pad to complete the last block
  sha1_pad(s);
 #ifndef SHA_BIG_ENDIAN
  // Swap byte order back
  int i;
  for (i = 0; i < 5; i++) {
    s->state[i] = (((s->state[i]) << 24) & 0xff000000) |
                  (((s->state[i]) << 8) & 0x00ff0000) |
                  (((s->state[i]) >> 8) & 0x0000ff00) |
                  (((s->state[i]) >> 24) & 0x000000ff);
  }
 #endif
  // Return pointer to hash (20 characters)
  return (uint8_t *)s->state;
 }
 }  // namespace
 namespace fuzzer {
 // The rest is added for LibFuzzer
 void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out) {
  sha1nfo s;
  sha1_init(&s);
  sha1_write(&s, (const char *)Data, Len);
  memcpy(Out, sha1_result(&s), HASH_LENGTH);
 }
 std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]) {
  std::stringstream SS;
  for (int i = 0; i < kSHA1NumBytes; i++)
    SS << std::hex << std::setfill('0') << std::setw(2) << (unsigned)Sha1[i];
  return SS.str();
 }
 std::string Hash(const Unit &U) {
  uint8_t Hash[kSHA1NumBytes];
  ComputeSHA1(U.data(), U.size(), Hash);
  return Sha1ToString(Hash);
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerSHA1.h
+++ b/custom_mutators/libfuzzer/FuzzerSHA1.h
@ -0,0 +1,32 @@
 //===- FuzzerSHA1.h - Internal header for the SHA1 utils --------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // SHA1 utils.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_SHA1_H
 #define LLVM_FUZZER_SHA1_H
 #include "FuzzerDefs.h"
 #include <cstddef>
 #include <stdint.h>
 namespace fuzzer {
 // Private copy of SHA1 implementation.
 static const int kSHA1NumBytes = 20;
 // Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
 void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
 std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]);
 std::string Hash(const Unit &U);
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_SHA1_H
--- a/custom_mutators/libfuzzer/FuzzerTracePC.cpp
+++ b/custom_mutators/libfuzzer/FuzzerTracePC.cpp
@ -0,0 +1,819 @@
 //===- FuzzerTracePC.cpp - PC tracing--------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Trace PCs.
 // This module implements __sanitizer_cov_trace_pc_guard[_init],
 // the callback required for -fsanitize-coverage=trace-pc-guard instrumentation.
 //
 //===----------------------------------------------------------------------===//
 #include "FuzzerTracePC.h"
 #include "FuzzerBuiltins.h"
 #include "FuzzerBuiltinsMsvc.h"
 #include "FuzzerCorpus.h"
 #include "FuzzerDefs.h"
 #include "FuzzerDictionary.h"
 #include "FuzzerExtFunctions.h"
 #include "FuzzerIO.h"
 #include "FuzzerPlatform.h"
 #include "FuzzerUtil.h"
 #include "FuzzerValueBitMap.h"
 #include <set>
 // Used by -fsanitize-coverage=stack-depth to track stack depth
 ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
 namespace fuzzer {
 TracePC TPC;
 size_t TracePC::GetTotalPCCoverage() {
  return ObservedPCs.size();
 }
 void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) {
  if (Start == Stop) return;
  if (NumModules && Modules[NumModules - 1].Start() == Start) return;
  assert(NumModules < sizeof(Modules) / sizeof(Modules[0]));
  auto &   M = Modules[NumModules++];
  uint8_t *AlignedStart = RoundUpByPage(Start);
  uint8_t *AlignedStop = RoundDownByPage(Stop);
  size_t   NumFullPages = AlignedStop > AlignedStart
                            ? (AlignedStop - AlignedStart) / PageSize()
                            : 0;
  bool NeedFirst = Start < AlignedStart || !NumFullPages;
  bool NeedLast = Stop > AlignedStop && AlignedStop >= AlignedStart;
  M.NumRegions = NumFullPages + NeedFirst + NeedLast;
  ;
  assert(M.NumRegions > 0);
  M.Regions = new Module::Region[M.NumRegions];
  assert(M.Regions);
  size_t R = 0;
  if (NeedFirst)
    M.Regions[R++] = {Start, std::min(Stop, AlignedStart), true, false};
  for (uint8_t *P = AlignedStart; P < AlignedStop; P += PageSize())
    M.Regions[R++] = {P, P + PageSize(), true, true};
  if (NeedLast) M.Regions[R++] = {AlignedStop, Stop, true, false};
  assert(R == M.NumRegions);
  assert(M.Size() == (size_t)(Stop - Start));
  assert(M.Stop() == Stop);
  assert(M.Start() == Start);
  NumInline8bitCounters += M.Size();
 }
 void TracePC::HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop) {
  const PCTableEntry *B = reinterpret_cast<const PCTableEntry *>(Start);
  const PCTableEntry *E = reinterpret_cast<const PCTableEntry *>(Stop);
  if (NumPCTables && ModulePCTable[NumPCTables - 1].Start == B) return;
  assert(NumPCTables < sizeof(ModulePCTable) / sizeof(ModulePCTable[0]));
  ModulePCTable[NumPCTables++] = {B, E};
  NumPCsInPCTables += E - B;
 }
 void TracePC::PrintModuleInfo() {
  if (NumModules) {
    Printf("INFO: Loaded %zd modules   (%zd inline 8-bit counters): ",
           NumModules, NumInline8bitCounters);
    for (size_t i = 0; i < NumModules; i++)
      Printf("%zd [%p, %p), ", Modules[i].Size(), Modules[i].Start(),
             Modules[i].Stop());
    Printf("\n");
  }
  if (NumPCTables) {
    Printf("INFO: Loaded %zd PC tables (%zd PCs): ", NumPCTables,
           NumPCsInPCTables);
    for (size_t i = 0; i < NumPCTables; i++) {
      Printf("%zd [%p,%p), ", ModulePCTable[i].Stop - ModulePCTable[i].Start,
             ModulePCTable[i].Start, ModulePCTable[i].Stop);
    }
    Printf("\n");
    if (NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables) {
      Printf(
          "ERROR: The size of coverage PC tables does not match the\n"
          "number of instrumented PCs. This might be a compiler bug,\n"
          "please contact the libFuzzer developers.\n"
          "Also check https://bugs.llvm.org/show_bug.cgi?id=34636\n"
          "for possible workarounds (tl;dr: don't use the old GNU ld)\n");
      _Exit(1);
    }
  }
  if (size_t NumExtraCounters = ExtraCountersEnd() - ExtraCountersBegin())
    Printf("INFO: %zd Extra Counters\n", NumExtraCounters);
 }
 ATTRIBUTE_NO_SANITIZE_ALL
 void TracePC::HandleCallerCallee(uintptr_t Caller, uintptr_t Callee) {
  const uintptr_t kBits = 12;
  const uintptr_t kMask = (1 << kBits) - 1;
  uintptr_t       Idx = (Caller & kMask) | ((Callee & kMask) << kBits);
  ValueProfileMap.AddValueModPrime(Idx);
 }
 /// \return the address of the previous instruction.
 /// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.h`
 inline ALWAYS_INLINE uintptr_t GetPreviousInstructionPc(uintptr_t PC) {
 #if defined(__arm__)
  // T32 (Thumb) branch instructions might be 16 or 32 bit long,
  // so we return (pc-2) in that case in order to be safe.
  // For A32 mode we return (pc-4) because all instructions are 32 bit long.
  return (PC - 3) & (~1);
 #elif defined(__powerpc__) || defined(__powerpc64__) || defined(__aarch64__)
  // PCs are always 4 byte aligned.
  return PC - 4;
 #elif defined(__sparc__) || defined(__mips__)
  return PC - 8;
 #else
  return PC - 1;
 #endif
 }
 /// \return the address of the next instruction.
 /// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.cpp`
 ALWAYS_INLINE uintptr_t TracePC::GetNextInstructionPc(uintptr_t PC) {
 #if defined(__mips__)
  return PC + 8;
 #elif defined(__powerpc__) || defined(__sparc__) || defined(__arm__) || \
    defined(__aarch64__)
  return PC + 4;
 #else
  return PC + 1;
 #endif
 }
 void TracePC::UpdateObservedPCs() {
  Vector<uintptr_t> CoveredFuncs;
  auto              ObservePC = [&](const PCTableEntry *TE) {
    if (ObservedPCs.insert(TE).second && DoPrintNewPCs) {
      PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p",
              GetNextInstructionPc(TE->PC));
      Printf("\n");
    }
  };
  auto Observe = [&](const PCTableEntry *TE) {
    if (PcIsFuncEntry(TE))
      if (++ObservedFuncs[TE->PC] == 1 && NumPrintNewFuncs)
        CoveredFuncs.push_back(TE->PC);
    ObservePC(TE);
  };
  if (NumPCsInPCTables) {
    if (NumInline8bitCounters == NumPCsInPCTables) {
      for (size_t i = 0; i < NumModules; i++) {
        auto &M = Modules[i];
        assert(M.Size() ==
               (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
        for (size_t r = 0; r < M.NumRegions; r++) {
          auto &R = M.Regions[r];
          if (!R.Enabled) continue;
          for (uint8_t *P = R.Start; P < R.Stop; P++)
            if (*P) Observe(&ModulePCTable[i].Start[M.Idx(P)]);
        }
      }
    }
  }
  for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N;
       i++) {
    Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size());
    PrintPC("%p %F %L", "%p", GetNextInstructionPc(CoveredFuncs[i]));
    Printf("\n");
  }
 }
 uintptr_t TracePC::PCTableEntryIdx(const PCTableEntry *TE) {
  size_t TotalTEs = 0;
  for (size_t i = 0; i < NumPCTables; i++) {
    auto &M = ModulePCTable[i];
    if (TE >= M.Start && TE < M.Stop) return TotalTEs + TE - M.Start;
    TotalTEs += M.Stop - M.Start;
  }
  assert(0);
  return 0;
 }
 const TracePC::PCTableEntry *TracePC::PCTableEntryByIdx(uintptr_t Idx) {
  for (size_t i = 0; i < NumPCTables; i++) {
    auto & M = ModulePCTable[i];
    size_t Size = M.Stop - M.Start;
    if (Idx < Size) return &M.Start[Idx];
    Idx -= Size;
  }
  return nullptr;
 }
 static std::string GetModuleName(uintptr_t PC) {
  char  ModulePathRaw[4096] = "";  // What's PATH_MAX in portable C++?
  void *OffsetRaw = nullptr;
  if (!EF->__sanitizer_get_module_and_offset_for_pc(
          reinterpret_cast<void *>(PC), ModulePathRaw, sizeof(ModulePathRaw),
          &OffsetRaw))
    return "";
  return ModulePathRaw;
 }
 template <class CallBack>
 void TracePC::IterateCoveredFunctions(CallBack CB) {
  for (size_t i = 0; i < NumPCTables; i++) {
    auto &M = ModulePCTable[i];
    assert(M.Start < M.Stop);
    auto ModuleName = GetModuleName(M.Start->PC);
    for (auto NextFE = M.Start; NextFE < M.Stop;) {
      auto FE = NextFE;
      assert(PcIsFuncEntry(FE) && "Not a function entry point");
      do {
        NextFE++;
      } while (NextFE < M.Stop && !(PcIsFuncEntry(NextFE)));
      CB(FE, NextFE, ObservedFuncs[FE->PC]);
    }
  }
 }
 void TracePC::SetFocusFunction(const std::string &FuncName) {
  // This function should be called once.
  assert(!FocusFunctionCounterPtr);
  // "auto" is not a valid function name. If this function is called with "auto"
  // that means the auto focus functionality failed.
  if (FuncName.empty() || FuncName == "auto") return;
  for (size_t M = 0; M < NumModules; M++) {
    auto & PCTE = ModulePCTable[M];
    size_t N = PCTE.Stop - PCTE.Start;
    for (size_t I = 0; I < N; I++) {
      if (!(PcIsFuncEntry(&PCTE.Start[I]))) continue;  // not a function entry.
      auto Name = DescribePC("%F", GetNextInstructionPc(PCTE.Start[I].PC));
      if (Name[0] == 'i' && Name[1] == 'n' && Name[2] == ' ')
        Name = Name.substr(3, std::string::npos);
      if (FuncName != Name) continue;
      Printf("INFO: Focus function is set to '%s'\n", Name.c_str());
      FocusFunctionCounterPtr = Modules[M].Start() + I;
      return;
    }
  }
  Printf(
      "ERROR: Failed to set focus function. Make sure the function name is "
      "valid (%s) and symbolization is enabled.\n",
      FuncName.c_str());
  exit(1);
 }
 bool TracePC::ObservedFocusFunction() {
  return FocusFunctionCounterPtr && *FocusFunctionCounterPtr;
 }
 void TracePC::PrintCoverage() {
  if (!EF->__sanitizer_symbolize_pc ||
      !EF->__sanitizer_get_module_and_offset_for_pc) {
    Printf(
        "INFO: __sanitizer_symbolize_pc or "
        "__sanitizer_get_module_and_offset_for_pc is not available,"
        " not printing coverage\n");
    return;
  }
  Printf("COVERAGE:\n");
  auto CoveredFunctionCallback = [&](const PCTableEntry *First,
                                     const PCTableEntry *Last,
                                     uintptr_t           Counter) {
    assert(First < Last);
    auto        VisualizePC = GetNextInstructionPc(First->PC);
    std::string FileStr = DescribePC("%s", VisualizePC);
    if (!IsInterestingCoverageFile(FileStr)) return;
    std::string FunctionStr = DescribePC("%F", VisualizePC);
    if (FunctionStr.find("in ") == 0) FunctionStr = FunctionStr.substr(3);
    std::string       LineStr = DescribePC("%l", VisualizePC);
    size_t            NumEdges = Last - First;
    Vector<uintptr_t> UncoveredPCs;
    for (auto TE = First; TE < Last; TE++)
      if (!ObservedPCs.count(TE)) UncoveredPCs.push_back(TE->PC);
    Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter);
    Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges);
    Printf(" %s %s:%s\n", FunctionStr.c_str(), FileStr.c_str(),
           LineStr.c_str());
    if (Counter)
      for (auto PC : UncoveredPCs)
        Printf("  UNCOVERED_PC: %s\n",
               DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str());
  };
  IterateCoveredFunctions(CoveredFunctionCallback);
 }
 // Value profile.
 // We keep track of various values that affect control flow.
 // These values are inserted into a bit-set-based hash map.
 // Every new bit in the map is treated as a new coverage.
 //
 // For memcmp/strcmp/etc the interesting value is the length of the common
 // prefix of the parameters.
 // For cmp instructions the interesting value is a XOR of the parameters.
 // The interesting value is mixed up with the PC and is then added to the map.
 ATTRIBUTE_NO_SANITIZE_ALL
 void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
                                size_t n, bool StopAtZero) {
  if (!n) return;
  size_t         Len = std::min(n, Word::GetMaxSize());
  const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
  const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
  uint8_t        B1[Word::kMaxSize];
  uint8_t        B2[Word::kMaxSize];
  // Copy the data into locals in this non-msan-instrumented function
  // to avoid msan complaining further.
  size_t Hash = 0;  // Compute some simple hash of both strings.
  for (size_t i = 0; i < Len; i++) {
    B1[i] = A1[i];
    B2[i] = A2[i];
    size_t T = B1[i];
    Hash ^= (T << 8) | B2[i];
  }
  size_t  I = 0;
  uint8_t HammingDistance = 0;
  for (; I < Len; I++) {
    if (B1[I] != B2[I] || (StopAtZero && B1[I] == 0)) {
      HammingDistance = Popcountll(B1[I] ^ B2[I]);
      break;
    }
  }
  size_t PC = reinterpret_cast<size_t>(caller_pc);
  size_t Idx = (PC & 4095) | (I << 12);
  Idx += HammingDistance;
  ValueProfileMap.AddValue(Idx);
  TORCW.Insert(Idx ^ Hash, Word(B1, Len), Word(B2, Len));
 }
 template <class T>
 ATTRIBUTE_TARGET_POPCNT ALWAYS_INLINE ATTRIBUTE_NO_SANITIZE_ALL void
 TracePC::HandleCmp(uintptr_t PC, T Arg1, T Arg2) {
  uint64_t ArgXor = Arg1 ^ Arg2;
  if (sizeof(T) == 4)
    TORC4.Insert(ArgXor, Arg1, Arg2);
  else if (sizeof(T) == 8)
    TORC8.Insert(ArgXor, Arg1, Arg2);
  uint64_t HammingDistance = Popcountll(ArgXor);  // [0,64]
  uint64_t AbsoluteDistance = (Arg1 == Arg2 ? 0 : Clzll(Arg1 - Arg2) + 1);
  ValueProfileMap.AddValue(PC * 128 + HammingDistance);
  ValueProfileMap.AddValue(PC * 128 + 64 + AbsoluteDistance);
 }
 static size_t InternalStrnlen(const char *S, size_t MaxLen) {
  size_t Len = 0;
  for (; Len < MaxLen && S[Len]; Len++) {}
  return Len;
 }
 // Finds min of (strlen(S1), strlen(S2)).
 // Needed bacause one of these strings may actually be non-zero terminated.
 static size_t InternalStrnlen2(const char *S1, const char *S2) {
  size_t Len = 0;
  for (; S1[Len] && S2[Len]; Len++) {}
  return Len;
 }
 void TracePC::ClearInlineCounters() {
  IterateCounterRegions([](const Module::Region &R) {
    if (R.Enabled) memset(R.Start, 0, R.Stop - R.Start);
  });
 }
 ATTRIBUTE_NO_SANITIZE_ALL
 void TracePC::RecordInitialStack() {
  int stack;
  __sancov_lowest_stack = InitialStack = reinterpret_cast<uintptr_t>(&stack);
 }
 uintptr_t TracePC::GetMaxStackOffset() const {
  return InitialStack - __sancov_lowest_stack;  // Stack grows down
 }
 void WarnAboutDeprecatedInstrumentation(const char *flag) {
  // Use RawPrint because Printf cannot be used on Windows before OutputFile is
  // initialized.
  RawPrint(flag);
  RawPrint(
      " is no longer supported by libFuzzer.\n"
      "Please either migrate to a compiler that supports -fsanitize=fuzzer\n"
      "or use an older version of libFuzzer\n");
  exit(1);
 }
 }  // namespace fuzzer
 extern "C" {
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) {
  fuzzer::WarnAboutDeprecatedInstrumentation(
      "-fsanitize-coverage=trace-pc-guard");
 }
 // Best-effort support for -fsanitize-coverage=trace-pc, which is available
 // in both Clang and GCC.
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 void __sanitizer_cov_trace_pc() {
  fuzzer::WarnAboutDeprecatedInstrumentation("-fsanitize-coverage=trace-pc");
 }
 ATTRIBUTE_INTERFACE
 void __sanitizer_cov_trace_pc_guard_init(uint32_t *Start, uint32_t *Stop) {
  fuzzer::WarnAboutDeprecatedInstrumentation(
      "-fsanitize-coverage=trace-pc-guard");
 }
 ATTRIBUTE_INTERFACE
 void __sanitizer_cov_8bit_counters_init(uint8_t *Start, uint8_t *Stop) {
  fuzzer::TPC.HandleInline8bitCountersInit(Start, Stop);
 }
 ATTRIBUTE_INTERFACE
 void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
                              const uintptr_t *pcs_end) {
  fuzzer::TPC.HandlePCsInit(pcs_beg, pcs_end);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 void __sanitizer_cov_trace_pc_indir(uintptr_t Callee) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCallerCallee(PC, Callee);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 // Now the __sanitizer_cov_trace_const_cmp[1248] callbacks just mimic
 // the behaviour of __sanitizer_cov_trace_cmp[1248] ones. This, however,
 // should be changed later to make full use of instrumentation.
 void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
  uint64_t  N = Cases[0];
  uint64_t  ValSizeInBits = Cases[1];
  uint64_t *Vals = Cases + 2;
  // Skip the most common and the most boring case: all switch values are small.
  // We may want to skip this at compile-time, but it will make the
  // instrumentation less general.
  if (Vals[N - 1] < 256) return;
  // Also skip small inputs values, they won't give good signal.
  if (Val < 256) return;
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  size_t    i;
  uint64_t  Smaller = 0;
  uint64_t  Larger = ~(uint64_t)0;
  // Find two switch values such that Smaller < Val < Larger.
  // Use 0 and 0xfff..f as the defaults.
  for (i = 0; i < N; i++) {
    if (Val < Vals[i]) {
      Larger = Vals[i];
      break;
    }
    if (Val > Vals[i]) Smaller = Vals[i];
  }
  // Apply HandleCmp to {Val,Smaller} and {Val, Larger},
  // use i as the PC modifier for HandleCmp.
  if (ValSizeInBits == 16) {
    fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint16_t>(Val),
                          (uint16_t)(Smaller));
    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint16_t>(Val),
                          (uint16_t)(Larger));
  } else if (ValSizeInBits == 32) {
    fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint32_t>(Val),
                          (uint32_t)(Smaller));
    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint32_t>(Val),
                          (uint32_t)(Larger));
  } else {
    fuzzer::TPC.HandleCmp(PC + 2 * i, Val, Smaller);
    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, Val, Larger);
  }
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_div4(uint32_t Val) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Val, (uint32_t)0);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_div8(uint64_t Val) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Val, (uint64_t)0);
 }
 ATTRIBUTE_INTERFACE
 ATTRIBUTE_NO_SANITIZE_ALL
 ATTRIBUTE_TARGET_POPCNT
 void __sanitizer_cov_trace_gep(uintptr_t Idx) {
  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
  fuzzer::TPC.HandleCmp(PC, Idx, (uintptr_t)0);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
                             size_t n, int result) {
  if (!fuzzer::RunningUserCallback) return;
  if (result == 0) return;  // No reason to mutate.
  if (n <= 1) return;       // Not interesting.
  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/ false);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
                              size_t n, int result) {
  if (!fuzzer::RunningUserCallback) return;
  if (result == 0) return;  // No reason to mutate.
  size_t Len1 = fuzzer::InternalStrnlen(s1, n);
  size_t Len2 = fuzzer::InternalStrnlen(s2, n);
  n = std::min(n, Len1);
  n = std::min(n, Len2);
  if (n <= 1) return;  // Not interesting.
  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/ true);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1, const char *s2,
                             int result) {
  if (!fuzzer::RunningUserCallback) return;
  if (result == 0) return;  // No reason to mutate.
  size_t N = fuzzer::InternalStrnlen2(s1, s2);
  if (N <= 1) return;  // Not interesting.
  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/ true);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
                                  const char *s2, size_t n, int result) {
  if (!fuzzer::RunningUserCallback) return;
  return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
                                 const char *s2, int result) {
  if (!fuzzer::RunningUserCallback) return;
  return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strstr(void *called_pc, const char *s1, const char *s2,
                             char *result) {
  if (!fuzzer::RunningUserCallback) return;
  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
                                 const char *s2, char *result) {
  if (!fuzzer::RunningUserCallback) return;
  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
 }
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
 __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
                             const void *s2, size_t len2, void *result) {
  if (!fuzzer::RunningUserCallback) return;
  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), len2);
 }
 }  // extern "C"
--- a/custom_mutators/libfuzzer/FuzzerTracePC.h
+++ b/custom_mutators/libfuzzer/FuzzerTracePC.h
@ -0,0 +1,291 @@
 //===- FuzzerTracePC.h - Internal header for the Fuzzer ---------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // fuzzer::TracePC
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_TRACE_PC
 #define LLVM_FUZZER_TRACE_PC
 #include "FuzzerDefs.h"
 #include "FuzzerDictionary.h"
 #include "FuzzerValueBitMap.h"
 #include <set>
 #include <unordered_map>
 namespace fuzzer {
 // TableOfRecentCompares (TORC) remembers the most recently performed
 // comparisons of type T.
 // We record the arguments of CMP instructions in this table unconditionally
 // because it seems cheaper this way than to compute some expensive
 // conditions inside __sanitizer_cov_trace_cmp*.
 // After the unit has been executed we may decide to use the contents of
 // this table to populate a Dictionary.
 template<class T, size_t kSizeT>
 struct TableOfRecentCompares {
  static const size_t kSize = kSizeT;
  struct Pair {
    T A, B;
  };
  ATTRIBUTE_NO_SANITIZE_ALL
  void Insert(size_t Idx, const T &Arg1, const T &Arg2) {
    Idx = Idx % kSize;
    Table[Idx].A = Arg1;
    Table[Idx].B = Arg2;
  }
  Pair Get(size_t I) { return Table[I % kSize]; }
  Pair Table[kSize];
 };
 template <size_t kSizeT>
 struct MemMemTable {
  static const size_t kSize = kSizeT;
  Word MemMemWords[kSize];
  Word EmptyWord;
  void Add(const uint8_t *Data, size_t Size) {
    if (Size <= 2) return;
    Size = std::min(Size, Word::GetMaxSize());
    size_t Idx = SimpleFastHash(Data, Size) % kSize;
    MemMemWords[Idx].Set(Data, Size);
  }
  const Word &Get(size_t Idx) {
    for (size_t i = 0; i < kSize; i++) {
      const Word &W = MemMemWords[(Idx + i) % kSize];
      if (W.size()) return W;
    }
    EmptyWord.Set(nullptr, 0);
    return EmptyWord;
  }
 };
 class TracePC {
 public:
  void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop);
  void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop);
  void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
  template <class T> void HandleCmp(uintptr_t PC, T Arg1, T Arg2);
  size_t GetTotalPCCoverage();
  void SetUseCounters(bool UC) { UseCounters = UC; }
  void SetUseValueProfileMask(uint32_t VPMask) { UseValueProfileMask = VPMask; }
  void SetPrintNewPCs(bool P) { DoPrintNewPCs = P; }
  void SetPrintNewFuncs(size_t P) { NumPrintNewFuncs = P; }
  void UpdateObservedPCs();
  template <class Callback> void CollectFeatures(Callback CB) const;
  void ResetMaps() {
    ValueProfileMap.Reset();
    ClearExtraCounters();
    ClearInlineCounters();
  }
  void ClearInlineCounters();
  void UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize);
  void PrintFeatureSet();
  void PrintModuleInfo();
  void PrintCoverage();
  template<class CallBack>
  void IterateCoveredFunctions(CallBack CB);
  void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
                         size_t n, bool StopAtZero);
  TableOfRecentCompares<uint32_t, 32> TORC4;
  TableOfRecentCompares<uint64_t, 32> TORC8;
  TableOfRecentCompares<Word, 32> TORCW;
  MemMemTable<1024> MMT;
  void RecordInitialStack();
  uintptr_t GetMaxStackOffset() const;
  template<class CallBack>
  void ForEachObservedPC(CallBack CB) {
    for (auto PC : ObservedPCs)
      CB(PC);
  }
  void SetFocusFunction(const std::string &FuncName);
  bool ObservedFocusFunction();
  struct PCTableEntry {
    uintptr_t PC, PCFlags;
  };
  uintptr_t PCTableEntryIdx(const PCTableEntry *TE);
  const PCTableEntry *PCTableEntryByIdx(uintptr_t Idx);
  static uintptr_t GetNextInstructionPc(uintptr_t PC);
  bool PcIsFuncEntry(const PCTableEntry *TE) { return TE->PCFlags & 1; }
 private:
  bool UseCounters = false;
  uint32_t UseValueProfileMask = false;
  bool DoPrintNewPCs = false;
  size_t NumPrintNewFuncs = 0;
  // Module represents the array of 8-bit counters split into regions
  // such that every region, except maybe the first and the last one, is one
  // full page.
  struct Module {
    struct Region {
      uint8_t *Start, *Stop;
      bool Enabled;
      bool OneFullPage;
    };
    Region *Regions;
    size_t NumRegions;
    uint8_t *Start() const { return Regions[0].Start; }
    uint8_t *Stop()  const { return Regions[NumRegions - 1].Stop; }
    size_t Size()    const { return Stop() - Start(); }
    size_t  Idx(uint8_t *P) const {
      assert(P >= Start() && P < Stop());
      return P - Start();
    }
  };
  Module Modules[4096];
  size_t NumModules;  // linker-initialized.
  size_t NumInline8bitCounters;
  template <class Callback>
  void IterateCounterRegions(Callback CB) {
    for (size_t m = 0; m < NumModules; m++)
      for (size_t r = 0; r < Modules[m].NumRegions; r++)
        CB(Modules[m].Regions[r]);
  }
  struct { const PCTableEntry *Start, *Stop; } ModulePCTable[4096];
  size_t NumPCTables;
  size_t NumPCsInPCTables;
  Set<const PCTableEntry*> ObservedPCs;
  std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs;  // PC => Counter.
  uint8_t *FocusFunctionCounterPtr = nullptr;
  ValueBitMap ValueProfileMap;
  uintptr_t InitialStack;
 };
 template <class Callback>
 // void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);
 ATTRIBUTE_NO_SANITIZE_ALL
 size_t ForEachNonZeroByte(const uint8_t *Begin, const uint8_t *End,
                        size_t FirstFeature, Callback Handle8bitCounter) {
  typedef uintptr_t LargeType;
  const size_t Step = sizeof(LargeType) / sizeof(uint8_t);
  const size_t StepMask = Step - 1;
  auto P = Begin;
  // Iterate by 1 byte until either the alignment boundary or the end.
  for (; reinterpret_cast<uintptr_t>(P) & StepMask && P < End; P++)
    if (uint8_t V = *P)
      Handle8bitCounter(FirstFeature, P - Begin, V);
  // Iterate by Step bytes at a time.
  for (; P < End; P += Step)
    if (LargeType Bundle = *reinterpret_cast<const LargeType *>(P)) {
      Bundle = HostToLE(Bundle);
      for (size_t I = 0; I < Step; I++, Bundle >>= 8)
        if (uint8_t V = Bundle & 0xff)
          Handle8bitCounter(FirstFeature, P - Begin + I, V);
    }
  // Iterate by 1 byte until the end.
  for (; P < End; P++)
    if (uint8_t V = *P)
      Handle8bitCounter(FirstFeature, P - Begin, V);
  return End - Begin;
 }
 // Given a non-zero Counter returns a number in the range [0,7].
 template<class T>
 unsigned CounterToFeature(T Counter) {
    // Returns a feature number by placing Counters into buckets as illustrated
    // below.
    //
    // Counter bucket: [1] [2] [3] [4-7] [8-15] [16-31] [32-127] [128+]
    // Feature number:  0   1   2    3     4       5       6       7
    //
    // This is a heuristic taken from AFL (see
    // http://lcamtuf.coredump.cx/afl/technical_details.txt).
    //
    // This implementation may change in the future so clients should
    // not rely on it.
    assert(Counter);
    unsigned Bit = 0;
    /**/ if (Counter >= 128) Bit = 7;
    else if (Counter >= 32) Bit = 6;
    else if (Counter >= 16) Bit = 5;
    else if (Counter >= 8) Bit = 4;
    else if (Counter >= 4) Bit = 3;
    else if (Counter >= 3) Bit = 2;
    else if (Counter >= 2) Bit = 1;
    return Bit;
 }
 template <class Callback>  // void Callback(size_t Feature)
 ATTRIBUTE_NO_SANITIZE_ADDRESS
 ATTRIBUTE_NOINLINE
 void TracePC::CollectFeatures(Callback HandleFeature) const {
  auto Handle8bitCounter = [&](size_t FirstFeature,
                               size_t Idx, uint8_t Counter) {
    if (UseCounters)
      HandleFeature(FirstFeature + Idx * 8 + CounterToFeature(Counter));
    else
      HandleFeature(FirstFeature + Idx);
  };
  size_t FirstFeature = 0;
  for (size_t i = 0; i < NumModules; i++) {
    for (size_t r = 0; r < Modules[i].NumRegions; r++) {
      if (!Modules[i].Regions[r].Enabled) continue;
      FirstFeature += 8 * ForEachNonZeroByte(Modules[i].Regions[r].Start,
                                             Modules[i].Regions[r].Stop,
                                             FirstFeature, Handle8bitCounter);
    }
  }
  FirstFeature +=
      8 * ForEachNonZeroByte(ExtraCountersBegin(), ExtraCountersEnd(),
                             FirstFeature, Handle8bitCounter);
  if (UseValueProfileMask) {
    ValueProfileMap.ForEach([&](size_t Idx) {
      HandleFeature(FirstFeature + Idx);
    });
    FirstFeature += ValueProfileMap.SizeInBits();
  }
  // Step function, grows similar to 8 * Log_2(A).
  auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
    if (!A) return A;
    uint32_t Log2 = Log(A);
    if (Log2 < 3) return A;
    Log2 -= 3;
    return (Log2 + 1) * 8 + ((A >> Log2) & 7);
  };
  assert(StackDepthStepFunction(1024) == 64);
  assert(StackDepthStepFunction(1024 * 4) == 80);
  assert(StackDepthStepFunction(1024 * 1024) == 144);
  if (auto MaxStackOffset = GetMaxStackOffset())
    HandleFeature(FirstFeature + StackDepthStepFunction(MaxStackOffset / 8));
 }
 extern TracePC TPC;
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_TRACE_PC
--- a/custom_mutators/libfuzzer/FuzzerUtil.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtil.cpp
@ -0,0 +1,314 @@
 //===- FuzzerUtil.cpp - Misc utils ----------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils.
 //===----------------------------------------------------------------------===//
 #include "FuzzerUtil.h"
 #include "FuzzerIO.h"
 #include "FuzzerInternal.h"
 #include <cassert>
 #include <chrono>
 #include <cstring>
 #include <errno.h>
 #include <mutex>
 #include <signal.h>
 #include <sstream>
 #include <stdio.h>
 #include <sys/types.h>
 #include <thread>
 namespace fuzzer {
 void PrintHexArray(const uint8_t *Data, size_t Size, const char *PrintAfter) {
  for (size_t i = 0; i < Size; i++)
    Printf("0x%x,", (unsigned)Data[i]);
  Printf("%s", PrintAfter);
 }
 void Print(const Unit &v, const char *PrintAfter) {
  PrintHexArray(v.data(), v.size(), PrintAfter);
 }
 void PrintASCIIByte(uint8_t Byte) {
  if (Byte == '\\')
    Printf("\\\\");
  else if (Byte == '"')
    Printf("\\\"");
  else if (Byte >= 32 && Byte < 127)
    Printf("%c", Byte);
  else
    Printf("\\x%02x", Byte);
 }
 void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter) {
  for (size_t i = 0; i < Size; i++)
    PrintASCIIByte(Data[i]);
  Printf("%s", PrintAfter);
 }
 void PrintASCII(const Unit &U, const char *PrintAfter) {
  PrintASCII(U.data(), U.size(), PrintAfter);
 }
 bool ToASCII(uint8_t *Data, size_t Size) {
  bool Changed = false;
  for (size_t i = 0; i < Size; i++) {
    uint8_t &X = Data[i];
    auto     NewX = X;
    NewX &= 127;
    if (!isspace(NewX) && !isprint(NewX)) NewX = ' ';
    Changed |= NewX != X;
    X = NewX;
  }
  return Changed;
 }
 bool IsASCII(const Unit &U) {
  return IsASCII(U.data(), U.size());
 }
 bool IsASCII(const uint8_t *Data, size_t Size) {
  for (size_t i = 0; i < Size; i++)
    if (!(isprint(Data[i]) || isspace(Data[i]))) return false;
  return true;
 }
 bool ParseOneDictionaryEntry(const std::string &Str, Unit *U) {
  U->clear();
  if (Str.empty()) return false;
  size_t L = 0, R = Str.size() - 1;  // We are parsing the range [L,R].
  // Skip spaces from both sides.
  while (L < R && isspace(Str[L]))
    L++;
  while (R > L && isspace(Str[R]))
    R--;
  if (R - L < 2) return false;
  // Check the closing "
  if (Str[R] != '"') return false;
  R--;
  // Find the opening "
  while (L < R && Str[L] != '"')
    L++;
  if (L >= R) return false;
  assert(Str[L] == '\"');
  L++;
  assert(L <= R);
  for (size_t Pos = L; Pos <= R; Pos++) {
    uint8_t V = (uint8_t)Str[Pos];
    if (!isprint(V) && !isspace(V)) return false;
    if (V == '\\') {
      // Handle '\\'
      if (Pos + 1 <= R && (Str[Pos + 1] == '\\' || Str[Pos + 1] == '"')) {
        U->push_back(Str[Pos + 1]);
        Pos++;
        continue;
      }
      // Handle '\xAB'
      if (Pos + 3 <= R && Str[Pos + 1] == 'x' && isxdigit(Str[Pos + 2]) &&
          isxdigit(Str[Pos + 3])) {
        char Hex[] = "0xAA";
        Hex[2] = Str[Pos + 2];
        Hex[3] = Str[Pos + 3];
        U->push_back(strtol(Hex, nullptr, 16));
        Pos += 3;
        continue;
      }
      return false;  // Invalid escape.
    } else {
      // Any other character.
      U->push_back(V);
    }
  }
  return true;
 }
 bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units) {
  if (Text.empty()) {
    Printf("ParseDictionaryFile: file does not exist or is empty\n");
    return false;
  }
  std::istringstream ISS(Text);
  Units->clear();
  Unit        U;
  int         LineNo = 0;
  std::string S;
  while (std::getline(ISS, S, '\n')) {
    LineNo++;
    size_t Pos = 0;
    while (Pos < S.size() && isspace(S[Pos]))
      Pos++;                        // Skip spaces.
    if (Pos == S.size()) continue;  // Empty line.
    if (S[Pos] == '#') continue;    // Comment line.
    if (ParseOneDictionaryEntry(S, &U)) {
      Units->push_back(U);
    } else {
      Printf("ParseDictionaryFile: error in line %d\n\t\t%s\n", LineNo,
             S.c_str());
      return false;
    }
  }
  return true;
 }
 // Code duplicated (and tested) in llvm/include/llvm/Support/Base64.h
 std::string Base64(const Unit &U) {
  static const char Table[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      "abcdefghijklmnopqrstuvwxyz"
      "0123456789+/";
  std::string Buffer;
  Buffer.resize(((U.size() + 2) / 3) * 4);
  size_t i = 0, j = 0;
  for (size_t n = U.size() / 3 * 3; i < n; i += 3, j += 4) {
    uint32_t x = ((unsigned char)U[i] << 16) | ((unsigned char)U[i + 1] << 8) |
                 (unsigned char)U[i + 2];
    Buffer[j + 0] = Table[(x >> 18) & 63];
    Buffer[j + 1] = Table[(x >> 12) & 63];
    Buffer[j + 2] = Table[(x >> 6) & 63];
    Buffer[j + 3] = Table[x & 63];
  }
  if (i + 1 == U.size()) {
    uint32_t x = ((unsigned char)U[i] << 16);
    Buffer[j + 0] = Table[(x >> 18) & 63];
    Buffer[j + 1] = Table[(x >> 12) & 63];
    Buffer[j + 2] = '=';
    Buffer[j + 3] = '=';
  } else if (i + 2 == U.size()) {
    uint32_t x = ((unsigned char)U[i] << 16) | ((unsigned char)U[i + 1] << 8);
    Buffer[j + 0] = Table[(x >> 18) & 63];
    Buffer[j + 1] = Table[(x >> 12) & 63];
    Buffer[j + 2] = Table[(x >> 6) & 63];
    Buffer[j + 3] = '=';
  }
  return Buffer;
 }
 static std::mutex SymbolizeMutex;
 std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC) {
  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
  if (!EF->__sanitizer_symbolize_pc || !l.owns_lock())
    return "<can not symbolize>";
  char PcDescr[1024] = {};
  EF->__sanitizer_symbolize_pc(reinterpret_cast<void *>(PC), SymbolizedFMT,
                               PcDescr, sizeof(PcDescr));
  PcDescr[sizeof(PcDescr) - 1] = 0;  // Just in case.
  return PcDescr;
 }
 void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
  if (EF->__sanitizer_symbolize_pc)
    Printf("%s", DescribePC(SymbolizedFMT, PC).c_str());
  else
    Printf(FallbackFMT, PC);
 }
 void PrintStackTrace() {
  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
  if (EF->__sanitizer_print_stack_trace && l.owns_lock())
    EF->__sanitizer_print_stack_trace();
 }
 void PrintMemoryProfile() {
  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
  if (EF->__sanitizer_print_memory_profile && l.owns_lock())
    EF->__sanitizer_print_memory_profile(95, 8);
 }
 unsigned NumberOfCpuCores() {
  unsigned N = std::thread::hardware_concurrency();
  if (!N) {
    Printf(
        "WARNING: std::thread::hardware_concurrency not well defined for "
        "your platform. Assuming CPU count of 1.\n");
    N = 1;
  }
  return N;
 }
 size_t SimpleFastHash(const uint8_t *Data, size_t Size) {
  size_t Res = 0;
  for (size_t i = 0; i < Size; i++)
    Res = Res * 11 + Data[i];
  return Res;
 }
 }  // namespace fuzzer
--- a/custom_mutators/libfuzzer/FuzzerUtil.h
+++ b/custom_mutators/libfuzzer/FuzzerUtil.h
@ -0,0 +1,117 @@
 //===- FuzzerUtil.h - Internal header for the Fuzzer Utils ------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Util functions.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_UTIL_H
 #define LLVM_FUZZER_UTIL_H
 #include "FuzzerBuiltins.h"
 #include "FuzzerBuiltinsMsvc.h"
 #include "FuzzerCommand.h"
 #include "FuzzerDefs.h"
 namespace fuzzer {
 void PrintHexArray(const Unit &U, const char *PrintAfter = "");
 void PrintHexArray(const uint8_t *Data, size_t Size,
                   const char *PrintAfter = "");
 void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter = "");
 void PrintASCII(const Unit &U, const char *PrintAfter = "");
 // Changes U to contain only ASCII (isprint+isspace) characters.
 // Returns true iff U has been changed.
 bool ToASCII(uint8_t *Data, size_t Size);
 bool IsASCII(const Unit &U);
 bool IsASCII(const uint8_t *Data, size_t Size);
 std::string Base64(const Unit &U);
 void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
 std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC);
 void PrintStackTrace();
 void PrintMemoryProfile();
 unsigned NumberOfCpuCores();
 // Platform specific functions.
 void SetSignalHandler(const FuzzingOptions& Options);
 void SleepSeconds(int Seconds);
 unsigned long GetPid();
 size_t GetPeakRSSMb();
 int ExecuteCommand(const Command &Cmd);
 bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput);
 // Fuchsia does not have popen/pclose.
 FILE *OpenProcessPipe(const char *Command, const char *Mode);
 int CloseProcessPipe(FILE *F);
 const void *SearchMemory(const void *haystack, size_t haystacklen,
                         const void *needle, size_t needlelen);
 std::string CloneArgsWithoutX(const Vector<std::string> &Args,
                              const char *X1, const char *X2);
 inline std::string CloneArgsWithoutX(const Vector<std::string> &Args,
                                     const char *X) {
  return CloneArgsWithoutX(Args, X, X);
 }
 inline std::pair<std::string, std::string> SplitBefore(std::string X,
                                                       std::string S) {
  auto Pos = S.find(X);
  if (Pos == std::string::npos)
    return std::make_pair(S, "");
  return std::make_pair(S.substr(0, Pos), S.substr(Pos));
 }
 void DiscardOutput(int Fd);
 std::string DisassembleCmd(const std::string &FileName);
 std::string SearchRegexCmd(const std::string &Regex);
 size_t SimpleFastHash(const uint8_t *Data, size_t Size);
 inline uint32_t Log(uint32_t X) { return 32 - Clz(X) - 1; }
 inline size_t PageSize() { return 4096; }
 inline uint8_t *RoundUpByPage(uint8_t *P) {
  uintptr_t X = reinterpret_cast<uintptr_t>(P);
  size_t Mask = PageSize() - 1;
  X = (X + Mask) & ~Mask;
  return reinterpret_cast<uint8_t *>(X);
 }
 inline uint8_t *RoundDownByPage(uint8_t *P) {
  uintptr_t X = reinterpret_cast<uintptr_t>(P);
  size_t Mask = PageSize() - 1;
  X = X & ~Mask;
  return reinterpret_cast<uint8_t *>(X);
 }
 #if __BYTE_ORDER == __LITTLE_ENDIAN
 template <typename T> T HostToLE(T X) { return X; }
 #else
 template <typename T> T HostToLE(T X) { return Bswap(X); }
 #endif
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_UTIL_H
--- a/custom_mutators/libfuzzer/FuzzerUtilDarwin.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilDarwin.cpp
@ -0,0 +1,205 @@
 //===- FuzzerUtilDarwin.cpp - Misc utils ----------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils for Darwin.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_APPLE
  #include "FuzzerCommand.h"
  #include "FuzzerIO.h"
  #include <mutex>
  #include <signal.h>
  #include <spawn.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/wait.h>
  #include <unistd.h>
 // There is no header for this on macOS so declare here
 extern "C" char **environ;
 namespace fuzzer {
 static std::mutex SignalMutex;
 // Global variables used to keep track of how signal handling should be
 // restored. They should **not** be accessed without holding `SignalMutex`.
 static int              ActiveThreadCount = 0;
 static struct sigaction OldSigIntAction;
 static struct sigaction OldSigQuitAction;
 static sigset_t         OldBlockedSignalsSet;
 // This is a reimplementation of Libc's `system()`. On Darwin the Libc
 // implementation contains a mutex which prevents it from being used
 // concurrently. This implementation **can** be used concurrently. It sets the
 // signal handlers when the first thread enters and restores them when the last
 // thread finishes execution of the function and ensures this is not racey by
 // using a mutex.
 int ExecuteCommand(const Command &Cmd) {
  std::string       CmdLine = Cmd.toString();
  posix_spawnattr_t SpawnAttributes;
  if (posix_spawnattr_init(&SpawnAttributes)) return -1;
  // Block and ignore signals of the current process when the first thread
  // enters.
  {
    std::lock_guard<std::mutex> Lock(SignalMutex);
    if (ActiveThreadCount == 0) {
      static struct sigaction IgnoreSignalAction;
      sigset_t                BlockedSignalsSet;
      memset(&IgnoreSignalAction, 0, sizeof(IgnoreSignalAction));
      IgnoreSignalAction.sa_handler = SIG_IGN;
      if (sigaction(SIGINT, &IgnoreSignalAction, &OldSigIntAction) == -1) {
        Printf("Failed to ignore SIGINT\n");
        (void)posix_spawnattr_destroy(&SpawnAttributes);
        return -1;
      }
      if (sigaction(SIGQUIT, &IgnoreSignalAction, &OldSigQuitAction) == -1) {
        Printf("Failed to ignore SIGQUIT\n");
        // Try our best to restore the signal handlers.
        (void)sigaction(SIGINT, &OldSigIntAction, NULL);
        (void)posix_spawnattr_destroy(&SpawnAttributes);
        return -1;
      }
      (void)sigemptyset(&BlockedSignalsSet);
      (void)sigaddset(&BlockedSignalsSet, SIGCHLD);
      if (sigprocmask(SIG_BLOCK, &BlockedSignalsSet, &OldBlockedSignalsSet) ==
          -1) {
        Printf("Failed to block SIGCHLD\n");
        // Try our best to restore the signal handlers.
        (void)sigaction(SIGQUIT, &OldSigQuitAction, NULL);
        (void)sigaction(SIGINT, &OldSigIntAction, NULL);
        (void)posix_spawnattr_destroy(&SpawnAttributes);
        return -1;
      }
    }
    ++ActiveThreadCount;
  }
  // NOTE: Do not introduce any new `return` statements past this
  // point. It is important that `ActiveThreadCount` always be decremented
  // when leaving this function.
  // Make sure the child process uses the default handlers for the
  // following signals rather than inheriting what the parent has.
  sigset_t DefaultSigSet;
  (void)sigemptyset(&DefaultSigSet);
  (void)sigaddset(&DefaultSigSet, SIGQUIT);
  (void)sigaddset(&DefaultSigSet, SIGINT);
  (void)posix_spawnattr_setsigdefault(&SpawnAttributes, &DefaultSigSet);
  // Make sure the child process doesn't block SIGCHLD
  (void)posix_spawnattr_setsigmask(&SpawnAttributes, &OldBlockedSignalsSet);
  short SpawnFlags = POSIX_SPAWN_SETSIGDEF | POSIX_SPAWN_SETSIGMASK;
  (void)posix_spawnattr_setflags(&SpawnAttributes, SpawnFlags);
  pid_t       Pid;
  char **     Environ = environ;  // Read from global
  const char *CommandCStr = CmdLine.c_str();
  char *const Argv[] = {strdup("sh"), strdup("-c"), strdup(CommandCStr), NULL};
  int         ErrorCode = 0, ProcessStatus = 0;
  // FIXME: We probably shouldn't hardcode the shell path.
  ErrorCode =
      posix_spawn(&Pid, "/bin/sh", NULL, &SpawnAttributes, Argv, Environ);
  (void)posix_spawnattr_destroy(&SpawnAttributes);
  if (!ErrorCode) {
    pid_t SavedPid = Pid;
    do {
      // Repeat until call completes uninterrupted.
      Pid = waitpid(SavedPid, &ProcessStatus, /*options=*/0);
    } while (Pid == -1 && errno == EINTR);
    if (Pid == -1) {
      // Fail for some other reason.
      ProcessStatus = -1;
    }
  } else if (ErrorCode == ENOMEM || ErrorCode == EAGAIN) {
    // Fork failure.
    ProcessStatus = -1;
  } else {
    // Shell execution failure.
    ProcessStatus = W_EXITCODE(127, 0);
  }
  for (unsigned i = 0, n = sizeof(Argv) / sizeof(Argv[0]); i < n; ++i)
    free(Argv[i]);
  // Restore the signal handlers of the current process when the last thread
  // using this function finishes.
  {
    std::lock_guard<std::mutex> Lock(SignalMutex);
    --ActiveThreadCount;
    if (ActiveThreadCount == 0) {
      bool FailedRestore = false;
      if (sigaction(SIGINT, &OldSigIntAction, NULL) == -1) {
        Printf("Failed to restore SIGINT handling\n");
        FailedRestore = true;
      }
      if (sigaction(SIGQUIT, &OldSigQuitAction, NULL) == -1) {
        Printf("Failed to restore SIGQUIT handling\n");
        FailedRestore = true;
      }
      if (sigprocmask(SIG_BLOCK, &OldBlockedSignalsSet, NULL) == -1) {
        Printf("Failed to unblock SIGCHLD\n");
        FailedRestore = true;
      }
      if (FailedRestore) ProcessStatus = -1;
    }
  }
  return ProcessStatus;
 }
 void DiscardOutput(int Fd) {
  FILE *Temp = fopen("/dev/null", "w");
  if (!Temp) return;
  dup2(fileno(Temp), Fd);
  fclose(Temp);
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_APPLE
--- a/custom_mutators/libfuzzer/FuzzerUtilFuchsia.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilFuchsia.cpp
@ -0,0 +1,658 @@
 //===- FuzzerUtilFuchsia.cpp - Misc utils for Fuchsia. --------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils implementation using Fuchsia/Zircon APIs.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_FUCHSIA
  #include "FuzzerInternal.h"
  #include "FuzzerUtil.h"
  #include <cassert>
  #include <cerrno>
  #include <cinttypes>
  #include <cstdint>
  #include <fcntl.h>
  #include <lib/fdio/fdio.h>
  #include <lib/fdio/spawn.h>
  #include <string>
  #include <sys/select.h>
  #include <thread>
  #include <unistd.h>
  #include <zircon/errors.h>
  #include <zircon/process.h>
  #include <zircon/sanitizer.h>
  #include <zircon/status.h>
  #include <zircon/syscalls.h>
  #include <zircon/syscalls/debug.h>
  #include <zircon/syscalls/exception.h>
  #include <zircon/syscalls/object.h>
  #include <zircon/types.h>
  #include <vector>
 namespace fuzzer {
 // Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written
 // around, the general approach is to spin up dedicated threads to watch for
 // each requested condition (alarm, interrupt, crash).  Of these, the crash
 // handler is the most involved, as it requires resuming the crashed thread in
 // order to invoke the sanitizers to get the needed state.
 // Forward declaration of assembly trampoline needed to resume crashed threads.
 // This appears to have external linkage to  C++, which is why it's not in the
 // anonymous namespace.  The assembly definition inside MakeTrampoline()
 // actually defines the symbol with internal linkage only.
 void CrashTrampolineAsm() __asm__("CrashTrampolineAsm");
 namespace {
 // Helper function to handle Zircon syscall failures.
 void ExitOnErr(zx_status_t Status, const char *Syscall) {
  if (Status != ZX_OK) {
    Printf("libFuzzer: %s failed: %s\n", Syscall,
           _zx_status_get_string(Status));
    exit(1);
  }
 }
 void AlarmHandler(int Seconds) {
  while (true) {
    SleepSeconds(Seconds);
    Fuzzer::StaticAlarmCallback();
  }
 }
 void InterruptHandler() {
  fd_set readfds;
  // Ctrl-C sends ETX in Zircon.
  do {
    FD_ZERO(&readfds);
    FD_SET(STDIN_FILENO, &readfds);
    select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr);
  } while (!FD_ISSET(STDIN_FILENO, &readfds) || getchar() != 0x03);
  Fuzzer::StaticInterruptCallback();
 }
  // CFAOffset is used to reference the stack pointer before entering the
  // trampoline (Stack Pointer + CFAOffset = prev Stack Pointer). Before jumping
  // to the trampoline we copy all the registers onto the stack. We need to make
  // sure that the new stack has enough space to store all the registers.
  //
  // The trampoline holds CFI information regarding the registers stored in the
  // stack, which is then used by the unwinder to restore them.
  #if defined(__x86_64__)
 // In x86_64 the crashing function might also be using the red zone (128 bytes
 // on top of their rsp).
 constexpr size_t CFAOffset = 128 + sizeof(zx_thread_state_general_regs_t);
  #elif defined(__aarch64__)
 // In aarch64 we need to always have the stack pointer aligned to 16 bytes, so
 // we make sure that we are keeping that same alignment.
 constexpr size_t CFAOffset =
    (sizeof(zx_thread_state_general_regs_t) + 15) & -(uintptr_t)16;
  #endif
  // For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
  // without POSIX signal handlers.  To achieve this, we use an assembly
  // function to add the necessary CFI unwinding information and a C function to
  // bridge from that back into C++.
  // FIXME: This works as a short-term solution, but this code really shouldn't
  // be architecture dependent. A better long term solution is to implement
  // remote unwinding and expose the necessary APIs through sanitizer_common
  // and/or ASAN to allow the exception handling thread to gather the crash
  // state directly.
  //
  // Alternatively, Fuchsia may in future actually implement basic signal
  // handling for the machine trap signals.
  #if defined(__x86_64__)
    #define FOREACH_REGISTER(OP_REG, OP_NUM) \
      OP_REG(rax)                            \
      OP_REG(rbx)                            \
      OP_REG(rcx)                            \
      OP_REG(rdx)                            \
      OP_REG(rsi)                            \
      OP_REG(rdi)                            \
      OP_REG(rbp)                            \
      OP_REG(rsp)                            \
      OP_REG(r8)                             \
      OP_REG(r9)                             \
      OP_REG(r10)                            \
      OP_REG(r11)                            \
      OP_REG(r12)                            \
      OP_REG(r13)                            \
      OP_REG(r14)                            \
      OP_REG(r15)                            \
      OP_REG(rip)
  #elif defined(__aarch64__)
    #define FOREACH_REGISTER(OP_REG, OP_NUM) \
      OP_NUM(0)                              \
      OP_NUM(1)                              \
      OP_NUM(2)                              \
      OP_NUM(3)                              \
      OP_NUM(4)                              \
      OP_NUM(5)                              \
      OP_NUM(6)                              \
      OP_NUM(7)                              \
      OP_NUM(8)                              \
      OP_NUM(9)                              \
      OP_NUM(10)                             \
      OP_NUM(11)                             \
      OP_NUM(12)                             \
      OP_NUM(13)                             \
      OP_NUM(14)                             \
      OP_NUM(15)                             \
      OP_NUM(16)                             \
      OP_NUM(17)                             \
      OP_NUM(18)                             \
      OP_NUM(19)                             \
      OP_NUM(20)                             \
      OP_NUM(21)                             \
      OP_NUM(22)                             \
      OP_NUM(23)                             \
      OP_NUM(24)                             \
      OP_NUM(25)                             \
      OP_NUM(26)                             \
      OP_NUM(27)                             \
      OP_NUM(28)                             \
      OP_NUM(29)                             \
      OP_REG(sp)
  #else
    #error "Unsupported architecture for fuzzing on Fuchsia"
  #endif
  // Produces a CFI directive for the named or numbered register.
  // The value used refers to an assembler immediate operand with the same name
  // as the register (see ASM_OPERAND_REG).
  #define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
  #define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num)
  // Produces an assembler immediate operand for the named or numbered register.
  // This operand contains the offset of the register relative to the CFA.
  #define ASM_OPERAND_REG(reg) \
    [reg] "i"(offsetof(zx_thread_state_general_regs_t, reg) - CFAOffset),
  #define ASM_OPERAND_NUM(num) \
    [x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num]) - CFAOffset),
 // Trampoline to bridge from the assembly below to the static C++ crash
 // callback.
 __attribute__((noreturn)) static void StaticCrashHandler() {
  Fuzzer::StaticCrashSignalCallback();
  for (;;) {
    _Exit(1);
  }
 }
 // Creates the trampoline with the necessary CFI information to unwind through
 // to the crashing call stack:
 //  * Defining the CFA so that it points to the stack pointer at the point
 //    of crash.
 //  * Storing all registers at the point of crash in the stack and refer to them
 //    via CFI information (relative to the CFA).
 //  * Setting the return column so the unwinder knows how to continue unwinding.
 //  * (x86_64) making sure rsp is aligned before calling StaticCrashHandler.
 //  * Calling StaticCrashHandler that will trigger the unwinder.
 //
 // The __attribute__((used)) is necessary because the function
 // is never called; it's just a container around the assembly to allow it to
 // use operands for compile-time computed constants.
 __attribute__((used)) void MakeTrampoline() {
  __asm__(".cfi_endproc\n"
    ".pushsection .text.CrashTrampolineAsm\n"
    ".type CrashTrampolineAsm,STT_FUNC\n"
 "CrashTrampolineAsm:\n"
    ".cfi_startproc simple\n"
    ".cfi_signal_frame\n"
  #if defined(__x86_64__)
    ".cfi_return_column rip\n"
    ".cfi_def_cfa rsp, %c[CFAOffset]\n"
    FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
    "mov %%rsp, %%rbp\n"
    ".cfi_def_cfa_register rbp\n"
    "andq $-16, %%rsp\n"
    "call %c[StaticCrashHandler]\n"
    "ud2\n"
  #elif defined(__aarch64__)
    ".cfi_return_column 33\n"
    ".cfi_def_cfa sp, %c[CFAOffset]\n"
    FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
    ".cfi_offset 33, %c[pc]\n"
    ".cfi_offset 30, %c[lr]\n"
    "bl %c[StaticCrashHandler]\n"
    "brk 1\n"
  #else
    #error "Unsupported architecture for fuzzing on Fuchsia"
  #endif
    ".cfi_endproc\n"
    ".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
    ".popsection\n"
    ".cfi_startproc\n"
    : // No outputs
    : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
  #if defined(__aarch64__)
      ASM_OPERAND_REG(pc)
      ASM_OPERAND_REG(lr)
  #endif
      [StaticCrashHandler] "i" (StaticCrashHandler),
      [CFAOffset] "i" (CFAOffset));
 }
 void CrashHandler(zx_handle_t *Event) {
  // This structure is used to ensure we close handles to objects we create in
  // this handler.
  struct ScopedHandle {
    ~ScopedHandle() {
      _zx_handle_close(Handle);
    }
    zx_handle_t Handle = ZX_HANDLE_INVALID;
  };
  // Create the exception channel.  We need to claim to be a "debugger" so the
  // kernel will allow us to modify and resume dying threads (see below). Once
  // the channel is set, we can signal the main thread to continue and wait
  // for the exception to arrive.
  ScopedHandle Channel;
  zx_handle_t  Self = _zx_process_self();
  ExitOnErr(_zx_task_create_exception_channel(
                Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle),
            "_zx_task_create_exception_channel");
  ExitOnErr(_zx_object_signal(*Event, 0, ZX_USER_SIGNAL_0),
            "_zx_object_signal");
  // This thread lives as long as the process in order to keep handling
  // crashes.  In practice, the first crashed thread to reach the end of the
  // StaticCrashHandler will end the process.
  while (true) {
    ExitOnErr(_zx_object_wait_one(Channel.Handle, ZX_CHANNEL_READABLE,
                                  ZX_TIME_INFINITE, nullptr),
              "_zx_object_wait_one");
    zx_exception_info_t ExceptionInfo;
    ScopedHandle        Exception;
    ExitOnErr(
        _zx_channel_read(Channel.Handle, 0, &ExceptionInfo, &Exception.Handle,
                         sizeof(ExceptionInfo), 1, nullptr, nullptr),
        "_zx_channel_read");
    // Ignore informational synthetic exceptions.
    if (ZX_EXCP_THREAD_STARTING == ExceptionInfo.type ||
        ZX_EXCP_THREAD_EXITING == ExceptionInfo.type ||
        ZX_EXCP_PROCESS_STARTING == ExceptionInfo.type) {
      continue;
    }
    // At this point, we want to get the state of the crashing thread, but
    // libFuzzer and the sanitizers assume this will happen from that same
    // thread via a POSIX signal handler. "Resurrecting" the thread in the
    // middle of the appropriate callback is as simple as forcibly setting the
    // instruction pointer/program counter, provided we NEVER EVER return from
    // that function (since otherwise our stack will not be valid).
    ScopedHandle Thread;
    ExitOnErr(_zx_exception_get_thread(Exception.Handle, &Thread.Handle),
              "_zx_exception_get_thread");
    zx_thread_state_general_regs_t GeneralRegisters;
    ExitOnErr(
        _zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
                              &GeneralRegisters, sizeof(GeneralRegisters)),
        "_zx_thread_read_state");
    // To unwind properly, we need to push the crashing thread's register state
    // onto the stack and jump into a trampoline with CFI instructions on how
    // to restore it.
  #if defined(__x86_64__)
    uintptr_t StackPtr = GeneralRegisters.rsp - CFAOffset;
    __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
                         sizeof(GeneralRegisters));
    GeneralRegisters.rsp = StackPtr;
    GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
  #elif defined(__aarch64__)
    uintptr_t StackPtr = GeneralRegisters.sp - CFAOffset;
    __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
                         sizeof(GeneralRegisters));
    GeneralRegisters.sp = StackPtr;
    GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
  #else
    #error "Unsupported architecture for fuzzing on Fuchsia"
  #endif
    // Now force the crashing thread's state.
    ExitOnErr(
        _zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
                               &GeneralRegisters, sizeof(GeneralRegisters)),
        "_zx_thread_write_state");
    // Set the exception to HANDLED so it resumes the thread on close.
    uint32_t ExceptionState = ZX_EXCEPTION_STATE_HANDLED;
    ExitOnErr(_zx_object_set_property(Exception.Handle, ZX_PROP_EXCEPTION_STATE,
                                      &ExceptionState, sizeof(ExceptionState)),
              "zx_object_set_property");
  }
 }
 }  // namespace
 // Platform specific functions.
 void SetSignalHandler(const FuzzingOptions &Options) {
  // Make sure information from libFuzzer and the sanitizers are easy to
  // reassemble. `__sanitizer_log_write` has the added benefit of ensuring the
  // DSO map is always available for the symbolizer.
  // A uint64_t fits in 20 chars, so 64 is plenty.
  char Buf[64];
  memset(Buf, 0, sizeof(Buf));
  snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid());
  if (EF->__sanitizer_log_write) __sanitizer_log_write(Buf, sizeof(Buf));
  Printf("%s", Buf);
  // Set up alarm handler if needed.
  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) {
    std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
    T.detach();
  }
  // Set up interrupt handler if needed.
  if (Options.HandleInt || Options.HandleTerm) {
    std::thread T(InterruptHandler);
    T.detach();
  }
  // Early exit if no crash handler needed.
  if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll &&
      !Options.HandleFpe && !Options.HandleAbrt)
    return;
  // Set up the crash handler and wait until it is ready before proceeding.
  zx_handle_t Event;
  ExitOnErr(_zx_event_create(0, &Event), "_zx_event_create");
  std::thread T(CrashHandler, &Event);
  zx_status_t Status =
      _zx_object_wait_one(Event, ZX_USER_SIGNAL_0, ZX_TIME_INFINITE, nullptr);
  _zx_handle_close(Event);
  ExitOnErr(Status, "_zx_object_wait_one");
  T.detach();
 }
 void SleepSeconds(int Seconds) {
  _zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds)));
 }
 unsigned long GetPid() {
  zx_status_t            rc;
  zx_info_handle_basic_t Info;
  if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info,
                                sizeof(Info), NULL, NULL)) != ZX_OK) {
    Printf("libFuzzer: unable to get info about self: %s\n",
           _zx_status_get_string(rc));
    exit(1);
  }
  return Info.koid;
 }
 size_t GetPeakRSSMb() {
  zx_status_t          rc;
  zx_info_task_stats_t Info;
  if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info,
                                sizeof(Info), NULL, NULL)) != ZX_OK) {
    Printf("libFuzzer: unable to get info about self: %s\n",
           _zx_status_get_string(rc));
    exit(1);
  }
  return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20;
 }
 template <typename Fn>
 class RunOnDestruction {
 public:
  explicit RunOnDestruction(Fn fn) : fn_(fn) {
  }
  ~RunOnDestruction() {
    fn_();
  }
 private:
  Fn fn_;
 };
 template <typename Fn>
 RunOnDestruction<Fn> at_scope_exit(Fn fn) {
  return RunOnDestruction<Fn>(fn);
 }
 static fdio_spawn_action_t clone_fd_action(int localFd, int targetFd) {
  return {
      .action = FDIO_SPAWN_ACTION_CLONE_FD,
      .fd =
          {
              .local_fd = localFd,
              .target_fd = targetFd,
          },
  };
 }
 int ExecuteCommand(const Command &Cmd) {
  zx_status_t rc;
  // Convert arguments to C array
  auto   Args = Cmd.getArguments();
  size_t Argc = Args.size();
  assert(Argc != 0);
  std::unique_ptr<const char *[]> Argv(new const char *[Argc + 1]);
  for (size_t i = 0; i < Argc; ++i)
    Argv[i] = Args[i].c_str();
  Argv[Argc] = nullptr;
  // Determine output.  On Fuchsia, the fuzzer is typically run as a component
  // that lacks a mutable working directory. Fortunately, when this is the case
  // a mutable output directory must be specified using "-artifact_prefix=...",
  // so write the log file(s) there.
  // However, we don't want to apply this logic for absolute paths.
  int  FdOut = STDOUT_FILENO;
  bool discardStdout = false;
  bool discardStderr = false;
  if (Cmd.hasOutputFile()) {
    std::string Path = Cmd.getOutputFile();
    if (Path == getDevNull()) {
      // On Fuchsia, there's no "/dev/null" like-file, so we
      // just don't copy the FDs into the spawned process.
      discardStdout = true;
    } else {
      bool IsAbsolutePath = Path.length() > 1 && Path[0] == '/';
      if (!IsAbsolutePath && Cmd.hasFlag("artifact_prefix"))
        Path = Cmd.getFlagValue("artifact_prefix") + "/" + Path;
      FdOut = open(Path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0);
      if (FdOut == -1) {
        Printf("libFuzzer: failed to open %s: %s\n", Path.c_str(),
               strerror(errno));
        return ZX_ERR_IO;
      }
    }
  }
  auto CloseFdOut = at_scope_exit([FdOut]() {
    if (FdOut != STDOUT_FILENO) close(FdOut);
  });
  // Determine stderr
  int FdErr = STDERR_FILENO;
  if (Cmd.isOutAndErrCombined()) {
    FdErr = FdOut;
    if (discardStdout) discardStderr = true;
  }
  // Clone the file descriptors into the new process
  std::vector<fdio_spawn_action_t> SpawnActions;
  SpawnActions.push_back(clone_fd_action(STDIN_FILENO, STDIN_FILENO));
  if (!discardStdout)
    SpawnActions.push_back(clone_fd_action(FdOut, STDOUT_FILENO));
  if (!discardStderr)
    SpawnActions.push_back(clone_fd_action(FdErr, STDERR_FILENO));
  // Start the process.
  char        ErrorMsg[FDIO_SPAWN_ERR_MSG_MAX_LENGTH];
  zx_handle_t ProcessHandle = ZX_HANDLE_INVALID;
  rc = fdio_spawn_etc(ZX_HANDLE_INVALID,
                      FDIO_SPAWN_CLONE_ALL & (~FDIO_SPAWN_CLONE_STDIO), Argv[0],
                      Argv.get(), nullptr, SpawnActions.size(),
                      SpawnActions.data(), &ProcessHandle, ErrorMsg);
  if (rc != ZX_OK) {
    Printf("libFuzzer: failed to launch '%s': %s, %s\n", Argv[0], ErrorMsg,
           _zx_status_get_string(rc));
    return rc;
  }
  auto CloseHandle = at_scope_exit([&]() { _zx_handle_close(ProcessHandle); });
  // Now join the process and return the exit status.
  if ((rc = _zx_object_wait_one(ProcessHandle, ZX_PROCESS_TERMINATED,
                                ZX_TIME_INFINITE, nullptr)) != ZX_OK) {
    Printf("libFuzzer: failed to join '%s': %s\n", Argv[0],
           _zx_status_get_string(rc));
    return rc;
  }
  zx_info_process_t Info;
  if ((rc = _zx_object_get_info(ProcessHandle, ZX_INFO_PROCESS, &Info,
                                sizeof(Info), nullptr, nullptr)) != ZX_OK) {
    Printf("libFuzzer: unable to get return code from '%s': %s\n", Argv[0],
           _zx_status_get_string(rc));
    return rc;
  }
  return Info.return_code;
 }
 bool ExecuteCommand(const Command &BaseCmd, std::string *CmdOutput) {
  auto    LogFilePath = TempPath("SimPopenOut", ".txt");
  Command Cmd(BaseCmd);
  Cmd.setOutputFile(LogFilePath);
  int Ret = ExecuteCommand(Cmd);
  *CmdOutput = FileToString(LogFilePath);
  RemoveFile(LogFilePath);
  return Ret == 0;
 }
 const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
                         size_t PattLen) {
  return memmem(Data, DataLen, Patt, PattLen);
 }
 // In fuchsia, accessing /dev/null is not supported. There's nothing
 // similar to a file that discards everything that is written to it.
 // The way of doing something similar in fuchsia is by using
 // fdio_null_create and binding that to a file descriptor.
 void DiscardOutput(int Fd) {
  fdio_t *fdio_null = fdio_null_create();
  if (fdio_null == nullptr) return;
  int nullfd = fdio_bind_to_fd(fdio_null, -1, 0);
  if (nullfd < 0) return;
  dup2(nullfd, Fd);
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_FUCHSIA
--- a/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp
@ -0,0 +1,43 @@
 //===- FuzzerUtilLinux.cpp - Misc utils for Linux. ------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils for Linux.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
    LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
  #include "FuzzerCommand.h"
  #include <stdlib.h>
  #include <sys/types.h>
  #include <sys/wait.h>
  #include <unistd.h>
 namespace fuzzer {
 int ExecuteCommand(const Command &Cmd) {
  std::string CmdLine = Cmd.toString();
  int         exit_code = system(CmdLine.c_str());
  if (WIFEXITED(exit_code)) return WEXITSTATUS(exit_code);
  return exit_code;
 }
 void DiscardOutput(int Fd) {
  FILE *Temp = fopen("/dev/null", "w");
  if (!Temp) return;
  dup2(fileno(Temp), Fd);
  fclose(Temp);
 }
 }  // namespace fuzzer
 #endif
--- a/custom_mutators/libfuzzer/FuzzerUtilPosix.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilPosix.cpp
@ -0,0 +1,239 @@
 //===- FuzzerUtilPosix.cpp - Misc utils for Posix. ------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils implementation using Posix API.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_POSIX
  #include "FuzzerIO.h"
  #include "FuzzerInternal.h"
  #include "FuzzerTracePC.h"
  #include <cassert>
  #include <chrono>
  #include <cstring>
  #include <errno.h>
  #include <iomanip>
  #include <signal.h>
  #include <stdio.h>
  #include <sys/mman.h>
  #include <sys/resource.h>
  #include <sys/syscall.h>
  #include <sys/time.h>
  #include <sys/types.h>
  #include <thread>
  #include <unistd.h>
 namespace fuzzer {
 static void AlarmHandler(int, siginfo_t *, void *) {
  Fuzzer::StaticAlarmCallback();
 }
 static void (*upstream_segv_handler)(int, siginfo_t *, void *);
 static void SegvHandler(int sig, siginfo_t *si, void *ucontext) {
  assert(si->si_signo == SIGSEGV);
  if (upstream_segv_handler) return upstream_segv_handler(sig, si, ucontext);
  Fuzzer::StaticCrashSignalCallback();
 }
 static void CrashHandler(int, siginfo_t *, void *) {
  Fuzzer::StaticCrashSignalCallback();
 }
 static void InterruptHandler(int, siginfo_t *, void *) {
  Fuzzer::StaticInterruptCallback();
 }
 static void GracefulExitHandler(int, siginfo_t *, void *) {
  Fuzzer::StaticGracefulExitCallback();
 }
 static void FileSizeExceedHandler(int, siginfo_t *, void *) {
  Fuzzer::StaticFileSizeExceedCallback();
 }
 static void SetSigaction(int signum,
                         void (*callback)(int, siginfo_t *, void *)) {
  struct sigaction sigact = {};
  if (sigaction(signum, nullptr, &sigact)) {
    Printf("libFuzzer: sigaction failed with %d\n", errno);
    exit(1);
  }
  if (sigact.sa_flags & SA_SIGINFO) {
    if (sigact.sa_sigaction) {
      if (signum != SIGSEGV) return;
      upstream_segv_handler = sigact.sa_sigaction;
    }
  } else {
    if (sigact.sa_handler != SIG_DFL && sigact.sa_handler != SIG_IGN &&
        sigact.sa_handler != SIG_ERR)
      return;
  }
  sigact = {};
  sigact.sa_flags = SA_SIGINFO;
  sigact.sa_sigaction = callback;
  if (sigaction(signum, &sigact, 0)) {
    Printf("libFuzzer: sigaction failed with %d\n", errno);
    exit(1);
  }
 }
 // Return true on success, false otherwise.
 bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
  FILE *Pipe = popen(Cmd.toString().c_str(), "r");
  if (!Pipe) return false;
  if (CmdOutput) {
    char TmpBuffer[128];
    while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
      CmdOutput->append(TmpBuffer);
  }
  return pclose(Pipe) == 0;
 }
 void SetTimer(int Seconds) {
  struct itimerval T {
    {Seconds, 0}, {
      Seconds, 0
    }
  };
  if (setitimer(ITIMER_REAL, &T, nullptr)) {
    Printf("libFuzzer: setitimer failed with %d\n", errno);
    exit(1);
  }
  SetSigaction(SIGALRM, AlarmHandler);
 }
 void SetSignalHandler(const FuzzingOptions &Options) {
  // setitimer is not implemented in emscripten.
  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN)
    SetTimer(Options.UnitTimeoutSec / 2 + 1);
  if (Options.HandleInt) SetSigaction(SIGINT, InterruptHandler);
  if (Options.HandleTerm) SetSigaction(SIGTERM, InterruptHandler);
  if (Options.HandleSegv) SetSigaction(SIGSEGV, SegvHandler);
  if (Options.HandleBus) SetSigaction(SIGBUS, CrashHandler);
  if (Options.HandleAbrt) SetSigaction(SIGABRT, CrashHandler);
  if (Options.HandleIll) SetSigaction(SIGILL, CrashHandler);
  if (Options.HandleFpe) SetSigaction(SIGFPE, CrashHandler);
  if (Options.HandleXfsz) SetSigaction(SIGXFSZ, FileSizeExceedHandler);
  if (Options.HandleUsr1) SetSigaction(SIGUSR1, GracefulExitHandler);
  if (Options.HandleUsr2) SetSigaction(SIGUSR2, GracefulExitHandler);
 }
 void SleepSeconds(int Seconds) {
  sleep(Seconds);  // Use C API to avoid coverage from instrumented libc++.
 }
 unsigned long GetPid() {
  return (unsigned long)getpid();
 }
 size_t GetPeakRSSMb() {
  struct rusage usage;
  if (getrusage(RUSAGE_SELF, &usage)) return 0;
  if (LIBFUZZER_LINUX || LIBFUZZER_FREEBSD || LIBFUZZER_NETBSD ||
      LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN) {
    // ru_maxrss is in KiB
    return usage.ru_maxrss >> 10;
  } else if (LIBFUZZER_APPLE) {
    // ru_maxrss is in bytes
    return usage.ru_maxrss >> 20;
  }
  assert(0 && "GetPeakRSSMb() is not implemented for your platform");
  return 0;
 }
 FILE *OpenProcessPipe(const char *Command, const char *Mode) {
  return popen(Command, Mode);
 }
 int CloseProcessPipe(FILE *F) {
  return pclose(F);
 }
 const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
                         size_t PattLen) {
  return memmem(Data, DataLen, Patt, PattLen);
 }
 std::string DisassembleCmd(const std::string &FileName) {
  return "objdump -d " + FileName;
 }
 std::string SearchRegexCmd(const std::string &Regex) {
  return "grep '" + Regex + "'";
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_POSIX
--- a/custom_mutators/libfuzzer/FuzzerUtilWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilWindows.cpp
@ -0,0 +1,279 @@
 //===- FuzzerUtilWindows.cpp - Misc utils for Windows. --------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // Misc utils implementation for Windows.
 //===----------------------------------------------------------------------===//
 #include "FuzzerPlatform.h"
 #if LIBFUZZER_WINDOWS
  #include "FuzzerCommand.h"
  #include "FuzzerIO.h"
  #include "FuzzerInternal.h"
  #include <cassert>
  #include <chrono>
  #include <cstring>
  #include <errno.h>
  #include <io.h>
  #include <iomanip>
  #include <signal.h>
  #include <stdio.h>
  #include <sys/types.h>
  #include <windows.h>
  // This must be included after windows.h.
  #include <psapi.h>
 namespace fuzzer {
 static const FuzzingOptions *HandlerOpt = nullptr;
 static LONG CALLBACK ExceptionHandler(PEXCEPTION_POINTERS ExceptionInfo) {
  switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
    case EXCEPTION_ACCESS_VIOLATION:
    case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:
    case EXCEPTION_STACK_OVERFLOW:
      if (HandlerOpt->HandleSegv) Fuzzer::StaticCrashSignalCallback();
      break;
    case EXCEPTION_DATATYPE_MISALIGNMENT:
    case EXCEPTION_IN_PAGE_ERROR:
      if (HandlerOpt->HandleBus) Fuzzer::StaticCrashSignalCallback();
      break;
    case EXCEPTION_ILLEGAL_INSTRUCTION:
    case EXCEPTION_PRIV_INSTRUCTION:
      if (HandlerOpt->HandleIll) Fuzzer::StaticCrashSignalCallback();
      break;
    case EXCEPTION_FLT_DENORMAL_OPERAND:
    case EXCEPTION_FLT_DIVIDE_BY_ZERO:
    case EXCEPTION_FLT_INEXACT_RESULT:
    case EXCEPTION_FLT_INVALID_OPERATION:
    case EXCEPTION_FLT_OVERFLOW:
    case EXCEPTION_FLT_STACK_CHECK:
    case EXCEPTION_FLT_UNDERFLOW:
    case EXCEPTION_INT_DIVIDE_BY_ZERO:
    case EXCEPTION_INT_OVERFLOW:
      if (HandlerOpt->HandleFpe) Fuzzer::StaticCrashSignalCallback();
      break;
      // TODO: handle (Options.HandleXfsz)
  }
  return EXCEPTION_CONTINUE_SEARCH;
 }
 BOOL WINAPI CtrlHandler(DWORD dwCtrlType) {
  switch (dwCtrlType) {
    case CTRL_C_EVENT:
      if (HandlerOpt->HandleInt) Fuzzer::StaticInterruptCallback();
      return TRUE;
    case CTRL_BREAK_EVENT:
      if (HandlerOpt->HandleTerm) Fuzzer::StaticInterruptCallback();
      return TRUE;
  }
  return FALSE;
 }
 void CALLBACK AlarmHandler(PVOID, BOOLEAN) {
  Fuzzer::StaticAlarmCallback();
 }
 class TimerQ {
  HANDLE TimerQueue;
 public:
  TimerQ() : TimerQueue(NULL) {
  }
  ~TimerQ() {
    if (TimerQueue) DeleteTimerQueueEx(TimerQueue, NULL);
  }
  void SetTimer(int Seconds) {
    if (!TimerQueue) {
      TimerQueue = CreateTimerQueue();
      if (!TimerQueue) {
        Printf("libFuzzer: CreateTimerQueue failed.\n");
        exit(1);
      }
    }
    HANDLE Timer;
    if (!CreateTimerQueueTimer(&Timer, TimerQueue, AlarmHandler, NULL,
                               Seconds * 1000, Seconds * 1000, 0)) {
      Printf("libFuzzer: CreateTimerQueueTimer failed.\n");
      exit(1);
    }
  }
 };
 static TimerQ Timer;
 static void CrashHandler(int) {
  Fuzzer::StaticCrashSignalCallback();
 }
 void SetSignalHandler(const FuzzingOptions &Options) {
  HandlerOpt = &Options;
  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0)
    Timer.SetTimer(Options.UnitTimeoutSec / 2 + 1);
  if (Options.HandleInt || Options.HandleTerm)
    if (!SetConsoleCtrlHandler(CtrlHandler, TRUE)) {
      DWORD LastError = GetLastError();
      Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
             LastError);
      exit(1);
    }
  if (Options.HandleSegv || Options.HandleBus || Options.HandleIll ||
      Options.HandleFpe)
    SetUnhandledExceptionFilter(ExceptionHandler);
  if (Options.HandleAbrt)
    if (SIG_ERR == signal(SIGABRT, CrashHandler)) {
      Printf("libFuzzer: signal failed with %d\n", errno);
      exit(1);
    }
 }
 void SleepSeconds(int Seconds) {
  Sleep(Seconds * 1000);
 }
 unsigned long GetPid() {
  return GetCurrentProcessId();
 }
 size_t GetPeakRSSMb() {
  PROCESS_MEMORY_COUNTERS info;
  if (!GetProcessMemoryInfo(GetCurrentProcess(), &info, sizeof(info))) return 0;
  return info.PeakWorkingSetSize >> 20;
 }
 FILE *OpenProcessPipe(const char *Command, const char *Mode) {
  return _popen(Command, Mode);
 }
 int CloseProcessPipe(FILE *F) {
  return _pclose(F);
 }
 int ExecuteCommand(const Command &Cmd) {
  std::string CmdLine = Cmd.toString();
  return system(CmdLine.c_str());
 }
 bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
  FILE *Pipe = _popen(Cmd.toString().c_str(), "r");
  if (!Pipe) return false;
  if (CmdOutput) {
    char TmpBuffer[128];
    while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
      CmdOutput->append(TmpBuffer);
  }
  return _pclose(Pipe) == 0;
 }
 const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
                         size_t PattLen) {
  // TODO: make this implementation more efficient.
  const char *Cdata = (const char *)Data;
  const char *Cpatt = (const char *)Patt;
  if (!Data || !Patt || DataLen == 0 || PattLen == 0 || DataLen < PattLen)
    return NULL;
  if (PattLen == 1) return memchr(Data, *Cpatt, DataLen);
  const char *End = Cdata + DataLen - PattLen + 1;
  for (const char *It = Cdata; It < End; ++It)
    if (It[0] == Cpatt[0] && memcmp(It, Cpatt, PattLen) == 0) return It;
  return NULL;
 }
 std::string DisassembleCmd(const std::string &FileName) {
  Vector<std::string> command_vector;
  command_vector.push_back("dumpbin /summary > nul");
  if (ExecuteCommand(Command(command_vector)) == 0)
    return "dumpbin /disasm " + FileName;
  Printf("libFuzzer: couldn't find tool to disassemble (dumpbin)\n");
  exit(1);
 }
 std::string SearchRegexCmd(const std::string &Regex) {
  return "findstr /r \"" + Regex + "\"";
 }
 void DiscardOutput(int Fd) {
  FILE *Temp = fopen("nul", "w");
  if (!Temp) return;
  _dup2(_fileno(Temp), Fd);
  fclose(Temp);
 }
 }  // namespace fuzzer
 #endif  // LIBFUZZER_WINDOWS
--- a/custom_mutators/libfuzzer/FuzzerValueBitMap.h
+++ b/custom_mutators/libfuzzer/FuzzerValueBitMap.h
@ -0,0 +1,73 @@
 //===- FuzzerValueBitMap.h - INTERNAL - Bit map -----------------*- C++ -* ===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 // ValueBitMap.
 //===----------------------------------------------------------------------===//
 #ifndef LLVM_FUZZER_VALUE_BIT_MAP_H
 #define LLVM_FUZZER_VALUE_BIT_MAP_H
 #include "FuzzerPlatform.h"
 #include <cstdint>
 namespace fuzzer {
 // A bit map containing kMapSizeInWords bits.
 struct ValueBitMap {
  static const size_t kMapSizeInBits = 1 << 16;
  static const size_t kMapPrimeMod = 65371;  // Largest Prime < kMapSizeInBits;
  static const size_t kBitsInWord = (sizeof(uintptr_t) * 8);
  static const size_t kMapSizeInWords = kMapSizeInBits / kBitsInWord;
 public:
  // Clears all bits.
  void Reset() { memset(Map, 0, sizeof(Map)); }
  // Computes a hash function of Value and sets the corresponding bit.
  // Returns true if the bit was changed from 0 to 1.
  ATTRIBUTE_NO_SANITIZE_ALL
  inline bool AddValue(uintptr_t Value) {
    uintptr_t Idx = Value % kMapSizeInBits;
    uintptr_t WordIdx = Idx / kBitsInWord;
    uintptr_t BitIdx = Idx % kBitsInWord;
    uintptr_t Old = Map[WordIdx];
    uintptr_t New = Old | (1ULL << BitIdx);
    Map[WordIdx] = New;
    return New != Old;
  }
  ATTRIBUTE_NO_SANITIZE_ALL
  inline bool AddValueModPrime(uintptr_t Value) {
    return AddValue(Value % kMapPrimeMod);
  }
  inline bool Get(uintptr_t Idx) {
    assert(Idx < kMapSizeInBits);
    uintptr_t WordIdx = Idx / kBitsInWord;
    uintptr_t BitIdx = Idx % kBitsInWord;
    return Map[WordIdx] & (1ULL << BitIdx);
  }
  size_t SizeInBits() const { return kMapSizeInBits; }
  template <class Callback>
  ATTRIBUTE_NO_SANITIZE_ALL
  void ForEach(Callback CB) const {
    for (size_t i = 0; i < kMapSizeInWords; i++)
      if (uintptr_t M = Map[i])
        for (size_t j = 0; j < sizeof(M) * 8; j++)
          if (M & ((uintptr_t)1 << j))
            CB(i * sizeof(M) * 8 + j);
  }
 private:
  ATTRIBUTE_ALIGNED(512) uintptr_t Map[kMapSizeInWords];
 };
 }  // namespace fuzzer
 #endif  // LLVM_FUZZER_VALUE_BIT_MAP_H
--- a/custom_mutators/libfuzzer/Makefile
+++ b/custom_mutators/libfuzzer/Makefile
@ -0,0 +1,86 @@
 CFLAGS = -g -O3 -funroll-loops -fPIC -fpermissive -std=c++11
 #CFLAGS = -g -O0 -fPIC -fpermissive -std=c++11
 CXX ?= clang++
 ifdef INTROSPECTION
  $(info Compiling with introspection documentation)
  CFLAGS += -DINTROSPECTION=1
 endif
 all: libfuzzer-mutator.so
 FuzzerCrossOver.o:	FuzzerCrossOver.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerDataFlowTrace.o:	FuzzerDataFlowTrace.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerDriver.o:	FuzzerDriver.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerExtFunctionsDlsym.o:	FuzzerExtFunctionsDlsym.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerExtFunctionsWeak.o:	FuzzerExtFunctionsWeak.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerExtFunctionsWindows.o:	FuzzerExtFunctionsWindows.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerExtraCounters.o:	FuzzerExtraCounters.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerFork.o:	FuzzerFork.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerIO.o:	FuzzerIO.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerIOPosix.o:	FuzzerIOPosix.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerIOWindows.o:	FuzzerIOWindows.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerLoop.o:	FuzzerLoop.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerMerge.o:	FuzzerMerge.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerMutate.o:	FuzzerMutate.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerSHA1.o:	FuzzerSHA1.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerTracePC.o:	FuzzerTracePC.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtil.o:	FuzzerUtil.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtilDarwin.o:	FuzzerUtilDarwin.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtilFuchsia.o:	FuzzerUtilFuchsia.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtilLinux.o:	FuzzerUtilLinux.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtilPosix.o:	FuzzerUtilPosix.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 FuzzerUtilWindows.o:	FuzzerUtilWindows.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 libfuzzer.o:	libfuzzer.cpp
 	$(CXX) $(CFLAGS) -I../../include -I. -c $^
 libfuzzer-mutator.so:	FuzzerCrossOver.o FuzzerDataFlowTrace.o FuzzerDriver.o FuzzerExtFunctionsDlsym.o FuzzerExtFunctionsWeak.o FuzzerExtFunctionsWindows.o FuzzerExtraCounters.o FuzzerFork.o FuzzerIO.o FuzzerIOPosix.o FuzzerIOWindows.o FuzzerLoop.o FuzzerMerge.o FuzzerMutate.o FuzzerSHA1.o FuzzerTracePC.o FuzzerUtil.o FuzzerUtilDarwin.o FuzzerUtilFuchsia.o FuzzerUtilLinux.o FuzzerUtilPosix.o FuzzerUtilWindows.o libfuzzer.o
 	$(CXX) $(CFLAGS) -I../../include -I. -shared -o libfuzzer-mutator.so *.o
 clean:
 	rm -f *.o *~ *.so core
--- a/custom_mutators/libfuzzer/README.md
+++ b/custom_mutators/libfuzzer/README.md
@ -0,0 +1,24 @@
 # custum mutator: libfuzzer LLVMFuzzerMutate()
 This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.
 just type `make` to build
 ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libfuzzer/libfuzzer-mutator.so afl-fuzz ...```
 Note that this is currently a simple implementation and it is missing two features:
  * Splicing ("Crossover")
  * Dictionary support
 To update the source, all that is needed is that FuzzerDriver.cpp has to receive
 ```
 #include "libfuzzer.inc"
 ```
 before the closing namespace bracket.
 It is also libfuzzer.inc where the configuration of the libfuzzer mutations
 are done.
 > Original repository: https://github.com/llvm/llvm-project
 > Path: compiler-rt/lib/fuzzer/*.{h|cpp}
 > Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb
--- a/custom_mutators/libfuzzer/libfuzzer.cpp
+++ b/custom_mutators/libfuzzer/libfuzzer.cpp
@ -0,0 +1,160 @@
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 //#include "config.h"
 //#include "debug.h"
 #include "afl-fuzz.h"
 #ifdef  INTROSPECTION
  const char *introspection_ptr;
 #endif
 afl_state_t *afl_struct;
 extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
 extern "C" int    LLVMFuzzerRunDriver(int *argc, char ***argv,
                                      int (*UserCb)(const uint8_t *Data,
                                                 size_t         Size));
 extern "C" void   LLVMFuzzerMyInit(int (*UserCb)(const uint8_t *Data,
                                               size_t         Size),
                                   unsigned int Seed);
 typedef struct my_mutator {
  afl_state_t *afl;
  u8 *         mutator_buf;
  unsigned int seed;
  unsigned int extras_cnt, a_extras_cnt;
 } my_mutator_t;
 extern "C" int dummy(const uint8_t *Data, size_t Size) {
  (void)(Data);
  (void)(Size);
  fprintf(stderr, "dummy() called\n");
  return 0;
 }
 extern "C" my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
  my_mutator_t *data = (my_mutator_t *)calloc(1, sizeof(my_mutator_t));
  if (!data) {
    perror("afl_custom_init alloc");
    return NULL;
  }
  if ((data->mutator_buf = (u8 *)malloc(MAX_FILE)) == NULL) {
    free(data);
    perror("mutator_buf alloc");
    return NULL;
  }
  data->afl = afl;
  data->seed = seed;
  afl_struct = afl;
  /*
    char **argv;
    argv = (char**)malloc(sizeof(size_t) * 2);
    argv[0] = (char*)"foo";
    argv[1] = NULL;
    int eins = 1;
    LLVMFuzzerRunDriver(&eins, &argv, dummy);
  */
  LLVMFuzzerMyInit(dummy, seed);
  return data;
 }
 /* When a new queue entry is added we check if there are new dictionary
   entries to add to honggfuzz structure */
 #if 0
 extern "C" void afl_custom_queue_new_entry(my_mutator_t * data,
                                           const uint8_t *filename_new_queue,
                                           const uint8_t *filename_orig_queue) {
  while (data->extras_cnt < afl_struct->extras_cnt) {
    /*
        memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
               afl_struct->extras[data->extras_cnt].data,
               afl_struct->extras[data->extras_cnt].len);
        run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
            afl_struct->extras[data->extras_cnt].len;
        run.global->mutate.dictionaryCnt++;
    */
    data->extras_cnt++;
  }
  while (data->a_extras_cnt < afl_struct->a_extras_cnt) {
    /*
        memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
               afl_struct->a_extras[data->a_extras_cnt].data,
               afl_struct->a_extras[data->a_extras_cnt].len);
        run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
            afl_struct->a_extras[data->a_extras_cnt].len;
        run.global->mutate.dictionaryCnt++;
        data->a_extras_cnt++;
    */
  }
 }
 #endif
 /* we could set only_printable if is_ascii is set ... let's see
 uint8_t afl_custom_queue_get(void *data, const uint8_t *filename) {
  //run.global->cfg.only_printable = ...
 }
 */
 /* here we run the honggfuzz mutator, which is really good */
 extern "C" size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf,
                                  size_t buf_size, u8 **out_buf,
                                  uint8_t *add_buf, size_t add_buf_size,
                                  size_t max_size) {
  memcpy(data->mutator_buf, buf, buf_size);
  size_t ret = LLVMFuzzerMutate(data->mutator_buf, buf_size, max_size);
  /* return size of mutated data */
  *out_buf = data->mutator_buf;
  return ret;
 }
 #ifdef  INTROSPECTION
 extern "C" const char* afl_custom_introspection(my_mutator_t *data) {
  return introspection_ptr;
 }
 #endif
 /**
 * Deinitialize everything
 *
 * @param data The data ptr from afl_custom_init
 */
 extern "C" void afl_custom_deinit(my_mutator_t *data) {
  free(data->mutator_buf);
  free(data);
 }
--- a/custom_mutators/libfuzzer/libfuzzer.inc
+++ b/custom_mutators/libfuzzer/libfuzzer.inc
@ -0,0 +1,36 @@
 extern "C" ATTRIBUTE_INTERFACE void
 LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
  Random Rand(Seed);
  FuzzingOptions Options;
  Options.Verbosity = 3;
  Options.MaxLen = 1024000;
  Options.LenControl = true;
  Options.DoCrossOver = false;
  Options.MutateDepth = 6;
  Options.UseCounters = false;
  Options.UseMemmem = false;
  Options.UseCmp = false;
  Options.UseValueProfile = false;
  Options.Shrink = false;
  Options.ReduceInputs = false;
  Options.PreferSmall = false;
  Options.ReloadIntervalSec = 0;
  Options.OnlyASCII = false;
  Options.DetectLeaks = false;
  Options.PurgeAllocatorIntervalSec = 0;
  Options.TraceMalloc = false;
  Options.RssLimitMb = 100;
  Options.MallocLimitMb = 100;
  Options.MaxNumberOfRuns = 0;
  Options.ReportSlowUnits = false;
  Options.Entropic = false;
  struct EntropicOptions Entropic;
  Entropic.Enabled = Options.Entropic;
  EF = new ExternalFunctions();
  auto *MD = new MutationDispatcher(Rand, Options);
  auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
  auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
 }
--- a/custom_mutators/libprotobuf-mutator-example/Android.bp
+++ b/custom_mutators/libprotobuf-mutator-example/Android.bp
@ -0,0 +1,32 @@
 cc_library_shared {
  name: "libprotobuf-mutator-example-afl",
  vendor_available: true,
  host_supported: true,
  cflags: [
    "-g",
    "-O0",
    "-fPIC",
    "-Wall",
  ],
  srcs: [
    "lpm_aflpp_custom_mutator_input.cc",
    "test.proto",
  ],
  shared_libs: [
    "libprotobuf-cpp-full",
    "libprotobuf-mutator",
  ],
 }
 cc_binary {
  name: "libprotobuf-mutator-vuln",
  vendor_available: true,
  host_supported: true,
  srcs: [
    "vuln.c",
  ],
 }
--- a/custom_mutators/libprotobuf-mutator-example/README.md
+++ b/custom_mutators/libprotobuf-mutator-example/README.md
@ -0,0 +1 @@
 Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
@ -0,0 +1,118 @@
 #include "lpm_aflpp_custom_mutator_input.h"
 #include <iostream>
 #include <sstream>
 #include <fstream>
 using std::cin;
 using std::cout;
 using std::endl;
 std::string ProtoToData(const TEST &test_proto) {
    std::stringstream all;
    const auto &aa = test_proto.a();
    const auto &bb = test_proto.b();
    all.write((const char*)&aa, sizeof(aa));
    if(bb.size() != 0) {
        all.write(bb.c_str(), bb.size());
    }
    std::string res = all.str();
    if (bb.size() != 0 && res.size() != 0) {
        // set PROTO_FUZZER_DUMP_PATH env to dump the serialized protobuf
        if (const char *dump_path = getenv("PROTO_FUZZER_DUMP_PATH")) {
            std::ofstream of(dump_path);
            of.write(res.data(), res.size());
        }
    }
    return res;
 }
 /**
 * Initialize this custom mutator
 *
 * @param[in] afl a pointer to the internal state object. Can be ignored for
 * now.
 * @param[in] seed A seed for this mutator - the same seed should always mutate
 * in the same way.
 * @return Pointer to the data object this custom mutator instance should use.
 *         There may be multiple instances of this mutator in one afl-fuzz run!
 *         Return NULL on error.
 */
 extern "C" MyMutator *afl_custom_init(void *afl, unsigned int seed) {
    MyMutator *mutator = new MyMutator();
    mutator->RegisterPostProcessor(
        TEST::descriptor(),
        [](google::protobuf::Message* message, unsigned int seed) {
            // libprotobuf-mutator's built-in mutator is kind of....crappy :P
            // Even a dumb fuzz like `TEST.a = rand();` is better in this case... Q_Q
            // We register a post processor to apply our dumb fuzz
            TEST *t = static_cast<TEST *>(message);
            t->set_a(rand());
        });
    srand(seed);
    return mutator;
 }
 /**
 * Perform custom mutations on a given input
 *
 * @param[in] data pointer returned in afl_custom_init for this fuzz case
 * @param[in] buf Pointer to input data to be mutated
 * @param[in] buf_size Size of input data
 * @param[out] out_buf the buffer we will work on. we can reuse *buf. NULL on
 * error.
 * @param[in] add_buf Buffer containing the additional test case
 * @param[in] add_buf_size Size of the additional test case
 * @param[in] max_size Maximum size of the mutated output. The mutation must not
 *     produce data larger than max_size.
 * @return Size of the mutated output.
 */
 extern "C" size_t afl_custom_fuzz(MyMutator *mutator, // return value from afl_custom_init
                       uint8_t *buf, size_t buf_size, // input data to be mutated
                       uint8_t **out_buf, // output buffer
                       uint8_t *add_buf, size_t add_buf_size,  // add_buf can be NULL
                       size_t max_size) {
    // This function can be named either "afl_custom_fuzz" or "afl_custom_mutator"
    // A simple test shows that "buf" will be the content of the current test case
    // "add_buf" will be the next test case ( from AFL++'s input queue )
    TEST input;
    // parse input data to TEST
    // Notice that input data should be a serialized protobuf data
    // Check ./in/ii and test_protobuf_serializer for more detail
    bool parse_ok = input.ParseFromArray(buf, buf_size);
    if(!parse_ok) {
        // Invalid serialize protobuf data. Don't mutate.
        // Return a dummy buffer. Also mutated_size = 0
        static uint8_t *dummy = new uint8_t[10]; // dummy buffer with no data
        *out_buf = dummy;
        return 0;
    }
    // mutate the protobuf
    mutator->Mutate(&input, max_size);
    // Convert protobuf to raw data
    const TEST *p = &input;
    std::string s = ProtoToData(*p);
    // Copy to a new buffer ( mutated_out )
    size_t mutated_size = s.size() <= max_size ? s.size() : max_size; // check if raw data's size is larger than max_size
    uint8_t *mutated_out = new uint8_t[mutated_size+1];
    memcpy(mutated_out, s.c_str(), mutated_size); // copy the mutated data
    // Assign the mutated data and return mutated_size
    *out_buf = mutated_out;
    return mutated_size;
 }
 /**
 * Deinitialize everything
 *
 * @param data The data ptr from afl_custom_init
 */
 extern "C" void afl_custom_deinit(void *data) {
    // Honestly I don't know what to do with this...
    return;
 }
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
@ -0,0 +1,5 @@
 #include <src/mutator.h>
 #include "test.pb.h"
 class MyMutator : public protobuf_mutator::Mutator {
 };
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							`Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)`