final touches before 2.60

Update README.md
added testcases for afl-tmin and afl-cmin
2025-06-24 22:53:24 +00:00 · 2019-12-31 12:52:10 +01:00 · 2019-12-30 23:38:50 +01:00 · 2019-12-30 22:21:51 +01:00 · 2019-12-30 22:01:36 +01:00 · 2019-12-30 20:09:57 +01:00
157 changed files with 40708 additions and 3145 deletions
--- a/.custom-format.py
+++ b/.custom-format.py
@ -1,4 +1,19 @@
 #!/usr/bin/env python3
+#
+# american fuzzy lop++ - custom code formatter
+# --------------------------------------------
+#
+# Written and maintaned by Andrea Fioraldi <andreafioraldi@gmail.com>
+#
+# Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
+# Copyright 2019 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#

 import subprocess
 import sys
@ -12,12 +27,15 @@ with open(".clang-format") as f:

 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
 if CLANG_FORMAT_BIN is None:
-    p = subprocess.Popen(["clang-format", "--version"], stdout=subprocess.PIPE)
-    o, _ = p.communicate()
-    o = str(o, "utf-8")
-    o = o[len("clang-format version "):].strip()
-    o = o[:o.find(".")]
-    o = int(o)
+    o = 0
+    try:
+        p = subprocess.Popen(["clang-format", "--version"], stdout=subprocess.PIPE)
+        o, _ = p.communicate()
+        o = str(o, "utf-8")
+        o = o[len("clang-format version "):].strip()
+        o = o[:o.find(".")]
+        o = int(o)
+    except: pass
    if o < 7:
        if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
            CLANG_FORMAT_BIN = 'clang-format-7'
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,5 @@
+.test
+.test2
 *.o
 *.so
 afl-analyze
@ -15,9 +17,21 @@ afl-gotcpu
 afl-qemu-trace
 afl-showmap
 afl-tmin
+afl-analyze.8
+afl-clang-fast++.8
+afl-clang-fast.8
+afl-cmin.8
+afl-fuzz.8
+afl-gcc.8
+afl-gcc-fast.8
+afl-g++-fast.8
+afl-gotcpu.8
+afl-plot.8
+afl-showmap.8
+afl-system-config.8
+afl-tmin.8
+afl-whatsup.8
+qemu_mode/libcompcov/compcovtest
 as
-qemu_mode/qemu-3.1.0
-qemu_mode/qemu-3.1.0.tar.xz
-unicorn_mode/unicorn
-unicorn_mode/unicorn-*
-unicorn_mode/*.tar.gz
+qemu_mode/qemu-*
+core\.*
--- a/.travis.yml
+++ b/.travis.yml
@ -1,11 +1,49 @@
 language: c

+branches:
+  only:
+    - master
+
+matrix:
+  include:
+  - os: linux
+    dist: bionic
+    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
+  - os: linux
+    dist: xenial
+    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
+  - os: linux
+    dist: trusty
+    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
+  - os: linux
+    dist: xenial
+    arch: arm64
+    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
+#  - os: osx
+#    osx_image: xcode11.2
+#    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
+
+jobs:
+  allow_failures:
+    - os: osx
+
 env:
-  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1
+  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_STOP_MANUALLY=1
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
+ # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
+ # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
+
+before_install:
+  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
+  - echo Testing on $NAME
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
+  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev ; fi
+  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev ; fi

 script:
-  - make
-  - ./afl-gcc ./test-instr.c -o test-instr
-  - mkdir seeds; mkdir out
-  - echo "" > seeds/nil_seed
-  - timeout --preserve-status 5s ./afl-fuzz -i seeds -o out/ -- ./test-instr
+  - gcc -v
+  - clang -v
+  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ; fi
+  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ; fi
+  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then make ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
+  - make tests
--- a/Android.bp
+++ b/Android.bp
@ -0,0 +1,140 @@
+cc_defaults {
+  name: "afl-defaults",
+
+  cflags: [
+    "-funroll-loops",
+    "-Wno-pointer-sign",
+    "-Wno-pointer-arith",
+    "-Wno-sign-compare",
+    "-Wno-unused-parameter",
+    "-Wno-unused-function",
+    "-Wno-format",
+    "-Wno-user-defined-warnings",
+    "-DUSE_TRACE_PC=1",
+    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
+    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
+    "-D__USE_GNU",
+  ],
+}
+
+cc_binary {
+  name: "afl-fuzz",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-fuzz.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-showmap",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-showmap.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-tmin",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-tmin.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-analyze",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-analyze.c",
+  ],
+}
+
+cc_binary {
+  name: "afl-gotcpu",
+  static_executable: true,
+  host_supported: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "afl-gotcpu.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_binary_host {
+  name: "afl-clang-fast++",
+  static_executable: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-D__ANDROID__",
+    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-clang-fast.c",
+  ],
+}
+
+cc_library_static {
+  name: "afl-llvm-rt",
+  compile_multilib: "both",
+  vendor_available: true,
+  host_supported: true,
+  recovery_available: true,
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  srcs: [
+    "llvm_mode/afl-llvm-rt.o.c",
+  ],
+}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -6,9 +6,14 @@ Each modified source file, before merging, must be formatted.
 make code-formatter
 ```

-This should be fine if you modified one of the file already present in the
+This should be fine if you modified one of the files already present in the
 project, otherwise run:

 ```
 ./.custom-format.py -i file-that-you-have-created.c
 ```
+
+Regarding the coding style, please follow the AFL style.
+No camel case at all and use the AFL's macros when possible (e.g. WARNF, FATAL, ...).
+
+Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much general as possible.
--- a/32
+++ b/32
@ -0,0 +1,32 @@
+FROM ubuntu:eoan
+MAINTAINER David Carlier <devnexen@gmail.com>
+LABEL "about"="AFLplusplus docker image"
+RUN apt-get update && apt-get install -y \
+    --no-install-suggests --no-install-recommends \
+    automake \
+    bison \
+    build-essential \
+    clang \
+    clang-9 \
+    flex \
+    gcc-9 \
+    gcc-9-plugin-dev \
+    gcc-9-multilib \
+    libc++-9-dev \
+    libtool \
+    libtool-bin \
+    libglib2.0-dev \
+    llvm-9-dev \
+    python-setuptools \
+    python2.7-dev \
+    wget \
+    ca-certificates \
+    libpixman-1-dev \
+    && rm -rf /var/lib/apt/lists/*
+ARG CC=gcc-9
+ARG CXX=g++-9
+ARG LLVM_CONFIG=llvm-config-9
+COPY . /app
+RUN cd /app && make clean && make distrib && \
+    make install && cd .. && rm -rf /app
+WORKDIR /work
--- a/222
+++ b/222
@ -2,7 +2,7 @@
 # american fuzzy lop - makefile
 # -----------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # 
 # Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
 # 
@ -16,9 +16,6 @@
 # For Heiko:
 #TEST_MMAP=1

-PROGNAME    = afl
-VERSION     = $(shell grep '^\#define VERSION ' include/config.h | cut -d '"' -f2)
-
 PREFIX     ?= /usr/local
 BIN_PATH    = $(PREFIX)/bin
 HELPER_PATH = $(PREFIX)/lib/afl
@ -26,6 +23,9 @@ DOC_PATH    = $(PREFIX)/share/doc/afl
 MISC_PATH   = $(PREFIX)/share/afl
 MAN_PATH    = $(PREFIX)/man/man8

+PROGNAME    = afl
+VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
+
 # PROGS intentionally omit afl-as, which gets installed elsewhere.

 PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
@ -34,17 +34,67 @@ MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)

 CFLAGS     ?= -O3 -funroll-loops
 CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ \
-	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-	      -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function
+	      -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+              -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function

 AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)

-PYTHON_INCLUDE	?= /usr/include/python2.7
+ifneq "($filter %3.7m, $(shell python3.7m-config --includes 2>/dev/null)" ""
+  PYTHON_INCLUDE  ?= $(shell python3.7m-config --includes)
+  PYTHON_LIB      ?= $(shell python3.7m-config --ldflags)
+  PYTHON_VERSION   = 3.7m
+else
+  ifneq "($filter %3.7, $(shell python3.7-config --includes) 2> /dev/null" ""
+    PYTHON_INCLUDE  ?= $(shell python3.7-config --includes)
+    PYTHON_LIB      ?= $(shell python3.7-config --ldflags)
+    PYTHON_VERSION   = 3.7
+  else
+    ifneq "($filter %2.7, $(shell python2.7-config --includes) 2> /dev/null" ""
+      PYTHON_INCLUDE  ?= $(shell python2.7-config --includes)
+      PYTHON_LIB      ?= $(shell python2.7-config --ldflags)
+      PYTHON_VERSION   = 2.7
+    endif
+  endif
+endif
+
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python3.7m && echo /usr/include/python3.7m)
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python3.7 && echo /usr/include/python3.7)
+PYTHON_INCLUDE	?= $(shell test -e /usr/include/python2.7 && echo /usr/include/python2.7)
+
+ifneq "($filter %3.7m, $(PYTHON_INCLUDE))" ""
+    PYTHON_VERSION ?= 3.7m
+    PYTHON_LIB  ?= -lpython3.7m
+else
+    ifneq "($filter %3.7, $(PYTHON_INCLUDE))" ""
+        PYTHON_VERSION ?= 3.7
+    else
+        ifneq "($filter %2.7, $(PYTHON_INCLUDE))" ""
+            PYTHON_VERSION ?= 2.7
+            PYTHON_LIB     ?= -lpython2.7
+        else
+            PYTHON_VERSION ?= none
+        endif
+    endif
+endif
+
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" -I 2>/dev/null || date -u -I)
+else
+    BUILD_DATE ?= $(shell date -I)
+endif

 ifneq "$(filter Linux GNU%,$(shell uname))" ""
  LDFLAGS  += -ldl
 endif

+ifneq "$(findstring FreeBSD, $(shell uname))" ""
+  CFLAGS += -pthread
+endif
+
+ifneq "$(findstring NetBSD, $(shell uname))" ""
+  CFLAGS += -pthread
+endif
+
 ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
  TEST_CC   = afl-gcc
 else
@ -54,16 +104,25 @@ endif
 COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h


-ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) -lpython2.7 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '\#include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test -I$(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	PYTHON_OK=1
-	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) -lpython2.7
+	PYFLAGS=-DUSE_PYTHON -I$(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB)
 else
 	PYTHON_OK=0
 	PYFLAGS=
 endif

+ifdef STATIC
+  $(info Compiling static version of binaries)
+  # Disable python for static compilation to simplify things
+  PYTHON_OK=0
+  PYFLAGS=

-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
+  CFLAGS += -static
+  LDFLAGS += -lm -lrt -lpthread -lz -lutil
+endif
+
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
 	SHMAT_OK=1
 else
 	SHMAT_OK=0
@ -80,10 +139,44 @@ endif

 all:	test_x86 test_shm test_python27 ready $(PROGS) afl-as test_build all_done

+man:    $(MANPAGES) 
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+
+tests:	source-only
+	@cd test ; ./test.sh
+	@rm -f test/errors
+
+performance-tests:	performance-test
+test-performance:	performance-test
+
+performance-test:	source-only
+	@cd test ; ./test-performance.sh
+
+
+help:
+	@echo "HELP --- the following make targets exist:"
+	@echo "=========================================="
+	@echo "all: just the main afl++ binaries"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa"
+	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap, radamsa"
+	@echo "distrib: everything (for both binary-only and source code fuzzing)"
+	@echo "man: creates simple man pages from the help option of the programs"
+	@echo "install: installs everything you have compiled with the build option above"
+	@echo "clean: cleans everything. for qemu_mode it means it deletes all downloads as well"
+	@echo "code-format: format the code, do this before you commit and send a PR please!"
+	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
+	@echo "help: shows these build options :-)"
+	@echo "=========================================="
+	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
+

 ifndef AFL_NO_X86

 test_x86:
+	@echo "[*] Checking for the default compiler cc..."
+	@which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
 	@echo "[*] Checking for the ability to compile x86 code..."
 	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
 	@rm -f .test1
@ -114,12 +207,12 @@ ifeq "$(PYTHON_OK)" "1"

 test_python27:
 	@rm -f .test 2> /dev/null
-	@echo "[+] Python 2.7 support seems to be working."
+	@echo "[+] Python $(PYTHON_VERSION) support seems to be working."

 else

 test_python27:
-	@echo "[-] You seem to need to install the package python2.7-dev, but it is optional so we continue"
+	@echo "[-] You seem to need to install the package python3.7-dev or python2.7-dev (and perhaps python[23]-apt), but it is optional so we continue"

 endif

@ -135,31 +228,42 @@ afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
 	ln -sf afl-as as

-afl-common.o : src/afl-common.c include/common.h
-	$(CC) $(CFLAGS) -c src/afl-common.c
+src/afl-common.o : src/afl-common.c include/common.h
+	$(CC) $(CFLAGS) -c src/afl-common.c -o src/afl-common.o

-afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
-	$(CC) $(CFLAGS) -c src/afl-forkserver.c
+src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
+	$(CC) $(CFLAGS) -c src/afl-forkserver.c -o src/afl-forkserver.o

-afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
-	$(CC) $(CFLAGS) -c src/afl-sharedmem.c
+src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
+	$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o

-afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) afl-common.o afl-sharedmem.o afl-forkserver.o -o $@ $(LDFLAGS) $(PYFLAGS)
+radamsa: src/third_party/libradamsa/libradamsa.so
+	cp src/third_party/libradamsa/libradamsa.so .

-afl-showmap: src/afl-showmap.c afl-common.o afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o -o $@ $(LDFLAGS)
+src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
+	$(MAKE) -C src/third_party/libradamsa/

-afl-tmin: src/afl-tmin.c afl-common.o afl-sharedmem.o afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o afl-forkserver.o -o $@ $(LDFLAGS)
+afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)

-afl-analyze: src/afl-analyze.c afl-common.o afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c afl-common.o afl-sharedmem.o -o $@ $(LDFLAGS)
+afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
+
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+
+afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)

 afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)


+# document all mutations and only do one run (use with only one input file!)
+document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+
+
 code-format:
 	./.custom-format.py -i src/*.c
 	./.custom-format.py -i include/*.h
@ -168,11 +272,17 @@ code-format:
 	./.custom-format.py -i llvm_mode/*.c
 	./.custom-format.py -i llvm_mode/*.h
 	./.custom-format.py -i llvm_mode/*.cc
+	./.custom-format.py -i gcc_plugin/*.c
+	#./.custom-format.py -i gcc_plugin/*.h
+	./.custom-format.py -i gcc_plugin/*.cc
+	./.custom-format.py -i experimental/*/*.c
+	./.custom-format.py -i experimental/*/*.h
 	./.custom-format.py -i qemu_mode/patches/*.h
 	./.custom-format.py -i qemu_mode/libcompcov/*.c
 	./.custom-format.py -i qemu_mode/libcompcov/*.cc
 	./.custom-format.py -i qemu_mode/libcompcov/*.h
-	./.custom-format.py -i unicorn_mode/patches/*.h
+	./.custom-format.py -i qbdi_mode/*.c
+	./.custom-format.py -i qbdi_mode/*.cpp
 	./.custom-format.py -i *.h
 	./.custom-format.py -i *.c

@ -181,7 +291,7 @@ ifndef AFL_NO_X86

 test_build: afl-gcc afl-as afl-showmap
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
+	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
 	./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
@ -205,15 +315,45 @@ all_done: test_build
 .NOTPARALLEL: clean

 clean:
-	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.0.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so unicorn_mode/24f55a7973278f20f0de21b904851d99d4716263.tar.gz *.8
-	rm -rf out_dir qemu_mode/qemu-3.1.0 unicorn_mode/unicorn
-	$(MAKE) -C llvm_mode clean
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8
+	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
+	-$(MAKE) -C llvm_mode clean
+	-$(MAKE) -C gcc_plugin clean
 	$(MAKE) -C libdislocator clean
 	$(MAKE) -C libtokencap clean
+	$(MAKE) -C experimental/socket_fuzzing clean
+	$(MAKE) -C experimental/argv_fuzzing clean
+	$(MAKE) -C qemu_mode/unsigaction clean
 	$(MAKE) -C qemu_mode/libcompcov clean
+	$(MAKE) -C src/third_party/libradamsa/ clean
+	-rm -rf unicorn_mode/unicorn
+
+distrib: all radamsa
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C experimental/socket_fuzzing
+	$(MAKE) -C experimental/argv_fuzzing
+	cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && sh ./build_unicorn_support.sh
+
+binary-only: all radamsa
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap
+	$(MAKE) -C experimental/socket_fuzzing
+	$(MAKE) -C experimental/argv_fuzzing
+	cd qemu_mode && sh ./build_qemu_support.sh
+	cd unicorn_mode && sh ./build_unicorn_support.sh
+
+source-only: all radamsa
+	-$(MAKE) -C llvm_mode
+	-$(MAKE) -C gcc_plugin
+	$(MAKE) -C libdislocator
+	$(MAKE) -C libtokencap

 %.8:	%
-	@echo .TH $* 8 `date --iso-8601` "afl++" > $@
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
 	@echo .SH NAME >> $@
 	@echo .B $* >> $@
 	@echo >> $@
@ -225,19 +365,19 @@ clean:
 	@./$* -h 2>&1 | tail -n +4 >> $@
 	@echo >> $@
 	@echo .SH AUTHOR >> $@
-	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexc0der\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
 	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> $@
 	@echo >> $@
 	@echo .SH LICENSE >> $@
 	@echo Apache License Version 2.0, January 2004 >> $@

 install: all $(MANPAGES)
-	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
 	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
 	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	#if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
 ifndef AFL_TRACE_PC
 	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
 else
@ -248,13 +388,19 @@ endif
 	if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
 	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f libradamsa.so ]; then set -e; install -m 755 libradamsa.so $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	$(MAKE) -C experimental/socket_fuzzing install
+	$(MAKE) -C experimental/argv_fuzzing install

 	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
 	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi

-	mkdir -m 0755 -p $(MAN_PATH)
-	install -m0644 -D *.8 $(MAN_PATH)
+	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
+	install -m0644 -D *.8 ${DESTDIR}$(MAN_PATH)

 	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
 	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
@ -262,7 +408,7 @@ endif
 	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
 	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)

-publish: clean
+#publish: clean
 #	test "`basename $$PWD`" = "afl" || exit 1
 #	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
 #	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
--- a/README.md
+++ b/README.md
@ -1,8 +1,12 @@
 # american fuzzy lop plus plus (afl++)

-  Release Version: 2.54c 
+  ![Travis State](https://api.travis-ci.com/vanhauser-thc/AFLplusplus.svg?branch=master)

-  Github Version: 2.54d
+  Release Version: 2.59c 
+
+  Github Version: 2.59d
+
+  includes all necessary/interesting changes from Google's afl 2.56b


  Originally developed by Michal "lcamtuf" Zalewski.
@ -10,7 +14,7 @@
  Repository: [https://github.com/vanhauser-thc/AFLplusplus](https://github.com/vanhauser-thc/AFLplusplus)

  afl++ is maintained by Marc "van Hauser" Heuse <mh@mh-sec.de>,
-  Heiko "hexc0der" Eißfeldt <heiko.eissfeldt@hexco.de> and
+  Heiko "hexcoder-" Eißfeldt <heiko.eissfeldt@hexco.de> and
  Andrea Fioraldi <andreafioraldi@gmail.com>.

  Note that although afl now has a Google afl repository [https://github.com/Google/afl](https://github.com/Google/afl),
@ -20,19 +24,19 @@
 ## The enhancements compared to the original stock afl

  Many improvements were made over the official afl release - which did not
-  get any improvements since November 2017.
+  get any feature improvements since November 2017.

-  Among others afl++ has a more performant llvm_mode, supporting
-  llvm up to version 9, Qemu 3.1, more speed and crashfixes for Qemu,
+  Among other changes afl++ has a more performant llvm_mode, supports
+  llvm up to version 10, QEMU 3.1, more speed and crashfixes for QEMU,
  better *BSD and Android support and much, much more.

-  Additionally the following patches have been integrated:
+  Additionally the following features and patches have been integrated:

  * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)

-  * the new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
+  * The new excellent MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)

-  * instrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)
+  * InsTrim, a very effective CFG llvm_mode instrumentation implementation for large targets: [https://github.com/csienslab/instrim](https://github.com/csienslab/instrim)

  * C. Holler's afl-fuzz Python mutator module and llvm_mode whitelist support: [https://github.com/choller/afl](https://github.com/choller/afl)

@ -40,12 +44,35 @@

  * unicorn_mode which allows fuzzing of binaries from completely different platforms (integration provided by domenukk)

-  * laf-intel (compcov) support for llvm_mode, qemu_mode and unicorn_mode
+  * laf-intel or CompCov support for llvm_mode, qemu_mode and unicorn_mode
+
+  * NeverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage
+  
+  * Persistent mode and deferred forkserver for qemu_mode
+  
+  * Win32 PE binary-only fuzzing with QEMU and Wine
+
+  * Radamsa mutator (enable with `-R` to add or `-RR` to run it exclusivly).
+
+  * qbdi_mode: fuzz android native libraries via QBDI framework

-  * neverZero patch for afl-gcc, llvm_mode, qemu_mode and unicorn_mode which prevents a wrapping map value to zero, increases coverage (by Andrea Fioraldi)

  A more thorough list is available in the PATCHES file.

+  | Feature/Instrumentation | afl-gcc | llvm_mode | gcc_plugin | qemu_mode | unicorn_mode |
+  | ----------------------- |:-------:|:---------:|:----------:|:---------:|:------------:|
+  | laf-intel / CompCov     |         |     x     |            |  x86/arm  |   x86/arm    |
+  | NeverZero               |    x    |     x(1)  |      (2)   |     x     |      x       |
+  | Persistent mode         |         |     x     |     x      |    x86    |      x       |
+  | Whitelist               |         |     x     |     x      |           |              |
+  | InsTrim                 |         |     x     |            |           |              |
+
+  neverZero:
+
+  (1) only in LLVM >= 9.0 due to a bug in llvm in previous versions
+
+  (2) gcc create non-performant code, hence it is disabled in gcc_plugin
+
  So all in all this is the best-of AFL that is currently out there :-)

  For new versions and additional information, check out:
@ -58,6 +85,54 @@
  read this file.


+## 0) Building and installing afl++
+
+afl++ has many build options.
+The easiest is to build and install everything:
+
+```shell
+$ make distrib
+$ sudo make install
+```
+
+Note that "make distrib" also builds llvm_mode, qemu_mode, unicorn_mode and
+more. If you just want plain afl then do "make all", however compiling and
+using at least llvm_mode is highly recommended for much better results -
+hence in this case 
+
+```shell
+$ make source-only
+```
+is what you should choose.
+
+These build options exist:
+
+* all: just the main afl++ binaries
+* binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa
+* source-only: everything for source code fuzzing: llvm_mode, libdislocator, libtokencap, radamsa
+* distrib: everything (for both binary-only and source code fuzzing)
+* install: installs everything you have compiled with the build options above
+* clean: cleans everything. for qemu_mode and unicorn_mode it means it deletes all downloads as well
+* code-format: format the code, do this before you commit and send a PR please!
+* tests: runs test cases to ensure that all features are still working as they should
+* help: shows these build options
+
+[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html) you can also build statically linked versions of the 
+afl++ binaries by passing the STATIC=1 argument to make:
+
+```shell
+$ make all STATIC=1
+```
+
+Note that afl++ is faster and better the newer the compilers used are.
+Hence gcc-9 and especially llvm-9 should be the compilers of choice.
+If your distribution does not have them, you can use the Dockerfile:
+
+```shell
+$ docker build -t aflplusplus
+```
+
+
 ## 1) Challenges of guided fuzzing

 Fuzzing is one of the most powerful and proven strategies for identifying
@ -129,7 +204,7 @@ superior to blind fuzzing or coverage-only tools.
 PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++
 instead of afl-gcc/afl-g++ is much faster and has a few cool features.
 See llvm_mode/ - however few code does not compile with llvm.
-We support llvm versions 3.8.0 to 9.
+We support llvm versions 3.8.0 to 10.

 When source code is available, instrumentation can be injected by a companion
 tool that works as a drop-in replacement for gcc or clang in any standard build
@ -151,14 +226,14 @@ For C++ programs, you'd would also want to set `CXX=/path/to/afl/afl-g++`.

 The clang wrappers (afl-clang and afl-clang++) can be used in the same way;
 clang users may also opt to leverage a higher-performance instrumentation mode,
-as described in [llvm_mode/README.llvm](llvm_mode/README.llvm).
-Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 9.
+as described in [llvm_mode/README.md](llvm_mode/README.md).
+Clang/LLVM has a much better performance and works with LLVM version 3.8.0 to 10.

 Using the LAF Intel performance enhancements are also recommended, see 
-[llvm_mode/README.laf-intel](llvm_mode/README.laf-intel)
+[llvm_mode/README.laf-intel.md](llvm_mode/README.laf-intel.md)

 Using partial instrumentation is also recommended, see
-[llvm_mode/README.whitelist](llvm_mode/README.whitelist)
+[llvm_mode/README.whitelist.md](llvm_mode/README.whitelist.md)

 When testing libraries, you need to find or write a simple program that reads
 data from stdin or from a file and passes it to the tested library. In such a
@ -174,7 +249,7 @@ $ CC=/path/to/afl/afl-gcc ./configure --disable-shared
 Setting `AFL_HARDEN=1` when calling 'make' will cause the CC wrapper to
 automatically enable code hardening options that make it easier to detect
 simple memory bugs. Libdislocator, a helper library included with AFL (see
-[libdislocator/README.dislocator](libdislocator/README.dislocator)) can help uncover heap corruption issues, too.
+[libdislocator/README.md](libdislocator/README.md)) can help uncover heap corruption issues, too.

 PS. ASAN users are advised to review [docs/notes_for_asan.txt](docs/notes_for_asan.txt)
 file for important caveats.
@ -194,7 +269,7 @@ $ cd qemu_mode
 $ ./build_qemu_support.sh
 ```

-For additional instructions and caveats, see [qemu_mode/README.qemu](qemu_mode/README.qemu).
+For additional instructions and caveats, see [qemu_mode/README.md](qemu_mode/README.md).

 The mode is approximately 2-5x slower than compile-time instrumentation, is
 less conductive to parallelization, and may have some other quirks.
@ -210,8 +285,8 @@ A more comprehensive description of these and other options can be found in
 ## 5) Power schedules

 The power schedules were copied from Marcel Böhme's excellent AFLfast
-implementation and expands on the ability to discover new paths and
-therefore the coverage.
+implementation and expand on the ability to discover new paths and
+therefore may increase the code coverage.

 The available schedules are:
 
@ -233,11 +308,7 @@ explore mode.
 made the default mode).

 More details can be found in the paper published at the 23rd ACM Conference on
-Computer and Communications Security (CCS'16):
- 
- (https://www.sigsac.org/ccs/CCS2016/accepted-papers/)[https://www.sigsac.org/ccs/CCS2016/accepted-papers/]
-
-
+Computer and Communications Security [CCS'16](https://www.sigsac.org/ccs/CCS2016/accepted-papers/)
 ## 6) Choosing initial test cases

 To operate correctly, the fuzzer requires one or more starting file that
@ -385,7 +456,7 @@ magic headers, or other special tokens associated with the targeted data type
  [http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html](http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html)

 To use this feature, you first need to create a dictionary in one of the two
-formats discussed in [dictionaries/README.dictionaries](ictionaries/README.dictionaries);
+formats discussed in [dictionaries/README.md](dictionaries/README.md);
 and then point the fuzzer to it via the -x option in the command line.

 (Several common dictionaries are already provided in that subdirectory, too.)
@ -403,7 +474,7 @@ parsers and grammars, but isn't nearly as good as the -x mode.

 If a dictionary is really hard to come by, another option is to let AFL run
 for a while, and then use the token capture library that comes as a companion
-utility with AFL. For that, see [libtokencap/README.tokencap](libtokencap/README.tokencap).
+utility with AFL. For that, see [libtokencap/README.md](libtokencap/README.tokencap.md).


 ## 11) Crash triage
@ -569,7 +640,7 @@ without feedback, bug reports, or patches from:
  Jonathan Gray                         Filipe Cabecinhas
  Nico Weber                            Jodie Cunningham
  Andrew Griffiths                      Parker Thompson
-  Jonathan Neuschfer                    Tyler Nighswander
+  Jonathan Neuschaefer                  Tyler Nighswander
  Ben Nagy                              Samir Aguiar
  Aidan Thornton                        Aleksandar Nikolich
  Sam Hakim                             Laszlo Szekeres
@ -588,7 +659,7 @@ without feedback, bug reports, or patches from:
  Austin Seipp                          Daniel Komaromy
  Daniel Binderman                      Jonathan Metzman
  Vegard Nossum                         Jan Kneschke
-  Kurt Roeckx                           Marcel Bohme
+  Kurt Roeckx                           Marcel Boehme
  Van-Thuan Pham                        Abhik Roychoudhury
  Joshua J. Drake                       Toby Hutton
  Rene Freingruber                      Sergey Davidoff
--- a/41
+++ b/41
@ -1,27 +1,31 @@
-Roadmap 2.53d:
-==============
+
+Roadmap 2.60:
+=============

 afl-fuzz:
- - custom mutator lib: example and readme
-
-man:
- - man page for afl-clang-fast
-
-
-Roadmap 2.54d:
-==============
+ - radamsa mutator (via dlopen())

 gcc_plugin:
- - needs to be rewritten
- - whitelist support
- - skip over uninteresting blocks
 - laf-intel
- - neverZero
+
+libdislocator:
+ - add a wrapper for posix_memalign

 qemu_mode:
 - update to 4.x (probably this will be skipped :( )
+ - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
+   Idea: The static analyzer outputs a map in which each edge that must be
+   skipped is marked with 1. QEMU loads it at startup in the parent process.

-unit testing / or large testcase campaign
+custom_mutators:
+ - rip what Superion is doing into custom mutators for js, php, etc.
+
+enhance test/test.sh script for checking if compcov features are working
+correctly (especially float splitting)
+
+
+The far away future:
+====================

 Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
         At afl's default map that means ~16 collisions and ~3 wrappings.
@ -52,10 +56,3 @@ Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
    Bad: completely changes how afl uses the map and the scheduling.
    Overall another very good solution, Marc Heuse/vanHauser follows this up
    
-qemu_mode:
- - persistent mode patching the return address (WinAFL style)
- - deferred mode with AFL_DEFERRED_QEMU=0xaddress
-   (AFL_ENTRYPOINT let you to specify only a basic block address as starting
-    point. This will be implemented togheter with the logic for persistent
-    mode.)
-
--- a/4
+++ b/4
@ -3,7 +3,7 @@
 # american fuzzy lop - corpus minimization tool
 # ---------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
 #
@ -36,7 +36,7 @@
 # array sizes.
 #

-echo "corpus minimization tool for afl-fuzz by <lcamtuf@google.com>"
+echo "corpus minimization tool for afl-fuzz by Michal Zalewski"
 echo

 #########
--- a/4
+++ b/4
@ -3,7 +3,7 @@
 # american fuzzy lop - Advanced Persistent Graphing
 # -------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # Based on a design & prototype by Michael Rash.
 #
 # Copyright 2014, 2015 Google Inc. All rights reserved.
@ -15,7 +15,7 @@
 #   http://www.apache.org/licenses/LICENSE-2.0
 #

-echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
+echo "progress plotting utility for afl-fuzz by Michal Zalewski"
 echo

 if [ ! "$#" = "2" ]; then
--- a/14
+++ b/14
@ -48,5 +48,19 @@ if [ "$PLATFORM" = "OpenBSD" ] ; then
 echo
 echo 'System security features cannot be disabled on OpenBSD.'
 fi
+if [ "$PLATFORM" = "NetBSD" ] ; then
+echo
+echo It is recommended to enable unprivileged users to set cpu affinity
+echo to be able to use afl-gotcpu meaningfully.
+/sbin/sysctl -w security.models.extensions.user_set_cpu_affinity=1
+fi
+if [ "$PLATFORM" = "Darwin" ] ; then
+  if [ $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') ] ; then
+echo We unload the default crash reporter here
+SL=/System/Library; PL=com.apple.ReportCrash
+launchctl unload -w ${SL}/LaunchAgents/${PL}.plist
+sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist
+  fi
+fi
 echo
 echo Also use AFL_TMPDIR to use a tmpfs for the input file
--- a/6
+++ b/6
@ -3,7 +3,7 @@
 # american fuzzy lop - status check tool
 # --------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2015 Google Inc. All rights reserved.
 #
@ -17,7 +17,7 @@
 # instances of afl-fuzz.
 #

-echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
+echo "status check tool for afl-fuzz by Michal Zalewski"
 echo
 test "$1" = "-h" && {
  echo $0
@ -61,7 +61,7 @@ fi

 CUR_TIME=`date +%s`

-TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
+TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1

 ALIVE_CNT=0
 DEAD_CNT=0
--- a/75
+++ b/75
@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+
+import os
+import sys
+import pefile
+import shutil
+import subprocess
+
+if len(sys.argv) < 2:
+    print("[afl-wine-trace] usage: ./afl-wine-trace binary [args...]\n")
+    exit(1)
+
+if os.getenv("AFL_PATH"):
+    my_dir = os.getenv("AFL_PATH")
+else:
+    my_dir = os.path.dirname(os.path.abspath(__file__))
+
+os.environ["WINELOADERNOEXEC"] = "1"
+
+pe = pefile.PE(sys.argv[1])
+
+if "AFL_ENTRYPOINT" not in os.environ:
+    os.environ["AFL_ENTRYPOINT"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.AddressOfEntryPoint)
+if not os.getenv("AFL_INST_LIBS"):
+    if "AFL_CODE_START" not in os.environ:
+        os.environ["AFL_CODE_START"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode)
+    if "AFL_CODE_END" not in os.environ:
+        os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)
+
+if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+else:
+    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+
+if os.getenv("WINECOV_QEMU_PATH"):
+    qemu_path = os.getenv("WINECOV_QEMU_PATH")
+elif os.path.exists(os.path.join(my_dir, "afl-qemu-trace")):
+    qemu_path = os.path.join(my_dir, "afl-qemu-trace")
+else:
+    qemu_path = "qemu-"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        qemu_path += "x86_64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        qemu_path += "i386"
+    else:
+        print ("[afl-wine-trace] unsuppoted architecture\n")
+        exit(1)
+    qemu_path = shutil.which(qemu_path)
+
+wine_path = None
+if os.getenv("AFL_WINE_PATH"):
+    wine_path = os.getenv("AFL_WINE_PATH")
+else:
+    if not wine_path and shutil.which("wine"):
+        wine_path = shutil.which("wine")
+    if not wine_path and os.path.exists("/usr/bin/wine"):
+        wine_path = "/usr/bin/wine"
+    if not wine_path and os.path.exists("/usr/lib/wine/wine"):
+        wine_path = "/usr/lib/wine/wine"
+    if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
+        wine_path += "64"
+    elif pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
+        pass
+    else:
+        print ("[afl-wine-trace] unsopported architecture\n")
+        exit(1)
+
+argv = sys.argv[1:]
+for i in range(len(argv)):
+    if ".cur_input" in argv[i]:
+        argv[i] = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        break
+
+print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv))
+os.execve(qemu_path, [qemu_path, wine_path] + argv, os.environ)
--- a/dictionaries/README.dictionaries
+++ b/dictionaries/README.dictionaries
@ -1,19 +1,17 @@
-================
-AFL dictionaries
-================
+# AFL dictionaries

-  (See ../docs/README for the general instruction manual.)
+(See [../docs/README.md](../docs/README.md) for the general instruction manual.)

 This subdirectory contains a set of dictionaries that can be used in
 conjunction with the -x option to allow the fuzzer to effortlessly explore the
 grammar of some of the more verbose data formats or languages. The basic
-principle behind the operation of fuzzer dictionaries is outlined in section 9
-of the "main" README for the project.
+principle behind the operation of fuzzer dictionaries is outlined in section 10
+of the "main" README.md for the project.

 Custom dictionaries can be added at will. They should consist of a
 reasonably-sized set of rudimentary syntax units that the fuzzer will then try
-to clobber together in various ways. Snippets between 2 and 16 bytes are usually
-the sweet spot.
+to clobber together in various ways. Snippets between 2 and 16 bytes are
+usually the sweet spot.

 Custom dictionaries can be created in two ways:

@ -32,12 +30,12 @@ parameter is a file or a directory.

 In the file mode, every name field can be optionally followed by @<num>, e.g.:

-  keyword_foo@1 = "foo"
+  `keyword_foo@1 = "foo"`

 Such entries will be loaded only if the requested dictionary level is equal or
 higher than this number. The default level is zero; a higher value can be set
 by appending @<num> to the dictionary file name, like so:

-  -x path/to/dictionary.dct@2
+  `-x path/to/dictionary.dct@2`

 Good examples of dictionaries can be found in xml.dict and png.dict.
--- a/dictionaries/gif.dict
+++ b/dictionaries/gif.dict
@ -2,7 +2,7 @@
 # AFL dictionary for GIF images
 # -----------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 header_87a="87a"
--- a/dictionaries/html_tags.dict
+++ b/dictionaries/html_tags.dict
@ -5,7 +5,7 @@
 # A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
 # include any attributes or attribute values.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 tag_a="<a>"
--- a/dictionaries/jpeg.dict
+++ b/dictionaries/jpeg.dict
@ -2,7 +2,7 @@
 # AFL dictionary for JPEG images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 header_jfif="JFIF\x00"
--- a/dictionaries/js.dict
+++ b/dictionaries/js.dict
@ -4,7 +4,7 @@
 #
 # Contains basic reserved keywords and syntax building blocks.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 keyword_arguments="arguments"
--- a/dictionaries/png.dict
+++ b/dictionaries/png.dict
@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 header_png="\x89PNG\x0d\x0a\x1a\x0a"
--- a/dictionaries/regexp.dict
+++ b/dictionaries/regexp.dict
@ -0,0 +1,596 @@
+#
+# AFL dictionary for regex
+# --------------------------
+#
+# Contains various regular expressions.
+#
+# Created by Yang Guo <yangguo@chromium.org>
+#
+# Contributed by Dhiraj Mishra <dhiraj@inputzero.io>
+#
+"?"
+"abc"
+"()"
+"[]"
+"abc|def"
+"abc|def|ghi"
+"^xxx$"
+"ab\\b\\d\\bcd"
+"\\w|\\d"
+"a*?"
+"abc+"
+"abc+?"
+"xyz?"
+"xyz??"
+"xyz{0,1}"
+"xyz{0,1}?"
+"xyz{93}"
+"xyz{1,32}"
+"xyz{1,32}?"
+"xyz{1,}"
+"xyz{1,}?"
+"a\\fb\\nc\\rd\\te\\vf"
+"a\\nb\\bc"
+"(?:foo)"
+"(?: foo )"
+"foo|(bar|baz)|quux"
+"foo(?=bar)baz"
+"foo(?!bar)baz"
+"foo(?<=bar)baz"
+"foo(?<!bar)baz"
+"()"
+"(?=)"
+"[]"
+"[x]"
+"[xyz]"
+"[a-zA-Z0-9]"
+"[-123]"
+"[^123]"
+"]"
+"}"
+"[a-b-c]"
+"[x\\dz]"
+"[\\d-z]"
+"[\\d-\\d]"
+"[z-\\d]"
+"\\cj\\cJ\\ci\\cI\\ck\\cK"
+"\\c!"
+"\\c_"
+"\\c~"
+"[\\c!]"
+"[\\c_]"
+"[\\c~]"
+"[\\ca]"
+"[\\cz]"
+"[\\cA]"
+"[\\cZ]"
+"[\\c1]"
+"\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ "
+"[\\[\\]\\{\\}\\(\\)\\%\\^\\#\\ ]"
+"\\8"
+"\\9"
+"\\11"
+"\\11a"
+"\\011"
+"\\118"
+"\\111"
+"\\1111"
+"(x)(x)(x)\\1"
+"(x)(x)(x)\\2"
+"(x)(x)(x)\\3"
+"(x)(x)(x)\\4"
+"(x)(x)(x)\\1*"
+"(x)(x)(x)\\3*"
+"(x)(x)(x)\\4*"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\10"
+"(x)(x)(x)(x)(x)(x)(x)(x)(x)(x)\\11"
+"(a)\\1"
+"(a\\1)"
+"(\\1a)"
+"(\\2)(\\1)"
+"(?=a){0,10}a"
+"(?=a){1,10}a"
+"(?=a){9,10}a"
+"(?!a)?a"
+"\\1(a)"
+"(?!(a))\\1"
+"(?!\\1(a\\1)\\1)\\1"
+"\\1\\2(a(?:\\1(b\\1\\2))\\2)\\1"
+"[\\0]"
+"[\\11]"
+"[\\11a]"
+"[\\011]"
+"[\\00011]"
+"[\\118]"
+"[\\111]"
+"[\\1111]"
+"\\x60"
+"\\x3z"
+"\\c"
+"\\u0034"
+"\\u003z"
+"foo[z]*"
+"\\u{12345}"
+"\\u{12345}\\u{23456}"
+"\\u{12345}{3}"
+"\\u{12345}*"
+"\\ud808\\udf45*"
+"[\\ud808\\udf45-\\ud809\\udccc]"
+"a"
+"a|b"
+"a\\n"
+"a$"
+"a\\b!"
+"a\\Bb"
+"a*?"
+"a?"
+"a??"
+"a{0,1}?"
+"a{1,2}?"
+"a+?"
+"(a)"
+"(a)\\1"
+"(\\1a)"
+"\\1(a)"
+"a\\s"
+"a\\S"
+"a\\D"
+"a\\w"
+"a\\W"
+"a."
+"a\\q"
+"a[a]"
+"a[^a]"
+"a[a-z]"
+"a(?:b)"
+"a(?=b)"
+"a(?!b)"
+"\\x60"
+"\\u0060"
+"\\cA"
+"\\q"
+"\\1112"
+"(a)\\1"
+"(?!a)?a\\1"
+"(?:(?=a))a\\1"
+"a{}"
+"a{,}"
+"a{"
+"a{z}"
+"a{12z}"
+"a{12,"
+"a{12,3b"
+"{}"
+"{,}"
+"{"
+"{z}"
+"{1z}"
+"{12,"
+"{12,3b"
+"a"
+"abc"
+"a[bc]d"
+"a|bc"
+"ab|c"
+"a||bc"
+"(?:ab)"
+"(?:ab|cde)"
+"(?:ab)|cde"
+"(ab)"
+"(ab|cde)"
+"(ab)\\1"
+"(ab|cde)\\1"
+"(?:ab)?"
+"(?:ab)+"
+"a?"
+"a+"
+"a??"
+"a*?"
+"a+?"
+"(?:a?)?"
+"(?:a+)?"
+"(?:a?)+"
+"(?:a*)+"
+"(?:a+)+"
+"(?:a?)*"
+"(?:a*)*"
+"(?:a+)*"
+"a{0}"
+"(?:a+){0,0}"
+"a*b"
+"a+b"
+"a*b|c"
+"a+b|c"
+"(?:a{5,1000000}){3,1000000}"
+"(?:ab){4,7}"
+"a\\bc"
+"a\\sc"
+"a\\Sc"
+"a(?=b)c"
+"a(?=bbb|bb)c"
+"a(?!bbb|bb)c"
+"\xe2\x81\xa3"
+"[\xe2\x81\xa3]"
+"\xed\xb0\x80"
+"\xed\xa0\x80"
+"(\xed\xb0\x80)\x01"
+"((\xed\xa0\x80))\x02"
+"\xf0\x9f\x92\xa9"
+"\x01"
+"\x0f"
+"[-\xf0\x9f\x92\xa9]+"
+"[\xf0\x9f\x92\xa9-\xf4\x8f\xbf\xbf]"
+"(?<=)"
+"(?<=a)"
+"(?<!)"
+"(?<!a)"
+"(?<a>)"
+"(?<a>.)"
+"(?<a>.)\\k<a>"
+"\\p{Script=Greek}"
+"\\P{sc=Greek}"
+"\\p{Script_Extensions=Greek}"
+"\\P{scx=Greek}"
+"\\p{General_Category=Decimal_Number}"
+"\\P{gc=Decimal_Number}"
+"\\p{gc=Nd}"
+"\\P{Decimal_Number}"
+"\\p{Nd}"
+"\\P{Any}"
+"\\p{Changes_When_NFKC_Casefolded}"
+"L~"
+"P{scx=Greek}??"
+"Q~"
+"R??"
+"R!??oo(E=?ar)baz-"
+"Sc?Sc{?{?"
+"U~"
+"V~"
+"W~"
+"Xdtc"
+"X~"
+"X?"
+"[-123],}"
+"[-????]+,}"
+"[00011],}"
+"[011],}"
+"[0],}"
+"[1111],}"
+"[111],}"
+"[118],}"
+"[11],}"
+"[11a],}"
+"[[]{}()%^# ],}"
+"[]"
+"[],}"
+"[]{}()%^# ,}"
+"[^123],}"
+"[a-b-c],}"
+"[a-zA-Z0-9],}"
+"[b"
+"[bfoo(?!bar)baz"
+"[c!],}"
+"[c1],}"
+"[cA],}"
+"[cZ],}"
+"[c_],}"
+"[ca],}"
+"[cz],}"
+"[c~],}"
+"[c~]w"
+"[d-d],}"
+"[d-z],}"
+"[u???[11<([c?]?:u??<a>)dccc]"
+"[ud808udf45-ud809udccc],}"
+"[x"
+"[x],}"
+"[xdz],}"
+"[xyz],}"
+"[x?"
+"[x?n4n4"
+"[x??19?"
+"[z-d],}"
+"[~?"
+"[?????"
+"[?"
+"[???],}"
+"[????-????],}"
+"[????"
+"]"
+"],}"
+"]QrC[w~]Qr"
+"]}"
+"]~"
+"^?000???????????????????????????x60?"
+"^12(a(?:1(b12))2)1dyb?9"
+"^xi!q"
+"^xxx$,}"
+"abc"
+"abc60,0}?{?"
+"aic"
+"b~"
+"c"
+"c!,}"
+"c,}"
+"cA,}"
+"c_,}"
+"cjcJcicIckcK,}"
+"c~"
+"c~,}"
+"d"
+"d?"
+"d??"
+"d(?:ab[]?9}"
+"dpN?(?<a>.)?"
+"duu{123a?"
+"d{1,9"
+"d~"
+"e"
+"e~"
+"e?}"
+"f~"
+"g~"
+"h~"
+"i~"
+"j~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxb~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxc~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxd~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxe~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxf~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxg~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxh~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxi~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxj~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxk~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxl~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxm~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxz~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xx?~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxn~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxo~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxp~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxq~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxr~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxs~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxt~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxu~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxv~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxw~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxx~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxy~"
+"k?@a??=bbC?:!k?x!k0}??@??@a(P=b@??s@xxz~"
+"k?@a(?=bbb.~"
+"k?@a(?=bbbb~"
+"k?@a(?=bbbc~"
+"k?@a(?=bbbd~"
+"k?@a(?=bbbe~"
+"k?@a(?=bbbf~"
+"k?@a(?=bbbg~"
+"k?@a(?=bbbh~"
+"k?@a(?=bbbi~"
+"k?@a(?=bbbj~"
+"k?@a(?=bbbk~"
+"k?@a(?=bbbl~"
+"k?@a(?=bbbm~"
+"k?@a(?=bbbn~"
+"k?@a(?=bbbo~"
+"k?@a(?=bbbp~"
+"k?@a(?=bbbq~"
+"k?@a(?=bbbr~"
+"k?@a(?=bbbs~"
+"k?@a(?=bbbt~"
+"k?@a(?=bbbu~"
+"k?@a(?=bbbv~"
+"k?@a(?=bbbw~"
+"k?@a(?=bbbx~"
+"k?@a(?=bbby~"
+"k?@a(?=bbbz~"
+"k?@a(?=by?bC?:!k??????????????b~"
+"k?@a(?=by?bC?:!k??????????????c~"
+"k?@a(?=by?bC?:!k??????????????d~"
+"k?@a(?=by?bC?:!k??????????????e~"
+"k?@a(?=by?bC?:!k??????????????f~"
+"k?@a(?=by?bC?:!k??????????????g~"
+"k?@a(?=by?bC?:!k??????????????h~"
+"k?@a(?=by?bC?:!k??????????????i~"
+"k?@a(?=by?bC?:!k??????????????j~"
+"k?@a(?=by?bC?:!k??????????????k~"
+"k?@a(?=by?bC?:!k??????????????l~"
+"k?@a(?=by?bC?:!k??????????????m~"
+"k?@a(?=by?bC?:!k??????????????n~"
+"k?@a(?=by?bC?:!k??????????????o~"
+"k?@a(?=by?bC?:!k??????????????p~"
+"k?@a(?=by?bC?:!k??????????????q~"
+"k?@a(?=by?bC?:!k??????????????r~"
+"k?@a(?=by?bC?:!k??????????????s~"
+"k?@a(?=by?bC?:!k??????????????t~"
+"k?@a(?=by?bC?:!k??????????????u~"
+"k?@a(?=by?bC?:!k??????????????v~"
+"k?@a(?=by?bC?:!k??????????????w~"
+"k?@a(?=by?bC?:!k??????????????x~"
+"k?@a(?=by?bC?:!k??????????????y~"
+"k?@a(?=by?bC?:!k??????????????z~"
+"k?@a(?=by?bC?:!k???????????????~"
+"k?@a(?~"
+"k?@a(b~"
+"k?@a(c~"
+"k?@a(d~"
+"k?@a(e~"
+"k?@a(f~"
+"k?@a(g~"
+"k?@a(h~"
+"k?@a(i~"
+"k?@a(j~"
+"k?@a(k~"
+"k?@a(l~"
+"k?@a(m~"
+"k?@a(n~"
+"k?@a(o~"
+"k?@a(p~"
+"k?@a(q~"
+"k?@a(r~"
+"k?@a(s~"
+"k?@a(t~"
+"k?@a(u~"
+"k?@a(v~"
+"k?@a(w~"
+"k?@a(x~"
+"k?@a(y~"
+"k?@a(z~"
+"k0X@ab~"
+"k0X@ac~"
+"k0X@ad~"
+"k0X@ae~"
+"k0X@af~"
+"k0X@ag~"
+"k0X@ah~"
+"k0X@ai~"
+"k0X@aj~"
+"k0X@ak~"
+"k0X@al~"
+"k0X@am~"
+"k0X@an~"
+"k0X@ao~"
+"k0X@ap~"
+"k0X@aq~"
+"k0X@ar~"
+"k0X@as~"
+"k0X@at~"
+"k0X@au~"
+"k0X@av~"
+"k0X@aw~"
+"k0X@ax~"
+"k0X@ay~"
+"k0X@az~"
+"k0X@a?~"
+"k~"
+"l~"
+"m~"
+"n~"
+"o~"
+"p~"
+"q,}"
+"q~"
+"r~"
+"r?[c~]"
+"s~"
+"t~"
+"u0034,}"
+"u003z,}"
+"u0060,}"
+"ud808udf45*,}"
+"u~"
+"v~"
+"w"
+"w~"
+"x3z,}"
+"x60,}"
+"xyz?9"
+"x~"
+"y~"
+"z~"
+"{"
+"{??"
+"{ ,,?"
+"{-"
+"{0,d?????!"
+"{12345}pu{234:P}?"
+"{1?5"
+"{@"
+"{M,??"
+"{M,P{scx=Greek}???sn"
+"{M,??"
+"{M,??"
+"{M,?M,??"
+"{O"
+"{r~"
+"{s~"
+"{t~"
+"{u~"
+"{v~"
+"{w~"
+"{x~"
+"{y~"
+"{z~"
+"{}"
+"{}~"
+"{??@"
+"{?~"
+"},}"
+"}}"
+"}}}}}?}!}}}}}}}}}}}}}}}}}?},}"
+"}~"
+"}?w~???"
+"~~"
+"?!~"
+"?$"
+"?*?9?nnRnnn?"
+"?.~"
+"?123222222??"
+"?:??"
+"?R"
+"?b~"
+"?c~"
+"?d~"
+"?d???"
+"?e~"
+"?f~"
+"?g~"
+"?h~"
+"?i~"
+"?j~"
+"?k~"
+"?l~"
+"?m~"
+"?n~"
+"?o~"
+"?p~"
+"?q~"
+"?r~"
+"?s~"
+"?t~"
+"?u~"
+"?v~"
+"?v~?v"
+"?w~"
+"?x~"
+"?y~"
+"?z~"
+"?}"
+"??~"
+"?????????dadi(?!bbb"
+"??~"
+"k?@a??=bbC?:!k?x!k0}??@???@a(P=b@??s@xxq~>>>>>>>>>>>>>>>>>>"
+"?f??123222222??"
+"?fP{gc=Decimal_Number}"
+"?f2jq?oo@ooooh??"
+"?[???],}f?"
+"?[???],}nbbc2jocom"
+"?[]"
+"?[],}?"
+"?[],}f?"
+"?[]f?"
+"?[]{}()%^#"
+"?[^123],}f?"
+"?[^123]nbbc2jocom"
+"?[a-b-c],}f?"
+"?[a-b-c]nbbc2jocom"
+"?[a-zA-Z0-9],}f?"
+"?[a-zA-Z0-9],}jocom"
+"?[a-zA-Z0-9]c2jocom"
+"?[bfoo(?!bar)bazcom"
+"?[bfoo(?!bar)bazf?"
--- a/dictionaries/sql.dict
+++ b/dictionaries/sql.dict
@ -11,7 +11,7 @@
 # standpoint, because they are usually not allowed in non-privileged
 # contexts).
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 function_abs=" abs(1)"
--- a/dictionaries/tiff.dict
+++ b/dictionaries/tiff.dict
@ -5,7 +5,7 @@
 # Just the basic, standard-originating sections; does not include vendor
 # extensions.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 header_ii="II*\x00"
--- a/dictionaries/webp.dict
+++ b/dictionaries/webp.dict
@ -2,7 +2,7 @@
 # AFL dictionary for WebP images
 # ------------------------------
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 header_RIFF="RIFF"
--- a/dictionaries/xml.dict
+++ b/dictionaries/xml.dict
@ -4,7 +4,7 @@
 #
 # Several basic syntax elements and attributes, modeled on libxml2.
 #
-# Created by Michal Zalewski <lcamtuf@google.com>
+# Created by Michal Zalewski
 #

 attr_encoding=" encoding=\"1\""
--- a/docs/ChangeLog
+++ b/docs/ChangeLog
@ -13,6 +13,98 @@ Want to stay in the loop on major new features? Join our mailing list by
 sending a mail to <afl-users+subscribe@googlegroups.com>.


+--------------------------
+Version ++2.59d (develop):
+--------------------------
+
+  - fixed a critical bug in afl-tmin that was introduced during ++2.53d
+  - added test cases for afl-cmin and afl-tmin to test/test.sh
+  - added ./experimental/argv_fuzzing ld_preload library by Kjell Braden
+  - added preeny's desock_dup ld_preload library as
+    ./experimental/socket_fuzzing for network fuzzing
+  - added AFL_AS_FORCE_INSTRUMENT environment variable for afl-as - this is
+    for the retrorewrite project
+  - we now set QEMU_SET_ENV from AFL_PRELOAD when qemu_mode is used
+
+
+--------------------------
+Version ++2.59c (release):
+--------------------------
+
+  - qbdi_mode: fuzz android native libraries via QBDI framework
+  - unicorn_mode: switched to the new unicornafl, thanks domenukk
+                  (see https://github.com/vanhauser-thc/unicorn)
+  - afl-fuzz:
+     - added radamsa as (an optional) mutator stage (-R[R])
+     - added -u command line option to not unlink the fuzz input file
+     - Python3 support (autodetect)
+     - AFL_DISABLE_TRIM env var to disable the trim stage
+     - CPU affinity support for DragonFly
+  - llvm_mode:
+     - float splitting is now configured via AFL_LLVM_LAF_SPLIT_FLOATS
+     - support for llvm 10 included now (thanks to devnexen)
+  - libtokencap:
+     - support for *BSD/OSX/Dragonfly added
+     - hook common *cmp functions from widely used libraries
+  - compcov:
+     - hook common *cmp functions from widely used libraries
+     - floating point splitting support for QEMU on x86 targets
+  - qemu_mode: AFL_QEMU_DISABLE_CACHE env to disable QEMU TranslationBlocks caching
+  - afl-analyze: added AFL_SKIP_BIN_CHECK support
+  - better random numbers for gcc_plugin and llvm_mode (thanks to devnexen)
+  - Dockerfile by courtesy of devnexen
+  - added regex.dictionary
+  - qemu and unicorn download scripts now try to download until the full
+    download succeeded. f*ckin travis fails downloading 40% of the time!
+  - more support for Android (please test!)
+  - added the few Android stuff we didnt have already from Google afl repository
+  - removed unnecessary warnings
+
+
+--------------------------
+Version ++2.58c (release):
+--------------------------
+
+  - reverted patch to not unlink and recreate the input file, it resulted in
+    performance loss of ~10%
+  - added test/test-performance.sh script
+  - (re)added gcc_plugin, fast inline instrumentation is not yet finished,
+    however it includes the whitelisting and persistance feature! by hexcoder-
+  - gcc_plugin tests added to testing framework
+
+
+--------------------------------
+Version ++2.54d-2.57c (release):
+--------------------------------
+
+  - we jump to 2.57 instead of 2.55 to catch up with Google's versioning
+  - persistent mode for QEMU (see qemu_mode/README.md)
+  - custom mutator library is now an additional mutator, to exclusivly use it
+    add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
+  - new library qemu_mode/unsigaction which filters sigaction events
+  - afl-fuzz: new command line option -I to execute a command on a new crash
+  - no more unlinking the input file, this way the input file can also be a
+    FIFO or disk partition
+  - setting LLVM_CONFIG for llvm_mode will now again switch to the selected
+    llvm version. If your setup is correct.
+  - fuzzing strategy yields for custom mutator were missing from the UI, added them :)
+  - added "make tests" which will perform checks to see that all functionality
+    is working as expected. this is currently the starting point, its not complete :)
+  - added mutation documentation feature ("make document"), creates afl-fuzz-document
+    and saves all mutations of the first run on the first file into out/queue/mutations
+  - libtokencap and libdislocator now compile to the afl_root directory and are
+    installed to the .../lib/afl directory when present during make install
+  - more BSD support, e.g. free CPU binding code for FreeBSD (thanks to devnexen)
+  - reducing duplicate code in afl-fuzz
+  - added "make help"
+  - removed compile warnings from python internal stuff
+  - added man page for afl-clang-fast[++]
+  - updated documentation
+  - Wine mode to run Win32 binaries with the QEMU instrumentation (-W)
+  - CompareCoverage for ARM target in QEMU/Unicorn
+  - laf-intel in llvm_mode now also handles floating point comparisons
+
+
 --------------------------
 Version ++2.54c (release):
 --------------------------
--- a/docs/QuickStartGuide.txt
+++ b/docs/QuickStartGuide.txt
@ -45,6 +45,8 @@ how to hit the ground running:
 7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way
   faster and has a few cool features

+8) There is a basic docker build with 'docker build -t aflplusplus .'
+
 That's it. Sit back, relax, and - time permitting - try to skim through the
 following files:

--- a/docs/README.radamsa.md
+++ b/docs/README.radamsa.md
@ -0,0 +1 @@
+../src/third_party/libradamsa/README.md
--- a/docs/binaryonly_fuzzing.txt
+++ b/docs/binaryonly_fuzzing.txt
@ -26,6 +26,10 @@ It is the easiest to use alternative and even works for cross-platform binaries.

 As it is included in afl++ this needs no URL.

+WINE+QEMU
+---------
+Wine mode can run Win32 PE with the QEMU instrumentation.
+It needs Wine, python3 and the pefile python package installed.

 UNICORN
 -------
--- a/docs/custom_mutator.txt
+++ b/docs/custom_mutator.txt
@ -18,8 +18,13 @@ environment variable. The library must export the afl_custom_mutator() function
 must be compiled as a shared object. For example:
     $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so

-AFL will call the afl_custom_mutator() function every time it needs to mutate
-a test case. For some cases, the format of the mutated data returned from
+Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others,
+so it will be used for some test cases, and other mutators for others.
+
+Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will
+be called every time it needs to mutate test case!
+
+For some cases, the format of the mutated data returned from
 the custom mutator is not suitable to directly execute the target with this input.
 For example, when using libprotobuf-mutator, the data returned is in a protobuf
 format which corresponds to a given grammar. In order to execute the target,
--- a/docs/env_variables.txt
+++ b/docs/env_variables.txt
@ -65,17 +65,21 @@ tools make fairly broad use of environmental variables:
    mkdir assembly_here
    TMPDIR=$PWD/assembly_here AFL_KEEP_ASSEMBLY=1 make clean all

+  - If you are a weird person that wants to compile and instrument asm
+    text files then use the AFL_AS_FORCE_INSTRUMENT variable:
+      AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo
+
  - Setting AFL_QUIET will prevent afl-cc and afl-as banners from being
    displayed during compilation, in case you find them distracting.

  - Setting AFL_CAL_FAST will speed up the initial calibration, if the
    application is very slow

-2) Settings for afl-clang-fast / afl-clang-fast++
-------------------------------------------------
+2) Settings for afl-clang-fast / afl-clang-fast++ / afl-gcc-fast / afl-g++-fast
+---------------------------------------------------------------------------------

-The native LLVM instrumentation helper accepts a subset of the settings
-discussed in section #1, with the exception of:
+The native instrumentation helpers (llvm_mode and gcc_plugin) accept a subset
+of the settings discussed in section #1, with the exception of:

  - AFL_AS, since this toolchain does not directly invoke GNU as.

@ -97,9 +101,10 @@ Then there are a few specific features that are only available in llvm_mode:

    - Setting AFL_LLVM_LAF_TRANSFORM_COMPARES will split string compare functions

-    - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split > 8 bit CMP instructions
+    - Setting AFL_LLVM_LAF_SPLIT_COMPARES will split all floating point and
+      64, 32 and 16 bit integer CMP instructions

-    See llvm_mode/README.laf-intel for more information. 
+    See llvm_mode/README.laf-intel.md for more information. 

  WHITELIST
  =========
@ -108,7 +113,7 @@ Then there are a few specific features that are only available in llvm_mode:
    - Setting AFL_LLVM_WHITELIST with a filename will only instrument those
      files that match the names listed in this file.

-    See llvm_mode/README.whitelist for more information.
+    See llvm_mode/README.whitelist.md for more information.

  INSTRIM
  =======
@ -121,7 +126,7 @@ Then there are a few specific features that are only available in llvm_mode:
      afl-fuzz will only be able to see the path the loop took, but not how
      many times it was called (unless it is a complex loop).

-    See llvm_mode/README.instrim
+    See llvm_mode/README.instrim.md

  NOT_ZERO
  ========
@ -132,7 +137,18 @@ Then there are a few specific features that are only available in llvm_mode:
      slowdown due a performance issue that is only fixed in llvm 9+.
      This feature increases path discovery by a little bit.

-    See llvm_mode/README.neverzero
+    See llvm_mode/README.neverzero.md
+
+Then there are a few specific features that are only available in the gcc_plugin:
+
+  WHITELIST
+  =========
+    This feature allows selective instrumentation of the source
+
+    - Setting AFL_GCC_WHITELIST with a filename will only instrument those
+      files that match the names listed in this file (one filename per line).
+
+    See gcc_plugin/README.whitelist.md for more information.

 3) Settings for afl-fuzz
 ------------------------
@ -201,6 +217,11 @@ checks or alter some of the more exotic semantics of the tool:
    mutated files - say, to fix up checksums. See experimental/post_library/
    for more.

+  - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
+    afl_custom_mutator() export run additional mutations though this library.
+    If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
+    performed with/from the libary. see docs/custom_mutator.txt
+
  - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
    with -DUSE_PYTHON. Please see docs/python_mutators.txt
    This feature allows to configure custom mutators which can be very helpful
@ -251,7 +272,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
  - Setting AFL_COMPCOV_LEVEL enables the CompareCoverage tracing of all cmp
    and sub in x86 and x86_64 and memory comparions functions (e.g. strcmp,
    memcmp, ...) when libcompcov is preloaded using AFL_PRELOAD.
-    More info at qemu_mode/libcompcov/README.compcov.
+    More info at qemu_mode/libcompcov/README.md.
    There are two levels at the moment, AFL_COMPCOV_LEVEL=1 that instruments
    only comparisons with immediate values / read-only memory and
    AFL_COMPCOV_LEVEL=2 that instruments all the comparions. Level 2 is more
@ -312,7 +333,7 @@ of decimal.
 8) Settings for libdislocator.so
 --------------------------------

-The library honors three environmental variables:
+The library honors these environmental variables:

  - AFL_LD_LIMIT_MB caps the size of the maximum heap usage permitted by the
    library, in megabytes. The default value is 1 GB. Once this is exceeded,
--- a/docs/notes_for_asan.txt
+++ b/docs/notes_for_asan.txt
@ -34,7 +34,7 @@ Note that ASAN is incompatible with -static, so be mindful of that.
 There is also the option of generating a corpus using a non-ASAN binary, and
 then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
 and can give you somewhat comparable results. You can also try using
-libdislocator (see libdislocator/README.dislocator in the parent directory) as a
+libdislocator (see libdislocator/README.dislocator.md in the parent directory) as a
 lightweight and hassle-free (but less thorough) alternative.

 2) Long version
--- a/docs/perf_tips.txt
+++ b/docs/perf_tips.txt
@ -50,12 +50,15 @@ Even if you don't have a lightweight harness for a particular target, remember
 that you can always use another, related library to generate a corpus that will
 be then manually fed to a more resource-hungry program later on.

+Also note that reading the fuzzing input via stdin is faster than reading from
+a file.
+
 3) Use LLVM instrumentation
 ---------------------------

-When fuzzing slow targets, you can gain 2x performance improvement by using
-the LLVM-based instrumentation mode described in llvm_mode/README.llvm. Note
-that this mode requires the use of clang and will not work with GCC.
+When fuzzing slow targets, you can gain 20-100% performance improvement by
+using the LLVM-based instrumentation mode described in llvm_mode/README.llvm.
+Note that this mode requires the use of clang and will not work with GCC.

 The LLVM mode also offers a "persistent", in-process fuzzing mode that can
 work well for certain types of self-contained libraries, and for fast targets,
@ -72,6 +75,9 @@ If you are only intested in specific parts of the code being fuzzed, you can
 whitelist the files that are actually relevant. This improves the speed and
 accuracy of afl. See llvm_mode/README.whitelist

+Also use the InsTrim mode on larger binaries, this improves performance and
+coverage a lot.
+
 4) Profile and optimize the binary
 ----------------------------------

@ -161,6 +167,11 @@ and not waste CPU time.

 There are several OS-level factors that may affect fuzzing speed:

+  - If you have no risk of power loss then run your fuzzing on a tmpfs
+    partition. This increases the performance noticably.
+    Alternatively you can use AFL_TMPDIR to point to a tmpfs location to
+    just write the input file to a tmpfs.
+
  - High system load. Use idle machines where possible. Kill any non-essential
    CPU hogs (idle browser windows, media players, complex screensavers, etc).

--- a/docs/power_schedules.txt
+++ b/docs/power_schedules.txt
@ -2,7 +2,7 @@ afl++'s power schedules based on AFLfast

 <a href="https://comp.nus.edu.sg/~mboehme/paper/CCS16.pdf"><img src="https://comp.nus.edu.sg/~mboehme/paper/CCS16.png" align="right" width="250"></a>
 Power schedules implemented by Marcel Böhme \<marcel.boehme@acm.org\>. 
-AFLFast is an extension of AFL which was written by Michal Zalewski \<lcamtuf@google.com\>.
+AFLFast is an extension of AFL which was written by Michal Zalewski.

 AFLfast has helped in the success of Team Codejitsu at the finals of the DARPA Cyber Grand Challenge where their bot Galactica took **2nd place** in terms of #POVs proven (see red bar at https://www.cybergrandchallenge.com/event#results). AFLFast exposed several previously unreported CVEs that could not be exposed by AFL in 24 hours and otherwise exposed vulnerabilities significantly faster than AFL while generating orders of magnitude more unique crashes. 

--- a/docs/python_mutators.txt
+++ b/docs/python_mutators.txt
@ -9,8 +9,9 @@ Adding custom mutators to AFL using Python modules

  Implemented by Christian Holler (:decoder) <choller@mozilla.com>.

-  NOTE: This is for Python 2.7 !
-  Anyone who wants to add Python 3.7 support is happily welcome :)
+  NOTE: Python 3.7 and 2.7 are supported so far (3.8 upcomming).
+  Depending on with which version afl-fuzz was compiled, you must use
+  python2 or python3 syntax in your scripts!

  For an example and a template see ../python_mutators/

@ -56,16 +57,20 @@ further information about this feature.
 3) How to compile AFLFuzz with Python support
 ---------------------------------------------

-You must install the python 2.7 development package of your Linux distribution
-before this will work. On Debian/Ubuntu/Kali this can be done with:
+You must install the python 3.7 or 2.7 development package of your Linux
+distribution before this will work. On Debian/Ubuntu/Kali this can be done
+with either:
+  apt install python3.7-dev
+or
  apt install python2.7-dev
+Note that for some distributions you might also need the package python[23]-apt

 A prerequisite for using this mode is to compile AFLFuzz with Python support.

-The afl Makefile performs some magic and detects Python 2.7 if it is in the
-default path and compiles afl-fuzz with the feature if available (which is
-/usr/include/python2.7 for the Python.h include and /usr/lib/x86_64-linux-gnu
-for the libpython2.7.a library)
+The afl Makefile performs some magic and detects Python 3.7 and 2.7 if it is
+in the default path and compiles afl-fuzz with the feature if available (which
+is /usr/include/python2.7 for the Python.h include and
+/usr/lib/x86_64-linux-gnu for the libpython2.7.a library)

 In case your setup is different set the necessary variables like this:
 PYTHON_INCLUDE=/path/to/python2.7/include LDFLAGS=-L/path/to/python2.7/lib make
--- a/docs/sister_projects.txt
+++ b/docs/sister_projects.txt
@ -319,11 +319,13 @@ Fuzzer shell for SQLite (Richard Hipp)
 Support for Python mutation modules (Christian Holler)
 ------------------------------------------------------

+now integrated in AFL++, originally from here
  https://github.com/choller/afl/blob/master/docs/mozilla/python_modules.txt

 Support for selective instrumentation (Christian Holler)
 --------------------------------------------------------

+now integrated in AFL++, originally from here
  https://github.com/choller/afl/blob/master/docs/mozilla/partial_instrumentation.txt

 Kernel fuzzing (Dmitry Vyukov)
--- a/docs/technical_details.txt
+++ b/docs/technical_details.txt
@ -165,7 +165,7 @@ of new tuples, and the remainder is associated with changes in hit counts.

 The following table compares the relative ability to discover file syntax and
 explore program states when using several different approaches to guided
-fuzzing. The instrumented target was GNU patch 2.7.3 compiled with -O3 and
+fuzzing. The instrumented target was GNU patch 2.7k.3 compiled with -O3 and
 seeded with a dummy text file; the session consisted of a single pass over the
 input queue with afl-fuzz:

--- a/experimental/argv_fuzzing/Makefile
+++ b/experimental/argv_fuzzing/Makefile
@ -0,0 +1,37 @@
+#
+# american fuzzy lop - argvfuzz
+# --------------------------------
+#
+# Copyright 2019 Kjell Braden <afflux@pentabarf.de>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared -ldl
+
+all: argvfuzz32.so argvfuzz64.so
+
+argvfuzz32.so: argvfuzz.c
+	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "argvfuzz32 build failure (that's fine)"
+
+argvfuzz64.so: argvfuzz.c
+	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+install: argvfuzz32.so argvfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f argvfuzz32.so ]; then set -e; install -m 755 argvfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	install -m 755 argvfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+
+clean:
+	rm -f argvfuzz32.so argvfuzz64.so
--- a/experimental/argv_fuzzing/README.md
+++ b/experimental/argv_fuzzing/README.md
@ -0,0 +1,16 @@
+# argvfuzz
+
+afl supports fuzzing file inputs or stdin. When source is available,
+`argv-fuzz-inl.h` can be used to change `main()` to build argv from stdin.
+
+`argvfuzz` tries to provide the same functionality for binaries. When loaded
+using `LD_PRELOAD`, it will hook the call to `__libc_start_main` and replace
+argv using the same logic of `argv-fuzz-inl.h`.
+
+A few conditions need to be fulfilled for this mechanism to work correctly:
+
+1. As it relies on hooking the loader, it cannot work on static binaries.
+2. If the target binary does not use the default libc's `_start` implementation
+   (crt1.o), the hook may not run.
+3. The hook will replace argv with pointers to `.data` of `argvfuzz.so`. If the
+   target binary expects argv to be living on the stack, things may go wrong.
--- a/experimental/argv_fuzzing/argv-fuzz-inl.h
+++ b/experimental/argv_fuzzing/argv-fuzz-inl.h
@ -2,7 +2,7 @@
   american fuzzy lop - sample argv fuzzing wrapper
   ------------------------------------------------

-   Written by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2015 Google Inc. All rights reserved.

@ -36,12 +36,20 @@

 #include <unistd.h>

-#define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0)
-
-#define AFL_INIT_SET0(_p) do { \
+#define AFL_INIT_ARGV()          \
+  do {                           \
+                                 \
    argv = afl_init_argv(&argc); \
-    argv[0] = (_p); \
-    if (!argc) argc = 1; \
+                                 \
+  } while (0)
+
+#define AFL_INIT_SET0(_p)        \
+  do {                           \
+                                 \
+    argv = afl_init_argv(&argc); \
+    argv[0] = (_p);              \
+    if (!argc) argc = 1;         \
+                                 \
  } while (0)

 #define MAX_CMDLINE_LEN 100000
@ -53,9 +61,9 @@ static char** afl_init_argv(int* argc) {
  static char* ret[MAX_CMDLINE_PAR];

  char* ptr = in_buf;
-  int   rc  = 0;
+  int   rc = 0;

-  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0);
+  if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0) {}

  while (*ptr) {

@ -63,7 +71,8 @@ static char** afl_init_argv(int* argc) {
    if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
    rc++;

-    while (*ptr) ptr++;
+    while (*ptr)
+      ptr++;
    ptr++;

  }
@ -77,4 +86,5 @@ static char** afl_init_argv(int* argc) {
 #undef MAX_CMDLINE_LEN
 #undef MAX_CMDLINE_PAR

-#endif /* !_HAVE_ARGV_FUZZ_INL */
+#endif                                              /* !_HAVE_ARGV_FUZZ_INL */
+
--- a/experimental/argv_fuzzing/argvfuzz.c
+++ b/experimental/argv_fuzzing/argvfuzz.c
@ -0,0 +1,49 @@
+/*
+   american fuzzy lop - LD_PRELOAD for fuzzing argv in binaries
+   ------------------------------------------------------------
+
+   Copyright 2019 Kjell Braden <afflux@pentabarf.de>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ */
+
+#define _GNU_SOURCE                                        /* for RTLD_NEXT */
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "argv-fuzz-inl.h"
+
+int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
+                      void (*init)(void), void (*fini)(void),
+                      void (*rtld_fini)(void), void *stack_end) {
+
+  int (*orig)(int (*main)(int, char **, char **), int argc, char **argv,
+              void (*init)(void), void (*fini)(void), void (*rtld_fini)(void),
+              void *stack_end);
+  int    sub_argc;
+  char **sub_argv;
+
+  (void)argc;
+  (void)argv;
+
+  orig = dlsym(RTLD_NEXT, __func__);
+
+  if (!orig) {
+
+    fprintf(stderr, "hook did not find original %s: %s\n", __func__, dlerror());
+    exit(EXIT_FAILURE);
+
+  }
+
+  sub_argv = afl_init_argv(&sub_argc);
+
+  return orig(main, sub_argc, sub_argv, init, fini, rtld_fini, stack_end);
+
+}
+
--- a/experimental/asan_cgroups/limit_memory.sh
+++ b/experimental/asan_cgroups/limit_memory.sh
@ -7,7 +7,7 @@
 #            David A. Wheeler <dwheeler@ida.org>
 #
 # Edits to bring the script in line with afl-cmin and other companion scripts
-# by Michal Zalewski <lcamtuf@google.com>. All bugs are my fault.
+# by Michal Zalewski. All bugs are my fault.
 #
 # Copyright 2015 Institute for Defense Analyses.
 #
--- a/experimental/canvas_harness/canvas_harness.html
+++ b/experimental/canvas_harness/canvas_harness.html
@ -4,7 +4,7 @@
  american fuzzy lop - <canvas> harness
  -------------------------------------
 
-  Written and maintained by Michal Zalewski <lcamtuf@google.com>
+  Written by Michal Zalewski
 
  Copyright 2013, 2014 Google Inc. All rights reserved.
 
--- a/experimental/clang_asm_normalize/as
+++ b/experimental/clang_asm_normalize/as
@ -3,7 +3,7 @@
 # american fuzzy lop - clang assembly normalizer
 # ----------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 # The idea for this wrapper comes from Ryan Govostes.
 #
 # Copyright 2013, 2014 Google Inc. All rights reserved.
--- a/experimental/crash_triage/triage_crashes.sh
+++ b/experimental/crash_triage/triage_crashes.sh
@ -3,7 +3,7 @@
 # american fuzzy lop - crash triage utility
 # -----------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2013, 2014, 2017 Google Inc. All rights reserved.
 #
@ -22,7 +22,7 @@
 # necessary.
 #

-echo "crash triage utility for afl-fuzz by <lcamtuf@google.com>"
+echo "crash triage utility for afl-fuzz by Michal Zalewski"
 echo

 ulimit -v 100000 2>/dev/null
--- a/experimental/distributed_fuzzing/sync_script.sh
+++ b/experimental/distributed_fuzzing/sync_script.sh
@ -3,7 +3,7 @@
 # american fuzzy lop - fuzzer synchronization tool
 # ------------------------------------------------
 #
-# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2014 Google Inc. All rights reserved.
 #
--- a/experimental/persistent_demo/persistent_demo.c
+++ b/experimental/persistent_demo/persistent_demo.c
@ -2,7 +2,7 @@
   american fuzzy lop - persistent mode example
   --------------------------------------------

-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2015 Google Inc. All rights reserved.

@ -28,11 +28,11 @@
 #include <signal.h>
 #include <string.h>

-
 /* Main entry point. */

 int main(int argc, char** argv) {

+  ssize_t len;                               /* how much input did we read? */
  char buf[100]; /* Example-only buffer, you'd replace it with other global or
                    local variables appropriate for your use case. */

@ -57,23 +57,34 @@ int main(int argc, char** argv) {
               Beware of reading from buffered FILE* objects such as stdin. Use
               raw file descriptors or call fopen() / fdopen() in every pass. */

-    read(0, buf, 100);
+    len = read(0, buf, 100);

    /* STEP 3: This is where we'd call the tested library on the read data.
               We just have some trivial inline code that faults on 'foo!'. */

+    /* do we have enough data? */
+    if (len < 4) return 0;
+
    if (buf[0] == 'f') {
+
      printf("one\n");
      if (buf[1] == 'o') {
+
        printf("two\n");
        if (buf[2] == 'o') {
+
          printf("three\n");
          if (buf[3] == '!') {
+
            printf("four\n");
            abort();
+
          }
+
        }
+
      }
+
    }

    /*** END PLACEHOLDER CODE ***/
@ -87,3 +98,4 @@ int main(int argc, char** argv) {
  return 0;

 }
+
--- a/experimental/post_library/post_library.so.c
+++ b/experimental/post_library/post_library.so.c
@ -2,7 +2,7 @@
   american fuzzy lop - postprocessor library example
   --------------------------------------------------

-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2015 Google Inc. All rights reserved.

@ -21,9 +21,9 @@
      in the targeted binary (as shown in ../libpng_no_checksum/). One possible
      exception is the process of fuzzing binary-only software in QEMU mode.

-   2) The use of postprocessors for anything other than checksums is questionable
-      and may cause more harm than good. AFL is normally pretty good about
-      dealing with length fields, magic values, etc.
+   2) The use of postprocessors for anything other than checksums is
+   questionable and may cause more harm than good. AFL is normally pretty good
+   about dealing with length fields, magic values, etc.

   3) Postprocessors that do anything non-trivial must be extremely robust to
      gracefully handle malformed data and other error conditions - otherwise,
@ -77,10 +77,10 @@
 /* The actual postprocessor routine called by afl-fuzz: */

 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {

  static unsigned char* saved_buf;
-  unsigned char* new_buf;
+  unsigned char*        new_buf;

  /* Skip execution altogether for buffers shorter than 6 bytes (just to
     show how it's done). We can trust *len to be sane. */
@ -117,3 +117,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
  return new_buf;

 }
+
--- a/experimental/post_library/post_library_png.so.c
+++ b/experimental/post_library/post_library_png.so.c
@ -2,7 +2,7 @@
   american fuzzy lop - postprocessor for PNG
   ------------------------------------------

-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2015 Google Inc. All rights reserved.

@ -36,13 +36,13 @@
 #define UP4K(_i) ((((_i) >> 12) + 1) << 12)

 const unsigned char* afl_postprocess(const unsigned char* in_buf,
-                                     unsigned int* len) {
+                                     unsigned int*        len) {

  static unsigned char* saved_buf;
  static unsigned int   saved_len;

  unsigned char* new_buf = (unsigned char*)in_buf;
-  unsigned int pos = 8;
+  unsigned int   pos = 8;

  /* Don't do anything if there's not enough room for the PNG header
     (8 bytes). */
@ -111,3 +111,4 @@ const unsigned char* afl_postprocess(const unsigned char* in_buf,
  return new_buf;

 }
+
--- a/experimental/socket_fuzzing/Makefile
+++ b/experimental/socket_fuzzing/Makefile
@ -0,0 +1,35 @@
+#
+# american fuzzy lop++ - socket_fuzz
+# ----------------------------------
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+.PHONY: all install clean
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+
+CFLAGS = -fPIC -Wall -Wextra
+LDFLAGS = -shared -ldl
+
+all: socketfuzz32.so socketfuzz64.so
+
+socketfuzz32.so: socketfuzz.c
+	-$(CC) -m32 $(CFLAGS) $^ $(LDFLAGS) -o $@ || echo "socketfuzz32 build failure (that's fine)"
+
+socketfuzz64.so: socketfuzz.c
+	-$(CC) $(CFLAGS) $^ $(LDFLAGS) -o $@
+
+install: socketfuzz32.so socketfuzz64.so
+	install -d -m 755 $(DESTDIR)$(HELPER_PATH)/
+	if [ -f socketfuzz32.so ]; then set -e; install -m 755 socketfuzz32.so $(DESTDIR)$(HELPER_PATH)/; fi
+	install -m 755 socketfuzz64.so $(DESTDIR)$(HELPER_PATH)/
+
+clean:
+	rm -f socketfuzz32.so socketfuzz64.so
--- a/experimental/socket_fuzzing/README.md
+++ b/experimental/socket_fuzzing/README.md
@ -0,0 +1,11 @@
+# socketfuzz
+
+when you want to fuzz a network service and you can not/do not want to modify
+the source (or just have a binary), then this LD_PRELOAD library will allow
+for sending input to stdin which the target binary will think is coming from
+a network socket.
+
+This is desock_dup.c from the amazing preeny project
+https://github.com/zardus/preeny
+
+It is packaged in afl++ to have it at hand if needed
--- a/experimental/socket_fuzzing/socketfuzz.c
+++ b/experimental/socket_fuzzing/socketfuzz.c
@ -0,0 +1,110 @@
+/*
+ * This is desock_dup.c from the amazing preeny project
+ * https://github.com/zardus/preeny
+ *
+ * It is packaged in afl++ to have it at hand if needed
+ *
+ */
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>   //
+#include <sys/socket.h>  //
+#include <sys/stat.h>    //
+#include <fcntl.h>       //
+#include <netinet/in.h>
+#include <pthread.h>
+#include <signal.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <stdio.h>
+#include <poll.h>
+//#include "logging.h" // switche from preeny_info() to fprintf(stderr, "Info: "
+
+//
+// originals
+//
+int (*original_close)(int);
+int (*original_dup2)(int, int);
+__attribute__((constructor)) void preeny_desock_dup_orig() {
+
+  original_close = dlsym(RTLD_NEXT, "close");
+  original_dup2 = dlsym(RTLD_NEXT, "dup2");
+
+}
+
+int close(int sockfd) {
+
+  if (sockfd <= 2) {
+
+    fprintf(stderr, "Info: Disabling close on %d\n", sockfd);
+    return 0;
+
+  } else {
+
+    return original_close(sockfd);
+
+  }
+
+}
+
+int dup2(int old, int new) {
+
+  if (new <= 2) {
+
+    fprintf(stderr, "Info: Disabling dup from %d to %d\n", old, new);
+    return 0;
+
+  } else {
+
+    return original_dup2(old, new);
+
+  }
+
+}
+
+int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating accept on %d\n", sockfd);
+  return 0;
+
+}
+
+int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
+
+  (void)sockfd;
+  (void)addr;
+  (void)addrlen;
+  fprintf(stderr, "Info: Emulating bind on port %d\n",
+          ntohs(((struct sockaddr_in *)addr)->sin_port));
+  return 0;
+
+}
+
+int listen(int sockfd, int backlog) {
+
+  (void)sockfd;
+  (void)backlog;
+  return 0;
+
+}
+
+int setsockopt(int sockfd, int level, int optid, const void *optdata,
+               socklen_t optdatalen) {
+
+  (void)sockfd;
+  (void)level;
+  (void)optid;
+  (void)optdata;
+  (void)optdatalen;
+  return 0;
+
+}
+
--- a/gcc_plugin/Makefile
+++ b/gcc_plugin/Makefile
@ -0,0 +1,130 @@
+#
+# american fuzzy lop - GCC plugin instrumentation
+# -----------------------------------------------
+#
+# Written by Austin Seipp <aseipp@pobox.com> and
+#            Laszlo Szekeres <lszekeres@google.com> and
+#            Michal Zalewski and
+#            Heiko Eißfeldt  <heiko@hexco.de>
+#
+# GCC integration design is based on the LLVM design, which comes
+# from Laszlo Szekeres.
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+PREFIX      ?= /usr/local
+HELPER_PATH  = $(PREFIX)/lib/afl
+BIN_PATH     = $(PREFIX)/bin
+
+CFLAGS      ?= -O3 -g -funroll-loops
+CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -Wno-pointer-sign \
+               -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+
+CXXFLAGS    ?= -O3 -g -funroll-loops
+CXXEFLAGS   := $(CXXFLAGS) -Wall -D_FORTIFY_SOURCE=2
+
+CC          ?= gcc
+CXX         ?= g++
+
+PLUGIN_FLAGS = -fPIC -fno-rtti -I"$(shell $(CC) -print-file-name=plugin)/include"
+
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+ifeq "$(TEST_MMAP)" "1"
+	SHMAT_OK=0
+	CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -lrt
+endif
+
+PROGS        = ../afl-gcc-fast ../afl-gcc-pass.so ../afl-gcc-rt.o
+
+
+all: test_shm test_deps $(PROGS) afl-gcc-fast.8 test_build all_done
+
+ifeq "$(SHMAT_OK)" "1"
+
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+
+else
+
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+
+endif
+
+
+test_deps:
+	@echo "[*] Checking for working '$(CC)'..."
+	@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+#	@echo "[*] Checking for gcc for plugin support..."
+#	@$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 )
+	@echo "[*] Checking for gcc plugin development header files..."
+	@test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 )
+	@echo "[*] Checking for '../afl-showmap'..."
+	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@echo "[+] All set and ready to build."
+
+../afl-gcc-fast: afl-gcc-fast.c | test_deps
+	$(CC) -DAFL_GCC_CC=\"$(CC)\" -DAFL_GCC_CXX=\"$(CXX)\" $(CFLAGS) $< -o $@ $(LDFLAGS)
+	ln -sf afl-gcc-fast ../afl-g++-fast
+
+../afl-gcc-pass.so: afl-gcc-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+
+../afl-gcc-rt.o: afl-gcc-rt.o.c | test_deps
+	$(CC) $(CFLAGS) -fPIC -c $< -o $@
+
+test_build: $(PROGS)
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+#	unset AFL_USE_ASAN AFL_USE_MSAN;             AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ../afl-gcc-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
+	../afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
+	echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+all_done: test_build
+	@echo "[+] All done! You can now use '../afl-gcc-fast' to compile programs."
+
+.NOTPARALLEL: clean
+
+vpath  % ..
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .SH NAME >> ../$@
+	@echo .B $* >> ../$@
+	@echo >> ../$@
+	@echo .SH SYNOPSIS >> ../$@
+	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@echo >> ../$@
+	@echo .SH OPTIONS >> ../$@
+	@echo .nf >> ../$@
+	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@echo >> ../$@
+	@echo .SH AUTHOR >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@
+	@echo >> ../$@
+	@echo .SH LICENSE >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ../$@
+	ln -sf afl-gcc-fast.8 ../afl-g++-fast.8
+
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
+	rm -f $(PROGS) ../afl-g++-fast ../afl-g*-fast.8
--- a/gcc_plugin/README.gcc.md
+++ b/gcc_plugin/README.gcc.md
@ -0,0 +1,160 @@
+===========================================
+GCC-based instrumentation for afl-fuzz
+======================================
+
+  (See ../docs/README.md for the general instruction manual.)
+  (See ../llvm_mode/README.md for the LLVM-based instrumentation.)
+
+!!! TODO items are:
+!!!  => inline instrumentation has to work!
+!!!
+
+
+## 1) Introduction
+
+The code in this directory allows you to instrument programs for AFL using
+true compiler-level instrumentation, instead of the more crude
+assembly-level rewriting approach taken by afl-gcc and afl-clang. This has
+several interesting properties:
+
+  - The compiler can make many optimizations that are hard to pull off when
+    manually inserting assembly. As a result, some slow, CPU-bound programs will
+    run up to around faster.
+
+    The gains are less pronounced for fast binaries, where the speed is limited
+    chiefly by the cost of creating new processes. In such cases, the gain will
+    probably stay within 10%.
+
+  - The instrumentation is CPU-independent. At least in principle, you should
+    be able to rely on it to fuzz programs on non-x86 architectures (after
+    building afl-fuzz with AFL_NOX86=1).
+
+  - Because the feature relies on the internals of GCC, it is gcc-specific
+    and will *not* work with LLVM (see ../llvm_mode for an alternative).
+
+Once this implementation is shown to be sufficiently robust and portable, it
+will probably replace afl-gcc. For now, it can be built separately and
+co-exists with the original code.
+
+The idea and much of the implementation comes from Laszlo Szekeres.
+
+## 2) How to use
+
+In order to leverage this mechanism, you need to have modern enough GCC
+(>= version 4.5.0) and the plugin headers installed on your system. That
+should be all you need. On Debian machines, these headers can be acquired by
+installing the `gcc-<VERSION>-plugin-dev` packages.
+
+To build the instrumentation itself, type 'make'. This will generate binaries
+called afl-gcc-fast and afl-g++-fast in the parent directory. 
+If the CC/CXX have been overridden, those compilers will be used from
+those wrappers without using AFL_CXX/AFL_CC settings.
+Once this is done, you can instrument third-party code in a way similar to the
+standard operating mode of AFL, e.g.:
+
+  CC=/path/to/afl/afl-gcc-fast ./configure [...options...]
+  make
+
+Be sure to also include CXX set to afl-g++-fast for C++ code.
+
+The tool honors roughly the same environmental variables as afl-gcc (see
+../docs/env_variables.txt). This includes AFL_INST_RATIO, AFL_USE_ASAN,
+AFL_HARDEN, and AFL_DONT_OPTIMIZE.
+
+Note: if you want the GCC plugin to be installed on your system for all
+users, you need to build it before issuing 'make install' in the parent
+directory.
+
+## 3) Gotchas, feedback, bugs
+
+This is an early-stage mechanism, so field reports are welcome. You can send bug
+reports to <hexcoder-@github.com>.
+
+## 4) Bonus feature #1: deferred initialization
+
+AFL tries to optimize performance by executing the targeted binary just once,
+stopping it just before main(), and then cloning this "master" process to get
+a steady supply of targets to fuzz.
+
+Although this approach eliminates much of the OS-, linker- and libc-level
+costs of executing the program, it does not always help with binaries that
+perform other time-consuming initialization steps - say, parsing a large config
+file before getting to the fuzzed data.
+
+In such cases, it's beneficial to initialize the forkserver a bit later, once
+most of the initialization work is already done, but before the binary attempts
+to read the fuzzed input and parse it; in some cases, this can offer a 10x+
+performance gain. You can implement delayed initialization in LLVM mode in a
+fairly simple way.
+
+First, locate a suitable location in the code where the delayed cloning can
+take place. This needs to be done with *extreme* care to avoid breaking the
+binary. In particular, the program will probably malfunction if you select
+a location after:
+
+  - The creation of any vital threads or child processes - since the forkserver
+    can't clone them easily.
+
+  - The initialization of timers via setitimer() or equivalent calls.
+
+  - The creation of temporary files, network sockets, offset-sensitive file
+    descriptors, and similar shared-state resources - but only provided that
+    their state meaningfully influences the behavior of the program later on.
+
+  - Any access to the fuzzed input, including reading the metadata about its
+    size.
+
+With the location selected, add this code in the appropriate spot:
+
+```
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+  __AFL_INIT();
+#endif
+```
+
+You don't need the #ifdef guards, but they will make the program still work as
+usual when compiled with a tool other than afl-gcc-fast/afl-clang-fast.
+
+Finally, recompile the program with afl-gcc-fast (afl-gcc or afl-clang will
+*not* generate a deferred-initialization binary) - and you should be all set!
+
+## 5) Bonus feature #2: persistent mode
+
+Some libraries provide APIs that are stateless, or whose state can be reset in
+between processing different input files. When such a reset is performed, a
+single long-lived process can be reused to try out multiple test cases,
+eliminating the need for repeated fork() calls and the associated OS overhead.
+
+The basic structure of the program that does this would be:
+
+```
+  while (__AFL_LOOP(1000)) {
+
+    /* Read input data. */
+    /* Call library code to be fuzzed. */
+    /* Reset state. */
+
+  }
+
+  /* Exit normally */
+```
+
+The numerical value specified within the loop controls the maximum number
+of iterations before AFL will restart the process from scratch. This minimizes
+the impact of memory leaks and similar glitches; 1000 is a good starting point.
+
+A more detailed template is shown in ../experimental/persistent_demo/.
+Similarly to the previous mode, the feature works only with afl-gcc-fast or
+afl-clang-fast; #ifdef guards can be used to suppress it when using other
+compilers.
+
+Note that as with the previous mode, the feature is easy to misuse; if you
+do not reset the critical state fully, you may end up with false positives or
+waste a whole lot of CPU power doing nothing useful at all. Be particularly
+wary of memory leaks and the state of file descriptors.
+
+When running in this mode, the execution paths will inherently vary a bit
+depending on whether the input loop is being entered for the first time or
+executed again. To avoid spurious warnings, the feature implies
+AFL_NO_VAR_CHECK and hides the "variable path" warnings in the UI.
+
--- a/gcc_plugin/README.whitelist.md
+++ b/gcc_plugin/README.whitelist.md
@ -0,0 +1,73 @@
+========================================
+Using afl++ with partial instrumentation
+========================================
+
+  This file describes how you can selectively instrument only the source files
+  that are interesting to you using the gcc instrumentation provided by
+  afl++.
+
+  Plugin by hexcoder-.
+
+
+## 1) Description and purpose
+
+When building and testing complex programs where only a part of the program is
+the fuzzing target, it often helps to only instrument the necessary parts of
+the program, leaving the rest uninstrumented. This helps to focus the fuzzer
+on the important parts of the program, avoiding undesired noise and
+disturbance by uninteresting code being exercised.
+
+For this purpose, I have added a "partial instrumentation" support to the gcc
+plugin of AFLFuzz that allows you to specify on a source file level which files
+should be compiled with or without instrumentation.
+
+
+## 2) Building the gcc plugin
+
+The new code is part of the existing afl++ gcc plugin in the gcc_plugin/
+subdirectory. There is nothing specifically to do :)
+
+
+## 3) How to use the partial instrumentation mode
+
+In order to build with partial instrumentation, you need to build with
+afl-gcc-fast and afl-g++-fast respectively. The only required change is
+that you need to set the environment variable AFL_GCC_WHITELIST when calling
+the compiler.
+
+The environment variable must point to a file containing all the filenames
+that should be instrumented. For matching, the filename that is being compiled
+must end in the filename entry contained in this whitelist (to avoid breaking
+the matching when absolute paths are used during compilation).
+
+For example if your source tree looks like this:
+
+```
+project/
+project/feature_a/a1.cpp
+project/feature_a/a2.cpp
+project/feature_b/b1.cpp
+project/feature_b/b2.cpp
+```
+
+and you only want to test feature_a, then create a whitelist file containing:
+
+```
+feature_a/a1.cpp
+feature_a/a2.cpp
+```
+
+However if the whitelist file contains only this, it works as well:
+
+```
+a1.cpp
+a2.cpp
+```
+
+but it might lead to files being unwantedly instrumented if the same filename
+exists somewhere else in the project directories.
+
+The created whitelist file is then set to AFL_GCC_WHITELIST when you compile
+your program. For each file that didn't match the whitelist, the compiler will
+issue a warning at the end stating that no blocks were instrumented. If you
+didn't intend to instrument that file, then you can safely ignore that warning.
--- a/gcc_plugin/afl-gcc-fast.c
+++ b/gcc_plugin/afl-gcc-fast.c
@ -0,0 +1,357 @@
+/*
+   american fuzzy lop - GCC wrapper for GCC plugin
+   ------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Copyright 2015 Google Inc. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This program is a drop-in replacement for gcc, similar in most
+   respects to ../afl-gcc, but with compiler instrumentation through a
+   plugin. It tries to figure out compilation mode, adds a bunch of
+   flags, and then calls the real compiler.
+
+ */
+
+#define AFL_MAIN
+
+#include "../config.h"
+#include "../types.h"
+#include "../include/debug.h"
+#include "../include/alloc-inl.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+
+static u8*  obj_path;                  /* Path to runtime libraries         */
+static u8** cc_params;                 /* Parameters passed to the real CC  */
+static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
+
+/* Try to find the runtime libraries. If that fails, abort. */
+
+static void find_obj(u8* argv0) {
+
+  u8* afl_path = getenv("AFL_PATH");
+  u8 *slash, *tmp;
+
+  if (afl_path) {
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", afl_path);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = afl_path;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+
+  }
+
+  slash = strrchr(argv0, '/');
+
+  if (slash) {
+
+    u8* dir;
+
+    *slash = 0;
+    dir = ck_strdup(argv0);
+    *slash = '/';
+
+    tmp = alloc_printf("%s/afl-gcc-rt.o", dir);
+
+    if (!access(tmp, R_OK)) {
+
+      obj_path = dir;
+      ck_free(tmp);
+      return;
+
+    }
+
+    ck_free(tmp);
+    ck_free(dir);
+
+  }
+
+  if (!access(AFL_PATH "/afl-gcc-rt.o", R_OK)) {
+
+    obj_path = AFL_PATH;
+    return;
+
+  }
+
+  FATAL(
+      "Unable to find 'afl-gcc-rt.o' or 'afl-gcc-pass.so'. Please set "
+      "AFL_PATH");
+
+}
+
+/* Copy argv to cc_params, making the necessary edits. */
+
+static void edit_params(u32 argc, char** argv) {
+
+  u8  fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1;
+  u8* name;
+
+  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
+
+  name = strrchr(argv[0], '/');
+  if (!name)
+    name = argv[0];
+  else
+    ++name;
+
+  if (!strcmp(name, "afl-g++-fast")) {
+
+    u8* alt_cxx = getenv("AFL_CXX");
+    cc_params[0] = alt_cxx ? alt_cxx : (u8*)AFL_GCC_CXX;
+
+  } else {
+
+    u8* alt_cc = getenv("AFL_CC");
+    cc_params[0] = alt_cc ? alt_cc : (u8*)AFL_GCC_CC;
+
+  }
+
+  char* fplugin_arg = alloc_printf("-fplugin=%s/afl-gcc-pass.so", obj_path);
+  cc_params[cc_par_cnt++] = fplugin_arg;
+
+  /* Detect stray -v calls from ./configure scripts. */
+
+  if (argc == 1 && !strcmp(argv[1], "-v")) maybe_linking = 0;
+
+  while (--argc) {
+
+    u8* cur = *(++argv);
+
+#if defined(__x86_64__)
+    if (!strcmp(cur, "-m32")) FATAL("-m32 is not supported");
+#endif
+
+    if (!strcmp(cur, "-x")) x_set = 1;
+
+    if (!strcmp(cur, "-c") || !strcmp(cur, "-S") || !strcmp(cur, "-E") ||
+        !strcmp(cur, "-v"))
+      maybe_linking = 0;
+
+    if (!strcmp(cur, "-fsanitize=address") || !strcmp(cur, "-fsanitize=memory"))
+      asan_set = 1;
+
+    if (strstr(cur, "FORTIFY_SOURCE")) fortify_set = 1;
+
+    if (!strcmp(cur, "-shared")) maybe_linking = 0;
+
+    cc_params[cc_par_cnt++] = cur;
+
+  }
+
+  if (getenv("AFL_HARDEN")) {
+
+    cc_params[cc_par_cnt++] = "-fstack-protector-all";
+
+    if (!fortify_set) cc_params[cc_par_cnt++] = "-D_FORTIFY_SOURCE=2";
+
+  }
+
+  if (!asan_set) {
+
+    if (getenv("AFL_USE_ASAN")) {
+
+      if (getenv("AFL_USE_MSAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("ASAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=address";
+
+    } else if (getenv("AFL_USE_MSAN")) {
+
+      if (getenv("AFL_USE_ASAN")) FATAL("ASAN and MSAN are mutually exclusive");
+
+      if (getenv("AFL_HARDEN"))
+        FATAL("MSAN and AFL_HARDEN are mutually exclusive");
+
+      cc_params[cc_par_cnt++] = "-U_FORTIFY_SOURCE";
+      cc_params[cc_par_cnt++] = "-fsanitize=memory";
+
+    }
+
+  }
+
+  if (!getenv("AFL_DONT_OPTIMIZE")) {
+
+    cc_params[cc_par_cnt++] = "-g";
+    cc_params[cc_par_cnt++] = "-O3";
+    cc_params[cc_par_cnt++] = "-funroll-loops";
+
+  }
+
+  if (getenv("AFL_NO_BUILTIN")) {
+
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";
+
+  }
+
+#ifdef USEMMAP
+  cc_params[cc_par_cnt++] = "-lrt";
+#endif
+
+  cc_params[cc_par_cnt++] = "-D__AFL_HAVE_MANUAL_CONTROL=1";
+  cc_params[cc_par_cnt++] = "-D__AFL_COMPILER=1";
+  cc_params[cc_par_cnt++] = "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1";
+
+  /* When the user tries to use persistent or deferred forkserver modes by
+     appending a single line to the program, we want to reliably inject a
+     signature into the binary (to be picked up by afl-fuzz) and we want
+     to call a function from the runtime .o file. This is unnecessarily
+     painful for three reasons:
+
+     1) We need to convince the compiler not to optimize out the signature.
+        This is done with __attribute__((used)).
+
+     2) We need to convince the linker, when called with -Wl,--gc-sections,
+        not to do the same. This is done by forcing an assignment to a
+        'volatile' pointer.
+
+     3) We need to declare __afl_persistent_loop() in the global namespace,
+        but doing this within a method in a class is hard - :: and extern "C"
+        are forbidden and __attribute__((alias(...))) doesn't work. Hence the
+        __asm__ aliasing trick.
+
+   */
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_LOOP(_A)="
+      "({ static volatile char *_B __attribute__((used)); "
+      " _B = (char*)\"" PERSIST_SIG
+      "\"; "
+#ifdef __APPLE__
+      "int _L(unsigned int) __asm__(\"___afl_persistent_loop\"); "
+#else
+      "int _L(unsigned int) __asm__(\"__afl_persistent_loop\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_L(_A); })";
+
+  cc_params[cc_par_cnt++] =
+      "-D__AFL_INIT()="
+      "do { static volatile char *_A __attribute__((used)); "
+      " _A = (char*)\"" DEFER_SIG
+      "\"; "
+#ifdef __APPLE__
+      "void _I(void) __asm__(\"___afl_manual_init\"); "
+#else
+      "void _I(void) __asm__(\"__afl_manual_init\"); "
+#endif                                                        /* ^__APPLE__ */
+      "_I(); } while (0)";
+
+  if (maybe_linking) {
+
+    if (x_set) {
+
+      cc_params[cc_par_cnt++] = "-x";
+      cc_params[cc_par_cnt++] = "none";
+
+    }
+
+    cc_params[cc_par_cnt++] = alloc_printf("%s/afl-gcc-rt.o", obj_path);
+
+  }
+
+  cc_params[cc_par_cnt] = NULL;
+
+}
+
+/* Main entry point */
+
+int main(int argc, char** argv) {
+
+  if (argc < 2 || strcmp(argv[1], "-h") == 0) {
+
+    printf(
+        cCYA
+        "afl-gcc-fast" VERSION cRST
+        " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"
+        "\n"
+        "afl-gcc-fast [options]\n"
+        "\n"
+        "This is a helper application for afl-fuzz. It serves as a drop-in "
+        "replacement\n"
+        "for gcc, letting you recompile third-party code with the required "
+        "runtime\n"
+        "instrumentation. A common use pattern would be one of the "
+        "following:\n\n"
+
+        "  CC=%s/afl-gcc-fast ./configure\n"
+        "  CXX=%s/afl-g++-fast ./configure\n\n"
+
+        "In contrast to the traditional afl-gcc tool, this version is "
+        "implemented as\n"
+        "a GCC plugin and tends to offer improved performance with slow "
+        "programs\n"
+        "(similarly to the LLVM plugin used by afl-clang-fast).\n\n"
+
+        "You can specify custom next-stage toolchain via AFL_CC and AFL_CXX. "
+        "Setting\n"
+        "AFL_HARDEN enables hardening optimizations in the compiled code.\n\n",
+        BIN_PATH, BIN_PATH);
+
+    exit(1);
+
+  } else if (isatty(2) && !getenv("AFL_QUIET")) {
+
+    SAYF(cCYA "afl-gcc-fast" VERSION cRST
+              " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n");
+
+    if (getenv("AFL_GCC_WHITELIST") == NULL) {
+
+      SAYF(cYEL "Warning:" cRST
+                " using afl-gcc-fast without using AFL_GCC_WHITELIST currently "
+                "produces worse results than afl-gcc. Even better, use "
+                "llvm_mode for now.\n");
+
+    }
+
+  }
+
+  find_obj(argv[0]);
+
+  edit_params(argc, argv);
+  /*if (isatty(2) && !getenv("AFL_QUIET")) {
+
+            printf("Calling \"%s\" with:\n", cc_params[0]);
+            for(int i=1; i<cc_par_cnt; i++) printf("%s\n", cc_params[i]);
+
+    }
+
+  */
+  execvp(cc_params[0], (char**)cc_params);
+
+  FATAL("Oops, failed to execute '%s' - check your PATH", cc_params[0]);
+
+  return 0;
+
+}
+
--- a/gcc_plugin/afl-gcc-pass.so.cc
+++ b/gcc_plugin/afl-gcc-pass.so.cc
@ -0,0 +1,593 @@
+//
+// There are some TODOs in this file:
+//   - fix instrumentation via external call
+//   - fix inline instrumentation
+//   - implement whitelist feature
+//   - dont instrument blocks that are uninteresting
+//   - implement neverZero
+//
+
+/*
+   american fuzzy lop - GCC instrumentation pass
+   ---------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> with bits from
+              Emese Revfy <re.emese@gmail.com>
+
+   Fixed by Heiko Eißfeldt 2019 for AFL++
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres. Some of the boilerplate code below for
+   afl_pass to adapt to different GCC versions was taken from Emese
+   Revfy's Size Overflow plugin for GCC, licensed under the GPLv2/v3.
+
+   (NOTE: this plugin code is under GPLv3, in order to comply with the
+   GCC runtime library exception, which states that you may distribute
+   "Target Code" from the compiler under a license of your choice, as
+   long as the "Compilation Process" is "Eligible", and contains no
+   GPL-incompatible software in GCC "during the process of
+   transforming high level code to target code". In this case, the
+   plugin will be used to generate "Target Code" during the
+   "Compilation Process", and thus it must be GPLv3 to be "eligible".)
+
+   Copyright (C) 2015 Austin Seipp
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ */
+
+#define BUILD_INLINE_INST
+
+#include "../config.h"
+#include "../include/debug.h"
+
+/* clear helper AFL types pulls in, which intervene with gcc-plugin geaders from
+ * GCC-8 */
+#ifdef likely
+#undef likely
+#endif
+#ifdef unlikely
+#undef unlikely
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <list>
+#include <string>
+#include <fstream>
+
+#include <gcc-plugin.h>
+#include <plugin-version.h>
+#include <diagnostic.h>
+#include <tree.h>
+#include <tree-ssa.h>
+#include <tree-pass.h>
+#include <tree-ssa-alias.h>
+#include <basic-block.h>
+#include <gimple-expr.h>
+#include <gimple.h>
+#include <gimple-iterator.h>
+#include <gimple-ssa.h>
+#include <version.h>
+#include <toplev.h>
+#include <intl.h>
+#include <context.h>
+#include <stringpool.h>
+#include <cgraph.h>
+#include <cfgloop.h>
+
+/* -------------------------------------------------------------------------- */
+/* -- AFL instrumentation pass ---------------------------------------------- */
+
+static int                    be_quiet = 0;
+static unsigned int           inst_ratio = 100;
+static bool                   inst_ext = true;
+static std::list<std::string> myWhitelist;
+
+static unsigned int ext_call_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+
+  tree fntype = build_function_type_list(void_type_node,          /* return */
+                                         uint32_type_node,          /* args */
+                                         NULL_TREE);                /* done */
+  tree fndecl = build_fn_decl("__afl_trace", fntype);
+  TREE_STATIC(fndecl) = 1;                             /* Defined elsewhere */
+  TREE_PUBLIC(fndecl) = 1;                                        /* Public */
+  DECL_EXTERNAL(fndecl) = 1;                            /* External linkage */
+  DECL_ARTIFICIAL(fndecl) = 1;                      /* Injected by compiler */
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           fcall;
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Update bitmap via external call */
+    /* to quote:
+     * /+ Trace a basic block with some ID +/
+     * void __afl_trace(u32 x);
+     */
+
+    fcall = gimple_build_call(
+        fndecl, 1,
+        cur_loc); /* generate the function _call_ to above built reference, with
+                   *1* parameter -> the random const for the location */
+    gimple_seq_add_stmt(&seq, fcall);         /* and insert into a sequence */
+
+    /* Done - grab the entry to the block and insert sequence */
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_SAME_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented %2u locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+static unsigned int inline_instrument(function *fun) {
+
+  /* Instrument all the things! */
+  basic_block bb;
+  unsigned    finst_blocks = 0;
+  unsigned    fcnt_blocks = 0;
+  tree        one = build_int_cst(unsigned_char_type_node, 1);
+  // tree zero = build_int_cst(unsigned_char_type_node, 0);
+
+  /* Set up global type declarations */
+  tree map_type = build_pointer_type(unsigned_char_type_node);
+  tree map_ptr_g =
+      build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                 get_identifier_with_length("__afl_area_ptr", 14), map_type);
+  TREE_USED(map_ptr_g) = 1;
+  TREE_STATIC(map_ptr_g) = 1;                          /* Defined elsewhere */
+  DECL_EXTERNAL(map_ptr_g) = 1;                         /* External linkage */
+  DECL_PRESERVE_P(map_ptr_g) = 1;
+  DECL_ARTIFICIAL(map_ptr_g) = 1;                   /* Injected by compiler */
+  rest_of_decl_compilation(map_ptr_g, 1, 0);
+
+  tree prev_loc_g = build_decl(UNKNOWN_LOCATION, VAR_DECL,
+                               get_identifier_with_length("__afl_prev_loc", 14),
+                               uint32_type_node);
+  TREE_USED(prev_loc_g) = 1;
+  TREE_STATIC(prev_loc_g) = 1;                         /* Defined elsewhere */
+  DECL_EXTERNAL(prev_loc_g) = 1;                        /* External linkage */
+  DECL_PRESERVE_P(prev_loc_g) = 1;
+  DECL_ARTIFICIAL(prev_loc_g) = 1;                  /* Injected by compiler */
+  set_decl_tls_model(prev_loc_g, TLS_MODEL_REAL);          /* TLS attribute */
+  rest_of_decl_compilation(prev_loc_g, 1, 0);
+
+  FOR_EACH_BB_FN(bb, fun) {
+
+    gimple_seq           seq = NULL;
+    gimple_stmt_iterator bentry;
+    ++fcnt_blocks;
+
+    // only instrument if this basic block is the destination of a previous
+    // basic block that has multiple successors
+    // this gets rid of ~5-10% of instrumentations that are unnecessary
+    // result: a little more speed and less map pollution
+
+    int           more_than_one = -1;
+    edge          ep;
+    edge_iterator eip;
+    FOR_EACH_EDGE(ep, eip, bb->preds) {
+
+      int count = 0;
+      if (more_than_one == -1) more_than_one = 0;
+
+      basic_block   Pred = ep->src;
+      edge          es;
+      edge_iterator eis;
+      FOR_EACH_EDGE(es, eis, Pred->succs) {
+
+        basic_block Succ = es->dest;
+        if (Succ != NULL) count++;
+
+      }
+
+      if (count > 1) more_than_one = 1;
+
+    }
+
+    if (more_than_one != 1) continue;
+
+    /* Bail on this block if we trip the specified ratio */
+    if (R(100) >= inst_ratio) continue;
+
+    /* Make up cur_loc */
+
+    unsigned int rand_loc = R(MAP_SIZE);
+    tree         cur_loc = build_int_cst(uint32_type_node, rand_loc);
+
+    /* Load prev_loc, xor with cur_loc */
+    // gimple_assign <var_decl, prev_loc.0_1, prev_loc, NULL, NULL>
+    tree     prev_loc = create_tmp_var_raw(uint32_type_node, "prev_loc");
+    gassign *g = gimple_build_assign(prev_loc, VAR_DECL, prev_loc_g);
+    gimple_seq_add_stmt(&seq, g);  // load prev_loc
+    update_stmt(g);
+
+    // gimple_assign <bit_xor_expr, _2, prev_loc.0_1, 47231, NULL>
+    tree area_off = create_tmp_var_raw(uint32_type_node, "area_off");
+    g = gimple_build_assign(area_off, BIT_XOR_EXPR, prev_loc, cur_loc);
+    gimple_seq_add_stmt(&seq, g);  // area_off = prev_loc ^ cur_loc
+    update_stmt(g);
+
+    /* Update bitmap */
+
+    // gimple_assign <addr_expr, p_6, &map[_2], NULL, NULL>
+    tree map_ptr = create_tmp_var(map_type, "map_ptr");
+    tree map_ptr2 = create_tmp_var(map_type, "map_ptr2");
+
+    g = gimple_build_assign(map_ptr, map_ptr_g);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr = __afl_area_ptr
+    update_stmt(g);
+
+#if 1
+#if 0
+		tree addr = build2(ADDR_EXPR, map_type, map_ptr, area_off);
+		g = gimple_build_assign(map_ptr2, MODIFY_EXPR, addr);
+		gimple_seq_add_stmt(&seq, g); // map_ptr2 = map_ptr + area_off
+		update_stmt(g);
+#else
+    g = gimple_build_assign(map_ptr2, PLUS_EXPR, map_ptr, area_off);
+    gimple_seq_add_stmt(&seq, g);  // map_ptr2 = map_ptr + area_off
+    update_stmt(g);
+#endif
+
+    // gimple_assign <mem_ref, _3, *p_6, NULL, NULL>
+    tree tmp1 = create_tmp_var_raw(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, MEM_REF, map_ptr2);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *map_ptr2
+    update_stmt(g);
+#else
+    tree atIndex = build2(PLUS_EXPR, uint32_type_node, map_ptr, area_off);
+    tree array_address = build1(ADDR_EXPR, map_type, atIndex);
+    tree array_access = build1(INDIRECT_REF, map_type, array_address);
+    tree tmp1 = create_tmp_var(unsigned_char_type_node, "tmp1");
+    g = gimple_build_assign(tmp1, array_access);
+    gimple_seq_add_stmt(&seq, g);  // tmp1 = *(map_ptr + area_off)
+    update_stmt(g);
+#endif
+    // gimple_assign <plus_expr, _4, _3, 1, NULL>
+    tree tmp2 = create_tmp_var_raw(unsigned_char_type_node, "tmp2");
+    g = gimple_build_assign(tmp2, PLUS_EXPR, tmp1, one);
+    gimple_seq_add_stmt(&seq, g);  // tmp2 = tmp1 + 1
+    update_stmt(g);
+
+    // TODO: neverZero: here we have to check if tmp3 == 0
+    //                  and add 1 if so
+
+    // gimple_assign <ssa_name, *p_6, _4, NULL, NULL>
+    //		tree map_ptr3 = create_tmp_var_raw(map_type, "map_ptr3");
+    g = gimple_build_assign(map_ptr2, INDIRECT_REF, tmp2);
+    gimple_seq_add_stmt(&seq, g);  // *map_ptr2 = tmp2
+    update_stmt(g);
+
+    /* Set prev_loc to cur_loc >> 1 */
+
+    // gimple_assign <integer_cst, prev_loc, 23615, NULL, NULL>
+    tree shifted_loc = build_int_cst(TREE_TYPE(prev_loc_g), rand_loc >> 1);
+    tree prev_loc2 = create_tmp_var_raw(uint32_type_node, "prev_loc2");
+    g = gimple_build_assign(prev_loc2, shifted_loc);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+    g = gimple_build_assign(prev_loc_g, prev_loc2);
+    gimple_seq_add_stmt(&seq, g);  // __afl_prev_loc = cur_loc >> 1
+    update_stmt(g);
+
+    /* Done - grab the entry to the block and insert sequence */
+
+    bentry = gsi_after_labels(bb);
+    gsi_insert_seq_before(&bentry, seq, GSI_NEW_STMT);
+
+    ++finst_blocks;
+
+  }
+
+  /* Say something nice. */
+  if (!be_quiet) {
+
+    if (!finst_blocks)
+      WARNF(G_("No instrumentation targets found in " cBRI "%s" cRST),
+            function_name(fun));
+    else if (finst_blocks < fcnt_blocks)
+      OKF(G_("Instrumented %2u /%2u locations in " cBRI "%s" cRST),
+          finst_blocks, fcnt_blocks, function_name(fun));
+    else
+      OKF(G_("Instrumented   %2u   locations in " cBRI "%s" cRST), finst_blocks,
+          function_name(fun));
+
+  }
+
+  return 0;
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Boilerplate and initialization ---------------------------------------- */
+
+static const struct pass_data afl_pass_data = {
+
+    .type = GIMPLE_PASS,
+    .name = "afl-inst",
+    .optinfo_flags = OPTGROUP_NONE,
+
+    .tv_id = TV_NONE,
+    .properties_required = 0,
+    .properties_provided = 0,
+    .properties_destroyed = 0,
+    .todo_flags_start = 0,
+    // NOTE(aseipp): it's very, very important to include
+    // at least 'TODO_update_ssa' here so that GCC will
+    // properly update the resulting SSA form, e.g., to
+    // include new PHI nodes for newly added symbols or
+    // names. Do not remove this. Do not taunt Happy Fun
+    // Ball.
+    .todo_flags_finish = TODO_update_ssa | TODO_verify_il | TODO_cleanup_cfg,
+
+};
+
+namespace {
+
+class afl_pass : public gimple_opt_pass {
+
+ private:
+  bool do_ext_call;
+
+ public:
+  afl_pass(bool ext_call, gcc::context *g)
+      : gimple_opt_pass(afl_pass_data, g), do_ext_call(ext_call) {
+
+  }
+
+  unsigned int execute(function *fun) override {
+
+    if (!myWhitelist.empty()) {
+
+      bool         instrumentBlock = false;
+      std::string  instFilename;
+      unsigned int instLine = 0;
+
+      /* EXPR_FILENAME
+      This macro returns the name of the file in which the entity was declared,
+      as a char*. For an entity declared implicitly by the compiler (like
+      __builtin_ memcpy), this will be the string "<internal>".
+      */
+      const char *fname = DECL_SOURCE_FILE(fun->decl);
+
+      if (0 != strncmp("<internal>", fname, 10) &&
+          0 != strncmp("<built-in>", fname, 10)) {
+
+        instFilename = fname;
+        instLine = DECL_SOURCE_LINE(fun->decl);
+
+        /* Continue only if we know where we actually are */
+        if (!instFilename.empty()) {
+
+          for (std::list<std::string>::iterator it = myWhitelist.begin();
+               it != myWhitelist.end(); ++it) {
+
+            /* We don't check for filename equality here because
+             * filenames might actually be full paths. Instead we
+             * check that the actual filename ends in the filename
+             * specified in the list. */
+            if (instFilename.length() >= it->length()) {
+
+              if (instFilename.compare(instFilename.length() - it->length(),
+                                       it->length(), *it) == 0) {
+
+                instrumentBlock = true;
+                break;
+
+              }
+
+            }
+
+          }
+
+        }
+
+      }
+
+      /* Either we couldn't figure out our location or the location is
+       * not whitelisted, so we skip instrumentation. */
+      if (!instrumentBlock) {
+
+        if (!be_quiet) {
+
+          if (!instFilename.empty())
+            SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s line %u...\n",
+                 instFilename.c_str(), instLine);
+          else
+            SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
+
+        }
+
+        return 0;
+
+      }
+
+    }
+
+    return do_ext_call ? ext_call_instrument(fun) : inline_instrument(fun);
+
+  }
+
+};                                                        /* class afl_pass */
+
+}  // namespace
+
+static struct opt_pass *make_afl_pass(bool ext_call, gcc::context *ctxt) {
+
+  return new afl_pass(ext_call, ctxt);
+
+}
+
+/* -------------------------------------------------------------------------- */
+/* -- Initialization -------------------------------------------------------- */
+
+int plugin_is_GPL_compatible = 1;
+
+static struct plugin_info afl_plugin_info = {
+
+    .version = "20191015",
+    .help = "AFL++ gcc plugin\n",
+
+};
+
+int plugin_init(struct plugin_name_args *  plugin_info,
+                struct plugin_gcc_version *version) {
+
+  struct register_pass_info afl_pass_info;
+  struct timeval            tv;
+  struct timezone           tz;
+  u32                       rand_seed;
+
+  /* Setup random() so we get Actually Random(TM) outputs from R() */
+  gettimeofday(&tv, &tz);
+  rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+  SR(rand_seed);
+
+  /* Pass information */
+  afl_pass_info.pass = make_afl_pass(inst_ext, g);
+  afl_pass_info.reference_pass_name = "ssa";
+  afl_pass_info.ref_pass_instance_number = 1;
+  afl_pass_info.pos_op = PASS_POS_INSERT_AFTER;
+
+  if (!plugin_default_version_check(version, &gcc_version)) {
+
+    FATAL(G_("Incompatible gcc/plugin versions!"));
+
+  }
+
+  /* Show a banner */
+  if (isatty(2) && !getenv("AFL_QUIET")) {
+
+    SAYF(G_(cCYA "afl-gcc-pass" VERSION cRST
+                 " initially by <aseipp@pobox.com>, maintainer: hexcoder-\n"));
+
+  } else
+
+    be_quiet = 1;
+
+  /* Decide instrumentation ratio */
+  char *inst_ratio_str = getenv("AFL_INST_RATIO");
+
+  if (inst_ratio_str) {
+
+    if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
+        inst_ratio > 100)
+      FATAL(G_("Bad value of AFL_INST_RATIO (must be between 1 and 100)"));
+    else {
+
+      if (!be_quiet)
+        ACTF(G_("%s instrumentation at ratio of %u%% in %s mode."),
+             inst_ext ? G_("Call-based") : G_("Inline"), inst_ratio,
+             getenv("AFL_HARDEN") ? G_("hardened") : G_("non-hardened"));
+
+    }
+
+  }
+
+  char *instWhiteListFilename = getenv("AFL_GCC_WHITELIST");
+  if (instWhiteListFilename) {
+
+    std::string   line;
+    std::ifstream fileStream;
+    fileStream.open(instWhiteListFilename);
+    if (!fileStream) fatal_error(0, "Unable to open AFL_GCC_WHITELIST");
+    getline(fileStream, line);
+    while (fileStream) {
+
+      myWhitelist.push_back(line);
+      getline(fileStream, line);
+
+    }
+
+  } else if (!be_quiet && getenv("AFL_LLVM_WHITELIST"))
+
+    SAYF(cYEL "[-] " cRST
+              "AFL_LLVM_WHITELIST environment variable detected - did you mean "
+              "AFL_GCC_WHITELIST?\n");
+
+  /* Go go gadget */
+  register_callback(plugin_info->base_name, PLUGIN_INFO, NULL,
+                    &afl_plugin_info);
+  register_callback(plugin_info->base_name, PLUGIN_PASS_MANAGER_SETUP, NULL,
+                    &afl_pass_info);
+  return 0;
+
+}
+
--- a/gcc_plugin/afl-gcc-rt.o.c
+++ b/gcc_plugin/afl-gcc-rt.o.c
@ -0,0 +1,300 @@
+/*
+   american fuzzy lop - GCC plugin instrumentation bootstrap
+   ---------------------------------------------------------
+
+   Written by Austin Seipp <aseipp@pobox.com> and
+              Laszlo Szekeres <lszekeres@google.com> and
+              Michal Zalewski
+
+   GCC integration design is based on the LLVM design, which comes
+   from Laszlo Szekeres.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at:
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   This code is the rewrite of afl-as.h's main_payload.
+
+*/
+
+#ifdef __ANDROID__
+#include "android-ashmem.h"
+#endif
+#include "../config.h"
+#include "../types.h"
+
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <string.h>
+#include <assert.h>
+
+#include <sys/mman.h>
+#include <sys/shm.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+
+#include <sys/mman.h>
+#include <fcntl.h>
+
+/* Globals needed by the injected instrumentation. The __afl_area_initial region
+   is used for instrumentation output before __afl_map_shm() has a chance to
+   run. It will end up as .comm, so it shouldn't be too wasteful. */
+
+u8  __afl_area_initial[MAP_SIZE];
+u8 *__afl_area_ptr = __afl_area_initial;
+
+#ifdef __ANDROID__
+u32 __afl_prev_loc;
+#else
+__thread u32 __afl_prev_loc;
+#endif
+
+/* Trace a basic block with some ID */
+void __afl_trace(const u32 x) {
+
+#if 1                                      /* enable for neverZero feature. */
+  __afl_area_ptr[__afl_prev_loc ^ x] +=
+      1 + ((u8)(1 + __afl_area_ptr[__afl_prev_loc ^ x]) == 0);
+#else
+  ++__afl_area_ptr[__afl_prev_loc ^ x];
+#endif
+
+  __afl_prev_loc = (x >> 1);
+  return;
+
+}
+
+/* Running in persistent mode? */
+
+static u8 is_persistent;
+
+/* SHM setup. */
+
+static void __afl_map_shm(void) {
+
+  u8 *id_str = getenv(SHM_ENV_VAR);
+
+  /* If we're running under AFL, attach to the appropriate region, replacing the
+     early-stage __afl_area_initial region that is needed to allow some really
+     hacky .init code to work correctly in projects such as OpenSSL. */
+
+  if (id_str) {
+
+#ifdef USEMMAP
+    const char *   shm_file_path = id_str;
+    int            shm_fd = -1;
+    unsigned char *shm_base = NULL;
+
+    /* create the shared memory segment as if it was a file */
+    shm_fd = shm_open(shm_file_path, O_RDWR, 0600);
+    if (shm_fd == -1) {
+
+      printf("shm_open() failed\n");
+      exit(1);
+
+    }
+
+    /* map the shared memory segment to the address space of the process */
+    shm_base = mmap(0, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, shm_fd, 0);
+    if (shm_base == MAP_FAILED) {
+
+      close(shm_fd);
+      shm_fd = -1;
+
+      printf("mmap() failed\n");
+      exit(2);
+
+    }
+
+    __afl_area_ptr = shm_base;
+#else
+    u32 shm_id = atoi(id_str);
+
+    __afl_area_ptr = shmat(shm_id, NULL, 0);
+#endif
+
+    /* Whooooops. */
+
+    if (__afl_area_ptr == (void *)-1) exit(1);
+
+    /* Write something into the bitmap so that even with low AFL_INST_RATIO,
+       our parent doesn't give up on us. */
+
+    __afl_area_ptr[0] = 1;
+
+  }
+
+}
+
+/* Fork server logic. */
+
+static void __afl_start_forkserver(void) {
+
+  static u8 tmp[4];
+  s32       child_pid;
+
+  u8 child_stopped = 0;
+
+  void (*old_sigchld_handler)(int) = signal(SIGCHLD, SIG_DFL);
+
+  /* Phone home and tell the parent that we're OK. If parent isn't there,
+     assume we're not running in forkserver mode and just execute program. */
+
+  if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
+
+  while (1) {
+
+    u32 was_killed;
+    int status;
+
+    /* Wait for parent by reading from the pipe. Abort if read fails. */
+
+    if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(1);
+
+    /* If we stopped the child in persistent mode, but there was a race
+       condition and afl-fuzz already issued SIGKILL, write off the old
+       process. */
+
+    if (child_stopped && was_killed) {
+
+      child_stopped = 0;
+      if (waitpid(child_pid, &status, 0) < 0) exit(1);
+
+    }
+
+    if (!child_stopped) {
+
+      /* Once woken up, create a clone of our process. */
+
+      child_pid = fork();
+      if (child_pid < 0) exit(1);
+
+      /* In child process: close fds, resume execution. */
+
+      if (!child_pid) {
+
+        signal(SIGCHLD, old_sigchld_handler);
+
+        close(FORKSRV_FD);
+        close(FORKSRV_FD + 1);
+        return;
+
+      }
+
+    } else {
+
+      /* Special handling for persistent mode: if the child is alive but
+         currently stopped, simply restart it with SIGCONT. */
+
+      kill(child_pid, SIGCONT);
+      child_stopped = 0;
+
+    }
+
+    /* In parent process: write PID to pipe, then wait for child. */
+
+    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(1);
+
+    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(1);
+
+    /* In persistent mode, the child stops itself with SIGSTOP to indicate
+       a successful run. In this case, we want to wake it up without forking
+       again. */
+
+    if (WIFSTOPPED(status)) child_stopped = 1;
+
+    /* Relay wait status to pipe, then loop back. */
+
+    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1);
+
+  }
+
+}
+
+/* A simplified persistent mode handler, used as explained in README.llvm. */
+
+int __afl_persistent_loop(unsigned int max_cnt) {
+
+  static u8  first_pass = 1;
+  static u32 cycle_cnt;
+
+  if (first_pass) {
+
+    /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
+       On subsequent calls, the parent will take care of that, but on the first
+       iteration, it's our job to erase any trace of whatever happened
+       before the loop. */
+
+    if (is_persistent) {
+
+      memset(__afl_area_ptr, 0, MAP_SIZE);
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+    }
+
+    cycle_cnt = max_cnt;
+    first_pass = 0;
+    return 1;
+
+  }
+
+  if (is_persistent) {
+
+    if (--cycle_cnt) {
+
+      raise(SIGSTOP);
+
+      __afl_area_ptr[0] = 1;
+      __afl_prev_loc = 0;
+
+      return 1;
+
+    } else {
+
+      /* When exiting __AFL_LOOP(), make sure that the subsequent code that
+         follows the loop is not traced. We do that by pivoting back to the
+         dummy output region. */
+
+      __afl_area_ptr = __afl_area_initial;
+
+    }
+
+  }
+
+  return 0;
+
+}
+
+/* This one can be called from user code when deferred forkserver mode
+    is enabled. */
+
+void __afl_manual_init(void) {
+
+  static u8 init_done;
+
+  if (!init_done) {
+
+    __afl_map_shm();
+    __afl_start_forkserver();
+    init_done = 1;
+
+  }
+
+}
+
+/* Proper initialization routine. */
+
+__attribute__((constructor(101))) void __afl_auto_init(void) {
+
+  is_persistent = !!getenv(PERSIST_ENV_VAR);
+
+  if (getenv(DEFER_ENV_VAR)) return;
+
+  __afl_manual_init();
+
+}
+
--- a/include/afl-as.h
+++ b/include/afl-as.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - injectable parts
   ---------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - fuzzer header
   ------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -30,7 +30,7 @@
 #define MESSAGES_TO_STDOUT

 #ifndef _GNU_SOURCE
-#define _GNU_SOURCE
+#define _GNU_SOURCE 1
 #endif
 #define _FILE_OFFSET_BITS 64

@ -71,18 +71,35 @@
 #include <sys/ioctl.h>
 #include <sys/file.h>

-#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
+    defined(__NetBSD__) || defined(__DragonFly__)
 #include <sys/sysctl.h>
-#define HAVE_ARC4RANDOM 1
 #endif                           /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */

 /* For systems that have sched_setaffinity; right now just Linux, but one
   can hope... */

-#ifdef __linux__
+#if defined(__linux__) || defined(__FreeBSD__) || defined(__NetBSD__) || \
+    defined(__DragonFly__)
 #define HAVE_AFFINITY 1
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if defined(__FreeBSD__)
+#include <sys/cpuset.h>
+#endif
+#include <sys/user.h>
+#include <pthread.h>
+#include <pthread_np.h>
+#define cpu_set_t cpuset_t
+#elif defined(__NetBSD__)
+#include <pthread.h>
+#endif
 #endif                                                         /* __linux__ */

+#ifdef __APPLE__
+#include <TargetConditionals.h>
+#endif
+
 #ifndef SIMPLE_FILES
 #define CASE_PREFIX "id:"
 #else
@ -150,7 +167,8 @@ enum {
  /* 15 */ STAGE_HAVOC,
  /* 16 */ STAGE_SPLICE,
  /* 17 */ STAGE_PYTHON,
-  /* 18 */ STAGE_CUSTOM_MUTATOR
+  /* 18 */ STAGE_RADAMSA,
+  /* 19 */ STAGE_CUSTOM_MUTATOR

 };

@ -242,7 +260,7 @@ extern u8 *in_dir,                      /* Input directory with test cases  */
    *file_extension,                    /* File extension                   */
    *orig_cmdline,                      /* Original command line            */
    *doc_path,                          /* Path to documentation dir        */
-    *target_path,                       /* Path to target binary            */
+    *infoexec,                         /* Command to execute on a new crash */
    *out_file;                          /* File to fuzz, if any             */

 extern u32 exec_tmout;                  /* Configurable exec timeout (ms)   */
@ -251,7 +269,11 @@ extern u32 hang_tmout;                  /* Timeout used for hang det (ms)   */
 extern u64 mem_limit;                   /* Memory cap for child (MB)        */

 extern u8 cal_cycles,                   /* Calibration cycles defaults      */
-    cal_cycles_long, debug,             /* Debug mode                       */
+    cal_cycles_long,                    /* Calibration cycles defaults      */
+    no_unlink,                          /* do not unlink cur_input          */
+    use_stdin,                          /* use stdin for sending data       */
+    debug,                              /* Debug mode                       */
+    custom_only,                        /* Custom mutator only mode         */
    python_only;                        /* Python-only mode                 */

 extern u32 stats_update_freq;           /* Stats update frequency (execs)   */
@ -274,6 +296,9 @@ extern char* power_names[POWER_SCHEDULES_NUM];
 extern u8 schedule;                     /* Power schedule (default: EXPLORE)*/
 extern u8 havoc_max_mult;

+extern u8 use_radamsa;
+extern size_t (*radamsa_mutate_ptr)(u8*, size_t, u8*, size_t, u32);
+
 extern u8 skip_deterministic,           /* Skip deterministic stages?       */
    force_deterministic,                /* Force deterministic stages?      */
    use_splicing,                       /* Recombine input files?           */
@ -294,13 +319,15 @@ extern u8 skip_deterministic,           /* Skip deterministic stages?       */
    bitmap_changed,                     /* Time to update bitmap?           */
    qemu_mode,                          /* Running in QEMU mode?            */
    unicorn_mode,                       /* Running in Unicorn mode?         */
+    use_wine,                           /* Use WINE with QEMU mode          */
    skip_requested,                     /* Skip request, via SIGUSR1        */
    run_over10m,                        /* Run time over 10 minutes?        */
    persistent_mode,                    /* Running in persistent mode?      */
    deferred_mode,                      /* Deferred forkserver mode?        */
    fixed_seed,                         /* do not reseed                    */
    fast_cal,                           /* Try to calibrate faster?         */
-    uses_asan;                          /* Target uses ASAN?                */
+    uses_asan,                          /* Target uses ASAN?                */
+    disable_trim;                       /* Never trim in fuzz_one           */

 extern s32 out_fd,                      /* Persistent fd for out_file       */
 #ifndef HAVE_ARC4RANDOM
@ -388,6 +415,9 @@ extern u64 stage_finds[32],             /* Patterns found per fuzz stage    */
 extern u32 rand_cnt;                    /* Random number counter            */
 #endif

+extern u32 rand_seed[2];
+extern s64 init_seed;
+
 extern u64 total_cal_us,                /* Total calibration time (us)      */
    total_cal_cycles;                   /* Total calibration cycles         */

@ -455,8 +485,31 @@ extern s32
 /* Python stuff */
 #ifdef USE_PYTHON

+// because Python sets stuff it should not ...
+#ifdef _POSIX_C_SOURCE
+#define _SAVE_POSIX_C_SOURCE _POSIX_C_SOURCE
+#undef _POSIX_C_SOURCE
+#endif
+#ifdef _XOPEN_SOURCE
+#define _SAVE_XOPEN_SOURCE _XOPEN_SOURCE
+#undef _XOPEN_SOURCE
+#endif
+
 #include <Python.h>

+#ifdef _SAVE_POSIX_C_SOURCE
+#ifdef _POSIX_C_SOURCE
+#undef _POSIX_C_SOURCE
+#endif
+#define _POSIX_C_SOURCE _SAVE_POSIX_C_SOURCE
+#endif
+#ifdef _SAVE_XOPEN_SOURCE
+#ifdef _XOPEN_SOURCE
+#undef _XOPEN_SOURCE
+#endif
+#define _XOPEN_SOURCE _SAVE_XOPEN_SOURCE
+#endif
+
 extern PyObject* py_module;

 enum {
@ -506,7 +559,7 @@ u8   has_new_bits(u8*);
 u32  count_bits(u8*);
 u32  count_bytes(u8*);
 u32  count_non_255_bytes(u8*);
-#ifdef __x86_64__
+#ifdef WORD_SIZE_64
 void simplify_trace(u64*);
 void classify_counts(u64*);
 #else
@ -589,6 +642,7 @@ void   fix_up_banner(u8*);
 void   check_if_tty(void);
 void   setup_signal_handlers(void);
 char** get_qemu_argv(u8*, char**, int);
+char** get_wine_argv(u8*, char**, int);
 void   save_cmdline(u32, char**);

 /**** Inline routines ****/
@ -607,11 +661,9 @@ static inline u32 UR(u32 limit) {
 #else
  if (!fixed_seed && unlikely(!rand_cnt--)) {

-    u32 seed[2];
-
-    ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom");
-    srandom(seed[0]);
-    rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG);
+    ck_read(dev_urandom_fd, &rand_seed, sizeof(rand_seed), "/dev/urandom");
+    srandom(rand_seed[0]);
+    rand_cnt = (RESEED_RNG / 2) + (rand_seed[1] % RESEED_RNG);

  }

@ -620,6 +672,13 @@ static inline u32 UR(u32 limit) {

 }

+static inline u32 get_rand_seed() {
+
+  if (fixed_seed) return (u32)init_seed;
+  return rand_seed[0];
+
+}
+
 /* Find first power of two greater or equal to val (assuming val under
   2^63). */

@ -658,5 +717,10 @@ static u64 get_cur_time_us(void) {

 }

+#ifdef _AFL_DOCUMENT_MUTATIONS
+extern u8  do_document;
+extern u32 document_counter;
+#endif
+
 #endif

--- a/include/alloc-inl.h
+++ b/include/alloc-inl.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - error-checking, memory-zeroing alloc routines
   --------------------------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -106,39 +106,20 @@
                                                 \
  } while (0)

-/*
-#define CHECK_PTR(_p) do { \
-                           \
-                           \
-                           \
-                           \
+/* #define CHECK_PTR(_p) do { \
    if (_p) { \
-              \
-              \
-              \
-              \
      if (ALLOC_C1(_p) ^ ALLOC_MAGIC_C1) {\
-                                          \
-                                          \
-                                          \
-                                          \
        if (ALLOC_C1(_p) == ALLOC_MAGIC_F) \
          ABORT("Use after free."); \
        else ABORT("Corrupted head alloc canary."); \
-                                                    \
+
      } \
-        \
-        \
-        \
+
      if (ALLOC_C2(_p) ^ ALLOC_MAGIC_C2) \
        ABORT("Corrupted tail alloc canary."); \
-                                               \
+
    } \
-      \
-      \
-      \
-      \
-      \
+
  } while (0)

 */
--- a/include/android-ashmem.h
+++ b/include/android-ashmem.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - android shared memory compatibility layer
   ----------------------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -52,7 +52,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {
  if (__cmd == IPC_RMID) {

    int               length = ioctl(__shmid, ASHMEM_GET_SIZE, NULL);
-    struct ashmem_pin pin = {0, length};
+    struct ashmem_pin pin = {0, (unsigned int)length};
    ret = ioctl(__shmid, ASHMEM_UNPIN, &pin);
    close(__shmid);

@ -64,6 +64,7 @@ static inline int shmctl(int __shmid, int __cmd, struct shmid_ds *__buf) {

 static inline int shmget(key_t __key, size_t __size, int __shmflg) {

+  (void)__shmflg;
  int  fd, ret;
  char ourkey[11];

@ -87,6 +88,7 @@ error:

 static inline void *shmat(int __shmid, const void *__shmaddr, int __shmflg) {

+  (void)__shmflg;
  int   size;
  void *ptr;

--- a/include/common.h
+++ b/include/common.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - common routines header
   ---------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -27,6 +27,11 @@
 #define __AFLCOMMON_H
 #include "types.h"

-void detect_file_args(char **argv, u8 *prog_in);
+extern u8* target_path;                 /* Path to target binary            */
+
+void detect_file_args(char** argv, u8* prog_in);
+
+char** get_qemu_argv(u8* own_loc, char** argv, int argc);
+char** get_wine_argv(u8* own_loc, char** argv, int argc);
 #endif

--- a/include/config.h
+++ b/include/config.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - vaguely configurable bits
   ------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -26,7 +26,7 @@

 /* Version string: */

-#define VERSION "++2.54c"  // c = release, d = volatile github dev
+#define VERSION "++2.59d"  // c = release, d = volatile github dev

 /******************************************************
 *                                                    *
@ -41,7 +41,9 @@

 /* Comment out to disable fancy ANSI boxes and use poor man's 7-bit UI: */

+#ifndef ANDROID_DISABLE_FANCY  // Fancy boxes are ugly from adb
 #define FANCY_BOXES
+#endif

 /* Default timeout for fuzzed code (milliseconds). This is the upper bound,
   also used for detecting hangs; the actual value is auto-scaled: */
@ -52,13 +54,18 @@

 #define EXEC_TM_ROUND 20

+/* 64bit arch MACRO */
+#if (defined(__x86_64__) || defined(__arm64__) || defined(__aarch64__))
+#define WORD_SIZE_64 1
+#endif
+
 /* Default memory limit for child process (MB): */

-#ifndef __x86_64__
+#ifndef WORD_SIZE_64
 #define MEM_LIMIT 25
 #else
 #define MEM_LIMIT 50
-#endif                                                      /* ^!__x86_64__ */
+#endif                                                    /* ^!WORD_SIZE_64 */

 /* Default memory limit when running in QEMU mode (MB): */

@ -371,5 +378,12 @@

 // #define IGNORE_FINDS

+/* for *BSD: use ARC4RANDOM and save a file descriptor */
+#if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__)
+#ifndef HAVE_ARC4RANDOM
+#define HAVE_ARC4RANDOM 1
+#endif
+#endif                           /* __APPLE__ || __FreeBSD__ || __OpenBSD__ */
+
 #endif                                                  /* ! _HAVE_CONFIG_H */

--- a/include/debug.h
+++ b/include/debug.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - debug / error handling macros
   ----------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
--- a/include/forkserver.h
+++ b/include/forkserver.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - forkserver header
   ----------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Forkserver design by Jann Horn <jannhorn@googlemail.com>

--- a/include/hash.h
+++ b/include/hash.h
@ -12,7 +12,7 @@

   Austin's original code is public domain.

-   Other code written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Other code written by Michal Zalewski

   Copyright 2016 Google Inc. All rights reserved.

--- a/include/sharedmem.h
+++ b/include/sharedmem.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - shared memory related header
   ---------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Forkserver design by Jann Horn <jannhorn@googlemail.com>

--- a/include/types.h
+++ b/include/types.h
@ -2,7 +2,7 @@
   american fuzzy lop++ - type definitions and minor macros
   --------------------------------------------------------

-   Originally written by Michal Zalewski <lcamtuf@google.com>
+   Originally written by Michal Zalewski

   Now maintained by by Marc Heuse <mh@mh-sec.de>,
                        Heiko Eißfeldt <heiko.eissfeldt@hexco.de> and
@ -79,9 +79,21 @@ typedef int64_t s64;
  })

 #ifdef AFL_LLVM_PASS
+#if defined(__linux__)
+#define AFL_SR(s) (srandom(s))
 #define AFL_R(x) (random() % (x))
 #else
+#define AFL_SR(s) ((void)s)
+#define AFL_R(x) (arc4random_uniform(x))
+#endif
+#else
+#if defined(__linux__)
+#define SR(s) (srandom(s))
 #define R(x) (random() % (x))
+#else
+#define SR(s) ((void)s)
+#define R(x) (arc4random_uniform(x))
+#endif
 #endif                                                    /* ^AFL_LLVM_PASS */

 #define STRINGIFY_INTERNAL(x) #x
--- a/libdislocator/Makefile
+++ b/libdislocator/Makefile
@ -2,7 +2,7 @@
 # american fuzzy lop - libdislocator
 # ----------------------------------
 #
-# Written by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
@ -21,18 +21,24 @@ VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 CFLAGS      ?= -O3 -funroll-loops -I ../include/
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign

+ifdef USEHUGEPAGE
+	CFLAGS += -DUSEHUGEPAGE
+endif
+
 all: libdislocator.so

+VPATH = ..
 libdislocator.so: libdislocator.so.c ../config.h
-	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)

 .NOTPARALLEL: clean

 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
-	rm -f libdislocator.so
+	rm -f ../libdislocator.so

 install: all
-	install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
-	install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH)
+	install -m 755 -d $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ../libdislocator.so $${DESTDIR}$(HELPER_PATH)
+	install -m 644 README.dislocator.md $${DESTDIR}$(HELPER_PATH)

--- a/libdislocator/README.dislocator.md
+++ b/libdislocator/README.dislocator.md
@ -25,6 +25,8 @@ heap-related security bugs in several ways:
  - It checks for calloc() overflows and can cause soft or hard failures
    of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
    AFL_LD_HARD_FAIL).
+  - Optionally, in platforms supporting it, huge pages can be used by passing
+    USEHUGEPAGE=1 to make.

 Basically, it is inspired by some of the non-default options available for the
 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
--- a/libdislocator/libdislocator.so.c
+++ b/libdislocator/libdislocator.so.c
@ -3,7 +3,7 @@
   american fuzzy lop - dislocator, an abusive allocator
   -----------------------------------------------------

-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2016 Google Inc. All rights reserved.

@ -14,7 +14,7 @@
     http://www.apache.org/licenses/LICENSE-2.0

   This is a companion library that can be used as a drop-in replacement
-   for the libc allocator in the fuzzed binaries. See README.dislocator for
+   for the libc allocator in the fuzzed binaries. See README.dislocator.md for
   more info.

 */
@ -23,8 +23,41 @@
 #include <stdlib.h>
 #include <string.h>
 #include <limits.h>
+#include <errno.h>
 #include <sys/mman.h>

+#ifdef __APPLE__
+#include <mach/vm_statistics.h>
+#endif
+
+#ifdef __linux__
+#include <unistd.h>
+#include <sys/syscall.h>
+#ifdef __NR_getrandom
+#define arc4random_buf(p, l)                       \
+  do {                                             \
+                                                   \
+    ssize_t rd = syscall(__NR_getrandom, p, l, 0); \
+    if (rd != l) DEBUGF("getrandom failed");       \
+                                                   \
+  } while (0)
+
+#else
+#include <time.h>
+#define arc4random_buf(p, l)     \
+  do {                           \
+                                 \
+    srand(time(NULL));           \
+    u32 i;                       \
+    u8* ptr = (u8*)p;            \
+    for (i = 0; i < l; i++)      \
+      ptr[i] = rand() % INT_MAX; \
+                                 \
+  } while (0)
+
+#endif
+#endif
+
 #include "config.h"
 #include "types.h"

@ -36,6 +69,8 @@
 #define MAP_ANONYMOUS MAP_ANON
 #endif                                                    /* !MAP_ANONYMOUS */

+#define SUPER_PAGE_SIZE 1 << 21
+
 /* Error / message handling: */

 #define DEBUGF(_x...)                 \
@ -88,9 +123,14 @@ static u8  alloc_verbose,               /* Additional debug messages        */
    hard_fail,                          /* abort() when max_mem exceeded?   */
    no_calloc_over;                     /* abort() on calloc() overflows?   */

+#if defined __OpenBSD__ || defined __APPLE__
+#define __thread
+#warning no thread support available
+#endif
 static __thread size_t total_mem;       /* Currently allocated mem          */

 static __thread u32 call_depth;         /* To avoid recursion via fprintf() */
+static u32          alloc_canary;

 /* This is the main alloc function. It allocates one page more than necessary,
   sets that tailing page to PROT_NONE, and then increments the return address
@ -99,7 +139,9 @@ static __thread u32 call_depth;         /* To avoid recursion via fprintf() */

 static void* __dislocator_alloc(size_t len) {

-  void* ret;
+  void*  ret;
+  size_t tlen;
+  int    flags, fd, sp;

  if (total_mem + len > max_mem || total_mem + len < total_mem) {

@ -111,13 +153,45 @@ static void* __dislocator_alloc(size_t len) {

  }

+  tlen = (1 + PG_COUNT(len + 8)) * PAGE_SIZE;
+  flags = MAP_PRIVATE | MAP_ANONYMOUS;
+  fd = -1;
+#if defined(USEHUGEPAGE)
+  sp = (len >= SUPER_PAGE_SIZE && !(len % SUPER_PAGE_SIZE));
+
+#if defined(__APPLE__)
+  if (sp) fd = VM_FLAGS_SUPERPAGE_SIZE_2MB;
+#elif defined(__linux__)
+  if (sp) flags |= MAP_HUGETLB;
+#elif defined(__FreeBSD__)
+  if (sp) flags |= MAP_ALIGNED_SUPER;
+#endif
+#else
+  (void)sp;
+#endif
+
  /* We will also store buffer length and a canary below the actual buffer, so
     let's add 8 bytes for that. */

-  ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE,
-             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+#if defined(USEHUGEPAGE)
+  /* We try one more time with regular call */
+  if (ret == MAP_FAILED) {

-  if (ret == (void*)-1) {
+#if defined(__APPLE__)
+    fd = -1;
+#elif defined(__linux__)
+    flags &= -MAP_HUGETLB;
+#elif defined(__FreeBSD__)
+    flags &= -MAP_ALIGNED_SUPER;
+#endif
+    ret = mmap(NULL, tlen, PROT_READ | PROT_WRITE, flags, fd, 0);
+
+  }
+
+#endif
+
+  if (ret == MAP_FAILED) {

    if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");

@ -142,7 +216,7 @@ static void* __dislocator_alloc(size_t len) {
  ret += 8;

  PTR_L(ret) = len;
-  PTR_C(ret) = ALLOC_CANARY;
+  PTR_C(ret) = alloc_canary;

  total_mem += len;

@ -184,6 +258,10 @@ void* calloc(size_t elem_len, size_t elem_cnt) {

 }

+/* TODO: add a wrapper for posix_memalign, otherwise apps who use it,
+   will fail when freeing the memory.
+*/
+
 /* The wrapper for malloc(). Roughly the same, also clobbers the returned
   memory (unlike calloc(), malloc() is not guaranteed to return zeroed
   memory). */
@ -214,7 +292,7 @@ void free(void* ptr) {

  if (!ptr) return;

-  if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on free()");
+  if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on free()");

  len = PTR_L(ptr);

@ -243,7 +321,7 @@ void* realloc(void* ptr, size_t len) {

  if (ret && ptr) {

-    if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on realloc()");
+    if (PTR_C(ptr) != alloc_canary) FATAL("bad allocator canary on realloc()");

    memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
    free(ptr);
@ -256,17 +334,86 @@ void* realloc(void* ptr, size_t len) {

 }

+/* posix_memalign we mainly check the proper alignment argument
+   if the requested size fits within the alignment we do
+   a normal request */
+
+int posix_memalign(void** ptr, size_t align, size_t len) {
+
+  // if (*ptr == NULL) return EINVAL; // (andrea) Why? I comment it out for now
+  if ((align % 2) || (align % sizeof(void*))) return EINVAL;
+  if (len == 0) {
+
+    *ptr = NULL;
+    return 0;
+
+  }
+
+  size_t rem = len % align;
+  if (rem) len += align - rem;
+
+  *ptr = __dislocator_alloc(len);
+
+  if (*ptr && len) memset(*ptr, ALLOC_CLOBBER, len);
+
+  DEBUGF("posix_memalign(%p %zu, %zu) [*ptr = %p]", ptr, align, len, *ptr);
+
+  return 0;
+
+}
+
+/* just the non-posix fashion */
+
+void* memalign(size_t align, size_t len) {
+
+  void* ret = NULL;
+
+  if (posix_memalign(&ret, align, len)) {
+
+    DEBUGF("memalign(%zu, %zu) failed", align, len);
+
+  }
+
+  return ret;
+
+}
+
+/* sort of C11 alias of memalign only more severe, alignment-wise */
+
+void* aligned_alloc(size_t align, size_t len) {
+
+  void* ret = NULL;
+
+  if ((len % align)) return NULL;
+
+  if (posix_memalign(&ret, align, len)) {
+
+    DEBUGF("aligned_alloc(%zu, %zu) failed", align, len);
+
+  }
+
+  return ret;
+
+}
+
 __attribute__((constructor)) void __dislocator_init(void) {

-  u8* tmp = getenv("AFL_LD_LIMIT_MB");
+  u8* tmp = (u8*)getenv("AFL_LD_LIMIT_MB");

  if (tmp) {

-    max_mem = atoi(tmp) * 1024 * 1024;
-    if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB");
+    u8* tok;
+    s32 mmem = (s32)strtol((char*)tmp, (char**)&tok, 10);
+    if (*tok != '\0' || errno == ERANGE) FATAL("Bad value for AFL_LD_LIMIT_MB");
+    max_mem = mmem * 1024 * 1024;

  }

+  alloc_canary = ALLOC_CANARY;
+  tmp = (u8*)getenv("AFL_RANDOM_ALLOC_CANARY");
+
+  if (tmp) arc4random_buf(&alloc_canary, sizeof(alloc_canary));
+
  alloc_verbose = !!getenv("AFL_LD_VERBOSE");
  hard_fail = !!getenv("AFL_LD_HARD_FAIL");
  no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
--- a/libtokencap/Makefile
+++ b/libtokencap/Makefile
@ -2,7 +2,7 @@
 # american fuzzy lop - libtokencap
 # --------------------------------
 #
-# Written by Michal Zalewski <lcamtuf@google.com>
+# Written by Michal Zalewski
 #
 # Copyright 2016 Google Inc. All rights reserved.
 #
@ -21,18 +21,41 @@ VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 CFLAGS      ?= -O3 -funroll-loops -I ../include/
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign

-all: libtokencap.so
+ifeq "$(shell uname)" "Linux"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+ifeq "$(shell uname)" "Darwin"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+ifeq "$(shell uname)" "FreeBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "OpenBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "NetBSD"
+  TARGETS = libtokencap.so
+endif
+ifeq "$(shell uname)" "DragonFly"
+  TARGETS = libtokencap.so
+  LDFLAGS     += -ldl
+endif
+all: $(TARGETS)

+VPATH = ..
 libtokencap.so: libtokencap.so.c ../config.h
-	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) -shared -fPIC $< -o ../$@ $(LDFLAGS)

 .NOTPARALLEL: clean

 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
-	rm -f libtokencap.so
+	rm -f ../libtokencap.so

 install: all
-	install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH)
-	install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH)
+	install -m 755 -d $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ../libtokencap.so $${DESTDIR}$(HELPER_PATH)
+	install -m 644 README.tokencap.md $${DESTDIR}$(HELPER_PATH)

--- a/libtokencap/README.tokencap.md
+++ b/libtokencap/README.tokencap.md
@ -2,7 +2,7 @@

  (See ../docs/README for the general instruction manual.)

-This Linux-only companion library allows you to instrument `strcmp()`, `memcmp()`,
+This companion library allows you to instrument `strcmp()`, `memcmp()`,
 and related functions to automatically extract syntax tokens passed to any of
 these libcalls. The resulting list of tokens may be then given as a starting
 dictionary to afl-fuzz (the -x option) to improve coverage on subsequent
@ -55,9 +55,10 @@ If you don't get any results, the target library is probably not using strcmp()
 and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or
 the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect.

-PS. The library is Linux-only because there is probably no particularly portable
-and non-invasive way to distinguish between read-only and read-write memory
-mappings. The `__tokencap_load_mappings()` function is the only thing that would
-need to be changed for other OSes. Porting to platforms with /proc/<pid>/maps
-(e.g., FreeBSD) should be trivial.
+Portability hints: There is probably no particularly portable and non-invasive
+way to distinguish between read-only and read-write memory mappings.
+The `__tokencap_load_mappings()` function is the only thing that would
+need to be changed for other OSes.
+
+Current supported OSes are: Linux, Darwin, FreeBSD (thanks to @devnexen)

--- a/libtokencap/libtokencap.so.c
+++ b/libtokencap/libtokencap.so.c
@ -3,7 +3,7 @@
   american fuzzy lop - extract tokens passed to strcmp / memcmp
   -------------------------------------------------------------

-   Written and maintained by Michal Zalewski <lcamtuf@google.com>
+   Written by Michal Zalewski

   Copyright 2016 Google Inc. All rights reserved.

@ -15,20 +15,55 @@

   This Linux-only companion library allows you to instrument strcmp(),
   memcmp(), and related functions to automatically extract tokens.
-   See README.tokencap for more info.
+   See README.tokencap.md for more info.

 */

+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdbool.h>

 #include "../types.h"
 #include "../config.h"

-#ifndef __linux__
-#error "Sorry, this library is Linux-specific for now!"
-#endif                                                        /* !__linux__ */
+#if !defined __linux__ && !defined __APPLE__ && !defined __FreeBSD__ && \
+    !defined __OpenBSD__ && !defined __NetBSD__ && !defined __DragonFly__
+#error "Sorry, this library is unsupported in this platform for now!"
+#endif /* !__linux__ && !__APPLE__ && ! __FreeBSD__ && ! __OpenBSD__ && \
+          !__NetBSD__*/
+
+#if defined __APPLE__
+#include <mach/vm_map.h>
+#include <mach/mach_init.h>
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include <sys/user.h>
+#include <sys/mman.h>
+#endif
+
+#include <dlfcn.h>
+
+#ifdef RTLD_NEXT
+/* The libc functions are a magnitude faster than our replacements.
+   Use them when RTLD_NEXT is available. */
+int (*__libc_strcmp)(const char* str1, const char* str2);
+int (*__libc_strncmp)(const char* str1, const char* str2, size_t len);
+int (*__libc_strcasecmp)(const char* str1, const char* str2);
+int (*__libc_strncasecmp)(const char* str1, const char* str2, size_t len);
+int (*__libc_memcmp)(const void* mem1, const void* mem2, size_t len);
+int (*__libc_bcmp)(const void* mem1, const void* mem2, size_t len);
+char* (*__libc_strstr)(const char* haystack, const char* needle);
+char* (*__libc_strcasestr)(const char* haystack, const char* needle);
+void* (*__libc_memmem)(const void* haystack, size_t haystack_len,
+                       const void* needle, size_t needle_len);
+#endif

 /* Mapping data and such */

@ -38,7 +73,8 @@ static struct mapping { void *st, *en; } __tokencap_ro[MAX_MAPPINGS];

 static u32   __tokencap_ro_cnt;
 static u8    __tokencap_ro_loaded;
-static FILE* __tokencap_out_file;
+static int   __tokencap_out_file = -1;
+static pid_t __tokencap_pid = -1;

 /* Identify read-only regions in memory. Only parameters that fall into these
   ranges are worth dumping when passed to strcmp() and so on. Read-write
@ -46,6 +82,8 @@ static FILE* __tokencap_out_file;

 static void __tokencap_load_mappings(void) {

+#if defined __linux__
+
  u8    buf[MAX_LINE];
  FILE* f = fopen("/proc/self/maps", "r");

@ -70,6 +108,124 @@ static void __tokencap_load_mappings(void) {

  fclose(f);

+#elif defined __APPLE__
+
+  struct vm_region_submap_info_64 region;
+  mach_msg_type_number_t          cnt = VM_REGION_SUBMAP_INFO_COUNT_64;
+  vm_address_t                    base = 0;
+  vm_size_t                       size = 0;
+  natural_t                       depth = 0;
+
+  __tokencap_ro_loaded = 1;
+
+  while (1) {
+
+    if (vm_region_recurse_64(mach_task_self(), &base, &size, &depth,
+                             (vm_region_info_64_t)&region,
+                             &cnt) != KERN_SUCCESS)
+      break;
+
+    if (region.is_submap) {
+
+      depth++;
+
+    } else {
+
+      /* We only care of main map addresses and the read only kinds */
+      if ((region.protection & VM_PROT_READ) &&
+          !(region.protection & VM_PROT_WRITE)) {
+
+        __tokencap_ro[__tokencap_ro_cnt].st = (void*)base;
+        __tokencap_ro[__tokencap_ro_cnt].en = (void*)(base + size);
+
+        if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+
+      }
+
+    }
+
+  }
+
+#elif defined __FreeBSD__ || defined __OpenBSD__ || defined __NetBSD__
+
+#if defined   __FreeBSD__
+  int    mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __OpenBSD__
+  int mib[] = {CTL_KERN, KERN_PROC_VMMAP, __tokencap_pid};
+#elif defined __NetBSD__
+  int mib[] = {CTL_VM, VM_PROC, VM_PROC_MAP, __tokencap_pid,
+               sizeof(struct kinfo_vmentry)};
+#endif
+  char * buf, *low, *high;
+  size_t miblen = sizeof(mib) / sizeof(mib[0]);
+  size_t len;
+
+  if (sysctl(mib, miblen, NULL, &len, NULL, 0) == -1) return;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+  len = len * 4 / 3;
+#elif defined                      __OpenBSD__
+  len -= len % sizeof(struct kinfo_vmentry);
+#endif
+
+  buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
+  if (buf == MAP_FAILED) return;
+
+  if (sysctl(mib, miblen, buf, &len, NULL, 0) == -1) {
+
+    munmap(buf, len);
+    return;
+
+  }
+
+  low = buf;
+  high = low + len;
+
+  __tokencap_ro_loaded = 1;
+
+  while (low < high) {
+
+    struct kinfo_vmentry* region = (struct kinfo_vmentry*)low;
+
+#if defined __FreeBSD__ || defined __NetBSD__
+
+#if defined   __FreeBSD__
+    size_t                size = region->kve_structsize;
+
+    if (size == 0) break;
+#elif defined __NetBSD__
+    size_t size = sizeof(*region);
+#endif
+
+    /* We go through the whole mapping of the process and track read-only
+     * addresses */
+    if ((region->kve_protection & KVME_PROT_READ) &&
+        !(region->kve_protection & KVME_PROT_WRITE)) {
+
+#elif defined __OpenBSD__
+
+    size_t size = sizeof(*region);
+
+    /* We go through the whole mapping of the process and track read-only
+     * addresses */
+    if ((region->kve_protection & KVE_PROT_READ) &&
+        !(region->kve_protection & KVE_PROT_WRITE)) {
+
+#endif
+      __tokencap_ro[__tokencap_ro_cnt].st = (void*)region->kve_start;
+      __tokencap_ro[__tokencap_ro_cnt].en = (void*)region->kve_end;
+
+      if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
+
+    }
+
+    low += size;
+
+  }
+
+  munmap(buf, len);
+#endif
+
 }

 /* Check an address against the list of read-only mappings. */
@ -96,7 +252,7 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
  u32 i;
  u32 pos = 0;

-  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
+  if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || __tokencap_out_file == -1)
    return;

  for (i = 0; i < len; i++) {
@ -122,7 +278,9 @@ static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {

  buf[pos] = 0;

-  fprintf(__tokencap_out_file, "\"%s\"\n", buf);
+  int wrt_ok = (1 == write(__tokencap_out_file, "\"", 1));
+  wrt_ok &= (pos == write(__tokencap_out_file, buf, pos));
+  wrt_ok &= (2 == write(__tokencap_out_file, "\"\n", 2));

 }

@ -136,9 +294,13 @@ int strcmp(const char* str1, const char* str2) {
  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

+#ifdef RTLD_NEXT
+  if (__libc_strcmp) return __libc_strcmp(str1, str2);
+#endif
+
  while (1) {

-    unsigned char c1 = *str1, c2 = *str2;
+    const unsigned char c1 = *str1, c2 = *str2;

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
@ -156,6 +318,10 @@ int strncmp(const char* str1, const char* str2, size_t len) {
  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

+#ifdef RTLD_NEXT
+  if (__libc_strncmp) return __libc_strncmp(str1, str2, len);
+#endif
+
  while (len--) {

    unsigned char c1 = *str1, c2 = *str2;
@ -178,9 +344,13 @@ int strcasecmp(const char* str1, const char* str2) {
  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);

+#ifdef RTLD_NEXT
+  if (__libc_strcasecmp) return __libc_strcasecmp(str1, str2);
+#endif
+
  while (1) {

-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);

    if (c1 != c2) return (c1 > c2) ? 1 : -1;
    if (!c1) return 0;
@ -198,9 +368,13 @@ int strncasecmp(const char* str1, const char* str2, size_t len) {
  if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
  if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);

+#ifdef RTLD_NEXT
+  if (__libc_strncasecmp) return __libc_strncasecmp(str1, str2, len);
+#endif
+
  while (len--) {

-    unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
+    const unsigned char c1 = tolower(*str1), c2 = tolower(*str2);

    if (!c1) return 0;
    if (c1 != c2) return (c1 > c2) ? 1 : -1;
@ -220,12 +394,46 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {
  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);

+#ifdef RTLD_NEXT
+  if (__libc_memcmp) return __libc_memcmp(mem1, mem2, len);
+#endif
+
+  const char* strmem1 = (const char*)mem1;
+  const char* strmem2 = (const char*)mem2;
+
  while (len--) {

-    unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
+    const unsigned char c1 = *strmem1, c2 = *strmem2;
    if (c1 != c2) return (c1 > c2) ? 1 : -1;
-    mem1++;
-    mem2++;
+    strmem1++;
+    strmem2++;
+
+  }
+
+  return 0;
+
+}
+
+#undef bcmp
+
+int bcmp(const void* mem1, const void* mem2, size_t len) {
+
+  if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
+  if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
+
+#ifdef RTLD_NEXT
+  if (__libc_bcmp) return __libc_bcmp(mem1, mem2, len);
+#endif
+
+  const char* strmem1 = (const char*)mem1;
+  const char* strmem2 = (const char*)mem2;
+
+  while (len--) {
+
+    int diff = *strmem1 ^ *strmem2;
+    if (diff != 0) return 1;
+    strmem1++;
+    strmem2++;

  }

@ -242,6 +450,10 @@ char* strstr(const char* haystack, const char* needle) {

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

+#ifdef RTLD_NEXT
+  if (__libc_strstr) return __libc_strstr(haystack, needle);
+#endif
+
  do {

    const char* n = needle;
@ -267,6 +479,10 @@ char* strcasestr(const char* haystack, const char* needle) {

  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, strlen(needle), 1);

+#ifdef RTLD_NEXT
+  if (__libc_strcasestr) return __libc_strcasestr(haystack, needle);
+#endif
+
  do {

    const char* n = needle;
@ -283,13 +499,235 @@ char* strcasestr(const char* haystack, const char* needle) {

 }

+#undef memmem
+
+void* memmem(const void* haystack, size_t haystack_len, const void* needle,
+             size_t needle_len) {
+
+  if (__tokencap_is_ro(haystack)) __tokencap_dump(haystack, haystack_len, 1);
+
+  if (__tokencap_is_ro(needle)) __tokencap_dump(needle, needle_len, 1);
+
+#ifdef RTLD_NEXT
+  if (__libc_memmem)
+    return __libc_memmem(haystack, haystack_len, needle, needle_len);
+#endif
+
+  const char* n = (const char*)needle;
+  const char* h = (const char*)haystack;
+  if (haystack_len < needle_len) return 0;
+  if (needle_len == 0) return (void*)haystack;
+  if (needle_len == 1) return memchr(haystack, *n, haystack_len);
+
+  const char* end = h + (haystack_len - needle_len);
+
+  do {
+
+    if (*h == *n) {
+
+      if (memcmp(h, n, needle_len) == 0) return (void*)h;
+
+    }
+
+  } while (h++ <= end);
+
+  return 0;
+
+}
+
+/* Common libraries wrappers (from honggfuzz) */
+
+/*
+ * Apache's httpd wrappers
+ */
+int ap_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+const char* ap_strcasestr(const char* s1, const char* s2) {
+
+  return strcasestr(s1, s2);
+
+}
+
+int apr_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+/*
+ * *SSL wrappers
+ */
+int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_strcasecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) {
+
+  return strncasecmp(s1, s2, len);
+
+}
+
+int32_t memcmpct(const void* s1, const void* s2, size_t len) {
+
+  return memcmp(s1, s2, len);
+
+}
+
+/*
+ * libXML wrappers
+ */
+int xmlStrncmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncmp(s1, s2, (size_t)len);
+
+}
+
+int xmlStrcmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcmp(s1, s2);
+
+}
+
+int xmlStrEqual(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 1; }
+  if (s1 == NULL) { return 0; }
+  if (s2 == NULL) { return 0; }
+  if (strcmp(s1, s2) == 0) { return 1; }
+  return 0;
+
+}
+
+int xmlStrcasecmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcasecmp(s1, s2);
+
+}
+
+int xmlStrncasecmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncasecmp(s1, s2, (size_t)len);
+
+}
+
+const char* xmlStrstr(const char* haystack, const char* needle) {
+
+  if (haystack == NULL) { return NULL; }
+  if (needle == NULL) { return NULL; }
+  return strstr(haystack, needle);
+
+}
+
+const char* xmlStrcasestr(const char* haystack, const char* needle) {
+
+  if (haystack == NULL) { return NULL; }
+  if (needle == NULL) { return NULL; }
+  return strcasestr(haystack, needle);
+
+}
+
+/*
+ * Samba wrappers
+ */
+int memcmp_const_time(const void* s1, const void* s2, size_t n) {
+
+  return memcmp(s1, s2, n);
+
+}
+
+bool strcsequal(const void* s1, const void* s2) {
+
+  if (s1 == s2) { return true; }
+  if (!s1 || !s2) { return false; }
+  return (strcmp(s1, s2) == 0);
+
+}
+
+/* bcmp/memcmp BSD flavors, similar to CRYPTO_memcmp */
+
+int timingsafe_bcmp(const void* mem1, const void* mem2, size_t len) {
+
+  return bcmp(mem1, mem2, len);
+
+}
+
+int timingsafe_memcmp(const void* mem1, const void* mem2, size_t len) {
+
+  return memcmp(mem1, mem2, len);
+
+}
+
 /* Init code to open the output file (or default to stderr). */

 __attribute__((constructor)) void __tokencap_init(void) {

  u8* fn = getenv("AFL_TOKEN_FILE");
-  if (fn) __tokencap_out_file = fopen(fn, "a");
-  if (!__tokencap_out_file) __tokencap_out_file = stderr;
+  if (fn) __tokencap_out_file = open(fn, O_RDWR | O_CREAT | O_APPEND, 0655);
+  if (__tokencap_out_file == -1) __tokencap_out_file = STDERR_FILENO;
+  __tokencap_pid = getpid();
+
+#ifdef RTLD_NEXT
+  __libc_strcmp = dlsym(RTLD_NEXT, "strcmp");
+  __libc_strncmp = dlsym(RTLD_NEXT, "strncmp");
+  __libc_strcasecmp = dlsym(RTLD_NEXT, "strcasecmp");
+  __libc_strncasecmp = dlsym(RTLD_NEXT, "strncasecmp");
+  __libc_memcmp = dlsym(RTLD_NEXT, "memcmp");
+  __libc_bcmp = dlsym(RTLD_NEXT, "bcmp");
+  __libc_strstr = dlsym(RTLD_NEXT, "strstr");
+  __libc_strcasestr = dlsym(RTLD_NEXT, "strcasestr");
+  __libc_memmem = dlsym(RTLD_NEXT, "memmem");
+#endif
+
+}
+
+/* closing as best as we can the tokens file */
+__attribute__((destructor)) void __tokencap_shutdown(void) {
+
+  if (__tokencap_out_file != STDERR_FILENO) close(__tokencap_out_file);

 }

--- a/llvm_mode/LLVMInsTrim.so.cc
+++ b/llvm_mode/LLVMInsTrim.so.cc
@ -13,6 +13,7 @@
 #include "llvm/IR/Module.h"
 #include "llvm/Pass.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/CommandLine.h"
 #include "llvm/Transforms/IPO/PassManagerBuilder.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/IR/DebugInfo.h"
@ -146,6 +147,9 @@ struct InsTrim : public ModulePass {
        M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
        GlobalVariable::GeneralDynamicTLSModel, 0, false);

+    ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
+    ConstantInt *One = ConstantInt::get(Int8Ty, 1);
+
    u64 total_rs = 0;
    u64 total_hs = 0;

@ -155,9 +159,10 @@ struct InsTrim : public ModulePass {

      if (!myWhitelist.empty()) {

-        bool      instrumentBlock = false;
-        DebugLoc  Loc;
-        StringRef instFilename;
+        bool         instrumentBlock = false;
+        DebugLoc     Loc;
+        StringRef    instFilename;
+        unsigned int instLine = 0;

        for (auto &BB : F) {

@ -171,7 +176,7 @@ struct InsTrim : public ModulePass {

          DILocation *cDILoc = dyn_cast<DILocation>(Loc.getAsMDNode());

-          unsigned int instLine = cDILoc->getLine();
+          instLine = cDILoc->getLine();
          instFilename = cDILoc->getFilename();

          if (instFilename.str().empty()) {
@ -217,11 +222,18 @@ struct InsTrim : public ModulePass {
         * not whitelisted, so we skip instrumentation. */
        if (!instrumentBlock) {

-          if (!instFilename.str().empty())
-            SAYF(cYEL "[!] " cBRI "Not in whitelist, skipping %s ...\n",
-                 instFilename.str().c_str());
-          else
-            SAYF(cYEL "[!] " cBRI "No filename information found, skipping it");
+          if (!be_quiet) {
+
+            if (!instFilename.str().empty())
+              SAYF(cYEL "[!] " cBRI
+                        "Not in whitelist, skipping %s line %u...\n",
+                   instFilename.str().c_str(), instLine);
+            else
+              SAYF(cYEL "[!] " cBRI
+                        "No filename information found, skipping it");
+
+          }
+
          continue;

        }
@ -365,7 +377,7 @@ struct InsTrim : public ModulePass {
        LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
        Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

-        Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
+        Value *Incr = IRB.CreateAdd(Counter, One);

 #if LLVM_VERSION_MAJOR < 9
        if (neverZero_counters_str !=
@ -387,7 +399,7 @@ struct InsTrim : public ModulePass {
           * Counter + 1 -> {Counter, OverflowFlag}
           * Counter + OverflowFlag -> Counter
           */
-          auto cf = IRB.CreateICmpEQ(Incr, ConstantInt::get(Int8Ty, 0));
+          auto cf = IRB.CreateICmpEQ(Incr, Zero);
          auto carry = IRB.CreateZExt(cf, Int8Ty);
          Incr = IRB.CreateAdd(Incr, carry);

--- a/llvm_mode/Makefile
+++ b/llvm_mode/Makefile
@ -3,7 +3,7 @@
 # -----------------------------------------
 #
 # Written by Laszlo Szekeres <lszekeres@google.com> and
-#            Michal Zalewski <lcamtuf@google.com>
+#            Michal Zalewski
 #
 # LLVM integration design comes from Laszlo Szekeres.
 #
@ -29,29 +29,45 @@ ifeq "$(shell uname)" "OpenBSD"
  LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
  HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
  ifeq "$(HAS_OPT)" "1"
-    $(error llvm_mode needs a complete llvm installation (versions 3.8.0 up to 9) -> e.g. "pkg_add llvm-7.0.1p9")
+    $(error llvm_mode needs a complete llvm installation (versions 3.8.0 up to 10) -> e.g. "pkg_add llvm-7.0.1p9")
  endif
 else
  LLVM_CONFIG ?= llvm-config
 endif

-LLVMVER  = $(shell $(LLVM_CONFIG) --version)
-LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version | egrep -q '^[12]|^3\.0|^1[0-9]' && echo 1 || echo 0 )
-LLVM_MAJOR = ($shell $(LLVM_CONFIG) --version | sed 's/\..*//')
+LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null )
+LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-7]|^1[1-9]' && echo 1 || echo 0 )
+LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 )
+LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//')
+LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+LLVM_STDCXX = gnu++11
+LLVM_APPLE = $(shell clang -v 2>&1 | grep -iq apple && echo 1 || echo 0)

-ifeq "$(LLVM_UNSUPPORTED)" "1"
-  $(warn llvm_mode only supports versions 3.8.0 up to 9)
+ifeq "$(LLVMVER)" ""
+  $(warning llvm_mode needs llvm-config, which was not found)
+endif
+
+ifeq "$(LLVM_UNSUPPORTED)" "1"
+  $(warning llvm_mode only supports llvm versions 3.8.0 up to 10)
 endif

-# this is not visible yet:
 ifeq "$(LLVM_MAJOR)" "9"
-  $(info llvm_mode deteted llvm 9, enabling neverZero implementation)
+  $(info llvm_mode detected llvm 9, enabling neverZero implementation)
+endif
+
+ifeq "$(LLVM_NEW_API)" "1"
+  $(info llvm_mode detected llvm 10+, enabling neverZero implementation and c++14)
+  LLVM_STDCXX = c++14
+endif
+
+ifeq "$(LLVM_APPLE)" "1"
+  $(warning llvm_mode will not compile with Xcode clang...)
 endif

 CFLAGS      ?= -O3 -funroll-loops
 CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I ../include/ \
               -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-               -DVERSION=\"$(VERSION)\"
+               -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\"
 ifdef AFL_TRACE_PC
  CFLAGS    += -DUSE_TRACE_PC=1
 endif
@ -77,11 +93,18 @@ endif
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.

-ifeq "$(origin CC)" "default"
-  ifeq "$(shell uname)" "OpenBSD"
-    CC         = $(BIN_PATH)/clang
-    CXX        = $(BIN_PATH)/clang++
+CC         = $(LLVM_BINDIR)/clang
+CXX        = $(LLVM_BINDIR)/clang++
+
+ifeq "$(shell test -e $(CC) || echo 1 )" "1"
+  # llvm-config --bindir is not providing a valid path, so ...
+  ifeq "$(shell test -e '$(BIN_DIR)/clang' && echo 1)" "1"
+    # we found one in the local install directory, lets use these
+    CC         = $(BIN_DIR)/clang
+    CXX        = $(BIN_DIR)/clang++
  else
+    # hope for the best
+    $(warning we have trouble finding clang/clang++ - llvm-config is not helping us)
    CC         = clang
    CXX        = clang++
  endif
@ -92,7 +115,7 @@ endif
 CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ ([0-9]\.[0-9]\.[0-9]).*/s//\1/p')


-ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 )" "1"
+ifeq "$(shell echo '\#include <sys/ipc.h>@\#include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
        SHMAT_OK=1
 else
        SHMAT_OK=0
@ -106,7 +129,6 @@ ifeq "$(TEST_MMAP)" "1"
        LDFLAGS += -lrt
 endif

-
 ifndef AFL_TRACE_PC
  PROGS      = ../afl-clang-fast ../afl-llvm-pass.so ../libLLVMInsTrim.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../compare-transform-pass.so ../split-compares-pass.so ../split-switches-pass.so
 else
@ -114,12 +136,26 @@ else
 endif

 ifneq "$(CLANGVER)" "$(LLVMVER)"
-  CC = $(shell llvm-config --bindir)/clang
-  CXX = $(shell llvm-config --bindir)/clang++
+  CC = $(shell $(LLVM_CONFIG) --bindir)/clang
+  CXX = $(shell $(LLVM_CONFIG) --bindir)/clang++
 endif

-all: test_shm test_deps $(PROGS) test_build all_done
+# If prerequisites are not given, warn, do not build anything, and exit with code 0
+ifeq "$(LLVMVER)" ""
+  NO_BUILD = 1
+endif

+ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE)" "00"
+  NO_BUILD = 1
+endif
+
+ifeq "$(NO_BUILD)" "1"
+  TARGETS = no_build
+else
+  TARGETS = test_shm test_deps $(PROGS) afl-clang-fast.8 test_build all_done
+endif
+
+all: $(TARGETS)

 ifeq "$(SHMAT_OK)" "1"

@ -134,11 +170,15 @@ test_shm:

 endif

+no_build:
+	@printf "%b\\n" "\\033[0;31mPrerequisites are not met, skipping build llvm_mode\\033[0m"

 test_deps:
 ifndef AFL_TRACE_PC
 	@echo "[*] Checking for working 'llvm-config'..."
+ ifneq "$(LLVM_APPLE)" "1"
 	@which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo "    (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
+ endif
 else
 	@echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM)."
 endif
@ -160,10 +200,10 @@ endif
 	ln -sf afl-clang-fast ../afl-clang-fast++

 ../libLLVMInsTrim.so: LLVMInsTrim.so.cc MarkNodes.cc | test_deps
-	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)
+	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< MarkNodes.cc -o $@ $(CLANG_LFL)

 ../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
-	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=gnu++11 -shared $< -o $@ $(CLANG_LFL)
+	$(CXX) $(CLANG_CFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL)

 # laf
 ../split-switches-pass.so:	split-switches-pass.so.cc | test_deps
@ -199,6 +239,27 @@ all_done: test_build

 .NOTPARALLEL: clean

+vpath  % ..
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .SH NAME >> ../$@
+	@echo .B $* >> ../$@
+	@echo >> ../$@
+	@echo .SH SYNOPSIS >> ../$@
+	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
+	@echo >> ../$@
+	@echo .SH OPTIONS >> ../$@
+	@echo .nf >> ../$@
+	@../$* -h 2>&1 | tail -n +4 >> ../$@
+	@echo >> ../$@
+	@echo .SH AUTHOR >> ../$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> ../$@
+	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> ../$@
+	@echo >> ../$@
+	@echo .SH LICENSE >> ../$@
+	@echo Apache License Version 2.0, January 2004 >> ../$@
+	ln -sf afl-clang-fast.8 ../afl-clang-fast++.8
+
 clean:
 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* .test2 test-instr .test-instr0 .test-instr1 
-	rm -f $(PROGS) ../afl-clang-fast++
+	rm -f $(PROGS) ../afl-clang-fast++ ../afl-clang-fast*.8
--- a/llvm_mode/README.instrim.md
+++ b/llvm_mode/README.instrim.md
@ -10,7 +10,8 @@ path discovery.

 ## Usage

-Set the environment variable `AFL_LLVM_INSTRIM=1`.
+Set the environment variable `AFL_LLVM_INSTRIM=1` during compilation of
+the target.

 There is also an advanced mode which instruments loops in a way so that
 afl-fuzz can see which loop path has been selected but not being able to
--- a/llvm_mode/README.laf-intel.md
+++ b/llvm_mode/README.laf-intel.md
@ -2,7 +2,7 @@

 ## Usage

-By default the passes will not run when you compile programs using 
+By default these passes will not run when you compile programs using 
 afl-clang-fast. Hence, you can use AFL as usual.
 To enable the passes you must set environment variables before you
 compile the target project.
@ -15,11 +15,25 @@ Enables the split-switches pass.

 `export AFL_LLVM_LAF_TRANSFORM_COMPARES=1`

-Enables the transform-compares pass (strcmp, memcmp, strncmp, strcasecmp, strncasecmp).
+Enables the transform-compares pass (strcmp, memcmp, strncmp,
+strcasecmp, strncasecmp).

 `export AFL_LLVM_LAF_SPLIT_COMPARES=1`

 Enables the split-compares pass.
-By default it will split all compares with a bit width <= 64 bits.
-You can change this behaviour by setting `export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`.
+By default it will 
+1. simplify operators >= (and <=) into chains of > (<) and == comparisons
+2. change signed integer comparisons to a chain of sign-only comparison
+and unsigned comparisons
+3. split all unsigned integer comparisons with bit widths of
+64, 32 or 16 bits to chains of 8 bits comparisons.

+You can change the behaviour of the last step by setting
+`export AFL_LLVM_LAF_SPLIT_COMPARES_BITW=<bit_width>`, where 
+bit_width may be 64, 32 or 16.
+
+A new experimental feature is splitting floating point comparisons into a
+series of sign, exponent and mantissa comparisons followed by splitting each
+of them into 8 bit comparisons when necessary.
+It is activated with the `AFL_LLVM_LAF_SPLIT_FLOATS` setting, available only
+when `AFL_LLVM_LAF_SPLIT_COMPARES` is set.
--- a/llvm_mode/README.md
+++ b/llvm_mode/README.md
@ -5,7 +5,7 @@

 ## 1) Introduction

-! llvm_mode works with llvm versions 3.8.0 up to 9 !
+! llvm_mode works with llvm versions 3.8.0 up to 10 !

 The code in this directory allows you to instrument programs for AFL using
 true compiler-level instrumentation, instead of the more crude
@ -27,7 +27,8 @@ several interesting properties:
  - The instrumentation can cope a bit better with multi-threaded targets.

  - Because the feature relies on the internals of LLVM, it is clang-specific
-    and will *not* work with GCC (see ../gcc_plugin/ for an alternative).
+    and will *not* work with GCC (see ../gcc_plugin/ for an alternative once
+    it is available).

 Once this implementation is shown to be sufficiently robust and portable, it
 will probably replace afl-clang. For now, it can be built separately and
@ -41,6 +42,10 @@ In order to leverage this mechanism, you need to have clang installed on your
 system. You should also make sure that the llvm-config tool is in your path
 (or pointed to via LLVM_CONFIG in the environment).

+Note that if you have several LLVM versions installed, pointing LLVM_CONFIG
+to the version you want to use will switch compiling to this specific
+version - if you installation is set up correctly :-)
+
 Unfortunately, some systems that do have clang come without llvm-config or the
 LLVM development headers; one example of this is FreeBSD. FreeBSD users will
 also run into problems with clang being built statically and not being able to
@ -82,7 +87,7 @@ Several options are present to make llvm_mode faster or help it rearrange
 the code to make afl-fuzz path discovery easier.

 If you need just to instrument specific parts of the code, you can whitelist
-which C/C++ files to actually intrument. See README.whitelist
+which C/C++ files to actually instrument. See README.whitelist

 For splitting memcmp, strncmp, etc. please see README.laf-intel

@ -94,7 +99,7 @@ See README.instrim

 Finally if your llvm version is 8 or lower, you can activate a mode that
 prevents that a counter overflow result in a 0 value. This is good for
-path discovery, but the llvm implementation for intel for this functionality
+path discovery, but the llvm implementation for x86 for this functionality
 is not optimal and was only fixed in llvm 9.
 You can set this with AFL_LLVM_NOT_ZERO=1
 See README.neverzero
--- a/llvm_mode/README.neverzero.md
+++ b/llvm_mode/README.neverzero.md
@ -2,17 +2,20 @@

 ## Usage

-In larger, complex or reiterative programs the map that collects the edge pairs
-can easily fill up and wrap.
-This is not that much of an issue - unless by chance it wraps just to a 0
-when the program execution ends.
-In this case afl-fuzz is not able to see that the pair has been accessed and
+In larger, complex or reiterative programs the counters that collect the edge
+coverage can easily fill up and wrap around.
+This is not that much of an issue - unless by chance it wraps just to a value
+of zero when the program execution ends.
+In this case afl-fuzz is not able to see that the edge has been accessed and
 will ignore it.

-NeverZero prevents this behaviour. If a counter wraps, it jumps over the 0
-directly to a 1. This improves path discovery (by a very little amount)
+NeverZero prevents this behaviour. If a counter wraps, it jumps over the value
+0 directly to a 1. This improves path discovery (by a very little amount)
 at a very little cost (one instruction per edge).

+(The alternative of saturated counters has been tested also and proved to be
+inferior in terms of path discovery.)
+
 This is implemented in afl-gcc, however for llvm_mode this is optional if
 the llvm version is below 9 - as there is a perfomance bug that is only fixed
 in version 9 and onwards.
--- a/llvm_mode/README.whitelist.md
+++ b/llvm_mode/README.whitelist.md
@ -34,8 +34,8 @@ the compiler.

 The environment variable must point to a file containing all the filenames
 that should be instrumented. For matching, the filename that is being compiled
-must end in the filename contained in this whitelist (to avoid breaking the
-matching when absolute paths are used during compilation).
+must end in the filename entry contained in this whitelist (to avoid breaking
+the matching when absolute paths are used during compilation).

 For example if your source tree looks like this:

@ -47,14 +47,14 @@ project/feature_b/b1.cpp
 project/feature_b/b2.cpp
 ```

-And you only want to test feature_a, then create a whitelist file containing:
+and you only want to test feature_a, then create a whitelist file containing:

 ```
 feature_a/a1.cpp
 feature_a/a2.cpp
 ```

-However if the whitelist file contains this, it works as well:
+However if the whitelist file contains only this, it works as well:

 ```
 a1.cpp
@ -62,9 +62,9 @@ a2.cpp
 ```

 but it might lead to files being unwantedly instrumented if the same filename
-exists somewhere else in the project.
+exists somewhere else in the project directories.

-The created whitelist file is then set to AFL_INST_WHITELIST when you compile
+The created whitelist file is then set to AFL_LLVM_WHITELIST when you compile
 your program. For each file that didn't match the whitelist, the compiler will
 issue a warning at the end stating that no blocks were instrumented. If you
 didn't intend to instrument that file, then you can safely ignore that warning.
@ -72,4 +72,4 @@ didn't intend to instrument that file, then you can safely ignore that warning.
 For old LLVM versions this feature might require to be compiled with debug
 information (-g), however at least from llvm version 6.0 onwards this is not
 required anymore (and might hurt performance and crash detection, so better not
-use -g)
+use -g).
--- a/llvm_mode/afl-clang-fast.c
+++ b/llvm_mode/afl-clang-fast.c
@ -3,7 +3,7 @@
   ------------------------------------------------

   Written by Laszlo Szekeres <lszekeres@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+              Michal Zalewski

   LLVM integration design comes from Laszlo Szekeres.

@ -32,11 +32,13 @@
 #include <unistd.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include <assert.h>

 static u8*  obj_path;                  /* Path to runtime libraries         */
 static u8** cc_params;                 /* Parameters passed to the real CC  */
 static u32  cc_par_cnt = 1;            /* Param count, including argv0      */
+static u8   llvm_fullpath[PATH_MAX];

 /* Try to find the runtime libraries. If that fails, abort. */

@ -47,7 +49,11 @@ static void find_obj(u8* argv0) {

  if (afl_path) {

+#ifdef __ANDROID__
+    tmp = alloc_printf("%s/afl-llvm-rt.so", afl_path);
+#else
    tmp = alloc_printf("%s/afl-llvm-rt.o", afl_path);
+#endif

    if (!access(tmp, R_OK)) {

@ -71,7 +77,11 @@ static void find_obj(u8* argv0) {
    dir = ck_strdup(argv0);
    *slash = '/';

+#ifdef __ANDROID__
+    tmp = alloc_printf("%s/afl-llvm-rt.so", afl_path);
+#else
    tmp = alloc_printf("%s/afl-llvm-rt.o", dir);
+#endif

    if (!access(tmp, R_OK)) {

@ -86,8 +96,14 @@ static void find_obj(u8* argv0) {

  }

+#ifdef __ANDROID__
+  if (!access(AFL_PATH "/afl-llvm-rt.so", R_OK)) {
+
+#else
  if (!access(AFL_PATH "/afl-llvm-rt.o", R_OK)) {

+#endif
+
    obj_path = AFL_PATH;
    return;

@ -104,6 +120,7 @@ static void find_obj(u8* argv0) {
 static void edit_params(u32 argc, char** argv) {

  u8  fortify_set = 0, asan_set = 0, x_set = 0, maybe_linking = 1, bit_mode = 0;
+  u8  has_llvm_config = 0;
  u8* name;

  cc_params = ck_alloc((argc + 128) * sizeof(u8*));
@ -112,23 +129,33 @@ static void edit_params(u32 argc, char** argv) {
  if (!name)
    name = argv[0];
  else
-    name++;
+    ++name;
+
+  has_llvm_config = (strlen(LLVM_BINDIR) > 0);

  if (!strcmp(name, "afl-clang-fast++")) {

    u8* alt_cxx = getenv("AFL_CXX");
-    cc_params[0] = alt_cxx ? alt_cxx : (u8*)"clang++";
+    if (has_llvm_config)
+      snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang++", LLVM_BINDIR);
+    else
+      sprintf(llvm_fullpath, "clang++");
+    cc_params[0] = alt_cxx ? alt_cxx : (u8*)llvm_fullpath;

  } else {

    u8* alt_cc = getenv("AFL_CC");
-    cc_params[0] = alt_cc ? alt_cc : (u8*)"clang";
+    if (has_llvm_config)
+      snprintf(llvm_fullpath, sizeof(llvm_fullpath), "%s/clang", LLVM_BINDIR);
+    else
+      sprintf(llvm_fullpath, "clang");
+    cc_params[0] = alt_cc ? alt_cc : (u8*)llvm_fullpath;

  }

  /* There are three ways to compile with afl-clang-fast. In the traditional
     mode, we use afl-llvm-pass.so, then there is libLLVMInsTrim.so which is
-     much faster but has less coverage. Finally tere is the experimental
+     much faster but has less coverage. Finally there is the experimental
     'trace-pc-guard' mode, we use native LLVM instrumentation callbacks
     instead. For trace-pc-guard see:
     http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards
@ -196,6 +223,7 @@ static void edit_params(u32 argc, char** argv) {
    u8* cur = *(++argv);

    if (!strcmp(cur, "-m32")) bit_mode = 32;
+    if (!strcmp(cur, "armv7a-linux-androideabi")) bit_mode = 32;
    if (!strcmp(cur, "-m64")) bit_mode = 64;

    if (!strcmp(cur, "-x")) x_set = 1;
@ -273,6 +301,9 @@ static void edit_params(u32 argc, char** argv) {
    cc_params[cc_par_cnt++] = "-fno-builtin-strcasecmp";
    cc_params[cc_par_cnt++] = "-fno-builtin-strncasecmp";
    cc_params[cc_par_cnt++] = "-fno-builtin-memcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-bcmp";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strstr";
+    cc_params[cc_par_cnt++] = "-fno-builtin-strcasestr";

  }

@ -341,6 +372,7 @@ static void edit_params(u32 argc, char** argv) {

    }

+#ifndef __ANDROID__
    switch (bit_mode) {

      case 0:
@ -365,6 +397,8 @@ static void edit_params(u32 argc, char** argv) {

    }

+#endif
+
  }

  cc_params[cc_par_cnt] = NULL;
@ -375,20 +409,21 @@ static void edit_params(u32 argc, char** argv) {

 int main(int argc, char** argv) {

-  if (isatty(2) && !getenv("AFL_QUIET")) {
+  if (argc < 2 || strcmp(argv[1], "-h") == 0) {

 #ifdef USE_TRACE_PC
-    SAYF(cCYA "afl-clang-fast" VERSION cRST
-              " [tpcg] by <lszekeres@google.com>\n");
+    printf(
+        cCYA
+        "afl-clang-fast" VERSION cRST
+        " [tpcg] by <lszekeres@google.com>\n"
 #else
-    SAYF(cCYA "afl-clang-fast" VERSION cRST " by <lszekeres@google.com>\n");
+    printf(
+        cCYA
+        "afl-clang-fast" VERSION cRST
+        " by <lszekeres@google.com>\n"
 #endif                                                     /* ^USE_TRACE_PC */
-
-  }
-
-  if (argc < 2) {
-
-    SAYF(
+        "\n"
+        "afl-clang-fast[++] [options]\n"
        "\n"
        "This is a helper application for afl-fuzz. It serves as a drop-in "
        "replacement\n"
@ -412,9 +447,20 @@ int main(int argc, char** argv) {

    exit(1);

+  } else if (isatty(2) && !getenv("AFL_QUIET")) {
+
+#ifdef USE_TRACE_PC
+    SAYF(cCYA "afl-clang-fast" VERSION cRST
+              " [tpcg] by <lszekeres@google.com>\n");
+#else
+    SAYF(cCYA "afl-clang-fast" VERSION cRST " by <lszekeres@google.com>\n");
+#endif                                                     /* ^USE_TRACE_PC */
+
  }

+#ifndef __ANDROID__
  find_obj(argv[0]);
+#endif

  edit_params(argc, argv);

--- a/llvm_mode/afl-llvm-pass.so.cc
+++ b/llvm_mode/afl-llvm-pass.so.cc
@ -3,7 +3,7 @@
   ---------------------------------------------------

   Written by Laszlo Szekeres <lszekeres@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+              Michal Zalewski

   LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
   from afl-as.c are Michal's fault.
@ -34,6 +34,7 @@
 #include <list>
 #include <string>
 #include <fstream>
+#include <sys/time.h>

 #include "llvm/IR/DebugInfo.h"
 #include "llvm/IR/BasicBlock.h"
@ -93,9 +94,17 @@ bool AFLCoverage::runOnModule(Module &M) {

  LLVMContext &C = M.getContext();

-  IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
-  IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
-  unsigned int cur_loc = 0;
+  IntegerType *   Int8Ty = IntegerType::getInt8Ty(C);
+  IntegerType *   Int32Ty = IntegerType::getInt32Ty(C);
+  struct timeval  tv;
+  struct timezone tz;
+  u32             rand_seed;
+  unsigned int    cur_loc = 0;
+
+  /* Setup random() so we get Actually Random(TM) outputs from AFL_R() */
+  gettimeofday(&tv, &tz);
+  rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
+  AFL_SR(rand_seed);

  /* Show a banner */

@ -105,7 +114,7 @@ bool AFLCoverage::runOnModule(Module &M) {

    SAYF(cCYA "afl-llvm-pass" VERSION cRST " by <lszekeres@google.com>\n");

-  } else
+  } else if (getenv("AFL_QUIET"))

    be_quiet = 1;

@ -141,6 +150,8 @@ bool AFLCoverage::runOnModule(Module &M) {
      M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
      GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
+  ConstantInt *Zero = ConstantInt::get(Int8Ty, 0);
+  ConstantInt *One = ConstantInt::get(Int8Ty, 1);

  /* Instrument all the things! */

@ -181,6 +192,8 @@ bool AFLCoverage::runOnModule(Module &M) {

          }

+          (void)instLine;
+
          /* Continue only if we know where we actually are */
          if (!instFilename.str().empty()) {

@ -223,6 +236,11 @@ bool AFLCoverage::runOnModule(Module &M) {
      // cur_loc++;
      cur_loc = AFL_R(MAP_SIZE);

+/* There is a problem with Ubuntu 18.04 and llvm 6.0 (see issue #63).
+   The inline function successors() is not inlined and also not found at runtime
+   :-( As I am unable to detect Ubuntu18.04 heree, the next best thing is to
+   disable this optional optimization for LLVM 6.0.0 and Linux */
+#if !(LLVM_VERSION_MAJOR == 6 && LLVM_VERSION_MINOR == 0) || !defined __linux__
      // only instrument if this basic block is the destination of a previous
      // basic block that has multiple successors
      // this gets rid of ~5-10% of instrumentations that are unnecessary
@ -234,6 +252,7 @@ bool AFLCoverage::runOnModule(Module &M) {
        int count = 0;
        if (more_than_one == -1) more_than_one = 0;
        // fprintf(stderr, " %p=>", Pred);
+
        for (BasicBlock *Succ : successors(Pred)) {

          // if (count > 0)
@ -249,7 +268,7 @@ bool AFLCoverage::runOnModule(Module &M) {

      // fprintf(stderr, " == %d\n", more_than_one);
      if (more_than_one != 1) continue;
-
+#endif
      ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);

      /* Load prev_loc */
@ -270,7 +289,7 @@ bool AFLCoverage::runOnModule(Module &M) {
      LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
      Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));

-      Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
+      Value *Incr = IRB.CreateAdd(Counter, One);

 #if LLVM_VERSION_MAJOR < 9
      if (neverZero_counters_str !=
@ -314,7 +333,7 @@ bool AFLCoverage::runOnModule(Module &M) {
        */
        // this is the solution we choose because llvm9 should do the right
        // thing here
-        auto cf = IRB.CreateICmpEQ(Incr, ConstantInt::get(Int8Ty, 0));
+        auto cf = IRB.CreateICmpEQ(Incr, Zero);
        auto carry = IRB.CreateZExt(cf, Int8Ty);
        Incr = IRB.CreateAdd(Incr, carry);
 /*
--- a/llvm_mode/afl-llvm-rt.o.c
+++ b/llvm_mode/afl-llvm-rt.o.c
@ -3,7 +3,7 @@
   ---------------------------------------------------

   Written by Laszlo Szekeres <lszekeres@google.com> and
-              Michal Zalewski <lcamtuf@google.com>
+              Michal Zalewski

   LLVM integration design comes from Laszlo Szekeres.

--- a/llvm_mode/compare-transform-pass.so.cc
+++ b/llvm_mode/compare-transform-pass.so.cc
@ -234,6 +234,10 @@ bool CompareTransform::transformCmps(Module &M, const bool processStrcmp,
      ConstantInt *ilen = dyn_cast<ConstantInt>(op2);
      sizedLen = ilen->getZExtValue();

+    } else {
+
+      sizedLen = 0;
+
    }

    if (HasStr1) {
--- a/llvm_mode/split-compares-pass.so.cc
+++ b/llvm_mode/split-compares-pass.so.cc
@ -1,5 +1,6 @@
 /*
 * Copyright 2016 laf-intel
+ * extended for floating point by Heiko Eißfeldt
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -49,9 +50,13 @@ class SplitComparesTransform : public ModulePass {
  }

 private:
-  bool splitCompares(Module &M, unsigned bitw);
-  bool simplifyCompares(Module &M);
-  bool simplifySignedness(Module &M);
+  int enableFPSplit;
+
+  size_t splitIntCompares(Module &M, unsigned bitw);
+  size_t splitFPCompares(Module &M);
+  bool   simplifyCompares(Module &M);
+  bool   simplifyIntSignedness(Module &M);
+  size_t nextPowerOfTwo(size_t in);

 };

@ -65,6 +70,7 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {

  LLVMContext &              C = M.getContext();
  std::vector<Instruction *> icomps;
+  std::vector<Instruction *> fcomps;
  IntegerType *              Int1Ty = IntegerType::getInt1Ty(C);

  /* iterate over all functions, bbs and instruction and add
@ -79,25 +85,44 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {

        if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {

-          if (selectcmpInst->getPredicate() != CmpInst::ICMP_UGE &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_SGE &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_ULE &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_SLE) {
+          if (selectcmpInst->getPredicate() == CmpInst::ICMP_UGE ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_SGE ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_ULE ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_SLE) {

-            continue;
+            auto op0 = selectcmpInst->getOperand(0);
+            auto op1 = selectcmpInst->getOperand(1);
+
+            IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
+            IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
+
+            /* this is probably not needed but we do it anyway */
+            if (!intTyOp0 || !intTyOp1) { continue; }
+
+            icomps.push_back(selectcmpInst);

          }

-          auto op0 = selectcmpInst->getOperand(0);
-          auto op1 = selectcmpInst->getOperand(1);
+          if (enableFPSplit &&
+              (selectcmpInst->getPredicate() == CmpInst::FCMP_OGE ||
+               selectcmpInst->getPredicate() == CmpInst::FCMP_UGE ||
+               selectcmpInst->getPredicate() == CmpInst::FCMP_OLE ||
+               selectcmpInst->getPredicate() == CmpInst::FCMP_ULE)) {

-          IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
-          IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
+            auto op0 = selectcmpInst->getOperand(0);
+            auto op1 = selectcmpInst->getOperand(1);

-          /* this is probably not needed but we do it anyway */
-          if (!intTyOp0 || !intTyOp1) { continue; }
+            Type *TyOp0 = op0->getType();
+            Type *TyOp1 = op1->getType();

-          icomps.push_back(selectcmpInst);
+            /* this is probably not needed but we do it anyway */
+            if (TyOp0 != TyOp1) { continue; }
+
+            if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; }
+
+            fcomps.push_back(selectcmpInst);
+
+          }

        }

@ -107,7 +132,7 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {

  }

-  if (!icomps.size()) { return false; }
+  if (!icomps.size() && !fcomps.size()) { return false; }

  for (auto &IcmpInst : icomps) {

@ -173,18 +198,83 @@ bool SplitComparesTransform::simplifyCompares(Module &M) {

  }

+  /* now for floating point */
+  for (auto &FcmpInst : fcomps) {
+
+    BasicBlock *bb = FcmpInst->getParent();
+
+    auto op0 = FcmpInst->getOperand(0);
+    auto op1 = FcmpInst->getOperand(1);
+
+    /* find out what the new predicate is going to be */
+    auto               pred = dyn_cast<CmpInst>(FcmpInst)->getPredicate();
+    CmpInst::Predicate new_pred;
+    switch (pred) {
+
+      case CmpInst::FCMP_UGE: new_pred = CmpInst::FCMP_UGT; break;
+      case CmpInst::FCMP_OGE: new_pred = CmpInst::FCMP_OGT; break;
+      case CmpInst::FCMP_ULE: new_pred = CmpInst::FCMP_ULT; break;
+      case CmpInst::FCMP_OLE: new_pred = CmpInst::FCMP_OLT; break;
+      default:  // keep the compiler happy
+        continue;
+
+    }
+
+    /* split before the icmp instruction */
+    BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(FcmpInst));
+
+    /* the old bb now contains a unconditional jump to the new one (end_bb)
+     * we need to delete it later */
+
+    /* create the ICMP instruction with new_pred and add it to the old basic
+     * block bb it is now at the position where the old IcmpInst was */
+    Instruction *fcmp_np;
+    fcmp_np = CmpInst::Create(Instruction::FCmp, new_pred, op0, op1);
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), fcmp_np);
+
+    /* create a new basic block which holds the new EQ fcmp */
+    Instruction *fcmp_eq;
+    /* insert middle_bb before end_bb */
+    BasicBlock *middle_bb =
+        BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb);
+    fcmp_eq = CmpInst::Create(Instruction::FCmp, CmpInst::FCMP_OEQ, op0, op1);
+    middle_bb->getInstList().push_back(fcmp_eq);
+    /* add an unconditional branch to the end of middle_bb with destination
+     * end_bb */
+    BranchInst::Create(end_bb, middle_bb);
+
+    /* replace the uncond branch with a conditional one, which depends on the
+     * new_pred icmp. True goes to end, false to the middle (injected) bb */
+    auto term = bb->getTerminator();
+    BranchInst::Create(end_bb, middle_bb, fcmp_np, bb);
+    term->eraseFromParent();
+
+    /* replace the old IcmpInst (which is the first inst in end_bb) with a PHI
+     * inst to wire up the loose ends */
+    PHINode *PN = PHINode::Create(Int1Ty, 2, "");
+    /* the first result depends on the outcome of icmp_eq */
+    PN->addIncoming(fcmp_eq, middle_bb);
+    /* if the source was the original bb we know that the icmp_np yielded true
+     * hence we can hardcode this value */
+    PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb);
+    /* replace the old IcmpInst with our new and shiny PHI inst */
+    BasicBlock::iterator ii(FcmpInst);
+    ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN);
+
+  }
+
  return true;

 }

 /* this function transforms signed compares to equivalent unsigned compares */
-bool SplitComparesTransform::simplifySignedness(Module &M) {
+bool SplitComparesTransform::simplifyIntSignedness(Module &M) {

  LLVMContext &              C = M.getContext();
  std::vector<Instruction *> icomps;
  IntegerType *              Int1Ty = IntegerType::getInt1Ty(C);

-  /* iterate over all functions, bbs and instruction and add
+  /* iterate over all functions, bbs and instructions and add
   * all signed compares to icomps vector */
  for (auto &F : M) {

@ -196,27 +286,29 @@ bool SplitComparesTransform::simplifySignedness(Module &M) {

        if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {

-          if (selectcmpInst->getPredicate() != CmpInst::ICMP_SGT &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_SLT) {
+          if (selectcmpInst->getPredicate() == CmpInst::ICMP_SGT ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_SLT) {

-            continue;
+            auto op0 = selectcmpInst->getOperand(0);
+            auto op1 = selectcmpInst->getOperand(1);
+
+            IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
+            IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
+
+            /* see above */
+            if (!intTyOp0 || !intTyOp1) { continue; }
+
+            /* i think this is not possible but to lazy to look it up */
+            if (intTyOp0->getBitWidth() != intTyOp1->getBitWidth()) {
+
+              continue;
+
+            }
+
+            icomps.push_back(selectcmpInst);

          }

-          auto op0 = selectcmpInst->getOperand(0);
-          auto op1 = selectcmpInst->getOperand(1);
-
-          IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
-          IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
-
-          /* see above */
-          if (!intTyOp0 || !intTyOp1) { continue; }
-
-          /* i think this is not possible but to lazy to look it up */
-          if (intTyOp0->getBitWidth() != intTyOp1->getBitWidth()) { continue; }
-
-          icomps.push_back(selectcmpInst);
-
        }

      }
@ -328,24 +420,43 @@ bool SplitComparesTransform::simplifySignedness(Module &M) {

 }

-/* splits icmps of size bitw into two nested icmps with bitw/2 size each */
-bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) {
+size_t SplitComparesTransform::nextPowerOfTwo(size_t in) {
+
+  --in;
+  in |= in >> 1;
+  in |= in >> 2;
+  in |= in >> 4;
+  //  in |= in >> 8;
+  //  in |= in >> 16;
+  return in + 1;
+
+}
+
+/* splits fcmps into two nested fcmps with sign compare and the rest */
+size_t SplitComparesTransform::splitFPCompares(Module &M) {
+
+  size_t count = 0;

  LLVMContext &C = M.getContext();

-  IntegerType *Int1Ty = IntegerType::getInt1Ty(C);
-  IntegerType *OldIntType = IntegerType::get(C, bitw);
-  IntegerType *NewIntType = IntegerType::get(C, bitw / 2);
+  const DataLayout &dl = M.getDataLayout();

-  std::vector<Instruction *> icomps;
+  /* define unions with floating point and (sign, exponent, mantissa)  triples
+   */
+  if (dl.isLittleEndian()) {

-  if (bitw % 2) { return false; }
+  } else if (dl.isBigEndian()) {

-  /* not supported yet */
-  if (bitw > 64) { return false; }
+  } else {

-  /* get all EQ, NE, UGT, and ULT icmps of width bitw. if the other two
-   * unctions were executed only these four predicates should exist */
+    return count;
+
+  }
+
+  std::vector<CmpInst *> fcomps;
+
+  /* get all EQ, NE, GT, and LT fcmps. if the other two
+   * functions were executed only these four predicates should exist */
  for (auto &F : M) {

    for (auto &BB : F) {
@ -356,33 +467,28 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) {

        if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {

-          if (selectcmpInst->getPredicate() != CmpInst::ICMP_EQ &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_NE &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_UGT &&
-              selectcmpInst->getPredicate() != CmpInst::ICMP_ULT) {
+          if (selectcmpInst->getPredicate() == CmpInst::FCMP_OEQ ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_ONE ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_UNE ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_UGT ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_OGT ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_ULT ||
+              selectcmpInst->getPredicate() == CmpInst::FCMP_OLT) {

-            continue;
+            auto op0 = selectcmpInst->getOperand(0);
+            auto op1 = selectcmpInst->getOperand(1);
+
+            Type *TyOp0 = op0->getType();
+            Type *TyOp1 = op1->getType();
+
+            if (TyOp0 != TyOp1) { continue; }
+
+            if (TyOp0->isArrayTy() || TyOp0->isVectorTy()) { continue; }
+
+            fcomps.push_back(selectcmpInst);

          }

-          auto op0 = selectcmpInst->getOperand(0);
-          auto op1 = selectcmpInst->getOperand(1);
-
-          IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
-          IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
-
-          if (!intTyOp0 || !intTyOp1) { continue; }
-
-          /* check if the bitwidths are the one we are looking for */
-          if (intTyOp0->getBitWidth() != bitw ||
-              intTyOp1->getBitWidth() != bitw) {
-
-            continue;
-
-          }
-
-          icomps.push_back(selectcmpInst);
-
        }

      }
@ -391,7 +497,411 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) {

  }

-  if (!icomps.size()) { return false; }
+  if (!fcomps.size()) { return count; }
+
+  IntegerType *Int1Ty = IntegerType::getInt1Ty(C);
+
+  for (auto &FcmpInst : fcomps) {
+
+    BasicBlock *bb = FcmpInst->getParent();
+
+    auto op0 = FcmpInst->getOperand(0);
+    auto op1 = FcmpInst->getOperand(1);
+
+    unsigned op_size;
+    op_size = op0->getType()->getPrimitiveSizeInBits();
+
+    if (op_size != op1->getType()->getPrimitiveSizeInBits()) { continue; }
+
+    const unsigned int sizeInBits = op0->getType()->getPrimitiveSizeInBits();
+    const unsigned int precision =
+        sizeInBits == 32
+            ? 24
+            : sizeInBits == 64
+                  ? 53
+                  : sizeInBits == 128 ? 113
+                                      : sizeInBits == 16 ? 11
+                                                         /* sizeInBits == 80 */
+                                                         : 65;
+
+    const unsigned           shiftR_exponent = precision - 1;
+    const unsigned long long mask_fraction =
+        (1ULL << (shiftR_exponent - 1)) | ((1ULL << (shiftR_exponent - 1)) - 1);
+    const unsigned long long mask_exponent =
+        (1ULL << (sizeInBits - precision)) - 1;
+
+    // round up sizes to the next power of two
+    // this should help with integer compare splitting
+    size_t exTySizeBytes = ((sizeInBits - precision + 7) >> 3);
+    size_t frTySizeBytes = ((precision - 1ULL + 7) >> 3);
+
+    IntegerType *IntExponentTy =
+        IntegerType::get(C, nextPowerOfTwo(exTySizeBytes) << 3);
+    IntegerType *IntFractionTy =
+        IntegerType::get(C, nextPowerOfTwo(frTySizeBytes) << 3);
+
+    //    errs() << "Fractions: IntFractionTy size " <<
+    //     IntFractionTy->getPrimitiveSizeInBits() << ", op_size " << op_size <<
+    //     ", mask " << mask_fraction <<
+    //     ", precision " << precision << "\n";
+
+    BasicBlock *end_bb = bb->splitBasicBlock(BasicBlock::iterator(FcmpInst));
+
+    /* create the integers from floats directly */
+    Instruction *b_op0, *b_op1;
+    b_op0 = CastInst::Create(Instruction::BitCast, op0,
+                             IntegerType::get(C, op_size));
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), b_op0);
+
+    b_op1 = CastInst::Create(Instruction::BitCast, op1,
+                             IntegerType::get(C, op_size));
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), b_op1);
+
+    /* isolate signs of value of floating point type */
+
+    /* create a 1 bit compare for the sign bit. to do this shift and trunc
+     * the original operands so only the first bit remains.*/
+    Instruction *s_s0, *t_s0, *s_s1, *t_s1, *icmp_sign_bit;
+
+    s_s0 =
+        BinaryOperator::Create(Instruction::LShr, b_op0,
+                               ConstantInt::get(b_op0->getType(), op_size - 1));
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), s_s0);
+    t_s0 = new TruncInst(s_s0, Int1Ty);
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), t_s0);
+
+    s_s1 =
+        BinaryOperator::Create(Instruction::LShr, b_op1,
+                               ConstantInt::get(b_op1->getType(), op_size - 1));
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), s_s1);
+    t_s1 = new TruncInst(s_s1, Int1Ty);
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), t_s1);
+
+    /* compare of the sign bits */
+    icmp_sign_bit =
+        CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_s0, t_s1);
+    bb->getInstList().insert(bb->getTerminator()->getIterator(), icmp_sign_bit);
+
+    /* create a new basic block which is executed if the signedness bits are
+     * equal */
+    BasicBlock *signequal_bb =
+        BasicBlock::Create(C, "signequal", end_bb->getParent(), end_bb);
+
+    BranchInst::Create(end_bb, signequal_bb);
+
+    /* create a new bb which is executed if exponents are equal */
+    BasicBlock *middle_bb =
+        BasicBlock::Create(C, "injected", end_bb->getParent(), end_bb);
+
+    BranchInst::Create(end_bb, middle_bb);
+
+    auto term = bb->getTerminator();
+    /* if the signs are different goto end_bb else to signequal_bb */
+    BranchInst::Create(signequal_bb, end_bb, icmp_sign_bit, bb);
+    term->eraseFromParent();
+
+    /* insert code for equal signs */
+
+    /* isolate the exponents */
+    Instruction *s_e0, *m_e0, *t_e0, *s_e1, *m_e1, *t_e1;
+
+    s_e0 = BinaryOperator::Create(
+        Instruction::LShr, b_op0,
+        ConstantInt::get(b_op0->getType(), shiftR_exponent));
+    s_e1 = BinaryOperator::Create(
+        Instruction::LShr, b_op1,
+        ConstantInt::get(b_op1->getType(), shiftR_exponent));
+    signequal_bb->getInstList().insert(
+        signequal_bb->getTerminator()->getIterator(), s_e0);
+    signequal_bb->getInstList().insert(
+        signequal_bb->getTerminator()->getIterator(), s_e1);
+
+    t_e0 = new TruncInst(s_e0, IntExponentTy);
+    t_e1 = new TruncInst(s_e1, IntExponentTy);
+    signequal_bb->getInstList().insert(
+        signequal_bb->getTerminator()->getIterator(), t_e0);
+    signequal_bb->getInstList().insert(
+        signequal_bb->getTerminator()->getIterator(), t_e1);
+
+    if (sizeInBits - precision < exTySizeBytes * 8) {
+
+      m_e0 = BinaryOperator::Create(
+          Instruction::And, t_e0,
+          ConstantInt::get(t_e0->getType(), mask_exponent));
+      m_e1 = BinaryOperator::Create(
+          Instruction::And, t_e1,
+          ConstantInt::get(t_e1->getType(), mask_exponent));
+      signequal_bb->getInstList().insert(
+          signequal_bb->getTerminator()->getIterator(), m_e0);
+      signequal_bb->getInstList().insert(
+          signequal_bb->getTerminator()->getIterator(), m_e1);
+
+    } else {
+
+      m_e0 = t_e0;
+      m_e1 = t_e1;
+
+    }
+
+    /* compare the exponents of the operands */
+    Instruction *icmp_exponent_result;
+    switch (FcmpInst->getPredicate()) {
+
+      case CmpInst::FCMP_OEQ:
+        icmp_exponent_result =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, m_e0, m_e1);
+        break;
+      case CmpInst::FCMP_ONE:
+      case CmpInst::FCMP_UNE:
+        icmp_exponent_result =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, m_e0, m_e1);
+        break;
+      case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
+        Instruction *icmp_exponent;
+        icmp_exponent =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, m_e0, m_e1);
+        signequal_bb->getInstList().insert(
+            signequal_bb->getTerminator()->getIterator(), icmp_exponent);
+        icmp_exponent_result =
+            BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
+        break;
+      case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
+        icmp_exponent =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, m_e0, m_e1);
+        signequal_bb->getInstList().insert(
+            signequal_bb->getTerminator()->getIterator(), icmp_exponent);
+        icmp_exponent_result =
+            BinaryOperator::Create(Instruction::Xor, icmp_exponent, t_s0);
+        break;
+      default: continue;
+
+    }
+
+    signequal_bb->getInstList().insert(
+        signequal_bb->getTerminator()->getIterator(), icmp_exponent_result);
+
+    {
+
+      auto term = signequal_bb->getTerminator();
+      /* if the exponents are different do a fraction cmp */
+      BranchInst::Create(middle_bb, end_bb, icmp_exponent_result, signequal_bb);
+      term->eraseFromParent();
+
+    }
+
+    /* isolate the mantissa aka fraction */
+    Instruction *t_f0, *t_f1;
+    bool         needTrunc = IntFractionTy->getPrimitiveSizeInBits() < op_size;
+
+    if (precision - 1 < frTySizeBytes * 8) {
+
+      Instruction *m_f0, *m_f1;
+      m_f0 = BinaryOperator::Create(
+          Instruction::And, b_op0,
+          ConstantInt::get(b_op0->getType(), mask_fraction));
+      m_f1 = BinaryOperator::Create(
+          Instruction::And, b_op1,
+          ConstantInt::get(b_op1->getType(), mask_fraction));
+      middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(),
+                                      m_f0);
+      middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(),
+                                      m_f1);
+
+      if (needTrunc) {
+
+        t_f0 = new TruncInst(m_f0, IntFractionTy);
+        t_f1 = new TruncInst(m_f1, IntFractionTy);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), t_f0);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), t_f1);
+
+      } else {
+
+        t_f0 = m_f0;
+        t_f1 = m_f1;
+
+      }
+
+    } else {
+
+      if (needTrunc) {
+
+        t_f0 = new TruncInst(b_op0, IntFractionTy);
+        t_f1 = new TruncInst(b_op1, IntFractionTy);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), t_f0);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), t_f1);
+
+      } else {
+
+        t_f0 = b_op0;
+        t_f1 = b_op1;
+
+      }
+
+    }
+
+    /* compare the fractions of the operands */
+    Instruction *icmp_fraction_result;
+    switch (FcmpInst->getPredicate()) {
+
+      case CmpInst::FCMP_OEQ:
+        icmp_fraction_result =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_EQ, t_f0, t_f1);
+        break;
+      case CmpInst::FCMP_UNE:
+      case CmpInst::FCMP_ONE:
+        icmp_fraction_result =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_NE, t_f0, t_f1);
+        break;
+      case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
+        Instruction *icmp_fraction;
+        icmp_fraction =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_UGT, t_f0, t_f1);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), icmp_fraction);
+        icmp_fraction_result =
+            BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0);
+        break;
+      case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
+        icmp_fraction =
+            CmpInst::Create(Instruction::ICmp, CmpInst::ICMP_ULT, t_f0, t_f1);
+        middle_bb->getInstList().insert(
+            middle_bb->getTerminator()->getIterator(), icmp_fraction);
+        icmp_fraction_result =
+            BinaryOperator::Create(Instruction::Xor, icmp_fraction, t_s0);
+        break;
+      default: continue;
+
+    }
+
+    middle_bb->getInstList().insert(middle_bb->getTerminator()->getIterator(),
+                                    icmp_fraction_result);
+
+    PHINode *PN = PHINode::Create(Int1Ty, 3, "");
+
+    switch (FcmpInst->getPredicate()) {
+
+      case CmpInst::FCMP_OEQ:
+        /* unequal signs cannot be equal values */
+        /* goto false branch */
+        PN->addIncoming(ConstantInt::get(Int1Ty, 0), bb);
+        /* unequal exponents cannot be equal values, too */
+        PN->addIncoming(ConstantInt::get(Int1Ty, 0), signequal_bb);
+        /* fractions comparison */
+        PN->addIncoming(icmp_fraction_result, middle_bb);
+        break;
+      case CmpInst::FCMP_ONE:
+      case CmpInst::FCMP_UNE:
+        /* unequal signs are unequal values */
+        /* goto true branch */
+        PN->addIncoming(ConstantInt::get(Int1Ty, 1), bb);
+        /* unequal exponents are unequal values, too */
+        PN->addIncoming(ConstantInt::get(Int1Ty, 1), signequal_bb);
+        /* fractions comparison */
+        PN->addIncoming(icmp_fraction_result, middle_bb);
+        break;
+      case CmpInst::FCMP_OGT:
+      case CmpInst::FCMP_UGT:
+        /* if op1 is negative goto true branch,
+           else go on comparing */
+        PN->addIncoming(t_s1, bb);
+        PN->addIncoming(icmp_exponent_result, signequal_bb);
+        PN->addIncoming(icmp_fraction_result, middle_bb);
+        break;
+      case CmpInst::FCMP_OLT:
+      case CmpInst::FCMP_ULT:
+        /* if op0 is negative goto true branch,
+           else go on comparing */
+        PN->addIncoming(t_s0, bb);
+        PN->addIncoming(icmp_exponent_result, signequal_bb);
+        PN->addIncoming(icmp_fraction_result, middle_bb);
+        break;
+      default: continue;
+
+    }
+
+    BasicBlock::iterator ii(FcmpInst);
+    ReplaceInstWithInst(FcmpInst->getParent()->getInstList(), ii, PN);
+    ++count;
+
+  }
+
+  return count;
+
+}
+
+/* splits icmps of size bitw into two nested icmps with bitw/2 size each */
+size_t SplitComparesTransform::splitIntCompares(Module &M, unsigned bitw) {
+
+  size_t count = 0;
+
+  LLVMContext &C = M.getContext();
+
+  IntegerType *Int1Ty = IntegerType::getInt1Ty(C);
+  IntegerType *OldIntType = IntegerType::get(C, bitw);
+  IntegerType *NewIntType = IntegerType::get(C, bitw / 2);
+
+  std::vector<Instruction *> icomps;
+
+  if (bitw % 2) { return 0; }
+
+  /* not supported yet */
+  if (bitw > 64) { return 0; }
+
+  /* get all EQ, NE, UGT, and ULT icmps of width bitw. if the
+   * functions simplifyCompares() and simplifyIntSignedness()
+   * were executed only these four predicates should exist */
+  for (auto &F : M) {
+
+    for (auto &BB : F) {
+
+      for (auto &IN : BB) {
+
+        CmpInst *selectcmpInst = nullptr;
+
+        if ((selectcmpInst = dyn_cast<CmpInst>(&IN))) {
+
+          if (selectcmpInst->getPredicate() == CmpInst::ICMP_EQ ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_NE ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_UGT ||
+              selectcmpInst->getPredicate() == CmpInst::ICMP_ULT) {
+
+            auto op0 = selectcmpInst->getOperand(0);
+            auto op1 = selectcmpInst->getOperand(1);
+
+            IntegerType *intTyOp0 = dyn_cast<IntegerType>(op0->getType());
+            IntegerType *intTyOp1 = dyn_cast<IntegerType>(op1->getType());
+
+            if (!intTyOp0 || !intTyOp1) { continue; }
+
+            /* check if the bitwidths are the one we are looking for */
+            if (intTyOp0->getBitWidth() != bitw ||
+                intTyOp1->getBitWidth() != bitw) {
+
+              continue;
+
+            }
+
+            icomps.push_back(selectcmpInst);
+
+          }
+
+        }
+
+      }
+
+    }
+
+  }
+
+  if (!icomps.size()) { return 0; }

  for (auto &IcmpInst : icomps) {

@ -482,7 +992,7 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) {
      /* transformations for < and > */

      /* create a basic block which checks for the inverse predicate.
-       * if this is true we can go to the end if not we have to got to the
+       * if this is true we can go to the end if not we have to go to the
       * bb which checks the lower half of the operands */
      Instruction *icmp_inv_cmp, *op0_low, *op1_low, *icmp_low;
      BasicBlock * inv_cmp_bb =
@ -529,9 +1039,11 @@ bool SplitComparesTransform::splitCompares(Module &M, unsigned bitw) {

    }

+    ++count;
+
  }

-  return true;
+  return count;

 }

@ -543,28 +1055,39 @@ bool SplitComparesTransform::runOnModule(Module &M) {
  if (!bitw_env) bitw_env = getenv("AFL_LLVM_LAF_SPLIT_COMPARES_BITW");
  if (bitw_env) { bitw = atoi(bitw_env); }

+  enableFPSplit = getenv("AFL_LLVM_LAF_SPLIT_FLOATS") != NULL;
+
  simplifyCompares(M);

-  simplifySignedness(M);
+  simplifyIntSignedness(M);

  if (getenv("AFL_QUIET") == NULL)
-    errs() << "Split-compare-pass by laf.intel@gmail.com\n";
+    errs() << "Split-compare-pass by laf.intel@gmail.com, extended by "
+              "heiko@hexco.de\n";
+
+  if (enableFPSplit)
+    errs() << "Split-floatingpoint-compare-pass: " << splitFPCompares(M)
+           << " FP comparisons splitted\n";

  switch (bitw) {

    case 64:
-      errs() << "Running split-compare-pass " << 64 << "\n";
-      splitCompares(M, 64);
+      errs() << "Split-integer-compare-pass " << bitw
+             << "bit: " << splitIntCompares(M, bitw) << " splitted\n";

+      bitw >>= 1;
      [[clang::fallthrough]]; /*FALLTHRU*/                   /* FALLTHROUGH */
    case 32:
-      errs() << "Running split-compare-pass " << 32 << "\n";
-      splitCompares(M, 32);
+      errs() << "Split-integer-compare-pass " << bitw
+             << "bit: " << splitIntCompares(M, bitw) << " splitted\n";

+      bitw >>= 1;
      [[clang::fallthrough]]; /*FALLTHRU*/                   /* FALLTHROUGH */
    case 16:
-      errs() << "Running split-compare-pass " << 16 << "\n";
-      splitCompares(M, 16);
+      errs() << "Split-integer-compare-pass " << bitw
+             << "bit: " << splitIntCompares(M, bitw) << " splitted\n";
+
+      bitw >>= 1;
      break;

    default:
--- a/python_mutators/README
+++ b/python_mutators/README
@ -1,6 +1,9 @@
 These are example and helper files for the AFL_PYTHON_MODULE feature.
 See docs/python_mutators.txt for more information

+Note that if you compile with python3.7 you must use python3 scripts, and if
+you use pyton2.7 to compile python2 scripts!
+

 example.py	- this is the template you can use, the functions are there
 		  but they are empty
--- a/qbdi_mode/README.md
+++ b/qbdi_mode/README.md
@ -0,0 +1,199 @@
+# qbdi-based binary-only instrumentation for afl-fuzz
+
+## 1) Introduction
+
+The code in ./qbdi_mode allows you to build a standalone feature that
+using the QBDI framework to fuzz android native library.
+
+
+## 2) Build
+
+First download the Android NDK
+
+```
+https://developer.android.com/ndk/downloads
+https://dl.google.com/android/repository/android-ndk-r20-linux-x86_64.zip
+```
+
+Then unzip it and build the standalone-toolchain
+For x86_64 standalone-toolchain
+
+```
+unzip android-ndk-r20-linux-x86_64.zip
+cd android-ndk-r20/
+./build/tools/make_standalone_toolchain.py --arch x86_64 --api 21 --install-dir ../android-standalone-toolchain-x86_64
+```
+
+For x86 standalone-toolchain
+
+```
+./build/tools/make_standalone_toolchain.py --arch x86 --api 21 --install-dir ../android-standalone-toolchain-x86
+```
+
+In alternative you can also use the prebuilt toolchain, in that case make sure to set the proper CC and CXX env variables because there are many different compilers for each API version in the prebuilt toolchain.
+
+For example:
+
+```
+export STANDALONE_TOOLCHAIN_PATH=~/Android/Sdk/ndk/20.1.5948944/toolchains/llvm/prebuilt/linux-x86_64/
+export CC=x86_64-linux-android21-clang
+export CXX=x86_64-linux-android21-clang++
+```
+
+Then download the QBDI SDK from website
+
+```
+https://qbdi.quarkslab.com/
+```
+
+For Android x86_64
+```
+https://github.com/QBDI/QBDI/releases/download/v0.7.0/QBDI-0.7.0-android-X86_64.tar.gz
+```
+
+Then decompress the sdk
+
+```
+mkdir android-qbdi-sdk-x86_64
+cp QBDI-0.7.0-android-X86_64.tar.gz android-qbdi-sdk-x86_64/
+cd android-qbdi-sdk-x86_64/
+tar xvf QBDI-0.7.0-android-X86_64.tar.gz
+```
+
+Now set the `STANDALONE_TOOLCHAIN_PATH` to the path of standalone-toolchain 
+
+```
+export STANDALONE_TOOLCHAIN_PATH=/home/hac425/workspace/android-standalone-toolchain-x86_64
+```
+
+set the `QBDI_SDK_PATH` to the path of QBDI SDK
+
+```
+export QBDI_SDK_PATH=/home/hac425/workspace/AFLplusplus/qbdi_mode/android-qbdi-sdk-x86_64/
+```
+
+Then run the build.sh
+
+```
+./build.sh x86_64
+```
+
+this could build the afl-fuzz and also the qbdi template for android x86_64
+
+
+### Example
+
+The demo-so.c is an vulnerable library, it has a function for test
+
+```c
+int target_func(char *buf, int size) {
+
+  printf("buffer:%p, size:%p\n", buf, size);
+  switch (buf[0]) {
+
+    case 1:
+      puts("222");
+      if (buf[1] == '\x44') {
+
+        puts("null ptr deference");
+        *(char *)(0) = 1;
+
+      }
+
+      break;
+    case 0xff:
+      if (buf[2] == '\xff') {
+
+        if (buf[1] == '\x44') {
+
+          puts("crash....");
+          *(char *)(0xdeadbeef) = 1;
+
+        }
+
+      }
+
+      break;
+    default: puts("default action"); break;
+
+  }
+
+  return 1;
+
+}
+```
+
+This could be build to `libdemo.so`.
+
+Then we should load the library in template.cpp and find the `target` function address.
+```c
+    void *handle = dlopen(lib_path, RTLD_LAZY);
+	..........................................
+	..........................................
+	..........................................
+    p_target_func = (target_func)dlsym(handle, "target_func");
+```
+
+then we read the data from file and call the function in `fuzz_func`
+
+```c
+QBDI_NOINLINE int fuzz_func() {
+
+  if (afl_setup()) { afl_forkserver(); }
+
+  /* Read the input from file */
+  unsigned long len = 0;
+  char *        data = read_file(input_pathname, &len);
+
+  /* Call the target function with the input data */
+  p_target_func(data, len);
+  return 1;
+
+}
+```
+
+Just compile it
+```
+./build.sh x86_64
+```
+
+Then push the `afl-fuzz`, `loader`, `libdemo.so`, the `libQBDI.so` from the QBDI SDK and the `libc++_shared.so` from android-standalone-toolchain to android device
+
+```
+adb push afl-fuzz /data/local/tmp
+adb push libdemo.so /data/local/tmp
+adb push loader /data/local/tmp
+adb push android-qbdi-sdk-x86_64/usr/local/lib/libQBDI.so /data/local/tmp
+adb push ../../android-standalone-toolchain-x86_64/sysroot/usr/lib/x86_64-linux-android/libc++_shared.so
+/data/local/tmp
+```
+
+In android adb shell, run the loader to test if it runs
+```
+cd /data/local/tmp
+export LD_LIBRARY_PATH=/data/local/tmp
+mkdir in
+echo 0000 > in/1
+./loader libdemo.so in/1
+p_target_func:0x716d96a98600
+	offset:0x600
+	offset:0x580
+buffer:0x716d96609050, size:0x5
+	offset:0x628
+	offset:0x646
+	offset:0x64b
+	offset:0x65c
+	offset:0x6df
+	offset:0x590
+default action
+	offset:0x6eb
+```
+
+Now run `afl-fuzz` to fuzz the demo library
+
+```
+./afl-fuzz -i in -o out -- ./loader /data/local/tmp/libdemo.so @@
+```
+
+![screen1](assets/screen1.png)
+
--- a/qbdi_mode/assets/screen1.png
+++ b/qbdi_mode/assets/screen1.png
--- a/qbdi_mode/build.sh
+++ b/qbdi_mode/build.sh
@ -0,0 +1,57 @@
+
+if [ -z ${STANDALONE_TOOLCHAIN_PATH} ]; then
+    echo "please set the android-standalone-toolchain path in STANDALONE_TOOLCHAIN_PATH environmental variable" 
+    echo "for example: "
+    echo "    export STANDALONE_TOOLCHAIN_PATH=/home/android-standalone-toolchain-21/" 
+    exit
+fi
+
+if [ -z ${QBDI_SDK_PATH} ]; then
+    echo "please set the qbdi sdk path in QBDI_SDK_PATH environmental variable" 
+    echo "for example: "
+    echo "    export QBDI_SDK_PATH=/home/QBDI-Android/" 
+    exit
+fi
+
+
+
+if [ "$1" = "x86" ]; then
+  echo "build x86 qbdi"
+  compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/"
+  if [ -z ${CC} ]; then
+      export CC=i686-linux-android-gcc
+  fi
+  if [ -z ${CXX} ]; then
+      export CXX=i686-linux-android-g++
+  fi
+elif [ "$1" = "x86_64" ]; then
+    echo "build x86_64 qbdi"
+    compiler_prefix="${STANDALONE_TOOLCHAIN_PATH}/bin/"
+    if [ -z ${CC} ]; then
+        export CC=x86_64-linux-android-gcc
+    fi
+    if [ -z ${CXX} ]; then
+        export CXX=x86_64-linux-android-g++
+    fi
+else
+    echo "usage: ./build.sh arch[x86, x86_64]"
+    exit
+fi
+
+
+CFLAGS="-I${QBDI_SDK_PATH}/usr/local/include/ -L${QBDI_SDK_PATH}/usr/local/lib/"
+
+echo "[+] Building the QBDI template"
+# build the qbdi template 
+${compiler_prefix}${CXX} -o loader template.cpp -lQBDI -ldl -w  -g ${CFLAGS}
+
+echo "[+] Building the demo library"
+# build the demo share library
+${compiler_prefix}${CC} -shared -o libdemo.so demo-so.c -w -g
+
+echo "[+] Building afl-fuzz for Android"
+# build afl-fuzz
+cd ..
+${compiler_prefix}${CC} -DANDROID_DISABLE_FANCY=1 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wno-unused-function src/afl-fuzz-misc.c src/afl-fuzz-extras.c src/afl-fuzz-queue.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-stats.c src/afl-fuzz-init.c src/afl-fuzz.c src/afl-fuzz-bitmap.c src/afl-fuzz-run.c src/afl-fuzz-globals.c src/afl-common.c src/afl-sharedmem.c src/afl-forkserver.c -o qbdi_mode/afl-fuzz  -ldl -w
+
+echo "[+] All done. Enjoy!"
--- a/qbdi_mode/demo-so.c
+++ b/qbdi_mode/demo-so.c
@ -0,0 +1,39 @@
+#include <stdio.h>
+
+// gcc -shared -o libdemo.so demo-so.c -w
+int target_func(char *buf, int size) {
+
+  printf("buffer:%p, size:%p\n", buf, size);
+  switch (buf[0]) {
+
+    case 1:
+      puts("222");
+      if (buf[1] == '\x44') {
+
+        puts("null ptr deference");
+        *(char *)(0) = 1;
+
+      }
+
+      break;
+    case 0xff:
+      if (buf[2] == '\xff') {
+
+        if (buf[1] == '\x44') {
+
+          puts("crash....");
+          *(char *)(0xdeadbeef) = 1;
+
+        }
+
+      }
+
+      break;
+    default: puts("default action"); break;
+
+  }
+
+  return 1;
+
+}
+
--- a/qbdi_mode/template.cpp
+++ b/qbdi_mode/template.cpp
@ -0,0 +1,251 @@
+#include <iostream>
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <dlfcn.h>
+
+#ifdef __ANDROID__
+#include "../include/android-ashmem.h"
+#endif
+
+#include <sys/ipc.h>
+#include <sys/shm.h>
+#include "../config.h"
+
+#include <QBDI.h>
+
+/* NeverZero */
+
+#if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
+#define INC_AFL_AREA(loc)           \
+  asm volatile(                     \
+      "incb (%0, %1, 1)\n"          \
+      "adcb $0, (%0, %1, 1)\n"      \
+      : /* no out */                \
+      : "r"(afl_area_ptr), "r"(loc) \
+      : "memory", "eax")
+#else
+#define INC_AFL_AREA(loc) afl_area_ptr[loc]++
+#endif
+
+using namespace QBDI;
+
+typedef int (*target_func)(char *buf, int size);
+
+static const size_t      STACK_SIZE = 0x100000;  // 1MB
+static const QBDI::rword FAKE_RET_ADDR = 0x40000;
+target_func              p_target_func = NULL;
+rword                    module_base = 0;
+rword                    module_end = 0;
+static unsigned char
+               dummy[MAP_SIZE]; /* costs MAP_SIZE but saves a few instructions */
+unsigned char *afl_area_ptr = NULL;           /* Exported for afl_gen_trace */
+
+unsigned long afl_prev_loc = 0;
+
+char input_pathname[PATH_MAX];
+
+/* Set up SHM region and initialize other stuff. */
+
+int afl_setup(void) {
+
+  char *id_str = getenv(SHM_ENV_VAR);
+  int   shm_id;
+  if (id_str) {
+
+    shm_id = atoi(id_str);
+    afl_area_ptr = (unsigned char *)shmat(shm_id, NULL, 0);
+    if (afl_area_ptr == (void *)-1) return 0;
+    memset(afl_area_ptr, 0, MAP_SIZE);
+
+  }
+
+  return 1;
+
+}
+
+/* Fork server logic, invoked once we hit _start. */
+static void afl_forkserver() {
+
+  static unsigned char tmp[4];
+  pid_t                child_pid;
+
+  if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
+
+  while (1) {
+
+    int status;
+    u32 was_killed;
+    // wait for afl-fuzz
+    if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);
+
+    child_pid = fork();
+    if (child_pid < 0) exit(4);
+
+    if (!child_pid) {
+
+      // child return to execute code
+      close(FORKSRV_FD);
+      close(FORKSRV_FD + 1);
+      return;
+
+    }
+
+    // write child pid to afl-fuzz
+    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5);
+
+    // wait child stop
+    if (waitpid(child_pid, &status, 0) < 0) exit(6);
+
+    // send child stop status to afl-fuzz
+    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
+
+  }
+
+}
+
+void afl_maybe_log(unsigned long cur_loc) {
+
+  if (afl_area_ptr == NULL) { return; }
+  unsigned long afl_idx = cur_loc ^ afl_prev_loc;
+  afl_idx &= MAP_SIZE - 1;
+  INC_AFL_AREA(afl_idx);
+  afl_prev_loc = cur_loc >> 1;
+
+}
+
+char *read_file(char *path, unsigned long *length) {
+
+  unsigned long len;
+  char *        buf;
+
+  FILE *fp = fopen(path, "rb");
+  fseek(fp, 0, SEEK_END);
+  len = ftell(fp);
+  buf = (char *)malloc(len);
+  rewind(fp);
+  fread(buf, 1, len, fp);
+  fclose(fp);
+  *length = len;
+  return buf;
+
+}
+
+QBDI_NOINLINE int fuzz_func() {
+
+  if (afl_setup()) { afl_forkserver(); }
+
+  unsigned long len = 0;
+  char *        data = read_file(input_pathname, &len);
+
+  // printf("In fuzz_func\n");
+  p_target_func(data, len);
+  return 1;
+
+}
+
+static QBDI::VMAction bbcallback(QBDI::VMInstanceRef  vm,
+                                 const QBDI::VMState *state,
+                                 QBDI::GPRState *     gprState,
+                                 QBDI::FPRState *fprState, void *data) {
+
+  // errno = SAVED_ERRNO;
+
+#ifdef __x86_64__
+  unsigned long pc = gprState->rip;
+#elif defined(i386)
+  unsigned long pc = gprState->eip;
+#elif defined(__arm__)
+  unsigned long pc = gprState->pc;
+#endif
+
+  // just log the module path
+  if (pc >= module_base && pc <= module_end) {
+
+    unsigned long offset = pc - module_base;
+    printf("\toffset:%p\n", offset);
+    afl_maybe_log(offset);
+
+  }
+
+  return QBDI::VMAction::CONTINUE;
+
+}
+
+int main(int argc, char **argv) {
+
+  if (argc < 3) {
+
+    puts("usage: ./loader library_path input_file_path");
+    exit(0);
+
+  }
+
+  const char *lib_path;
+  lib_path = argv[1];
+  strcpy(input_pathname, argv[2]);
+  void *handle = dlopen(lib_path, RTLD_LAZY);
+
+  if (handle == nullptr) {
+
+    perror("Cannot load library");
+    exit(EXIT_FAILURE);
+
+  }
+
+  const char *lib_name = lib_path;
+  if (strrchr(lib_name, '/') != nullptr) lib_name = strrchr(lib_name, '/') + 1;
+
+  // printf("library name:%s\n", lib_name);
+  // load library module address for log path
+  for (MemoryMap &map : getCurrentProcessMaps()) {
+
+    // printf("module:%s\n", map.name.c_str());
+    if ((map.permission & PF_EXEC) &&
+        strstr(map.name.c_str(), lib_name) != NULL) {
+
+      module_base = map.range.start;
+      module_end = map.range.end;
+
+    }
+
+  }
+
+  if (module_base == 0) {
+
+    std::cerr << "Fail to find base address" << std::endl;
+    return -1;
+
+  }
+
+  // printf("module base:%p, module end:%p\n", module_base, module_end);
+  p_target_func = (target_func)dlsym(handle, "target_func");
+  // p_target_func = (target_func)(module_base + 0x61a);
+  printf("p_target_func:%p\n", p_target_func);
+
+  VM       vm;
+  uint8_t *fakestack = nullptr;
+
+  GPRState *state = vm.getGPRState();
+  allocateVirtualStack(state, STACK_SIZE, &fakestack);
+  vm.addInstrumentedModuleFromAddr(module_base);
+  vm.addInstrumentedModuleFromAddr((rword)&main);
+
+  vm.addVMEventCB(BASIC_BLOCK_ENTRY, bbcallback, nullptr);
+
+  // QBDI::simulateCall(state, FAKE_RET_ADDR);
+  // vm.run((rword)&fuzz_func, (rword)FAKE_RET_ADDR);
+
+  rword ret;
+  vm.call(&ret, (rword)&fuzz_func, {});
+
+  return 0;
+
+}
+
--- a/qemu_mode/README.md
+++ b/qemu_mode/README.md
@ -19,7 +19,7 @@ Andrea Fioraldi. Special thanks to abiondo that re-enabled TCG chaining.

 ## 2) How to use

-The feature is implemented with a patch to QEMU 3.1.0. The simplest way
+The feature is implemented with a patch to QEMU 3.1.1. The simplest way
 to build it is to run ./build_qemu_support.sh. The script will download,
 configure, and compile the QEMU binary for you.

@ -38,32 +38,94 @@ to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this.
 In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
 you should get a build capable of running non-native binaries (say, you
 can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
-on a 64-bit system (CPU_TARGET=i386).
+on a 64-bit system (CPU_TARGET=i386). If you're trying to run QEMU on a
+different architecture you can also set HOST to the cross-compiler prefix
+to use (for example HOST=arm-linux-gnueabi to use arm-linux-gnueabi-gcc).
+
+You can also compile statically-linked binaries by setting STATIC=1. This
+can be useful when compiling QEMU on a different system than the one you're
+planning to run the fuzzer on and is most often used with the HOST variable.
+
+Note: when targetting the i386 architecture, on some bianries the forkserver
+handshake may fail due to the lack of reversed memory. Fix it with
+
+export QEMU_RESERVED_VA=0x1000000

 Note: if you want the QEMU helper to be installed on your system for all
 users, you need to build it before issuing 'make install' in the parent
 directory.

-## 3) Options
+If you want to specify a different path for libraries (e.g. to run an arm64
+binary on x86_64) use QEMU_LD_PREFIX.

-There is ./libcompcov/ which implements laf-intel (splitting memcmp,
-strncmp, etc. to make these conditions easier solvable by afl-fuzz).
-Highly recommended.
+## 3) Bonus feature #1: deferred initialization

-The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL.
-AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
-values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all
-comparison instructions and memory comparison functions when libcompcov
-is preloaded. Comparison instructions are currently instrumented only
-on the x86 and x86_64 targets.
+As for LLVM mode (refer to its README for mode details) QEMU mode supports
+the deferred initialization.

-Another option is the environment variable AFL_ENTRYPOINT which allows
-move the forkserver to a different part, e.g. just before the file is
-opened (e.g. way after command line parsing and config file loading, etc)
+This can be enabled setting the environment variable AFL_ENTRYPOINT which allows
+to move the forkserver to a different part, e.g. just before the file is
+opened (e.g. way after command line parsing and config file loading, etc.)
 which can be a huge speed improvement. Note that the specified address
 must be an address of a basic block.

-## 4) Notes on linking
+## 4) Bonus feature #2: persistent mode
+
+QEMU mode supports also persistent mode for x86 and x86_64 targets.
+The environment variable to enable it is AFL_QEMU_PERSISTENT_ADDR=`start addr`.
+In this variable you must specify the address of the function that
+has to be the body of the persistent loop.
+The code in this function must be stateless like in the LLVM persistent mode.
+The return address on stack is patched like in WinAFL in order to repeat the
+execution of such function.
+Another modality to execute the persistent loop is to specify also the
+AFL_QEMU_PERSISTENT_RET=`end addr` env variable.
+With this variable assigned, instead of patching the return address, the
+specified instruction is transformed to a jump towards `start addr`.
+Note that the format of the addresses in such variables is hex.
+
+Note that the base address of PIE binaries in QEMU user mode is 0x4000000000.
+
+With the env variable AFL_QEMU_PERSISTENT_GPR you can tell QEMU to save the
+original value of general purpose registers and restore them in each cycle.
+This allows to use as persistent loop functions that make use of arguments on 
+x86_64.
+
+With AFL_QEMU_PERSISTENT_RETADDR_OFFSET you can specify the offset from the
+stack pointer in which QEMU can find the return address when `start addr` is
+hitted.
+
+Use this mode with caution, probably it will not work at the first shot.
+
+## 5) Bonus feature #3: CompareCoverage
+
+CompareCoverage is a sub-instrumentation with effects similar to laf-intel.
+
+The option that enables QEMU CompareCoverage is AFL_COMPCOV_LEVEL.
+There is also ./libcompcov/ which implements CompareCoverage for *cmp functions
+(splitting memcmp, strncmp, etc. to make these conditions easier solvable by
+afl-fuzz).
+AFL_COMPCOV_LEVEL=1 is to instrument comparisons with only immediate
+values / read-only memory. AFL_COMPCOV_LEVEL=2 instruments all
+comparison instructions and memory comparison functions when libcompcov
+is preloaded.
+AFL_COMPCOV_LEVEL=3 has the same effects of AFL_COMPCOV_LEVEL=2 but enables also
+the instrumentation of the floating-point comparisons on x86 and x86_64 (experimental).
+
+Integer comparison instructions are currently instrumented only
+on the x86, x86_64 and ARM targets.
+
+Highly recommended.
+
+## 6) Bonus feature #4: Wine mode
+
+AFL++ QEMU can use Wine to fuzz WIn32 PE binaries. Use the -W flag of afl-fuzz.
+
+Note that some binaries require user interaction with the GUI and must be patched.
+
+For examples look [here](https://github.com/andreafioraldi/WineAFLplusplusDEMO).
+
+## 7) Notes on linking

 The feature is supported only on Linux. Supporting BSD may amount to porting
 the changes made to linux-user/elfload.c and applying them to
@ -84,7 +146,7 @@ practice, this means two things:
 Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
 and instrument every basic block encountered.

-## 5) Benchmarking
+## 8) Benchmarking

 If you want to compare the performance of the QEMU instrumentation with that of
 afl-gcc compiled code against the same target, you need to build the
@ -99,7 +161,7 @@ Comparative measurements of execution speed or instrumentation coverage will be
 fairly meaningless if the optimization levels or instrumentation scopes don't
 match.

-## 6) Gotchas, feedback, bugs
+## 9) Gotchas, feedback, bugs

 If you need to fix up checksums or do other cleanup on mutated test cases, see
 experimental/post_library/ for a viable solution.
@ -120,7 +182,7 @@ with -march=core2, can help.
 Beyond that, this is an early-stage mechanism, so fields reports are welcome.
 You can send them to <afl-users@googlegroups.com>.

-## 7) Alternatives: static rewriting
+## 10) Alternatives: static rewriting

 Statically rewriting binaries just once, instead of attempting to translate
 them at run time, can be a faster alternative. That said, static rewriting is
@ -132,6 +194,6 @@ The best implementation is this one:
  https://github.com/vanhauser-thc/afl-dyninst

 The issue however is Dyninst which is not rewriting the binaries so that
-they run stable. a lot of crashes happen, especially in C++ programs that
+they run stable. A lot of crashes happen, especially in C++ programs that
 use throw/catch. Try it first, and if it works for you be happy as it is
 2-3x as fast as qemu_mode.
--- a/qemu_mode/build_qemu_support.sh
+++ b/qemu_mode/build_qemu_support.sh
@ -4,12 +4,12 @@
 # --------------------------------------
 #
 # Originally written by Andrew Griffiths <agriffiths@google.com> and
-#                       Michal Zalewski <lcamtuf@google.com>
+#                       Michal Zalewski
 #
 # TCG instrumentation and block chaining support by Andrea Biondo
 #                                    <andrea.biondo965@gmail.com>
 #
-# QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
+# QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero
 # counters by Andrea Fioraldi <andreafioraldi@gmail.com>
 #
 # Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
@ -30,9 +30,9 @@
 #


-VERSION="3.1.0"
+VERSION="3.1.1"
 QEMU_URL="http://download.qemu-project.org/qemu-${VERSION}.tar.xz"
-QEMU_SHA384="0318f2b5a36eafbf17bca0f914567dfa5e8a3cd6ff83bb46fe49a0079cd71ddd3ec4267c6c62a03f9e26e05cc80e6d4b"
+QEMU_SHA384="28ff22ec4b8c957309460aa55d0b3188e971be1ea7dfebfb2ecc7903cd20cfebc2a7c97eedfcc7595f708357f1623f8b"

 echo "================================================="
 echo "AFL binary-only instrumentation QEMU build script"
@ -44,7 +44,7 @@ echo "[*] Performing basic sanity checks..."
 if [ ! "`uname -s`" = "Linux" ]; then

  echo "[-] Error: QEMU instrumentation is supported only on Linux."
-  exit 1
+  exit 0

 fi

@ -100,7 +100,10 @@ if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then

  echo "[*] Downloading QEMU ${VERSION} from the web..."
  rm -f "$ARCHIVE"
-  wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1
+  OK=
+  while [ -z "$OK" ]; do
+    wget -c -O "$ARCHIVE" -- "$QEMU_URL" && OK=1
+  done

  CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`

@ -125,6 +128,13 @@ tar xf "$ARCHIVE" || exit 1

 echo "[+] Unpacking successful."

+if [ -n "$HOST" ]; then
+  echo "[+] Configuring host architecture to $HOST..."
+  CROSS_PREFIX=$HOST-
+else
+  CROSS_PREFIX=
+fi
+
 echo "[*] Configuring QEMU for $CPU_TARGET..."

 ORIG_CPU_TARGET="$CPU_TARGET"
@ -142,15 +152,37 @@ patch -p1 <../patches/syscall.diff || exit 1
 patch -p1 <../patches/translate-all.diff || exit 1
 patch -p1 <../patches/tcg.diff || exit 1
 patch -p1 <../patches/i386-translate.diff || exit 1
+patch -p1 <../patches/arm-translate.diff || exit 1
+patch -p1 <../patches/i386-ops_sse.diff || exit 1
+patch -p1 <../patches/i386-fpu_helper.diff || exit 1
+patch -p1 <../patches/softfloat.diff || exit 1

 echo "[+] Patching done."

-# --enable-pie seems to give a couple of exec's a second performance
-# improvement, much to my surprise. Not sure how universal this is..
+if [ "$STATIC" = "1" ]; then

-CFLAGS="-O3 -ggdb" ./configure --disable-system \
-  --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
-  --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm || exit 1
+  CFLAGS="-O3 -ggdb" ./configure --disable-bsd-user --disable-guest-agent --disable-strip --disable-werror \
+	  --disable-gcrypt --disable-debug-info --disable-debug-tcg --disable-tcg-interpreter \
+	  --enable-attr --disable-brlapi --disable-linux-aio --disable-bzip2 --disable-bluez --disable-cap-ng \
+	  --disable-curl --disable-fdt --disable-glusterfs --disable-gnutls --disable-nettle --disable-gtk \
+	  --disable-rdma --disable-libiscsi --disable-vnc-jpeg --enable-kvm --disable-lzo --disable-curses \
+	  --disable-libnfs --disable-numa --disable-opengl --disable-vnc-png --disable-rbd --disable-vnc-sasl \
+	  --disable-sdl --disable-seccomp --disable-smartcard --disable-snappy --disable-spice --disable-libssh2 \
+	  --disable-libusb --disable-usb-redir --disable-vde --disable-vhost-net --disable-virglrenderer \
+	  --disable-virtfs --disable-vnc --disable-vte --disable-xen --disable-xen-pci-passthrough --disable-xfsctl \
+	  --enable-linux-user --disable-system --disable-blobs --disable-tools \
+	  --target-list="${CPU_TARGET}-linux-user" --static --disable-pie --cross-prefix=$CROSS_PREFIX || exit 1
+
+else
+
+  # --enable-pie seems to give a couple of exec's a second performance
+  # improvement, much to my surprise. Not sure how universal this is..
+  
+  CFLAGS="-O3 -ggdb" ./configure --disable-system \
+    --enable-linux-user --disable-gtk --disable-sdl --disable-vnc \
+    --target-list="${CPU_TARGET}-linux-user" --enable-pie --enable-kvm $CROSS_PREFIX || exit 1
+
+fi

 echo "[+] Configuration complete."

@ -211,8 +243,9 @@ else
 fi

 echo "[+] Building libcompcov ..."
-make -C libcompcov
-echo "[+] libcompcov ready"
+make -C libcompcov && echo "[+] libcompcov ready"
+echo "[+] Building unsigaction ..."
+make -C unsigaction && echo "[+] unsigaction ready"
 echo "[+] All done for qemu_mode, enjoy!"

 exit 0
--- a/qemu_mode/libcompcov/Makefile
+++ b/qemu_mode/libcompcov/Makefile
@ -22,7 +22,7 @@ CFLAGS      ?= -O3 -funroll-loops -I ../../include/
 CFLAGS      += -Wall -Wno-unused-result -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
 LDFLAGS     += -ldl

-all: libcompcov.so compcovtest
+all: libcompcov.so

 libcompcov.so: libcompcov.so.c ../../config.h
 	$(CC) $(CFLAGS) -shared -fPIC $< -o ../../$@ $(LDFLAGS)
@ -34,7 +34,7 @@ clean:
 	rm -f ../../libcompcov.so compcovtest

 compcovtest:	compcovtest.cc
-	$(CXX) $< -o $@ 
+	$(CXX) -std=c++11 $< -o $@ 

 install: all
 	install -m 755 ../../libcompcov.so $${DESTDIR}$(HELPER_PATH)
--- a/qemu_mode/libcompcov/libcompcov.so.c
+++ b/qemu_mode/libcompcov/libcompcov.so.c
@ -19,13 +19,16 @@

 */

+#ifndef _GNU_SOURCE
 #define _GNU_SOURCE
+#endif
 #include <dlfcn.h>
 #include <stdio.h>
 #include <string.h>
 #include <ctype.h>
 #include <sys/types.h>
 #include <sys/shm.h>
+#include <stdbool.h>

 #include "types.h"
 #include "config.h"
@ -148,6 +151,7 @@ static void __compcov_load(void) {

    __compcov_ro[__compcov_ro_cnt].st = maps_tmp->addr_start;
    __compcov_ro[__compcov_ro_cnt].en = maps_tmp->addr_end;
+    ++__compcov_ro_cnt;

  }

@ -334,6 +338,146 @@ int memcmp(const void* mem1, const void* mem2, size_t len) {

 }

+// TODO bcmp
+
+/* Common libraries wrappers (from honggfuzz) */
+
+/*
+ * Apache's httpd wrappers
+ */
+int ap_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int ap_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+int apr_cstr_casecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int apr_cstr_casecmpn(const char* s1, const char* s2, size_t n) {
+
+  return strncasecmp(s1, s2, n);
+
+}
+
+/*
+ * *SSL wrappers
+ */
+int CRYPTO_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_memcmp(const void* m1, const void* m2, size_t len) {
+
+  return memcmp(m1, m2, len);
+
+}
+
+int OPENSSL_strcasecmp(const char* s1, const char* s2) {
+
+  return strcasecmp(s1, s2);
+
+}
+
+int OPENSSL_strncasecmp(const char* s1, const char* s2, size_t len) {
+
+  return strncasecmp(s1, s2, len);
+
+}
+
+int32_t memcmpct(const void* s1, const void* s2, size_t len) {
+
+  return memcmp(s1, s2, len);
+
+}
+
+/*
+ * libXML wrappers
+ */
+int xmlStrncmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncmp(s1, s2, (size_t)len);
+
+}
+
+int xmlStrcmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcmp(s1, s2);
+
+}
+
+int xmlStrEqual(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 1; }
+  if (s1 == NULL) { return 0; }
+  if (s2 == NULL) { return 0; }
+  if (strcmp(s1, s2) == 0) { return 1; }
+  return 0;
+
+}
+
+int xmlStrcasecmp(const char* s1, const char* s2) {
+
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strcasecmp(s1, s2);
+
+}
+
+int xmlStrncasecmp(const char* s1, const char* s2, int len) {
+
+  if (len <= 0) { return 0; }
+  if (s1 == s2) { return 0; }
+  if (s1 == NULL) { return -1; }
+  if (s2 == NULL) { return 1; }
+  return strncasecmp(s1, s2, (size_t)len);
+
+}
+
+const char* xmlStrcasestr(const char* haystack, const char* needle) {
+
+  if (haystack == NULL) { return NULL; }
+  if (needle == NULL) { return NULL; }
+  return strcasestr(haystack, needle);
+
+}
+
+/*
+ * Samba wrappers
+ */
+int memcmp_const_time(const void* s1, const void* s2, size_t n) {
+
+  return memcmp(s1, s2, n);
+
+}
+
+bool strcsequal(const void* s1, const void* s2) {
+
+  if (s1 == s2) { return true; }
+  if (!s1 || !s2) { return false; }
+  return (strcmp(s1, s2) == 0);
+
+}
+
 /* Init code to open init the library. */

 __attribute__((constructor)) void __compcov_init(void) {
--- a/qemu_mode/patches/afl-qemu-common.h
+++ b/qemu_mode/patches/afl-qemu-common.h
@ -3,12 +3,12 @@
   -------------------------------------------------------------------

   Originally written by Andrew Griffiths <agriffiths@google.com> and
-                         Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski

   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>

-   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
+   QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero
   counters by Andrea Fioraldi <andreafioraldi@gmail.com>

   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
@ -31,8 +31,17 @@

 */

+#ifndef __AFL_QEMU_COMMON
+#define __AFL_QEMU_COMMON
+
 #include "../../config.h"

+#ifndef CPU_NB_REGS
+#define AFL_REGS_NUM 1000
+#else
+#define AFL_REGS_NUM CPU_NB_REGS
+#endif
+
 /* NeverZero */

 #if (defined(__x86_64__) || defined(__i386__)) && defined(AFL_QEMU_NOT_ZERO)
@ -47,3 +56,58 @@
 #define INC_AFL_AREA(loc) afl_area_ptr[loc]++
 #endif

+/* Declared in afl-qemu-cpu-inl.h */
+
+extern unsigned char *afl_area_ptr;
+extern unsigned int   afl_inst_rms;
+extern abi_ulong      afl_start_code, afl_end_code;
+extern abi_ulong      afl_persistent_addr;
+extern abi_ulong      afl_persistent_ret_addr;
+extern u8             afl_compcov_level;
+extern unsigned char  afl_fork_child;
+extern unsigned char  is_persistent;
+extern target_long    persistent_stack_offset;
+extern unsigned char  persistent_first_pass;
+extern unsigned char  persistent_save_gpr;
+extern target_ulong   persistent_saved_gpr[AFL_REGS_NUM];
+extern int            persisent_retaddr_offset;
+
+extern __thread abi_ulong afl_prev_loc;
+
+void afl_debug_dump_saved_regs();
+
+void afl_persistent_loop();
+
+void tcg_gen_afl_call0(void *func);
+void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc, TCGv arg1,
+                                  TCGv arg2);
+
+void tcg_gen_afl_maybe_log_call(target_ulong cur_loc);
+
+void afl_float_compcov_log_32(target_ulong cur_loc, float32 arg1, float32 arg2,
+                              void *status);
+void afl_float_compcov_log_64(target_ulong cur_loc, float64 arg1, float64 arg2,
+                              void *status);
+void afl_float_compcov_log_80(target_ulong cur_loc, floatx80 arg1,
+                              floatx80 arg2);
+
+/* Check if an address is valid in the current mapping */
+
+static inline int is_valid_addr(target_ulong addr) {
+
+  int          l, flags;
+  target_ulong page;
+  void *       p;
+
+  page = addr & TARGET_PAGE_MASK;
+  l = (page + TARGET_PAGE_SIZE) - addr;
+
+  flags = page_get_flags(page);
+  if (!(flags & PAGE_VALID) || !(flags & PAGE_READ)) return 0;
+
+  return 1;
+
+}
+
+#endif
+
--- a/qemu_mode/patches/afl-qemu-cpu-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-inl.h
@ -3,12 +3,12 @@
   -------------------------------------------------------------------

   Originally written by Andrew Griffiths <agriffiths@google.com> and
-                         Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski

   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>

-   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
+   QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero
   counters by Andrea Fioraldi <andreafioraldi@gmail.com>

   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
@ -21,7 +21,7 @@
     http://www.apache.org/licenses/LICENSE-2.0

   This code is a shim patched into the separately-distributed source
-   code of QEMU 3.1.0. It leverages the built-in QEMU tracing functionality
+   code of QEMU 3.1.1. It leverages the built-in QEMU tracing functionality
   to implement AFL-style instrumentation and to take care of the remaining
   parts of the AFL fork server logic.

@ -33,6 +33,9 @@

 #include <sys/shm.h>
 #include "../../config.h"
+#include "afl-qemu-common.h"
+
+#define PERSISTENT_DEFAULT_MAX_CNT 1000

 /***************************
 * VARIOUS AUXILIARY STUFF *
@ -71,13 +74,26 @@ abi_ulong afl_entry_point,                      /* ELF entry point (_start) */
    afl_start_code,                             /* .text start pointer      */
    afl_end_code;                               /* .text end pointer        */

+abi_ulong    afl_persistent_addr, afl_persistent_ret_addr;
+unsigned int afl_persistent_cnt;
+
 u8 afl_compcov_level;

+__thread abi_ulong afl_prev_loc;
+
 /* Set in the child process in forkserver mode: */

-static int           forkserver_installed = 0;
-static unsigned char afl_fork_child;
-unsigned int         afl_forksrv_pid;
+static int forkserver_installed = 0;
+static int disable_caching = 0;
+
+unsigned char afl_fork_child;
+unsigned int  afl_forksrv_pid;
+unsigned char is_persistent;
+target_long   persistent_stack_offset;
+unsigned char persistent_first_pass = 1;
+unsigned char persistent_save_gpr;
+target_ulong  persistent_saved_gpr[AFL_REGS_NUM];
+int           persisent_retaddr_offset;

 /* Instrumentation ratio: */

@ -173,6 +189,11 @@ static void afl_setup(void) {

  }

+  if (getenv("AFL_CODE_START"))
+    afl_start_code = strtoll(getenv("AFL_CODE_START"), NULL, 16);
+  if (getenv("AFL_CODE_END"))
+    afl_end_code = strtoll(getenv("AFL_CODE_END"), NULL, 16);
+
  /* Maintain for compatibility */
  if (getenv("AFL_QEMU_COMPCOV")) { afl_compcov_level = 1; }
  if (getenv("AFL_COMPCOV_LEVEL")) {
@ -187,6 +208,45 @@ static void afl_setup(void) {

  rcu_disable_atfork();

+  disable_caching = getenv("AFL_QEMU_DISABLE_CACHE") != NULL;
+
+  is_persistent = getenv("AFL_QEMU_PERSISTENT_ADDR") != NULL;
+
+  if (is_persistent) {
+
+    afl_persistent_addr = strtoll(getenv("AFL_QEMU_PERSISTENT_ADDR"), NULL, 0);
+    if (getenv("AFL_QEMU_PERSISTENT_RET"))
+      afl_persistent_ret_addr =
+          strtoll(getenv("AFL_QEMU_PERSISTENT_RET"), NULL, 0);
+    /* If AFL_QEMU_PERSISTENT_RET is not specified patch the return addr */
+
+  }
+
+  if (getenv("AFL_QEMU_PERSISTENT_GPR")) persistent_save_gpr = 1;
+
+  if (getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"))
+    persisent_retaddr_offset =
+        strtoll(getenv("AFL_QEMU_PERSISTENT_RETADDR_OFFSET"), NULL, 0);
+
+  if (getenv("AFL_QEMU_PERSISTENT_CNT"))
+    afl_persistent_cnt = strtoll(getenv("AFL_QEMU_PERSISTENT_CNT"), NULL, 0);
+  else
+    afl_persistent_cnt = PERSISTENT_DEFAULT_MAX_CNT;
+
+}
+
+static void print_mappings(void) {
+
+  u8    buf[MAX_LINE];
+  FILE *f = fopen("/proc/self/maps", "r");
+
+  if (!f) return;
+
+  while (fgets(buf, MAX_LINE, f))
+    printf("%s", buf);
+
+  fclose(f);
+
 }

 /* Fork server logic, invoked once we hit _start. */
@ -197,8 +257,15 @@ static void afl_forkserver(CPUState *cpu) {

  if (forkserver_installed == 1) return;
  forkserver_installed = 1;
+
+  if (getenv("AFL_QEMU_DEBUG_MAPS")) print_mappings();
+
  // if (!afl_area_ptr) return; // not necessary because of fixed dummy buffer

+  pid_t child_pid;
+  int   t_fd[2];
+  u8    child_stopped = 0;
+
  /* Tell the parent that we're alive. If the parent doesn't want
     to talk, assume that we're not running in forkserver mode. */

@ -210,38 +277,63 @@ static void afl_forkserver(CPUState *cpu) {

  while (1) {

-    pid_t child_pid;
-    int   status, t_fd[2];
+    int status;
+    u32 was_killed;

    /* Whoops, parent dead? */

-    if (read(FORKSRV_FD, tmp, 4) != 4) exit(2);
+    if (read(FORKSRV_FD, &was_killed, 4) != 4) exit(2);

-    /* Establish a channel with child to grab translation commands. We'll
+    /* If we stopped the child in persistent mode, but there was a race
+       condition and afl-fuzz already issued SIGKILL, write off the old
+       process. */
+
+    if (child_stopped && was_killed) {
+
+      child_stopped = 0;
+      if (waitpid(child_pid, &status, 0) < 0) exit(8);
+
+    }
+
+    if (!child_stopped) {
+
+      /* Establish a channel with child to grab translation commands. We'll
       read from t_fd[0], child will write to TSL_FD. */

-    if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
-    close(t_fd[1]);
+      if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
+      close(t_fd[1]);

-    child_pid = fork();
-    if (child_pid < 0) exit(4);
+      child_pid = fork();
+      if (child_pid < 0) exit(4);

-    if (!child_pid) {
+      if (!child_pid) {

-      /* Child process. Close descriptors and run free. */
+        /* Child process. Close descriptors and run free. */

-      afl_fork_child = 1;
-      close(FORKSRV_FD);
-      close(FORKSRV_FD + 1);
-      close(t_fd[0]);
-      return;
+        afl_fork_child = 1;
+        close(FORKSRV_FD);
+        close(FORKSRV_FD + 1);
+        close(t_fd[0]);
+        return;
+
+      }
+
+      /* Parent. */
+
+      close(TSL_FD);
+
+    } else {
+
+      /* Special handling for persistent mode: if the child is alive but
+         currently stopped, simply restart it with SIGCONT. */
+
+      kill(child_pid, SIGCONT);
+      child_stopped = 0;

    }

    /* Parent. */

-    close(TSL_FD);
-
    if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5);

    /* Collect translation requests until child dies and closes the pipe. */
@ -250,13 +342,81 @@ static void afl_forkserver(CPUState *cpu) {

    /* Get and relay exit status to parent. */

-    if (waitpid(child_pid, &status, 0) < 0) exit(6);
+    if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0) exit(6);
+
+    /* In persistent mode, the child stops itself with SIGSTOP to indicate
+       a successful run. In this case, we want to wake it up without forking
+       again. */
+
+    if (WIFSTOPPED(status)) child_stopped = 1;
+
    if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);

  }

 }

+/* A simplified persistent mode handler, used as explained in README.llvm. */
+
+void afl_persistent_loop() {
+
+  static u32            cycle_cnt;
+  static struct afl_tsl exit_cmd_tsl = {{-1, 0, 0, 0}, NULL};
+
+  if (!afl_fork_child) return;
+
+  if (persistent_first_pass) {
+
+    /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
+       On subsequent calls, the parent will take care of that, but on the first
+       iteration, it's our job to erase any trace of whatever happened
+       before the loop. */
+
+    if (is_persistent) {
+
+      memset(afl_area_ptr, 0, MAP_SIZE);
+      afl_area_ptr[0] = 1;
+      afl_prev_loc = 0;
+
+    }
+
+    cycle_cnt = afl_persistent_cnt;
+    persistent_first_pass = 0;
+    persistent_stack_offset = TARGET_LONG_BITS / 8;
+
+    return;
+
+  }
+
+  if (is_persistent) {
+
+    if (--cycle_cnt) {
+
+      if (write(TSL_FD, &exit_cmd_tsl, sizeof(struct afl_tsl)) !=
+          sizeof(struct afl_tsl)) {
+
+        /* Exit the persistent loop on pipe error */
+        afl_area_ptr = dummy;
+        exit(0);
+
+      }
+
+      raise(SIGSTOP);
+
+      afl_area_ptr[0] = 1;
+      afl_prev_loc = 0;
+
+    } else {
+
+      afl_area_ptr = dummy;
+      exit(0);
+
+    }
+
+  }
+
+}
+
 /* This code is invoked whenever QEMU decides that it doesn't have a
   translation of a particular block and needs to compute it, or when it
   decides to chain two TBs together. When this happens, we tell the parent to
@ -266,6 +426,8 @@ static void afl_request_tsl(target_ulong pc, target_ulong cb, uint32_t flags,
                            uint32_t cf_mask, TranslationBlock *last_tb,
                            int tb_exit) {

+  if (disable_caching) return;
+
  struct afl_tsl   t;
  struct afl_chain c;

@ -295,24 +457,6 @@ static void afl_request_tsl(target_ulong pc, target_ulong cb, uint32_t flags,

 }

-/* Check if an address is valid in the current mapping */
-
-static inline int is_valid_addr(target_ulong addr) {
-
-  int          l, flags;
-  target_ulong page;
-  void *       p;
-
-  page = addr & TARGET_PAGE_MASK;
-  l = (page + TARGET_PAGE_SIZE) - addr;
-
-  flags = page_get_flags(page);
-  if (!(flags & PAGE_VALID) || !(flags & PAGE_READ)) return 0;
-
-  return 1;
-
-}
-
 /* This is the other side of the same channel. Since timeouts are handled by
   afl-fuzz simply killing the child, we can just wait until the pipe breaks. */

@ -330,6 +474,10 @@ static void afl_wait_tsl(CPUState *cpu, int fd) {

    if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl)) break;

+    /* Exit command for persistent */
+
+    if (t.tb.pc == (target_ulong)(-1)) return;
+
    tb = tb_htable_lookup(cpu, t.tb.pc, t.tb.cs_base, t.tb.flags, t.tb.cf_mask);

    if (!tb) {
--- a/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
+++ b/qemu_mode/patches/afl-qemu-cpu-translate-inl.h
@ -3,12 +3,12 @@
   -------------------------------------------------------------------

   Originally written by Andrew Griffiths <agriffiths@google.com> and
-                         Michal Zalewski <lcamtuf@google.com>
+                         Michal Zalewski

   TCG instrumentation and block chaining support by Andrea Biondo
                                      <andrea.biondo965@gmail.com>

-   QEMU 3.1.0 port, TCG thread-safety, CompareCoverage and NeverZero
+   QEMU 3.1.1 port, TCG thread-safety, CompareCoverage and NeverZero
   counters by Andrea Fioraldi <andreafioraldi@gmail.com>

   Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
@ -35,32 +35,27 @@
 #include "tcg.h"
 #include "tcg-op.h"

-/* Declared in afl-qemu-cpu-inl.h */
-extern unsigned char *afl_area_ptr;
-extern unsigned int   afl_inst_rms;
-extern abi_ulong      afl_start_code, afl_end_code;
-extern u8             afl_compcov_level;
-
-void tcg_gen_afl_compcov_log_call(void *func, target_ulong cur_loc,
-                                  TCGv_i64 arg1, TCGv_i64 arg2);
-
 static void afl_compcov_log_16(target_ulong cur_loc, target_ulong arg1,
                               target_ulong arg2) {

-  if ((arg1 & 0xff) == (arg2 & 0xff)) { INC_AFL_AREA(cur_loc); }
+  register uintptr_t idx = cur_loc;
+
+  if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }

 }

 static void afl_compcov_log_32(target_ulong cur_loc, target_ulong arg1,
                               target_ulong arg2) {

-  if ((arg1 & 0xff) == (arg2 & 0xff)) {
+  register uintptr_t idx = cur_loc;

-    INC_AFL_AREA(cur_loc);
-    if ((arg1 & 0xffff) == (arg2 & 0xffff)) {
+  if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {

-      INC_AFL_AREA(cur_loc + 1);
-      if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) { INC_AFL_AREA(cur_loc + 2); }
+    INC_AFL_AREA(idx + 2);
+    if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {
+
+      INC_AFL_AREA(idx + 1);
+      if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }

    }

@ -71,29 +66,27 @@ static void afl_compcov_log_32(target_ulong cur_loc, target_ulong arg1,
 static void afl_compcov_log_64(target_ulong cur_loc, target_ulong arg1,
                               target_ulong arg2) {

-  if ((arg1 & 0xff) == (arg2 & 0xff)) {
+  register uintptr_t idx = cur_loc;

-    INC_AFL_AREA(cur_loc);
-    if ((arg1 & 0xffff) == (arg2 & 0xffff)) {
+  if ((arg1 & 0xff00000000000000) == (arg2 & 0xff00000000000000)) {

-      INC_AFL_AREA(cur_loc + 1);
-      if ((arg1 & 0xffffff) == (arg2 & 0xffffff)) {
+    INC_AFL_AREA(idx + 6);
+    if ((arg1 & 0xff000000000000) == (arg2 & 0xff000000000000)) {

-        INC_AFL_AREA(cur_loc + 2);
-        if ((arg1 & 0xffffffff) == (arg2 & 0xffffffff)) {
+      INC_AFL_AREA(idx + 5);
+      if ((arg1 & 0xff0000000000) == (arg2 & 0xff0000000000)) {

-          INC_AFL_AREA(cur_loc + 3);
-          if ((arg1 & 0xffffffffff) == (arg2 & 0xffffffffff)) {
+        INC_AFL_AREA(idx + 4);
+        if ((arg1 & 0xff00000000) == (arg2 & 0xff00000000)) {

-            INC_AFL_AREA(cur_loc + 4);
-            if ((arg1 & 0xffffffffffff) == (arg2 & 0xffffffffffff)) {
+          INC_AFL_AREA(idx + 3);
+          if ((arg1 & 0xff000000) == (arg2 & 0xff000000)) {

-              INC_AFL_AREA(cur_loc + 5);
-              if ((arg1 & 0xffffffffffffff) == (arg2 & 0xffffffffffffff)) {
+            INC_AFL_AREA(idx + 2);
+            if ((arg1 & 0xff0000) == (arg2 & 0xff0000)) {

-                INC_AFL_AREA(cur_loc + 6);
-
-              }
+              INC_AFL_AREA(idx + 1);
+              if ((arg1 & 0xff00) == (arg2 & 0xff00)) { INC_AFL_AREA(idx); }

            }

@ -137,3 +130,132 @@ static void afl_gen_compcov(target_ulong cur_loc, TCGv_i64 arg1, TCGv_i64 arg2,

 }

+/* Routines for debug */
+/*
+static void log_x86_saved_gpr(void) {
+
+  static const char reg_names[CPU_NB_REGS][4] = {
+
+#ifdef TARGET_X86_64
+        [R_EAX] = "rax",
+        [R_EBX] = "rbx",
+        [R_ECX] = "rcx",
+        [R_EDX] = "rdx",
+        [R_ESI] = "rsi",
+        [R_EDI] = "rdi",
+        [R_EBP] = "rbp",
+        [R_ESP] = "rsp",
+        [8]  = "r8",
+        [9]  = "r9",
+        [10] = "r10",
+        [11] = "r11",
+        [12] = "r12",
+        [13] = "r13",
+        [14] = "r14",
+        [15] = "r15",
+#else
+        [R_EAX] = "eax",
+        [R_EBX] = "ebx",
+        [R_ECX] = "ecx",
+        [R_EDX] = "edx",
+        [R_ESI] = "esi",
+        [R_EDI] = "edi",
+        [R_EBP] = "ebp",
+        [R_ESP] = "esp",
+#endif
+
+    };
+
+  int i;
+  for (i = 0; i < CPU_NB_REGS; ++i) {
+
+    fprintf(stderr, "%s = %lx\n", reg_names[i], persistent_saved_gpr[i]);
+
+  }
+
+}
+
+static void log_x86_sp_content(void) {
+
+  fprintf(stderr, ">> SP = %lx -> %lx\n", persistent_saved_gpr[R_ESP],
+*(unsigned long*)persistent_saved_gpr[R_ESP]);
+
+}*/
+
+#define I386_RESTORE_STATE_FOR_PERSISTENT                               \
+  do {                                                                  \
+                                                                        \
+    if (persistent_save_gpr) {                                          \
+                                                                        \
+      int      i;                                                       \
+      TCGv_ptr gpr_sv;                                                  \
+                                                                        \
+      TCGv_ptr first_pass_ptr = tcg_const_ptr(&persistent_first_pass);  \
+      TCGv     first_pass = tcg_temp_local_new();                       \
+      TCGv     one = tcg_const_tl(1);                                   \
+      tcg_gen_ld8u_tl(first_pass, first_pass_ptr, 0);                   \
+                                                                        \
+      TCGLabel *lbl_save_gpr = gen_new_label();                         \
+      TCGLabel *lbl_finish_restore_gpr = gen_new_label();               \
+      tcg_gen_brcond_tl(TCG_COND_EQ, first_pass, one, lbl_save_gpr);    \
+                                                                        \
+      for (i = 0; i < CPU_NB_REGS; ++i) {                               \
+                                                                        \
+        gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);               \
+        tcg_gen_ld_tl(cpu_regs[i], gpr_sv, 0);                          \
+                                                                        \
+      }                                                                 \
+                                                                        \
+      tcg_gen_br(lbl_finish_restore_gpr);                               \
+                                                                        \
+      gen_set_label(lbl_save_gpr);                                      \
+                                                                        \
+      for (i = 0; i < CPU_NB_REGS; ++i) {                               \
+                                                                        \
+        gpr_sv = tcg_const_ptr(&persistent_saved_gpr[i]);               \
+        tcg_gen_st_tl(cpu_regs[i], gpr_sv, 0);                          \
+                                                                        \
+      }                                                                 \
+                                                                        \
+      gen_set_label(lbl_finish_restore_gpr);                            \
+      tcg_temp_free(first_pass);                                        \
+                                                                        \
+    } else if (afl_persistent_ret_addr == 0) {                          \
+                                                                        \
+      TCGv_ptr stack_off_ptr = tcg_const_ptr(&persistent_stack_offset); \
+      TCGv     stack_off = tcg_temp_new();                              \
+      tcg_gen_ld_tl(stack_off, stack_off_ptr, 0);                       \
+      tcg_gen_sub_tl(cpu_regs[R_ESP], cpu_regs[R_ESP], stack_off);      \
+      tcg_temp_free(stack_off);                                         \
+                                                                        \
+    }                                                                   \
+                                                                        \
+  } while (0)
+
+#define AFL_QEMU_TARGET_i386_SNIPPET                                          \
+  if (is_persistent) {                                                        \
+                                                                              \
+    if (s->pc == afl_persistent_addr) {                                       \
+                                                                              \
+      I386_RESTORE_STATE_FOR_PERSISTENT;                                      \
+      /*tcg_gen_afl_call0(log_x86_saved_gpr);                                 \
+      tcg_gen_afl_call0(log_x86_sp_content);*/                                \
+                                                                              \
+      if (afl_persistent_ret_addr == 0) {                                     \
+                                                                              \
+        TCGv_ptr paddr = tcg_const_ptr(afl_persistent_addr);                  \
+        tcg_gen_st_tl(paddr, cpu_regs[R_ESP], persisent_retaddr_offset);      \
+                                                                              \
+      }                                                                       \
+      tcg_gen_afl_call0(&afl_persistent_loop);                                \
+      /*tcg_gen_afl_call0(log_x86_sp_content);*/                              \
+                                                                              \
+    } else if (afl_persistent_ret_addr && s->pc == afl_persistent_ret_addr) { \
+                                                                              \
+      gen_jmp_im(s, afl_persistent_addr);                                     \
+      gen_eob(s);                                                             \
+                                                                              \
+    }                                                                         \
+                                                                              \
+  }
+
--- a/Show More
+++ b/Show More