Merge pull request #767 from AFLplusplus/dev

Final push for release
ensure proper aligning for skim patch
2025-06-24 14:43:22 +00:00 · 2021-03-01 10:12:04 +01:00 · 2021-03-01 09:57:57 +01:00 · 2021-03-01 09:43:35 +01:00 · 2021-03-01 09:37:07 +01:00 · 2021-02-28 22:02:35 +01:00
537 changed files with 157917 additions and 53676 deletions
--- a/.clang-format
+++ b/.clang-format
@ -10,7 +10,7 @@ AlignOperands:   true
 AlignTrailingComments: true
 AllowAllParametersOfDeclarationOnNextLine: true
 AllowShortBlocksOnASingleLine: true
-AllowShortCaseLabelsOnASingleLine: true
+AllowShortCaseLabelsOnASingleLine: false
 AllowShortFunctionsOnASingleLine: false
 AllowShortIfStatementsOnASingleLine: true
 AllowShortLoopsOnASingleLine: false
@ -52,7 +52,7 @@ ConstructorInitializerAllOnOneLineOrOnePerLine: true
 ConstructorInitializerIndentWidth: 4
 ContinuationIndentWidth: 4
 Cpp11BracedListStyle: true
-DerivePointerAlignment: true
+DerivePointerAlignment: false
 DisableFormat:   false
 ExperimentalAutoDetectBinPacking: false
 FixNamespaceComments: true
@ -72,7 +72,7 @@ IncludeCategories:
    Priority:        3
 IncludeIsMainRegex: '([-_](test|unittest))?$'
 IndentCaseLabels: true
-IndentPPDirectives: None
+IndentPPDirectives: BeforeHash
 IndentWidth:     2
 IndentWrappedFunctionNames: false
 JavaScriptQuotes: Leave
--- a/.custom-format.py
+++ b/.custom-format.py
@ -29,30 +29,31 @@ CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
 if CLANG_FORMAT_BIN is None:
    o = 0
    try:
-        p = subprocess.Popen(["clang-format-8", "--version"], stdout=subprocess.PIPE)
+        p = subprocess.Popen(["clang-format-11", "--version"], stdout=subprocess.PIPE)
        o, _ = p.communicate()
        o = str(o, "utf-8")
-        o = o[len("clang-format version "):].strip()
-        o = o[:o.find(".")]
+        o = re.sub(r".*ersion ", "", o)
+        # o = o[len("clang-format version "):].strip()
+        o = o[: o.find(".")]
        o = int(o)
    except:
-        print ("clang-format-8 is needed. Aborted.")
+        print("clang-format-11 is needed. Aborted.")
        exit(1)
-    #if o < 7:
+    # if o < 7:
    #    if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-7'
    #    elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-8'
    #    elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
    #        CLANG_FORMAT_BIN = 'clang-format-9'
-    #    elif subprocess.call(['which', 'clang-format-10'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-10'
+    #    elif subprocess.call(['which', 'clang-format-11'], stdout=subprocess.PIPE) == 0:
+    #        CLANG_FORMAT_BIN = 'clang-format-11'
    #    else:
    #        print ("clang-format 7 or above is needed. Aborted.")
    #        exit(1)
    else:
-        CLANG_FORMAT_BIN = 'clang-format-8'
-            
+        CLANG_FORMAT_BIN = "clang-format-11"
+
 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):
    line = line.split(":")
@ -68,26 +69,47 @@ def custom_format(filename):
    in_define = False
    last_line = None
    out = ""
-    
+
    for line in src.split("\n"):
-        if line.startswith("#"):
-            if line.startswith("#define"):
+        if line.lstrip().startswith("#"):
+            if line[line.find("#") + 1 :].lstrip().startswith("define"):
                in_define = True
-        
-        if "/*" in line and not line.strip().startswith("/*") and line.endswith("*/") and len(line) < (COLUMN_LIMIT-2):
+
+        if (
+            "/*" in line
+            and not line.strip().startswith("/*")
+            and line.endswith("*/")
+            and len(line) < (COLUMN_LIMIT - 2)
+        ):
            cmt_start = line.rfind("/*")
-            line = line[:cmt_start] + " " * (COLUMN_LIMIT-2 - len(line)) + line[cmt_start:]
+            line = (
+                line[:cmt_start]
+                + " " * (COLUMN_LIMIT - 2 - len(line))
+                + line[cmt_start:]
+            )

        define_padding = 0
        if last_line is not None and in_define and last_line.endswith("\\"):
            last_line = last_line[:-1]
-            define_padding = max(0, len(last_line[last_line.rfind("\n")+1:]))
+            define_padding = max(0, len(last_line[last_line.rfind("\n") + 1 :]))

-        if last_line is not None and last_line.strip().endswith("{") and line.strip() != "":
+        if (
+            last_line is not None
+            and last_line.strip().endswith("{")
+            and line.strip() != ""
+        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-        elif last_line is not None and last_line.strip().startswith("}") and line.strip() != "":
+        elif (
+            last_line is not None
+            and last_line.strip().startswith("}")
+            and line.strip() != ""
+        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-        elif line.strip().startswith("}") and last_line is not None and last_line.strip() != "":
+        elif (
+            line.strip().startswith("}")
+            and last_line is not None
+            and last_line.strip() != ""
+        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line

        if not line.endswith("\\"):
@ -96,14 +118,15 @@ def custom_format(filename):
        out += line + "\n"
        last_line = line

-    return (out)
+    return out
+

 args = sys.argv[1:]
 if len(args) == 0:
-    print ("Usage: ./format.py [-i] <filename>")
-    print ()
-    print (" The -i option, if specified, let the script to modify in-place")
-    print (" the source files. By default the results are written to stdout.")
+    print("Usage: ./format.py [-i] <filename>")
+    print()
+    print(" The -i option, if specified, let the script to modify in-place")
+    print(" the source files. By default the results are written to stdout.")
    print()
    exit(1)

@ -119,4 +142,3 @@ for filename in args:
            f.write(code)
    else:
        print(code)
-
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,65 @@
+.test
+.test2
+.sync_tmp
+*.o
+*.so
+*.pyc
+*.dSYM
+as
+ld
+in
+out
+core*
+afl-analyze
+afl-as
+afl-clang
+afl-clang\+\+
+afl-clang-fast
+afl-clang-fast\+\+
+afl-clang-lto
+afl-clang-lto\+\+
+afl-fuzz
+afl-g\+\+
+afl-gcc
+afl-gcc-fast
+afl-g\+\+-fast
+afl-gotcpu
+afl-ld
+afl-ld-lto
+afl-qemu-trace
+afl-showmap
+afl-tmin
+afl-analyze.8
+afl-as.8
+afl-clang-fast\+\+.8
+afl-clang-fast.8
+afl-clang-lto.8
+afl-clang-lto\+\+.8
+afl-cmin.8
+afl-cmin.bash.8
+afl-fuzz.8
+afl-gcc.8
+afl-gcc-fast.8
+afl-g\+\+-fast.8
+afl-gotcpu.8
+afl-plot.8
+afl-showmap.8
+afl-system-config.8
+afl-tmin.8
+afl-whatsup.8
+qemu_mode/libcompcov/compcovtest
+qemu_mode/qemu-*
+unicorn_mode/samples/*/\.test-*
+unicorn_mode/samples/*/output
+unicorn_mode/unicornafl
+test/unittests/unit_maybe_alloc
+test/unittests/unit_preallocable
+test/unittests/unit_list
+test/unittests/unit_rand
+test/unittests/unit_hash
+examples/afl_network_proxy/afl-network-server
+examples/afl_network_proxy/afl-network-client
+examples/afl_frida/afl-frida
+examples/afl_frida/libtestinstr.so
+examples/afl_frida/frida-gum-example.c
+examples/afl_frida/frida-gum.h
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,31 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**IMPORTANT**
+1. You have verified that the issue to be present in the current `dev` branch
+2. Please supply the command line options and relevant environment variables, e.g. a copy-paste of the contents of `out/default/fuzzer_setup`
+
+Thank you for making afl++ better!
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. ...
+2. ...
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screen output/Screenshots**
+If applicable, add copy-paste of the screen output or screenshot that shows the issue. Please ensure the output is in **English** and not in Chinese, Russian, German, etc.
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/workflows/build_aflplusplus_docker.yaml
+++ b/.github/workflows/build_aflplusplus_docker.yaml
@ -0,0 +1,27 @@
+name: Publish Docker Images
+on:
+  push:
+    branches: [ stable ]
+    paths:
+    - Dockerfile
+  pull_request:
+    branches: [ stable ]
+    paths:
+    - Dockerfile
+jobs:
+  push_to_registry:
+    name: Push Docker images to Dockerhub
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - name: Login to Dockerhub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_TOKEN }}
+    - name: Publish aflpp to Registry
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        push: true
+        tags: aflplusplus/aflplusplus:latest
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,28 @@
+name: CI
+
+on:
+  push:
+    branches: [ stable, dev ]
+  pull_request:
+    branches: [ stable, dev ]
+
+jobs:
+  build:
+    runs-on: '${{ matrix.os }}'
+    strategy:
+      matrix:
+        os: [ubuntu-20.04, ubuntu-18.04]
+    steps:
+      - uses: actions/checkout@v2
+      - name: debug
+        run: apt-cache search plugin-dev | grep gcc- ; echo ; apt-cache search clang-format- | grep clang-format-
+      - name: install packages
+        run: sudo apt-get install -y -m -f --install-suggests build-essential git libtool libtool-bin automake bison libglib2.0-0 clang llvm-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools
+      - name: compiler installed
+        run: gcc -v ; echo ; clang -v
+      - name: install gcc plugin
+        run: sudo apt-get install -y -m -f --install-suggests $(readlink /usr/bin/gcc)-plugin-dev
+      - name: build afl++
+        run: make distrib ASAN_BUILD=1
+      - name: run tests
+        run: sudo -E ./afl-system-config ; export AFL_SKIP_CPUFREQ=1 ; make tests
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,32 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ stable, dev ]
+  pull_request:
+    branches: [ stable, dev ]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
--- a/.gitignore
+++ b/.gitignore
@ -1,28 +1,51 @@
 .test
 .test2
+.sync_tmp
+.vscode
 *.o
 *.so
+*.swp
+*.pyc
+*.dSYM
+as
+a.out
+ld
+in
+out
+core*
+compile_commands.json
 afl-analyze
 afl-as
 afl-clang
 afl-clang++
 afl-clang-fast
 afl-clang-fast++
+afl-clang-lto
+afl-clang-lto++
 afl-fuzz
 afl-g++
 afl-gcc
 afl-gcc-fast
 afl-g++-fast
 afl-gotcpu
+afl-ld
+afl-ld-lto
 afl-qemu-trace
 afl-showmap
 afl-tmin
 afl-analyze.8
+afl-as.8
 afl-clang-fast++.8
 afl-clang-fast.8
+afl-clang-lto.8
+afl-clang-lto++.8
 afl-cmin.8
+afl-cmin.bash.8
 afl-fuzz.8
+afl-c++.8
+afl-cc.8
 afl-gcc.8
+afl-g++.8
 afl-gcc-fast.8
 afl-g++-fast.8
 afl-gotcpu.8
@ -31,10 +54,32 @@ afl-showmap.8
 afl-system-config.8
 afl-tmin.8
 afl-whatsup.8
+afl-c++
+afl-cc
+afl-lto
+afl-lto++
+afl-lto++.8
+afl-lto.8
 qemu_mode/libcompcov/compcovtest
-as
 qemu_mode/qemu-*
-unicorn_mode/unicornafl/
+qemu_mode/qemuafl
 unicorn_mode/samples/*/\.test-*
 unicorn_mode/samples/*/output/
-core\.*
+unicorn_mode/unicornafl
+test/unittests/unit_maybe_alloc
+test/unittests/unit_preallocable
+test/unittests/unit_list
+test/unittests/unit_rand
+test/unittests/unit_hash
+examples/afl_network_proxy/afl-network-server
+examples/afl_network_proxy/afl-network-client
+examples/afl_frida/afl-frida
+examples/afl_frida/libtestinstr.so
+examples/afl_frida/frida-gum-example.c
+examples/afl_frida/frida-gum.h
+examples/aflpp_driver/libAFLDriver.a
+examples/aflpp_driver/libAFLQemuDriver.a
+libAFLDriver.a
+libAFLQemuDriver.a
+test/.afl_performance
+gmon.out
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,9 @@
+[submodule "unicorn_mode/unicornafl"]
+	path = unicorn_mode/unicornafl
+	url = https://github.com/AFLplusplus/unicornafl
+[submodule "custom_mutators/grammar_mutator"]
+	path = custom_mutators/grammar_mutator/grammar_mutator
+	url = https://github.com/AFLplusplus/Grammar-Mutator
+[submodule "qemu_mode/qemuafl"]
+	path = qemu_mode/qemuafl
+	url = https://github.com/AFLplusplus/qemuafl
--- a/.travis.yml
+++ b/.travis.yml
@ -1,53 +0,0 @@
-language: c
-
-sudo: required
-
-branches:
-  only:
-    - master
-
-matrix:
-  include:
-  - os: linux
-    dist: bionic
-    env: NAME="bionic-amd64" MODERN="yes" GCC="7"
-  - os: linux
-    dist: xenial
-    env: NAME="xenial-amd64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0"
-  - os: linux
-    dist: trusty
-    env: NAME="trusty-amd64" MODERN="no" GCC="4.8"
-#  - os: linux # until travis can fix this!
-#    dist: xenial
-#    arch: arm64
-#    env: NAME="xenial-arm64" MODERN="no" GCC="5" EXTRA="libtool-bin clang-6.0" AFL_NO_X86="1" CPU_TARGET="aarch64"
-#  - os: osx
-#    osx_image: xcode11.2
-#    env: NAME="osx" HOMEBREW_NO_ANALYTICS="1" LINK="http://releases.llvm.org/9.0.0/" NAME="clang+llvm-9.0.0-x86_64-darwin-apple"
-
-jobs:
-  allow_failures:
-    - os: osx
-
-env:
-  - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_STOP_MANUALLY=1
- # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_EXIT_WHEN_DONE=1
- # TODO: test AFL_BENCH_UNTIL_CRASH once we have a target that crashes
- # - AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_UI=1 AFL_BENCH_JUST_ONE=1
-
-before_install:
-  # export LLVM_DIR=${TRAVIS_BUILD_DIR}/${LLVM_PACKAGE}
-  - echo Testing on $NAME
-  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then wget "$LINK""$NAME".tar.xz ; export LLVM_CONFIG=`pwd`/"$NAME" ; tar xJf "$NAME".tar.xz ; fi
-  - if [ "$MODERN" = "yes" ]; then sudo apt update ; sudo apt upgrade ; sudo apt install -y libtool libtool-bin automake bison libglib2.0 build-essential clang gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-"$GCC"-dev findutils ; fi
-  - if [ "$MODERN" = "no" ]; then sudo apt update ; sudo apt install -y libtool $EXTRA libpixman-1-dev automake bison libglib2.0 build-essential gcc-"$GCC" gcc-"$GCC"-plugin-dev libc++-dev findutils ; fi
-
-script:
-  - gcc -v
-  - clang -v
-  - sudo -E ./afl-system-config
-  - if [ "$TRAVIS_OS_NAME" = "osx" ]; then export LLVM_CONFIG=`pwd`/"$NAME" ; make source-only ASAN_BUILD=1 ; fi
-  - if [ "$TRAVIS_OS_NAME" = "linux" -a "$TRAVIS_CPU_ARCH" = "amd64" ]; then make distrib ASAN_BUILD=1 ; fi
-  - if [ "$TRAVIS_CPU_ARCH" = "arm64" ] ; then echo DEBUG ; find / -name llvm-config.h 2>/dev/null; apt-cache search clang | grep clang- ; apt-cache search llvm | grep llvm- ; dpkg -l | egrep 'clang|llvm'; echo DEBUG ; export LLVM_CONFIG=llvm-config-6.0 ; make ASAN_BUILD=1 ; cd qemu_mode && sh ./build_qemu_support.sh ; cd .. ; fi
-  - make tests
-  - travis_terminate 0
--- a/Android.bp
+++ b/Android.bp
@ -1,7 +1,16 @@
 cc_defaults {
  name: "afl-defaults",
+  sanitize: {
+    never: true,
+  },
+
+  local_include_dirs: [
+    "include",
+    "instrumentation",
+  ],

  cflags: [
+    "-flto=full",
    "-funroll-loops",
    "-Wno-pointer-sign",
    "-Wno-pointer-arith",
@ -10,24 +19,35 @@ cc_defaults {
    "-Wno-unused-function",
    "-Wno-format",
    "-Wno-user-defined-warnings",
-    "-DUSE_TRACE_PC=1",
+    "-DAFL_LLVM_USE_TRACE_PC=1",
    "-DBIN_PATH=\"out/host/linux-x86/bin\"",
    "-DDOC_PATH=\"out/host/linux-x86/shared/doc/afl\"",
    "-D__USE_GNU",
+    "-D__aarch64__",
+    "-DDEBUG_BUILD",
+    "-U_FORTIFY_SOURCE",
+    "-ggdb3",
+    "-g",
+    "-O0",
+    "-fno-omit-frame-pointer",
  ],
 }

 cc_binary {
  name: "afl-fuzz",
-  static_executable: true,
  host_supported: true,
+  compile_multilib: "64",

  defaults: [
    "afl-defaults",
  ],

  srcs: [
-    "afl-fuzz.c",
+    "src/afl-fuzz*.c",
+    "src/afl-common.c",
+    "src/afl-sharedmem.c",
+    "src/afl-forkserver.c",
+    "src/afl-performance.c",
  ],
 }

@ -41,7 +61,11 @@ cc_binary {
  ],

  srcs: [
-    "afl-showmap.c",
+    "src/afl-showmap.c",
+    "src/afl-common.c",
+    "src/afl-sharedmem.c",
+    "src/afl-forkserver.c",
+    "src/afl-performance.c",
  ],
 }

@ -55,7 +79,11 @@ cc_binary {
  ],

  srcs: [
-    "afl-tmin.c",
+    "src/afl-tmin.c",
+    "src/afl-common.c",
+    "src/afl-sharedmem.c",
+    "src/afl-forkserver.c",
+    "src/afl-performance.c",
  ],
 }

@ -69,7 +97,10 @@ cc_binary {
  ],

  srcs: [
-    "afl-analyze.c",
+    "src/afl-analyze.c",
+    "src/afl-common.c",
+    "src/afl-sharedmem.c",
+    "src/afl-performance.c",
  ],
 }

@ -83,12 +114,13 @@ cc_binary {
  ],

  srcs: [
-    "afl-gotcpu.c",
+    "src/afl-gotcpu.c",
+    "src/afl-common.c",
  ],
 }

 cc_binary_host {
-  name: "afl-clang-fast",
+  name: "afl-cc",
  static_executable: true,

  defaults: [
@ -98,44 +130,144 @@ cc_binary_host {
  cflags: [
    "-D__ANDROID__",
    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
+    "-DAFL_CLANG_FLTO=\"-flto=full\"",
+    "-DUSE_BINDIR=1",
+    "-DLLVM_BINDIR=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin\"",
+    "-DLLVM_LIBDIR=\"prebuilts/clang/host/linux-x86/clang-r383902b/lib64\"",
+    "-DCLANGPP_BIN=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin/clang++\"",
+    "-DAFL_REAL_LD=\"prebuilts/clang/host/linux-x86/clang-r383902b/bin/ld.lld\"",
+    "-DLLVM_LTO=1",
+    "-DLLVM_MAJOR=11",
+    "-DLLVM_MINOR=2",
  ],

  srcs: [
-    "llvm_mode/afl-clang-fast.c",
-  ],
-}
-
-cc_binary_host {
-  name: "afl-clang-fast++",
-  static_executable: true,
-
-  defaults: [
-    "afl-defaults",
+    "src/afl-cc.c",
+    "src/afl-common.c",
  ],

-  cflags: [
-    "-D__ANDROID__",
-    "-DAFL_PATH=\"out/host/linux-x86/lib64\"",
-  ],
-
-  srcs: [
-    "llvm_mode/afl-clang-fast.c",
+  symlinks: [
+    "afl-clang-fast",
+    "afl-clang-fast++",
  ],
 }

 cc_library_static {
  name: "afl-llvm-rt",
-  compile_multilib: "both",
+  compile_multilib: "64",
  vendor_available: true,
  host_supported: true,
  recovery_available: true,
  sdk_version: "9",

+  apex_available: [
+    "com.android.adbd",
+    "com.android.appsearch",
+    "com.android.art",
+    "com.android.bluetooth.updatable",
+    "com.android.cellbroadcast",
+    "com.android.conscrypt",
+    "com.android.extservices",
+    "com.android.cronet",
+    "com.android.neuralnetworks",
+    "com.android.media",
+    "com.android.media.swcodec",
+    "com.android.mediaprovider",
+    "com.android.permission",
+    "com.android.runtime",
+    "com.android.resolv",
+    "com.android.tethering",
+    "com.android.wifi",
+    "com.android.sdkext",
+    "com.android.os.statsd",
+    "//any",
+  ],
+
  defaults: [
    "afl-defaults",
  ],

  srcs: [
-    "llvm_mode/afl-llvm-rt.o.c",
+    "instrumentation/afl-compiler-rt.o.c",
  ],
 }
+
+cc_library_headers {
+  name: "libafl_headers",
+  vendor_available: true,
+  host_supported: true,
+
+  export_include_dirs: [
+    "include",
+  ],
+}
+
+cc_prebuilt_library_static {
+  name: "libfrida-gum",
+  compile_multilib: "64",
+  strip: {
+    none: true,
+  },
+
+  srcs: [
+    "utils/afl_frida/android/libfrida-gum.a",
+  ],
+
+  export_include_dirs: [
+    "utils/afl_frida/android",
+  ],
+}
+
+cc_library_shared {
+  name: "libtestinstr",
+
+  srcs: [
+    "utils/afl_frida/libtestinstr.c",
+  ],
+
+  cflags: [
+    "-O0",
+    "-fPIC",
+  ],
+}
+
+cc_binary {
+  name: "afl-frida",
+  compile_multilib: "64",
+
+  defaults: [
+    "afl-defaults",
+  ],
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-Wno-format",
+    "-Wno-pointer-sign",
+    "-fpermissive",
+    "-fPIC",
+  ],
+
+  static_libs: [
+    "afl-llvm-rt",
+    "libfrida-gum",
+  ],
+
+  shared_libs: [
+    "libdl",
+    "liblog",
+  ],
+
+  srcs: [
+    "utils/afl_frida/afl-frida.c",
+  ],
+
+  local_include_dirs: [
+    "utils/afl_frida",
+    "utils/afl_frida/android",
+  ],
+}
+
+subdirs = [
+  "custom_mutators",
+]
--- a/Android.mk
+++ b/Android.mk
@ -1 +0,0 @@
-Makefile
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,19 +1,24 @@
 # How to submit a Pull Request to AFLplusplus

+All contributions (pull requests) must be made against our `dev` branch.
+
 Each modified source file, before merging, must be formatted.

 ```
-make code-formatter
+make code-format
 ```

 This should be fine if you modified one of the files already present in the
-project, otherwise run:
+project, or added a file in a directory we already format, otherwise run:

 ```
 ./.custom-format.py -i file-that-you-have-created.c
 ```

 Regarding the coding style, please follow the AFL style.
-No camel case at all and use the AFL's macros when possible (e.g. WARNF, FATAL, ...).
+No camel case at all and use AFL's macros wherever possible
+(e.g. WARNF, FATAL, MAP_SIZE, ...).

-Remember that AFLplusplus has to build and run on many platforms, so generalize your Makefiles (or your patches to our pre-existing Makefiles) to be as much general as possible.
+Remember that AFLplusplus has to build and run on many platforms, so
+generalize your Makefiles/GNUmakefile (or your patches to our pre-existing
+Makefiles) to be as generic as possible.
--- a/87
+++ b/87
@ -1,37 +1,70 @@
-FROM ubuntu:eoan
-MAINTAINER David Carlier <devnexen@gmail.com>
+#
+# This Dockerfile for AFLplusplus uses Ubuntu 20.04 focal and
+# installs LLVM 11 from llvm.org for afl-clang-lto support :-)
+# It also installs gcc/g++ 10 from the Ubuntu development platform
+# since focal has gcc-10 but not g++-10 ...
+#
+
+FROM ubuntu:20.04 AS aflplusplus
+LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
 LABEL "about"="AFLplusplus docker image"
-RUN apt-get update && apt-get -y install \
-    --no-install-suggests --no-install-recommends \
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+env NO_ARCH_OPT 1
+
+RUN apt-get update && \
+    apt-get -y install --no-install-suggests --no-install-recommends \
    automake \
-    bison \
+    ninja-build \
+    bison flex \
    build-essential \
-    clang \
-    clang-9 \
-    flex \
    git \
-    python3.7 \
-    python3.7-dev \
-    gcc-9 \
-    gcc-9-plugin-dev \
-    gcc-9-multilib \
-    libc++-9-dev \
-    libtool \
-    libtool-bin \
+    python3 python3-dev python3-setuptools python-is-python3 \
+    libtool libtool-bin \
    libglib2.0-dev \
-    llvm-9-dev \
-    python-setuptools \
-    python2.7-dev \
-    wget \
-    ca-certificates \
+    wget vim jupp nano bash-completion less \
+    apt-utils apt-transport-https ca-certificates gnupg dialog \
    libpixman-1-dev \
+    gnuplot-nox \
    && rm -rf /var/lib/apt/lists/*

-ARG CC=gcc-9
-ARG CXX=g++-9
-ARG LLVM_CONFIG=llvm-config-9
+RUN echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" >> /etc/apt/sources.list && \
+    wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -

-RUN git clone https://github.com/vanhauser-thc/AFLplusplus
+RUN echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal main" >> /etc/apt/sources.list && \
+    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F

-RUN cd AFLplusplus && make clean && make distrib && \
-    make install && cd .. && rm -rf AFLplusplus
+RUN apt-get update && apt-get full-upgrade -y && \
+    apt-get -y install --no-install-suggests --no-install-recommends \
+    gcc-10 g++-10 gcc-10-plugin-dev gcc-10-multilib gdb lcov \
+    clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
+    libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \
+    libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \
+    liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \
+    libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 0
+RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
+
+ENV LLVM_CONFIG=llvm-config-12
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+
+RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
+RUN cd /afl-cov && make install && cd ..
+
+COPY . /AFLplusplus
+WORKDIR /AFLplusplus
+
+RUN export CC=gcc-10 && export CXX=g++-10 && make clean && \
+    make distrib && make install && make clean
+
+RUN echo 'alias joe="jupp --wordwrap"' >> ~/.bashrc
+RUN echo 'export PS1="[afl++]$PS1"' >> ~/.bashrc
+ENV IS_DOCKER="1"
+
+# Disabled until we have the container ready
+#COPY --from=aflplusplus/afl-dyninst /usr/local/lib/libdyninstAPI_RT.so /usr/local/lib/libdyninstAPI_RT.so
+#COPY --from=aflplusplus/afl-dyninst /afl-dyninst/libAflDyninst.so /usr/local/lib/libAflDyninst.so
--- a/662
+++ b/662
@ -0,0 +1,662 @@
+#
+# american fuzzy lop++ - makefile
+# -----------------------------
+#
+# Originally written by Michal Zalewski
+#
+# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# For Heiko:
+#TEST_MMAP=1
+# the hash character is treated differently in different make versions
+# so use a variable for '#'
+HASH=\#
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+DOC_PATH    = $(PREFIX)/share/doc/afl
+MISC_PATH   = $(PREFIX)/share/afl
+MAN_PATH    = $(PREFIX)/man/man8
+
+PROGNAME    = afl
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+
+# PROGS intentionally omit afl-as, which gets installed elsewhere.
+
+PROGS       = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
+SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config
+MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
+ASAN_OPTIONS=detect_leaks=0
+
+ifdef NO_SPLICING
+  override CFLAGS += -DNO_SPLICING
+endif
+
+ifdef ASAN_BUILD
+  $(info Compiling ASAN version of binaries)
+  override CFLAGS += $(ASAN_CFLAGS)
+  LDFLAGS += $(ASAN_LDFLAGS)
+endif
+ifdef UBSAN_BUILD
+  $(info Compiling UBSAN version of binaries)
+  override CFLAGS += -fsanitize=undefined -fno-omit-frame-pointer
+  override LDFLAGS += -fsanitize=undefined
+endif
+ifdef MSAN_BUILD
+  $(info Compiling MSAN version of binaries)
+  CC := clang
+  override CFLAGS += -fsanitize=memory -fno-omit-frame-pointer
+  override LDFLAGS += -fsanitize=memory
+endif
+
+ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=full
+else
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto=thin
+ else
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	CFLAGS_FLTO ?= -flto
+  endif
+ endif
+endif
+endif
+
+ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -fno-move-loop-invariants -fdisable-tree-cunrolli -x c - -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	SPECIAL_PERFORMANCE += -fno-move-loop-invariants -fdisable-tree-cunrolli
+endif
+
+#ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+#  ifndef SOURCE_DATE_EPOCH
+#    HAVE_MARCHNATIVE = 1
+#    CFLAGS_OPT += -march=native
+#  endif
+#endif
+
+ifneq "$(shell uname)" "Darwin"
+  #ifeq "$(HAVE_MARCHNATIVE)" "1"
+  #  SPECIAL_PERFORMANCE += -march=native
+  #endif
+ # OS X does not like _FORTIFY_SOURCE=2
+  ifndef DEBUG
+    CFLAGS_OPT += -D_FORTIFY_SOURCE=2
+  endif
+endif
+
+ifeq "$(shell uname)" "SunOS"
+  CFLAGS_OPT += -Wno-format-truncation
+  LDFLAGS = -lkstat -lrt
+endif
+
+ifdef STATIC
+  $(info Compiling static version of binaries, disabling python though)
+  # Disable python for static compilation to simplify things
+  PYTHON_OK = 0
+  PYFLAGS=
+  PYTHON_INCLUDE = /
+
+  CFLAGS_OPT += -static
+  LDFLAGS += -lm -lpthread -lz -lutil
+endif
+
+ifdef PROFILING
+  $(info Compiling with profiling information, for analysis: gprof ./afl-fuzz gmon.out > prof.txt)
+  CFLAGS_OPT += -pg -DPROFILING=1
+  LDFLAGS += -pg
+endif
+
+ifdef INTROSPECTION
+  $(info Compiling with introspection documentation)
+  CFLAGS_OPT += -DINTROSPECTION=1
+endif
+
+
+ifneq "$(shell uname -m)" "x86_64"
+ ifneq "$(patsubst i%86,i386,$(shell uname -m))" "i386"
+  ifneq "$(shell uname -m)" "amd64"
+   ifneq "$(shell uname -m)" "i86pc"
+	AFL_NO_X86=1
+   endif
+  endif
+ endif
+endif
+
+ifdef DEBUG
+  $(info Compiling DEBUG version of binaries)
+  CFLAGS += -ggdb3 -O0 -Wall -Wextra -Werror
+else
+  CFLAGS ?= -O3 -funroll-loops $(CFLAGS_OPT)
+endif
+
+override CFLAGS += -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith \
+			  -I include/ -DAFL_PATH=\"$(HELPER_PATH)\" \
+			  -DBIN_PATH=\"$(BIN_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\"
+
+ifeq "$(shell uname -s)" "FreeBSD"
+  override CFLAGS  += -I /usr/local/include/
+  LDFLAGS += -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "DragonFly"
+  override CFLAGS  += -I /usr/local/include/
+  LDFLAGS += -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "OpenBSD"
+  override CFLAGS  += -I /usr/local/include/ -mno-retpoline
+  LDFLAGS += -Wl,-z,notext -L /usr/local/lib/
+endif
+
+ifeq "$(shell uname -s)" "NetBSD"
+  override CFLAGS  += -I /usr/pkg/include/
+  LDFLAGS += -L /usr/pkg/lib/
+endif
+
+ifeq "$(shell uname -s)" "Haiku"
+  SHMAT_OK=0
+  override CFLAGS  += -DUSEMMAP=1 -Wno-error=format -fPIC
+  LDFLAGS += -Wno-deprecated-declarations -lgnu
+  SPECIAL_PERFORMANCE += -DUSEMMAP=1
+endif
+
+AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
+
+ifneq "$(shell command -v python3m 2>/dev/null)" ""
+  ifneq "$(shell command -v python3m-config 2>/dev/null)" ""
+    PYTHON_INCLUDE  ?= $(shell python3m-config --includes)
+    PYTHON_VERSION  ?= $(strip $(shell python3m --version 2>&1))
+    # Starting with python3.8, we need to pass the `embed` flag. Earlier versions didn't know this flag.
+    ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+      PYTHON_LIB      ?= $(shell python3m-config --libs --embed --ldflags)
+    else
+      PYTHON_LIB      ?= $(shell python3m-config --ldflags)
+    endif
+  endif
+endif
+
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python3 2>/dev/null)" ""
+    ifneq "$(shell command -v python3-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python3-config --includes)
+      PYTHON_VERSION  ?= $(strip $(shell python3 --version 2>&1))
+      # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
+      ifeq "$(shell python3-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
+        PYTHON_LIB      ?= $(shell python3-config --libs --embed --ldflags)
+      else
+        PYTHON_LIB      ?= $(shell python3-config --ldflags)
+      endif
+    endif
+  endif
+endif
+
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python 2>/dev/null)" ""
+    ifneq "$(shell command -v python-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python-config --includes)
+      PYTHON_LIB      ?= $(shell python-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python --version 2>&1))
+    endif
+  endif
+endif
+
+# Old Ubuntu and others dont have python/python3-config so we hardcode 3.7
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python3.7 2>/dev/null)" ""
+    ifneq "$(shell command -v python3.7-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python3.7-config --includes)
+      PYTHON_LIB      ?= $(shell python3.7-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python3.7 --version 2>&1))
+    endif
+  endif
+endif
+
+# Old Ubuntu and others dont have python/python2-config so we hardcode 2.7
+ifeq "$(PYTHON_INCLUDE)" ""
+  ifneq "$(shell command -v python2.7 2>/dev/null)" ""
+    ifneq "$(shell command -v python2.7-config 2>/dev/null)" ""
+      PYTHON_INCLUDE  ?= $(shell python2.7-config --includes)
+      PYTHON_LIB      ?= $(shell python2.7-config --ldflags)
+      PYTHON_VERSION  ?= $(strip $(shell python2.7 --version 2>&1))
+    endif
+  endif
+endif
+
+ifdef SOURCE_DATE_EPOCH
+    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+else
+    BUILD_DATE ?= $(shell date "+%Y-%m-%d")
+endif
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+ ifndef DEBUG
+  override CFLAGS += -D_FORTIFY_SOURCE=2
+ endif
+  LDFLAGS += -ldl -lrt -lm
+endif
+
+ifneq "$(findstring FreeBSD, $(shell uname))" ""
+  override CFLAGS  += -pthread
+  LDFLAGS += -lpthread
+endif
+
+ifneq "$(findstring NetBSD, $(shell uname))" ""
+  override CFLAGS  += -pthread
+  LDFLAGS += -lpthread
+endif
+
+ifneq "$(findstring OpenBSD, $(shell uname))" ""
+  override CFLAGS  += -pthread
+  LDFLAGS += -lpthread
+endif
+
+COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
+
+ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	PYTHON_OK=1
+	PYFLAGS=-DUSE_PYTHON $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) -DPYTHON_VERSION="\"$(PYTHON_VERSION)\""
+else
+	PYTHON_OK=0
+	PYFLAGS=
+endif
+
+ifdef NO_PYTHON
+	PYTHON_OK=0
+	PYFLAGS=
+endif
+
+IN_REPO=0
+ifeq "$(shell command -v git >/dev/null && git status >/dev/null 2>&1 && echo 1 || echo 0)" "1"
+  IN_REPO=1
+endif
+ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1 || echo 0)" "1"
+  IN_REPO=1
+endif
+
+ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -DASAN_BUILD
+	ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+endif
+
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	override CFLAGS+=-DUSEMMAP=1
+	LDFLAGS += -Wno-deprecated-declarations
+endif
+
+ifdef TEST_MMAP
+	SHMAT_OK=0
+	override CFLAGS += -DUSEMMAP=1
+	LDFLAGS += -Wno-deprecated-declarations
+endif
+
+.PHONY: all
+all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
+
+.PHONY: llvm
+llvm:
+	-$(MAKE) -j -f GNUmakefile.llvm
+	@test -e afl-cc || { echo "[-] Compiling afl-cc failed. You seem not to have a working compiler." ; exit 1; }
+
+.PHONY: gcc_plugin
+gcc_plugin:
+	-$(MAKE) -f GNUmakefile.gcc_plugin
+
+.PHONY: man
+man:    $(MANPAGES)
+
+.PHONY: test
+test:	tests
+
+.PHONY: tests
+tests:	source-only
+	@cd test ; ./test-all.sh
+	@rm -f test/errors
+
+.PHONY: performance-tests
+performance-tests:	performance-test
+.PHONY: test-performance
+test-performance:	performance-test
+
+.PHONY: performance-test
+performance-test:	source-only
+	@cd test ; ./test-performance.sh
+
+
+# hint: make targets are also listed in the top level README.md
+.PHONY: help
+help:
+	@echo "HELP --- the following make targets exist:"
+	@echo "=========================================="
+	@echo "all: just the main afl++ binaries"
+	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap"
+	@echo "source-only: everything for source code fuzzing: gcc_plugin, libdislocator, libtokencap"
+	@echo "distrib: everything (for both binary-only and source code fuzzing)"
+	@echo "man: creates simple man pages from the help option of the programs"
+	@echo "install: installs everything you have compiled with the build option above"
+	@echo "clean: cleans everything compiled (not downloads when on a checkout)"
+	@echo "deepclean: cleans everything including downloads"
+	@echo "code-format: format the code, do this before you commit and send a PR please!"
+	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
+	@echo "unit: perform unit tests (based on cmocka and GNU linker)"
+	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
+	@echo "help: shows these build options :-)"
+	@echo "=========================================="
+	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
+	@echo
+	@echo Known build environment options:
+	@echo "=========================================="
+	@echo STATIC - compile AFL++ static
+	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
+	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
+	@echo PROFILING - compile afl-fuzz with profiling information
+	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
+	@echo NO_PYTHON - disable python support
+	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
+	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
+	@echo NO_ARCH_OPT - builds afl++ without machine architecture optimizations
+	@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)"
+	@echo "=========================================="
+	@echo e.g.: make ASAN_BUILD=1
+
+.PHONY: test_x86
+ifndef AFL_NO_X86
+test_x86:
+	@echo "[*] Checking for the default compiler cc..."
+	@type $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
+	@echo "[*] Testing the PATH environment variable..."
+	@test "$${PATH}" != "$${PATH#.:}" && { echo "Please remove current directory '.' from PATH to avoid recursion of 'as', thanks!"; echo; exit 1; } || :
+	@echo "[*] Checking for the ability to compile x86 code..."
+	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) $(CFLAGS) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
+	@rm -f .test1
+else
+test_x86:
+	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
+endif
+
+.PHONY: test_shm
+ifeq "$(SHMAT_OK)" "1"
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+else
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+endif
+
+.PHONY: test_python
+ifeq "$(PYTHON_OK)" "1"
+test_python:
+	@rm -f .test 2> /dev/null
+	@echo "[+] $(PYTHON_VERSION) support seems to be working."
+else
+test_python:
+	@echo "[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue"
+endif
+
+.PHONY: ready
+ready:
+	@echo "[+] Everything seems to be working, ready to compile."
+
+afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
+	@ln -sf afl-as as
+
+src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
+	$(CC) $(CFLAGS) -Iinclude $(SPECIAL_PERFORMANCE) -O3 -fno-unroll-loops -c src/afl-performance.c -o src/afl-performance.o
+
+src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
+
+src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-forkserver.c -o src/afl-forkserver.o
+
+src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
+
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+
+afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+
+afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o -o $@ $(LDFLAGS)
+
+afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+
+.PHONY: document
+document:	afl-fuzz-document
+
+# document all mutations and only do one run (use with only one input file!)
+afl-fuzz-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
+	$(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
+
+test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o
+
+unit_maybe_alloc: test/unittests/unit_maybe_alloc.o
+	@$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_maybe_alloc
+
+test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
+
+unit_hash: test/unittests/unit_hash.o src/afl-performance.o
+	@$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_hash
+
+test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
+
+unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_rand
+
+test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o
+
+unit_list: test/unittests/unit_list.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_list
+
+test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o
+
+unit_preallocable: test/unittests/unit_preallocable.o
+	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	./test/unittests/unit_preallocable
+
+.PHONY: unit_clean
+unit_clean:
+	@rm -f ./test/unittests/unit_preallocable ./test/unittests/unit_list ./test/unittests/unit_maybe_alloc test/unittests/*.o
+
+.PHONY: unit
+ifneq "$(shell uname)" "Darwin"
+unit:	unit_maybe_alloc unit_preallocable unit_list unit_clean unit_rand unit_hash
+else
+unit:
+	@echo [-] unit tests are skipped on Darwin \(lacks GNU linker feature --wrap\)
+endif
+
+.PHONY: code-format
+code-format:
+	./.custom-format.py -i src/*.c
+	./.custom-format.py -i include/*.h
+	./.custom-format.py -i instrumentation/*.h
+	./.custom-format.py -i instrumentation/*.cc
+	./.custom-format.py -i instrumentation/*.c
+	@#./.custom-format.py -i custom_mutators/*/*.c* # destroys libfuzzer :-(
+	@#./.custom-format.py -i custom_mutators/*/*.h # destroys honggfuzz :-(
+	./.custom-format.py -i utils/*/*.c*
+	./.custom-format.py -i utils/*/*.h
+	./.custom-format.py -i test/*.c
+	./.custom-format.py -i qemu_mode/libcompcov/*.c
+	./.custom-format.py -i qemu_mode/libcompcov/*.cc
+	./.custom-format.py -i qemu_mode/libcompcov/*.h
+	./.custom-format.py -i qemu_mode/libqasan/*.c
+	./.custom-format.py -i qemu_mode/libqasan/*.h
+	./.custom-format.py -i *.h
+	./.custom-format.py -i *.c
+
+
+.PHONY: test_build
+ifndef AFL_NO_X86
+test_build: afl-cc afl-gcc afl-as afl-showmap
+	@echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
+	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
+	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
+	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo
+	@echo "[+] All right, the instrumentation of afl-cc seems to be working!"
+#	@echo "[*] Testing the CC wrapper afl-gcc and its instrumentation output..."
+#	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 )
+#	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
+#	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+#	@rm -f test-instr
+#	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
+#		gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option."; echo "See docs/INSTALL.md section 5 how to build a -B enabled gcc." ) || \
+#		( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
+#	@echo
+#	@echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
+else
+test_build: afl-cc afl-as afl-showmap
+	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
+endif
+
+.PHONY: all_done
+all_done: test_build
+	@test -e afl-cc && echo "[+] Main compiler 'afl-cc' successfully built!" || { echo "[-] Main compiler 'afl-cc' failed to build, set up a working build environment first!" ; exit 1 ; }
+	@test -e cmplog-instructions-pass.so && echo "[+] LLVM mode for 'afl-cc' successfully built!" || echo "[-] LLVM mode for 'afl-cc'  failed to build, likely you either don't have llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumentation/README.llvm.md how to do this. Highly recommended!"
+	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode for 'afl-cc' successfully built!" || echo "[-] LLVM LTO mode for 'afl-cc'  failed to build, this would need LLVM 11+, see instrumentation/README.lto.md how to build it"
+	@test -e afl-gcc-pass.so && echo "[+] gcc_plugin for 'afl-cc' successfully built!" || echo "[-] gcc_plugin for 'afl-cc'  failed to build, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it"
+	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
+	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
+	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
+
+.NOTPARALLEL: clean all
+
+.PHONY: clean
+clean:
+	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand
+	-$(MAKE) -f GNUmakefile.llvm clean
+	-$(MAKE) -f GNUmakefile.gcc_plugin clean
+	$(MAKE) -C utils/libdislocator clean
+	$(MAKE) -C utils/libtokencap clean
+	$(MAKE) -C utils/afl_network_proxy clean
+	$(MAKE) -C utils/socket_fuzzing clean
+	$(MAKE) -C utils/argv_fuzzing clean
+	$(MAKE) -C qemu_mode/unsigaction clean
+	$(MAKE) -C qemu_mode/libcompcov clean
+	$(MAKE) -C qemu_mode/libqasan clean
+ifeq "$(IN_REPO)" "1"
+	test -e qemu_mode/qemuafl/Makefile && $(MAKE) -C qemu_mode/qemuafl clean || true
+	test -e unicorn_mode/unicornafl/Makefile && $(MAKE) -C unicorn_mode/unicornafl clean || true
+else
+	rm -rf qemu_mode/qemuafl
+	rm -rf unicorn_mode/unicornafl
+endif
+
+.PHONY: deepclean
+deepclean:	clean
+	rm -rf unicorn_mode/unicornafl
+	rm -rf qemu_mode/qemuafl
+# NEVER EVER ACTIVATE THAT!!!!! git reset --hard >/dev/null 2>&1 || true
+
+.PHONY: distrib
+distrib: all
+	-$(MAKE) -j -f GNUmakefile.llvm
+	-$(MAKE) -f GNUmakefile.gcc_plugin
+	$(MAKE) -C utils/libdislocator
+	$(MAKE) -C utils/libtokencap
+	-$(MAKE) -C utils/aflpp_driver
+	$(MAKE) -C utils/afl_network_proxy
+	$(MAKE) -C utils/socket_fuzzing
+	$(MAKE) -C utils/argv_fuzzing
+	-cd qemu_mode && sh ./build_qemu_support.sh
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+
+.PHONY: binary-only
+binary-only: test_shm test_python ready $(PROGS)
+	$(MAKE) -C utils/libdislocator
+	$(MAKE) -C utils/libtokencap
+	$(MAKE) -C utils/afl_network_proxy
+	$(MAKE) -C utils/socket_fuzzing
+	$(MAKE) -C utils/argv_fuzzing
+	-cd qemu_mode && sh ./build_qemu_support.sh
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+
+.PHONY: source-only
+source-only: all
+	-$(MAKE) -j -f GNUmakefile.llvm
+	-$(MAKE) -f GNUmakefile.gcc_plugin
+	$(MAKE) -C utils/libdislocator
+	$(MAKE) -C utils/libtokencap
+	-$(MAKE) -C utils/aflpp_driver
+
+%.8:	%
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
+	@echo .SH NAME >> $@
+	@echo .B $* >> $@
+	@echo >> $@
+	@echo .SH SYNOPSIS >> $@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> $@
+	@echo >> $@
+	@echo .SH OPTIONS >> $@
+	@echo .nf >> $@
+	@./$* -hh 2>&1 | tail -n +4 >> $@
+	@echo >> $@
+	@echo .SH AUTHOR >> $@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> $@
+	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> $@
+	@echo >> $@
+	@echo .SH LICENSE >> $@
+	@echo Apache License Version 2.0, January 2004 >> $@
+
+.PHONY: install
+install: all $(MANPAGES)
+	@install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	@rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
+	@rm -f $${DESTDIR}$(BIN_PATH)/afl-as
+	@rm -f $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt.o
+	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
+	@if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+	@if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f libqasan.so ]; then set -e; install -m 755 libqasan.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
+	@if [ -f socketfuzz32.so -o -f socketfuzz64.so ]; then $(MAKE) -C utils/socket_fuzzing install; fi
+	@if [ -f argvfuzz32.so -o -f argvfuzz64.so ]; then $(MAKE) -C utils/argv_fuzzing install; fi
+	@if [ -f utils/afl_network_proxy/afl-network-server ]; then $(MAKE) -C utils/afl_network_proxy install; fi
+	@if [ -f utils/aflpp_driver/libAFLDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLDriver.a $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f utils/aflpp_driver/libAFLQemuDriver.a ]; then set -e; install -m 644 utils/aflpp_driver/libAFLQemuDriver.a $${DESTDIR}$(HELPER_PATH); fi
+	-$(MAKE) -f GNUmakefile.llvm install
+	-$(MAKE) -f GNUmakefile.gcc_plugin install
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-g++
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang++
+	@mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
+	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
+	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
+	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
+	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
+	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
+	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
--- a/GNUmakefile.gcc_plugin
+++ b/GNUmakefile.gcc_plugin
@ -0,0 +1,185 @@
+#
+# american fuzzy lop++ - GCC plugin instrumentation
+# -----------------------------------------------
+#
+# Written by Austin Seipp <aseipp@pobox.com> and
+#            Laszlo Szekeres <lszekeres@google.com> and
+#            Michal Zalewski and
+#            Heiko Eißfeldt  <heiko@hexco.de>
+#
+# GCC integration design is based on the LLVM design, which comes
+# from Laszlo Szekeres.
+#
+# Copyright 2015 Google Inc. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+#TEST_MMAP=1
+PREFIX      ?= /usr/local
+HELPER_PATH ?= $(PREFIX)/lib/afl
+BIN_PATH    ?= $(PREFIX)/bin
+DOC_PATH    ?= $(PREFIX)/share/doc/afl
+MAN_PATH    ?= $(PREFIX)/share/man/man8
+
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
+
+CFLAGS          ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
+CFLAGS_SAFE     := -Wall -Iinclude -Wno-pointer-sign \
+                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+                   -DGCC_VERSION=\"$(GCCVER)\" -DGCC_BINDIR=\"$(GCCBINDIR)\" \
+                   -Wno-unused-function
+override CFLAGS += $(CFLAGS_SAFE)
+
+CXXFLAGS    ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
+CXXEFLAGS   := $(CXXFLAGS) -Wall -std=c++11
+
+CC          ?= gcc
+CXX         ?= g++
+
+ifeq "clang" "$(CC)"
+        CC  = gcc
+        CXX = g++
+endif
+
+ifeq "clang++" "$(CXX)"
+        CC  = gcc
+        CXX = g++
+endif
+
+ifeq "$(findstring Foundation,$(shell $(CC) --version))" ""
+        CC  = gcc
+        CXX = g++
+endif
+
+PLUGIN_BASE = "$(shell $(CC) -print-file-name=plugin)"
+PLUGIN_FLAGS = -fPIC -fno-rtti -I$(PLUGIN_BASE)/include -I$(PLUGIN_BASE)
+HASH=\#
+
+GCCVER    = $(shell $(CC) --version 2>/dev/null | awk 'NR == 1 {print $$NF}')
+GCCBINDIR = $(shell dirname `command -v $(CC)` 2>/dev/null )
+
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+	SHMAT_OK=1
+else
+	SHMAT_OK=0
+	override CFLAGS_SAFE += -DUSEMMAP=1
+endif
+
+ifeq "$(TEST_MMAP)" "1"
+	SHMAT_OK=0
+	override CFLAGS_SAFE += -DUSEMMAP=1
+endif
+
+ifneq "$(shell uname -s)" "Haiku"
+ifneq "$(shell uname -s)" "OpenBSD"
+  	LDFLAGS += -lrt
+endif
+else
+	CFLAGS_SAFE += -DUSEMMAP=1
+endif
+
+ifeq "$(shell uname -s)" "OpenBSD"
+    CC  = egcc
+    CXX = eg++
+    PLUGIN_FLAGS += -I/usr/local/include
+endif
+
+ifeq "$(shell uname -s)" "DragonFly"
+  	PLUGIN_FLAGS += -I/usr/local/include
+endif
+
+ifeq "$(shell uname -s)" "SunOS"
+  	PLUGIN_FLAGS += -I/usr/include/gmp
+endif
+
+
+PROGS        = ./afl-gcc-pass.so
+
+.PHONY: all
+all: test_shm test_deps $(PROGS) test_build all_done
+
+.PHONY: test_shm
+ifeq "$(SHMAT_OK)" "1"
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+else
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+endif
+
+.PHONY: test_deps
+test_deps:
+	@echo "[*] Checking for working '$(CC)'..."
+	@command -v $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+#	@echo "[*] Checking for gcc for plugin support..."
+#	@$(CC) -v 2>&1 | grep -q -- --enable-plugin || ( echo "[-] Oops, this gcc has not been configured with plugin support."; exit 1 )
+	@echo "[*] Checking for gcc plugin development header files..."
+	@test -d `$(CC) -print-file-name=plugin`/include || ( echo "[-] Oops, can't find gcc header files. Be sure to install 'gcc-X-plugin-dev'."; exit 1 )
+	@echo "[*] Checking for './afl-showmap'..."
+	@test -f ./afl-showmap || ( echo "[-] Oops, can't find './afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@echo "[+] All set and ready to build."
+
+afl-common.o: ./src/afl-common.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ $(LDFLAGS)
+
+./afl-gcc-pass.so: instrumentation/afl-gcc-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+	ln -sf afl-cc afl-gcc-fast
+	ln -sf afl-cc afl-g++-fast
+	ln -sf afl-cc.8 afl-gcc-fast.8
+	ln -sf afl-cc.8 afl-g++-fast.8
+
+.PHONY: test_build
+test_build: $(PROGS)
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ./afl-gcc-fast $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
+	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+.PHONY: all_done
+all_done: test_build
+	@echo "[+] All done! You can now use './afl-gcc-fast' to compile programs."
+
+.NOTPARALLEL: clean
+
+%.8: %
+	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ./$@
+	@echo .SH NAME >> ./$@
+	@echo .B $* >> ./$@
+	@echo >> ./$@
+	@echo .SH SYNOPSIS >> ./$@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ./$@
+	@echo >> ./$@
+	@echo .SH OPTIONS >> ./$@
+	@echo .nf >> ./$@
+	@./$* -h 2>&1 | tail -n +4 >> ./$@
+	@echo >> ./$@
+	@echo .SH AUTHOR >> ./$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> ./$@
+	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ./$@
+	@echo >> ./$@
+	@echo .SH LICENSE >> ./$@
+	@echo Apache License Version 2.0, January 2004 >> ./$@
+	ln -sf afl-cc.8 ./afl-g++-fast.8
+
+.PHONY: install
+install: all
+	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-gcc-fast
+	ln -sf afl-c++ $${DESTDIR}$(BIN_PATH)/afl-g++-fast
+	ln -sf afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt.o
+	install -m 755 ./afl-gcc-pass.so $${DESTDIR}$(HELPER_PATH)
+	install -m 644 -T instrumentation/README.gcc_plugin.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md
+
+.PHONY: clean
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
+	rm -f $(PROGS) afl-common.o ./afl-g++-fast ./afl-g*-fast.8 instrumentation/*.o
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -0,0 +1,522 @@
+# american fuzzy lop++ - LLVM instrumentation
+# -----------------------------------------
+#
+# Written by Laszlo Szekeres <lszekeres@google.com> and
+#            Michal Zalewski
+#
+# LLVM integration design comes from Laszlo Szekeres.
+#
+# Copyright 2015, 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# For Heiko:
+#TEST_MMAP=1
+HASH=\#
+
+PREFIX      ?= /usr/local
+HELPER_PATH ?= $(PREFIX)/lib/afl
+BIN_PATH    ?= $(PREFIX)/bin
+DOC_PATH    ?= $(PREFIX)/share/doc/afl
+MISC_PATH   ?= $(PREFIX)/share/afl
+MAN_PATH    ?= $(PREFIX)/share/man/man8
+
+BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+
+VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
+
+ifeq "$(shell uname)" "OpenBSD"
+  LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
+  HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
+  ifeq "$(HAS_OPT)" "1"
+    $(warning llvm_mode needs a complete llvm installation (versions 3.4 up to 12) -> e.g. "pkg_add llvm-7.0.1p9")
+  endif
+else
+  LLVM_CONFIG ?= llvm-config
+endif
+
+LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' )
+LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
+LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
+LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^3\.[0-3]|^[0-2]\.' && echo 1 || echo 0 )
+LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[3-9]' && echo 1 || echo 0 )
+LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 )
+LLVM_10_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]|^10\.[1-9]|^10\.0.[1-9]' && echo 1 || echo 0 )
+LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]' && echo 1 || echo 0 )
+LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
+LLVM_STDCXX = gnu++11
+LLVM_APPLE_XCODE = $(shell clang -v 2>&1 | grep -q Apple && echo 1 || echo 0)
+LLVM_LTO   = 0
+
+ifeq "$(LLVMVER)" ""
+  $(warning [!] llvm_mode needs llvm-config, which was not found)
+endif
+
+ifeq "$(LLVM_UNSUPPORTED)" "1"
+  $(error llvm_mode only supports llvm from version 3.4 onwards)
+endif
+
+ifeq "$(LLVM_TOO_NEW)" "1"
+  $(warning you are using an in-development llvm version - this might break llvm_mode!)
+endif
+
+LLVM_TOO_OLD=1
+
+ifeq "$(LLVM_MAJOR)" "9"
+  $(info [+] llvm_mode detected llvm 9, enabling neverZero implementation)
+  LLVM_TOO_OLD=0
+endif
+
+ifeq "$(LLVM_NEW_API)" "1"
+  $(info [+] llvm_mode detected llvm 10+, enabling neverZero implementation and c++14)
+  LLVM_STDCXX = c++14
+  LLVM_TOO_OLD=0
+endif
+
+ifeq "$(LLVM_TOO_OLD)" "1"
+  $(info [!] llvm_mode detected an old version of llvm, upgrade to at least 9 or preferable 11!)
+  $(shell sleep 1)
+endif
+
+ifeq "$(LLVM_HAVE_LTO)" "1"
+  $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
+  LLVM_LTO = 1
+  #TEST_MMAP = 1
+endif
+
+ifeq "$(LLVM_LTO)" "0"
+  $(info [+] llvm_mode detected llvm < 11, afl-lto LTO will not be build.)
+endif
+
+ifeq "$(LLVM_APPLE_XCODE)" "1"
+  $(warning llvm_mode will not compile with Xcode clang...)
+endif
+
+# We were using llvm-config --bindir to get the location of clang, but
+# this seems to be busted on some distros, so using the one in $PATH is
+# probably better.
+
+CC         = $(LLVM_BINDIR)/clang
+CXX        = $(LLVM_BINDIR)/clang++
+
+# llvm-config --bindir may not providing a valid path, so ...
+ifeq "$(shell test -e $(CC) || echo 1 )" "1"
+  # however we must ensure that this is not a "CC=gcc make"
+  ifeq "$(shell command -v $(CC) 2> /dev/null)" ""
+    # we do not have a valid CC variable so we try alternatives
+    ifeq "$(shell test -e '$(BIN_DIR)/clang' && echo 1)" "1"
+      # we found one in the local install directory, lets use these
+      CC         = $(BIN_DIR)/clang
+    else
+      # hope for the best
+      $(warning we have trouble finding clang - llvm-config is not helping us)
+      CC         = clang
+    endif
+  endif
+endif
+# llvm-config --bindir may not providing a valid path, so ...
+ifeq "$(shell test -e $(CXX) || echo 1 )" "1"
+  # however we must ensure that this is not a "CXX=g++ make"
+  ifeq "$(shell command -v $(CXX) 2> /dev/null)" ""
+    # we do not have a valid CXX variable so we try alternatives
+    ifeq "$(shell test -e '$(BIN_DIR)/clang++' && echo 1)" "1"
+      # we found one in the local install directory, lets use these
+      CXX        = $(BIN_DIR)/clang++
+    else
+      # hope for the best
+      $(warning we have trouble finding clang++ - llvm-config is not helping us)
+      CXX        = clang++
+    endif
+  endif
+endif
+
+# sanity check.
+# Are versions of clang --version and llvm-config --version equal?
+CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ (1?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')
+
+# I disable this because it does not make sense with what we did before (marc)
+# We did exactly set these 26 lines above with these values, and it would break
+# "CC=gcc make" etc. usages
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+  CC_SAVE := $(LLVM_BINDIR)/clang
+else
+  CC_SAVE := $(CC)
+endif
+ifeq "$(findstring clang, $(shell $(CXX) --version 2>/dev/null))" ""
+  CXX_SAVE := $(LLVM_BINDIR)/clang++
+else
+  CXX_SAVE := $(CXX)
+endif
+
+CLANG_BIN := $(CC_SAVE)
+CLANGPP_BIN := $(CXX_SAVE)
+
+ifeq "$(CC_SAVE)" "$(LLVM_BINDIR)/clang"
+  USE_BINDIR = 1
+else
+  ifeq "$(CXX_SAVE)" "$(LLVM_BINDIR)/clang++"
+    USE_BINDIR = 1
+  else
+    USE_BINDIR = 0
+  endif
+endif
+
+# On old platform we cannot compile with clang because std++ libraries are too
+# old. For these we need to use gcc/g++, so if we find REAL_CC and REAL_CXX
+# variable we override the compiler variables here
+ifneq "$(REAL_CC)" ""
+  CC  = $(REAL_CC)
+endif
+ifneq "$(REAL_CXX)" ""
+  CXX = $(REAL_CXX)
+endif
+
+#
+# Now it can happen that CC points to clang - but there is no clang on the
+# system. Then we fall back to cc
+#
+ifeq "$(shell command -v $(CC) 2>/dev/null)" ""
+  CC = cc
+endif
+ifeq "$(shell command -v $(CXX) 2>/dev/null)" ""
+  CXX = c++
+endif
+
+
+# After we set CC/CXX we can start makefile magic tests
+
+#ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+#	CFLAGS_OPT = -march=native
+#endif
+
+ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+        AFL_CLANG_FLTO ?= -flto=full
+else
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+        AFL_CLANG_FLTO ?= -flto=thin
+ else
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+        AFL_CLANG_FLTO ?= -flto
+  endif
+ endif
+endif
+
+ifeq "$(LLVM_LTO)" "1"
+  ifneq "$(AFL_CLANG_FLTO)" ""
+    ifeq "$(AFL_REAL_LD)" ""
+      ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" ""
+        AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld
+      else
+        $(warning ld.lld not found, cannot enable LTO mode)
+        LLVM_LTO = 0
+      endif
+    endif
+  else
+    $(warning clang option -flto is not working - maybe LLVMgold.so not found - cannot enable LTO mode)
+    LLVM_LTO = 0
+  endif
+endif
+
+AFL_CLANG_FUSELD=
+ifeq "$(LLVM_LTO)" "1"
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+    AFL_CLANG_FUSELD=1
+    ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(LLVM_BINDIR)/ld.lld -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+      AFL_CLANG_LDPATH=1
+    endif
+  else
+    $(warning -fuse-ld is not working, cannot enable LTO mode)
+    LLVM_LTO = 0
+  endif
+endif
+
+ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fdebug-prefix-map=$(CURDIR)=llvm_mode -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+        AFL_CLANG_DEBUG_PREFIX = -fdebug-prefix-map="$(CURDIR)=llvm_mode"
+else
+        AFL_CLANG_DEBUG_PREFIX =
+endif
+
+CFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
+CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ \
+                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
+                   -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \
+                   -DLLVM_LIBDIR=\"$(LLVM_LIBDIR)\" -DLLVM_VERSION=\"$(LLVMVER)\" \
+                   -Wno-deprecated -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \
+                   -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
+                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" \
+                   -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
+                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function \
+                   $(AFL_CLANG_DEBUG_PREFIX)
+override CFLAGS += $(CFLAGS_SAFE)
+
+ifdef AFL_TRACE_PC
+  $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets )
+endif
+
+CXXFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
+override CXXFLAGS += -Wall -g -I ./include/ \
+                     -DVERSION=\"$(VERSION)\" -Wno-variadic-macros \
+                     -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)
+
+ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
+  CLANG_CFL  = -I$(shell $(LLVM_CONFIG) --includedir)
+endif
+ifneq "$(LLVM_CONFIG)" ""
+  CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include
+endif
+CLANG_CPPFL  = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC $(CXXFLAGS) -Wno-deprecated-declarations
+CLANG_LFL    = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
+
+
+# User teor2345 reports that this is required to make things work on MacOS X.
+ifeq "$(shell uname)" "Darwin"
+  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
+else
+  CLANG_CPPFL += -Wl,-znodelete
+endif
+
+ifeq "$(shell uname)" "OpenBSD"
+  CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so
+  CLANG_CPPFL += -mno-retpoline
+  CFLAGS += -mno-retpoline
+  # Needed for unwind symbols
+  LDFLAGS += -lc++abi -lpthread
+endif
+
+ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
+        SHMAT_OK=1
+else
+        SHMAT_OK=0
+        CFLAGS_SAFE += -DUSEMMAP=1
+        LDFLAGS += -Wno-deprecated-declarations
+endif
+
+ifeq "$(TEST_MMAP)" "1"
+        SHMAT_OK=0
+        CFLAGS_SAFE += -DUSEMMAP=1
+        LDFLAGS += -Wno-deprecated-declarations
+endif
+
+PROGS_ALWAYS = ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o 
+PROGS        = $(PROGS_ALWAYS) ./afl-llvm-pass.so ./SanitizerCoveragePCGUARD.so ./split-compares-pass.so ./split-switches-pass.so ./cmplog-routines-pass.so ./cmplog-instructions-pass.so ./afl-llvm-dict2file.so ./compare-transform-pass.so ./libLLVMInsTrim.so ./afl-ld-lto ./afl-llvm-lto-instrumentlist.so ./afl-llvm-lto-instrumentation.so ./SanitizerCoverageLTO.so
+
+# If prerequisites are not given, warn, do not build anything, and exit with code 0
+ifeq "$(LLVMVER)" ""
+  NO_BUILD = 1
+endif
+
+ifneq "$(LLVM_UNSUPPORTED)$(LLVM_APPLE_XCODE)" "00"
+  NO_BUILD = 1
+endif
+
+ifeq "$(NO_BUILD)" "1"
+  TARGETS = test_shm $(PROGS_ALWAYS) afl-cc.8
+else
+  TARGETS = test_shm test_deps $(PROGS) afl-cc.8 test_build all_done
+endif
+
+LLVM_MIN_4_0_1 = $(shell awk 'function tonum(ver, a) {split(ver,a,"."); return a[1]*1000000+a[2]*1000+a[3]} BEGIN { exit tonum(ARGV[1]) >= tonum(ARGV[2]) }' $(LLVMVER) 4.0.1; echo $$?)
+
+.PHONY: all
+all: $(TARGETS)
+
+.PHONY: test_shm
+ifeq "$(SHMAT_OK)" "1"
+test_shm:
+	@echo "[+] shmat seems to be working."
+	@rm -f .test2
+else
+test_shm:
+	@echo "[-] shmat seems not to be working, switching to mmap implementation"
+endif
+
+.PHONY: no_build
+no_build:
+	@printf "%b\\n" "\\033[0;31mPrerequisites are not met, skipping build llvm_mode\\033[0m"
+
+.PHONY: test_deps
+test_deps:
+	@echo "[*] Checking for working 'llvm-config'..."
+ ifneq "$(LLVM_APPLE_XCODE)" "1"
+	@type $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo "    (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
+ endif
+	@echo "[*] Checking for working '$(CC)'..."
+	@type $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
+	@echo "[*] Checking for matching versions of '$(CC)' and '$(LLVM_CONFIG)'"
+ifneq "$(CLANGVER)" "$(LLVMVER)"
+	@echo "[!] WARNING: we have llvm-config version $(LLVMVER) and a clang version $(CLANGVER)"
+else
+	@echo "[*] We have llvm-config version $(LLVMVER) with a clang version $(CLANGVER), good."
+endif
+	@echo "[*] Checking for './afl-showmap'..."
+	@test -f ./afl-showmap || ( echo "[-] Oops, can't find './afl-showmap'. Be sure to compile AFL first."; exit 1 )
+	@echo "[+] All set and ready to build."
+
+instrumentation/afl-common.o: ./src/afl-common.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ $(LDFLAGS)
+
+./afl-cc: src/afl-cc.c instrumentation/afl-common.o
+	$(CC) $(CLANG_CFL) $(CFLAGS) $(CPPFLAGS) $< instrumentation/afl-common.o -o $@ -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR) $(LDFLAGS) -DCFLAGS_OPT=\"$(CFLAGS_OPT)\" -lm
+	@ln -sf afl-cc ./afl-c++
+	@ln -sf afl-cc ./afl-gcc
+	@ln -sf afl-cc ./afl-g++
+	@ln -sf afl-cc ./afl-clang
+	@ln -sf afl-cc ./afl-clang++
+	@ln -sf afl-cc ./afl-clang-fast
+	@ln -sf afl-cc ./afl-clang-fast++
+ifneq "$(AFL_CLANG_FLTO)" ""
+ifeq "$(LLVM_LTO)" "1"
+	@ln -sf afl-cc ./afl-clang-lto
+	@ln -sf afl-cc ./afl-clang-lto++
+	@ln -sf afl-cc ./afl-lto
+	@ln -sf afl-cc ./afl-lto++
+endif
+endif
+
+instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h
+	$(CXX) $(CFLAGS) $(CPPFLAGS) `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ 
+
+./libLLVMInsTrim.so: instrumentation/LLVMInsTrim.so.cc instrumentation/MarkNodes.cc instrumentation/afl-llvm-common.o | test_deps
+	-$(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< instrumentation/MarkNodes.cc -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+
+./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
+ifeq "$(LLVM_MIN_4_0_1)" "0"
+	$(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER))
+endif
+	$(CXX) $(CLANG_CPPFL) -DLLVMInsTrim_EXPORTS -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+
+./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps
+ifeq "$(LLVM_10_OK)" "1"
+	-$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+endif
+
+./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o
+ifeq "$(LLVM_LTO)" "1"
+	$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+endif
+
+./afl-ld-lto: src/afl-ld-lto.c
+ifeq "$(LLVM_LTO)" "1"
+	$(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@
+endif
+
+./SanitizerCoverageLTO.so: instrumentation/SanitizerCoverageLTO.so.cc
+ifeq "$(LLVM_LTO)" "1"
+	$(CXX) $(CLANG_CPPFL) -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+endif
+
+./afl-llvm-lto-instrumentation.so: instrumentation/afl-llvm-lto-instrumentation.so.cc instrumentation/afl-llvm-common.o
+ifeq "$(LLVM_LTO)" "1"
+	$(CXX) $(CLANG_CPPFL) -Wno-writable-strings -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+	$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto.o
+	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m64 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-64.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
+	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
+endif
+
+# laf
+./split-switches-pass.so:	instrumentation/split-switches-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+./compare-transform-pass.so:	instrumentation/compare-transform-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+./split-compares-pass.so:	instrumentation/split-compares-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+# /laf
+
+./cmplog-routines-pass.so:	instrumentation/cmplog-routines-pass.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+
+./cmplog-instructions-pass.so:	instrumentation/cmplog-instructions-pass.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+
+afl-llvm-dict2file.so:	instrumentation/afl-llvm-dict2file.so.cc instrumentation/afl-llvm-common.o | test_deps
+	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+
+.PHONY: document
+document:
+	$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt.o
+	@$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -m32 -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt-32.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
+	@$(CLANG_BIN) -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS_SAFE) $(CPPFLAGS) $(CLANG_CFL) -O3 -Wno-unused-result -m64 -fPIC -c instrumentation/afl-compiler-rt.o.c -o ./afl-compiler-rt-64.o 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
+
+./afl-compiler-rt.o: instrumentation/afl-compiler-rt.o.c
+	$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -fPIC -c $< -o $@
+
+./afl-compiler-rt-32.o: instrumentation/afl-compiler-rt.o.c
+	@printf "[*] Building 32-bit variant of the runtime (-m32)... "
+	@$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; ln -sf afl-compiler-rt-32.o afl-llvm-rt-32.o; else echo "failed (that's fine)"; fi
+
+./afl-compiler-rt-64.o: instrumentation/afl-compiler-rt.o.c
+	@printf "[*] Building 64-bit variant of the runtime (-m64)... "
+	@$(CC) $(CLANG_CFL) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; ln -sf afl-compiler-rt-64.o afl-llvm-rt-64.o; else echo "failed (that's fine)"; fi
+
+.PHONY: test_build
+test_build: $(PROGS)
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
+	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+.PHONY: all_done
+all_done: test_build
+	@echo "[+] All done! You can now use './afl-cc' to compile programs."
+
+.NOTPARALLEL: clean
+
+.PHONY: install
+install: all
+	@install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	@if [ -f ./afl-cc ]; then set -e; install -m 755 ./afl-cc $${DESTDIR}$(BIN_PATH); ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-c++; fi
+	@rm -f $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt*.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt*.o
+	@if [ -f ./afl-compiler-rt.o ]; then set -e; install -m 755 ./afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt.o ;fi
+	@if [ -f ./afl-lto ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-lto; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-lto++; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto++; install -m 755 ./afl-llvm-lto-instrumentation.so ./afl-llvm-rt-lto*.o ./afl-llvm-lto-instrumentlist.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f ./afl-ld-lto ]; then set -e; install -m 755 ./afl-ld-lto $${DESTDIR}$(BIN_PATH); fi
+	@if [ -f ./afl-compiler-rt-32.o ]; then set -e; install -m 755 ./afl-compiler-rt-32.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt-32.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-32.o ;fi
+	@if [ -f ./afl-compiler-rt-64.o ]; then set -e; install -m 755 ./afl-compiler-rt-64.o $${DESTDIR}$(HELPER_PATH); ln -sf afl-compiler-rt-64.o $${DESTDIR}$(HELPER_PATH)/afl-llvm-rt-64.o ; fi
+	@if [ -f ./compare-transform-pass.so ]; then set -e; install -m 755 ./*.so $${DESTDIR}$(HELPER_PATH); fi
+	@if [ -f ./compare-transform-pass.so ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-fast ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang-fast++ ; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang++ ; fi
+	@if [ -f ./SanitizerCoverageLTO.so ]; then set -e; ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang-lto ; ln -sf ./afl-c++ $${DESTDIR}$(BIN_PATH)/afl-clang-lto++ ; fi
+	set -e; install -m 644 ./dynamic_list.txt $${DESTDIR}$(HELPER_PATH)
+	install -m 644 instrumentation/README.*.md $${DESTDIR}$(DOC_PATH)/
+
+%.8: %
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > ./$@
+	@echo .SH NAME >> ./$@
+	@printf "%s" ".B $* \- " >> ./$@
+	@./$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ./$@
+	@echo .B $* >> ./$@
+	@echo >> ./$@
+	@echo .SH SYNOPSIS >> ./$@
+	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ./$@
+	@echo >> ./$@
+	@echo .SH OPTIONS >> ./$@
+	@echo .nf >> ./$@
+	@./$* -h 2>&1 | tail -n +4 >> ./$@
+	@echo >> ./$@
+	@echo .SH AUTHOR >> ./$@
+	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de>, Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <domenukk@gmail.com>" >> ./$@
+	@echo  The homepage of afl++ is: https://github.com/AFLplusplus/AFLplusplus >> ./$@
+	@echo >> ./$@
+	@echo .SH LICENSE >> ./$@
+	@echo Apache License Version 2.0, January 2004 >> ./$@
+	@ln -sf afl-cc.8 ./afl-c++.8
+ifneq "$(AFL_CLANG_FLTO)" ""
+ifeq "$(LLVM_LTO)" "1"
+	@ln -sf afl-cc.8 ./afl-clang-lto.8
+	@ln -sf afl-cc.8 ./afl-clang-lto++.8
+	@ln -sf afl-cc.8 ./afl-lto.8
+	@ln -sf afl-cc.8 ./afl-lto++.8
+endif
+endif
+
+.PHONY: clean
+clean:
+	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* .test2 test-instr .test-instr0 .test-instr1 *.dwo
+	rm -f $(PROGS) afl-common.o ./afl-c++ ./afl-lto ./afl-lto++ ./afl-clang-lto* ./afl-clang-fast* ./afl-clang*.8 ./ld ./afl-ld ./afl-llvm-rt*.o instrumentation/*.o
--- a/459
+++ b/459
@ -1,447 +1,42 @@
-#
-# american fuzzy lop++ - makefile
-# -----------------------------
-#
-# Originally written by Michal Zalewski
-# 
-# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
-# 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-# 
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
+all:
+	@echo trying to use GNU make...
+	@gmake all || echo please install GNUmake

-# For Heiko:
-#TEST_MMAP=1
-# the hash character is treated differently in different make versions
-# so use a variable for '#'
-HASH=\#
+source-only:
+	@gmake source-only

-PREFIX     ?= /usr/local
-BIN_PATH    = $(PREFIX)/bin
-HELPER_PATH = $(PREFIX)/lib/afl
-DOC_PATH    = $(PREFIX)/share/doc/afl
-MISC_PATH   = $(PREFIX)/share/afl
-MAN_PATH    = $(PREFIX)/man/man8
+binary-only:
+	@gmake binary-only

-PROGNAME    = afl
-VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+distrib:
+	@gmake distrib

-# PROGS intentionally omit afl-as, which gets installed elsewhere.
+man:
+	@gmake man

-PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-system-config
-MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
+install:
+	@gmake install

-ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-	CFLAGS_FLTO ?= -flto=full
-else
- ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-	CFLAGS_FLTO ?= -flto=thin
- else
-  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -flto -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-	CFLAGS_FLTO ?= -flto
-  endif
- endif
-endif
-
-ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-	CFLAGS_OPT = -march=native
-endif
-
-ifneq "$(shell uname -m)" "x86_64"
- ifneq "$(shell uname -m)" "i386"
-  ifneq "$(shell uname -m)" "amd64"
-   ifneq "$(shell uname -m)" "i86pc"
-	AFL_NO_X86=1
-   endif
-  endif
- endif
-endif
-
-CFLAGS     ?= -O3 -funroll-loops $(CFLAGS_OPT)
-override CFLAGS     += -Wall -g -Wno-pointer-sign -I include/ \
-              -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
-              -DDOC_PATH=\"$(DOC_PATH)\" -Wno-unused-function -fcommon
-
-AFL_FUZZ_FILES = $(wildcard src/afl-fuzz*.c)
-
-ifneq "$(shell which python3m)" ""
-  ifneq "$(shell which python3m-config)" ""
-    PYTHON_INCLUDE  ?= $(shell python3m-config --includes)
-    PYTHON_VERSION  ?= $(strip $(shell python3m --version 2>&1))
-    # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
-    ifeq "$(shell python3m-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
-      PYTHON_LIB      ?= $(shell python3m-config --libs --embed)
-    else
-      PYTHON_LIB      ?= $(shell python3m-config --ldflags)
-    endif
-  endif
-endif
-
-ifneq "$(shell which python3)" ""
-  ifneq "$(shell which python3-config)" ""
-    PYTHON_INCLUDE  ?= $(shell python3-config --includes)
-    PYTHON_VERSION  ?= $(strip $(shell python3 --version 2>&1))
-    # Starting with python3.8, we need to pass the `embed` flag. Earier versions didn't know this flag.
-    ifeq "$(shell python3-config --embed --libs 2>/dev/null | grep -q lpython && echo 1 )" "1"
-      PYTHON_LIB      ?= $(shell python3-config --libs --embed)
-    else
-      PYTHON_LIB      ?= $(shell python3-config --ldflags)
-    endif
-  endif
-endif
-
-ifneq "$(shell which python)" ""
-  ifneq "$(shell which python-config)" ""
-    PYTHON_INCLUDE  ?= $(shell python-config --includes)
-    PYTHON_LIB      ?= $(shell python-config --ldflags)
-    PYTHON_VERSION  ?= $(strip $(shell python --version 2>&1))
-  endif
-endif
-
-ifdef SOURCE_DATE_EPOCH
-    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
-else
-    BUILD_DATE ?= $(shell date "+%Y-%m-%d")
-endif
-
-ifneq "$(filter Linux GNU%,$(shell uname))" ""
-  LDFLAGS  += -ldl
-endif
-
-ifneq "$(findstring FreeBSD, $(shell uname))" ""
-  CFLAGS += -pthread
-  LDFLAGS  += -lpthread
-endif
-
-ifneq "$(findstring NetBSD, $(shell uname))" ""
-  CFLAGS += -pthread
-  LDFLAGS  += -lpthread
-endif
-
-ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
-  TEST_CC   = afl-gcc
-else
-  TEST_CC   = afl-clang
-endif
-
-COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
-
-ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-	PYTHON_OK=1
-	PYFLAGS=-DUSE_PYTHON $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) -DPYTHON_VERSION="\"$(PYTHON_VERSION)\""
-else
-	PYTHON_OK=0
-	PYFLAGS=
-endif
-
-ifdef STATIC
-  $(info Compiling static version of binaries)
-  # Disable python for static compilation to simplify things
-  PYTHON_OK=0
-  PYFLAGS=
-
-  CFLAGS += -static
-  LDFLAGS += -lm -lrt -lpthread -lz -lutil
-endif
-
-ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
-	SHMAT_OK=1
-else
-	SHMAT_OK=0
-	CFLAGS+=-DUSEMMAP=1
-	LDFLAGS+=-Wno-deprecated-declarations -lrt
-endif
-
-ifeq "$(TEST_MMAP)" "1"
-	SHMAT_OK=0
-	CFLAGS+=-DUSEMMAP=1
-	LDFLAGS+=-Wno-deprecated-declarations -lrt
-endif
-
-ifdef ASAN_BUILD
-  CFLAGS+=-fsanitize=address
-	LDFLAGS+=-fsanitize=address
-endif
-
-all:	test_x86 test_shm test_python ready $(PROGS) afl-as test_build all_done
-
-man:    $(MANPAGES) 
-	-$(MAKE) -C llvm_mode
-	-$(MAKE) -C gcc_plugin
-
-tests:	source-only
-	@cd test ; ./test.sh
-	@rm -f test/errors
-
-performance-tests:	performance-test
-test-performance:	performance-test
-
-performance-test:	source-only
-	@cd test ; ./test-performance.sh
-
-
-help:
-	@echo "HELP --- the following make targets exist:"
-	@echo "=========================================="
-	@echo "all: just the main afl++ binaries"
-	@echo "binary-only: everything for binary-only fuzzing: qemu_mode, unicorn_mode, libdislocator, libtokencap, radamsa"
-	@echo "source-only: everything for source code fuzzing: llvm_mode, gcc_plugin, libdislocator, libtokencap, radamsa"
-	@echo "distrib: everything (for both binary-only and source code fuzzing)"
-	@echo "man: creates simple man pages from the help option of the programs"
-	@echo "install: installs everything you have compiled with the build option above"
-	@echo "clean: cleans everything. for qemu_mode it means it deletes all downloads as well"
-	@echo "code-format: format the code, do this before you commit and send a PR please!"
-	@echo "tests: this runs the test framework. It is more catered for the developers, but if you run into problems this helps pinpointing the problem"
-	@echo "document: creates afl-fuzz-document which will only do one run and save all manipulated inputs into out/queue/mutations"
-	@echo "help: shows these build options :-)"
-	@echo "=========================================="
-	@echo "Recommended: \"distrib\" or \"source-only\", then \"install\""
-	@echo
-	@echo Known build environment options:
-	@echo "=========================================="
-	@echo STATIC - compile AFL++ static
-	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
-	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
-	@echo "=========================================="
-	@echo e.g.: make ASAN_BUILD=1
-
-ifndef AFL_NO_X86
-
-test_x86:
-	@echo "[*] Checking for the default compiler cc..."
-	@which $(CC) >/dev/null || ( echo; echo "Oops, looks like there is no compiler '"$(CC)"' in your path."; echo; echo "Don't panic! You can restart with '"$(_)" CC=<yourCcompiler>'."; echo; exit 1 )
-	@echo "[*] Checking for the ability to compile x86 code..."
-	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test1 || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
-	@rm -f .test1
-
-else
-
-test_x86:
-	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
-
-endif
-
-
-ifeq "$(SHMAT_OK)" "1"
-
-test_shm:
-	@echo "[+] shmat seems to be working."
-	@rm -f .test2
-
-else
-
-test_shm:
-	@echo "[-] shmat seems not to be working, switching to mmap implementation"
-
-endif
-
-
-ifeq "$(PYTHON_OK)" "1"
-
-test_python:
-	@rm -f .test 2> /dev/null
-	@echo "[+] $(PYTHON_VERSION) support seems to be working."
-
-else
-
-test_python:
-	@echo "[-] You seem to need to install the package python3-dev or python2-dev (and perhaps python[23]-apt), but it is optional so we continue"
-
-endif
-
-
-ready:
-	@echo "[+] Everything seems to be working, ready to compile."
-
-afl-gcc: src/afl-gcc.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
-	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
-
-afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
-	ln -sf afl-as as
-
-src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
-
-src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-forkserver.c -o src/afl-forkserver.o
-
-src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
-
-radamsa: src/third_party/libradamsa/libradamsa.so
-	cp src/third_party/libradamsa/libradamsa.so .
-
-src/third_party/libradamsa/libradamsa.so: src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
-	$(MAKE) -C src/third_party/libradamsa/ CFLAGS="$(CFLAGS)"
-
-afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o | test_x86
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
-
-afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
-
-afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(LDFLAGS)
-
-afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
-
-afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
-
-
-# document all mutations and only do one run (use with only one input file!)
-document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
+document:
+	@gmake document

+deepclean:
+	@gmake deepclean

 code-format:
-	./.custom-format.py -i src/*.c
-	./.custom-format.py -i include/*.h
-	./.custom-format.py -i libdislocator/*.c 
-	./.custom-format.py -i libtokencap/*.c 
-	./.custom-format.py -i llvm_mode/*.c
-	./.custom-format.py -i llvm_mode/*.h
-	./.custom-format.py -i llvm_mode/*.cc
-	./.custom-format.py -i gcc_plugin/*.c
-	#./.custom-format.py -i gcc_plugin/*.h
-	./.custom-format.py -i gcc_plugin/*.cc
-	./.custom-format.py -i examples/*/*.c
-	./.custom-format.py -i examples/*/*.h
-	./.custom-format.py -i qemu_mode/patches/*.h
-	./.custom-format.py -i qemu_mode/libcompcov/*.c
-	./.custom-format.py -i qemu_mode/libcompcov/*.cc
-	./.custom-format.py -i qemu_mode/libcompcov/*.h
-	./.custom-format.py -i qbdi_mode/*.c
-	./.custom-format.py -i qbdi_mode/*.cpp
-	./.custom-format.py -i *.h
-	./.custom-format.py -i *.c
+	@gmake code-format

+help:
+	@gmake help

-ifndef AFL_NO_X86
+tests:
+	@gmake tests

-test_build: afl-gcc afl-as afl-showmap
-	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	@unset AFL_USE_ASAN AFL_USE_MSAN AFL_CC; AFL_DEBUG=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS) 2>&1 | grep 'afl-as' >/dev/null || (echo "Oops, afl-as did not get called from "$(TEST_CC)". This is normally achieved by "$(CC)" honoring the -B option."; exit 1 )
-	./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
-	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
-	@rm -f test-instr
-	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/vanhauser-thc/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
-	@echo "[+] All right, the instrumentation seems to be working!"
+unit:
+	@gmake unit

-else
-
-test_build: afl-gcc afl-as afl-showmap
-	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
-
-endif
-
-
-all_done: test_build
-	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.md for a faster alternative to afl-gcc."; fi
-	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
-	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
-	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null
-
-.NOTPARALLEL: clean
+unit_clean:
+	@gmake unit_clean

 clean:
-	rm -f $(PROGS) libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 qemu_mode/qemu-3.1.1.tar.xz afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-gcc-rt.o afl-g++-fast *.so *.8
-	rm -rf out_dir qemu_mode/qemu-3.1.1 *.dSYM */*.dSYM
-	-$(MAKE) -C llvm_mode clean
-	-$(MAKE) -C gcc_plugin clean
-	$(MAKE) -C libdislocator clean
-	$(MAKE) -C libtokencap clean
-	$(MAKE) -C examples/socket_fuzzing clean
-	$(MAKE) -C examples/argv_fuzzing clean
-	$(MAKE) -C qemu_mode/unsigaction clean
-	$(MAKE) -C qemu_mode/libcompcov clean
-	$(MAKE) -C src/third_party/libradamsa/ clean
-	-rm -rf unicorn_mode/unicornafl
-
-distrib: all radamsa
-	-$(MAKE) -C llvm_mode
-	-$(MAKE) -C gcc_plugin
-	$(MAKE) -C libdislocator
-	$(MAKE) -C libtokencap
-	$(MAKE) -C examples/socket_fuzzing
-	$(MAKE) -C examples/argv_fuzzing
-	cd qemu_mode && sh ./build_qemu_support.sh
-	cd unicorn_mode && sh ./build_unicorn_support.sh
-
-binary-only: all radamsa
-	$(MAKE) -C libdislocator
-	$(MAKE) -C libtokencap
-	$(MAKE) -C examples/socket_fuzzing
-	$(MAKE) -C examples/argv_fuzzing
-	cd qemu_mode && sh ./build_qemu_support.sh
-	cd unicorn_mode && sh ./build_unicorn_support.sh
-
-source-only: all radamsa
-	-$(MAKE) -C llvm_mode
-	-$(MAKE) -C gcc_plugin
-	$(MAKE) -C libdislocator
-	$(MAKE) -C libtokencap
-
-%.8:	%
-	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
-	@echo .SH NAME >> $@
-	@echo .B $* >> $@
-	@echo >> $@
-	@echo .SH SYNOPSIS >> $@
-	@./$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> $@
-	@echo >> $@
-	@echo .SH OPTIONS >> $@
-	@echo .nf >> $@
-	@./$* -h 2>&1 | tail -n +4 >> $@
-	@echo >> $@
-	@echo .SH AUTHOR >> $@
-	@echo "afl++ was written by Michal \"lcamtuf\" Zalewski and is maintained by Marc \"van Hauser\" Heuse <mh@mh-sec.de>, Heiko \"hexcoder-\" Eissfeldt <heiko.eissfeldt@hexco.de> and Andrea Fioraldi <andreafioraldi@gmail.com>" >> $@
-	@echo  The homepage of afl++ is: https://github.com/vanhauser-thc/AFLplusplus >> $@
-	@echo >> $@
-	@echo .SH LICENSE >> $@
-	@echo Apache License Version 2.0, January 2004 >> $@
-
-install: all $(MANPAGES)
-	install -d -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
-	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
-	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
-	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
-	if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
-ifndef AFL_TRACE_PC
-	if [ -f afl-clang-fast -a -f libLLVMInsTrim.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 libLLVMInsTrim.so afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
-else
-	if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
-endif
-	if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f compare-transform-pass.so ]; then set -e; install -m 755 compare-transform-pass.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f split-compares-pass.so ]; then set -e; install -m 755 split-compares-pass.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f split-switches-pass.so ]; then set -e; install -m 755 split-switches-pass.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libtokencap.so ]; then set -e; install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libcompcov.so ]; then set -e; install -m 755 libcompcov.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f libradamsa.so ]; then set -e; install -m 755 libradamsa.so $${DESTDIR}$(HELPER_PATH); fi
-	if [ -f afl-fuzz-document ]; then set -e; install -m 755 afl-fuzz-document $${DESTDIR}$(BIN_PATH); fi
-	$(MAKE) -C examples/socket_fuzzing install
-	$(MAKE) -C examples/argv_fuzzing install
-
-	set -e; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-g++
-	set -e; if [ -f afl-clang-fast ] ; then ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang++ ; else ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang ; ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/afl-clang++; fi
-
-	mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
-	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
-
-	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
-	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
-	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
-	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
-	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
-
+	@gmake clean
--- a/README.md
+++ b/README.md
--- a/TODO.md
+++ b/TODO.md
@ -1,92 +1,31 @@
 # TODO list for AFL++

-## Roadmap 2.61
-
-Makefile:
- - -march=native -Ofast -flto=full (especially for afl-fuzz)
-
-llvm_mode:
- - using lto + opt to instrument at link time, and using a sat solver to
-   select basic block IDs that do not result in collisions
-   (Solution for "The far away future", see bottom of file)
-
-qemu_mode:
- - ensure redqueen implementation works fine
- - ensure no issues in persistent mode
+## Roadmap 3.00+

+ - AFL_MAP_SIZE for qemu_mode and unicorn_mode
+ - CPU affinity for many cores? There seems to be an issue > 96 cores
+ - afl-plot to support multiple plot_data
+ - afl_custom_fuzz_splice_optin()
+ - afl_custom_splice()
+ - intel-pt tracer

 ## Further down the road

 afl-fuzz:
- - sync_fuzzers(): only masters sync from all, slaves only sync from master
-   (@andrea: be careful, often people run all slaves)
- - ascii_only mode
-
-gcc_plugin:
- - laf-intel
- - better instrumentation
+ - setting min_len/max_len/start_offset/end_offset limits for mutation output

 qemu_mode:
- - update to 4.x (probably this will be skipped :( )
- - instrim for QEMU mode via static analysis (with r2pipe? or angr?)
-   Idea: The static analyzer outputs a map in which each edge that must be
-   skipped is marked with 1. QEMU loads it at startup in the parent process.
- - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END, AFL_COMPCOV_LEVEL?)
- - add AFL_QEMU_EXITPOINT (maybe multiple?)
+ - non colliding instrumentation
+ - rename qemu specific envs to AFL_QEMU (AFL_ENTRYPOINT, AFL_CODE_START/END,
+   AFL_COMPCOV_LEVEL?)
+ - add AFL_QEMU_EXITPOINT (maybe multiple?), maybe pointless as we have
+   persistent mode
 - add/implement AFL_QEMU_INST_LIBLIST and AFL_QEMU_NOINST_PROGRAM
 - add/implement AFL_QEMU_INST_REGIONS as a list of _START/_END addresses

-custom_mutators:
- - rip what Superion is doing into custom mutators for js, php, etc.
- - uniform python and custom mutators API
+## Ideas

-
-## The far away future:
-
-Problem: Average targets (tiff, jpeg, unrar) go through 1500 edges.
-         At afl's default map that means ~16 collisions and ~3 wrappings.
-
- - Solution #1: increase map size.
-
-    => speed loss is bad. last resort solution
-
-    every +1 decreases fuzzing speed by ~10% and halfs the collisions
-    birthday paradox predicts collisions at this # of edges:
-    
-    | mapsize | collisions |
-    | :-----: | :--------: |
-    | 2^16    | 302        |
-    | 2^17    | 427        |
-    | 2^18    | 603        |
-    | 2^19    | 853        |
-    | 2^20    | 1207       |
-    | 2^21    | 1706       |
-    | 2^22    | 2412       |
-    | 2^23    | 3411       |
-    | 2^24    | 4823       |
-
-    Increasing the map is an easy solution but also not a good one.
-
- - Solution #2: use dynamic map size and collision free basic block IDs
-
-    => This works and is the selected solution
-
-    This only works in llvm_mode and llvm >= 9 though
-    A potential good future solution. Heiko/hexcoder follows this up
-
- - Solution #3: write instruction pointers to a big shared map
-
-    => Tested and it is a dead end
-
-    512kb/1MB shared map and the instrumented code writes the instruction
-    pointer into the map. Map must be big enough but could be command line
-    controlled.
-    
-    Good: complete coverage information, nothing is lost. choice of analysis
-          impacts speed, but this can be decided by user options
-    
-    Neutral: a little bit slower but no loss of coverage
-    
-    Bad: completely changes how afl uses the map and the scheduling.
-    Overall another very good solution, Marc Heuse/vanHauser follows this up
-    
+ - LTO/sancov: write current edge to prev_loc and use that information when
+   using cmplog or __sanitizer_cov_trace_cmp*. maybe we can deduct by follow
+   up edge numbers that both following cmp paths have been found and then
+   disable working on this edge id -> cmplog_intelligence branch
--- a/109
+++ b/109
@ -1,4 +1,6 @@
 #!/usr/bin/env sh
+export AFL_QUIET=1
+export ASAN_OPTIONS=detect_leaks=0
 THISPATH=`dirname ${0}`
 export PATH="${THISPATH}:$PATH"
 awk -f - -- ${@+"$@"} <<'EOF'
@ -23,7 +25,7 @@ awk -f - -- ${@+"$@"} <<'EOF'
 # ln
 # cp
 # pwd
-# which
+# type
 # cd
 # find
 # stat
@ -111,13 +113,16 @@ function usage() {
 "  -C            - keep crashing inputs, reject everything else\n" \
 "  -e            - solve for edge coverage only, ignore hit counts\n" \
 "\n" \
-"For additional tips, please consult docs/README.md\n" \
+"For additional tips, please consult README.md\n" \
 "\n" \
 "Environment variables used:\n" \
+"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n" \
+"AFL_CRASH_EXITCODE: optional child exit code to be interpreted as crash\n" \
+"AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the target to come up, initially\n" \
 "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
-"AFL_PATH: path for the afl-showmap binary\n" \
-"AFL_SKIP_BIN_CHECK: skip check for target binary\n" \
-"AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp\n"
+"AFL_KILL_SIGNAL: Signal ID delivered to child processes on timeout, etc. (default: SIGKILL)\n"
+"AFL_PATH: path for the afl-showmap binary if not found anywhere else\n" \
+"AFL_SKIP_BIN_CHECK: skip check for target binary\n"
   exit 1
 }

@ -130,6 +135,8 @@ BEGIN {

  # defaults
  extra_par = ""
+  AFL_CMIN_CRASHES_ONLY = ""
+
  # process options
  Opterr = 1    # default is to diagnose
  Optind = 1    # skip ARGV[0]
@ -166,7 +173,7 @@ BEGIN {
      continue
    } else 
    if (_go_c == "C") {
-      ENVIRON["AFL_CMIN_CRASHES_ONLY"] = 1
+      AFL_CMIN_CRASHES_ONLY = "AFL_CMIN_CRASHES_ONLY=1 "
      continue
    } else 
    if (_go_c == "e") {
@ -176,14 +183,12 @@ BEGIN {
    if (_go_c == "Q") {
      if (qemu_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
      extra_par = extra_par " -Q"
-      if ( !mem_limit_given ) mem_limit = "250"
      qemu_mode = 1
      continue
    } else 
    if (_go_c == "U") {
      if (unicorn_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
      extra_par = extra_par " -U"
-      if ( !mem_limit_given ) mem_limit = "250"
      unicorn_mode = 1
      continue
    } else 
@ -193,7 +198,7 @@ BEGIN {
      usage()
  } # while options

-  if (!mem_limit) mem_limit = 200
+  if (!mem_limit) mem_limit = "none"
  if (!timeout) timeout = "none"

  # get program args
@ -262,7 +267,7 @@ BEGIN {

  if (target_bin && !exists_and_is_executable(target_bin)) {

-    "which "target_bin" 2>/dev/null" | getline tnew
+    "command -v "target_bin" 2>/dev/null" | getline tnew
    if (!tnew || !exists_and_is_executable(tnew)) {
      print "[-] Error: binary '"target_bin"' not found or not executable." > "/dev/stderr"
      exit 1
@ -307,14 +312,18 @@ BEGIN {
    close( stdin_file )
  }

-  if (!ENVIRON["AFL_PATH"]) {
-    if (0 == system("test -f afl-cmin")) {
+  # First we look in PATH
+  if (0 == system("command -v afl-showmap >/dev/null 2>&1")) {
+    "command -v afl-showmap 2>/dev/null" | getline showmap
+  } else {
+    # then we look in the current directory
+    if (0 == system("test -x ./afl-showmap")) {
      showmap = "./afl-showmap"
    } else {
-      "which afl-showmap 2>/dev/null" | getline showmap
+      if (ENVIRON["AFL_PATH"]) {
+        showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
+      }
    }
-  } else {
-    showmap = ENVIRON["AFL_PATH"] "/afl-showmap"
  }

  if (!showmap || 0 != system("test -x "showmap )) {
@ -334,7 +343,7 @@ BEGIN {
    stat_format = "-f '%z %N'" # *BSD, MacOS
  }
  cmdline = "cd "in_dir" && find . \\( ! -name . -a -type d -prune \\) -o -type f -exec stat "stat_format" \\{\\} \\; | sort -k1n -k2r"
-  cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format") | sort -k1n -k2r"
+  cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
  while (cmdline | getline) {
    sub(/^[0-9]+ (\.\/)?/,"",$0)
    infilesSmallToBig[i++] = $0
@ -346,7 +355,7 @@ BEGIN {
  # Make sure that we're not dealing with a directory.

  if (0 == system("test -d "in_dir"/"first_file)) {
-    print "[-] Error: The input directory contains subdirectories - please fix." > "/dev/stderr"
+    print "[-] Error: The input directory is empty or contains subdirectories - please fix." > "/dev/stderr"
    exit 1
  }

@ -356,33 +365,35 @@ BEGIN {
    cp_tool = "cp"
  }

-  # Make sure that we can actually get anything out of afl-showmap before we
-  # waste too much time.
+  if (!ENVIRON["AFL_SKIP_BIN_CHECK"]) {
+    # Make sure that we can actually get anything out of afl-showmap before we
+    # waste too much time.

-  print "[*] Testing the target binary..."
+    print "[*] Testing the target binary..."

-  if (!stdin_file) {
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
-  } else {
-    system("cp "in_dir"/"first_file" "stdin_file)
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
-  }
-
-  first_count = 0
-
-  runtest = trace_dir"/.run_test"
-  while ((getline < runtest) > 0) {
-    ++first_count
-  }
-
-  if (first_count) {
-    print "[+] OK, "first_count" tuples recorded."
-  } else {
-    print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
-    if (!ENVIRON["AFL_KEEP_TRACES"]) {
-      system("rm -rf "trace_dir" 2>/dev/null")
+    if (!stdin_file) {
+      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+    } else {
+      system("cp "in_dir"/"first_file" "stdin_file)
+      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+    }
+
+    first_count = 0
+
+    runtest = trace_dir"/.run_test"
+    while ((getline < runtest) > 0) {
+      ++first_count
+    }
+
+    if (first_count) {
+      print "[+] OK, "first_count" tuples recorded."
+    } else {
+      print "[-] Error: no instrumentation output detected (perhaps crash or timeout)." > "/dev/stderr"
+      if (!ENVIRON["AFL_KEEP_TRACES"]) {
+        system("rm -rf "trace_dir" 2>/dev/null")
+      }
+      exit 1
    }
-    exit 1
  }

  # Let's roll!
@ -396,10 +407,22 @@ BEGIN {
  cur = 0;
  if (!stdin_file) {
    print "    Processing "in_count" files (forkserver mode)..."
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string
+    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
  } else {
    print "    Processing "in_count" files (forkserver mode)..."
-    system( "AFL_CMIN_ALLOW_ANY=1 \""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+#    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
+    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -A \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+  }
+
+  if (retval && !AFL_CMIN_CRASHES_ONLY) {
+    print "[!] Exit code "retval" != 0 received from afl-showmap, terminating..."
+
+    if (!ENVIRON["AFL_KEEP_TRACES"]) {
+      system("rm -rf "trace_dir" 2>/dev/null")
+      system("rmdir "out_dir)
+    }
+    exit retval
  }

  #######################################################
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@ -45,12 +45,14 @@ echo

 # Process command-line options...

-MEM_LIMIT=200
+MEM_LIMIT=none
 TIMEOUT=none

 unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \
  AFL_CMIN_CRASHES_ONLY AFL_CMIN_ALLOW_ANY QEMU_MODE UNICORN_MODE

+export AFL_QUIET=1
+
 while getopts "+i:o:f:m:t:eQUCh" opt; do

  case "$opt" in 
@ -83,12 +85,10 @@ while getopts "+i:o:f:m:t:eQUCh" opt; do
         ;;
    "Q")
         EXTRA_PAR="$EXTRA_PAR -Q"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
         QEMU_MODE=1
         ;;
    "U")
         EXTRA_PAR="$EXTRA_PAR -U"
-         test "$MEM_LIMIT_GIVEN" = "" && MEM_LIMIT=250
         UNICORN_MODE=1
         ;;    
    "?")
@ -126,13 +126,12 @@ Minimization settings:
  -C            - keep crashing inputs, reject everything else
  -e            - solve for edge coverage only, ignore hit counts

-For additional tips, please consult docs/README.md.
+For additional tips, please consult README.md.

 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
-AFL_PATH: path for the afl-showmap binary
+AFL_PATH: last resort location to find the afl-showmap binary
 AFL_SKIP_BIN_CHECK: skip check for target binary
-AFL_ALLOW_TMP: allow unsafe use of input/output directories under {/var}/tmp
 _EOF_
  exit 1
 fi
@ -140,29 +139,29 @@ fi
 # Do a sanity check to discourage the use of /tmp, since we can't really
 # handle this safely from a shell script.

-if [ "$AFL_ALLOW_TMP" = "" ]; then
-
-  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
-
-  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
-  T3="$?"
-
-  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
-  T4="$?"
-
-  echo "$PWD" | grep -qE '^(/var)?/tmp/'
-  T5="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
-    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
-    exit 1
-  fi
-
-fi
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$IN_DIR" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$TARGET_BIN" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  echo "$OUT_DIR" | grep -qE '^(/var)?/tmp/'
+#  T3="$?"
+#
+#  echo "$STDIN_FILE" | grep -qE '^(/var)?/tmp/'
+#  T4="$?"
+#
+#  echo "$PWD" | grep -qE '^(/var)?/tmp/'
+#  T5="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" -o "$T3" = "0" -o "$T4" = "0" -o "$T5" = "0" ]; then
+#    echo "[-] Error: do not use this script in /tmp or /var/tmp." 1>&2
+#    exit 1
+#  fi
+#
+#fi

 # If @@ is specified, but there's no -f, let's come up with a temporary input
 # file name.
@ -243,10 +242,21 @@ if [ ! "$STDIN_FILE" = "" ]; then
  touch "$STDIN_FILE" || exit 1
 fi

-if [ "$AFL_PATH" = "" ]; then
-  SHOWMAP="${0%/afl-cmin}/afl-showmap"
+SHOWMAP=`command -v afl-showmap 2>/dev/null`
+
+if [ -z "$SHOWMAP" ]; then
+  TMP="${0%/afl-cmin.bash}/afl-showmap"
+  if [ -x "$TMP" ]; then
+    SHOWMAP=$TMP
+  fi
+fi
+
+if [ -z "$SHOWMAP" -a -x "./afl-showmap" ]; then
+  SHOWMAP="./afl-showmap"
 else
-  SHOWMAP="$AFL_PATH/afl-showmap"
+  if [ -n "$AFL_PATH" ]; then
+    SHOWMAP="$AFL_PATH/afl-showmap"
+  fi
 fi

 if [ ! -x "$SHOWMAP" ]; then
--- a/99
+++ b/99
@ -15,6 +15,10 @@
 #   http://www.apache.org/licenses/LICENSE-2.0
 #

+get_abs_path() {
+  echo $(cd "`dirname "$1"`" && pwd)/"`basename "$1"`"
+}
+
 echo "progress plotting utility for afl-fuzz by Michal Zalewski"
 echo

@ -31,44 +35,53 @@ an empty directory where this tool can write the resulting plots to.

 The program will put index.html and three PNG images in the output directory;
 you should be able to view it with any web browser of your choice.
-
-Environment variables used:
-AFL_ALLOW_TMP: allow /var/tmp or /tmp for input and output directories
 _EOF_

  exit 1

 fi

-if [ "$AFL_ALLOW_TMP" = "" ]; then
+inputdir=`get_abs_path "$1"`
+outputdir=`get_abs_path "$2"`

-  echo "$1" | grep -qE '^(/var)?/tmp/'
-  T1="$?"
+#if [ "$AFL_ALLOW_TMP" = "" ]; then
+#
+#  echo "$inputdir" | grep -qE '^(/var)?/tmp/'
+#  T1="$?"
+#
+#  echo "$outputdir" | grep -qE '^(/var)?/tmp/'
+#  T2="$?"
+#
+#  if [ "$T1" = "0" -o "$T2" = "0" ]; then
+#
+#    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
+#    exit 1
+#
+#  fi
+#
+#fi

-  echo "$2" | grep -qE '^(/var)?/tmp/'
-  T2="$?"
-
-  if [ "$T1" = "0" -o "$T2" = "0" ]; then
-
-    echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
-    exit 1
-
-  fi
-
-fi
-
-if [ ! -f "$1/plot_data" ]; then
+if [ ! -f "$inputdir/plot_data" ]; then

  echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
  exit 1

 fi

-BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
+LINES=`cat "$inputdir/plot_data" | wc -l`
+
+if [ "$LINES" -lt 3 ]; then
+
+  echo "[-] Error: plot_data carries too little data, let it run longer." 1>&2
+  exit 1
+
+fi
+
+BANNER="`cat "$inputdir/fuzzer_stats" 2> /dev/null | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"

 test "$BANNER" = "" && BANNER="(none)"

-GNUPLOT=`which gnuplot 2>/dev/null`
+GNUPLOT=`command -v gnuplot 2>/dev/null`

 if [ "$GNUPLOT" = "" ]; then

@ -77,17 +90,17 @@ if [ "$GNUPLOT" = "" ]; then

 fi

-mkdir "$2" 2>/dev/null
+mkdir "$outputdir" 2>/dev/null

-if [ ! -d "$2" ]; then
+if [ ! -d "$outputdir" ]; then

  echo "[-] Error: unable to create the output directory - pick another location." 1>&2
  exit 1

 fi

-rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
-mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
+rm -f "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/edges.png"
+mv -f "$outputdir/index.html" "$outputdir/index.html.orig" 2>/dev/null

 echo "[*] Generating plots..."

@ -96,7 +109,7 @@ echo "[*] Generating plots..."
 cat <<_EOF_
 set terminal png truecolor enhanced size 1000,300 butt

-set output '$2/high_freq.png'
+set output '$outputdir/high_freq.png'

 set xdata time
 set timefmt '%s'
@ -114,31 +127,42 @@ set key outside
 set autoscale xfixmin
 set autoscale xfixmax

-plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
+set xlabel "all times in UTC" font "small"
+
+set ytics auto
+plot '$inputdir/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
     '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
     '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
     '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
     '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3

 set terminal png truecolor enhanced size 1000,200 butt
-set output '$2/low_freq.png'
+set output '$outputdir/low_freq.png'

-plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
+set ytics 1
+plot '$inputdir/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
     '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
     '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
     '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3

 set terminal png truecolor enhanced size 1000,200 butt
-set output '$2/exec_speed.png'
+set output '$outputdir/exec_speed.png'

-plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
-     '$1/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
+set ytics auto
+plot '$inputdir/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
+     '$inputdir/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
+
+set terminal png truecolor enhanced size 1000,300 butt
+set output '$outputdir/edges.png'
+
+set ytics auto
+plot '$inputdir/plot_data' using 1:13 with lines title '        edges' linecolor rgb '#0090ff' linewidth 3

 _EOF_

 ) | gnuplot 

-if [ ! -s "$2/exec_speed.png" ]; then
+if [ ! -s "$outputdir/exec_speed.png" ]; then

  echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
  exit 1
@ -147,13 +171,14 @@ fi

 echo "[*] Generating index.html..."

-cat >"$2/index.html" <<_EOF_
+cat >"$outputdir/index.html" <<_EOF_
 <table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
 <tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
-<tr><td><b>Directory:</b></td><td>$1</td></tr>
+<tr><td><b>Directory:</b></td><td>$inputdir</td></tr>
 <tr><td><b>Generated on:</b></td><td>`date`</td></tr>
 </table>
 <p>
+<img src="edges.png" width=1000 height=300>
 <img src="high_freq.png" width=1000 height=300><p>
 <img src="low_freq.png" width=1000 height=200><p>
 <img src="exec_speed.png" width=1000 height=200>
@ -164,8 +189,8 @@ _EOF_
 # served by Apache or other HTTP daemon. Since the plots aren't horribly
 # sensitive, this seems like a reasonable trade-off.

-chmod 755 "$2"
-chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
+chmod 755 "$outputdir"
+chmod 644 "$outputdir/high_freq.png" "$outputdir/low_freq.png" "$outputdir/exec_speed.png" "$outputdir/edges.png" "$outputdir/index.html"

 echo "[+] All done - enjoy your charts!"

--- a/31
+++ b/31
@ -1,5 +1,5 @@
 #!/bin/sh
-test "$1" = "-h" && {
+test "$1" = "-h" -o "$1" = "-hh" && {
  echo 'afl-system-config by Marc Heuse <mh@mh-sec.de>'
  echo
  echo $0
@ -34,6 +34,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
  test -e /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
  test -e /sys/devices/system/cpu/intel_pstate/no_turbo && echo 0 > /sys/devices/system/cpu/intel_pstate/no_turbo
  test -e /sys/devices/system/cpu/cpufreq/boost && echo 1 > /sys/devices/system/cpu/cpufreq/boost
+  test -e /sys/devices/system/cpu/intel_pstate/max_perf_pct && echo 100 > /sys/devices/system/cpu/intel_pstate/max_perf_pct
 } > /dev/null
  echo Settings applied.
  dmesg | egrep -q 'nospectre_v2|spectre_v2=off' || {
@ -48,6 +49,12 @@ if [ "$PLATFORM" = "FreeBSD" ] ; then
  sysctl kern.elf64.aslr.enable=0
 } > /dev/null
  echo Settings applied.
+  cat <<EOF
+In order to suppress core file generation during fuzzing it is recommended to set
+me:\\
+	:coredumpsize=0:
+in the ~/.login_conf file for the user used for fuzzing.
+EOF
  echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
  echo '  sysctl hw.ibrs_disable=1'
  echo 'Setting kern.pmap.pg_ps_enabled=0 into /boot/loader.conf might be helpful too.'
@ -58,6 +65,17 @@ if [ "$PLATFORM" = "OpenBSD" ] ; then
  echo 'System security features cannot be disabled on OpenBSD.'
  DONE=1
 fi
+if [ "$PLATFORM" = "DragonFly" ] ; then
+  #/sbin/sysctl kern.corefile=/dev/null
+  #echo Settings applied.
+  cat <<EOF
+In order to suppress core file generation during fuzzing it is recommended to set
+me:\\
+	:coredumpsize=0:
+in the ~/.login_conf file for the user used for fuzzing.
+EOF
+  DONE=1
+fi
 if [ "$PLATFORM" = "NetBSD" ] ; then
 {
  #echo It is recommended to enable unprivileged users to set cpu affinity
@ -79,5 +97,14 @@ if [ "$PLATFORM" = "Darwin" ] ; then
  fi
  DONE=1
 fi
+if [ "$PLATFORM" = "Haiku" ] ; then
+  SETTINGS=~/config/settings/system/debug_server/settings
+  [ -r ${SETTINGS} ] && grep -qE "default_action\s+kill" ${SETTINGS} && { echo "Nothing to do"; } || { \
+    echo We change the debug_server default_action from user to silently kill; \
+    [ ! -r ${SETTINGS} ] && echo "default_action kill" >${SETTINGS} || { mv ${SETTINGS} s.tmp; sed -e "s/default_action\s\s*user/default_action kill/" s.tmp > ${SETTINGS}; rm s.tmp; }; \
+    echo Settings applied.; \
+  }
+  DONE=1
+fi
 test -z "$DONE" && echo Error: Unknown platform: $PLATFORM
-test -z "$AFL_TMPDIR" && echo Also use AFL_TMPDIR and point it to a tmpfs for the input file caching
+exit 0
--- a/119
+++ b/119
@ -20,7 +20,7 @@

 echo "$0 status check tool for afl-fuzz by Michal Zalewski"
 echo
-test "$1" = "-h" && {
+test "$1" = "-h" -o "$1" = "-hh" && {
  echo $0 [-s] output_directory
  echo
  echo Options:
@ -61,6 +61,13 @@ if [ -d queue ]; then

 fi

+RED=`tput setaf 9 1 1`
+GREEN=`tput setaf 2 1 1`
+BLUE=`tput setaf 4 1 1`
+YELLOW=`tput setaf 11 1 1`
+NC=`tput sgr0`
+RESET="$NC"
+
 CUR_TIME=`date +%s`

 TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
@ -75,6 +82,12 @@ TOTAL_CRASHES=0
 TOTAL_PFAV=0
 TOTAL_PENDING=0

+# Time since last path / crash / hang, formatted as string
+FMT_TIME="0 days 0 hours"
+FMT_PATH="${RED}none seen yet${NC}"
+FMT_CRASH="none seen yet"
+FMT_HANG="none seen yet"
+
 if [ "$SUMMARY_ONLY" = "" ]; then

  echo "Individual fuzzers"
@ -83,6 +96,38 @@ if [ "$SUMMARY_ONLY" = "" ]; then

 fi

+fmt_duration()
+{
+  DUR_STRING=
+  if [ $1 -le 0 ]; then
+    return 1
+  fi
+
+  local duration=$((CUR_TIME - $1))
+  local days=$((duration / 60 / 60 / 24))
+  local hours=$(((duration / 60 / 60) % 24))
+  local minutes=$(((duration / 60) % 60))
+  local seconds=$((duration % 60))
+
+  if [ $duration -le 0 ]; then
+    DUR_STRING="0 seconds"
+  elif [ $duration -eq 1 ]; then
+    DUR_STRING="1 second"
+  elif [ $days -gt 0 ]; then
+    DUR_STRING="$days days, $hours hours"
+  elif [ $hours -gt 0 ]; then
+    DUR_STRING="$hours hours, $minutes minutes"
+  elif [ $minutes -gt 0 ]; then
+    DUR_STRING="$minutes minutes, $seconds seconds"
+  else
+    DUR_STRING="$seconds seconds"
+  fi
+}
+
+FIRST=true
+TOTAL_WCOP=
+TOTAL_LAST_PATH=0
+
 for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do

  sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
@ -92,9 +137,15 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
  RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
  RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))

+  test -n "$cycles_wo_finds" && {
+    test -z "$FIRST" && TOTAL_WCOP="${TOTAL_WCOP}/"
+    TOTAL_WCOP="${TOTAL_WCOP}${cycles_wo_finds}"
+    FIRST=
+  }
+
  if [ "$SUMMARY_ONLY" = "" ]; then

-    echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
+    echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) fuzzer PID: $fuzzer_pid <<<"
    echo

  fi
@ -115,7 +166,8 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do

  ALIVE_CNT=$((ALIVE_CNT + 1))

-  EXEC_SEC=$((execs_done / RUN_UNIX))
+  EXEC_SEC=0
+  test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX))
  PATH_PERC=$((cur_path * 100 / paths_total))

  TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
@ -125,8 +177,43 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
  TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
  TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))

+  if [ "$last_path" -gt "$TOTAL_LAST_PATH" ]; then
+    TOTAL_LAST_PATH=$last_path
+  fi
+
  if [ "$SUMMARY_ONLY" = "" ]; then

+    # Warnings in red
+    TIMEOUT_PERC=$((exec_timeout * 100 / execs_done))
+    if [ $TIMEOUT_PERC -ge 10 ]; then
+      echo "  ${RED}timeout_ratio $TIMEOUT_PERC%${NC}"
+    fi
+
+    if [ $EXEC_SEC -eq 0 ]; then
+      echo "  ${YELLOW}no data yet, 0 execs/sec${NC}"
+    elif [ $EXEC_SEC -lt 100 ]; then
+      echo "  ${RED}slow execution, $EXEC_SEC execs/sec${NC}"
+    fi
+
+    fmt_duration $last_path && FMT_PATH=$DUR_STRING
+    fmt_duration $last_crash && FMT_CRASH=$DUR_STRING
+    fmt_duration $last_hang && FMT_HANG=$DUR_STRING
+    FMT_CWOP="not available"
+    test -n "$cycles_wo_finds" && {
+      test "$cycles_wo_finds" = 0 && FMT_CWOP="$cycles_wo_finds"
+      test "$cycles_wo_finds" -gt 10 && FMT_CWOP="${YELLOW}$cycles_wo_finds${NC}"
+      test "$cycles_wo_finds" -gt 50 && FMT_CWOP="${RED}$cycles_wo_finds${NC}"
+    }
+
+    echo "  last_path       : $FMT_PATH"
+    echo "  last_crash      : $FMT_CRASH"
+    echo "  last_hang       : $FMT_HANG"
+    echo "  cycles_wo_finds : $FMT_CWOP"
+
+    CPU_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $3}')
+    MEM_USAGE=$(ps aux | grep $fuzzer_pid | grep -v grep | awk '{print $4}')
+
+    echo "  cpu usage $CPU_USAGE%, memory usage $MEM_USAGE%"
    echo "  cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"

    if [ "$unique_crashes" = "0" ]; then
@ -141,11 +228,28 @@ for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do

 done

+# Formatting for total time, time since last path, crash, and hang
+fmt_duration $((CUR_TIME - TOTAL_TIME)) && FMT_TIME=$DUR_STRING
+# Formatting for total execution
+FMT_EXECS="0 millions"
+EXECS_MILLION=$((TOTAL_EXECS / 1000 / 1000))
+EXECS_THOUSAND=$((TOTAL_EXECS / 1000 % 1000))
+if [ $EXECS_MILLION -gt 9 ]; then
+  FMT_EXECS="$EXECS_MILLION millions"
+elif [ $EXECS_MILLION -gt 0 ]; then
+  FMT_EXECS="$EXECS_MILLION millions, $EXECS_THOUSAND thousands"
+else
+  FMT_EXECS="$EXECS_THOUSAND thousands"
+fi
+
 rm -f "$TMP"

 TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
 TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))

+test -z "$TOTAL_WCOP" && TOTAL_WCOP="not available"
+fmt_duration $TOTAL_LAST_PATH && TOTAL_LAST_PATH=$DUR_STRING
+
 test "$TOTAL_TIME" = "0" && TOTAL_TIME=1

 echo "Summary stats"
@ -157,9 +261,12 @@ if [ ! "$DEAD_CNT" = "0" ]; then
  echo "      Dead or remote : $DEAD_CNT (excluded from stats)"
 fi

-echo "      Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
-echo "         Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
+echo "      Total run time : $FMT_TIME"
+echo "         Total execs : $FMT_EXECS"
 echo "    Cumulative speed : $TOTAL_EPS execs/sec"
+if [ "$ALIVE_CNT" -gt "0" ]; then
+  echo "       Average speed : $((TOTAL_EPS / ALIVE_CNT)) execs/sec"
+fi
 echo "       Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"

 if [ "$ALIVE_CNT" -gt "1" ]; then
@ -167,6 +274,8 @@ if [ "$ALIVE_CNT" -gt "1" ]; then
 fi

 echo "       Crashes found : $TOTAL_CRASHES locally unique"
+echo "Cycles without finds : $TOTAL_WCOP"
+echo "  Time without finds : $TOTAL_LAST_PATH"
 echo

 exit 0
--- a/11
+++ b/11
@ -28,9 +28,9 @@ if not os.getenv("AFL_INST_LIBS"):
        os.environ["AFL_CODE_END"] = "0x%x" % (pe.OPTIONAL_HEADER.ImageBase + pe.OPTIONAL_HEADER.BaseOfCode + pe.OPTIONAL_HEADER.SizeOfCode)

 if pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"] or pe.FILE_HEADER.Machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_IA64"]:
-    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so")
+    os.environ["QEMU_SET_ENV"] = "LD_PRELOAD=" + os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction64.so") + ",WINEARCH=win64"
 else:
-    os.environ["LD_PRELOAD"] = os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so")
+    os.environ["QEMU_SET_ENV"] = "LD_PRELOAD=" + os.path.join(my_dir, "qemu_mode/unsigaction/unsigaction32.so") + ",WINEARCH=win32"

 if os.getenv("WINECOV_QEMU_PATH"):
    qemu_path = os.getenv("WINECOV_QEMU_PATH")
@ -68,7 +68,12 @@ else:
 argv = sys.argv[1:]
 for i in range(len(argv)):
    if ".cur_input" in argv[i]:
-        argv[i] = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        # Get the Wine translated path using the winepath tool
+        arg_translated = subprocess.run([os.path.join(os.path.dirname(wine_path), "winepath"), "--windows", argv[i]], universal_newlines=True, stdout=subprocess.PIPE).stdout
+        # Remove the spurious LF at the end of the path
+        if len(arg_translated) > 0 and arg_translated[-1] == '\n':
+            arg_translated = arg_translated[:-1]
+        argv[i] = arg_translated
        break

 print("[afl-wine-trace] exec:", " ".join([qemu_path, wine_path] + argv))
--- a/custom_mutators/Android.bp
+++ b/custom_mutators/Android.bp
@ -0,0 +1,115 @@
+cc_library_shared {
+  name: "libfuzzer-mutator",
+  vendor_available: true,
+  host_supported: true,
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-funroll-loops",
+    "-fPIC",
+    "-fpermissive",
+    "-std=c++11",
+  ],
+
+  srcs: [
+    "libfuzzer/FuzzerCrossOver.cpp",
+    "libfuzzer/FuzzerDataFlowTrace.cpp",
+    "libfuzzer/FuzzerDriver.cpp",
+    "libfuzzer/FuzzerExtFunctionsDlsym.cpp",
+    "libfuzzer/FuzzerExtFunctionsWeak.cpp",
+    "libfuzzer/FuzzerExtFunctionsWindows.cpp",
+    "libfuzzer/FuzzerExtraCounters.cpp",
+    "libfuzzer/FuzzerFork.cpp",
+    "libfuzzer/FuzzerIO.cpp",
+    "libfuzzer/FuzzerIOPosix.cpp",
+    "libfuzzer/FuzzerIOWindows.cpp",
+    "libfuzzer/FuzzerLoop.cpp",
+    "libfuzzer/FuzzerMerge.cpp",
+    "libfuzzer/FuzzerMutate.cpp",
+    "libfuzzer/FuzzerSHA1.cpp",
+    "libfuzzer/FuzzerTracePC.cpp",
+    "libfuzzer/FuzzerUtil.cpp",
+    "libfuzzer/FuzzerUtilDarwin.cpp",
+    "libfuzzer/FuzzerUtilFuchsia.cpp",
+    "libfuzzer/FuzzerUtilLinux.cpp",
+    "libfuzzer/FuzzerUtilPosix.cpp",
+    "libfuzzer/FuzzerUtilWindows.cpp",
+    "libfuzzer/libfuzzer.cpp",
+  ],
+
+  header_libs: [
+    "libafl_headers",
+  ],
+}
+
+/*cc_library_shared {
+  name: "honggfuzz-mutator",
+  vendor_available: true,
+  host_supported: true,
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-funroll-loops",
+    "-fPIC",
+    "-Wl,-Bsymbolic",
+  ],
+
+  srcs: [
+    "honggfuzz/honggfuzz.c",
+    "honggfuzz/mangle.c",
+//    "../src/afl-perfomance.c",
+  ],
+
+  header_libs: [
+    "libafl_headers",
+  ],
+}*/
+
+cc_library_shared {
+  name: "radamsa-mutator",
+  vendor_available: true,
+  host_supported: true,
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-funroll-loops",
+    "-fPIC",
+  ],
+
+  srcs: [
+    "radamsa/libradamsa.c",
+    "radamsa/radamsa-mutator.c",
+  ],
+
+  header_libs: [
+    "libafl_headers",
+  ],
+}
+
+cc_library_shared {
+  name: "symcc-mutator",
+  vendor_available: true,
+  host_supported: true,
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-funroll-loops",
+    "-fPIC",
+  ],
+
+  srcs: [
+    "symcc/symcc.c",
+  ],
+
+  header_libs: [
+    "libafl_headers",
+  ],
+}
+
+subdirs = [
+  "libprotobuf-mutator-example",
+]
--- a/custom_mutators/README.md
+++ b/custom_mutators/README.md
@ -0,0 +1,48 @@
+# Custom Mutators
+
+Custom mutators enhance and alter the mutation strategies of afl++.
+For further information and documentation on how to write your own, read [the docs](../docs/custom_mutators.md).
+
+## The afl++ Grammar Mutator
+
+If you use git to clone afl++, then the following will incorporate our
+excellent grammar custom mutator:
+```sh
+git submodule update --init
+```
+
+Read the README in the [Grammar-Mutator] repository on how to use it.
+
+[Grammar-Mutator]: https://github.com/AFLplusplus/Grammar-Mutator
+
+## Production-Ready Custom Mutators
+
+This directory holds ready to use custom mutators.
+Just type "make" in the individual subdirectories.
+
+Use with e.g.
+
+`AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/radamsa/radamsa-mutator.so afl-fuzz ....`
+
+and add `AFL_CUSTOM_MUTATOR_ONLY=1` if you only want to use the custom mutator.
+
+Multiple custom mutators can be used by separating their paths with `:` in the environment variable.
+
+## 3rd Party Custom Mutators
+
+### Superion Mutators
+
+Adrian Tiron ported the Superion grammar fuzzer to afl++, it is WIP and
+requires cmake (among other things):
+[https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)
+
+### libprotobuf Mutators
+
+There are two WIP protobuf projects, that require work to be working though:
+
+transforms protobuf raw:
+https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/4_libprotobuf_aflpp_custom_mutator
+
+has a transform function you need to fill for your protobuf format, however
+needs to be ported to the updated afl++ custom mutator API (not much work):
+https://github.com/thebabush/afl-libprotobuf-mutator
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@ -0,0 +1 @@
+b3c4fcf
--- a/custom_mutators/grammar_mutator/README.md
+++ b/custom_mutators/grammar_mutator/README.md
@ -0,0 +1,6 @@
+# Grammar-Mutator
+
+This is just a stub directory that will clone the real grammar mutator
+directory.
+
+Execute `./build_grammar_mutator.sh` to set everything up.
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@ -0,0 +1,140 @@
+#!/bin/sh
+#
+# american fuzzy lop++ - unicorn mode build script
+# ------------------------------------------------
+#
+# Originally written by Nathan Voss <njvoss99@gmail.com>
+#
+# Adapted from code by Andrew Griffiths <agriffiths@google.com> and
+#                      Michal Zalewski
+#
+# Adapted for AFLplusplus by Dominik Maier <mail@dmnk.co>
+#
+# CompareCoverage and NeverZero counters by Andrea Fioraldi
+#                                <andreafioraldi@gmail.com>
+#
+# Copyright 2017 Battelle Memorial Institute. All rights reserved.
+# Copyright 2019-2020 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# This script downloads, patches, and builds a version of Unicorn with
+# minor tweaks to allow Unicorn-emulated binaries to be run under
+# afl-fuzz.
+#
+# The modifications reside in patches/*. The standalone Unicorn library
+# will be written to /usr/lib/libunicornafl.so, and the Python bindings
+# will be installed system-wide.
+#
+# You must make sure that Unicorn Engine is not already installed before
+# running this script. If it is, please uninstall it first.
+
+GRAMMAR_VERSION="$(cat ./GRAMMAR_VERSION)"
+GRAMMAR_REPO="https://github.com/AFLplusplus/grammar-mutator"
+
+echo "================================================="
+echo "Grammar Mutator build script"
+echo "================================================="
+echo
+
+echo "[*] Performing basic sanity checks..."
+
+PLT=`uname -s`
+
+if [ ! -f "../../config.h" ]; then
+
+  echo "[-] Error: key files not found - wrong working directory?"
+  exit 1
+
+fi
+
+PYTHONBIN=`command -v python3 || command -v python || command -v python2 || echo python3`
+MAKECMD=make
+TARCMD=tar
+
+if [ "$PLT" = "Darwin" ]; then
+  CORES=`sysctl -n hw.ncpu`
+  TARCMD=tar
+fi
+
+if [ "$PLT" = "FreeBSD" ]; then
+  MAKECMD=gmake
+  CORES=`sysctl -n hw.ncpu`
+  TARCMD=gtar
+fi
+
+if [ "$PLT" = "NetBSD" ] || [ "$PLT" = "OpenBSD" ]; then
+  MAKECMD=gmake
+  CORES=`sysctl -n hw.ncpu`
+  TARCMD=gtar
+fi
+
+PREREQ_NOTFOUND=
+for i in git $MAKECMD $TARCMD; do
+
+  T=`command -v "$i" 2>/dev/null`
+
+  if [ "$T" = "" ]; then
+
+    echo "[-] Error: '$i' not found. Run 'sudo apt-get install $i' or similar."
+    PREREQ_NOTFOUND=1
+
+  fi
+
+done
+
+if echo "$CC" | grep -qF /afl-; then
+
+  echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
+  PREREQ_NOTFOUND=1
+
+fi
+
+if [ "$PREREQ_NOTFOUND" = "1" ]; then
+  exit 1
+fi
+
+echo "[+] All checks passed!"
+
+echo "[*] Making sure grammar mutator is checked out"
+
+git status 1>/dev/null 2>/dev/null
+if [ $? -eq 0 ]; then
+  echo "[*] initializing grammar mutator submodule"
+  git submodule init || exit 1
+  git submodule update ./grammar-mutator 2>/dev/null # ignore errors
+else
+  echo "[*] cloning grammar mutator"
+  test -d grammar-mutator || {
+    CNT=1
+    while [ '!' -d grammar-mutator -a "$CNT" -lt 4 ]; do
+      echo "Trying to clone grammar-mutator (attempt $CNT/3)"
+      git clone "$GRAMMAR_REPO" 
+      CNT=`expr "$CNT" + 1`
+    done
+  }
+fi
+
+test -d grammar-mutator || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+echo "[+] Got grammar mutator."
+
+cd "grammar-mutator" || exit 1
+echo "[*] Checking out $GRAMMAR_VERSION"
+sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null
+git checkout "$GRAMMAR_VERSION" || exit 1
+echo "[*] Downloading antlr..."
+wget -c https://www.antlr.org/download/antlr-4.8-complete.jar
+cd ..
+
+echo
+echo
+echo "[+] All successfully prepared!"
+echo "[!] To build for your grammar just do:"
+echo "      cd grammar-mutator"
+echo "      make GRAMMAR_FILE=/path/to/your/grammar"
+echo "[+] You will find a JSON and RUBY grammar in grammar-mutator/grammars to play with."
+echo
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
--- a/custom_mutators/grammar_mutator/update_grammar_ref.sh
+++ b/custom_mutators/grammar_mutator/update_grammar_ref.sh
@ -0,0 +1,50 @@
+#!/bin/sh
+
+##################################################
+# AFL++ tool to update a git ref.
+# Usage: ./<script>.sh <new commit hash>
+# If no commit hash was provided, it'll take HEAD.
+##################################################
+
+TOOL="grammar mutator"
+VERSION_FILE='./GRAMMAR_VERSION'
+REPO_FOLDER='./grammar_mutator'
+THIS_SCRIPT=`basename $0`
+BRANCH="stable"
+
+NEW_VERSION="$1"
+
+if [ "$NEW_VERSION" = "-h" ]; then
+  echo "Internal script to update bound $TOOL version."
+  echo
+  echo "Usage: $THIS_SCRIPT <new commit hash>"
+  echo "If no commit hash is provided, will use HEAD."
+  echo "-h to show this help screen."
+  exit 1
+fi
+
+git submodule init && git submodule update ./grammar_mutator || exit 1
+cd "$REPO_FOLDER" || exit 1
+git fetch origin $BRANCH 1>/dev/null || exit 1
+git stash 1>/dev/null 2>/dev/null
+git stash drop 1>/dev/null 2>/dev/null
+git checkout $BRANCH
+
+if [ -z "$NEW_VERSION" ]; then
+  # No version provided, take HEAD.
+  NEW_VERSION=$(git rev-parse --short HEAD)
+fi
+
+if [ -z "$NEW_VERSION" ]; then
+  echo "Error getting version."
+  exit 1
+fi
+
+git checkout "$NEW_VERSION" || exit 1
+
+cd ..
+
+rm "$VERSION_FILE"
+echo "$NEW_VERSION" > "$VERSION_FILE"
+
+echo "Done. New $TOOL version is $NEW_VERSION."
--- a/custom_mutators/honggfuzz/Makefile
+++ b/custom_mutators/honggfuzz/Makefile
@ -0,0 +1,17 @@
+
+CFLAGS = -O3 -funroll-loops -fPIC -Wl,-Bsymbolic
+
+all: honggfuzz-mutator.so
+
+honggfuzz-mutator.so:	honggfuzz.c input.h mangle.c ../../src/afl-performance.c
+	$(CC) $(CFLAGS) -I../../include -I. -shared -o honggfuzz-mutator.so honggfuzz.c mangle.c ../../src/afl-performance.c
+
+update:
+	@# seriously? --unlink is a dud option? sigh ...
+	rm -f mangle.c mangle.h honggfuzz.h
+	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.c
+	wget --unlink https://github.com/google/honggfuzz/raw/master/mangle.h
+	wget --unlink https://github.com/google/honggfuzz/raw/master/honggfuzz.h
+
+clean:
+	rm -f *.o *~ *.so core
--- a/custom_mutators/honggfuzz/README.md
+++ b/custom_mutators/honggfuzz/README.md
@ -0,0 +1,12 @@
+# custum mutator: honggfuzz mangle
+
+this is the honggfuzz mutator in mangle.c as a custom mutator
+module for afl++. It is the original mangle.c, mangle.h and honggfuzz.h
+with a lot of mocking around it :-)
+
+just type `make` to build
+
+```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/honggfuzz/honggfuzz-mutator.so afl-fuzz ...```
+
+> Original repository: https://github.com/google/honggfuzz
+> Source commit: d0fbcb0373c32436b8fb922e6937da93b17291f5
--- a/custom_mutators/honggfuzz/custom_mutator_helpers.h
+++ b/custom_mutators/honggfuzz/custom_mutator_helpers.h
@ -0,0 +1,22 @@
+#ifndef CUSTOM_MUTATOR_HELPERS
+#define CUSTOM_MUTATOR_HELPERS
+
+#include "config.h"
+#include "types.h"
+#include "afl-fuzz.h"
+#include <stdlib.h>
+
+#define INITIAL_GROWTH_SIZE (64)
+
+/* Use in a struct: creates a name_buf and a name_size variable. */
+#define BUF_VAR(type, name) \
+  type * name##_buf;        \
+  size_t name##_size;
+/* this filles in `&structptr->something_buf, &structptr->something_size`. */
+#define BUF_PARAMS(struct, name) \
+  (void **)&struct->name##_buf, &struct->name##_size
+
+#undef INITIAL_GROWTH_SIZE
+
+#endif
+
--- a/custom_mutators/honggfuzz/honggfuzz.c
+++ b/custom_mutators/honggfuzz/honggfuzz.c
@ -0,0 +1,144 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "custom_mutator_helpers.h"
+#include "mangle.h"
+
+#define NUMBER_OF_MUTATIONS 5
+
+uint8_t *         queue_input;
+size_t            queue_input_size;
+afl_state_t *     afl_struct;
+run_t             run;
+honggfuzz_t       global;
+struct _dynfile_t dynfile;
+
+typedef struct my_mutator {
+
+  afl_state_t *afl;
+  run_t *      run;
+  u8 *         mutator_buf;
+  unsigned int seed;
+  unsigned int extras_cnt, a_extras_cnt;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  if ((data->mutator_buf = malloc(MAX_FILE)) == NULL) {
+
+    free(data);
+    perror("mutator_buf alloc");
+    return NULL;
+
+  }
+
+  run.dynfile = &dynfile;
+  run.global = &global;
+  data->afl = afl;
+  data->seed = seed;
+  data->run = &run;
+  afl_struct = afl;
+
+  run.global->mutate.maxInputSz = MAX_FILE;
+  run.global->mutate.mutationsPerRun = NUMBER_OF_MUTATIONS;
+  run.mutationsPerRun = NUMBER_OF_MUTATIONS;
+  run.global->timing.lastCovUpdate = 6;
+
+  // global->feedback.cmpFeedback
+  // global->feedback.cmpFeedbackMap
+
+  return data;
+
+}
+
+/* When a new queue entry is added we check if there are new dictionary
+   entries to add to honggfuzz structure */
+
+void afl_custom_queue_new_entry(my_mutator_t * data,
+                                const uint8_t *filename_new_queue,
+                                const uint8_t *filename_orig_queue) {
+
+  if (run.global->mutate.dictionaryCnt >= 1024) return;
+
+  while (data->extras_cnt < data->afl->extras_cnt &&
+         run.global->mutate.dictionaryCnt < 1024) {
+
+    memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+           data->afl->extras[data->extras_cnt].data,
+           data->afl->extras[data->extras_cnt].len);
+    run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+        data->afl->extras[data->extras_cnt].len;
+    run.global->mutate.dictionaryCnt++;
+    data->extras_cnt++;
+
+  }
+
+  while (data->a_extras_cnt < data->afl->a_extras_cnt &&
+         run.global->mutate.dictionaryCnt < 1024) {
+
+    memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+           data->afl->a_extras[data->a_extras_cnt].data,
+           data->afl->a_extras[data->a_extras_cnt].len);
+    run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+        data->afl->a_extras[data->a_extras_cnt].len;
+    run.global->mutate.dictionaryCnt++;
+    data->a_extras_cnt++;
+
+  }
+
+}
+
+/* we could set only_printable if is_ascii is set ... let's see
+uint8_t afl_custom_queue_get(void *data, const uint8_t *filename) {
+
+  //run.global->cfg.only_printable = ...
+
+}
+
+*/
+
+/* here we run the honggfuzz mutator, which is really good */
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+                       u8 **out_buf, uint8_t *add_buf, size_t add_buf_size,
+                       size_t max_size) {
+
+  /* set everything up, costly ... :( */
+  memcpy(data->mutator_buf, buf, buf_size);
+  queue_input = data->mutator_buf;
+  run.dynfile->data = data->mutator_buf;
+  queue_input_size = buf_size;
+  run.dynfile->size = buf_size;
+  *out_buf = data->mutator_buf;
+
+  /* the mutation */
+  mangle_mangleContent(&run, NUMBER_OF_MUTATIONS);
+
+  /* return size of mutated data */
+  return run.dynfile->size;
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->mutator_buf);
+  free(data);
+
+}
+
--- a/custom_mutators/honggfuzz/honggfuzz.h
+++ b/custom_mutators/honggfuzz/honggfuzz.h
@ -0,0 +1,386 @@
+/*
+ *
+ * honggfuzz - core structures and macros
+ * -----------------------------------------
+ *
+ * Author: Robert Swiecki <swiecki@google.com>
+ *
+ * Copyright 2010-2018 by Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ *
+ */
+
+#ifndef _HF_HONGGFUZZ_H_
+#define _HF_HONGGFUZZ_H_
+
+#include <dirent.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <sys/param.h>
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <time.h>
+
+#include "libhfcommon/util.h"
+
+#define PROG_NAME    "honggfuzz"
+#define PROG_VERSION "2.4"
+
+/* Name of the template which will be replaced with the proper name of the file */
+#define _HF_FILE_PLACEHOLDER "___FILE___"
+
+/* Default name of the report created with some architectures */
+#define _HF_REPORT_FILE "HONGGFUZZ.REPORT.TXT"
+
+/* Default stack-size of created threads. */
+#define _HF_PTHREAD_STACKSIZE (1024ULL * 1024ULL * 2ULL) /* 2MB */
+
+/* Name of envvar which indicates sequential number of fuzzer */
+#define _HF_THREAD_NO_ENV "HFUZZ_THREAD_NO"
+
+/* Name of envvar which indicates that the netDriver should be used */
+#define _HF_THREAD_NETDRIVER_ENV "HFUZZ_USE_NETDRIVER"
+
+/* Name of envvar which indicates honggfuzz's log level in use */
+#define _HF_LOG_LEVEL_ENV "HFUZZ_LOG_LEVEL"
+
+/* Number of crash verifier iterations before tag crash as stable */
+#define _HF_VERIFIER_ITER 5
+
+/* Size (in bytes) for report data to be stored in stack before written to file */
+#define _HF_REPORT_SIZE 32768
+
+/* Perf bitmap size */
+#define _HF_PERF_BITMAP_SIZE_16M   (1024U * 1024U * 16U)
+#define _HF_PERF_BITMAP_BITSZ_MASK 0x7FFFFFFULL
+/* Maximum number of PC guards (=trace-pc-guard) we support */
+#define _HF_PC_GUARD_MAX (1024ULL * 1024ULL * 64ULL)
+
+/* Maximum size of the input file in bytes (1 MiB) */
+#define _HF_INPUT_MAX_SIZE (1024ULL * 1024ULL)
+
+/* Default maximum size of produced inputs */
+#define _HF_INPUT_DEFAULT_SIZE (1024ULL * 8)
+
+/* Per-thread bitmap */
+#define _HF_PERTHREAD_BITMAP_FD 1018
+/* FD used to report back used int/str constants from the fuzzed process */
+#define _HF_CMP_BITMAP_FD 1019
+/* FD used to log inside the child process */
+#define _HF_LOG_FD 1020
+/* FD used to represent the input file */
+#define _HF_INPUT_FD 1021
+/* FD used to pass coverage feedback from the fuzzed process */
+#define _HF_COV_BITMAP_FD 1022
+#define _HF_BITMAP_FD     _HF_COV_BITMAP_FD /* Old name for _HF_COV_BITMAP_FD */
+/* FD used to pass data to a persistent process */
+#define _HF_PERSISTENT_FD 1023
+
+/* Input file as a string */
+#define _HF_INPUT_FILE_PATH "/dev/fd/" HF_XSTR(_HF_INPUT_FD)
+
+/* Maximum number of supported execve() args */
+#define _HF_ARGS_MAX 2048
+
+/* Message indicating that the fuzzed process is ready for new data */
+static const uint8_t HFReadyTag = 'R';
+
+/* Maximum number of active fuzzing threads */
+#define _HF_THREAD_MAX 1024U
+
+/* Persistent-binary signature - if found within file, it means it's a persistent mode binary */
+#define _HF_PERSISTENT_SIG "\x01_LIBHFUZZ_PERSISTENT_BINARY_SIGNATURE_\x02\xFF"
+/* HF NetDriver signature - if found within file, it means it's a NetDriver-based binary */
+#define _HF_NETDRIVER_SIG "\x01_LIBHFUZZ_NETDRIVER_BINARY_SIGNATURE_\x02\xFF"
+
+/* printf() nonmonetary separator. According to MacOSX's man it's supported there as well */
+#define _HF_NONMON_SEP "'"
+
+typedef enum {
+    _HF_DYNFILE_NONE         = 0x0,
+    _HF_DYNFILE_INSTR_COUNT  = 0x1,
+    _HF_DYNFILE_BRANCH_COUNT = 0x2,
+    _HF_DYNFILE_BTS_EDGE     = 0x10,
+    _HF_DYNFILE_IPT_BLOCK    = 0x20,
+    _HF_DYNFILE_SOFT         = 0x40,
+} dynFileMethod_t;
+
+typedef struct {
+    uint64_t cpuInstrCnt;
+    uint64_t cpuBranchCnt;
+    uint64_t bbCnt;
+    uint64_t newBBCnt;
+    uint64_t softCntPc;
+    uint64_t softCntEdge;
+    uint64_t softCntCmp;
+} hwcnt_t;
+
+typedef enum {
+    _HF_STATE_UNSET = 0,
+    _HF_STATE_STATIC,
+    _HF_STATE_DYNAMIC_DRY_RUN,
+    _HF_STATE_DYNAMIC_MAIN,
+    _HF_STATE_DYNAMIC_MINIMIZE,
+} fuzzState_t;
+
+typedef enum {
+    HF_MAYBE = -1,
+    HF_NO    = 0,
+    HF_YES   = 1,
+} tristate_t;
+
+struct _dynfile_t {
+    size_t             size;
+    uint64_t           cov[4];
+    size_t             idx;
+    int                fd;
+    uint64_t           timeExecUSecs;
+    char               path[PATH_MAX];
+    struct _dynfile_t* src;
+    uint32_t           refs;
+    uint8_t*           data;
+    TAILQ_ENTRY(_dynfile_t) pointers;
+};
+
+typedef struct _dynfile_t dynfile_t;
+
+struct strings_t {
+    size_t len;
+    TAILQ_ENTRY(strings_t) pointers;
+    char s[];
+};
+
+typedef struct {
+    uint8_t  pcGuardMap[_HF_PC_GUARD_MAX];
+    uint8_t  bbMapPc[_HF_PERF_BITMAP_SIZE_16M];
+    uint32_t bbMapCmp[_HF_PERF_BITMAP_SIZE_16M];
+    uint64_t pidNewPC[_HF_THREAD_MAX];
+    uint64_t pidNewEdge[_HF_THREAD_MAX];
+    uint64_t pidNewCmp[_HF_THREAD_MAX];
+    uint64_t guardNb;
+    uint64_t pidTotalPC[_HF_THREAD_MAX];
+    uint64_t pidTotalEdge[_HF_THREAD_MAX];
+    uint64_t pidTotalCmp[_HF_THREAD_MAX];
+} feedback_t;
+
+typedef struct {
+    uint32_t cnt;
+    struct {
+        uint8_t  val[32];
+        uint32_t len;
+    } valArr[1024 * 16];
+} cmpfeedback_t;
+
+typedef struct {
+    struct {
+        size_t    threadsMax;
+        size_t    threadsFinished;
+        uint32_t  threadsActiveCnt;
+        pthread_t mainThread;
+        pid_t     mainPid;
+        pthread_t threads[_HF_THREAD_MAX];
+    } threads;
+    struct {
+        const char* inputDir;
+        const char* outputDir;
+        DIR*        inputDirPtr;
+        size_t      fileCnt;
+        size_t      testedFileCnt;
+        const char* fileExtn;
+        size_t      maxFileSz;
+        size_t      newUnitsAdded;
+        char        workDir[PATH_MAX];
+        const char* crashDir;
+        const char* covDirNew;
+        bool        saveUnique;
+        bool        saveSmaller;
+        size_t      dynfileqMaxSz;
+        size_t      dynfileqCnt;
+        dynfile_t*  dynfileqCurrent;
+        dynfile_t*  dynfileq2Current;
+        TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
+        bool exportFeedback;
+    } io;
+    struct {
+        int                argc;
+        const char* const* cmdline;
+        bool               nullifyStdio;
+        bool               fuzzStdin;
+        const char*        externalCommand;
+        const char*        postExternalCommand;
+        const char*        feedbackMutateCommand;
+        bool               netDriver;
+        bool               persistent;
+        uint64_t           asLimit;
+        uint64_t           rssLimit;
+        uint64_t           dataLimit;
+        uint64_t           coreLimit;
+        uint64_t           stackLimit;
+        bool               clearEnv;
+        char*              env_ptrs[128];
+        char               env_vals[128][4096];
+        sigset_t           waitSigSet;
+    } exe;
+    struct {
+        time_t  timeStart;
+        time_t  runEndTime;
+        time_t  tmOut;
+        time_t  lastCovUpdate;
+        int64_t timeOfLongestUnitUSecs;
+        bool    tmoutVTALRM;
+    } timing;
+    struct {
+        struct {
+            uint8_t val[256];
+            size_t  len;
+        } dictionary[1024];
+        size_t      dictionaryCnt;
+        const char* dictionaryFile;
+        size_t      mutationsMax;
+        unsigned    mutationsPerRun;
+        size_t      maxInputSz;
+    } mutate;
+    struct {
+        bool    useScreen;
+        char    cmdline_txt[65];
+        int64_t lastDisplayUSecs;
+    } display;
+    struct {
+        bool        useVerifier;
+        bool        exitUponCrash;
+        const char* reportFile;
+        size_t      dynFileIterExpire;
+        bool        only_printable;
+        bool        minimize;
+        bool        switchingToFDM;
+    } cfg;
+    struct {
+        bool enable;
+        bool del_report;
+    } sanitizer;
+    struct {
+        fuzzState_t     state;
+        feedback_t*     covFeedbackMap;
+        int             covFeedbackFd;
+        cmpfeedback_t*  cmpFeedbackMap;
+        int             cmpFeedbackFd;
+        bool            cmpFeedback;
+        const char*     blocklistFile;
+        uint64_t*       blocklist;
+        size_t          blocklistCnt;
+        bool            skipFeedbackOnTimeout;
+        uint64_t        maxCov[4];
+        dynFileMethod_t dynFileMethod;
+        hwcnt_t         hwCnts;
+    } feedback;
+    struct {
+        size_t mutationsCnt;
+        size_t crashesCnt;
+        size_t uniqueCrashesCnt;
+        size_t verifiedCrashesCnt;
+        size_t blCrashesCnt;
+        size_t timeoutedCnt;
+    } cnts;
+    struct {
+        bool enabled;
+        int  serverSocket;
+        int  clientSocket;
+    } socketFuzzer;
+    struct {
+        pthread_rwlock_t dynfileq;
+        pthread_mutex_t  feedback;
+        pthread_mutex_t  report;
+        pthread_mutex_t  state;
+        pthread_mutex_t  input;
+        pthread_mutex_t  timing;
+    } mutex;
+
+    /* For the Linux code */
+    struct {
+        int         exeFd;
+        uint64_t    dynamicCutOffAddr;
+        bool        disableRandomization;
+        void*       ignoreAddr;
+        const char* symsBlFile;
+        char**      symsBl;
+        size_t      symsBlCnt;
+        const char* symsWlFile;
+        char**      symsWl;
+        size_t      symsWlCnt;
+        uintptr_t   cloneFlags;
+        tristate_t  useNetNs;
+        bool        kernelOnly;
+        bool        useClone;
+    } arch_linux;
+    /* For the NetBSD code */
+    struct {
+        void*       ignoreAddr;
+        const char* symsBlFile;
+        char**      symsBl;
+        size_t      symsBlCnt;
+        const char* symsWlFile;
+        char**      symsWl;
+        size_t      symsWlCnt;
+    } arch_netbsd;
+} honggfuzz_t;
+
+typedef enum {
+    _HF_RS_UNKNOWN                   = 0,
+    _HF_RS_WAITING_FOR_INITIAL_READY = 1,
+    _HF_RS_WAITING_FOR_READY         = 2,
+    _HF_RS_SEND_DATA                 = 3,
+} runState_t;
+
+typedef struct {
+    honggfuzz_t* global;
+    pid_t        pid;
+    int64_t      timeStartedUSecs;
+    char         crashFileName[PATH_MAX];
+    uint64_t     pc;
+    uint64_t     backtrace;
+    uint64_t     access;
+    int          exception;
+    char         report[_HF_REPORT_SIZE];
+    bool         mainWorker;
+    unsigned     mutationsPerRun;
+    dynfile_t*   dynfile;
+    bool         staticFileTryMore;
+    uint32_t     fuzzNo;
+    int          persistentSock;
+    runState_t   runState;
+    bool         tmOutSignaled;
+    char*        args[_HF_ARGS_MAX + 1];
+    int          perThreadCovFeedbackFd;
+    unsigned     triesLeft;
+    dynfile_t*   current;
+#if !defined(_HF_ARCH_DARWIN)
+    timer_t timerId;
+#endif    // !defined(_HF_ARCH_DARWIN)
+    hwcnt_t hwCnts;
+
+    struct {
+        /* For Linux code */
+        uint8_t* perfMmapBuf;
+        uint8_t* perfMmapAux;
+        int      cpuInstrFd;
+        int      cpuBranchFd;
+        int      cpuIptBtsFd;
+    } arch_linux;
+} run_t;
+
+#endif
--- a/custom_mutators/honggfuzz/input.h
+++ b/custom_mutators/honggfuzz/input.h
@ -0,0 +1,106 @@
+#ifndef _HG_INPUT_
+#define _HG_INPUT_
+
+#include <stdarg.h>
+#ifdef __clang__
+#include <stdatomic.h>
+#endif
+#include <stdbool.h>
+#include <stdint.h>
+#include <time.h>
+
+#include "honggfuzz.h"
+#include "afl-fuzz.h"
+
+/*
+ * Go-style defer scoped implementation
+ *
+ * If compiled with clang, use: -fblocks -lBlocksRuntime
+ *
+ * Example of use:
+ *
+ * {
+ *   int fd = open(fname, O_RDONLY);
+ *   if (fd == -1) {
+ *     error(....);
+ *     return;
+ *   }
+ *   defer { close(fd); };
+ *   ssize_t sz = read(fd, buf, sizeof(buf));
+ *   ...
+ *   ...
+ * }
+ *
+ */
+
+#define __STRMERGE(a, b) a##b
+#define _STRMERGE(a, b)  __STRMERGE(a, b)
+#ifdef __clang__
+#if __has_extension(blocks)
+static void __attribute__((unused)) __clang_cleanup_func(void (^*dfunc)(void)) {
+    (*dfunc)();
+}
+
+#define defer                                                                                      \
+    void (^_STRMERGE(__defer_f_, __COUNTER__))(void)                                               \
+        __attribute__((cleanup(__clang_cleanup_func))) __attribute__((unused)) = ^
+
+#else /* __has_extension(blocks) */
+#define defer UNIMPLEMENTED - NO - SUPPORT - FOR - BLOCKS - IN - YOUR - CLANG - ENABLED
+#endif /*  __has_extension(blocks) */
+#else  /* !__clang__, e.g.: gcc */
+
+#define __block
+#define _DEFER(a, count)                                                                            \
+    auto void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)));               \
+    int       _STRMERGE(__defer_var_, count) __attribute__((cleanup(_STRMERGE(__defer_f_, count)))) \
+        __attribute__((unused));                                                                    \
+    void _STRMERGE(__defer_f_, count)(void* _defer_arg __attribute__((unused)))
+#define defer _DEFER(a, __COUNTER__)
+#endif /* ifdef __clang__ */
+
+#define HF_MIN(x, y) (x <= y ? x : y)
+#define HF_MAX(x, y) (x >= y ? x : y)
+#define ATOMIC_GET
+#define ARRAYSIZE(x) (sizeof(x) / sizeof(*x))
+#define HF_ATTR_UNUSED __attribute__((unused))
+#define util_Malloc(x) malloc(x)
+
+extern uint8_t *         queue_input;
+extern size_t            queue_input_size;
+extern afl_state_t *     afl_struct;
+
+inline void wmb() { }
+inline void LOG_F(const char *format, ...) { }
+static inline uint64_t util_rndGet(uint64_t min, uint64_t max) {
+  return min + rand_below(afl_struct, max - min + 1);
+}
+static inline uint64_t util_rnd64() { return rand_below(afl_struct, 1 << 30); }
+
+static inline const uint8_t* input_getRandomInputAsBuf(run_t* run, size_t* len) {
+  *len = queue_input_size;
+  run->dynfile->data = queue_input;
+  run->dynfile->size = queue_input_size;
+  return queue_input;
+}
+static inline void input_setSize(run_t* run, size_t sz) {
+  run->dynfile->size = sz;
+}
+static inline void util_turnToPrintable(uint8_t* buf, size_t sz) {
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = buf[i] % 95 + 32;
+}
+static inline void util_rndBuf(uint8_t* buf, size_t sz) {
+  if (sz == 0) return;
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = (uint8_t)rand_below(afl_struct, 256);
+}
+static inline uint8_t util_rndPrintable() {
+  return 32 + rand_below(afl_struct, 127 - 32);
+}
+static inline void util_rndBufPrintable(uint8_t* buf, size_t sz) {
+  for (size_t i = 0; i < sz; i++)
+    buf[i] = util_rndPrintable();
+}
+
+#endif
--- a/custom_mutators/honggfuzz/libhfcommon/common.h
+++ b/custom_mutators/honggfuzz/libhfcommon/common.h
@ -0,0 +1,3 @@
+#ifndef LOG_E
+  #define LOG_E LOG_F
+#endif
--- a/custom_mutators/honggfuzz/libhfcommon/log.h
+++ b/custom_mutators/honggfuzz/libhfcommon/log.h
@ -0,0 +1 @@
+common.h
--- a/custom_mutators/honggfuzz/libhfcommon/util.h
+++ b/custom_mutators/honggfuzz/libhfcommon/util.h
@ -0,0 +1 @@
+common.h
--- a/custom_mutators/honggfuzz/mangle.c
+++ b/custom_mutators/honggfuzz/mangle.c
@ -0,0 +1,907 @@
+/*
+ *
+ * honggfuzz - run->dynfile->datafer mangling routines
+ * -----------------------------------------
+ *
+ * Author:
+ * Robert Swiecki <swiecki@google.com>
+ *
+ * Copyright 2010-2018 by Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ *
+ */
+
+#include "mangle.h"
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <time.h>
+
+#include "input.h"
+#include "libhfcommon/common.h"
+#include "libhfcommon/log.h"
+#include "libhfcommon/util.h"
+
+static inline size_t mangle_LenLeft(run_t* run, size_t off) {
+    if (off >= run->dynfile->size) {
+        LOG_F("Offset is too large: off:%zu >= len:%zu", off, run->dynfile->size);
+    }
+    return (run->dynfile->size - off - 1);
+}
+
+/*
+ * Get a random value <1:max>, but prefer smaller ones
+ * Based on an idea by https://twitter.com/gamozolabs
+ */
+static inline size_t mangle_getLen(size_t max) {
+    if (max > _HF_INPUT_MAX_SIZE) {
+        LOG_F("max (%zu) > _HF_INPUT_MAX_SIZE (%zu)", max, (size_t)_HF_INPUT_MAX_SIZE);
+    }
+    if (max == 0) {
+        LOG_F("max == 0");
+    }
+    if (max == 1) {
+        return 1;
+    }
+
+    /* Give 50% chance the the uniform distribution */
+    if (util_rnd64() & 1) {
+        return (size_t)util_rndGet(1, max);
+    }
+
+    /* effectively exprand() */
+    return (size_t)util_rndGet(1, util_rndGet(1, max));
+}
+
+/* Prefer smaller values here, so use mangle_getLen() */
+static inline size_t mangle_getOffSet(run_t* run) {
+    return mangle_getLen(run->dynfile->size) - 1;
+}
+
+/* Offset which can be equal to the file size */
+static inline size_t mangle_getOffSetPlus1(run_t* run) {
+    size_t reqlen = HF_MIN(run->dynfile->size + 1, _HF_INPUT_MAX_SIZE);
+    return mangle_getLen(reqlen) - 1;
+}
+
+static inline void mangle_Move(run_t* run, size_t off_from, size_t off_to, size_t len) {
+    if (off_from >= run->dynfile->size) {
+        return;
+    }
+    if (off_to >= run->dynfile->size) {
+        return;
+    }
+    if (off_from == off_to) {
+        return;
+    }
+
+    size_t len_from = run->dynfile->size - off_from;
+    len             = HF_MIN(len, len_from);
+
+    size_t len_to = run->dynfile->size - off_to;
+    len           = HF_MIN(len, len_to);
+
+    memmove(&run->dynfile->data[off_to], &run->dynfile->data[off_from], len);
+}
+
+static inline void mangle_Overwrite(
+    run_t* run, size_t off, const uint8_t* src, size_t len, bool printable) {
+    if (len == 0) {
+        return;
+    }
+    size_t maxToCopy = run->dynfile->size - off;
+    if (len > maxToCopy) {
+        len = maxToCopy;
+    }
+
+    memmove(&run->dynfile->data[off], src, len);
+    if (printable) {
+        util_turnToPrintable(&run->dynfile->data[off], len);
+    }
+}
+
+static inline size_t mangle_Inflate(run_t* run, size_t off, size_t len, bool printable) {
+    if (run->dynfile->size >= run->global->mutate.maxInputSz) {
+        return 0;
+    }
+    if (len > (run->global->mutate.maxInputSz - run->dynfile->size)) {
+        len = run->global->mutate.maxInputSz - run->dynfile->size;
+    }
+
+    input_setSize(run, run->dynfile->size + len);
+    mangle_Move(run, off, off + len, run->dynfile->size);
+    if (printable) {
+        memset(&run->dynfile->data[off], ' ', len);
+    }
+
+    return len;
+}
+
+static inline void mangle_Insert(
+    run_t* run, size_t off, const uint8_t* val, size_t len, bool printable) {
+    len = mangle_Inflate(run, off, len, printable);
+    mangle_Overwrite(run, off, val, len, printable);
+}
+
+static inline void mangle_UseValue(run_t* run, const uint8_t* val, size_t len, bool printable) {
+    if (util_rnd64() & 1) {
+        mangle_Overwrite(run, mangle_getOffSet(run), val, len, printable);
+    } else {
+        mangle_Insert(run, mangle_getOffSetPlus1(run), val, len, printable);
+    }
+}
+
+static inline void mangle_UseValueAt(
+    run_t* run, size_t off, const uint8_t* val, size_t len, bool printable) {
+    if (util_rnd64() & 1) {
+        mangle_Overwrite(run, off, val, len, printable);
+    } else {
+        mangle_Insert(run, off, val, len, printable);
+    }
+}
+
+static void mangle_MemSwap(run_t* run, bool printable HF_ATTR_UNUSED) {
+    /* No big deal if those two are overlapping */
+    size_t off1    = mangle_getOffSet(run);
+    size_t maxlen1 = run->dynfile->size - off1;
+    size_t off2    = mangle_getOffSet(run);
+    size_t maxlen2 = run->dynfile->size - off2;
+    size_t len     = mangle_getLen(HF_MIN(maxlen1, maxlen2));
+
+    if (off1 == off2) {
+        return;
+    }
+
+    for (size_t i = 0; i < (len / 2); i++) {
+        /*
+         * First - from the head, next from the tail. Don't worry about layout of the overlapping
+         * part - there's no good solution to that, and it can be left somewhat scrambled,
+         * while still preserving the entropy
+         */
+        const uint8_t tmp1                       = run->dynfile->data[off2 + i];
+        run->dynfile->data[off2 + i]             = run->dynfile->data[off1 + i];
+        run->dynfile->data[off1 + i]             = tmp1;
+        const uint8_t tmp2                       = run->dynfile->data[off2 + (len - 1) - i];
+        run->dynfile->data[off2 + (len - 1) - i] = run->dynfile->data[off1 + (len - 1) - i];
+        run->dynfile->data[off1 + (len - 1) - i] = tmp2;
+    }
+}
+
+static void mangle_MemCopy(run_t* run, bool printable HF_ATTR_UNUSED) {
+    size_t off = mangle_getOffSet(run);
+    size_t len = mangle_getLen(run->dynfile->size - off);
+
+    /* Use a temp buf, as Insert/Inflate can change source bytes */
+    uint8_t* tmpbuf = (uint8_t*)util_Malloc(len);
+    defer {
+        free(tmpbuf);
+    };
+    memmove(tmpbuf, &run->dynfile->data[off], len);
+
+    mangle_UseValue(run, tmpbuf, len, printable);
+}
+
+static void mangle_Bytes(run_t* run, bool printable) {
+    uint16_t buf;
+    if (printable) {
+        util_rndBufPrintable((uint8_t*)&buf, sizeof(buf));
+    } else {
+        buf = util_rnd64();
+    }
+
+    /* Overwrite with random 1-2-byte values */
+    size_t toCopy = util_rndGet(1, 2);
+    mangle_UseValue(run, (const uint8_t*)&buf, toCopy, printable);
+}
+
+static void mangle_ByteRepeat(run_t* run, bool printable) {
+    size_t off     = mangle_getOffSet(run);
+    size_t destOff = off + 1;
+    size_t maxSz   = run->dynfile->size - destOff;
+
+    /* No space to repeat */
+    if (!maxSz) {
+        mangle_Bytes(run, printable);
+        return;
+    }
+
+    size_t len = mangle_getLen(maxSz);
+    if (util_rnd64() & 0x1) {
+        len = mangle_Inflate(run, destOff, len, printable);
+    }
+    memset(&run->dynfile->data[destOff], run->dynfile->data[off], len);
+}
+
+static void mangle_Bit(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    run->dynfile->data[off] ^= (uint8_t)(1U << util_rndGet(0, 7));
+    if (printable) {
+        util_turnToPrintable(&(run->dynfile->data[off]), 1);
+    }
+}
+
+static const struct {
+    const uint8_t val[8];
+    const size_t  size;
+} mangleMagicVals[] = {
+    /* 1B - No endianness */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x01\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x02\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x03\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x04\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x05\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x06\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x07\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x08\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x09\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x10\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x20\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x40\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\x81\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 1},
+    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 1},
+    /* 2B - NE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x01\x01\x00\x00\x00\x00\x00\x00", 2},
+    {"\x80\x80\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFF\xFF\x00\x00\x00\x00\x00\x00", 2},
+    /* 2B - BE */
+    {"\x00\x01\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x02\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x03\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x04\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x05\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x06\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x07\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x08\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x09\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0A\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0B\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0C\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0D\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0E\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x0F\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x10\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x20\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x40\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x7E\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x7F\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x80\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x81\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\xC0\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\xFE\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\xFF\x00\x00\x00\x00\x00\x00", 2},
+    {"\x7E\xFF\x00\x00\x00\x00\x00\x00", 2},
+    {"\x7F\xFF\x00\x00\x00\x00\x00\x00", 2},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x80\x01\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFF\xFE\x00\x00\x00\x00\x00\x00", 2},
+    /* 2B - LE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x01\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x02\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x03\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x04\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x05\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x06\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x07\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x08\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x09\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x10\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x20\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x40\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\x81\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFF\x7E\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFF\x7F\x00\x00\x00\x00\x00\x00", 2},
+    {"\x00\x80\x00\x00\x00\x00\x00\x00", 2},
+    {"\x01\x80\x00\x00\x00\x00\x00\x00", 2},
+    {"\xFE\xFF\x00\x00\x00\x00\x00\x00", 2},
+    /* 4B - NE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x01\x01\x01\x01\x00\x00\x00\x00", 4},
+    {"\x80\x80\x80\x80\x00\x00\x00\x00", 4},
+    {"\xFF\xFF\xFF\xFF\x00\x00\x00\x00", 4},
+    /* 4B - BE */
+    {"\x00\x00\x00\x01\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x02\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x03\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x04\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x05\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x06\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x07\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x08\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x09\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0A\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0B\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0C\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0D\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0E\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x0F\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x10\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x20\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x40\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x7E\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x7F\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x80\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x81\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\xC0\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\xFE\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\xFF\x00\x00\x00\x00", 4},
+    {"\x7E\xFF\xFF\xFF\x00\x00\x00\x00", 4},
+    {"\x7F\xFF\xFF\xFF\x00\x00\x00\x00", 4},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x80\x00\x00\x01\x00\x00\x00\x00", 4},
+    {"\xFF\xFF\xFF\xFE\x00\x00\x00\x00", 4},
+    /* 4B - LE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x01\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x02\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x03\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x04\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x05\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x06\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x07\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x08\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x09\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x10\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x20\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x40\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\x81\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 4},
+    {"\xFF\xFF\xFF\x7E\x00\x00\x00\x00", 4},
+    {"\xFF\xFF\xFF\x7F\x00\x00\x00\x00", 4},
+    {"\x00\x00\x00\x80\x00\x00\x00\x00", 4},
+    {"\x01\x00\x00\x80\x00\x00\x00\x00", 4},
+    {"\xFE\xFF\xFF\xFF\x00\x00\x00\x00", 4},
+    /* 8B - NE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x01\x01\x01\x01\x01\x01\x01\x01", 8},
+    {"\x80\x80\x80\x80\x80\x80\x80\x80", 8},
+    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
+    /* 8B - BE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x01", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x02", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x03", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x04", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x05", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x06", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x07", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x08", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x09", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0A", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0B", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0C", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0D", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0E", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x0F", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x10", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x20", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x40", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x7E", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x7F", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x81", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\xC0", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\xFE", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\xFF", 8},
+    {"\x7E\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
+    {"\x7F\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x80\x00\x00\x00\x00\x00\x00\x01", 8},
+    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFE", 8},
+    /* 8B - LE */
+    {"\x00\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x01\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x02\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x03\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x04\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x05\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x06\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x07\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x08\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x09\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0A\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0B\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0C\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0D\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0E\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x0F\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x10\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x20\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x40\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x7E\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x7F\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x80\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\x81\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\xC0\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\xFE\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\xFF\x00\x00\x00\x00\x00\x00\x00", 8},
+    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7E", 8},
+    {"\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x7F", 8},
+    {"\x00\x00\x00\x00\x00\x00\x00\x80", 8},
+    {"\x01\x00\x00\x00\x00\x00\x00\x80", 8},
+    {"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 8},
+};
+
+static void mangle_Magic(run_t* run, bool printable) {
+    uint64_t choice = util_rndGet(0, ARRAYSIZE(mangleMagicVals) - 1);
+    mangle_UseValue(run, mangleMagicVals[choice].val, mangleMagicVals[choice].size, printable);
+}
+
+static void mangle_StaticDict(run_t* run, bool printable) {
+    if (run->global->mutate.dictionaryCnt == 0) {
+        mangle_Bytes(run, printable);
+        return;
+    }
+    uint64_t choice = util_rndGet(0, run->global->mutate.dictionaryCnt - 1);
+    mangle_UseValue(run, run->global->mutate.dictionary[choice].val,
+        run->global->mutate.dictionary[choice].len, printable);
+}
+
+static inline const uint8_t* mangle_FeedbackDict(run_t* run, size_t* len) {
+    if (!run->global->feedback.cmpFeedback) {
+        return NULL;
+    }
+    cmpfeedback_t* cmpf = run->global->feedback.cmpFeedbackMap;
+    uint32_t       cnt  = ATOMIC_GET(cmpf->cnt);
+    if (cnt == 0) {
+        return NULL;
+    }
+    if (cnt > ARRAYSIZE(cmpf->valArr)) {
+        cnt = ARRAYSIZE(cmpf->valArr);
+    }
+    uint32_t choice = util_rndGet(0, cnt - 1);
+    *len            = (size_t)ATOMIC_GET(cmpf->valArr[choice].len);
+    if (*len == 0) {
+        return NULL;
+    }
+    return cmpf->valArr[choice].val;
+}
+
+static void mangle_ConstFeedbackDict(run_t* run, bool printable) {
+    size_t         len;
+    const uint8_t* val = mangle_FeedbackDict(run, &len);
+    if (val == NULL) {
+        mangle_Bytes(run, printable);
+        return;
+    }
+    mangle_UseValue(run, val, len, printable);
+}
+
+static void mangle_MemSet(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    size_t len = mangle_getLen(run->dynfile->size - off);
+    int    val = printable ? (int)util_rndPrintable() : (int)util_rndGet(0, UINT8_MAX);
+
+    if (util_rnd64() & 1) {
+        len = mangle_Inflate(run, off, len, printable);
+    }
+
+    memset(&run->dynfile->data[off], val, len);
+}
+
+static void mangle_MemClr(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    size_t len = mangle_getLen(run->dynfile->size - off);
+    int    val = printable ? ' ' : 0;
+
+    if (util_rnd64() & 1) {
+        len = mangle_Inflate(run, off, len, printable);
+    }
+
+    memset(&run->dynfile->data[off], val, len);
+}
+
+static void mangle_RandomBuf(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    size_t len = mangle_getLen(run->dynfile->size - off);
+
+    if (util_rnd64() & 1) {
+        len = mangle_Inflate(run, off, len, printable);
+    }
+
+    if (printable) {
+        util_rndBufPrintable(&run->dynfile->data[off], len);
+    } else {
+        util_rndBuf(&run->dynfile->data[off], len);
+    }
+}
+
+static inline void mangle_AddSubWithRange(
+    run_t* run, size_t off, size_t varLen, uint64_t range, bool printable) {
+    int64_t delta = (int64_t)util_rndGet(0, range * 2) - (int64_t)range;
+
+    switch (varLen) {
+        case 1: {
+            run->dynfile->data[off] += delta;
+            break;
+        }
+        case 2: {
+            int16_t val;
+            memcpy(&val, &run->dynfile->data[off], sizeof(val));
+            if (util_rnd64() & 0x1) {
+                val += delta;
+            } else {
+                /* Foreign endianess */
+                val = __builtin_bswap16(val);
+                val += delta;
+                val = __builtin_bswap16(val);
+            }
+            mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
+            break;
+        }
+        case 4: {
+            int32_t val;
+            memcpy(&val, &run->dynfile->data[off], sizeof(val));
+            if (util_rnd64() & 0x1) {
+                val += delta;
+            } else {
+                /* Foreign endianess */
+                val = __builtin_bswap32(val);
+                val += delta;
+                val = __builtin_bswap32(val);
+            }
+            mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
+            break;
+        }
+        case 8: {
+            int64_t val;
+            memcpy(&val, &run->dynfile->data[off], sizeof(val));
+            if (util_rnd64() & 0x1) {
+                val += delta;
+            } else {
+                /* Foreign endianess */
+                val = __builtin_bswap64(val);
+                val += delta;
+                val = __builtin_bswap64(val);
+            }
+            mangle_Overwrite(run, off, (uint8_t*)&val, varLen, printable);
+            break;
+        }
+        default: {
+            LOG_F("Unknown variable length size: %zu", varLen);
+        }
+    }
+}
+
+static void mangle_AddSub(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+
+    /* 1,2,4,8 */
+    size_t varLen = 1U << util_rndGet(0, 3);
+    if ((run->dynfile->size - off) < varLen) {
+        varLen = 1;
+    }
+
+    uint64_t range;
+    switch (varLen) {
+        case 1:
+            range = 16;
+            break;
+        case 2:
+            range = 4096;
+            break;
+        case 4:
+            range = 1048576;
+            break;
+        case 8:
+            range = 268435456;
+            break;
+        default:
+            LOG_F("Invalid operand size: %zu", varLen);
+    }
+
+    mangle_AddSubWithRange(run, off, varLen, range, printable);
+}
+
+static void mangle_IncByte(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    if (printable) {
+        run->dynfile->data[off] = (run->dynfile->data[off] - 32 + 1) % 95 + 32;
+    } else {
+        run->dynfile->data[off] += (uint8_t)1UL;
+    }
+}
+
+static void mangle_DecByte(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    if (printable) {
+        run->dynfile->data[off] = (run->dynfile->data[off] - 32 + 94) % 95 + 32;
+    } else {
+        run->dynfile->data[off] -= (uint8_t)1UL;
+    }
+}
+
+static void mangle_NegByte(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    if (printable) {
+        run->dynfile->data[off] = 94 - (run->dynfile->data[off] - 32) + 32;
+    } else {
+        run->dynfile->data[off] = ~(run->dynfile->data[off]);
+    }
+}
+
+static void mangle_Expand(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+    size_t len;
+    if (util_rnd64() % 16) {
+        len = mangle_getLen(HF_MIN(16, run->global->mutate.maxInputSz - off));
+    } else {
+        len = mangle_getLen(run->global->mutate.maxInputSz - off);
+    }
+
+    mangle_Inflate(run, off, len, printable);
+}
+
+static void mangle_Shrink(run_t* run, bool printable HF_ATTR_UNUSED) {
+    if (run->dynfile->size <= 2U) {
+        return;
+    }
+
+    size_t off_start = mangle_getOffSet(run);
+    size_t len       = mangle_LenLeft(run, off_start);
+    if (len == 0) {
+        return;
+    }
+    if (util_rnd64() % 16) {
+        len = mangle_getLen(HF_MIN(16, len));
+    } else {
+        len = mangle_getLen(len);
+    }
+    size_t off_end     = off_start + len;
+    size_t len_to_move = run->dynfile->size - off_end;
+
+    mangle_Move(run, off_end, off_start, len_to_move);
+    input_setSize(run, run->dynfile->size - len);
+}
+static void mangle_ASCIINum(run_t* run, bool printable) {
+    size_t len = util_rndGet(2, 8);
+
+    char buf[20];
+    snprintf(buf, sizeof(buf), "%-19" PRId64, (int64_t)util_rnd64());
+
+    mangle_UseValue(run, (const uint8_t*)buf, len, printable);
+}
+
+static void mangle_ASCIINumChange(run_t* run, bool printable) {
+    size_t off = mangle_getOffSet(run);
+
+    /* Find a digit */
+    for (; off < run->dynfile->size; off++) {
+        if (isdigit(run->dynfile->data[off])) {
+            break;
+        }
+    }
+    size_t left = run->dynfile->size - off;
+    if (left == 0) {
+        return;
+    }
+
+    size_t   len = 0;
+    uint64_t val = 0;
+    /* 20 is maximum lenght of a string representing a 64-bit unsigned value */
+    for (len = 0; (len < 20) && (len < left); len++) {
+        char c = run->dynfile->data[off + len];
+        if (!isdigit(c)) {
+            break;
+        }
+        val *= 10;
+        val += (c - '0');
+    }
+
+    switch (util_rndGet(0, 7)) {
+        case 0:
+            val++;
+            break;
+        case 1:
+            val--;
+            break;
+        case 2:
+            val *= 2;
+            break;
+        case 3:
+            val /= 2;
+            break;
+        case 4:
+            val = util_rnd64();
+            break;
+        case 5:
+            val += util_rndGet(1, 256);
+            break;
+        case 6:
+            val -= util_rndGet(1, 256);
+            break;
+        case 7:
+            val = ~(val);
+            break;
+        default:
+            LOG_F("Invalid choice");
+    };
+
+    char buf[20];
+    snprintf(buf, sizeof(buf), "%-19" PRIu64, val);
+
+    mangle_UseValueAt(run, off, (const uint8_t*)buf, len, printable);
+}
+
+static void mangle_Splice(run_t* run, bool printable) {
+    if (run->global->feedback.dynFileMethod == _HF_DYNFILE_NONE) {
+        mangle_Bytes(run, printable);
+        return;
+    }
+
+    size_t         sz  = 0;
+    const uint8_t* buf = input_getRandomInputAsBuf(run, &sz);
+    if (!buf) {
+        LOG_E("input_getRandomInputAsBuf() returned no input");
+        mangle_Bytes(run, printable);
+        return;
+    }
+    if (!sz) {
+        mangle_Bytes(run, printable);
+        return;
+    }
+
+    size_t remoteOff = mangle_getLen(sz) - 1;
+    size_t len       = mangle_getLen(sz - remoteOff);
+    mangle_UseValue(run, &buf[remoteOff], len, printable);
+}
+
+static void mangle_Resize(run_t* run, bool printable) {
+    ssize_t oldsz = run->dynfile->size;
+    ssize_t newsz = 0;
+
+    uint64_t choice = util_rndGet(0, 32);
+    switch (choice) {
+        case 0: /* Set new size arbitrarily */
+            newsz = (ssize_t)util_rndGet(1, run->global->mutate.maxInputSz);
+            break;
+        case 1 ... 4: /* Increase size by a small value */
+            newsz = oldsz + (ssize_t)util_rndGet(0, 8);
+            break;
+        case 5: /* Increase size by a larger value */
+            newsz = oldsz + (ssize_t)util_rndGet(9, 128);
+            break;
+        case 6 ... 9: /* Decrease size by a small value */
+            newsz = oldsz - (ssize_t)util_rndGet(0, 8);
+            break;
+        case 10: /* Decrease size by a larger value */
+            newsz = oldsz - (ssize_t)util_rndGet(9, 128);
+            break;
+        case 11 ... 32: /* Do nothing */
+            newsz = oldsz;
+            break;
+        default:
+            LOG_F("Illegal value from util_rndGet: %" PRIu64, choice);
+            break;
+    }
+    if (newsz < 1) {
+        newsz = 1;
+    }
+    if (newsz > (ssize_t)run->global->mutate.maxInputSz) {
+        newsz = run->global->mutate.maxInputSz;
+    }
+
+    input_setSize(run, (size_t)newsz);
+    if (newsz > oldsz) {
+        if (printable) {
+            memset(&run->dynfile->data[oldsz], ' ', newsz - oldsz);
+        }
+    }
+}
+
+void mangle_mangleContent(run_t* run, int speed_factor) {
+    static void (*const mangleFuncs[])(run_t * run, bool printable) = {
+        mangle_Shrink,
+        mangle_Expand,
+        mangle_Bit,
+        mangle_IncByte,
+        mangle_DecByte,
+        mangle_NegByte,
+        mangle_AddSub,
+        mangle_MemSet,
+        mangle_MemClr,
+        mangle_MemSwap,
+        mangle_MemCopy,
+        mangle_Bytes,
+        mangle_ASCIINum,
+        mangle_ASCIINumChange,
+        mangle_ByteRepeat,
+        mangle_Magic,
+        mangle_StaticDict,
+        mangle_ConstFeedbackDict,
+        mangle_RandomBuf,
+        mangle_Splice,
+    };
+
+    if (run->mutationsPerRun == 0U) {
+        return;
+    }
+    if (run->dynfile->size == 0U) {
+        mangle_Resize(run, /* printable= */ run->global->cfg.only_printable);
+    }
+
+    uint64_t changesCnt = run->global->mutate.mutationsPerRun;
+
+    if (speed_factor < 5) {
+        changesCnt = util_rndGet(1, run->global->mutate.mutationsPerRun);
+    } else if (speed_factor < 10) {
+        changesCnt = run->global->mutate.mutationsPerRun;
+    } else {
+        changesCnt = HF_MIN(speed_factor, 10);
+        changesCnt = HF_MAX(changesCnt, (run->global->mutate.mutationsPerRun * 5));
+    }
+
+    /* If last coverage acquisition was more than 5 secs ago, use splicing more frequently */
+    if ((time(NULL) - ATOMIC_GET(run->global->timing.lastCovUpdate)) > 5) {
+        if (util_rnd64() & 0x1) {
+            mangle_Splice(run, run->global->cfg.only_printable);
+        }
+    }
+
+    for (uint64_t x = 0; x < changesCnt; x++) {
+        if (run->global->feedback.cmpFeedback && (util_rnd64() & 0x1)) {
+            /*
+             * mangle_ConstFeedbackDict() is quite powerful if the dynamic feedback dictionary
+             * exists. If so, give it 50% chance of being used among all mangling functions.
+             */
+            mangle_ConstFeedbackDict(run, /* printable= */ run->global->cfg.only_printable);
+        } else {
+            uint64_t choice = util_rndGet(0, ARRAYSIZE(mangleFuncs) - 1);
+            mangleFuncs[choice](run, /* printable= */ run->global->cfg.only_printable);
+        }
+    }
+
+    wmb();
+}
--- a/custom_mutators/honggfuzz/mangle.h
+++ b/custom_mutators/honggfuzz/mangle.h
@ -0,0 +1,31 @@
+/*
+ *
+ * honggfuzz - buffer mangling routines
+ * -----------------------------------------
+ *
+ * Author: Robert Swiecki <swiecki@google.com>
+ *
+ * Copyright 2010-2018 by Google Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License. You may obtain
+ * a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ *
+ */
+
+#ifndef _HF_MANGLE_H_
+#define _HF_MANGLE_H_
+
+#include "honggfuzz.h"
+
+extern void mangle_mangleContent(run_t* run, int speed_factor);
+
+#endif
--- a/custom_mutators/libfuzzer/FuzzerBuiltins.h
+++ b/custom_mutators/libfuzzer/FuzzerBuiltins.h
@ -0,0 +1,35 @@
+//===- FuzzerBuiltins.h - Internal header for builtins ----------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Wrapper functions and macros around builtin functions.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_BUILTINS_H
+#define LLVM_FUZZER_BUILTINS_H
+
+#include "FuzzerPlatform.h"
+
+#if !LIBFUZZER_MSVC
+#include <cstdint>
+
+#define GET_CALLER_PC() __builtin_return_address(0)
+
+namespace fuzzer {
+
+inline uint8_t  Bswap(uint8_t x)  { return x; }
+inline uint16_t Bswap(uint16_t x) { return __builtin_bswap16(x); }
+inline uint32_t Bswap(uint32_t x) { return __builtin_bswap32(x); }
+inline uint64_t Bswap(uint64_t x) { return __builtin_bswap64(x); }
+
+inline uint32_t Clzll(unsigned long long X) { return __builtin_clzll(X); }
+inline uint32_t Clz(unsigned long long X) { return __builtin_clz(X); }
+inline int Popcountll(unsigned long long X) { return __builtin_popcountll(X); }
+
+}  // namespace fuzzer
+
+#endif  // !LIBFUZZER_MSVC
+#endif  // LLVM_FUZZER_BUILTINS_H
--- a/custom_mutators/libfuzzer/FuzzerBuiltinsMsvc.h
+++ b/custom_mutators/libfuzzer/FuzzerBuiltinsMsvc.h
@ -0,0 +1,72 @@
+//===- FuzzerBuiltinsMSVC.h - Internal header for builtins ------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Wrapper functions and macros that use intrinsics instead of builtin functions
+// which cannot be compiled by MSVC.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_BUILTINS_MSVC_H
+#define LLVM_FUZZER_BUILTINS_MSVC_H
+
+#include "FuzzerPlatform.h"
+
+#if LIBFUZZER_MSVC
+#include <intrin.h>
+#include <cstdint>
+#include <cstdlib>
+
+// __builtin_return_address() cannot be compiled with MSVC. Use the equivalent
+// from <intrin.h>
+#define GET_CALLER_PC() _ReturnAddress()
+
+namespace fuzzer {
+
+inline uint8_t  Bswap(uint8_t x)  { return x; }
+// Use alternatives to __builtin functions from <stdlib.h> and <intrin.h> on
+// Windows since the builtins are not supported by MSVC.
+inline uint16_t Bswap(uint16_t x) { return _byteswap_ushort(x); }
+inline uint32_t Bswap(uint32_t x) { return _byteswap_ulong(x); }
+inline uint64_t Bswap(uint64_t x) { return _byteswap_uint64(x); }
+
+// The functions below were mostly copied from
+// compiler-rt/lib/builtins/int_lib.h which defines the __builtin functions used
+// outside of Windows.
+inline uint32_t Clzll(uint64_t X) {
+  unsigned long LeadZeroIdx = 0;
+
+#if !defined(_M_ARM) && !defined(_M_X64)
+  // Scan the high 32 bits.
+  if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X >> 32)))
+    return static_cast<int>(63 - (LeadZeroIdx + 32)); // Create a bit offset from the MSB.
+  // Scan the low 32 bits.
+  if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X)))
+    return static_cast<int>(63 - LeadZeroIdx);
+
+#else
+  if (_BitScanReverse64(&LeadZeroIdx, X)) return 63 - LeadZeroIdx;
+#endif
+  return 64;
+}
+
+inline uint32_t Clz(uint32_t X) {
+  unsigned long LeadZeroIdx = 0;
+  if (_BitScanReverse(&LeadZeroIdx, X)) return 31 - LeadZeroIdx;
+  return 32;
+}
+
+inline int Popcountll(unsigned long long X) {
+#if !defined(_M_ARM) && !defined(_M_X64)
+  return __popcnt(X) + __popcnt(X >> 32);
+#else
+  return __popcnt64(X);
+#endif
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZER_MSVC
+#endif  // LLVM_FUZZER_BUILTINS_MSVC_H
--- a/custom_mutators/libfuzzer/FuzzerCommand.h
+++ b/custom_mutators/libfuzzer/FuzzerCommand.h
@ -0,0 +1,178 @@
+//===- FuzzerCommand.h - Interface representing a process -------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// FuzzerCommand represents a command to run in a subprocess.  It allows callers
+// to manage command line arguments and output and error streams.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_COMMAND_H
+#define LLVM_FUZZER_COMMAND_H
+
+#include "FuzzerDefs.h"
+#include "FuzzerIO.h"
+
+#include <algorithm>
+#include <sstream>
+#include <string>
+#include <vector>
+
+namespace fuzzer {
+
+class Command final {
+public:
+  // This command line flag is used to indicate that the remaining command line
+  // is immutable, meaning this flag effectively marks the end of the mutable
+  // argument list.
+  static inline const char *ignoreRemainingArgs() {
+    return "-ignore_remaining_args=1";
+  }
+
+  Command() : CombinedOutAndErr(false) {}
+
+  explicit Command(const Vector<std::string> &ArgsToAdd)
+      : Args(ArgsToAdd), CombinedOutAndErr(false) {}
+
+  explicit Command(const Command &Other)
+      : Args(Other.Args), CombinedOutAndErr(Other.CombinedOutAndErr),
+        OutputFile(Other.OutputFile) {}
+
+  Command &operator=(const Command &Other) {
+    Args = Other.Args;
+    CombinedOutAndErr = Other.CombinedOutAndErr;
+    OutputFile = Other.OutputFile;
+    return *this;
+  }
+
+  ~Command() {}
+
+  // Returns true if the given Arg is present in Args.  Only checks up to
+  // "-ignore_remaining_args=1".
+  bool hasArgument(const std::string &Arg) const {
+    auto i = endMutableArgs();
+    return std::find(Args.begin(), i, Arg) != i;
+  }
+
+  // Gets all of the current command line arguments, **including** those after
+  // "-ignore-remaining-args=1".
+  const Vector<std::string> &getArguments() const { return Args; }
+
+  // Adds the given argument before "-ignore_remaining_args=1", or at the end
+  // if that flag isn't present.
+  void addArgument(const std::string &Arg) {
+    Args.insert(endMutableArgs(), Arg);
+  }
+
+  // Adds all given arguments before "-ignore_remaining_args=1", or at the end
+  // if that flag isn't present.
+  void addArguments(const Vector<std::string> &ArgsToAdd) {
+    Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end());
+  }
+
+  // Removes the given argument from the command argument list.  Ignores any
+  // occurrences after "-ignore_remaining_args=1", if present.
+  void removeArgument(const std::string &Arg) {
+    auto i = endMutableArgs();
+    Args.erase(std::remove(Args.begin(), i, Arg), i);
+  }
+
+  // Like hasArgument, but checks for "-[Flag]=...".
+  bool hasFlag(const std::string &Flag) const {
+    std::string Arg("-" + Flag + "=");
+    auto IsMatch = [&](const std::string &Other) {
+      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
+    };
+    return std::any_of(Args.begin(), endMutableArgs(), IsMatch);
+  }
+
+  // Returns the value of the first instance of a given flag, or an empty string
+  // if the flag isn't present.  Ignores any occurrences after
+  // "-ignore_remaining_args=1", if present.
+  std::string getFlagValue(const std::string &Flag) const {
+    std::string Arg("-" + Flag + "=");
+    auto IsMatch = [&](const std::string &Other) {
+      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
+    };
+    auto i = endMutableArgs();
+    auto j = std::find_if(Args.begin(), i, IsMatch);
+    std::string result;
+    if (j != i) {
+      result = j->substr(Arg.length());
+    }
+    return result;
+  }
+
+  // Like AddArgument, but adds "-[Flag]=[Value]".
+  void addFlag(const std::string &Flag, const std::string &Value) {
+    addArgument("-" + Flag + "=" + Value);
+  }
+
+  // Like RemoveArgument, but removes "-[Flag]=...".
+  void removeFlag(const std::string &Flag) {
+    std::string Arg("-" + Flag + "=");
+    auto IsMatch = [&](const std::string &Other) {
+      return Arg.compare(0, std::string::npos, Other, 0, Arg.length()) == 0;
+    };
+    auto i = endMutableArgs();
+    Args.erase(std::remove_if(Args.begin(), i, IsMatch), i);
+  }
+
+  // Returns whether the command's stdout is being written to an output file.
+  bool hasOutputFile() const { return !OutputFile.empty(); }
+
+  // Returns the currently set output file.
+  const std::string &getOutputFile() const { return OutputFile; }
+
+  // Configures the command to redirect its output to the name file.
+  void setOutputFile(const std::string &FileName) { OutputFile = FileName; }
+
+  // Returns whether the command's stderr is redirected to stdout.
+  bool isOutAndErrCombined() const { return CombinedOutAndErr; }
+
+  // Sets whether to redirect the command's stderr to its stdout.
+  void combineOutAndErr(bool combine = true) { CombinedOutAndErr = combine; }
+
+  // Returns a string representation of the command.  On many systems this will
+  // be the equivalent command line.
+  std::string toString() const {
+    std::stringstream SS;
+    for (auto arg : getArguments())
+      SS << arg << " ";
+    if (hasOutputFile())
+      SS << ">" << getOutputFile() << " ";
+    if (isOutAndErrCombined())
+      SS << "2>&1 ";
+    std::string result = SS.str();
+    if (!result.empty())
+      result = result.substr(0, result.length() - 1);
+    return result;
+  }
+
+private:
+  Command(Command &&Other) = delete;
+  Command &operator=(Command &&Other) = delete;
+
+  Vector<std::string>::iterator endMutableArgs() {
+    return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
+  }
+
+  Vector<std::string>::const_iterator endMutableArgs() const {
+    return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
+  }
+
+  // The command arguments.  Args[0] is the command name.
+  Vector<std::string> Args;
+
+  // True indicates stderr is redirected to stdout.
+  bool CombinedOutAndErr;
+
+  // If not empty, stdout is redirected to the named file.
+  std::string OutputFile;
+};
+
+} // namespace fuzzer
+
+#endif // LLVM_FUZZER_COMMAND_H
--- a/custom_mutators/libfuzzer/FuzzerCorpus.h
+++ b/custom_mutators/libfuzzer/FuzzerCorpus.h
@ -0,0 +1,581 @@
+//===- FuzzerCorpus.h - Internal header for the Fuzzer ----------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::InputCorpus
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_CORPUS
+#define LLVM_FUZZER_CORPUS
+
+#include "FuzzerDataFlowTrace.h"
+#include "FuzzerDefs.h"
+#include "FuzzerIO.h"
+#include "FuzzerRandom.h"
+#include "FuzzerSHA1.h"
+#include "FuzzerTracePC.h"
+#include <algorithm>
+#include <chrono>
+#include <numeric>
+#include <random>
+#include <unordered_set>
+
+namespace fuzzer {
+
+struct InputInfo {
+  Unit U;  // The actual input data.
+  std::chrono::microseconds TimeOfUnit;
+  uint8_t Sha1[kSHA1NumBytes];  // Checksum.
+  // Number of features that this input has and no smaller input has.
+  size_t NumFeatures = 0;
+  size_t Tmp = 0; // Used by ValidateFeatureSet.
+  // Stats.
+  size_t NumExecutedMutations = 0;
+  size_t NumSuccessfullMutations = 0;
+  bool NeverReduce = false;
+  bool MayDeleteFile = false;
+  bool Reduced = false;
+  bool HasFocusFunction = false;
+  Vector<uint32_t> UniqFeatureSet;
+  Vector<uint8_t> DataFlowTraceForFocusFunction;
+  // Power schedule.
+  bool NeedsEnergyUpdate = false;
+  double Energy = 0.0;
+  size_t SumIncidence = 0;
+  Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs;
+
+  // Delete feature Idx and its frequency from FeatureFreqs.
+  bool DeleteFeatureFreq(uint32_t Idx) {
+    if (FeatureFreqs.empty())
+      return false;
+
+    // Binary search over local feature frequencies sorted by index.
+    auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),
+                                  std::pair<uint32_t, uint16_t>(Idx, 0));
+
+    if (Lower != FeatureFreqs.end() && Lower->first == Idx) {
+      FeatureFreqs.erase(Lower);
+      return true;
+    }
+    return false;
+  }
+
+  // Assign more energy to a high-entropy seed, i.e., that reveals more
+  // information about the globally rare features in the neighborhood of the
+  // seed. Since we do not know the entropy of a seed that has never been
+  // executed we assign fresh seeds maximum entropy and let II->Energy approach
+  // the true entropy from above. If ScalePerExecTime is true, the computed
+  // entropy is scaled based on how fast this input executes compared to the
+  // average execution time of inputs. The faster an input executes, the more
+  // energy gets assigned to the input.
+  void UpdateEnergy(size_t GlobalNumberOfFeatures, bool ScalePerExecTime,
+                    std::chrono::microseconds AverageUnitExecutionTime) {
+    Energy = 0.0;
+    SumIncidence = 0;
+
+    // Apply add-one smoothing to locally discovered features.
+    for (auto F : FeatureFreqs) {
+      size_t LocalIncidence = F.second + 1;
+      Energy -= LocalIncidence * logl(LocalIncidence);
+      SumIncidence += LocalIncidence;
+    }
+
+    // Apply add-one smoothing to locally undiscovered features.
+    //   PreciseEnergy -= 0; // since logl(1.0) == 0)
+    SumIncidence += (GlobalNumberOfFeatures - FeatureFreqs.size());
+
+    // Add a single locally abundant feature apply add-one smoothing.
+    size_t AbdIncidence = NumExecutedMutations + 1;
+    Energy -= AbdIncidence * logl(AbdIncidence);
+    SumIncidence += AbdIncidence;
+
+    // Normalize.
+    if (SumIncidence != 0)
+      Energy = (Energy / SumIncidence) + logl(SumIncidence);
+
+    if (ScalePerExecTime) {
+      // Scaling to favor inputs with lower execution time.
+      uint32_t PerfScore = 100;
+      if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 10)
+        PerfScore = 10;
+      else if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 4)
+        PerfScore = 25;
+      else if (TimeOfUnit.count() > AverageUnitExecutionTime.count() * 2)
+        PerfScore = 50;
+      else if (TimeOfUnit.count() * 3 > AverageUnitExecutionTime.count() * 4)
+        PerfScore = 75;
+      else if (TimeOfUnit.count() * 4 < AverageUnitExecutionTime.count())
+        PerfScore = 300;
+      else if (TimeOfUnit.count() * 3 < AverageUnitExecutionTime.count())
+        PerfScore = 200;
+      else if (TimeOfUnit.count() * 2 < AverageUnitExecutionTime.count())
+        PerfScore = 150;
+
+      Energy *= PerfScore;
+    }
+  }
+
+  // Increment the frequency of the feature Idx.
+  void UpdateFeatureFrequency(uint32_t Idx) {
+    NeedsEnergyUpdate = true;
+
+    // The local feature frequencies is an ordered vector of pairs.
+    // If there are no local feature frequencies, push_back preserves order.
+    // Set the feature frequency for feature Idx32 to 1.
+    if (FeatureFreqs.empty()) {
+      FeatureFreqs.push_back(std::pair<uint32_t, uint16_t>(Idx, 1));
+      return;
+    }
+
+    // Binary search over local feature frequencies sorted by index.
+    auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),
+                                  std::pair<uint32_t, uint16_t>(Idx, 0));
+
+    // If feature Idx32 already exists, increment its frequency.
+    // Otherwise, insert a new pair right after the next lower index.
+    if (Lower != FeatureFreqs.end() && Lower->first == Idx) {
+      Lower->second++;
+    } else {
+      FeatureFreqs.insert(Lower, std::pair<uint32_t, uint16_t>(Idx, 1));
+    }
+  }
+};
+
+struct EntropicOptions {
+  bool Enabled;
+  size_t NumberOfRarestFeatures;
+  size_t FeatureFrequencyThreshold;
+  bool ScalePerExecTime;
+};
+
+class InputCorpus {
+  static const uint32_t kFeatureSetSize = 1 << 21;
+  static const uint8_t kMaxMutationFactor = 20;
+  static const size_t kSparseEnergyUpdates = 100;
+
+  size_t NumExecutedMutations = 0;
+
+  EntropicOptions Entropic;
+
+public:
+  InputCorpus(const std::string &OutputCorpus, EntropicOptions Entropic)
+      : Entropic(Entropic), OutputCorpus(OutputCorpus) {
+    memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
+    memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));
+  }
+  ~InputCorpus() {
+    for (auto II : Inputs)
+      delete II;
+  }
+  size_t size() const { return Inputs.size(); }
+  size_t SizeInBytes() const {
+    size_t Res = 0;
+    for (auto II : Inputs)
+      Res += II->U.size();
+    return Res;
+  }
+  size_t NumActiveUnits() const {
+    size_t Res = 0;
+    for (auto II : Inputs)
+      Res += !II->U.empty();
+    return Res;
+  }
+  size_t MaxInputSize() const {
+    size_t Res = 0;
+    for (auto II : Inputs)
+        Res = std::max(Res, II->U.size());
+    return Res;
+  }
+  void IncrementNumExecutedMutations() { NumExecutedMutations++; }
+
+  size_t NumInputsThatTouchFocusFunction() {
+    return std::count_if(Inputs.begin(), Inputs.end(), [](const InputInfo *II) {
+      return II->HasFocusFunction;
+    });
+  }
+
+  size_t NumInputsWithDataFlowTrace() {
+    return std::count_if(Inputs.begin(), Inputs.end(), [](const InputInfo *II) {
+      return !II->DataFlowTraceForFocusFunction.empty();
+    });
+  }
+
+  bool empty() const { return Inputs.empty(); }
+  const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
+  InputInfo *AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
+                         bool HasFocusFunction, bool NeverReduce,
+                         std::chrono::microseconds TimeOfUnit,
+                         const Vector<uint32_t> &FeatureSet,
+                         const DataFlowTrace &DFT, const InputInfo *BaseII) {
+    assert(!U.empty());
+    if (FeatureDebug)
+      Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
+    Inputs.push_back(new InputInfo());
+    InputInfo &II = *Inputs.back();
+    II.U = U;
+    II.NumFeatures = NumFeatures;
+    II.NeverReduce = NeverReduce;
+    II.TimeOfUnit = TimeOfUnit;
+    II.MayDeleteFile = MayDeleteFile;
+    II.UniqFeatureSet = FeatureSet;
+    II.HasFocusFunction = HasFocusFunction;
+    // Assign maximal energy to the new seed.
+    II.Energy = RareFeatures.empty() ? 1.0 : log(RareFeatures.size());
+    II.SumIncidence = RareFeatures.size();
+    II.NeedsEnergyUpdate = false;
+    std::sort(II.UniqFeatureSet.begin(), II.UniqFeatureSet.end());
+    ComputeSHA1(U.data(), U.size(), II.Sha1);
+    auto Sha1Str = Sha1ToString(II.Sha1);
+    Hashes.insert(Sha1Str);
+    if (HasFocusFunction)
+      if (auto V = DFT.Get(Sha1Str))
+        II.DataFlowTraceForFocusFunction = *V;
+    // This is a gross heuristic.
+    // Ideally, when we add an element to a corpus we need to know its DFT.
+    // But if we don't, we'll use the DFT of its base input.
+    if (II.DataFlowTraceForFocusFunction.empty() && BaseII)
+      II.DataFlowTraceForFocusFunction = BaseII->DataFlowTraceForFocusFunction;
+    DistributionNeedsUpdate = true;
+    PrintCorpus();
+    // ValidateFeatureSet();
+    return &II;
+  }
+
+  // Debug-only
+  void PrintUnit(const Unit &U) {
+    if (!FeatureDebug) return;
+    for (uint8_t C : U) {
+      if (C != 'F' && C != 'U' && C != 'Z')
+        C = '.';
+      Printf("%c", C);
+    }
+  }
+
+  // Debug-only
+  void PrintFeatureSet(const Vector<uint32_t> &FeatureSet) {
+    if (!FeatureDebug) return;
+    Printf("{");
+    for (uint32_t Feature: FeatureSet)
+      Printf("%u,", Feature);
+    Printf("}");
+  }
+
+  // Debug-only
+  void PrintCorpus() {
+    if (!FeatureDebug) return;
+    Printf("======= CORPUS:\n");
+    int i = 0;
+    for (auto II : Inputs) {
+      if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
+        Printf("[%2d] ", i);
+        Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
+        PrintUnit(II->U);
+        Printf(" ");
+        PrintFeatureSet(II->UniqFeatureSet);
+        Printf("\n");
+      }
+      i++;
+    }
+  }
+
+  void Replace(InputInfo *II, const Unit &U) {
+    assert(II->U.size() > U.size());
+    Hashes.erase(Sha1ToString(II->Sha1));
+    DeleteFile(*II);
+    ComputeSHA1(U.data(), U.size(), II->Sha1);
+    Hashes.insert(Sha1ToString(II->Sha1));
+    II->U = U;
+    II->Reduced = true;
+    DistributionNeedsUpdate = true;
+  }
+
+  bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
+  bool HasUnit(const std::string &H) { return Hashes.count(H); }
+  InputInfo &ChooseUnitToMutate(Random &Rand) {
+    InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)];
+    assert(!II.U.empty());
+    return II;
+  }
+
+  InputInfo &ChooseUnitToCrossOverWith(Random &Rand, bool UniformDist) {
+    if (!UniformDist) {
+      return ChooseUnitToMutate(Rand);
+    }
+    InputInfo &II = *Inputs[Rand(Inputs.size())];
+    assert(!II.U.empty());
+    return II;
+  }
+
+  // Returns an index of random unit from the corpus to mutate.
+  size_t ChooseUnitIdxToMutate(Random &Rand) {
+    UpdateCorpusDistribution(Rand);
+    size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));
+    assert(Idx < Inputs.size());
+    return Idx;
+  }
+
+  void PrintStats() {
+    for (size_t i = 0; i < Inputs.size(); i++) {
+      const auto &II = *Inputs[i];
+      Printf("  [% 3zd %s] sz: % 5zd runs: % 5zd succ: % 5zd focus: %d\n", i,
+             Sha1ToString(II.Sha1).c_str(), II.U.size(),
+             II.NumExecutedMutations, II.NumSuccessfullMutations, II.HasFocusFunction);
+    }
+  }
+
+  void PrintFeatureSet() {
+    for (size_t i = 0; i < kFeatureSetSize; i++) {
+      if(size_t Sz = GetFeature(i))
+        Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);
+    }
+    Printf("\n\t");
+    for (size_t i = 0; i < Inputs.size(); i++)
+      if (size_t N = Inputs[i]->NumFeatures)
+        Printf(" %zd=>%zd ", i, N);
+    Printf("\n");
+  }
+
+  void DeleteFile(const InputInfo &II) {
+    if (!OutputCorpus.empty() && II.MayDeleteFile)
+      RemoveFile(DirPlusFile(OutputCorpus, Sha1ToString(II.Sha1)));
+  }
+
+  void DeleteInput(size_t Idx) {
+    InputInfo &II = *Inputs[Idx];
+    DeleteFile(II);
+    Unit().swap(II.U);
+    II.Energy = 0.0;
+    II.NeedsEnergyUpdate = false;
+    DistributionNeedsUpdate = true;
+    if (FeatureDebug)
+      Printf("EVICTED %zd\n", Idx);
+  }
+
+  void AddRareFeature(uint32_t Idx) {
+    // Maintain *at least* TopXRarestFeatures many rare features
+    // and all features with a frequency below ConsideredRare.
+    // Remove all other features.
+    while (RareFeatures.size() > Entropic.NumberOfRarestFeatures &&
+           FreqOfMostAbundantRareFeature > Entropic.FeatureFrequencyThreshold) {
+
+      // Find most and second most abbundant feature.
+      uint32_t MostAbundantRareFeatureIndices[2] = {RareFeatures[0],
+                                                    RareFeatures[0]};
+      size_t Delete = 0;
+      for (size_t i = 0; i < RareFeatures.size(); i++) {
+        uint32_t Idx2 = RareFeatures[i];
+        if (GlobalFeatureFreqs[Idx2] >=
+            GlobalFeatureFreqs[MostAbundantRareFeatureIndices[0]]) {
+          MostAbundantRareFeatureIndices[1] = MostAbundantRareFeatureIndices[0];
+          MostAbundantRareFeatureIndices[0] = Idx2;
+          Delete = i;
+        }
+      }
+
+      // Remove most abundant rare feature.
+      RareFeatures[Delete] = RareFeatures.back();
+      RareFeatures.pop_back();
+
+      for (auto II : Inputs) {
+        if (II->DeleteFeatureFreq(MostAbundantRareFeatureIndices[0]))
+          II->NeedsEnergyUpdate = true;
+      }
+
+      // Set 2nd most abundant as the new most abundant feature count.
+      FreqOfMostAbundantRareFeature =
+          GlobalFeatureFreqs[MostAbundantRareFeatureIndices[1]];
+    }
+
+    // Add rare feature, handle collisions, and update energy.
+    RareFeatures.push_back(Idx);
+    GlobalFeatureFreqs[Idx] = 0;
+    for (auto II : Inputs) {
+      II->DeleteFeatureFreq(Idx);
+
+      // Apply add-one smoothing to this locally undiscovered feature.
+      // Zero energy seeds will never be fuzzed and remain zero energy.
+      if (II->Energy > 0.0) {
+        II->SumIncidence += 1;
+        II->Energy += logl(II->SumIncidence) / II->SumIncidence;
+      }
+    }
+
+    DistributionNeedsUpdate = true;
+  }
+
+  bool AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {
+    assert(NewSize);
+    Idx = Idx % kFeatureSetSize;
+    uint32_t OldSize = GetFeature(Idx);
+    if (OldSize == 0 || (Shrink && OldSize > NewSize)) {
+      if (OldSize > 0) {
+        size_t OldIdx = SmallestElementPerFeature[Idx];
+        InputInfo &II = *Inputs[OldIdx];
+        assert(II.NumFeatures > 0);
+        II.NumFeatures--;
+        if (II.NumFeatures == 0)
+          DeleteInput(OldIdx);
+      } else {
+        NumAddedFeatures++;
+        if (Entropic.Enabled)
+          AddRareFeature((uint32_t)Idx);
+      }
+      NumUpdatedFeatures++;
+      if (FeatureDebug)
+        Printf("ADD FEATURE %zd sz %d\n", Idx, NewSize);
+      SmallestElementPerFeature[Idx] = Inputs.size();
+      InputSizesPerFeature[Idx] = NewSize;
+      return true;
+    }
+    return false;
+  }
+
+  // Increment frequency of feature Idx globally and locally.
+  void UpdateFeatureFrequency(InputInfo *II, size_t Idx) {
+    uint32_t Idx32 = Idx % kFeatureSetSize;
+
+    // Saturated increment.
+    if (GlobalFeatureFreqs[Idx32] == 0xFFFF)
+      return;
+    uint16_t Freq = GlobalFeatureFreqs[Idx32]++;
+
+    // Skip if abundant.
+    if (Freq > FreqOfMostAbundantRareFeature ||
+        std::find(RareFeatures.begin(), RareFeatures.end(), Idx32) ==
+            RareFeatures.end())
+      return;
+
+    // Update global frequencies.
+    if (Freq == FreqOfMostAbundantRareFeature)
+      FreqOfMostAbundantRareFeature++;
+
+    // Update local frequencies.
+    if (II)
+      II->UpdateFeatureFrequency(Idx32);
+  }
+
+  size_t NumFeatures() const { return NumAddedFeatures; }
+  size_t NumFeatureUpdates() const { return NumUpdatedFeatures; }
+
+private:
+
+  static const bool FeatureDebug = false;
+
+  size_t GetFeature(size_t Idx) const { return InputSizesPerFeature[Idx]; }
+
+  void ValidateFeatureSet() {
+    if (FeatureDebug)
+      PrintFeatureSet();
+    for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++)
+      if (GetFeature(Idx))
+        Inputs[SmallestElementPerFeature[Idx]]->Tmp++;
+    for (auto II: Inputs) {
+      if (II->Tmp != II->NumFeatures)
+        Printf("ZZZ %zd %zd\n", II->Tmp, II->NumFeatures);
+      assert(II->Tmp == II->NumFeatures);
+      II->Tmp = 0;
+    }
+  }
+
+  // Updates the probability distribution for the units in the corpus.
+  // Must be called whenever the corpus or unit weights are changed.
+  //
+  // Hypothesis: inputs that maximize information about globally rare features
+  // are interesting.
+  void UpdateCorpusDistribution(Random &Rand) {
+    // Skip update if no seeds or rare features were added/deleted.
+    // Sparse updates for local change of feature frequencies,
+    // i.e., randomly do not skip.
+    if (!DistributionNeedsUpdate &&
+        (!Entropic.Enabled || Rand(kSparseEnergyUpdates)))
+      return;
+
+    DistributionNeedsUpdate = false;
+
+    size_t N = Inputs.size();
+    assert(N);
+    Intervals.resize(N + 1);
+    Weights.resize(N);
+    std::iota(Intervals.begin(), Intervals.end(), 0);
+
+    std::chrono::microseconds AverageUnitExecutionTime(0);
+    for (auto II : Inputs) {
+      AverageUnitExecutionTime += II->TimeOfUnit;
+    }
+    AverageUnitExecutionTime /= N;
+
+    bool VanillaSchedule = true;
+    if (Entropic.Enabled) {
+      for (auto II : Inputs) {
+        if (II->NeedsEnergyUpdate && II->Energy != 0.0) {
+          II->NeedsEnergyUpdate = false;
+          II->UpdateEnergy(RareFeatures.size(), Entropic.ScalePerExecTime,
+                           AverageUnitExecutionTime);
+        }
+      }
+
+      for (size_t i = 0; i < N; i++) {
+
+        if (Inputs[i]->NumFeatures == 0) {
+          // If the seed doesn't represent any features, assign zero energy.
+          Weights[i] = 0.;
+        } else if (Inputs[i]->NumExecutedMutations / kMaxMutationFactor >
+                   NumExecutedMutations / Inputs.size()) {
+          // If the seed was fuzzed a lot more than average, assign zero energy.
+          Weights[i] = 0.;
+        } else {
+          // Otherwise, simply assign the computed energy.
+          Weights[i] = Inputs[i]->Energy;
+        }
+
+        // If energy for all seeds is zero, fall back to vanilla schedule.
+        if (Weights[i] > 0.0)
+          VanillaSchedule = false;
+      }
+    }
+
+    if (VanillaSchedule) {
+      for (size_t i = 0; i < N; i++)
+        Weights[i] = Inputs[i]->NumFeatures
+                         ? (i + 1) * (Inputs[i]->HasFocusFunction ? 1000 : 1)
+                         : 0.;
+    }
+
+    if (FeatureDebug) {
+      for (size_t i = 0; i < N; i++)
+        Printf("%zd ", Inputs[i]->NumFeatures);
+      Printf("SCORE\n");
+      for (size_t i = 0; i < N; i++)
+        Printf("%f ", Weights[i]);
+      Printf("Weights\n");
+    }
+    CorpusDistribution = std::piecewise_constant_distribution<double>(
+        Intervals.begin(), Intervals.end(), Weights.begin());
+  }
+  std::piecewise_constant_distribution<double> CorpusDistribution;
+
+  Vector<double> Intervals;
+  Vector<double> Weights;
+
+  std::unordered_set<std::string> Hashes;
+  Vector<InputInfo*> Inputs;
+
+  size_t NumAddedFeatures = 0;
+  size_t NumUpdatedFeatures = 0;
+  uint32_t InputSizesPerFeature[kFeatureSetSize];
+  uint32_t SmallestElementPerFeature[kFeatureSetSize];
+
+  bool DistributionNeedsUpdate = true;
+  uint16_t FreqOfMostAbundantRareFeature = 0;
+  uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {};
+  Vector<uint32_t> RareFeatures;
+
+  std::string OutputCorpus;
+};
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_CORPUS
--- a/custom_mutators/libfuzzer/FuzzerCrossOver.cpp
+++ b/custom_mutators/libfuzzer/FuzzerCrossOver.cpp
@ -0,0 +1,60 @@
+//===- FuzzerCrossOver.cpp - Cross over two test inputs -------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Cross over test inputs.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerDefs.h"
+#include "FuzzerMutate.h"
+#include "FuzzerRandom.h"
+#include <cstring>
+
+namespace fuzzer {
+
+// Cross Data1 and Data2, store the result (up to MaxOutSize bytes) in Out.
+size_t MutationDispatcher::CrossOver(const uint8_t *Data1, size_t Size1,
+                                     const uint8_t *Data2, size_t Size2,
+                                     uint8_t *Out, size_t MaxOutSize) {
+
+  assert(Size1 || Size2);
+  MaxOutSize = Rand(MaxOutSize) + 1;
+  size_t         OutPos = 0;
+  size_t         Pos1 = 0;
+  size_t         Pos2 = 0;
+  size_t *       InPos = &Pos1;
+  size_t         InSize = Size1;
+  const uint8_t *Data = Data1;
+  bool           CurrentlyUsingFirstData = true;
+  while (OutPos < MaxOutSize && (Pos1 < Size1 || Pos2 < Size2)) {
+
+    // Merge a part of Data into Out.
+    size_t OutSizeLeft = MaxOutSize - OutPos;
+    if (*InPos < InSize) {
+
+      size_t InSizeLeft = InSize - *InPos;
+      size_t MaxExtraSize = std::min(OutSizeLeft, InSizeLeft);
+      size_t ExtraSize = Rand(MaxExtraSize) + 1;
+      memcpy(Out + OutPos, Data + *InPos, ExtraSize);
+      OutPos += ExtraSize;
+      (*InPos) += ExtraSize;
+
+    }
+
+    // Use the other input data on the next iteration.
+    InPos = CurrentlyUsingFirstData ? &Pos2 : &Pos1;
+    InSize = CurrentlyUsingFirstData ? Size2 : Size1;
+    Data = CurrentlyUsingFirstData ? Data2 : Data1;
+    CurrentlyUsingFirstData = !CurrentlyUsingFirstData;
+
+  }
+
+  return OutPos;
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
@ -0,0 +1,344 @@
+//===- FuzzerDataFlowTrace.cpp - DataFlowTrace                ---*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::DataFlowTrace
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerDataFlowTrace.h"
+
+#include "FuzzerCommand.h"
+#include "FuzzerIO.h"
+#include "FuzzerRandom.h"
+#include "FuzzerSHA1.h"
+#include "FuzzerUtil.h"
+
+#include <cstdlib>
+#include <fstream>
+#include <numeric>
+#include <queue>
+#include <sstream>
+#include <string>
+#include <unordered_map>
+#include <unordered_set>
+#include <vector>
+
+namespace fuzzer {
+
+static const char *kFunctionsTxt = "functions.txt";
+
+bool BlockCoverage::AppendCoverage(const std::string &S) {
+
+  std::stringstream SS(S);
+  return AppendCoverage(SS);
+
+}
+
+// Coverage lines have this form:
+// CN X Y Z T
+// where N is the number of the function, T is the total number of instrumented
+// BBs, and X,Y,Z, if present, are the indecies of covered BB.
+// BB #0, which is the entry block, is not explicitly listed.
+bool BlockCoverage::AppendCoverage(std::istream &IN) {
+
+  std::string L;
+  while (std::getline(IN, L, '\n')) {
+
+    if (L.empty()) continue;
+    std::stringstream SS(L.c_str() + 1);
+    size_t            FunctionId = 0;
+    SS >> FunctionId;
+    if (L[0] == 'F') {
+
+      FunctionsWithDFT.insert(FunctionId);
+      continue;
+
+    }
+
+    if (L[0] != 'C') continue;
+    Vector<uint32_t> CoveredBlocks;
+    while (true) {
+
+      uint32_t BB = 0;
+      SS >> BB;
+      if (!SS) break;
+      CoveredBlocks.push_back(BB);
+
+    }
+
+    if (CoveredBlocks.empty()) return false;
+    uint32_t NumBlocks = CoveredBlocks.back();
+    CoveredBlocks.pop_back();
+    for (auto BB : CoveredBlocks)
+      if (BB >= NumBlocks) return false;
+    auto  It = Functions.find(FunctionId);
+    auto &Counters =
+        It == Functions.end()
+            ? Functions.insert({FunctionId, Vector<uint32_t>(NumBlocks)})
+                  .first->second
+            : It->second;
+
+    if (Counters.size() != NumBlocks) return false;  // wrong number of blocks.
+
+    Counters[0]++;
+    for (auto BB : CoveredBlocks)
+      Counters[BB]++;
+
+  }
+
+  return true;
+
+}
+
+// Assign weights to each function.
+// General principles:
+//   * any uncovered function gets weight 0.
+//   * a function with lots of uncovered blocks gets bigger weight.
+//   * a function with a less frequently executed code gets bigger weight.
+Vector<double> BlockCoverage::FunctionWeights(size_t NumFunctions) const {
+
+  Vector<double> Res(NumFunctions);
+  for (auto It : Functions) {
+
+    auto FunctionID = It.first;
+    auto Counters = It.second;
+    assert(FunctionID < NumFunctions);
+    auto &Weight = Res[FunctionID];
+    // Give higher weight if the function has a DFT.
+    Weight = FunctionsWithDFT.count(FunctionID) ? 1000. : 1;
+    // Give higher weight to functions with less frequently seen basic blocks.
+    Weight /= SmallestNonZeroCounter(Counters);
+    // Give higher weight to functions with the most uncovered basic blocks.
+    Weight *= NumberOfUncoveredBlocks(Counters) + 1;
+
+  }
+
+  return Res;
+
+}
+
+void DataFlowTrace::ReadCoverage(const std::string &DirPath) {
+
+  Vector<SizedFile> Files;
+  GetSizedFilesFromDir(DirPath, &Files);
+  for (auto &SF : Files) {
+
+    auto Name = Basename(SF.File);
+    if (Name == kFunctionsTxt) continue;
+    if (!CorporaHashes.count(Name)) continue;
+    std::ifstream IF(SF.File);
+    Coverage.AppendCoverage(IF);
+
+  }
+
+}
+
+static void DFTStringAppendToVector(Vector<uint8_t> *  DFT,
+                                    const std::string &DFTString) {
+
+  assert(DFT->size() == DFTString.size());
+  for (size_t I = 0, Len = DFT->size(); I < Len; I++)
+    (*DFT)[I] = DFTString[I] == '1';
+
+}
+
+// converts a string of '0' and '1' into a Vector<uint8_t>
+static Vector<uint8_t> DFTStringToVector(const std::string &DFTString) {
+
+  Vector<uint8_t> DFT(DFTString.size());
+  DFTStringAppendToVector(&DFT, DFTString);
+  return DFT;
+
+}
+
+static bool ParseError(const char *Err, const std::string &Line) {
+
+  Printf("DataFlowTrace: parse error: %s: Line: %s\n", Err, Line.c_str());
+  return false;
+
+}
+
+// TODO(metzman): replace std::string with std::string_view for
+// better performance. Need to figure our how to use string_view on Windows.
+static bool ParseDFTLine(const std::string &Line, size_t *FunctionNum,
+                         std::string *DFTString) {
+
+  if (!Line.empty() && Line[0] != 'F') return false;  // Ignore coverage.
+  size_t SpacePos = Line.find(' ');
+  if (SpacePos == std::string::npos)
+    return ParseError("no space in the trace line", Line);
+  if (Line.empty() || Line[0] != 'F')
+    return ParseError("the trace line doesn't start with 'F'", Line);
+  *FunctionNum = std::atol(Line.c_str() + 1);
+  const char *Beg = Line.c_str() + SpacePos + 1;
+  const char *End = Line.c_str() + Line.size();
+  assert(Beg < End);
+  size_t Len = End - Beg;
+  for (size_t I = 0; I < Len; I++) {
+
+    if (Beg[I] != '0' && Beg[I] != '1')
+      return ParseError("the trace should contain only 0 or 1", Line);
+
+  }
+
+  *DFTString = Beg;
+  return true;
+
+}
+
+bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction,
+                         Vector<SizedFile> &CorporaFiles, Random &Rand) {
+
+  if (DirPath.empty()) return false;
+  Printf("INFO: DataFlowTrace: reading from '%s'\n", DirPath.c_str());
+  Vector<SizedFile> Files;
+  GetSizedFilesFromDir(DirPath, &Files);
+  std::string         L;
+  size_t              FocusFuncIdx = SIZE_MAX;
+  Vector<std::string> FunctionNames;
+
+  // Collect the hashes of the corpus files.
+  for (auto &SF : CorporaFiles)
+    CorporaHashes.insert(Hash(FileToVector(SF.File)));
+
+  // Read functions.txt
+  std::ifstream IF(DirPlusFile(DirPath, kFunctionsTxt));
+  size_t        NumFunctions = 0;
+  while (std::getline(IF, L, '\n')) {
+
+    FunctionNames.push_back(L);
+    NumFunctions++;
+    if (*FocusFunction == L) FocusFuncIdx = NumFunctions - 1;
+
+  }
+
+  if (!NumFunctions) return false;
+
+  if (*FocusFunction == "auto") {
+
+    // AUTOFOCUS works like this:
+    // * reads the coverage data from the DFT files.
+    // * assigns weights to functions based on coverage.
+    // * chooses a random function according to the weights.
+    ReadCoverage(DirPath);
+    auto           Weights = Coverage.FunctionWeights(NumFunctions);
+    Vector<double> Intervals(NumFunctions + 1);
+    std::iota(Intervals.begin(), Intervals.end(), 0);
+    auto Distribution = std::piecewise_constant_distribution<double>(
+        Intervals.begin(), Intervals.end(), Weights.begin());
+    FocusFuncIdx = static_cast<size_t>(Distribution(Rand));
+    *FocusFunction = FunctionNames[FocusFuncIdx];
+    assert(FocusFuncIdx < NumFunctions);
+    Printf("INFO: AUTOFOCUS: %zd %s\n", FocusFuncIdx,
+           FunctionNames[FocusFuncIdx].c_str());
+    for (size_t i = 0; i < NumFunctions; i++) {
+
+      if (!Weights[i]) continue;
+      Printf("  [%zd] W %g\tBB-tot %u\tBB-cov %u\tEntryFreq %u:\t%s\n", i,
+             Weights[i], Coverage.GetNumberOfBlocks(i),
+             Coverage.GetNumberOfCoveredBlocks(i), Coverage.GetCounter(i, 0),
+             FunctionNames[i].c_str());
+
+    }
+
+  }
+
+  if (FocusFuncIdx == SIZE_MAX || Files.size() <= 1)
+    return false;
+
+  // Read traces.
+  size_t NumTraceFiles = 0;
+  size_t NumTracesWithFocusFunction = 0;
+  for (auto &SF : Files) {
+
+    auto Name = Basename(SF.File);
+    if (Name == kFunctionsTxt) continue;
+    if (!CorporaHashes.count(Name)) continue;  // not in the corpus.
+    NumTraceFiles++;
+    // Printf("=== %s\n", Name.c_str());
+    std::ifstream IF2(SF.File);
+    while (std::getline(IF2, L, '\n')) {
+
+      size_t      FunctionNum = 0;
+      std::string DFTString;
+      if (ParseDFTLine(L, &FunctionNum, &DFTString) &&
+          FunctionNum == FocusFuncIdx) {
+
+        NumTracesWithFocusFunction++;
+
+        if (FunctionNum >= NumFunctions)
+          return ParseError("N is greater than the number of functions", L);
+        Traces[Name] = DFTStringToVector(DFTString);
+        // Print just a few small traces.
+        if (NumTracesWithFocusFunction <= 3 && DFTString.size() <= 16)
+          Printf("%s => |%s|\n", Name.c_str(), std::string(DFTString).c_str());
+        break;  // No need to parse the following lines.
+
+      }
+
+    }
+
+  }
+
+  Printf(
+      "INFO: DataFlowTrace: %zd trace files, %zd functions, "
+      "%zd traces with focus function\n",
+      NumTraceFiles, NumFunctions, NumTracesWithFocusFunction);
+  return NumTraceFiles > 0;
+
+}
+
+int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
+                    const Vector<SizedFile> &CorporaFiles) {
+
+  Printf("INFO: collecting data flow: bin: %s dir: %s files: %zd\n",
+         DFTBinary.c_str(), DirPath.c_str(), CorporaFiles.size());
+  if (CorporaFiles.empty()) {
+
+    Printf("ERROR: can't collect data flow without corpus provided.");
+    return 1;
+
+  }
+
+  static char DFSanEnv[] = "DFSAN_OPTIONS=warn_unimplemented=0";
+  putenv(DFSanEnv);
+  MkDir(DirPath);
+  for (auto &F : CorporaFiles) {
+
+    // For every input F we need to collect the data flow and the coverage.
+    // Data flow collection may fail if we request too many DFSan tags at once.
+    // So, we start from requesting all tags in range [0,Size) and if that fails
+    // we then request tags in [0,Size/2) and [Size/2, Size), and so on.
+    // Function number => DFT.
+    auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));
+//    std::unordered_map<size_t, Vector<uint8_t>> DFTMap;
+//    std::unordered_set<std::string>             Cov;
+    Command                                     Cmd;
+    Cmd.addArgument(DFTBinary);
+    Cmd.addArgument(F.File);
+    Cmd.addArgument(OutPath);
+    Printf("CMD: %s\n", Cmd.toString().c_str());
+    ExecuteCommand(Cmd);
+
+  }
+
+  // Write functions.txt if it's currently empty or doesn't exist.
+  auto FunctionsTxtPath = DirPlusFile(DirPath, kFunctionsTxt);
+  if (FileToString(FunctionsTxtPath).empty()) {
+
+    Command Cmd;
+    Cmd.addArgument(DFTBinary);
+    Cmd.setOutputFile(FunctionsTxtPath);
+    ExecuteCommand(Cmd);
+
+  }
+
+  return 0;
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.h
+++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.h
@ -0,0 +1,135 @@
+//===- FuzzerDataFlowTrace.h - Internal header for the Fuzzer ---*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::DataFlowTrace; reads and handles a data-flow trace.
+//
+// A data flow trace is generated by e.g. dataflow/DataFlow.cpp
+// and is stored on disk in a separate directory.
+//
+// The trace dir contains a file 'functions.txt' which lists function names,
+// oner per line, e.g.
+// ==> functions.txt <==
+// Func2
+// LLVMFuzzerTestOneInput
+// Func1
+//
+// All other files in the dir are the traces, see dataflow/DataFlow.cpp.
+// The name of the file is sha1 of the input used to generate the trace.
+//
+// Current status:
+//   the data is parsed and the summary is printed, but the data is not yet
+//   used in any other way.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_DATA_FLOW_TRACE
+#define LLVM_FUZZER_DATA_FLOW_TRACE
+
+#include "FuzzerDefs.h"
+#include "FuzzerIO.h"
+
+#include <unordered_map>
+#include <unordered_set>
+#include <vector>
+#include <string>
+
+namespace fuzzer {
+
+int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
+                    const Vector<SizedFile> &CorporaFiles);
+
+class BlockCoverage {
+ public:
+  bool AppendCoverage(std::istream &IN);
+  bool AppendCoverage(const std::string &S);
+
+  size_t NumCoveredFunctions() const { return Functions.size(); }
+
+  uint32_t GetCounter(size_t FunctionId, size_t BasicBlockId) {
+    auto It = Functions.find(FunctionId);
+    if (It == Functions.end()) return 0;
+    const auto &Counters = It->second;
+    if (BasicBlockId < Counters.size())
+      return Counters[BasicBlockId];
+    return 0;
+  }
+
+  uint32_t GetNumberOfBlocks(size_t FunctionId) {
+    auto It = Functions.find(FunctionId);
+    if (It == Functions.end()) return 0;
+    const auto &Counters = It->second;
+    return Counters.size();
+  }
+
+  uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) {
+    auto It = Functions.find(FunctionId);
+    if (It == Functions.end()) return 0;
+    const auto &Counters = It->second;
+    uint32_t Result = 0;
+    for (auto Cnt: Counters)
+      if (Cnt)
+        Result++;
+    return Result;
+  }
+
+  Vector<double> FunctionWeights(size_t NumFunctions) const;
+  void clear() { Functions.clear(); }
+
+ private:
+
+  typedef Vector<uint32_t> CoverageVector;
+
+  uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {
+    uint32_t Res = 0;
+    for (auto Cnt : Counters)
+      if (Cnt)
+        Res++;
+    return Res;
+  }
+
+  uint32_t NumberOfUncoveredBlocks(const CoverageVector &Counters) const {
+    return Counters.size() - NumberOfCoveredBlocks(Counters);
+  }
+
+  uint32_t SmallestNonZeroCounter(const CoverageVector &Counters) const {
+    assert(!Counters.empty());
+    uint32_t Res = Counters[0];
+    for (auto Cnt : Counters)
+      if (Cnt)
+        Res = Min(Res, Cnt);
+    assert(Res);
+    return Res;
+  }
+
+  // Function ID => vector of counters.
+  // Each counter represents how many input files trigger the given basic block.
+  std::unordered_map<size_t, CoverageVector> Functions;
+  // Functions that have DFT entry.
+  std::unordered_set<size_t> FunctionsWithDFT;
+};
+
+class DataFlowTrace {
+ public:
+  void ReadCoverage(const std::string &DirPath);
+  bool Init(const std::string &DirPath, std::string *FocusFunction,
+            Vector<SizedFile> &CorporaFiles, Random &Rand);
+  void Clear() { Traces.clear(); }
+  const Vector<uint8_t> *Get(const std::string &InputSha1) const {
+    auto It = Traces.find(InputSha1);
+    if (It != Traces.end())
+      return &It->second;
+    return nullptr;
+  }
+
+ private:
+  // Input's sha1 => DFT for the FocusFunction.
+  std::unordered_map<std::string, Vector<uint8_t> > Traces;
+  BlockCoverage Coverage;
+  std::unordered_set<std::string> CorporaHashes;
+};
+}  // namespace fuzzer
+
+#endif // LLVM_FUZZER_DATA_FLOW_TRACE
--- a/custom_mutators/libfuzzer/FuzzerDefs.h
+++ b/custom_mutators/libfuzzer/FuzzerDefs.h
@ -0,0 +1,75 @@
+//===- FuzzerDefs.h - Internal header for the Fuzzer ------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Basic definitions.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_DEFS_H
+#define LLVM_FUZZER_DEFS_H
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+#include <memory>
+#include <set>
+#include <string>
+#include <vector>
+
+
+namespace fuzzer {
+
+template <class T> T Min(T a, T b) { return a < b ? a : b; }
+template <class T> T Max(T a, T b) { return a > b ? a : b; }
+
+class Random;
+class Dictionary;
+class DictionaryEntry;
+class MutationDispatcher;
+struct FuzzingOptions;
+class InputCorpus;
+struct InputInfo;
+struct ExternalFunctions;
+
+// Global interface to functions that may or may not be available.
+extern ExternalFunctions *EF;
+
+// We are using a custom allocator to give a different symbol name to STL
+// containers in order to avoid ODR violations.
+template<typename T>
+  class fuzzer_allocator: public std::allocator<T> {
+    public:
+      fuzzer_allocator() = default;
+
+      template<class U>
+      explicit fuzzer_allocator(const fuzzer_allocator<U>&) {}
+
+      template<class Other>
+      struct rebind { typedef fuzzer_allocator<Other> other;  };
+  };
+
+template<typename T>
+using Vector = std::vector<T, fuzzer_allocator<T>>;
+
+template<typename T>
+using Set = std::set<T, std::less<T>, fuzzer_allocator<T>>;
+
+typedef Vector<uint8_t> Unit;
+typedef Vector<Unit> UnitVector;
+typedef int (*UserCallback)(const uint8_t *Data, size_t Size);
+
+int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
+
+uint8_t *ExtraCountersBegin();
+uint8_t *ExtraCountersEnd();
+void ClearExtraCounters();
+
+extern bool RunningUserCallback;
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_DEFS_H
--- a/custom_mutators/libfuzzer/FuzzerDictionary.h
+++ b/custom_mutators/libfuzzer/FuzzerDictionary.h
@ -0,0 +1,118 @@
+//===- FuzzerDictionary.h - Internal header for the Fuzzer ------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::Dictionary
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_DICTIONARY_H
+#define LLVM_FUZZER_DICTIONARY_H
+
+#include "FuzzerDefs.h"
+#include "FuzzerIO.h"
+#include "FuzzerUtil.h"
+#include <algorithm>
+#include <limits>
+
+namespace fuzzer {
+// A simple POD sized array of bytes.
+template <size_t kMaxSizeT> class FixedWord {
+public:
+  static const size_t kMaxSize = kMaxSizeT;
+  FixedWord() {}
+  FixedWord(const uint8_t *B, uint8_t S) { Set(B, S); }
+
+  void Set(const uint8_t *B, uint8_t S) {
+    assert(S <= kMaxSize);
+    memcpy(Data, B, S);
+    Size = S;
+  }
+
+  bool operator==(const FixedWord<kMaxSize> &w) const {
+    return Size == w.Size && 0 == memcmp(Data, w.Data, Size);
+  }
+
+  static size_t GetMaxSize() { return kMaxSize; }
+  const uint8_t *data() const { return Data; }
+  uint8_t size() const { return Size; }
+
+private:
+  uint8_t Size = 0;
+  uint8_t Data[kMaxSize];
+};
+
+typedef FixedWord<64> Word;
+
+class DictionaryEntry {
+ public:
+  DictionaryEntry() {}
+  explicit DictionaryEntry(Word W) : W(W) {}
+  DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {}
+  const Word &GetW() const { return W; }
+
+  bool HasPositionHint() const { return PositionHint != std::numeric_limits<size_t>::max(); }
+  size_t GetPositionHint() const {
+    assert(HasPositionHint());
+    return PositionHint;
+  }
+  void IncUseCount() { UseCount++; }
+  void IncSuccessCount() { SuccessCount++; }
+  size_t GetUseCount() const { return UseCount; }
+  size_t GetSuccessCount() const {return SuccessCount; }
+
+  void Print(const char *PrintAfter = "\n") {
+    PrintASCII(W.data(), W.size());
+    if (HasPositionHint())
+      Printf("@%zd", GetPositionHint());
+    Printf("%s", PrintAfter);
+  }
+
+private:
+  Word W;
+  size_t PositionHint = std::numeric_limits<size_t>::max();
+  size_t UseCount = 0;
+  size_t SuccessCount = 0;
+};
+
+class Dictionary {
+ public:
+  static const size_t kMaxDictSize = 1 << 14;
+
+  bool ContainsWord(const Word &W) const {
+    return std::any_of(begin(), end(), [&](const DictionaryEntry &DE) {
+      return DE.GetW() == W;
+    });
+  }
+  const DictionaryEntry *begin() const { return &DE[0]; }
+  const DictionaryEntry *end() const { return begin() + Size; }
+  DictionaryEntry & operator[] (size_t Idx) {
+    assert(Idx < Size);
+    return DE[Idx];
+  }
+  void push_back(const DictionaryEntry &DE) {
+    if (Size < kMaxDictSize)
+      this->DE[Size++] = DE;
+  }
+  void clear() { Size = 0; }
+  bool empty() const { return Size == 0; }
+  size_t size() const { return Size; }
+
+private:
+  DictionaryEntry DE[kMaxDictSize];
+  size_t Size = 0;
+};
+
+// Parses one dictionary entry.
+// If successful, write the enty to Unit and returns true,
+// otherwise returns false.
+bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
+// Parses the dictionary file, fills Units, returns true iff all lines
+// were parsed successfully.
+bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units);
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_DICTIONARY_H
--- a/custom_mutators/libfuzzer/FuzzerDriver.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDriver.cpp
--- a/custom_mutators/libfuzzer/FuzzerExtFunctions.def
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctions.def
@ -0,0 +1,50 @@
+//===- FuzzerExtFunctions.def - External functions --------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// This defines the external function pointers that
+// ``fuzzer::ExternalFunctions`` should contain and try to initialize.  The
+// EXT_FUNC macro must be defined at the point of inclusion. The signature of
+// the macro is:
+//
+// EXT_FUNC(<name>, <return_type>, <function_signature>, <warn_if_missing>)
+//===----------------------------------------------------------------------===//
+
+// Optional user functions
+EXT_FUNC(LLVMFuzzerInitialize, int, (int *argc, char ***argv), false);
+EXT_FUNC(LLVMFuzzerCustomMutator, size_t,
+         (uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed),
+         false);
+EXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
+         (const uint8_t *Data1, size_t Size1,
+          const uint8_t *Data2, size_t Size2,
+          uint8_t *Out, size_t MaxOutSize, unsigned int Seed),
+         false);
+
+// Sanitizer functions
+EXT_FUNC(__lsan_enable, void, (), false);
+EXT_FUNC(__lsan_disable, void, (), false);
+EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false);
+EXT_FUNC(__sanitizer_acquire_crash_state, int, (), true);
+EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int,
+         (void (*malloc_hook)(const volatile void *, size_t),
+          void (*free_hook)(const volatile void *)),
+         false);
+EXT_FUNC(__sanitizer_log_write, void, (const char *buf, size_t len), false);
+EXT_FUNC(__sanitizer_purge_allocator, void, (), false);
+EXT_FUNC(__sanitizer_print_memory_profile, void, (size_t, size_t), false);
+EXT_FUNC(__sanitizer_print_stack_trace, void, (), true);
+EXT_FUNC(__sanitizer_symbolize_pc, void,
+         (void *, const char *fmt, char *out_buf, size_t out_buf_size), false);
+EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
+         (void *pc, char *module_path,
+         size_t module_path_len,void **pc_offset), false);
+EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
+EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
+EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
+EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
+EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
+EXT_FUNC(__msan_unpoison_param, void, (size_t n), false);
--- a/custom_mutators/libfuzzer/FuzzerExtFunctions.h
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctions.h
@ -0,0 +1,34 @@
+//===- FuzzerExtFunctions.h - Interface to external functions ---*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Defines an interface to (possibly optional) functions.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_EXT_FUNCTIONS_H
+#define LLVM_FUZZER_EXT_FUNCTIONS_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+namespace fuzzer {
+
+struct ExternalFunctions {
+  // Initialize function pointers. Functions that are not available will be set
+  // to nullptr.  Do not call this constructor  before ``main()`` has been
+  // entered.
+  ExternalFunctions();
+
+#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)                            \
+  RETURN_TYPE(*NAME) FUNC_SIG = nullptr
+
+#include "FuzzerExtFunctions.def"
+
+#undef EXT_FUNC
+};
+} // namespace fuzzer
+
+#endif
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsDlsym.cpp
@ -0,0 +1,60 @@
+//===- FuzzerExtFunctionsDlsym.cpp - Interface to external functions ------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Implementation for operating systems that support dlsym(). We only use it on
+// Apple platforms for now. We don't use this approach on Linux because it
+// requires that clients of LibFuzzer pass ``--export-dynamic`` to the linker.
+// That is a complication we don't wish to expose to clients right now.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_APPLE
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+  #include <dlfcn.h>
+
+using namespace fuzzer;
+
+template <typename T>
+static T GetFnPtr(const char *FnName, bool WarnIfMissing) {
+
+  dlerror();  // Clear any previous errors.
+  void *Fn = dlsym(RTLD_DEFAULT, FnName);
+  if (Fn == nullptr) {
+
+    if (WarnIfMissing) {
+
+      const char *ErrorMsg = dlerror();
+      Printf("WARNING: Failed to find function \"%s\".", FnName);
+      if (ErrorMsg) Printf(" Reason %s.", ErrorMsg);
+      Printf("\n");
+
+    }
+
+  }
+
+  return reinterpret_cast<T>(Fn);
+
+}
+
+namespace fuzzer {
+
+ExternalFunctions::ExternalFunctions() {
+\
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+    this->NAME = GetFnPtr<decltype(ExternalFunctions::NAME)>(#NAME, WARN)
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_APPLE
+
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWeak.cpp
@ -0,0 +1,63 @@
+//===- FuzzerExtFunctionsWeak.cpp - Interface to external functions -------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Implementation for Linux. This relies on the linker's support for weak
+// symbols. We don't use this approach on Apple platforms because it requires
+// clients of LibFuzzer to pass ``-U _<symbol_name>`` to the linker to allow
+// weak symbols to be undefined. That is a complication we don't want to expose
+// to clients right now.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FUCHSIA || \
+    LIBFUZZER_FREEBSD || LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+
+extern "C" {
+
+  // Declare these symbols as weak to allow them to be optionally defined.
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+    __attribute__((weak, visibility("default"))) RETURN_TYPE NAME FUNC_SIG
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+using namespace fuzzer;
+
+static void CheckFnPtr(void *FnPtr, const char *FnName, bool WarnIfMissing) {
+
+  if (FnPtr == nullptr && WarnIfMissing) {
+
+    Printf("WARNING: Failed to find function \"%s\".\n", FnName);
+
+  }
+
+}
+
+namespace fuzzer {
+
+ExternalFunctions::ExternalFunctions() {
+\
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)                         \
+    this->NAME = ::NAME;                                                      \
+    CheckFnPtr(reinterpret_cast<void *>(reinterpret_cast<uintptr_t>(::NAME)), \
+               #NAME, WARN);
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+}  // namespace fuzzer
+
+#endif
+
--- a/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtFunctionsWindows.cpp
@ -0,0 +1,95 @@
+//=== FuzzerExtWindows.cpp - Interface to external functions --------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Implementation of FuzzerExtFunctions for Windows. Uses alternatename when
+// compiled with MSVC. Uses weak aliases when compiled with clang. Unfortunately
+// the method each compiler supports is not supported by the other.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_WINDOWS
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+
+using namespace fuzzer;
+
+  // Intermediate macro to ensure the parameter is expanded before stringified.
+  #define STRINGIFY_(A) #A
+  #define STRINGIFY(A) STRINGIFY_(A)
+
+  #if LIBFUZZER_MSVC
+    // Copied from compiler-rt/lib/sanitizer_common/sanitizer_win_defs.h
+    #if defined(_M_IX86) || defined(__i386__)
+      #define WIN_SYM_PREFIX "_"
+    #else
+      #define WIN_SYM_PREFIX
+    #endif
+
+    // Declare external functions as having alternativenames, so that we can
+    // determine if they are not defined.
+    #define EXTERNAL_FUNC(Name, Default)                              \
+      __pragma(                                                       \
+          comment(linker, "/alternatename:" WIN_SYM_PREFIX STRINGIFY( \
+                              Name) "=" WIN_SYM_PREFIX STRINGIFY(Default)))
+  #else
+    // Declare external functions as weak to allow them to default to a
+    // specified function if not defined explicitly. We must use weak symbols
+    // because clang's support for alternatename is not 100%, see
+    // https://bugs.llvm.org/show_bug.cgi?id=40218 for more details.
+    #define EXTERNAL_FUNC(Name, Default) \
+      __attribute__((weak, alias(STRINGIFY(Default))))
+  #endif  // LIBFUZZER_MSVC
+
+extern "C" {
+\
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN)         \
+    RETURN_TYPE NAME##Def FUNC_SIG {                          \
+                                                              \
+      Printf("ERROR: Function \"%s\" not defined.\n", #NAME); \
+      exit(1);                                                \
+                                                              \
+    }                                                         \
+    EXTERNAL_FUNC(NAME, NAME##Def) RETURN_TYPE NAME FUNC_SIG
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+template <typename T>
+static T *GetFnPtr(T *Fun, T *FunDef, const char *FnName, bool WarnIfMissing) {
+
+  if (Fun == FunDef) {
+
+    if (WarnIfMissing)
+      Printf("WARNING: Failed to find function \"%s\".\n", FnName);
+    return nullptr;
+
+  }
+
+  return Fun;
+
+}
+
+namespace fuzzer {
+
+ExternalFunctions::ExternalFunctions() {
+\
+  #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
+    this->NAME = GetFnPtr<decltype(::NAME)>(::NAME, ::NAME##Def, #NAME, WARN);
+
+  #include "FuzzerExtFunctions.def"
+
+  #undef EXT_FUNC
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_WINDOWS
+
--- a/custom_mutators/libfuzzer/FuzzerExtraCounters.cpp
+++ b/custom_mutators/libfuzzer/FuzzerExtraCounters.cpp
@ -0,0 +1,71 @@
+//===- FuzzerExtraCounters.cpp - Extra coverage counters ------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Extra coverage counters defined by user code.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerPlatform.h"
+#include <cstdint>
+
+#if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
+    LIBFUZZER_OPENBSD || LIBFUZZER_FUCHSIA || LIBFUZZER_EMSCRIPTEN
+__attribute__((weak)) extern uint8_t __start___libfuzzer_extra_counters;
+__attribute__((weak)) extern uint8_t __stop___libfuzzer_extra_counters;
+
+namespace fuzzer {
+
+uint8_t *ExtraCountersBegin() {
+
+  return &__start___libfuzzer_extra_counters;
+
+}
+
+uint8_t *ExtraCountersEnd() {
+
+  return &__stop___libfuzzer_extra_counters;
+
+}
+
+ATTRIBUTE_NO_SANITIZE_ALL
+void ClearExtraCounters() {  // hand-written memset, don't asan-ify.
+  uintptr_t *Beg = reinterpret_cast<uintptr_t *>(ExtraCountersBegin());
+  uintptr_t *End = reinterpret_cast<uintptr_t *>(ExtraCountersEnd());
+  for (; Beg < End; Beg++) {
+
+    *Beg = 0;
+    __asm__ __volatile__("" : : : "memory");
+
+  }
+
+}
+
+}  // namespace fuzzer
+
+#else
+// TODO: implement for other platforms.
+namespace fuzzer {
+
+uint8_t *ExtraCountersBegin() {
+
+  return nullptr;
+
+}
+
+uint8_t *ExtraCountersEnd() {
+
+  return nullptr;
+
+}
+
+void ClearExtraCounters() {
+
+}
+
+}  // namespace fuzzer
+
+#endif
+
--- a/custom_mutators/libfuzzer/FuzzerFlags.def
+++ b/custom_mutators/libfuzzer/FuzzerFlags.def
@ -0,0 +1,198 @@
+//===- FuzzerFlags.def - Run-time flags -------------------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Flags. FUZZER_FLAG_INT/FUZZER_FLAG_STRING macros should be defined at the
+// point of inclusion. We are not using any flag parsing library for better
+// portability and independence.
+//===----------------------------------------------------------------------===//
+FUZZER_FLAG_INT(verbosity, 1, "Verbosity level.")
+FUZZER_FLAG_UNSIGNED(seed, 0, "Random seed. If 0, seed is generated.")
+FUZZER_FLAG_INT(runs, -1,
+            "Number of individual test runs (-1 for infinite runs).")
+FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
+    "If 0, libFuzzer tries to guess a good value based on the corpus "
+    "and reports it. ")
+FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
+  "then try larger inputs over time.  Specifies the rate at which the length "
+  "limit is increased (smaller == faster).  If 0, immediately try inputs with "
+  "size up to max_len. Default value is 0, if LLVMFuzzerCustomMutator is used.")
+FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
+  "to use as an additional seed corpus. Alternatively, an \"@\" followed by "
+  "the name of a file containing the comma-separated list.")
+FUZZER_FLAG_INT(keep_seed, 0, "If 1, keep seed inputs in the corpus even if "
+  "they do not produce new coverage. When used with |reduce_inputs==1|, the "
+  "seed inputs will never be reduced. This option can be useful when seeds are"
+  "not properly formed for the fuzz target but still have useful snippets.")
+FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
+FUZZER_FLAG_INT(cross_over_uniform_dist, 0, "Experimental. If 1, use a "
+  "uniform probability distribution when choosing inputs to cross over with. "
+  "Some of the inputs in the corpus may never get chosen for mutation "
+  "depending on the input mutation scheduling policy. With this flag, all "
+  "inputs, regardless of the input mutation scheduling policy, can be chosen "
+  "as an input to cross over with. This can be particularly useful with "
+  "|keep_seed==1|; all the initial seed inputs, even though they do not "
+  "increase coverage because they are not properly formed, will still be "
+  "chosen as an input to cross over with.")
+
+FUZZER_FLAG_INT(mutate_depth, 5,
+            "Apply this number of consecutive mutations to each input.")
+FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
+                "Reduce depth if mutations lose unique features")
+FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
+FUZZER_FLAG_INT(prefer_small, 1,
+    "If 1, always prefer smaller inputs during the corpus shuffle.")
+FUZZER_FLAG_INT(
+    timeout, 1200,
+    "Timeout in seconds (if positive). "
+    "If one unit runs more than this number of seconds the process will abort.")
+FUZZER_FLAG_INT(error_exitcode, 77, "When libFuzzer itself reports a bug "
+  "this exit code will be used.")
+FUZZER_FLAG_INT(timeout_exitcode, 70, "When libFuzzer reports a timeout "
+  "this exit code will be used.")
+FUZZER_FLAG_INT(max_total_time, 0, "If positive, indicates the maximal total "
+                                   "time in seconds to run the fuzzer.")
+FUZZER_FLAG_INT(help, 0, "Print help.")
+FUZZER_FLAG_INT(fork, 0, "Experimental mode where fuzzing happens "
+                "in a subprocess")
+FUZZER_FLAG_INT(ignore_timeouts, 1, "Ignore timeouts in fork mode")
+FUZZER_FLAG_INT(ignore_ooms, 1, "Ignore OOMs in fork mode")
+FUZZER_FLAG_INT(ignore_crashes, 0, "Ignore crashes in fork mode")
+FUZZER_FLAG_INT(merge, 0, "If 1, the 2-nd, 3-rd, etc corpora will be "
+  "merged into the 1-st corpus. Only interesting units will be taken. "
+  "This flag can be used to minimize a corpus.")
+FUZZER_FLAG_STRING(stop_file, "Stop fuzzing ASAP if this file exists")
+FUZZER_FLAG_STRING(merge_inner, "internal flag")
+FUZZER_FLAG_STRING(merge_control_file,
+                   "Specify a control file used for the merge process. "
+                   "If a merge process gets killed it tries to leave this file "
+                   "in a state suitable for resuming the merge. "
+                   "By default a temporary file will be used."
+                   "The same file can be used for multistep merge process.")
+FUZZER_FLAG_INT(minimize_crash, 0, "If 1, minimizes the provided"
+  " crash input. Use with -runs=N or -max_total_time=N to limit "
+  "the number attempts."
+  " Use with -exact_artifact_path to specify the output."
+  " Combine with ASAN_OPTIONS=dedup_token_length=3 (or similar) to ensure that"
+  " the minimized input triggers the same crash."
+  )
+FUZZER_FLAG_INT(cleanse_crash, 0, "If 1, tries to cleanse the provided"
+  " crash input to make it contain fewer original bytes."
+  " Use with -exact_artifact_path to specify the output."
+  )
+FUZZER_FLAG_INT(minimize_crash_internal_step, 0, "internal flag")
+FUZZER_FLAG_STRING(features_dir, "internal flag. Used to dump feature sets on disk."
+  "Every time a new input is added to the corpus, a corresponding file in the features_dir"
+  " is created containing the unique features of that input."
+  " Features are stored in binary format.")
+FUZZER_FLAG_STRING(mutation_graph_file, "Saves a graph (in DOT format) to"
+  " mutation_graph_file. The graph contains a vertex for each input that has"
+  " unique coverage; directed edges are provided between parents and children"
+  " where the child has unique coverage, and are recorded with the type of"
+  " mutation that caused the child.")
+FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters")
+FUZZER_FLAG_INT(use_memmem, 1,
+                "Use hints from intercepting memmem, strstr, etc")
+FUZZER_FLAG_INT(use_value_profile, 0,
+                "Experimental. Use value profile to guide fuzzing.")
+FUZZER_FLAG_INT(use_cmp, 1, "Use CMP traces to guide mutations")
+FUZZER_FLAG_INT(shrink, 0, "Experimental. Try to shrink corpus inputs.")
+FUZZER_FLAG_INT(reduce_inputs, 1,
+  "Try to reduce the size of inputs while preserving their full feature sets")
+FUZZER_FLAG_UNSIGNED(jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
+                          " this number of jobs in separate worker processes"
+                          " with stdout/stderr redirected to fuzz-JOB.log.")
+FUZZER_FLAG_UNSIGNED(workers, 0,
+            "Number of simultaneous worker processes to run the jobs."
+            " If zero, \"min(jobs,NumberOfCpuCores()/2)\" is used.")
+FUZZER_FLAG_INT(reload, 1,
+                "Reload the main corpus every <N> seconds to get new units"
+                " discovered by other processes. If 0, disabled")
+FUZZER_FLAG_INT(report_slow_units, 10,
+    "Report slowest units if they run for more than this number of seconds.")
+FUZZER_FLAG_INT(only_ascii, 0,
+                "If 1, generate only ASCII (isprint+isspace) inputs.")
+FUZZER_FLAG_STRING(dict, "Experimental. Use the dictionary file.")
+FUZZER_FLAG_STRING(artifact_prefix, "Write fuzzing artifacts (crash, "
+                                    "timeout, or slow inputs) as "
+                                    "$(artifact_prefix)file")
+FUZZER_FLAG_STRING(exact_artifact_path,
+                   "Write the single artifact on failure (crash, timeout) "
+                   "as $(exact_artifact_path). This overrides -artifact_prefix "
+                   "and will not use checksum in the file name. Do not "
+                   "use the same path for several parallel processes.")
+FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
+FUZZER_FLAG_INT(print_funcs, 2, "If >=1, print out at most this number of "
+                                "newly covered functions.")
+FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
+FUZZER_FLAG_INT(print_corpus_stats, 0,
+  "If 1, print statistics on corpus elements at exit.")
+FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text"
+                                   " at exit.")
+FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated.")
+FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
+FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
+FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
+FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
+FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
+FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
+FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
+FUZZER_FLAG_INT(handle_xfsz, 1, "If 1, try to intercept SIGXFSZ.")
+FUZZER_FLAG_INT(handle_usr1, 1, "If 1, try to intercept SIGUSR1.")
+FUZZER_FLAG_INT(handle_usr2, 1, "If 1, try to intercept SIGUSR2.")
+FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; "
+    "if 2, close stderr; if 3, close both. "
+    "Be careful, this will also close e.g. stderr of asan.")
+FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled "
+    "try to detect memory leaks during fuzzing (i.e. not only at shut down).")
+FUZZER_FLAG_INT(purge_allocator_interval, 1, "Purge allocator caches and "
+    "quarantines every <N> seconds. When rss_limit_mb is specified (>0), "
+    "purging starts when RSS exceeds 50% of rss_limit_mb. Pass "
+    "purge_allocator_interval=-1 to disable this functionality.")
+FUZZER_FLAG_INT(trace_malloc, 0, "If >= 1 will print all mallocs/frees. "
+    "If >= 2 will also print stack traces.")
+FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"
+    "reaching this limit of RSS memory usage.")
+FUZZER_FLAG_INT(malloc_limit_mb, 0, "If non-zero, the fuzzer will exit "
+    "if the target tries to allocate this number of Mb with one malloc call. "
+    "If zero (default) same limit as rss_limit_mb is applied.")
+FUZZER_FLAG_STRING(exit_on_src_pos, "Exit if a newly found PC originates"
+    " from the given source location. Example: -exit_on_src_pos=foo.cc:123. "
+    "Used primarily for testing libFuzzer itself.")
+FUZZER_FLAG_STRING(exit_on_item, "Exit if an item with a given sha1 sum"
+    " was added to the corpus. "
+    "Used primarily for testing libFuzzer itself.")
+FUZZER_FLAG_INT(ignore_remaining_args, 0, "If 1, ignore all arguments passed "
+                "after this one. Useful for fuzzers that need to do their own "
+                "argument parsing.")
+FUZZER_FLAG_STRING(focus_function, "Experimental. "
+     "Fuzzing will focus on inputs that trigger calls to this function. "
+     "If -focus_function=auto and -data_flow_trace is used, libFuzzer "
+     "will choose the focus functions automatically. Disables -entropic when "
+     "specified.")
+FUZZER_FLAG_INT(entropic, 1, "Enables entropic power schedule.")
+FUZZER_FLAG_INT(entropic_feature_frequency_threshold, 0xFF, "Experimental. If "
+     "entropic is enabled, all features which are observed less often than "
+     "the specified value are considered as rare.")
+FUZZER_FLAG_INT(entropic_number_of_rarest_features, 100, "Experimental. If "
+     "entropic is enabled, we keep track of the frequencies only for the "
+     "Top-X least abundant features (union features that are considered as "
+     "rare).")
+FUZZER_FLAG_INT(entropic_scale_per_exec_time, 0, "Experimental. If 1, "
+     "the Entropic power schedule gets scaled based on the input execution "
+     "time. Inputs with lower execution time get scheduled more (up to 30x). "
+     "Note that, if 1, fuzzer stops from being deterministic even if a "
+     "non-zero random seed is given.")
+
+FUZZER_FLAG_INT(analyze_dict, 0, "Experimental")
+FUZZER_DEPRECATED_FLAG(use_clang_coverage)
+FUZZER_FLAG_STRING(data_flow_trace, "Experimental: use the data flow trace")
+FUZZER_FLAG_STRING(collect_data_flow,
+                   "Experimental: collect the data flow trace")
+
+FUZZER_FLAG_INT(create_missing_dirs, 0, "Automatically attempt to create "
+     "directories for arguments that would normally expect them to already "
+     "exist (i.e. artifact_prefix, exact_artifact_path, features_dir, corpus)")
--- a/custom_mutators/libfuzzer/FuzzerFork.cpp
+++ b/custom_mutators/libfuzzer/FuzzerFork.cpp
@ -0,0 +1,501 @@
+//===- FuzzerFork.cpp - run fuzzing in separate subprocesses --------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Spawn and orchestrate separate fuzzing processes.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerCommand.h"
+#include "FuzzerFork.h"
+#include "FuzzerIO.h"
+#include "FuzzerInternal.h"
+#include "FuzzerMerge.h"
+#include "FuzzerSHA1.h"
+#include "FuzzerTracePC.h"
+#include "FuzzerUtil.h"
+
+#include <atomic>
+#include <chrono>
+#include <condition_variable>
+#include <fstream>
+#include <memory>
+#include <mutex>
+#include <queue>
+#include <sstream>
+#include <thread>
+
+namespace fuzzer {
+
+struct Stats {
+
+  size_t number_of_executed_units = 0;
+  size_t peak_rss_mb = 0;
+  size_t average_exec_per_sec = 0;
+
+};
+
+static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
+
+  std::ifstream In(LogPath);
+  std::string   Line;
+  Stats         Res;
+  struct {
+
+    const char *Name;
+    size_t *    Var;
+
+  } NameVarPairs[] = {
+
+      {"stat::number_of_executed_units:", &Res.number_of_executed_units},
+      {"stat::peak_rss_mb:", &Res.peak_rss_mb},
+      {"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
+      {nullptr, nullptr},
+
+  };
+
+  while (std::getline(In, Line, '\n')) {
+
+    if (Line.find("stat::") != 0) continue;
+    std::istringstream ISS(Line);
+    std::string        Name;
+    size_t             Val;
+    ISS >> Name >> Val;
+    for (size_t i = 0; NameVarPairs[i].Name; i++)
+      if (Name == NameVarPairs[i].Name) *NameVarPairs[i].Var = Val;
+
+  }
+
+  return Res;
+
+}
+
+struct FuzzJob {
+
+  // Inputs.
+  Command     Cmd;
+  std::string CorpusDir;
+  std::string FeaturesDir;
+  std::string LogPath;
+  std::string SeedListPath;
+  std::string CFPath;
+  size_t      JobId;
+
+  int DftTimeInSeconds = 0;
+
+  // Fuzzing Outputs.
+  int ExitCode;
+
+  ~FuzzJob() {
+
+    RemoveFile(CFPath);
+    RemoveFile(LogPath);
+    RemoveFile(SeedListPath);
+    RmDirRecursive(CorpusDir);
+    RmDirRecursive(FeaturesDir);
+
+  }
+
+};
+
+struct GlobalEnv {
+
+  Vector<std::string>                   Args;
+  Vector<std::string>                   CorpusDirs;
+  std::string                           MainCorpusDir;
+  std::string                           TempDir;
+  std::string                           DFTDir;
+  std::string                           DataFlowBinary;
+  Set<uint32_t>                         Features, Cov;
+  Set<std::string>                      FilesWithDFT;
+  Vector<std::string>                   Files;
+  Random *                              Rand;
+  std::chrono::system_clock::time_point ProcessStartTime;
+  int                                   Verbosity = 0;
+
+  size_t NumTimeouts = 0;
+  size_t NumOOMs = 0;
+  size_t NumCrashes = 0;
+
+  size_t NumRuns = 0;
+
+  std::string StopFile() {
+
+    return DirPlusFile(TempDir, "STOP");
+
+  }
+
+  size_t secondsSinceProcessStartUp() const {
+
+    return std::chrono::duration_cast<std::chrono::seconds>(
+               std::chrono::system_clock::now() - ProcessStartTime)
+        .count();
+
+  }
+
+  FuzzJob *CreateNewJob(size_t JobId) {
+
+    Command Cmd(Args);
+    Cmd.removeFlag("fork");
+    Cmd.removeFlag("runs");
+    Cmd.removeFlag("collect_data_flow");
+    for (auto &C : CorpusDirs)  // Remove all corpora from the args.
+      Cmd.removeArgument(C);
+    Cmd.addFlag("reload", "0");  // working in an isolated dir, no reload.
+    Cmd.addFlag("print_final_stats", "1");
+    Cmd.addFlag("print_funcs", "0");  // no need to spend time symbolizing.
+    Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
+    Cmd.addFlag("stop_file", StopFile());
+    if (!DataFlowBinary.empty()) {
+
+      Cmd.addFlag("data_flow_trace", DFTDir);
+      if (!Cmd.hasFlag("focus_function")) Cmd.addFlag("focus_function", "auto");
+
+    }
+
+    auto        Job = new FuzzJob;
+    std::string Seeds;
+    if (size_t CorpusSubsetSize =
+            std::min(Files.size(), (size_t)sqrt(Files.size() + 2))) {
+
+      auto Time1 = std::chrono::system_clock::now();
+      for (size_t i = 0; i < CorpusSubsetSize; i++) {
+
+        auto &SF = Files[Rand->SkewTowardsLast(Files.size())];
+        Seeds += (Seeds.empty() ? "" : ",") + SF;
+        CollectDFT(SF);
+
+      }
+
+      auto Time2 = std::chrono::system_clock::now();
+      Job->DftTimeInSeconds = duration_cast<seconds>(Time2 - Time1).count();
+
+    }
+
+    if (!Seeds.empty()) {
+
+      Job->SeedListPath =
+          DirPlusFile(TempDir, std::to_string(JobId) + ".seeds");
+      WriteToFile(Seeds, Job->SeedListPath);
+      Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
+
+    }
+
+    Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
+    Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
+    Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
+    Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
+    Job->JobId = JobId;
+
+    Cmd.addArgument(Job->CorpusDir);
+    Cmd.addFlag("features_dir", Job->FeaturesDir);
+
+    for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) {
+
+      RmDirRecursive(D);
+      MkDir(D);
+
+    }
+
+    Cmd.setOutputFile(Job->LogPath);
+    Cmd.combineOutAndErr();
+
+    Job->Cmd = Cmd;
+
+    if (Verbosity >= 2)
+      Printf("Job %zd/%p Created: %s\n", JobId, Job,
+             Job->Cmd.toString().c_str());
+    // Start from very short runs and gradually increase them.
+    return Job;
+
+  }
+
+  void RunOneMergeJob(FuzzJob *Job) {
+
+    auto Stats = ParseFinalStatsFromLog(Job->LogPath);
+    NumRuns += Stats.number_of_executed_units;
+
+    Vector<SizedFile> TempFiles, MergeCandidates;
+    // Read all newly created inputs and their feature sets.
+    // Choose only those inputs that have new features.
+    GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
+    std::sort(TempFiles.begin(), TempFiles.end());
+    for (auto &F : TempFiles) {
+
+      auto FeatureFile = F.File;
+      FeatureFile.replace(0, Job->CorpusDir.size(), Job->FeaturesDir);
+      auto FeatureBytes = FileToVector(FeatureFile, 0, false);
+      assert((FeatureBytes.size() % sizeof(uint32_t)) == 0);
+      Vector<uint32_t> NewFeatures(FeatureBytes.size() / sizeof(uint32_t));
+      memcpy(NewFeatures.data(), FeatureBytes.data(), FeatureBytes.size());
+      for (auto Ft : NewFeatures) {
+
+        if (!Features.count(Ft)) {
+
+          MergeCandidates.push_back(F);
+          break;
+
+        }
+
+      }
+
+    }
+
+    // if (!FilesToAdd.empty() || Job->ExitCode != 0)
+    Printf(
+        "#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "
+        "oom/timeout/crash: %zd/%zd/%zd time: %zds job: %zd dft_time: %d\n",
+        NumRuns, Cov.size(), Features.size(), Files.size(),
+        Stats.average_exec_per_sec, NumOOMs, NumTimeouts, NumCrashes,
+        secondsSinceProcessStartUp(), Job->JobId, Job->DftTimeInSeconds);
+
+    if (MergeCandidates.empty()) return;
+
+    Vector<std::string> FilesToAdd;
+    Set<uint32_t>       NewFeatures, NewCov;
+    CrashResistantMerge(Args, {}, MergeCandidates, &FilesToAdd, Features,
+                        &NewFeatures, Cov, &NewCov, Job->CFPath, false);
+    for (auto &Path : FilesToAdd) {
+
+      auto U = FileToVector(Path);
+      auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
+      WriteToFile(U, NewPath);
+      Files.push_back(NewPath);
+
+    }
+
+    Features.insert(NewFeatures.begin(), NewFeatures.end());
+    Cov.insert(NewCov.begin(), NewCov.end());
+    for (auto Idx : NewCov)
+      if (auto *TE = TPC.PCTableEntryByIdx(Idx))
+        if (TPC.PcIsFuncEntry(TE))
+          PrintPC("  NEW_FUNC: %p %F %L\n", "",
+                  TPC.GetNextInstructionPc(TE->PC));
+
+  }
+
+  void CollectDFT(const std::string &InputPath) {
+
+    if (DataFlowBinary.empty()) return;
+    if (!FilesWithDFT.insert(InputPath).second) return;
+    Command Cmd(Args);
+    Cmd.removeFlag("fork");
+    Cmd.removeFlag("runs");
+    Cmd.addFlag("data_flow_trace", DFTDir);
+    Cmd.addArgument(InputPath);
+    for (auto &C : CorpusDirs)  // Remove all corpora from the args.
+      Cmd.removeArgument(C);
+    Cmd.setOutputFile(DirPlusFile(TempDir, "dft.log"));
+    Cmd.combineOutAndErr();
+    // Printf("CollectDFT: %s\n", Cmd.toString().c_str());
+    ExecuteCommand(Cmd);
+
+  }
+
+};
+
+struct JobQueue {
+
+  std::queue<FuzzJob *>   Qu;
+  std::mutex              Mu;
+  std::condition_variable Cv;
+
+  void Push(FuzzJob *Job) {
+
+    {
+
+      std::lock_guard<std::mutex> Lock(Mu);
+      Qu.push(Job);
+
+    }
+
+    Cv.notify_one();
+
+  }
+
+  FuzzJob *Pop() {
+
+    std::unique_lock<std::mutex> Lk(Mu);
+    // std::lock_guard<std::mutex> Lock(Mu);
+    Cv.wait(Lk, [&] { return !Qu.empty(); });
+    assert(!Qu.empty());
+    auto Job = Qu.front();
+    Qu.pop();
+    return Job;
+
+  }
+
+};
+
+void WorkerThread(JobQueue *FuzzQ, JobQueue *MergeQ) {
+
+  while (auto Job = FuzzQ->Pop()) {
+
+    // Printf("WorkerThread: job %p\n", Job);
+    Job->ExitCode = ExecuteCommand(Job->Cmd);
+    MergeQ->Push(Job);
+
+  }
+
+}
+
+// This is just a skeleton of an experimental -fork=1 feature.
+void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
+                  const Vector<std::string> &Args,
+                  const Vector<std::string> &CorpusDirs, int NumJobs) {
+
+  Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);
+
+  GlobalEnv Env;
+  Env.Args = Args;
+  Env.CorpusDirs = CorpusDirs;
+  Env.Rand = &Rand;
+  Env.Verbosity = Options.Verbosity;
+  Env.ProcessStartTime = std::chrono::system_clock::now();
+  Env.DataFlowBinary = Options.CollectDataFlow;
+
+  Vector<SizedFile> SeedFiles;
+  for (auto &Dir : CorpusDirs)
+    GetSizedFilesFromDir(Dir, &SeedFiles);
+  std::sort(SeedFiles.begin(), SeedFiles.end());
+  Env.TempDir = TempPath("FuzzWithFork", ".dir");
+  Env.DFTDir = DirPlusFile(Env.TempDir, "DFT");
+  RmDirRecursive(Env.TempDir);  // in case there is a leftover from old runs.
+  MkDir(Env.TempDir);
+  MkDir(Env.DFTDir);
+
+  if (CorpusDirs.empty())
+    MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
+  else
+    Env.MainCorpusDir = CorpusDirs[0];
+
+  if (Options.KeepSeed) {
+
+    for (auto &File : SeedFiles)
+      Env.Files.push_back(File.File);
+
+  } else {
+
+    auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
+    CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
+                        {}, &Env.Cov, CFPath, false);
+    RemoveFile(CFPath);
+
+  }
+
+  Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,
+         Env.Files.size(), Env.TempDir.c_str());
+
+  int ExitCode = 0;
+
+  JobQueue FuzzQ, MergeQ;
+
+  auto StopJobs = [&]() {
+
+    for (int i = 0; i < NumJobs; i++)
+      FuzzQ.Push(nullptr);
+    MergeQ.Push(nullptr);
+    WriteToFile(Unit({1}), Env.StopFile());
+
+  };
+
+  size_t              JobId = 1;
+  Vector<std::thread> Threads;
+  for (int t = 0; t < NumJobs; t++) {
+
+    Threads.push_back(std::thread(WorkerThread, &FuzzQ, &MergeQ));
+    FuzzQ.Push(Env.CreateNewJob(JobId++));
+
+  }
+
+  while (true) {
+
+    std::unique_ptr<FuzzJob> Job(MergeQ.Pop());
+    if (!Job) break;
+    ExitCode = Job->ExitCode;
+    if (ExitCode == Options.InterruptExitCode) {
+
+      Printf("==%lu== libFuzzer: a child was interrupted; exiting\n", GetPid());
+      StopJobs();
+      break;
+
+    }
+
+    Fuzzer::MaybeExitGracefully();
+
+    Env.RunOneMergeJob(Job.get());
+
+    // Continue if our crash is one of the ignorred ones.
+    if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
+      Env.NumTimeouts++;
+    else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
+      Env.NumOOMs++;
+    else if (ExitCode != 0) {
+
+      Env.NumCrashes++;
+      if (Options.IgnoreCrashes) {
+
+        std::ifstream In(Job->LogPath);
+        std::string   Line;
+        while (std::getline(In, Line, '\n'))
+          if (Line.find("ERROR:") != Line.npos ||
+              Line.find("runtime error:") != Line.npos)
+            Printf("%s\n", Line.c_str());
+
+      } else {
+
+        // And exit if we don't ignore this crash.
+        Printf("INFO: log from the inner process:\n%s",
+               FileToString(Job->LogPath).c_str());
+        StopJobs();
+        break;
+
+      }
+
+    }
+
+    // Stop if we are over the time budget.
+    // This is not precise, since other threads are still running
+    // and we will wait while joining them.
+    // We also don't stop instantly: other jobs need to finish.
+    if (Options.MaxTotalTimeSec > 0 &&
+        Env.secondsSinceProcessStartUp() >= (size_t)Options.MaxTotalTimeSec) {
+
+      Printf("INFO: fuzzed for %zd seconds, wrapping up soon\n",
+             Env.secondsSinceProcessStartUp());
+      StopJobs();
+      break;
+
+    }
+
+    if (Env.NumRuns >= Options.MaxNumberOfRuns) {
+
+      Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
+             Env.NumRuns);
+      StopJobs();
+      break;
+
+    }
+
+    FuzzQ.Push(Env.CreateNewJob(JobId++));
+
+  }
+
+  for (auto &T : Threads)
+    T.join();
+
+  // The workers have terminated. Don't try to remove the directory before they
+  // terminate to avoid a race condition preventing cleanup on Windows.
+  RmDirRecursive(Env.TempDir);
+
+  // Use the exit code from the last child process.
+  Printf("INFO: exiting: %d time: %zds\n", ExitCode,
+         Env.secondsSinceProcessStartUp());
+  exit(ExitCode);
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerFork.h
+++ b/custom_mutators/libfuzzer/FuzzerFork.h
@ -0,0 +1,24 @@
+//===- FuzzerFork.h - run fuzzing in sub-processes --------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_FORK_H
+#define LLVM_FUZZER_FORK_H
+
+#include "FuzzerDefs.h"
+#include "FuzzerOptions.h"
+#include "FuzzerRandom.h"
+
+#include <string>
+
+namespace fuzzer {
+void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
+                  const Vector<std::string> &Args,
+                  const Vector<std::string> &CorpusDirs, int NumJobs);
+} // namespace fuzzer
+
+#endif // LLVM_FUZZER_FORK_H
--- a/custom_mutators/libfuzzer/FuzzerIO.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIO.cpp
@ -0,0 +1,255 @@
+//===- FuzzerIO.cpp - IO utils. -------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// IO functions.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerDefs.h"
+#include "FuzzerExtFunctions.h"
+#include "FuzzerIO.h"
+#include "FuzzerUtil.h"
+#include <algorithm>
+#include <cstdarg>
+#include <fstream>
+#include <iterator>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+namespace fuzzer {
+
+static FILE *OutputFile = stderr;
+
+long GetEpoch(const std::string &Path) {
+
+  struct stat St;
+  if (stat(Path.c_str(), &St)) return 0;  // Can't stat, be conservative.
+  return St.st_mtime;
+
+}
+
+Unit FileToVector(const std::string &Path, size_t MaxSize, bool ExitOnError) {
+
+  std::ifstream T(Path, std::ios::binary);
+  if (ExitOnError && !T) {
+
+    Printf("No such directory: %s; exiting\n", Path.c_str());
+    exit(1);
+
+  }
+
+  T.seekg(0, T.end);
+  auto EndPos = T.tellg();
+  if (EndPos < 0) return {};
+  size_t FileLen = EndPos;
+  if (MaxSize) FileLen = std::min(FileLen, MaxSize);
+
+  T.seekg(0, T.beg);
+  Unit Res(FileLen);
+  T.read(reinterpret_cast<char *>(Res.data()), FileLen);
+  return Res;
+
+}
+
+std::string FileToString(const std::string &Path) {
+
+  std::ifstream T(Path, std::ios::binary);
+  return std::string((std::istreambuf_iterator<char>(T)),
+                     std::istreambuf_iterator<char>());
+
+}
+
+void CopyFileToErr(const std::string &Path) {
+
+  Printf("%s", FileToString(Path).c_str());
+
+}
+
+void WriteToFile(const Unit &U, const std::string &Path) {
+
+  WriteToFile(U.data(), U.size(), Path);
+
+}
+
+void WriteToFile(const std::string &Data, const std::string &Path) {
+
+  WriteToFile(reinterpret_cast<const uint8_t *>(Data.c_str()), Data.size(),
+              Path);
+
+}
+
+void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
+
+  return;
+ 
+  // Use raw C interface because this function may be called from a sig handler.
+  FILE *Out = fopen(Path.c_str(), "wb");
+  if (!Out) return;
+  fwrite(Data, sizeof(Data[0]), Size, Out);
+  fclose(Out);
+
+}
+
+void AppendToFile(const std::string &Data, const std::string &Path) {
+
+  return;
+
+  AppendToFile(reinterpret_cast<const uint8_t *>(Data.data()), Data.size(),
+               Path);
+
+}
+
+void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
+
+  return;
+
+  FILE *Out = fopen(Path.c_str(), "a");
+  if (!Out) return;
+  fwrite(Data, sizeof(Data[0]), Size, Out);
+  fclose(Out);
+
+}
+
+void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, long *Epoch,
+                            size_t MaxSize, bool ExitOnError) {
+
+  long                E = Epoch ? *Epoch : 0;
+  Vector<std::string> Files;
+  ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/ true);
+  size_t NumLoaded = 0;
+  for (size_t i = 0; i < Files.size(); i++) {
+
+    auto &X = Files[i];
+    if (Epoch && GetEpoch(X) < E) continue;
+    NumLoaded++;
+    if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)
+      Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);
+    auto S = FileToVector(X, MaxSize, ExitOnError);
+    if (!S.empty()) V->push_back(S);
+
+  }
+
+}
+
+void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V) {
+
+  Vector<std::string> Files;
+  ListFilesInDirRecursive(Dir, 0, &Files, /*TopDir*/ true);
+  for (auto &File : Files)
+    if (size_t Size = FileSize(File)) V->push_back({File, Size});
+
+}
+
+std::string DirPlusFile(const std::string &DirPath,
+                        const std::string &FileName) {
+
+  return DirPath + GetSeparator() + FileName;
+
+}
+
+void DupAndCloseStderr() {
+
+  int OutputFd = DuplicateFile(2);
+  if (OutputFd >= 0) {
+
+    FILE *NewOutputFile = OpenFile(OutputFd, "w");
+    if (NewOutputFile) {
+
+      OutputFile = NewOutputFile;
+      if (EF->__sanitizer_set_report_fd)
+        EF->__sanitizer_set_report_fd(
+            reinterpret_cast<void *>(GetHandleFromFd(OutputFd)));
+      DiscardOutput(2);
+
+    }
+
+  }
+
+}
+
+void CloseStdout() {
+
+  DiscardOutput(1);
+
+}
+
+void Printf(const char *Fmt, ...) {
+
+  va_list ap;
+  va_start(ap, Fmt);
+  vfprintf(OutputFile, Fmt, ap);
+  va_end(ap);
+  fflush(OutputFile);
+
+}
+
+void VPrintf(bool Verbose, const char *Fmt, ...) {
+
+  return;
+  if (!Verbose) return;
+  va_list ap;
+  va_start(ap, Fmt);
+  vfprintf(OutputFile, Fmt, ap);
+  va_end(ap);
+  fflush(OutputFile);
+
+}
+
+static bool MkDirRecursiveInner(const std::string &Leaf) {
+
+  // Prevent chance of potential infinite recursion
+  if (Leaf == ".") return true;
+
+  const std::string &Dir = DirName(Leaf);
+
+  if (IsDirectory(Dir)) {
+
+    MkDir(Leaf);
+    return IsDirectory(Leaf);
+
+  }
+
+  bool ret = MkDirRecursiveInner(Dir);
+  if (!ret) {
+
+    // Give up early if a previous MkDir failed
+    return ret;
+
+  }
+
+  MkDir(Leaf);
+  return IsDirectory(Leaf);
+
+}
+
+bool MkDirRecursive(const std::string &Dir) {
+
+  if (Dir.empty()) return false;
+
+  if (IsDirectory(Dir)) return true;
+
+  return MkDirRecursiveInner(Dir);
+
+}
+
+void RmDirRecursive(const std::string &Dir) {
+
+  IterateDirRecursive(
+      Dir, [](const std::string &Path) {},
+      [](const std::string &Path) { RmDir(Path); },
+      [](const std::string &Path) { RemoveFile(Path); });
+
+}
+
+std::string TempPath(const char *Prefix, const char *Extension) {
+
+  return DirPlusFile(TmpDir(), std::string("libFuzzerTemp.") + Prefix +
+                                   std::to_string(GetPid()) + Extension);
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerIO.h
+++ b/custom_mutators/libfuzzer/FuzzerIO.h
@ -0,0 +1,112 @@
+//===- FuzzerIO.h - Internal header for IO utils ----------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// IO interface.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_IO_H
+#define LLVM_FUZZER_IO_H
+
+#include "FuzzerDefs.h"
+
+namespace fuzzer {
+
+long GetEpoch(const std::string &Path);
+
+Unit FileToVector(const std::string &Path, size_t MaxSize = 0,
+                  bool ExitOnError = true);
+
+std::string FileToString(const std::string &Path);
+
+void CopyFileToErr(const std::string &Path);
+
+void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
+// Write Data.c_str() to the file without terminating null character.
+void WriteToFile(const std::string &Data, const std::string &Path);
+void WriteToFile(const Unit &U, const std::string &Path);
+
+void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path);
+void AppendToFile(const std::string &Data, const std::string &Path);
+
+void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V,
+                            long *Epoch, size_t MaxSize, bool ExitOnError);
+
+// Returns "Dir/FileName" or equivalent for the current OS.
+std::string DirPlusFile(const std::string &DirPath,
+                        const std::string &FileName);
+
+// Returns the name of the dir, similar to the 'dirname' utility.
+std::string DirName(const std::string &FileName);
+
+// Returns path to a TmpDir.
+std::string TmpDir();
+
+std::string TempPath(const char *Prefix, const char *Extension);
+
+bool IsInterestingCoverageFile(const std::string &FileName);
+
+void DupAndCloseStderr();
+
+void CloseStdout();
+
+void Printf(const char *Fmt, ...);
+void VPrintf(bool Verbose, const char *Fmt, ...);
+
+// Print using raw syscalls, useful when printing at early init stages.
+void RawPrint(const char *Str);
+
+// Platform specific functions:
+bool IsFile(const std::string &Path);
+bool IsDirectory(const std::string &Path);
+size_t FileSize(const std::string &Path);
+
+void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
+                             Vector<std::string> *V, bool TopDir);
+
+bool MkDirRecursive(const std::string &Dir);
+void RmDirRecursive(const std::string &Dir);
+
+// Iterate files and dirs inside Dir, recursively.
+// Call DirPreCallback/DirPostCallback on dirs before/after
+// calling FileCallback on files.
+void IterateDirRecursive(const std::string &Dir,
+                         void (*DirPreCallback)(const std::string &Dir),
+                         void (*DirPostCallback)(const std::string &Dir),
+                         void (*FileCallback)(const std::string &Dir));
+
+struct SizedFile {
+  std::string File;
+  size_t Size;
+  bool operator<(const SizedFile &B) const { return Size < B.Size; }
+};
+
+void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V);
+
+char GetSeparator();
+bool IsSeparator(char C);
+// Similar to the basename utility: returns the file name w/o the dir prefix.
+std::string Basename(const std::string &Path);
+
+FILE* OpenFile(int Fd, const char *Mode);
+
+int CloseFile(int Fd);
+
+int DuplicateFile(int Fd);
+
+void RemoveFile(const std::string &Path);
+void RenameFile(const std::string &OldPath, const std::string &NewPath);
+
+intptr_t GetHandleFromFd(int fd);
+
+void MkDir(const std::string &Path);
+void RmDir(const std::string &Path);
+
+const std::string &getDevNull();
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_IO_H
--- a/custom_mutators/libfuzzer/FuzzerIOPosix.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIOPosix.cpp
@ -0,0 +1,223 @@
+//===- FuzzerIOPosix.cpp - IO utils for Posix. ----------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// IO functions implementation using Posix API.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_POSIX || LIBFUZZER_FUCHSIA
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+  #include <cstdarg>
+  #include <cstdio>
+  #include <dirent.h>
+  #include <fstream>
+  #include <iterator>
+  #include <libgen.h>
+  #include <sys/stat.h>
+  #include <sys/types.h>
+  #include <unistd.h>
+
+namespace fuzzer {
+
+bool IsFile(const std::string &Path) {
+
+  struct stat St;
+  if (stat(Path.c_str(), &St)) return false;
+  return S_ISREG(St.st_mode);
+
+}
+
+bool IsDirectory(const std::string &Path) {
+
+  struct stat St;
+  if (stat(Path.c_str(), &St)) return false;
+  return S_ISDIR(St.st_mode);
+
+}
+
+size_t FileSize(const std::string &Path) {
+
+  struct stat St;
+  if (stat(Path.c_str(), &St)) return 0;
+  return St.st_size;
+
+}
+
+std::string Basename(const std::string &Path) {
+
+  size_t Pos = Path.rfind(GetSeparator());
+  if (Pos == std::string::npos) return Path;
+  assert(Pos < Path.size());
+  return Path.substr(Pos + 1);
+
+}
+
+void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
+                             Vector<std::string> *V, bool TopDir) {
+
+  auto E = GetEpoch(Dir);
+  if (Epoch)
+    if (E && *Epoch >= E) return;
+
+  DIR *D = opendir(Dir.c_str());
+  if (!D) {
+
+    Printf("%s: %s; exiting\n", strerror(errno), Dir.c_str());
+    exit(1);
+
+  }
+
+  while (auto E = readdir(D)) {
+
+    std::string Path = DirPlusFile(Dir, E->d_name);
+    if (E->d_type == DT_REG || E->d_type == DT_LNK ||
+        (E->d_type == DT_UNKNOWN && IsFile(Path)))
+      V->push_back(Path);
+    else if ((E->d_type == DT_DIR ||
+              (E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&
+             *E->d_name != '.')
+      ListFilesInDirRecursive(Path, Epoch, V, false);
+
+  }
+
+  closedir(D);
+  if (Epoch && TopDir) *Epoch = E;
+
+}
+
+void IterateDirRecursive(const std::string &Dir,
+                         void (*DirPreCallback)(const std::string &Dir),
+                         void (*DirPostCallback)(const std::string &Dir),
+                         void (*FileCallback)(const std::string &Dir)) {
+
+  DirPreCallback(Dir);
+  DIR *D = opendir(Dir.c_str());
+  if (!D) return;
+  while (auto E = readdir(D)) {
+
+    std::string Path = DirPlusFile(Dir, E->d_name);
+    if (E->d_type == DT_REG || E->d_type == DT_LNK ||
+        (E->d_type == DT_UNKNOWN && IsFile(Path)))
+      FileCallback(Path);
+    else if ((E->d_type == DT_DIR ||
+              (E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&
+             *E->d_name != '.')
+      IterateDirRecursive(Path, DirPreCallback, DirPostCallback, FileCallback);
+
+  }
+
+  closedir(D);
+  DirPostCallback(Dir);
+
+}
+
+char GetSeparator() {
+
+  return '/';
+
+}
+
+bool IsSeparator(char C) {
+
+  return C == '/';
+
+}
+
+FILE *OpenFile(int Fd, const char *Mode) {
+
+  return fdopen(Fd, Mode);
+
+}
+
+int CloseFile(int fd) {
+
+  return close(fd);
+
+}
+
+int DuplicateFile(int Fd) {
+
+  return dup(Fd);
+
+}
+
+void RemoveFile(const std::string &Path) {
+
+  unlink(Path.c_str());
+
+}
+
+void RenameFile(const std::string &OldPath, const std::string &NewPath) {
+
+  rename(OldPath.c_str(), NewPath.c_str());
+
+}
+
+intptr_t GetHandleFromFd(int fd) {
+
+  return static_cast<intptr_t>(fd);
+
+}
+
+std::string DirName(const std::string &FileName) {
+
+  char *Tmp = new char[FileName.size() + 1];
+  memcpy(Tmp, FileName.c_str(), FileName.size() + 1);
+  std::string Res = dirname(Tmp);
+  delete[] Tmp;
+  return Res;
+
+}
+
+std::string TmpDir() {
+
+  if (auto Env = getenv("TMPDIR")) return Env;
+  return "/tmp";
+
+}
+
+bool IsInterestingCoverageFile(const std::string &FileName) {
+
+  if (FileName.find("compiler-rt/lib/") != std::string::npos)
+    return false;  // sanitizer internal.
+  if (FileName.find("/usr/lib/") != std::string::npos) return false;
+  if (FileName.find("/usr/include/") != std::string::npos) return false;
+  if (FileName == "<null>") return false;
+  return true;
+
+}
+
+void RawPrint(const char *Str) {
+
+  write(2, Str, strlen(Str));
+
+}
+
+void MkDir(const std::string &Path) {
+
+  mkdir(Path.c_str(), 0700);
+
+}
+
+void RmDir(const std::string &Path) {
+
+  rmdir(Path.c_str());
+
+}
+
+const std::string &getDevNull() {
+
+  static const std::string devNull = "/dev/null";
+  return devNull;
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_POSIX
+
--- a/custom_mutators/libfuzzer/FuzzerIOWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerIOWindows.cpp
@ -0,0 +1,513 @@
+//===- FuzzerIOWindows.cpp - IO utils for Windows. ------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// IO functions implementation for Windows.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_WINDOWS
+
+  #include "FuzzerExtFunctions.h"
+  #include "FuzzerIO.h"
+  #include <cstdarg>
+  #include <cstdio>
+  #include <fstream>
+  #include <io.h>
+  #include <iterator>
+  #include <sys/stat.h>
+  #include <sys/types.h>
+  #include <windows.h>
+
+namespace fuzzer {
+
+static bool IsFile(const std::string &Path, const DWORD &FileAttributes) {
+
+  if (FileAttributes & FILE_ATTRIBUTE_NORMAL) return true;
+
+  if (FileAttributes & FILE_ATTRIBUTE_DIRECTORY) return false;
+
+  HANDLE FileHandle(CreateFileA(Path.c_str(), 0, FILE_SHARE_READ, NULL,
+                                OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0));
+
+  if (FileHandle == INVALID_HANDLE_VALUE) {
+
+    Printf("CreateFileA() failed for \"%s\" (Error code: %lu).\n", Path.c_str(),
+           GetLastError());
+    return false;
+
+  }
+
+  DWORD FileType = GetFileType(FileHandle);
+
+  if (FileType == FILE_TYPE_UNKNOWN) {
+
+    Printf("GetFileType() failed for \"%s\" (Error code: %lu).\n", Path.c_str(),
+           GetLastError());
+    CloseHandle(FileHandle);
+    return false;
+
+  }
+
+  if (FileType != FILE_TYPE_DISK) {
+
+    CloseHandle(FileHandle);
+    return false;
+
+  }
+
+  CloseHandle(FileHandle);
+  return true;
+
+}
+
+bool IsFile(const std::string &Path) {
+
+  DWORD Att = GetFileAttributesA(Path.c_str());
+
+  if (Att == INVALID_FILE_ATTRIBUTES) {
+
+    Printf("GetFileAttributesA() failed for \"%s\" (Error code: %lu).\n",
+           Path.c_str(), GetLastError());
+    return false;
+
+  }
+
+  return IsFile(Path, Att);
+
+}
+
+static bool IsDir(DWORD FileAttrs) {
+
+  if (FileAttrs == INVALID_FILE_ATTRIBUTES) return false;
+  return FileAttrs & FILE_ATTRIBUTE_DIRECTORY;
+
+}
+
+bool IsDirectory(const std::string &Path) {
+
+  DWORD Att = GetFileAttributesA(Path.c_str());
+
+  if (Att == INVALID_FILE_ATTRIBUTES) {
+
+    Printf("GetFileAttributesA() failed for \"%s\" (Error code: %lu).\n",
+           Path.c_str(), GetLastError());
+    return false;
+
+  }
+
+  return IsDir(Att);
+
+}
+
+std::string Basename(const std::string &Path) {
+
+  size_t Pos = Path.find_last_of("/\\");
+  if (Pos == std::string::npos) return Path;
+  assert(Pos < Path.size());
+  return Path.substr(Pos + 1);
+
+}
+
+size_t FileSize(const std::string &Path) {
+
+  WIN32_FILE_ATTRIBUTE_DATA attr;
+  if (!GetFileAttributesExA(Path.c_str(), GetFileExInfoStandard, &attr)) {
+
+    DWORD LastError = GetLastError();
+    if (LastError != ERROR_FILE_NOT_FOUND)
+      Printf("GetFileAttributesExA() failed for \"%s\" (Error code: %lu).\n",
+             Path.c_str(), LastError);
+    return 0;
+
+  }
+
+  ULARGE_INTEGER size;
+  size.HighPart = attr.nFileSizeHigh;
+  size.LowPart = attr.nFileSizeLow;
+  return size.QuadPart;
+
+}
+
+void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
+                             Vector<std::string> *V, bool TopDir) {
+
+  auto E = GetEpoch(Dir);
+  if (Epoch)
+    if (E && *Epoch >= E) return;
+
+  std::string Path(Dir);
+  assert(!Path.empty());
+  if (Path.back() != '\\') Path.push_back('\\');
+  Path.push_back('*');
+
+  // Get the first directory entry.
+  WIN32_FIND_DATAA FindInfo;
+  HANDLE           FindHandle(FindFirstFileA(Path.c_str(), &FindInfo));
+  if (FindHandle == INVALID_HANDLE_VALUE) {
+
+    if (GetLastError() == ERROR_FILE_NOT_FOUND) return;
+    Printf("No such file or directory: %s; exiting\n", Dir.c_str());
+    exit(1);
+
+  }
+
+  do {
+
+    std::string FileName = DirPlusFile(Dir, FindInfo.cFileName);
+
+    if (FindInfo.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+
+      size_t FilenameLen = strlen(FindInfo.cFileName);
+      if ((FilenameLen == 1 && FindInfo.cFileName[0] == '.') ||
+          (FilenameLen == 2 && FindInfo.cFileName[0] == '.' &&
+           FindInfo.cFileName[1] == '.'))
+        continue;
+
+      ListFilesInDirRecursive(FileName, Epoch, V, false);
+
+    } else if (IsFile(FileName, FindInfo.dwFileAttributes))
+
+      V->push_back(FileName);
+
+  } while (FindNextFileA(FindHandle, &FindInfo));
+
+  DWORD LastError = GetLastError();
+  if (LastError != ERROR_NO_MORE_FILES)
+    Printf("FindNextFileA failed (Error code: %lu).\n", LastError);
+
+  FindClose(FindHandle);
+
+  if (Epoch && TopDir) *Epoch = E;
+
+}
+
+void IterateDirRecursive(const std::string &Dir,
+                         void (*DirPreCallback)(const std::string &Dir),
+                         void (*DirPostCallback)(const std::string &Dir),
+                         void (*FileCallback)(const std::string &Dir)) {
+
+  // TODO(metzman): Implement ListFilesInDirRecursive via this function.
+  DirPreCallback(Dir);
+
+  DWORD DirAttrs = GetFileAttributesA(Dir.c_str());
+  if (!IsDir(DirAttrs)) return;
+
+  std::string TargetDir(Dir);
+  assert(!TargetDir.empty());
+  if (TargetDir.back() != '\\') TargetDir.push_back('\\');
+  TargetDir.push_back('*');
+
+  WIN32_FIND_DATAA FindInfo;
+  // Find the directory's first file.
+  HANDLE FindHandle = FindFirstFileA(TargetDir.c_str(), &FindInfo);
+  if (FindHandle == INVALID_HANDLE_VALUE) {
+
+    DWORD LastError = GetLastError();
+    if (LastError != ERROR_FILE_NOT_FOUND) {
+
+      // If the directory isn't empty, then something abnormal is going on.
+      Printf("FindFirstFileA failed for %s (Error code: %lu).\n", Dir.c_str(),
+             LastError);
+
+    }
+
+    return;
+
+  }
+
+  do {
+
+    std::string Path = DirPlusFile(Dir, FindInfo.cFileName);
+    DWORD       PathAttrs = FindInfo.dwFileAttributes;
+    if (IsDir(PathAttrs)) {
+
+      // Is Path the current directory (".") or the parent ("..")?
+      if (strcmp(FindInfo.cFileName, ".") == 0 ||
+          strcmp(FindInfo.cFileName, "..") == 0)
+        continue;
+      IterateDirRecursive(Path, DirPreCallback, DirPostCallback, FileCallback);
+
+    } else if (PathAttrs != INVALID_FILE_ATTRIBUTES) {
+
+      FileCallback(Path);
+
+    }
+
+  } while (FindNextFileA(FindHandle, &FindInfo));
+
+  DWORD LastError = GetLastError();
+  if (LastError != ERROR_NO_MORE_FILES)
+    Printf("FindNextFileA failed for %s (Error code: %lu).\n", Dir.c_str(),
+           LastError);
+
+  FindClose(FindHandle);
+  DirPostCallback(Dir);
+
+}
+
+char GetSeparator() {
+
+  return '\\';
+
+}
+
+FILE *OpenFile(int Fd, const char *Mode) {
+
+  return _fdopen(Fd, Mode);
+
+}
+
+int CloseFile(int Fd) {
+
+  return _close(Fd);
+
+}
+
+int DuplicateFile(int Fd) {
+
+  return _dup(Fd);
+
+}
+
+void RemoveFile(const std::string &Path) {
+
+  _unlink(Path.c_str());
+
+}
+
+void RenameFile(const std::string &OldPath, const std::string &NewPath) {
+
+  rename(OldPath.c_str(), NewPath.c_str());
+
+}
+
+intptr_t GetHandleFromFd(int fd) {
+
+  return _get_osfhandle(fd);
+
+}
+
+bool IsSeparator(char C) {
+
+  return C == '\\' || C == '/';
+
+}
+
+// Parse disk designators, like "C:\". If Relative == true, also accepts: "C:".
+// Returns number of characters considered if successful.
+static size_t ParseDrive(const std::string &FileName, const size_t Offset,
+                         bool Relative = true) {
+
+  if (Offset + 1 >= FileName.size() || FileName[Offset + 1] != ':') return 0;
+  if (Offset + 2 >= FileName.size() || !IsSeparator(FileName[Offset + 2])) {
+
+    if (!Relative)  // Accept relative path?
+      return 0;
+    else
+      return 2;
+
+  }
+
+  return 3;
+
+}
+
+// Parse a file name, like: SomeFile.txt
+// Returns number of characters considered if successful.
+static size_t ParseFileName(const std::string &FileName, const size_t Offset) {
+
+  size_t       Pos = Offset;
+  const size_t End = FileName.size();
+  for (; Pos < End && !IsSeparator(FileName[Pos]); ++Pos)
+    ;
+  return Pos - Offset;
+
+}
+
+// Parse a directory ending in separator, like: `SomeDir\`
+// Returns number of characters considered if successful.
+static size_t ParseDir(const std::string &FileName, const size_t Offset) {
+
+  size_t       Pos = Offset;
+  const size_t End = FileName.size();
+  if (Pos >= End || IsSeparator(FileName[Pos])) return 0;
+  for (; Pos < End && !IsSeparator(FileName[Pos]); ++Pos)
+    ;
+  if (Pos >= End) return 0;
+  ++Pos;  // Include separator.
+  return Pos - Offset;
+
+}
+
+// Parse a servername and share, like: `SomeServer\SomeShare\`
+// Returns number of characters considered if successful.
+static size_t ParseServerAndShare(const std::string &FileName,
+                                  const size_t       Offset) {
+
+  size_t Pos = Offset, Res;
+  if (!(Res = ParseDir(FileName, Pos))) return 0;
+  Pos += Res;
+  if (!(Res = ParseDir(FileName, Pos))) return 0;
+  Pos += Res;
+  return Pos - Offset;
+
+}
+
+// Parse the given Ref string from the position Offset, to exactly match the
+// given string Patt. Returns number of characters considered if successful.
+static size_t ParseCustomString(const std::string &Ref, size_t Offset,
+                                const char *Patt) {
+
+  size_t Len = strlen(Patt);
+  if (Offset + Len > Ref.size()) return 0;
+  return Ref.compare(Offset, Len, Patt) == 0 ? Len : 0;
+
+}
+
+// Parse a location, like:
+// \\?\UNC\Server\Share\  \\?\C:\  \\Server\Share\  \  C:\  C:
+// Returns number of characters considered if successful.
+static size_t ParseLocation(const std::string &FileName) {
+
+  size_t Pos = 0, Res;
+
+  if ((Res = ParseCustomString(FileName, Pos, R"(\\?\)"))) {
+
+    Pos += Res;
+    if ((Res = ParseCustomString(FileName, Pos, R"(UNC\)"))) {
+
+      Pos += Res;
+      if ((Res = ParseServerAndShare(FileName, Pos))) return Pos + Res;
+      return 0;
+
+    }
+
+    if ((Res = ParseDrive(FileName, Pos, false))) return Pos + Res;
+    return 0;
+
+  }
+
+  if (Pos < FileName.size() && IsSeparator(FileName[Pos])) {
+
+    ++Pos;
+    if (Pos < FileName.size() && IsSeparator(FileName[Pos])) {
+
+      ++Pos;
+      if ((Res = ParseServerAndShare(FileName, Pos))) return Pos + Res;
+      return 0;
+
+    }
+
+    return Pos;
+
+  }
+
+  if ((Res = ParseDrive(FileName, Pos))) return Pos + Res;
+
+  return Pos;
+
+}
+
+std::string DirName(const std::string &FileName) {
+
+  size_t LocationLen = ParseLocation(FileName);
+  size_t DirLen = 0, Res;
+  while ((Res = ParseDir(FileName, LocationLen + DirLen)))
+    DirLen += Res;
+  size_t FileLen = ParseFileName(FileName, LocationLen + DirLen);
+
+  if (LocationLen + DirLen + FileLen != FileName.size()) {
+
+    Printf("DirName() failed for \"%s\", invalid path.\n", FileName.c_str());
+    exit(1);
+
+  }
+
+  if (DirLen) {
+
+    --DirLen;        // Remove trailing separator.
+    if (!FileLen) {  // Path ended in separator.
+      assert(DirLen);
+      // Remove file name from Dir.
+      while (DirLen && !IsSeparator(FileName[LocationLen + DirLen - 1]))
+        --DirLen;
+      if (DirLen)  // Remove trailing separator.
+        --DirLen;
+
+    }
+
+  }
+
+  if (!LocationLen) {  // Relative path.
+    if (!DirLen) return ".";
+    return std::string(".\\").append(FileName, 0, DirLen);
+
+  }
+
+  return FileName.substr(0, LocationLen + DirLen);
+
+}
+
+std::string TmpDir() {
+
+  std::string Tmp;
+  Tmp.resize(MAX_PATH + 1);
+  DWORD Size = GetTempPathA(Tmp.size(), &Tmp[0]);
+  if (Size == 0) {
+
+    Printf("Couldn't get Tmp path.\n");
+    exit(1);
+
+  }
+
+  Tmp.resize(Size);
+  return Tmp;
+
+}
+
+bool IsInterestingCoverageFile(const std::string &FileName) {
+
+  if (FileName.find("Program Files") != std::string::npos) return false;
+  if (FileName.find("compiler-rt\\lib\\") != std::string::npos)
+    return false;  // sanitizer internal.
+  if (FileName == "<null>") return false;
+  return true;
+
+}
+
+void RawPrint(const char *Str) {
+
+  _write(2, Str, strlen(Str));
+
+}
+
+void MkDir(const std::string &Path) {
+
+  if (CreateDirectoryA(Path.c_str(), nullptr)) return;
+  Printf("CreateDirectoryA failed for %s (Error code: %lu).\n", Path.c_str(),
+         GetLastError());
+
+}
+
+void RmDir(const std::string &Path) {
+
+  if (RemoveDirectoryA(Path.c_str())) return;
+  Printf("RemoveDirectoryA failed for %s (Error code: %lu).\n", Path.c_str(),
+         GetLastError());
+
+}
+
+const std::string &getDevNull() {
+
+  static const std::string devNull = "NUL";
+  return devNull;
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_WINDOWS
+
--- a/custom_mutators/libfuzzer/FuzzerInterceptors.cpp
+++ b/custom_mutators/libfuzzer/FuzzerInterceptors.cpp
@ -0,0 +1,290 @@
+//===-- FuzzerInterceptors.cpp --------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Intercept certain libc functions to aid fuzzing.
+// Linked only when other RTs that define their own interceptors are not linked.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerPlatform.h"
+
+#if LIBFUZZER_LINUX
+
+  #define GET_CALLER_PC() __builtin_return_address(0)
+
+  #define PTR_TO_REAL(x) real_##x
+  #define REAL(x) __interception::PTR_TO_REAL(x)
+  #define FUNC_TYPE(x) x##_type
+  #define DEFINE_REAL(ret_type, func, ...)            \
+    typedef ret_type (*FUNC_TYPE(func))(__VA_ARGS__); \
+    namespace __interception {                        \
+                                                      \
+    FUNC_TYPE(func) PTR_TO_REAL(func);                \
+                                                      \
+    }
+
+  #include <cassert>
+  #include <cstdint>
+  #include <dlfcn.h>  // for dlsym()
+
+static void *getFuncAddr(const char *name, uintptr_t wrapper_addr) {
+
+  void *addr = dlsym(RTLD_NEXT, name);
+  if (!addr) {
+
+    // If the lookup using RTLD_NEXT failed, the sanitizer runtime library is
+    // later in the library search order than the DSO that we are trying to
+    // intercept, which means that we cannot intercept this function. We still
+    // want the address of the real definition, though, so look it up using
+    // RTLD_DEFAULT.
+    addr = dlsym(RTLD_DEFAULT, name);
+
+    // In case `name' is not loaded, dlsym ends up finding the actual wrapper.
+    // We don't want to intercept the wrapper and have it point to itself.
+    if (reinterpret_cast<uintptr_t>(addr) == wrapper_addr) addr = nullptr;
+
+  }
+
+  return addr;
+
+}
+
+static int  FuzzerInited = 0;
+static bool FuzzerInitIsRunning;
+
+static void fuzzerInit();
+
+static void ensureFuzzerInited() {
+
+  assert(!FuzzerInitIsRunning);
+  if (!FuzzerInited) { fuzzerInit(); }
+
+}
+
+static int internal_strcmp_strncmp(const char *s1, const char *s2, bool strncmp,
+                                   size_t n) {
+
+  size_t i = 0;
+  while (true) {
+
+    if (strncmp) {
+
+      if (i == n) break;
+      i++;
+
+    }
+
+    unsigned c1 = *s1;
+    unsigned c2 = *s2;
+    if (c1 != c2) return (c1 < c2) ? -1 : 1;
+    if (c1 == 0) break;
+    s1++;
+    s2++;
+
+  }
+
+  return 0;
+
+}
+
+static int internal_strncmp(const char *s1, const char *s2, size_t n) {
+
+  return internal_strcmp_strncmp(s1, s2, true, n);
+
+}
+
+static int internal_strcmp(const char *s1, const char *s2) {
+
+  return internal_strcmp_strncmp(s1, s2, false, 0);
+
+}
+
+static int internal_memcmp(const void *s1, const void *s2, size_t n) {
+
+  const uint8_t *t1 = static_cast<const uint8_t *>(s1);
+  const uint8_t *t2 = static_cast<const uint8_t *>(s2);
+  for (size_t i = 0; i < n; ++i, ++t1, ++t2)
+    if (*t1 != *t2) return *t1 < *t2 ? -1 : 1;
+  return 0;
+
+}
+
+static size_t internal_strlen(const char *s) {
+
+  size_t i = 0;
+  while (s[i])
+    i++;
+  return i;
+
+}
+
+static char *internal_strstr(const char *haystack, const char *needle) {
+
+  // This is O(N^2), but we are not using it in hot places.
+  size_t len1 = internal_strlen(haystack);
+  size_t len2 = internal_strlen(needle);
+  if (len1 < len2) return nullptr;
+  for (size_t pos = 0; pos <= len1 - len2; pos++) {
+
+    if (internal_memcmp(haystack + pos, needle, len2) == 0)
+      return const_cast<char *>(haystack) + pos;
+
+  }
+
+  return nullptr;
+
+}
+
+extern "C" {
+
+// Weak hooks forward-declared to avoid dependency on
+// <sanitizer/common_interface_defs.h>.
+void __sanitizer_weak_hook_memcmp(void *called_pc, const void *s1,
+                                  const void *s2, size_t n, int result);
+void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
+                                   const char *s2, size_t n, int result);
+void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
+                                       const char *s2, size_t n, int result);
+void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
+                                  const char *s2, int result);
+void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
+                                      const char *s2, int result);
+void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
+                                  const char *s2, char *result);
+void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
+                                      const char *s2, char *result);
+void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
+                                  const void *s2, size_t len2, void *result);
+
+DEFINE_REAL(int, bcmp, const void *, const void *, size_t)
+DEFINE_REAL(int, memcmp, const void *, const void *, size_t)
+DEFINE_REAL(int, strncmp, const char *, const char *, size_t)
+DEFINE_REAL(int, strcmp, const char *, const char *)
+DEFINE_REAL(int, strncasecmp, const char *, const char *, size_t)
+DEFINE_REAL(int, strcasecmp, const char *, const char *)
+DEFINE_REAL(char *, strstr, const char *, const char *)
+DEFINE_REAL(char *, strcasestr, const char *, const char *)
+DEFINE_REAL(void *, memmem, const void *, size_t, const void *, size_t)
+
+ATTRIBUTE_INTERFACE int bcmp(const char *s1, const char *s2, size_t n) {
+
+  if (!FuzzerInited) return internal_memcmp(s1, s2, n);
+  int result = REAL(bcmp)(s1, s2, n);
+  __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE int memcmp(const void *s1, const void *s2, size_t n) {
+
+  if (!FuzzerInited) return internal_memcmp(s1, s2, n);
+  int result = REAL(memcmp)(s1, s2, n);
+  __sanitizer_weak_hook_memcmp(GET_CALLER_PC(), s1, s2, n, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE int strncmp(const char *s1, const char *s2, size_t n) {
+
+  if (!FuzzerInited) return internal_strncmp(s1, s2, n);
+  int result = REAL(strncmp)(s1, s2, n);
+  __sanitizer_weak_hook_strncmp(GET_CALLER_PC(), s1, s2, n, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE int strcmp(const char *s1, const char *s2) {
+
+  if (!FuzzerInited) return internal_strcmp(s1, s2);
+  int result = REAL(strcmp)(s1, s2);
+  __sanitizer_weak_hook_strcmp(GET_CALLER_PC(), s1, s2, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE int strncasecmp(const char *s1, const char *s2, size_t n) {
+
+  ensureFuzzerInited();
+  int result = REAL(strncasecmp)(s1, s2, n);
+  __sanitizer_weak_hook_strncasecmp(GET_CALLER_PC(), s1, s2, n, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE int strcasecmp(const char *s1, const char *s2) {
+
+  ensureFuzzerInited();
+  int result = REAL(strcasecmp)(s1, s2);
+  __sanitizer_weak_hook_strcasecmp(GET_CALLER_PC(), s1, s2, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE char *strstr(const char *s1, const char *s2) {
+
+  if (!FuzzerInited) return internal_strstr(s1, s2);
+  char *result = REAL(strstr)(s1, s2);
+  __sanitizer_weak_hook_strstr(GET_CALLER_PC(), s1, s2, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE char *strcasestr(const char *s1, const char *s2) {
+
+  ensureFuzzerInited();
+  char *result = REAL(strcasestr)(s1, s2);
+  __sanitizer_weak_hook_strcasestr(GET_CALLER_PC(), s1, s2, result);
+  return result;
+
+}
+
+ATTRIBUTE_INTERFACE
+void *memmem(const void *s1, size_t len1, const void *s2, size_t len2) {
+
+  ensureFuzzerInited();
+  void *result = REAL(memmem)(s1, len1, s2, len2);
+  __sanitizer_weak_hook_memmem(GET_CALLER_PC(), s1, len1, s2, len2, result);
+  return result;
+
+}
+
+__attribute__((section(".preinit_array"),
+               used)) static void (*__local_fuzzer_preinit)(void) = fuzzerInit;
+
+}  // extern "C"
+
+static void fuzzerInit() {
+
+  assert(!FuzzerInitIsRunning);
+  if (FuzzerInited) return;
+  FuzzerInitIsRunning = true;
+
+  REAL(bcmp) = reinterpret_cast<memcmp_type>(
+      getFuncAddr("bcmp", reinterpret_cast<uintptr_t>(&bcmp)));
+  REAL(memcmp) = reinterpret_cast<memcmp_type>(
+      getFuncAddr("memcmp", reinterpret_cast<uintptr_t>(&memcmp)));
+  REAL(strncmp) = reinterpret_cast<strncmp_type>(
+      getFuncAddr("strncmp", reinterpret_cast<uintptr_t>(&strncmp)));
+  REAL(strcmp) = reinterpret_cast<strcmp_type>(
+      getFuncAddr("strcmp", reinterpret_cast<uintptr_t>(&strcmp)));
+  REAL(strncasecmp) = reinterpret_cast<strncasecmp_type>(
+      getFuncAddr("strncasecmp", reinterpret_cast<uintptr_t>(&strncasecmp)));
+  REAL(strcasecmp) = reinterpret_cast<strcasecmp_type>(
+      getFuncAddr("strcasecmp", reinterpret_cast<uintptr_t>(&strcasecmp)));
+  REAL(strstr) = reinterpret_cast<strstr_type>(
+      getFuncAddr("strstr", reinterpret_cast<uintptr_t>(&strstr)));
+  REAL(strcasestr) = reinterpret_cast<strcasestr_type>(
+      getFuncAddr("strcasestr", reinterpret_cast<uintptr_t>(&strcasestr)));
+  REAL(memmem) = reinterpret_cast<memmem_type>(
+      getFuncAddr("memmem", reinterpret_cast<uintptr_t>(&memmem)));
+
+  FuzzerInitIsRunning = false;
+  FuzzerInited = 1;
+
+}
+
+#endif
+
--- a/custom_mutators/libfuzzer/FuzzerInterface.h
+++ b/custom_mutators/libfuzzer/FuzzerInterface.h
@ -0,0 +1,79 @@
+//===- FuzzerInterface.h - Interface header for the Fuzzer ------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Define the interface between libFuzzer and the library being tested.
+//===----------------------------------------------------------------------===//
+
+// NOTE: the libFuzzer interface is thin and in the majority of cases
+// you should not include this file into your target. In 95% of cases
+// all you need is to define the following function in your file:
+// extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+// WARNING: keep the interface in C.
+
+#ifndef LLVM_FUZZER_INTERFACE_H
+#define LLVM_FUZZER_INTERFACE_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif  // __cplusplus
+
+// Define FUZZER_INTERFACE_VISIBILITY to set default visibility in a way that
+// doesn't break MSVC.
+#if defined(_WIN32)
+#define FUZZER_INTERFACE_VISIBILITY __declspec(dllexport)
+#else
+#define FUZZER_INTERFACE_VISIBILITY __attribute__((visibility("default")))
+#endif
+
+// Mandatory user-provided target function.
+// Executes the code under test with [Data, Data+Size) as the input.
+// libFuzzer will invoke this function *many* times with different inputs.
+// Must return 0.
+FUZZER_INTERFACE_VISIBILITY int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+// Optional user-provided initialization function.
+// If provided, this function will be called by libFuzzer once at startup.
+// It may read and modify argc/argv.
+// Must return 0.
+FUZZER_INTERFACE_VISIBILITY int LLVMFuzzerInitialize(int *argc, char ***argv);
+
+// Optional user-provided custom mutator.
+// Mutates raw data in [Data, Data+Size) inplace.
+// Returns the new size, which is not greater than MaxSize.
+// Given the same Seed produces the same mutation.
+FUZZER_INTERFACE_VISIBILITY size_t
+LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize,
+                        unsigned int Seed);
+
+// Optional user-provided custom cross-over function.
+// Combines pieces of Data1 & Data2 together into Out.
+// Returns the new size, which is not greater than MaxOutSize.
+// Should produce the same mutation given the same Seed.
+FUZZER_INTERFACE_VISIBILITY size_t
+LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
+                          const uint8_t *Data2, size_t Size2, uint8_t *Out,
+                          size_t MaxOutSize, unsigned int Seed);
+
+// Experimental, may go away in future.
+// libFuzzer-provided function to be used inside LLVMFuzzerCustomMutator.
+// Mutates raw data in [Data, Data+Size) inplace.
+// Returns the new size, which is not greater than MaxSize.
+FUZZER_INTERFACE_VISIBILITY size_t
+LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
+
+#undef FUZZER_INTERFACE_VISIBILITY
+
+#ifdef __cplusplus
+}  // extern "C"
+#endif  // __cplusplus
+
+#endif  // LLVM_FUZZER_INTERFACE_H
--- a/custom_mutators/libfuzzer/FuzzerInternal.h
+++ b/custom_mutators/libfuzzer/FuzzerInternal.h
@ -0,0 +1,173 @@
+//===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Define the main class fuzzer::Fuzzer and most functions.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_INTERNAL_H
+#define LLVM_FUZZER_INTERNAL_H
+
+#include "FuzzerDataFlowTrace.h"
+#include "FuzzerDefs.h"
+#include "FuzzerExtFunctions.h"
+#include "FuzzerInterface.h"
+#include "FuzzerOptions.h"
+#include "FuzzerSHA1.h"
+#include "FuzzerValueBitMap.h"
+#include <algorithm>
+#include <atomic>
+#include <chrono>
+#include <climits>
+#include <cstdlib>
+#include <string.h>
+
+namespace fuzzer {
+
+using namespace std::chrono;
+
+class Fuzzer {
+public:
+
+  Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
+         FuzzingOptions Options);
+  ~Fuzzer();
+  void Loop(Vector<SizedFile> &CorporaFiles);
+  void ReadAndExecuteSeedCorpora(Vector<SizedFile> &CorporaFiles);
+  void MinimizeCrashLoop(const Unit &U);
+  void RereadOutputCorpus(size_t MaxSize);
+
+  size_t secondsSinceProcessStartUp() {
+    return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
+        .count();
+  }
+
+  bool TimedOut() {
+    return Options.MaxTotalTimeSec > 0 &&
+           secondsSinceProcessStartUp() >
+               static_cast<size_t>(Options.MaxTotalTimeSec);
+  }
+
+  size_t execPerSec() {
+    size_t Seconds = secondsSinceProcessStartUp();
+    return Seconds ? TotalNumberOfRuns / Seconds : 0;
+  }
+
+  size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
+
+  static void StaticAlarmCallback();
+  static void StaticCrashSignalCallback();
+  static void StaticExitCallback();
+  static void StaticInterruptCallback();
+  static void StaticFileSizeExceedCallback();
+  static void StaticGracefulExitCallback();
+
+  void ExecuteCallback(const uint8_t *Data, size_t Size);
+  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
+              InputInfo *II = nullptr, bool ForceAddToCorpus = false,
+              bool *FoundUniqFeatures = nullptr);
+
+  // Merge Corpora[1:] into Corpora[0].
+  void Merge(const Vector<std::string> &Corpora);
+  void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
+  MutationDispatcher &GetMD() { return MD; }
+  void PrintFinalStats();
+  void SetMaxInputLen(size_t MaxInputLen);
+  void SetMaxMutationLen(size_t MaxMutationLen);
+  void RssLimitCallback();
+
+  bool InFuzzingThread() const { return IsMyThread; }
+  size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const;
+  void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
+                               bool DuringInitialCorpusExecution);
+
+  void HandleMalloc(size_t Size);
+  static void MaybeExitGracefully();
+  std::string WriteToOutputCorpus(const Unit &U);
+
+private:
+  void AlarmCallback();
+  void CrashCallback();
+  void ExitCallback();
+  void CrashOnOverwrittenData();
+  void InterruptCallback();
+  void MutateAndTestOne();
+  void PurgeAllocator();
+  void ReportNewCoverage(InputInfo *II, const Unit &U);
+  void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size);
+  void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
+  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0,
+                  size_t Features = 0);
+  void PrintStatusForNewUnit(const Unit &U, const char *Text);
+  void CheckExitOnSrcPosOrItem();
+
+  static void StaticDeathCallback();
+  void DumpCurrentUnit(const char *Prefix);
+  void DeathCallback();
+
+  void AllocateCurrentUnitData();
+  uint8_t *CurrentUnitData = nullptr;
+  std::atomic<size_t> CurrentUnitSize;
+  uint8_t BaseSha1[kSHA1NumBytes];  // Checksum of the base unit.
+
+  bool GracefulExitRequested = false;
+
+  size_t TotalNumberOfRuns = 0;
+  size_t NumberOfNewUnitsAdded = 0;
+
+  size_t LastCorpusUpdateRun = 0;
+
+  bool HasMoreMallocsThanFrees = false;
+  size_t NumberOfLeakDetectionAttempts = 0;
+
+  system_clock::time_point LastAllocatorPurgeAttemptTime = system_clock::now();
+
+  UserCallback CB;
+  InputCorpus &Corpus;
+  MutationDispatcher &MD;
+  FuzzingOptions Options;
+  DataFlowTrace DFT;
+
+  system_clock::time_point ProcessStartTime = system_clock::now();
+  system_clock::time_point UnitStartTime, UnitStopTime;
+  long TimeOfLongestUnitInSeconds = 0;
+  long EpochOfLastReadOfOutputCorpus = 0;
+
+  size_t MaxInputLen = 0;
+  size_t MaxMutationLen = 0;
+  size_t TmpMaxMutationLen = 0;
+
+  Vector<uint32_t> UniqFeatureSetTmp;
+
+  // Need to know our own thread.
+  static thread_local bool IsMyThread;
+};
+
+struct ScopedEnableMsanInterceptorChecks {
+  ScopedEnableMsanInterceptorChecks() {
+    if (EF->__msan_scoped_enable_interceptor_checks)
+      EF->__msan_scoped_enable_interceptor_checks();
+  }
+  ~ScopedEnableMsanInterceptorChecks() {
+    if (EF->__msan_scoped_disable_interceptor_checks)
+      EF->__msan_scoped_disable_interceptor_checks();
+  }
+};
+
+struct ScopedDisableMsanInterceptorChecks {
+  ScopedDisableMsanInterceptorChecks() {
+    if (EF->__msan_scoped_disable_interceptor_checks)
+      EF->__msan_scoped_disable_interceptor_checks();
+  }
+  ~ScopedDisableMsanInterceptorChecks() {
+    if (EF->__msan_scoped_enable_interceptor_checks)
+      EF->__msan_scoped_enable_interceptor_checks();
+  }
+};
+
+} // namespace fuzzer
+
+#endif // LLVM_FUZZER_INTERNAL_H
--- a/custom_mutators/libfuzzer/FuzzerLoop.cpp
+++ b/custom_mutators/libfuzzer/FuzzerLoop.cpp
--- a/custom_mutators/libfuzzer/FuzzerMain.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMain.cpp
@ -0,0 +1,26 @@
+//===- FuzzerMain.cpp - main() function and flags -------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// main() and flags.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerDefs.h"
+#include "FuzzerPlatform.h"
+
+extern "C" {
+
+// This function should be defined by the user.
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+}  // extern "C"
+
+ATTRIBUTE_INTERFACE int main(int argc, char **argv) {
+
+  return fuzzer::FuzzerDriver(&argc, &argv, LLVMFuzzerTestOneInput);
+
+}
+
--- a/custom_mutators/libfuzzer/FuzzerMerge.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMerge.cpp
@ -0,0 +1,485 @@
+//===- FuzzerMerge.cpp - merging corpora ----------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Merging corpora.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerCommand.h"
+#include "FuzzerMerge.h"
+#include "FuzzerIO.h"
+#include "FuzzerInternal.h"
+#include "FuzzerTracePC.h"
+#include "FuzzerUtil.h"
+
+#include <fstream>
+#include <iterator>
+#include <set>
+#include <sstream>
+#include <unordered_set>
+
+namespace fuzzer {
+
+bool Merger::Parse(const std::string &Str, bool ParseCoverage) {
+
+  std::istringstream SS(Str);
+  return Parse(SS, ParseCoverage);
+
+}
+
+void Merger::ParseOrExit(std::istream &IS, bool ParseCoverage) {
+
+  if (!Parse(IS, ParseCoverage)) {
+
+    Printf("MERGE: failed to parse the control file (unexpected error)\n");
+    exit(1);
+
+  }
+
+}
+
+// The control file example:
+//
+// 3 # The number of inputs
+// 1 # The number of inputs in the first corpus, <= the previous number
+// file0
+// file1
+// file2  # One file name per line.
+// STARTED 0 123  # FileID, file size
+// FT 0 1 4 6 8  # FileID COV1 COV2 ...
+// COV 0 7 8 9 # FileID COV1 COV1
+// STARTED 1 456  # If FT is missing, the input crashed while processing.
+// STARTED 2 567
+// FT 2 8 9
+// COV 2 11 12
+bool Merger::Parse(std::istream &IS, bool ParseCoverage) {
+
+  LastFailure.clear();
+  std::string Line;
+
+  // Parse NumFiles.
+  if (!std::getline(IS, Line, '\n')) return false;
+  std::istringstream L1(Line);
+  size_t             NumFiles = 0;
+  L1 >> NumFiles;
+  if (NumFiles == 0 || NumFiles > 10000000) return false;
+
+  // Parse NumFilesInFirstCorpus.
+  if (!std::getline(IS, Line, '\n')) return false;
+  std::istringstream L2(Line);
+  NumFilesInFirstCorpus = NumFiles + 1;
+  L2 >> NumFilesInFirstCorpus;
+  if (NumFilesInFirstCorpus > NumFiles) return false;
+
+  // Parse file names.
+  Files.resize(NumFiles);
+  for (size_t i = 0; i < NumFiles; i++)
+    if (!std::getline(IS, Files[i].Name, '\n')) return false;
+
+  // Parse STARTED, FT, and COV lines.
+  size_t           ExpectedStartMarker = 0;
+  const size_t     kInvalidStartMarker = -1;
+  size_t           LastSeenStartMarker = kInvalidStartMarker;
+  Vector<uint32_t> TmpFeatures;
+  Set<uint32_t>    PCs;
+  while (std::getline(IS, Line, '\n')) {
+
+    std::istringstream ISS1(Line);
+    std::string        Marker;
+    size_t             N;
+    ISS1 >> Marker;
+    ISS1 >> N;
+    if (Marker == "STARTED") {
+
+      // STARTED FILE_ID FILE_SIZE
+      if (ExpectedStartMarker != N) return false;
+      ISS1 >> Files[ExpectedStartMarker].Size;
+      LastSeenStartMarker = ExpectedStartMarker;
+      assert(ExpectedStartMarker < Files.size());
+      ExpectedStartMarker++;
+
+    } else if (Marker == "FT") {
+
+      // FT FILE_ID COV1 COV2 COV3 ...
+      size_t CurrentFileIdx = N;
+      if (CurrentFileIdx != LastSeenStartMarker) return false;
+      LastSeenStartMarker = kInvalidStartMarker;
+      if (ParseCoverage) {
+
+        TmpFeatures.clear();  // use a vector from outer scope to avoid resizes.
+        while (ISS1 >> N)
+          TmpFeatures.push_back(N);
+        std::sort(TmpFeatures.begin(), TmpFeatures.end());
+        Files[CurrentFileIdx].Features = TmpFeatures;
+
+      }
+
+    } else if (Marker == "COV") {
+
+      size_t CurrentFileIdx = N;
+      if (ParseCoverage)
+        while (ISS1 >> N)
+          if (PCs.insert(N).second) Files[CurrentFileIdx].Cov.push_back(N);
+
+    } else {
+
+      return false;
+
+    }
+
+  }
+
+  if (LastSeenStartMarker != kInvalidStartMarker)
+    LastFailure = Files[LastSeenStartMarker].Name;
+
+  FirstNotProcessedFile = ExpectedStartMarker;
+  return true;
+
+}
+
+size_t Merger::ApproximateMemoryConsumption() const {
+
+  size_t Res = 0;
+  for (const auto &F : Files)
+    Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]);
+  return Res;
+
+}
+
+// Decides which files need to be merged (add those to NewFiles).
+// Returns the number of new features added.
+size_t Merger::Merge(const Set<uint32_t> &InitialFeatures,
+                     Set<uint32_t> *      NewFeatures,
+                     const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
+                     Vector<std::string> *NewFiles) {
+
+  NewFiles->clear();
+  assert(NumFilesInFirstCorpus <= Files.size());
+  Set<uint32_t> AllFeatures = InitialFeatures;
+
+  // What features are in the initial corpus?
+  for (size_t i = 0; i < NumFilesInFirstCorpus; i++) {
+
+    auto &Cur = Files[i].Features;
+    AllFeatures.insert(Cur.begin(), Cur.end());
+
+  }
+
+  // Remove all features that we already know from all other inputs.
+  for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
+
+    auto &           Cur = Files[i].Features;
+    Vector<uint32_t> Tmp;
+    std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(),
+                        AllFeatures.end(), std::inserter(Tmp, Tmp.begin()));
+    Cur.swap(Tmp);
+
+  }
+
+  // Sort. Give preference to
+  //   * smaller files
+  //   * files with more features.
+  std::sort(Files.begin() + NumFilesInFirstCorpus, Files.end(),
+            [&](const MergeFileInfo &a, const MergeFileInfo &b) -> bool {
+
+              if (a.Size != b.Size) return a.Size < b.Size;
+              return a.Features.size() > b.Features.size();
+
+            });
+
+  // One greedy pass: add the file's features to AllFeatures.
+  // If new features were added, add this file to NewFiles.
+  for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
+
+    auto &Cur = Files[i].Features;
+    // Printf("%s -> sz %zd ft %zd\n", Files[i].Name.c_str(),
+    //       Files[i].Size, Cur.size());
+    bool FoundNewFeatures = false;
+    for (auto Fe : Cur) {
+
+      if (AllFeatures.insert(Fe).second) {
+
+        FoundNewFeatures = true;
+        NewFeatures->insert(Fe);
+
+      }
+
+    }
+
+    if (FoundNewFeatures) NewFiles->push_back(Files[i].Name);
+    for (auto Cov : Files[i].Cov)
+      if (InitialCov.find(Cov) == InitialCov.end()) NewCov->insert(Cov);
+
+  }
+
+  return NewFeatures->size();
+
+}
+
+Set<uint32_t> Merger::AllFeatures() const {
+
+  Set<uint32_t> S;
+  for (auto &File : Files)
+    S.insert(File.Features.begin(), File.Features.end());
+  return S;
+
+}
+
+// Inner process. May crash if the target crashes.
+void Fuzzer::CrashResistantMergeInternalStep(const std::string &CFPath) {
+
+  Printf("MERGE-INNER: using the control file '%s'\n", CFPath.c_str());
+  Merger        M;
+  std::ifstream IF(CFPath);
+  M.ParseOrExit(IF, false);
+  IF.close();
+  if (!M.LastFailure.empty())
+    Printf("MERGE-INNER: '%s' caused a failure at the previous merge step\n",
+           M.LastFailure.c_str());
+
+  Printf(
+      "MERGE-INNER: %zd total files;"
+      " %zd processed earlier; will process %zd files now\n",
+      M.Files.size(), M.FirstNotProcessedFile,
+      M.Files.size() - M.FirstNotProcessedFile);
+
+  std::ofstream OF(CFPath, std::ofstream::out | std::ofstream::app);
+  Set<size_t>   AllFeatures;
+  auto          PrintStatsWrapper = [this, &AllFeatures](const char *Where) {
+
+    this->PrintStats(Where, "\n", 0, AllFeatures.size());
+
+  };
+
+  Set<const TracePC::PCTableEntry *> AllPCs;
+  for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {
+
+    Fuzzer::MaybeExitGracefully();
+    auto U = FileToVector(M.Files[i].Name);
+    if (U.size() > MaxInputLen) {
+
+      U.resize(MaxInputLen);
+      U.shrink_to_fit();
+
+    }
+
+    // Write the pre-run marker.
+    OF << "STARTED " << i << " " << U.size() << "\n";
+    OF.flush();  // Flush is important since Command::Execute may crash.
+    // Run.
+    TPC.ResetMaps();
+    ExecuteCallback(U.data(), U.size());
+    // Collect coverage. We are iterating over the files in this order:
+    // * First, files in the initial corpus ordered by size, smallest first.
+    // * Then, all other files, smallest first.
+    // So it makes no sense to record all features for all files, instead we
+    // only record features that were not seen before.
+    Set<size_t> UniqFeatures;
+    TPC.CollectFeatures([&](size_t Feature) {
+
+      if (AllFeatures.insert(Feature).second) UniqFeatures.insert(Feature);
+
+    });
+
+    TPC.UpdateObservedPCs();
+    // Show stats.
+    if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))
+      PrintStatsWrapper("pulse ");
+    if (TotalNumberOfRuns == M.NumFilesInFirstCorpus)
+      PrintStatsWrapper("LOADED");
+    // Write the post-run marker and the coverage.
+    OF << "FT " << i;
+    for (size_t F : UniqFeatures)
+      OF << " " << F;
+    OF << "\n";
+    OF << "COV " << i;
+    TPC.ForEachObservedPC([&](const TracePC::PCTableEntry *TE) {
+
+      if (AllPCs.insert(TE).second) OF << " " << TPC.PCTableEntryIdx(TE);
+
+    });
+
+    OF << "\n";
+    OF.flush();
+
+  }
+
+  PrintStatsWrapper("DONE  ");
+
+}
+
+static size_t WriteNewControlFile(const std::string &          CFPath,
+                                  const Vector<SizedFile> &    OldCorpus,
+                                  const Vector<SizedFile> &    NewCorpus,
+                                  const Vector<MergeFileInfo> &KnownFiles) {
+
+  std::unordered_set<std::string> FilesToSkip;
+  for (auto &SF : KnownFiles)
+    FilesToSkip.insert(SF.Name);
+
+  Vector<std::string> FilesToUse;
+  auto                MaybeUseFile = [=, &FilesToUse](std::string Name) {
+
+    if (FilesToSkip.find(Name) == FilesToSkip.end()) FilesToUse.push_back(Name);
+
+  };
+
+  for (auto &SF : OldCorpus)
+    MaybeUseFile(SF.File);
+  auto FilesToUseFromOldCorpus = FilesToUse.size();
+  for (auto &SF : NewCorpus)
+    MaybeUseFile(SF.File);
+
+  RemoveFile(CFPath);
+  std::ofstream ControlFile(CFPath);
+  ControlFile << FilesToUse.size() << "\n";
+  ControlFile << FilesToUseFromOldCorpus << "\n";
+  for (auto &FN : FilesToUse)
+    ControlFile << FN << "\n";
+
+  if (!ControlFile) {
+
+    Printf("MERGE-OUTER: failed to write to the control file: %s\n",
+           CFPath.c_str());
+    exit(1);
+
+  }
+
+  return FilesToUse.size();
+
+}
+
+// Outer process. Does not call the target code and thus should not fail.
+void CrashResistantMerge(const Vector<std::string> &Args,
+                         const Vector<SizedFile> &  OldCorpus,
+                         const Vector<SizedFile> &  NewCorpus,
+                         Vector<std::string> *      NewFiles,
+                         const Set<uint32_t> &      InitialFeatures,
+                         Set<uint32_t> *            NewFeatures,
+                         const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
+                         const std::string &CFPath, bool V /*Verbose*/) {
+
+  if (NewCorpus.empty() && OldCorpus.empty()) return;  // Nothing to merge.
+  size_t                NumAttempts = 0;
+  Vector<MergeFileInfo> KnownFiles;
+  if (FileSize(CFPath)) {
+
+    VPrintf(V, "MERGE-OUTER: non-empty control file provided: '%s'\n",
+            CFPath.c_str());
+    Merger        M;
+    std::ifstream IF(CFPath);
+    if (M.Parse(IF, /*ParseCoverage=*/true)) {
+
+      VPrintf(V,
+              "MERGE-OUTER: control file ok, %zd files total,"
+              " first not processed file %zd\n",
+              M.Files.size(), M.FirstNotProcessedFile);
+      if (!M.LastFailure.empty())
+        VPrintf(V,
+                "MERGE-OUTER: '%s' will be skipped as unlucky "
+                "(merge has stumbled on it the last time)\n",
+                M.LastFailure.c_str());
+      if (M.FirstNotProcessedFile >= M.Files.size()) {
+
+        // Merge has already been completed with the given merge control file.
+        if (M.Files.size() == OldCorpus.size() + NewCorpus.size()) {
+
+          VPrintf(
+              V,
+              "MERGE-OUTER: nothing to do, merge has been completed before\n");
+          exit(0);
+
+        }
+
+        // Number of input files likely changed, start merge from scratch, but
+        // reuse coverage information from the given merge control file.
+        VPrintf(
+            V,
+            "MERGE-OUTER: starting merge from scratch, but reusing coverage "
+            "information from the given control file\n");
+        KnownFiles = M.Files;
+
+      } else {
+
+        // There is a merge in progress, continue.
+        NumAttempts = M.Files.size() - M.FirstNotProcessedFile;
+
+      }
+
+    } else {
+
+      VPrintf(V, "MERGE-OUTER: bad control file, will overwrite it\n");
+
+    }
+
+  }
+
+  if (!NumAttempts) {
+
+    // The supplied control file is empty or bad, create a fresh one.
+    VPrintf(V,
+            "MERGE-OUTER: "
+            "%zd files, %zd in the initial corpus, %zd processed earlier\n",
+            OldCorpus.size() + NewCorpus.size(), OldCorpus.size(),
+            KnownFiles.size());
+    NumAttempts = WriteNewControlFile(CFPath, OldCorpus, NewCorpus, KnownFiles);
+
+  }
+
+  // Execute the inner process until it passes.
+  // Every inner process should execute at least one input.
+  Command BaseCmd(Args);
+  BaseCmd.removeFlag("merge");
+  BaseCmd.removeFlag("fork");
+  BaseCmd.removeFlag("collect_data_flow");
+  for (size_t Attempt = 1; Attempt <= NumAttempts; Attempt++) {
+
+    Fuzzer::MaybeExitGracefully();
+    VPrintf(V, "MERGE-OUTER: attempt %zd\n", Attempt);
+    Command Cmd(BaseCmd);
+    Cmd.addFlag("merge_control_file", CFPath);
+    Cmd.addFlag("merge_inner", "1");
+    if (!V) {
+
+      Cmd.setOutputFile(getDevNull());
+      Cmd.combineOutAndErr();
+
+    }
+
+    auto ExitCode = ExecuteCommand(Cmd);
+    if (!ExitCode) {
+
+      VPrintf(V, "MERGE-OUTER: succesfull in %zd attempt(s)\n", Attempt);
+      break;
+
+    }
+
+  }
+
+  // Read the control file and do the merge.
+  Merger        M;
+  std::ifstream IF(CFPath);
+  IF.seekg(0, IF.end);
+  VPrintf(V, "MERGE-OUTER: the control file has %zd bytes\n",
+          (size_t)IF.tellg());
+  IF.seekg(0, IF.beg);
+  M.ParseOrExit(IF, true);
+  IF.close();
+  VPrintf(V,
+          "MERGE-OUTER: consumed %zdMb (%zdMb rss) to parse the control file\n",
+          M.ApproximateMemoryConsumption() >> 20, GetPeakRSSMb());
+
+  M.Files.insert(M.Files.end(), KnownFiles.begin(), KnownFiles.end());
+  M.Merge(InitialFeatures, NewFeatures, InitialCov, NewCov, NewFiles);
+  VPrintf(V,
+          "MERGE-OUTER: %zd new files with %zd new features added; "
+          "%zd new coverage edges\n",
+          NewFiles->size(), NewFeatures->size(), NewCov->size());
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerMerge.h
+++ b/custom_mutators/libfuzzer/FuzzerMerge.h
@ -0,0 +1,87 @@
+//===- FuzzerMerge.h - merging corpa ----------------------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Merging Corpora.
+//
+// The task:
+//   Take the existing corpus (possibly empty) and merge new inputs into
+//   it so that only inputs with new coverage ('features') are added.
+//   The process should tolerate the crashes, OOMs, leaks, etc.
+//
+// Algorithm:
+//   The outer process collects the set of files and writes their names
+//   into a temporary "control" file, then repeatedly launches the inner
+//   process until all inputs are processed.
+//   The outer process does not actually execute the target code.
+//
+//   The inner process reads the control file and sees a) list of all the inputs
+//   and b) the last processed input. Then it starts processing the inputs one
+//   by one. Before processing every input it writes one line to control file:
+//   STARTED INPUT_ID INPUT_SIZE
+//   After processing an input it writes the following lines:
+//   FT INPUT_ID Feature1 Feature2 Feature3 ...
+//   COV INPUT_ID Coverage1 Coverage2 Coverage3 ...
+//   If a crash happens while processing an input the last line in the control
+//   file will be "STARTED INPUT_ID" and so the next process will know
+//   where to resume.
+//
+//   Once all inputs are processed by the inner process(es) the outer process
+//   reads the control files and does the merge based entirely on the contents
+//   of control file.
+//   It uses a single pass greedy algorithm choosing first the smallest inputs
+//   within the same size the inputs that have more new features.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_MERGE_H
+#define LLVM_FUZZER_MERGE_H
+
+#include "FuzzerDefs.h"
+
+#include <istream>
+#include <ostream>
+#include <set>
+#include <vector>
+
+namespace fuzzer {
+
+struct MergeFileInfo {
+  std::string Name;
+  size_t Size = 0;
+  Vector<uint32_t> Features, Cov;
+};
+
+struct Merger {
+  Vector<MergeFileInfo> Files;
+  size_t NumFilesInFirstCorpus = 0;
+  size_t FirstNotProcessedFile = 0;
+  std::string LastFailure;
+
+  bool Parse(std::istream &IS, bool ParseCoverage);
+  bool Parse(const std::string &Str, bool ParseCoverage);
+  void ParseOrExit(std::istream &IS, bool ParseCoverage);
+  size_t Merge(const Set<uint32_t> &InitialFeatures, Set<uint32_t> *NewFeatures,
+               const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,
+               Vector<std::string> *NewFiles);
+  size_t ApproximateMemoryConsumption() const;
+  Set<uint32_t> AllFeatures() const;
+};
+
+void CrashResistantMerge(const Vector<std::string> &Args,
+                         const Vector<SizedFile> &OldCorpus,
+                         const Vector<SizedFile> &NewCorpus,
+                         Vector<std::string> *NewFiles,
+                         const Set<uint32_t> &InitialFeatures,
+                         Set<uint32_t> *NewFeatures,
+                         const Set<uint32_t> &InitialCov,
+                         Set<uint32_t> *NewCov,
+                         const std::string &CFPath,
+                         bool Verbose);
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_MERGE_H
--- a/custom_mutators/libfuzzer/FuzzerMutate.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMutate.cpp
@ -0,0 +1,747 @@
+//===- FuzzerMutate.cpp - Mutate a test input -----------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Mutate a test input.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerDefs.h"
+#include "FuzzerExtFunctions.h"
+#include "FuzzerIO.h"
+#include "FuzzerMutate.h"
+#include "FuzzerOptions.h"
+#include "FuzzerTracePC.h"
+#include <random>
+#include <chrono>
+
+namespace fuzzer {
+
+const size_t        Dictionary::kMaxDictSize;
+static const size_t kMaxMutationsToPrint = 10;
+
+static void PrintASCII(const Word &W, const char *PrintAfter) {
+
+  PrintASCII(W.data(), W.size(), PrintAfter);
+
+}
+
+MutationDispatcher::MutationDispatcher(Random &              Rand,
+                                       const FuzzingOptions &Options)
+    : Rand(Rand), Options(Options) {
+
+  DefaultMutators.insert(
+      DefaultMutators.begin(),
+      {
+
+          {&MutationDispatcher::Mutate_EraseBytes, "EraseBytes"},
+          {&MutationDispatcher::Mutate_InsertByte, "InsertByte"},
+          {&MutationDispatcher::Mutate_InsertRepeatedBytes,
+           "InsertRepeatedBytes"},
+          {&MutationDispatcher::Mutate_ChangeByte, "ChangeByte"},
+          {&MutationDispatcher::Mutate_ChangeBit, "ChangeBit"},
+          {&MutationDispatcher::Mutate_ShuffleBytes, "ShuffleBytes"},
+          {&MutationDispatcher::Mutate_ChangeASCIIInteger, "ChangeASCIIInt"},
+          {&MutationDispatcher::Mutate_ChangeBinaryInteger, "ChangeBinInt"},
+          {&MutationDispatcher::Mutate_CopyPart, "CopyPart"},
+          {&MutationDispatcher::Mutate_CrossOver, "CrossOver"},
+          {&MutationDispatcher::Mutate_AddWordFromManualDictionary,
+           "ManualDict"},
+          {&MutationDispatcher::Mutate_AddWordFromPersistentAutoDictionary,
+           "PersAutoDict"},
+
+      });
+
+  if (Options.UseCmp)
+    DefaultMutators.push_back(
+        {&MutationDispatcher::Mutate_AddWordFromTORC, "CMP"});
+
+  if (EF->LLVMFuzzerCustomMutator)
+    Mutators.push_back({&MutationDispatcher::Mutate_Custom, "Custom"});
+  else
+    Mutators = DefaultMutators;
+
+  if (EF->LLVMFuzzerCustomCrossOver)
+    Mutators.push_back(
+        {&MutationDispatcher::Mutate_CustomCrossOver, "CustomCrossOver"});
+
+}
+
+static char RandCh(Random &Rand) {
+
+  if (Rand.RandBool()) return Rand(256);
+  const char Special[] = "!*'();:@&=+$,/?%#[]012Az-`~.\xff\x00";
+  return Special[Rand(sizeof(Special) - 1)];
+
+}
+
+size_t MutationDispatcher::Mutate_Custom(uint8_t *Data, size_t Size,
+                                         size_t MaxSize) {
+
+  return EF->LLVMFuzzerCustomMutator(Data, Size, MaxSize, Rand.Rand());
+
+}
+
+size_t MutationDispatcher::Mutate_CustomCrossOver(uint8_t *Data, size_t Size,
+                                                  size_t MaxSize) {
+
+  if (Size == 0) return 0;
+  if (!CrossOverWith) return 0;
+  const Unit &Other = *CrossOverWith;
+  if (Other.empty()) return 0;
+  CustomCrossOverInPlaceHere.resize(MaxSize);
+  auto & U = CustomCrossOverInPlaceHere;
+  size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
+      Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
+  if (!NewSize) return 0;
+  assert(NewSize <= MaxSize && "CustomCrossOver returned overisized unit");
+  memcpy(Data, U.data(), NewSize);
+  return NewSize;
+
+}
+
+
+size_t MutationDispatcher::Mutate_ShuffleBytes(uint8_t *Data, size_t Size,
+                                               size_t MaxSize) {
+  if (Size > MaxSize || Size == 0) return 0;
+  size_t ShuffleAmount =
+      Rand(std::min(Size, (size_t)8)) + 1;  // [1,8] and <= Size.
+  size_t ShuffleStart = Rand(Size - ShuffleAmount);
+  assert(ShuffleStart + ShuffleAmount <= Size);
+  unsigned num = std::chrono::system_clock::now().time_since_epoch().count();
+  std::shuffle(Data + ShuffleStart, Data + ShuffleStart + ShuffleAmount, std::default_random_engine(num));
+  //std::shuffle(Data + ShuffleStart, Data + ShuffleStart + ShuffleAmount, Rand);
+  return Size;
+
+}
+
+size_t MutationDispatcher::Mutate_EraseBytes(uint8_t *Data, size_t Size,
+                                             size_t MaxSize) {
+
+  if (Size <= 1) return 0;
+  size_t N = Rand(Size / 2) + 1;
+  assert(N < Size);
+  size_t Idx = Rand(Size - N + 1);
+  // Erase Data[Idx:Idx+N].
+  memmove(Data + Idx, Data + Idx + N, Size - Idx - N);
+  // Printf("Erase: %zd %zd => %zd; Idx %zd\n", N, Size, Size - N, Idx);
+  return Size - N;
+
+}
+
+size_t MutationDispatcher::Mutate_InsertByte(uint8_t *Data, size_t Size,
+                                             size_t MaxSize) {
+
+  if (Size >= MaxSize) return 0;
+  size_t Idx = Rand(Size + 1);
+  // Insert new value at Data[Idx].
+  memmove(Data + Idx + 1, Data + Idx, Size - Idx);
+  Data[Idx] = RandCh(Rand);
+  return Size + 1;
+
+}
+
+size_t MutationDispatcher::Mutate_InsertRepeatedBytes(uint8_t *Data,
+                                                      size_t   Size,
+                                                      size_t   MaxSize) {
+
+  const size_t kMinBytesToInsert = 3;
+  if (Size + kMinBytesToInsert >= MaxSize) return 0;
+  size_t MaxBytesToInsert = std::min(MaxSize - Size, (size_t)128);
+  size_t N = Rand(MaxBytesToInsert - kMinBytesToInsert + 1) + kMinBytesToInsert;
+  assert(Size + N <= MaxSize && N);
+  size_t Idx = Rand(Size + 1);
+  // Insert new values at Data[Idx].
+  memmove(Data + Idx + N, Data + Idx, Size - Idx);
+  // Give preference to 0x00 and 0xff.
+  uint8_t Byte = Rand.RandBool() ? Rand(256) : (Rand.RandBool() ? 0 : 255);
+  for (size_t i = 0; i < N; i++)
+    Data[Idx + i] = Byte;
+  return Size + N;
+
+}
+
+size_t MutationDispatcher::Mutate_ChangeByte(uint8_t *Data, size_t Size,
+                                             size_t MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  size_t Idx = Rand(Size);
+  Data[Idx] = RandCh(Rand);
+  return Size;
+
+}
+
+size_t MutationDispatcher::Mutate_ChangeBit(uint8_t *Data, size_t Size,
+                                            size_t MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  size_t Idx = Rand(Size);
+  Data[Idx] ^= 1 << Rand(8);
+  return Size;
+
+}
+
+size_t MutationDispatcher::Mutate_AddWordFromManualDictionary(uint8_t *Data,
+                                                              size_t   Size,
+                                                              size_t MaxSize) {
+
+  return AddWordFromDictionary(ManualDictionary, Data, Size, MaxSize);
+
+}
+
+size_t MutationDispatcher::ApplyDictionaryEntry(uint8_t *Data, size_t Size,
+                                                size_t           MaxSize,
+                                                DictionaryEntry &DE) {
+
+  const Word &W = DE.GetW();
+  bool        UsePositionHint = DE.HasPositionHint() &&
+                         DE.GetPositionHint() + W.size() < Size &&
+                         Rand.RandBool();
+  if (Rand.RandBool()) {  // Insert W.
+    if (Size + W.size() > MaxSize) return 0;
+    size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1);
+    memmove(Data + Idx + W.size(), Data + Idx, Size - Idx);
+    memcpy(Data + Idx, W.data(), W.size());
+    Size += W.size();
+
+  } else {  // Overwrite some bytes with W.
+
+    if (W.size() > Size) return 0;
+    size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
+    memcpy(Data + Idx, W.data(), W.size());
+
+  }
+
+  return Size;
+
+}
+
+// Somewhere in the past we have observed a comparison instructions
+// with arguments Arg1 Arg2. This function tries to guess a dictionary
+// entry that will satisfy that comparison.
+// It first tries to find one of the arguments (possibly swapped) in the
+// input and if it succeeds it creates a DE with a position hint.
+// Otherwise it creates a DE with one of the arguments w/o a position hint.
+DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
+    const void *Arg1, const void *Arg2, const void *Arg1Mutation,
+    const void *Arg2Mutation, size_t ArgSize, const uint8_t *Data,
+    size_t Size) {
+
+  bool           HandleFirst = Rand.RandBool();
+  const void *   ExistingBytes, *DesiredBytes;
+  Word           W;
+  const uint8_t *End = Data + Size;
+  for (int Arg = 0; Arg < 2; Arg++) {
+
+    ExistingBytes = HandleFirst ? Arg1 : Arg2;
+    DesiredBytes = HandleFirst ? Arg2Mutation : Arg1Mutation;
+    HandleFirst = !HandleFirst;
+    W.Set(reinterpret_cast<const uint8_t *>(DesiredBytes), ArgSize);
+    const size_t kMaxNumPositions = 8;
+    size_t       Positions[kMaxNumPositions];
+    size_t       NumPositions = 0;
+    for (const uint8_t *Cur = Data;
+         Cur < End && NumPositions < kMaxNumPositions; Cur++) {
+
+      Cur =
+          (const uint8_t *)SearchMemory(Cur, End - Cur, ExistingBytes, ArgSize);
+      if (!Cur) break;
+      Positions[NumPositions++] = Cur - Data;
+
+    }
+
+    if (!NumPositions) continue;
+    return DictionaryEntry(W, Positions[Rand(NumPositions)]);
+
+  }
+
+  DictionaryEntry DE(W);
+  return DE;
+
+}
+
+template <class T>
+DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
+    T Arg1, T Arg2, const uint8_t *Data, size_t Size) {
+
+  if (Rand.RandBool()) Arg1 = Bswap(Arg1);
+  if (Rand.RandBool()) Arg2 = Bswap(Arg2);
+  T Arg1Mutation = Arg1 + Rand(-1, 1);
+  T Arg2Mutation = Arg2 + Rand(-1, 1);
+  return MakeDictionaryEntryFromCMP(&Arg1, &Arg2, &Arg1Mutation, &Arg2Mutation,
+                                    sizeof(Arg1), Data, Size);
+
+}
+
+DictionaryEntry MutationDispatcher::MakeDictionaryEntryFromCMP(
+    const Word &Arg1, const Word &Arg2, const uint8_t *Data, size_t Size) {
+
+  return MakeDictionaryEntryFromCMP(Arg1.data(), Arg2.data(), Arg1.data(),
+                                    Arg2.data(), Arg1.size(), Data, Size);
+
+}
+
+size_t MutationDispatcher::Mutate_AddWordFromTORC(uint8_t *Data, size_t Size,
+                                                  size_t MaxSize) {
+
+  Word            W;
+  DictionaryEntry DE;
+  switch (Rand(4)) {
+
+    case 0: {
+
+      auto X = TPC.TORC8.Get(Rand.Rand());
+      DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
+
+    } break;
+
+    case 1: {
+
+      auto X = TPC.TORC4.Get(Rand.Rand());
+      if ((X.A >> 16) == 0 && (X.B >> 16) == 0 && Rand.RandBool())
+        DE = MakeDictionaryEntryFromCMP((uint16_t)X.A, (uint16_t)X.B, Data,
+                                        Size);
+      else
+        DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
+
+    } break;
+
+    case 2: {
+
+      auto X = TPC.TORCW.Get(Rand.Rand());
+      DE = MakeDictionaryEntryFromCMP(X.A, X.B, Data, Size);
+
+    } break;
+
+    case 3:
+      if (Options.UseMemmem) {
+
+        auto X = TPC.MMT.Get(Rand.Rand());
+        DE = DictionaryEntry(X);
+
+      }
+
+      break;
+    default:
+      assert(0);
+
+  }
+
+  if (!DE.GetW().size()) return 0;
+  Size = ApplyDictionaryEntry(Data, Size, MaxSize, DE);
+  if (!Size) return 0;
+  DictionaryEntry &DERef =
+      CmpDictionaryEntriesDeque[CmpDictionaryEntriesDequeIdx++ %
+                                kCmpDictionaryEntriesDequeSize];
+  DERef = DE;
+  CurrentDictionaryEntrySequence.push_back(&DERef);
+  return Size;
+
+}
+
+size_t MutationDispatcher::Mutate_AddWordFromPersistentAutoDictionary(
+    uint8_t *Data, size_t Size, size_t MaxSize) {
+
+  return AddWordFromDictionary(PersistentAutoDictionary, Data, Size, MaxSize);
+
+}
+
+size_t MutationDispatcher::AddWordFromDictionary(Dictionary &D, uint8_t *Data,
+                                                 size_t Size, size_t MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  if (D.empty()) return 0;
+  DictionaryEntry &DE = D[Rand(D.size())];
+  Size = ApplyDictionaryEntry(Data, Size, MaxSize, DE);
+  if (!Size) return 0;
+  DE.IncUseCount();
+  CurrentDictionaryEntrySequence.push_back(&DE);
+  return Size;
+
+}
+
+// Overwrites part of To[0,ToSize) with a part of From[0,FromSize).
+// Returns ToSize.
+size_t MutationDispatcher::CopyPartOf(const uint8_t *From, size_t FromSize,
+                                      uint8_t *To, size_t ToSize) {
+
+  // Copy From[FromBeg, FromBeg + CopySize) into To[ToBeg, ToBeg + CopySize).
+  size_t ToBeg = Rand(ToSize);
+  size_t CopySize = Rand(ToSize - ToBeg) + 1;
+  assert(ToBeg + CopySize <= ToSize);
+  CopySize = std::min(CopySize, FromSize);
+  size_t FromBeg = Rand(FromSize - CopySize + 1);
+  assert(FromBeg + CopySize <= FromSize);
+  memmove(To + ToBeg, From + FromBeg, CopySize);
+  return ToSize;
+
+}
+
+// Inserts part of From[0,ToSize) into To.
+// Returns new size of To on success or 0 on failure.
+size_t MutationDispatcher::InsertPartOf(const uint8_t *From, size_t FromSize,
+                                        uint8_t *To, size_t ToSize,
+                                        size_t MaxToSize) {
+
+  if (ToSize >= MaxToSize) return 0;
+  size_t AvailableSpace = MaxToSize - ToSize;
+  size_t MaxCopySize = std::min(AvailableSpace, FromSize);
+  size_t CopySize = Rand(MaxCopySize) + 1;
+  size_t FromBeg = Rand(FromSize - CopySize + 1);
+  assert(FromBeg + CopySize <= FromSize);
+  size_t ToInsertPos = Rand(ToSize + 1);
+  assert(ToInsertPos + CopySize <= MaxToSize);
+  size_t TailSize = ToSize - ToInsertPos;
+  if (To == From) {
+
+    MutateInPlaceHere.resize(MaxToSize);
+    memcpy(MutateInPlaceHere.data(), From + FromBeg, CopySize);
+    memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
+    memmove(To + ToInsertPos, MutateInPlaceHere.data(), CopySize);
+
+  } else {
+
+    memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
+    memmove(To + ToInsertPos, From + FromBeg, CopySize);
+
+  }
+
+  return ToSize + CopySize;
+
+}
+
+size_t MutationDispatcher::Mutate_CopyPart(uint8_t *Data, size_t Size,
+                                           size_t MaxSize) {
+
+  if (Size > MaxSize || Size == 0) return 0;
+  // If Size == MaxSize, `InsertPartOf(...)` will
+  // fail so there's no point using it in this case.
+  if (Size == MaxSize || Rand.RandBool())
+    return CopyPartOf(Data, Size, Data, Size);
+  else
+    return InsertPartOf(Data, Size, Data, Size, MaxSize);
+
+}
+
+size_t MutationDispatcher::Mutate_ChangeASCIIInteger(uint8_t *Data, size_t Size,
+                                                     size_t MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  size_t B = Rand(Size);
+  while (B < Size && !isdigit(Data[B]))
+    B++;
+  if (B == Size) return 0;
+  size_t E = B;
+  while (E < Size && isdigit(Data[E]))
+    E++;
+  assert(B < E);
+  // now we have digits in [B, E).
+  // strtol and friends don't accept non-zero-teminated data, parse it manually.
+  uint64_t Val = Data[B] - '0';
+  for (size_t i = B + 1; i < E; i++)
+    Val = Val * 10 + Data[i] - '0';
+
+  // Mutate the integer value.
+  switch (Rand(5)) {
+
+    case 0:
+      Val++;
+      break;
+    case 1:
+      Val--;
+      break;
+    case 2:
+      Val /= 2;
+      break;
+    case 3:
+      Val *= 2;
+      break;
+    case 4:
+      Val = Rand(Val * Val);
+      break;
+    default:
+      assert(0);
+
+  }
+
+  // Just replace the bytes with the new ones, don't bother moving bytes.
+  for (size_t i = B; i < E; i++) {
+
+    size_t Idx = E + B - i - 1;
+    assert(Idx >= B && Idx < E);
+    Data[Idx] = (Val % 10) + '0';
+    Val /= 10;
+
+  }
+
+  return Size;
+
+}
+
+template <class T>
+size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
+
+  if (Size < sizeof(T)) return 0;
+  size_t Off = Rand(Size - sizeof(T) + 1);
+  assert(Off + sizeof(T) <= Size);
+  T Val;
+  if (Off < 64 && !Rand(4)) {
+
+    Val = Size;
+    if (Rand.RandBool()) Val = Bswap(Val);
+
+  } else {
+
+    memcpy(&Val, Data + Off, sizeof(Val));
+    T Add = Rand(21);
+    Add -= 10;
+    if (Rand.RandBool())
+      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endiannes.
+    else
+      Val = Val + Add;                // Add assuming current endiannes.
+    if (Add == 0 || Rand.RandBool())  // Maybe negate.
+      Val = -Val;
+
+  }
+
+  memcpy(Data + Off, &Val, sizeof(Val));
+  return Size;
+
+}
+
+size_t MutationDispatcher::Mutate_ChangeBinaryInteger(uint8_t *Data,
+                                                      size_t   Size,
+                                                      size_t   MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  switch (Rand(4)) {
+
+    case 3:
+      return ChangeBinaryInteger<uint64_t>(Data, Size, Rand);
+    case 2:
+      return ChangeBinaryInteger<uint32_t>(Data, Size, Rand);
+    case 1:
+      return ChangeBinaryInteger<uint16_t>(Data, Size, Rand);
+    case 0:
+      return ChangeBinaryInteger<uint8_t>(Data, Size, Rand);
+    default:
+      assert(0);
+
+  }
+
+  return 0;
+
+}
+
+size_t MutationDispatcher::Mutate_CrossOver(uint8_t *Data, size_t Size,
+                                            size_t MaxSize) {
+
+  if (Size > MaxSize) return 0;
+  if (Size == 0) return 0;
+  if (!CrossOverWith) return 0;
+  const Unit &O = *CrossOverWith;
+  if (O.empty()) return 0;
+  size_t NewSize = 0;
+  switch (Rand(3)) {
+
+    case 0:
+      MutateInPlaceHere.resize(MaxSize);
+      NewSize = CrossOver(Data, Size, O.data(), O.size(),
+                          MutateInPlaceHere.data(), MaxSize);
+      memcpy(Data, MutateInPlaceHere.data(), NewSize);
+      break;
+    case 1:
+      NewSize = InsertPartOf(O.data(), O.size(), Data, Size, MaxSize);
+      if (!NewSize) NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
+      break;
+    case 2:
+      NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
+      break;
+    default:
+      assert(0);
+
+  }
+
+  assert(NewSize > 0 && "CrossOver returned empty unit");
+  assert(NewSize <= MaxSize && "CrossOver returned overisized unit");
+  return NewSize;
+
+}
+
+void MutationDispatcher::StartMutationSequence() {
+
+  CurrentMutatorSequence.clear();
+  CurrentDictionaryEntrySequence.clear();
+
+}
+
+// Copy successful dictionary entries to PersistentAutoDictionary.
+void MutationDispatcher::RecordSuccessfulMutationSequence() {
+
+  for (auto DE : CurrentDictionaryEntrySequence) {
+
+    // PersistentAutoDictionary.AddWithSuccessCountOne(DE);
+    DE->IncSuccessCount();
+    assert(DE->GetW().size());
+    // Linear search is fine here as this happens seldom.
+    if (!PersistentAutoDictionary.ContainsWord(DE->GetW()))
+      PersistentAutoDictionary.push_back({DE->GetW(), 1});
+
+  }
+
+}
+
+void MutationDispatcher::PrintRecommendedDictionary() {
+
+  Vector<DictionaryEntry> V;
+  for (auto &DE : PersistentAutoDictionary)
+    if (!ManualDictionary.ContainsWord(DE.GetW())) V.push_back(DE);
+  if (V.empty()) return;
+  Printf("###### Recommended dictionary. ######\n");
+  for (auto &DE : V) {
+
+    assert(DE.GetW().size());
+    Printf("\"");
+    PrintASCII(DE.GetW(), "\"");
+    Printf(" # Uses: %zd\n", DE.GetUseCount());
+
+  }
+
+  Printf("###### End of recommended dictionary. ######\n");
+
+}
+
+const char *MutationDispatcher::WriteMutationSequence() {
+
+  static std::string buf;
+  buf = "";
+
+  for (size_t i = 0; i < CurrentMutatorSequence.size(); i++) {
+  
+    buf = buf + " " + CurrentMutatorSequence[i].Name;
+  
+  }
+  
+  return buf.c_str();
+
+}
+
+void MutationDispatcher::PrintMutationSequence(bool Verbose) {
+
+  return;
+  Printf("MS: %zd ", CurrentMutatorSequence.size());
+  size_t EntriesToPrint =
+      Verbose ? CurrentMutatorSequence.size()
+              : std::min(kMaxMutationsToPrint, CurrentMutatorSequence.size());
+  for (size_t i = 0; i < EntriesToPrint; i++)
+    Printf("%s-", CurrentMutatorSequence[i].Name);
+  if (!CurrentDictionaryEntrySequence.empty()) {
+
+    Printf(" DE: ");
+    EntriesToPrint = Verbose ? CurrentDictionaryEntrySequence.size()
+                             : std::min(kMaxMutationsToPrint,
+                                        CurrentDictionaryEntrySequence.size());
+    for (size_t i = 0; i < EntriesToPrint; i++) {
+
+      Printf("\"");
+      PrintASCII(CurrentDictionaryEntrySequence[i]->GetW(), "\"-");
+
+    }
+
+  }
+
+}
+
+std::string MutationDispatcher::MutationSequence() {
+
+  std::string MS;
+  for (auto M : CurrentMutatorSequence) {
+
+    MS += M.Name;
+    MS += "-";
+
+  }
+
+  return MS;
+
+}
+
+size_t MutationDispatcher::Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
+
+  return MutateImpl(Data, Size, MaxSize, Mutators);
+
+}
+
+size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size,
+                                         size_t MaxSize) {
+
+  return MutateImpl(Data, Size, MaxSize, DefaultMutators);
+
+}
+
+// Mutates Data in place, returns new size.
+size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,
+                                      size_t           MaxSize,
+                                      Vector<Mutator> &Mutators) {
+
+  assert(MaxSize > 0);
+  // Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
+  // in which case they will return 0.
+  // Try several times before returning un-mutated data.
+  for (int Iter = 0; Iter < 100; Iter++) {
+
+    auto   M = Mutators[Rand(Mutators.size())];
+    size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize);
+    if (NewSize && NewSize <= MaxSize) {
+
+      if (Options.OnlyASCII) ToASCII(Data, NewSize);
+      CurrentMutatorSequence.push_back(M);
+      return NewSize;
+
+    }
+
+  }
+
+  *Data = ' ';
+  return 1;  // Fallback, should not happen frequently.
+
+}
+
+// Mask represents the set of Data bytes that are worth mutating.
+size_t MutationDispatcher::MutateWithMask(uint8_t *Data, size_t Size,
+                                          size_t                 MaxSize,
+                                          const Vector<uint8_t> &Mask) {
+
+  size_t MaskedSize = std::min(Size, Mask.size());
+  // * Copy the worthy bytes into a temporary array T
+  // * Mutate T
+  // * Copy T back.
+  // This is totally unoptimized.
+  auto &T = MutateWithMaskTemp;
+  if (T.size() < Size) T.resize(Size);
+  size_t OneBits = 0;
+  for (size_t I = 0; I < MaskedSize; I++)
+    if (Mask[I]) T[OneBits++] = Data[I];
+
+  if (!OneBits) return 0;
+  assert(!T.empty());
+  size_t NewSize = Mutate(T.data(), OneBits, OneBits);
+  assert(NewSize <= OneBits);
+  (void)NewSize;
+  // Even if NewSize < OneBits we still use all OneBits bytes.
+  for (size_t I = 0, J = 0; I < MaskedSize; I++)
+    if (Mask[I]) Data[I] = T[J++];
+  return Size;
+
+}
+
+void MutationDispatcher::AddWordToManualDictionary(const Word &W) {
+
+  ManualDictionary.push_back({W, std::numeric_limits<size_t>::max()});
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerMutate.h
+++ b/custom_mutators/libfuzzer/FuzzerMutate.h
@ -0,0 +1,160 @@
+//===- FuzzerMutate.h - Internal header for the Fuzzer ----------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::MutationDispatcher
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_MUTATE_H
+#define LLVM_FUZZER_MUTATE_H
+
+#include "FuzzerDefs.h"
+#include "FuzzerDictionary.h"
+#include "FuzzerOptions.h"
+#include "FuzzerRandom.h"
+
+namespace fuzzer {
+
+class MutationDispatcher {
+public:
+  MutationDispatcher(Random &Rand, const FuzzingOptions &Options);
+  ~MutationDispatcher() {}
+  /// Indicate that we are about to start a new sequence of mutations.
+  void StartMutationSequence();
+  /// Print the current sequence of mutations. Only prints the full sequence
+  /// when Verbose is true.
+  const char *WriteMutationSequence();
+  void PrintMutationSequence(bool Verbose = true);
+  /// Return the current sequence of mutations.
+  std::string MutationSequence();
+  /// Indicate that the current sequence of mutations was successful.
+  void RecordSuccessfulMutationSequence();
+  /// Mutates data by invoking user-provided mutator.
+  size_t Mutate_Custom(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by invoking user-provided crossover.
+  size_t Mutate_CustomCrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by shuffling bytes.
+  size_t Mutate_ShuffleBytes(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by erasing bytes.
+  size_t Mutate_EraseBytes(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by inserting a byte.
+  size_t Mutate_InsertByte(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by inserting several repeated bytes.
+  size_t Mutate_InsertRepeatedBytes(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by chanding one byte.
+  size_t Mutate_ChangeByte(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by chanding one bit.
+  size_t Mutate_ChangeBit(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Mutates data by copying/inserting a part of data into a different place.
+  size_t Mutate_CopyPart(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// Mutates data by adding a word from the manual dictionary.
+  size_t Mutate_AddWordFromManualDictionary(uint8_t *Data, size_t Size,
+                                            size_t MaxSize);
+
+  /// Mutates data by adding a word from the TORC.
+  size_t Mutate_AddWordFromTORC(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// Mutates data by adding a word from the persistent automatic dictionary.
+  size_t Mutate_AddWordFromPersistentAutoDictionary(uint8_t *Data, size_t Size,
+                                                    size_t MaxSize);
+
+  /// Tries to find an ASCII integer in Data, changes it to another ASCII int.
+  size_t Mutate_ChangeASCIIInteger(uint8_t *Data, size_t Size, size_t MaxSize);
+  /// Change a 1-, 2-, 4-, or 8-byte integer in interesting ways.
+  size_t Mutate_ChangeBinaryInteger(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// CrossOver Data with CrossOverWith.
+  size_t Mutate_CrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// Applies one of the configured mutations.
+  /// Returns the new size of data which could be up to MaxSize.
+  size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// Applies one of the configured mutations to the bytes of Data
+  /// that have '1' in Mask.
+  /// Mask.size() should be >= Size.
+  size_t MutateWithMask(uint8_t *Data, size_t Size, size_t MaxSize,
+                        const Vector<uint8_t> &Mask);
+
+  /// Applies one of the default mutations. Provided as a service
+  /// to mutation authors.
+  size_t DefaultMutate(uint8_t *Data, size_t Size, size_t MaxSize);
+
+  /// Creates a cross-over of two pieces of Data, returns its size.
+  size_t CrossOver(const uint8_t *Data1, size_t Size1, const uint8_t *Data2,
+                   size_t Size2, uint8_t *Out, size_t MaxOutSize);
+
+  void AddWordToManualDictionary(const Word &W);
+
+  void PrintRecommendedDictionary();
+
+  void SetCrossOverWith(const Unit *U) { CrossOverWith = U; }
+
+  Random &GetRand() { return Rand; }
+
+ private:
+  struct Mutator {
+    size_t (MutationDispatcher::*Fn)(uint8_t *Data, size_t Size, size_t Max);
+    const char *Name;
+  };
+
+  size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,
+                               size_t MaxSize);
+  size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,
+                    Vector<Mutator> &Mutators);
+
+  size_t InsertPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
+                      size_t ToSize, size_t MaxToSize);
+  size_t CopyPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
+                    size_t ToSize);
+  size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize,
+                              DictionaryEntry &DE);
+
+  template <class T>
+  DictionaryEntry MakeDictionaryEntryFromCMP(T Arg1, T Arg2,
+                                             const uint8_t *Data, size_t Size);
+  DictionaryEntry MakeDictionaryEntryFromCMP(const Word &Arg1, const Word &Arg2,
+                                             const uint8_t *Data, size_t Size);
+  DictionaryEntry MakeDictionaryEntryFromCMP(const void *Arg1, const void *Arg2,
+                                             const void *Arg1Mutation,
+                                             const void *Arg2Mutation,
+                                             size_t ArgSize,
+                                             const uint8_t *Data, size_t Size);
+
+  Random &Rand;
+  const FuzzingOptions Options;
+
+  // Dictionary provided by the user via -dict=DICT_FILE.
+  Dictionary ManualDictionary;
+  // Temporary dictionary modified by the fuzzer itself,
+  // recreated periodically.
+  Dictionary TempAutoDictionary;
+  // Persistent dictionary modified by the fuzzer, consists of
+  // entries that led to successful discoveries in the past mutations.
+  Dictionary PersistentAutoDictionary;
+
+  Vector<DictionaryEntry *> CurrentDictionaryEntrySequence;
+
+  static const size_t kCmpDictionaryEntriesDequeSize = 16;
+  DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize];
+  size_t CmpDictionaryEntriesDequeIdx = 0;
+
+  const Unit *CrossOverWith = nullptr;
+  Vector<uint8_t> MutateInPlaceHere;
+  Vector<uint8_t> MutateWithMaskTemp;
+  // CustomCrossOver needs its own buffer as a custom implementation may call
+  // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
+  Vector<uint8_t> CustomCrossOverInPlaceHere;
+
+  Vector<Mutator> Mutators;
+  Vector<Mutator> DefaultMutators;
+  Vector<Mutator> CurrentMutatorSequence;
+};
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_MUTATE_H
--- a/custom_mutators/libfuzzer/FuzzerOptions.h
+++ b/custom_mutators/libfuzzer/FuzzerOptions.h
@ -0,0 +1,90 @@
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::FuzzingOptions
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_OPTIONS_H
+#define LLVM_FUZZER_OPTIONS_H
+
+#include "FuzzerDefs.h"
+
+namespace fuzzer {
+
+struct FuzzingOptions {
+  int Verbosity = 1;
+  size_t MaxLen = 0;
+  size_t LenControl = 1000;
+  bool KeepSeed = false;
+  int UnitTimeoutSec = 300;
+  int TimeoutExitCode = 70;
+  int OOMExitCode = 71;
+  int InterruptExitCode = 72;
+  int ErrorExitCode = 77;
+  bool IgnoreTimeouts = true;
+  bool IgnoreOOMs = true;
+  bool IgnoreCrashes = false;
+  int MaxTotalTimeSec = 0;
+  int RssLimitMb = 0;
+  int MallocLimitMb = 0;
+  bool DoCrossOver = true;
+  bool CrossOverUniformDist = false;
+  int MutateDepth = 5;
+  bool ReduceDepth = false;
+  bool UseCounters = false;
+  bool UseMemmem = true;
+  bool UseCmp = false;
+  int UseValueProfile = false;
+  bool Shrink = false;
+  bool ReduceInputs = false;
+  int ReloadIntervalSec = 1;
+  bool ShuffleAtStartUp = true;
+  bool PreferSmall = true;
+  size_t MaxNumberOfRuns = -1L;
+  int ReportSlowUnits = 10;
+  bool OnlyASCII = false;
+  bool Entropic = true;
+  size_t EntropicFeatureFrequencyThreshold = 0xFF;
+  size_t EntropicNumberOfRarestFeatures = 100;
+  bool EntropicScalePerExecTime = false;
+  std::string OutputCorpus;
+  std::string ArtifactPrefix = "./";
+  std::string ExactArtifactPath;
+  std::string ExitOnSrcPos;
+  std::string ExitOnItem;
+  std::string FocusFunction;
+  std::string DataFlowTrace;
+  std::string CollectDataFlow;
+  std::string FeaturesDir;
+  std::string MutationGraphFile;
+  std::string StopFile;
+  bool SaveArtifacts = true;
+  bool PrintNEW = true; // Print a status line when new units are found;
+  bool PrintNewCovPcs = false;
+  int PrintNewCovFuncs = 0;
+  bool PrintFinalStats = false;
+  bool PrintCorpusStats = false;
+  bool PrintCoverage = false;
+  bool DumpCoverage = false;
+  bool DetectLeaks = true;
+  int PurgeAllocatorIntervalSec = 1;
+  int  TraceMalloc = 0;
+  bool HandleAbrt = false;
+  bool HandleAlrm = false;
+  bool HandleBus = false;
+  bool HandleFpe = false;
+  bool HandleIll = false;
+  bool HandleInt = false;
+  bool HandleSegv = false;
+  bool HandleTerm = false;
+  bool HandleXfsz = false;
+  bool HandleUsr1 = false;
+  bool HandleUsr2 = false;
+};
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_OPTIONS_H
--- a/custom_mutators/libfuzzer/FuzzerPlatform.h
+++ b/custom_mutators/libfuzzer/FuzzerPlatform.h
@ -0,0 +1,163 @@
+//===-- FuzzerPlatform.h --------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Common platform macros.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_PLATFORM_H
+#define LLVM_FUZZER_PLATFORM_H
+
+// Platform detection.
+#ifdef __linux__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 1
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __APPLE__
+#define LIBFUZZER_APPLE 1
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __NetBSD__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 1
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __FreeBSD__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 1
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __OpenBSD__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 1
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif _WIN32
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 1
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __Fuchsia__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 1
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 0
+#elif __EMSCRIPTEN__
+#define LIBFUZZER_APPLE 0
+#define LIBFUZZER_FUCHSIA 0
+#define LIBFUZZER_LINUX 0
+#define LIBFUZZER_NETBSD 0
+#define LIBFUZZER_FREEBSD 0
+#define LIBFUZZER_OPENBSD 0
+#define LIBFUZZER_WINDOWS 0
+#define LIBFUZZER_EMSCRIPTEN 1
+#else
+#error "Support for your platform has not been implemented"
+#endif
+
+#if defined(_MSC_VER) && !defined(__clang__)
+// MSVC compiler is being used.
+#define LIBFUZZER_MSVC 1
+#else
+#define LIBFUZZER_MSVC 0
+#endif
+
+#ifndef __has_attribute
+#define __has_attribute(x) 0
+#endif
+
+#define LIBFUZZER_POSIX                                                        \
+  (LIBFUZZER_APPLE || LIBFUZZER_LINUX || LIBFUZZER_NETBSD ||                   \
+   LIBFUZZER_FREEBSD || LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN)
+
+#ifdef __x86_64
+#if __has_attribute(target)
+#define ATTRIBUTE_TARGET_POPCNT __attribute__((target("popcnt")))
+#else
+#define ATTRIBUTE_TARGET_POPCNT
+#endif
+#else
+#define ATTRIBUTE_TARGET_POPCNT
+#endif
+
+#ifdef __clang__ // avoid gcc warning.
+#if __has_attribute(no_sanitize)
+#define ATTRIBUTE_NO_SANITIZE_MEMORY __attribute__((no_sanitize("memory")))
+#else
+#define ATTRIBUTE_NO_SANITIZE_MEMORY
+#endif
+#define ALWAYS_INLINE __attribute__((always_inline))
+#else
+#define ATTRIBUTE_NO_SANITIZE_MEMORY
+#define ALWAYS_INLINE
+#endif // __clang__
+
+#if LIBFUZZER_WINDOWS
+#define ATTRIBUTE_NO_SANITIZE_ADDRESS
+#else
+#define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
+#endif
+
+#if LIBFUZZER_WINDOWS
+#define ATTRIBUTE_ALIGNED(X) __declspec(align(X))
+#define ATTRIBUTE_INTERFACE __declspec(dllexport)
+// This is used for __sancov_lowest_stack which is needed for
+// -fsanitize-coverage=stack-depth. That feature is not yet available on
+// Windows, so make the symbol static to avoid linking errors.
+#define ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC static
+#define ATTRIBUTE_NOINLINE __declspec(noinline)
+#else
+#define ATTRIBUTE_ALIGNED(X) __attribute__((aligned(X)))
+#define ATTRIBUTE_INTERFACE __attribute__((visibility("default")))
+#define ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC                                  \
+  ATTRIBUTE_INTERFACE __attribute__((tls_model("initial-exec"))) thread_local
+
+#define ATTRIBUTE_NOINLINE __attribute__((noinline))
+#endif
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ADDRESS
+#elif __has_feature(memory_sanitizer)
+#define ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_MEMORY
+#else
+#define ATTRIBUTE_NO_SANITIZE_ALL
+#endif
+#else
+#define ATTRIBUTE_NO_SANITIZE_ALL
+#endif
+
+#endif // LLVM_FUZZER_PLATFORM_H
--- a/custom_mutators/libfuzzer/FuzzerRandom.h
+++ b/custom_mutators/libfuzzer/FuzzerRandom.h
@ -0,0 +1,38 @@
+//===- FuzzerRandom.h - Internal header for the Fuzzer ----------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::Random
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_RANDOM_H
+#define LLVM_FUZZER_RANDOM_H
+
+#include <random>
+
+namespace fuzzer {
+class Random : public std::minstd_rand {
+ public:
+  explicit Random(unsigned int seed) : std::minstd_rand(seed) {}
+  result_type operator()() { return this->std::minstd_rand::operator()(); }
+  size_t Rand() { return this->operator()(); }
+  size_t RandBool() { return Rand() % 2; }
+  size_t SkewTowardsLast(size_t n) {
+    size_t T = this->operator()(n * n);
+    size_t Res = sqrt(T);
+    return Res;
+  }
+  size_t operator()(size_t n) { return n ? Rand() % n : 0; }
+  intptr_t operator()(intptr_t From, intptr_t To) {
+    assert(From < To);
+    intptr_t RangeSize = To - From + 1;
+    return operator()(RangeSize) + From;
+  }
+};
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_RANDOM_H
--- a/custom_mutators/libfuzzer/FuzzerSHA1.cpp
+++ b/custom_mutators/libfuzzer/FuzzerSHA1.cpp
@ -0,0 +1,269 @@
+//===- FuzzerSHA1.h - Private copy of the SHA1 implementation ---*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// This code is taken from public domain
+// (http://oauth.googlecode.com/svn/code/c/liboauth/src/sha1.c)
+// and modified by adding anonymous namespace, adding an interface
+// function fuzzer::ComputeSHA1() and removing unnecessary code.
+//
+// lib/Fuzzer can not use SHA1 implementation from openssl because
+// openssl may not be available and because we may be fuzzing openssl itself.
+// For the same reason we do not want to depend on SHA1 from LLVM tree.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerSHA1.h"
+#include "FuzzerDefs.h"
+#include "FuzzerPlatform.h"
+
+/* This code is public-domain - it is based on libcrypt
+ * placed in the public domain by Wei Dai and other contributors.
+ */
+
+#include <iomanip>
+#include <sstream>
+#include <stdint.h>
+#include <string.h>
+
+namespace {  // Added for LibFuzzer
+
+#ifdef __BIG_ENDIAN__
+  #define SHA_BIG_ENDIAN
+// Windows is always little endian and MSVC doesn't have <endian.h>
+#elif defined __LITTLE_ENDIAN__ || LIBFUZZER_WINDOWS
+/* override */
+#elif defined __BYTE_ORDER
+  #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+    #define SHA_BIG_ENDIAN
+  #endif
+#else                  // ! defined __LITTLE_ENDIAN__
+  #include <endian.h>  // machine/endian.h
+  #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+    #define SHA_BIG_ENDIAN
+  #endif
+#endif
+
+/* header */
+
+#define HASH_LENGTH 20
+#define BLOCK_LENGTH 64
+
+typedef struct sha1nfo {
+
+  uint32_t buffer[BLOCK_LENGTH / 4];
+  uint32_t state[HASH_LENGTH / 4];
+  uint32_t byteCount;
+  uint8_t  bufferOffset;
+  uint8_t  keyBuffer[BLOCK_LENGTH];
+  uint8_t  innerHash[HASH_LENGTH];
+
+} sha1nfo;
+
+/* public API - prototypes - TODO: doxygen*/
+
+/**
+ */
+void sha1_init(sha1nfo *s);
+/**
+ */
+void sha1_writebyte(sha1nfo *s, uint8_t data);
+/**
+ */
+void sha1_write(sha1nfo *s, const char *data, size_t len);
+/**
+ */
+uint8_t *sha1_result(sha1nfo *s);
+
+/* code */
+#define SHA1_K0 0x5a827999
+#define SHA1_K20 0x6ed9eba1
+#define SHA1_K40 0x8f1bbcdc
+#define SHA1_K60 0xca62c1d6
+
+void sha1_init(sha1nfo *s) {
+
+  s->state[0] = 0x67452301;
+  s->state[1] = 0xefcdab89;
+  s->state[2] = 0x98badcfe;
+  s->state[3] = 0x10325476;
+  s->state[4] = 0xc3d2e1f0;
+  s->byteCount = 0;
+  s->bufferOffset = 0;
+
+}
+
+uint32_t sha1_rol32(uint32_t number, uint8_t bits) {
+
+  return ((number << bits) | (number >> (32 - bits)));
+
+}
+
+void sha1_hashBlock(sha1nfo *s) {
+
+  uint8_t  i;
+  uint32_t a, b, c, d, e, t;
+
+  a = s->state[0];
+  b = s->state[1];
+  c = s->state[2];
+  d = s->state[3];
+  e = s->state[4];
+  for (i = 0; i < 80; i++) {
+
+    if (i >= 16) {
+
+      t = s->buffer[(i + 13) & 15] ^ s->buffer[(i + 8) & 15] ^
+          s->buffer[(i + 2) & 15] ^ s->buffer[i & 15];
+      s->buffer[i & 15] = sha1_rol32(t, 1);
+
+    }
+
+    if (i < 20) {
+
+      t = (d ^ (b & (c ^ d))) + SHA1_K0;
+
+    } else if (i < 40) {
+
+      t = (b ^ c ^ d) + SHA1_K20;
+
+    } else if (i < 60) {
+
+      t = ((b & c) | (d & (b | c))) + SHA1_K40;
+
+    } else {
+
+      t = (b ^ c ^ d) + SHA1_K60;
+
+    }
+
+    t += sha1_rol32(a, 5) + e + s->buffer[i & 15];
+    e = d;
+    d = c;
+    c = sha1_rol32(b, 30);
+    b = a;
+    a = t;
+
+  }
+
+  s->state[0] += a;
+  s->state[1] += b;
+  s->state[2] += c;
+  s->state[3] += d;
+  s->state[4] += e;
+
+}
+
+void sha1_addUncounted(sha1nfo *s, uint8_t data) {
+
+  uint8_t *const b = (uint8_t *)s->buffer;
+#ifdef SHA_BIG_ENDIAN
+  b[s->bufferOffset] = data;
+#else
+  b[s->bufferOffset ^ 3] = data;
+#endif
+  s->bufferOffset++;
+  if (s->bufferOffset == BLOCK_LENGTH) {
+
+    sha1_hashBlock(s);
+    s->bufferOffset = 0;
+
+  }
+
+}
+
+void sha1_writebyte(sha1nfo *s, uint8_t data) {
+
+  ++s->byteCount;
+  sha1_addUncounted(s, data);
+
+}
+
+void sha1_write(sha1nfo *s, const char *data, size_t len) {
+
+  for (; len--;)
+    sha1_writebyte(s, (uint8_t)*data++);
+
+}
+
+void sha1_pad(sha1nfo *s) {
+
+  // Implement SHA-1 padding (fips180-2 §5.1.1)
+
+  // Pad with 0x80 followed by 0x00 until the end of the block
+  sha1_addUncounted(s, 0x80);
+  while (s->bufferOffset != 56)
+    sha1_addUncounted(s, 0x00);
+
+  // Append length in the last 8 bytes
+  sha1_addUncounted(s, 0);  // We're only using 32 bit lengths
+  sha1_addUncounted(s, 0);  // But SHA-1 supports 64 bit lengths
+  sha1_addUncounted(s, 0);  // So zero pad the top bits
+  sha1_addUncounted(s, s->byteCount >> 29);  // Shifting to multiply by 8
+  sha1_addUncounted(
+      s, s->byteCount >> 21);  // as SHA-1 supports bitstreams as well as
+  sha1_addUncounted(s, s->byteCount >> 13);  // byte.
+  sha1_addUncounted(s, s->byteCount >> 5);
+  sha1_addUncounted(s, s->byteCount << 3);
+
+}
+
+uint8_t *sha1_result(sha1nfo *s) {
+
+  // Pad to complete the last block
+  sha1_pad(s);
+
+#ifndef SHA_BIG_ENDIAN
+  // Swap byte order back
+  int i;
+  for (i = 0; i < 5; i++) {
+
+    s->state[i] = (((s->state[i]) << 24) & 0xff000000) |
+                  (((s->state[i]) << 8) & 0x00ff0000) |
+                  (((s->state[i]) >> 8) & 0x0000ff00) |
+                  (((s->state[i]) >> 24) & 0x000000ff);
+
+  }
+
+#endif
+
+  // Return pointer to hash (20 characters)
+  return (uint8_t *)s->state;
+
+}
+
+}  // namespace
+
+namespace fuzzer {
+
+// The rest is added for LibFuzzer
+void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out) {
+
+  sha1nfo s;
+  sha1_init(&s);
+  sha1_write(&s, (const char *)Data, Len);
+  memcpy(Out, sha1_result(&s), HASH_LENGTH);
+
+}
+
+std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]) {
+
+  std::stringstream SS;
+  for (int i = 0; i < kSHA1NumBytes; i++)
+    SS << std::hex << std::setfill('0') << std::setw(2) << (unsigned)Sha1[i];
+  return SS.str();
+
+}
+
+std::string Hash(const Unit &U) {
+
+  uint8_t Hash[kSHA1NumBytes];
+  ComputeSHA1(U.data(), U.size(), Hash);
+  return Sha1ToString(Hash);
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerSHA1.h
+++ b/custom_mutators/libfuzzer/FuzzerSHA1.h
@ -0,0 +1,32 @@
+//===- FuzzerSHA1.h - Internal header for the SHA1 utils --------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// SHA1 utils.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_SHA1_H
+#define LLVM_FUZZER_SHA1_H
+
+#include "FuzzerDefs.h"
+#include <cstddef>
+#include <stdint.h>
+
+namespace fuzzer {
+
+// Private copy of SHA1 implementation.
+static const int kSHA1NumBytes = 20;
+
+// Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
+void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
+
+std::string Sha1ToString(const uint8_t Sha1[kSHA1NumBytes]);
+
+std::string Hash(const Unit &U);
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_SHA1_H
--- a/custom_mutators/libfuzzer/FuzzerTracePC.cpp
+++ b/custom_mutators/libfuzzer/FuzzerTracePC.cpp
@ -0,0 +1,819 @@
+//===- FuzzerTracePC.cpp - PC tracing--------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Trace PCs.
+// This module implements __sanitizer_cov_trace_pc_guard[_init],
+// the callback required for -fsanitize-coverage=trace-pc-guard instrumentation.
+//
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerTracePC.h"
+#include "FuzzerBuiltins.h"
+#include "FuzzerBuiltinsMsvc.h"
+#include "FuzzerCorpus.h"
+#include "FuzzerDefs.h"
+#include "FuzzerDictionary.h"
+#include "FuzzerExtFunctions.h"
+#include "FuzzerIO.h"
+#include "FuzzerPlatform.h"
+#include "FuzzerUtil.h"
+#include "FuzzerValueBitMap.h"
+#include <set>
+
+// Used by -fsanitize-coverage=stack-depth to track stack depth
+ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
+
+namespace fuzzer {
+
+TracePC TPC;
+
+size_t TracePC::GetTotalPCCoverage() {
+
+  return ObservedPCs.size();
+
+}
+
+void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) {
+
+  if (Start == Stop) return;
+  if (NumModules && Modules[NumModules - 1].Start() == Start) return;
+  assert(NumModules < sizeof(Modules) / sizeof(Modules[0]));
+  auto &   M = Modules[NumModules++];
+  uint8_t *AlignedStart = RoundUpByPage(Start);
+  uint8_t *AlignedStop = RoundDownByPage(Stop);
+  size_t   NumFullPages = AlignedStop > AlignedStart
+                            ? (AlignedStop - AlignedStart) / PageSize()
+                            : 0;
+  bool NeedFirst = Start < AlignedStart || !NumFullPages;
+  bool NeedLast = Stop > AlignedStop && AlignedStop >= AlignedStart;
+  M.NumRegions = NumFullPages + NeedFirst + NeedLast;
+  ;
+  assert(M.NumRegions > 0);
+  M.Regions = new Module::Region[M.NumRegions];
+  assert(M.Regions);
+  size_t R = 0;
+  if (NeedFirst)
+    M.Regions[R++] = {Start, std::min(Stop, AlignedStart), true, false};
+  for (uint8_t *P = AlignedStart; P < AlignedStop; P += PageSize())
+    M.Regions[R++] = {P, P + PageSize(), true, true};
+  if (NeedLast) M.Regions[R++] = {AlignedStop, Stop, true, false};
+  assert(R == M.NumRegions);
+  assert(M.Size() == (size_t)(Stop - Start));
+  assert(M.Stop() == Stop);
+  assert(M.Start() == Start);
+  NumInline8bitCounters += M.Size();
+
+}
+
+void TracePC::HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop) {
+
+  const PCTableEntry *B = reinterpret_cast<const PCTableEntry *>(Start);
+  const PCTableEntry *E = reinterpret_cast<const PCTableEntry *>(Stop);
+  if (NumPCTables && ModulePCTable[NumPCTables - 1].Start == B) return;
+  assert(NumPCTables < sizeof(ModulePCTable) / sizeof(ModulePCTable[0]));
+  ModulePCTable[NumPCTables++] = {B, E};
+  NumPCsInPCTables += E - B;
+
+}
+
+void TracePC::PrintModuleInfo() {
+
+  if (NumModules) {
+
+    Printf("INFO: Loaded %zd modules   (%zd inline 8-bit counters): ",
+           NumModules, NumInline8bitCounters);
+    for (size_t i = 0; i < NumModules; i++)
+      Printf("%zd [%p, %p), ", Modules[i].Size(), Modules[i].Start(),
+             Modules[i].Stop());
+    Printf("\n");
+
+  }
+
+  if (NumPCTables) {
+
+    Printf("INFO: Loaded %zd PC tables (%zd PCs): ", NumPCTables,
+           NumPCsInPCTables);
+    for (size_t i = 0; i < NumPCTables; i++) {
+
+      Printf("%zd [%p,%p), ", ModulePCTable[i].Stop - ModulePCTable[i].Start,
+             ModulePCTable[i].Start, ModulePCTable[i].Stop);
+
+    }
+
+    Printf("\n");
+
+    if (NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables) {
+
+      Printf(
+          "ERROR: The size of coverage PC tables does not match the\n"
+          "number of instrumented PCs. This might be a compiler bug,\n"
+          "please contact the libFuzzer developers.\n"
+          "Also check https://bugs.llvm.org/show_bug.cgi?id=34636\n"
+          "for possible workarounds (tl;dr: don't use the old GNU ld)\n");
+      _Exit(1);
+
+    }
+
+  }
+
+  if (size_t NumExtraCounters = ExtraCountersEnd() - ExtraCountersBegin())
+    Printf("INFO: %zd Extra Counters\n", NumExtraCounters);
+
+}
+
+ATTRIBUTE_NO_SANITIZE_ALL
+void TracePC::HandleCallerCallee(uintptr_t Caller, uintptr_t Callee) {
+
+  const uintptr_t kBits = 12;
+  const uintptr_t kMask = (1 << kBits) - 1;
+  uintptr_t       Idx = (Caller & kMask) | ((Callee & kMask) << kBits);
+  ValueProfileMap.AddValueModPrime(Idx);
+
+}
+
+/// \return the address of the previous instruction.
+/// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.h`
+inline ALWAYS_INLINE uintptr_t GetPreviousInstructionPc(uintptr_t PC) {
+
+#if defined(__arm__)
+  // T32 (Thumb) branch instructions might be 16 or 32 bit long,
+  // so we return (pc-2) in that case in order to be safe.
+  // For A32 mode we return (pc-4) because all instructions are 32 bit long.
+  return (PC - 3) & (~1);
+#elif defined(__powerpc__) || defined(__powerpc64__) || defined(__aarch64__)
+  // PCs are always 4 byte aligned.
+  return PC - 4;
+#elif defined(__sparc__) || defined(__mips__)
+  return PC - 8;
+#else
+  return PC - 1;
+#endif
+
+}
+
+/// \return the address of the next instruction.
+/// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.cpp`
+ALWAYS_INLINE uintptr_t TracePC::GetNextInstructionPc(uintptr_t PC) {
+
+#if defined(__mips__)
+  return PC + 8;
+#elif defined(__powerpc__) || defined(__sparc__) || defined(__arm__) || \
+    defined(__aarch64__)
+  return PC + 4;
+#else
+  return PC + 1;
+#endif
+
+}
+
+void TracePC::UpdateObservedPCs() {
+
+  Vector<uintptr_t> CoveredFuncs;
+  auto              ObservePC = [&](const PCTableEntry *TE) {
+
+    if (ObservedPCs.insert(TE).second && DoPrintNewPCs) {
+
+      PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p",
+              GetNextInstructionPc(TE->PC));
+      Printf("\n");
+
+    }
+
+  };
+
+  auto Observe = [&](const PCTableEntry *TE) {
+
+    if (PcIsFuncEntry(TE))
+      if (++ObservedFuncs[TE->PC] == 1 && NumPrintNewFuncs)
+        CoveredFuncs.push_back(TE->PC);
+    ObservePC(TE);
+
+  };
+
+  if (NumPCsInPCTables) {
+
+    if (NumInline8bitCounters == NumPCsInPCTables) {
+
+      for (size_t i = 0; i < NumModules; i++) {
+
+        auto &M = Modules[i];
+        assert(M.Size() ==
+               (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
+        for (size_t r = 0; r < M.NumRegions; r++) {
+
+          auto &R = M.Regions[r];
+          if (!R.Enabled) continue;
+          for (uint8_t *P = R.Start; P < R.Stop; P++)
+            if (*P) Observe(&ModulePCTable[i].Start[M.Idx(P)]);
+
+        }
+
+      }
+
+    }
+
+  }
+
+  for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N;
+       i++) {
+
+    Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size());
+    PrintPC("%p %F %L", "%p", GetNextInstructionPc(CoveredFuncs[i]));
+    Printf("\n");
+
+  }
+
+}
+
+uintptr_t TracePC::PCTableEntryIdx(const PCTableEntry *TE) {
+
+  size_t TotalTEs = 0;
+  for (size_t i = 0; i < NumPCTables; i++) {
+
+    auto &M = ModulePCTable[i];
+    if (TE >= M.Start && TE < M.Stop) return TotalTEs + TE - M.Start;
+    TotalTEs += M.Stop - M.Start;
+
+  }
+
+  assert(0);
+  return 0;
+
+}
+
+const TracePC::PCTableEntry *TracePC::PCTableEntryByIdx(uintptr_t Idx) {
+
+  for (size_t i = 0; i < NumPCTables; i++) {
+
+    auto & M = ModulePCTable[i];
+    size_t Size = M.Stop - M.Start;
+    if (Idx < Size) return &M.Start[Idx];
+    Idx -= Size;
+
+  }
+
+  return nullptr;
+
+}
+
+static std::string GetModuleName(uintptr_t PC) {
+
+  char  ModulePathRaw[4096] = "";  // What's PATH_MAX in portable C++?
+  void *OffsetRaw = nullptr;
+  if (!EF->__sanitizer_get_module_and_offset_for_pc(
+          reinterpret_cast<void *>(PC), ModulePathRaw, sizeof(ModulePathRaw),
+          &OffsetRaw))
+    return "";
+  return ModulePathRaw;
+
+}
+
+template <class CallBack>
+void TracePC::IterateCoveredFunctions(CallBack CB) {
+
+  for (size_t i = 0; i < NumPCTables; i++) {
+
+    auto &M = ModulePCTable[i];
+    assert(M.Start < M.Stop);
+    auto ModuleName = GetModuleName(M.Start->PC);
+    for (auto NextFE = M.Start; NextFE < M.Stop;) {
+
+      auto FE = NextFE;
+      assert(PcIsFuncEntry(FE) && "Not a function entry point");
+      do {
+
+        NextFE++;
+
+      } while (NextFE < M.Stop && !(PcIsFuncEntry(NextFE)));
+
+      CB(FE, NextFE, ObservedFuncs[FE->PC]);
+
+    }
+
+  }
+
+}
+
+void TracePC::SetFocusFunction(const std::string &FuncName) {
+
+  // This function should be called once.
+  assert(!FocusFunctionCounterPtr);
+  // "auto" is not a valid function name. If this function is called with "auto"
+  // that means the auto focus functionality failed.
+  if (FuncName.empty() || FuncName == "auto") return;
+  for (size_t M = 0; M < NumModules; M++) {
+
+    auto & PCTE = ModulePCTable[M];
+    size_t N = PCTE.Stop - PCTE.Start;
+    for (size_t I = 0; I < N; I++) {
+
+      if (!(PcIsFuncEntry(&PCTE.Start[I]))) continue;  // not a function entry.
+      auto Name = DescribePC("%F", GetNextInstructionPc(PCTE.Start[I].PC));
+      if (Name[0] == 'i' && Name[1] == 'n' && Name[2] == ' ')
+        Name = Name.substr(3, std::string::npos);
+      if (FuncName != Name) continue;
+      Printf("INFO: Focus function is set to '%s'\n", Name.c_str());
+      FocusFunctionCounterPtr = Modules[M].Start() + I;
+      return;
+
+    }
+
+  }
+
+  Printf(
+      "ERROR: Failed to set focus function. Make sure the function name is "
+      "valid (%s) and symbolization is enabled.\n",
+      FuncName.c_str());
+  exit(1);
+
+}
+
+bool TracePC::ObservedFocusFunction() {
+
+  return FocusFunctionCounterPtr && *FocusFunctionCounterPtr;
+
+}
+
+void TracePC::PrintCoverage() {
+
+  if (!EF->__sanitizer_symbolize_pc ||
+      !EF->__sanitizer_get_module_and_offset_for_pc) {
+
+    Printf(
+        "INFO: __sanitizer_symbolize_pc or "
+        "__sanitizer_get_module_and_offset_for_pc is not available,"
+        " not printing coverage\n");
+    return;
+
+  }
+
+  Printf("COVERAGE:\n");
+  auto CoveredFunctionCallback = [&](const PCTableEntry *First,
+                                     const PCTableEntry *Last,
+                                     uintptr_t           Counter) {
+
+    assert(First < Last);
+    auto        VisualizePC = GetNextInstructionPc(First->PC);
+    std::string FileStr = DescribePC("%s", VisualizePC);
+    if (!IsInterestingCoverageFile(FileStr)) return;
+    std::string FunctionStr = DescribePC("%F", VisualizePC);
+    if (FunctionStr.find("in ") == 0) FunctionStr = FunctionStr.substr(3);
+    std::string       LineStr = DescribePC("%l", VisualizePC);
+    size_t            NumEdges = Last - First;
+    Vector<uintptr_t> UncoveredPCs;
+    for (auto TE = First; TE < Last; TE++)
+      if (!ObservedPCs.count(TE)) UncoveredPCs.push_back(TE->PC);
+    Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter);
+    Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges);
+    Printf(" %s %s:%s\n", FunctionStr.c_str(), FileStr.c_str(),
+           LineStr.c_str());
+    if (Counter)
+      for (auto PC : UncoveredPCs)
+        Printf("  UNCOVERED_PC: %s\n",
+               DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str());
+
+  };
+
+  IterateCoveredFunctions(CoveredFunctionCallback);
+
+}
+
+// Value profile.
+// We keep track of various values that affect control flow.
+// These values are inserted into a bit-set-based hash map.
+// Every new bit in the map is treated as a new coverage.
+//
+// For memcmp/strcmp/etc the interesting value is the length of the common
+// prefix of the parameters.
+// For cmp instructions the interesting value is a XOR of the parameters.
+// The interesting value is mixed up with the PC and is then added to the map.
+
+ATTRIBUTE_NO_SANITIZE_ALL
+void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
+                                size_t n, bool StopAtZero) {
+
+  if (!n) return;
+  size_t         Len = std::min(n, Word::GetMaxSize());
+  const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
+  const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
+  uint8_t        B1[Word::kMaxSize];
+  uint8_t        B2[Word::kMaxSize];
+  // Copy the data into locals in this non-msan-instrumented function
+  // to avoid msan complaining further.
+  size_t Hash = 0;  // Compute some simple hash of both strings.
+  for (size_t i = 0; i < Len; i++) {
+
+    B1[i] = A1[i];
+    B2[i] = A2[i];
+    size_t T = B1[i];
+    Hash ^= (T << 8) | B2[i];
+
+  }
+
+  size_t  I = 0;
+  uint8_t HammingDistance = 0;
+  for (; I < Len; I++) {
+
+    if (B1[I] != B2[I] || (StopAtZero && B1[I] == 0)) {
+
+      HammingDistance = Popcountll(B1[I] ^ B2[I]);
+      break;
+
+    }
+
+  }
+
+  size_t PC = reinterpret_cast<size_t>(caller_pc);
+  size_t Idx = (PC & 4095) | (I << 12);
+  Idx += HammingDistance;
+  ValueProfileMap.AddValue(Idx);
+  TORCW.Insert(Idx ^ Hash, Word(B1, Len), Word(B2, Len));
+
+}
+
+template <class T>
+ATTRIBUTE_TARGET_POPCNT ALWAYS_INLINE ATTRIBUTE_NO_SANITIZE_ALL void
+TracePC::HandleCmp(uintptr_t PC, T Arg1, T Arg2) {
+
+  uint64_t ArgXor = Arg1 ^ Arg2;
+  if (sizeof(T) == 4)
+    TORC4.Insert(ArgXor, Arg1, Arg2);
+  else if (sizeof(T) == 8)
+    TORC8.Insert(ArgXor, Arg1, Arg2);
+  uint64_t HammingDistance = Popcountll(ArgXor);  // [0,64]
+  uint64_t AbsoluteDistance = (Arg1 == Arg2 ? 0 : Clzll(Arg1 - Arg2) + 1);
+  ValueProfileMap.AddValue(PC * 128 + HammingDistance);
+  ValueProfileMap.AddValue(PC * 128 + 64 + AbsoluteDistance);
+
+}
+
+static size_t InternalStrnlen(const char *S, size_t MaxLen) {
+
+  size_t Len = 0;
+  for (; Len < MaxLen && S[Len]; Len++) {}
+  return Len;
+
+}
+
+// Finds min of (strlen(S1), strlen(S2)).
+// Needed bacause one of these strings may actually be non-zero terminated.
+static size_t InternalStrnlen2(const char *S1, const char *S2) {
+
+  size_t Len = 0;
+  for (; S1[Len] && S2[Len]; Len++) {}
+  return Len;
+
+}
+
+void TracePC::ClearInlineCounters() {
+
+  IterateCounterRegions([](const Module::Region &R) {
+
+    if (R.Enabled) memset(R.Start, 0, R.Stop - R.Start);
+
+  });
+
+}
+
+ATTRIBUTE_NO_SANITIZE_ALL
+void TracePC::RecordInitialStack() {
+
+  int stack;
+  __sancov_lowest_stack = InitialStack = reinterpret_cast<uintptr_t>(&stack);
+
+}
+
+uintptr_t TracePC::GetMaxStackOffset() const {
+
+  return InitialStack - __sancov_lowest_stack;  // Stack grows down
+
+}
+
+void WarnAboutDeprecatedInstrumentation(const char *flag) {
+
+  // Use RawPrint because Printf cannot be used on Windows before OutputFile is
+  // initialized.
+  RawPrint(flag);
+  RawPrint(
+      " is no longer supported by libFuzzer.\n"
+      "Please either migrate to a compiler that supports -fsanitize=fuzzer\n"
+      "or use an older version of libFuzzer\n");
+  exit(1);
+
+}
+
+}  // namespace fuzzer
+
+extern "C" {
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) {
+
+  fuzzer::WarnAboutDeprecatedInstrumentation(
+      "-fsanitize-coverage=trace-pc-guard");
+
+}
+
+// Best-effort support for -fsanitize-coverage=trace-pc, which is available
+// in both Clang and GCC.
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+void __sanitizer_cov_trace_pc() {
+
+  fuzzer::WarnAboutDeprecatedInstrumentation("-fsanitize-coverage=trace-pc");
+
+}
+
+ATTRIBUTE_INTERFACE
+void __sanitizer_cov_trace_pc_guard_init(uint32_t *Start, uint32_t *Stop) {
+
+  fuzzer::WarnAboutDeprecatedInstrumentation(
+      "-fsanitize-coverage=trace-pc-guard");
+
+}
+
+ATTRIBUTE_INTERFACE
+void __sanitizer_cov_8bit_counters_init(uint8_t *Start, uint8_t *Stop) {
+
+  fuzzer::TPC.HandleInline8bitCountersInit(Start, Stop);
+
+}
+
+ATTRIBUTE_INTERFACE
+void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
+                              const uintptr_t *pcs_end) {
+
+  fuzzer::TPC.HandlePCsInit(pcs_beg, pcs_end);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+void __sanitizer_cov_trace_pc_indir(uintptr_t Callee) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCallerCallee(PC, Callee);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+// Now the __sanitizer_cov_trace_const_cmp[1248] callbacks just mimic
+// the behaviour of __sanitizer_cov_trace_cmp[1248] ones. This, however,
+// should be changed later to make full use of instrumentation.
+void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
+
+  uint64_t  N = Cases[0];
+  uint64_t  ValSizeInBits = Cases[1];
+  uint64_t *Vals = Cases + 2;
+  // Skip the most common and the most boring case: all switch values are small.
+  // We may want to skip this at compile-time, but it will make the
+  // instrumentation less general.
+  if (Vals[N - 1] < 256) return;
+  // Also skip small inputs values, they won't give good signal.
+  if (Val < 256) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  size_t    i;
+  uint64_t  Smaller = 0;
+  uint64_t  Larger = ~(uint64_t)0;
+  // Find two switch values such that Smaller < Val < Larger.
+  // Use 0 and 0xfff..f as the defaults.
+  for (i = 0; i < N; i++) {
+
+    if (Val < Vals[i]) {
+
+      Larger = Vals[i];
+      break;
+
+    }
+
+    if (Val > Vals[i]) Smaller = Vals[i];
+
+  }
+
+  // Apply HandleCmp to {Val,Smaller} and {Val, Larger},
+  // use i as the PC modifier for HandleCmp.
+  if (ValSizeInBits == 16) {
+
+    fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint16_t>(Val),
+                          (uint16_t)(Smaller));
+    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint16_t>(Val),
+                          (uint16_t)(Larger));
+
+  } else if (ValSizeInBits == 32) {
+
+    fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint32_t>(Val),
+                          (uint32_t)(Smaller));
+    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint32_t>(Val),
+                          (uint32_t)(Larger));
+
+  } else {
+
+    fuzzer::TPC.HandleCmp(PC + 2 * i, Val, Smaller);
+    fuzzer::TPC.HandleCmp(PC + 2 * i + 1, Val, Larger);
+
+  }
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_div4(uint32_t Val) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Val, (uint32_t)0);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_div8(uint64_t Val) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Val, (uint64_t)0);
+
+}
+
+ATTRIBUTE_INTERFACE
+ATTRIBUTE_NO_SANITIZE_ALL
+ATTRIBUTE_TARGET_POPCNT
+void __sanitizer_cov_trace_gep(uintptr_t Idx) {
+
+  uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
+  fuzzer::TPC.HandleCmp(PC, Idx, (uintptr_t)0);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
+                             size_t n, int result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  if (result == 0) return;  // No reason to mutate.
+  if (n <= 1) return;       // Not interesting.
+  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/ false);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
+                              size_t n, int result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  if (result == 0) return;  // No reason to mutate.
+  size_t Len1 = fuzzer::InternalStrnlen(s1, n);
+  size_t Len2 = fuzzer::InternalStrnlen(s2, n);
+  n = std::min(n, Len1);
+  n = std::min(n, Len2);
+  if (n <= 1) return;  // Not interesting.
+  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/ true);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1, const char *s2,
+                             int result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  if (result == 0) return;  // No reason to mutate.
+  size_t N = fuzzer::InternalStrnlen2(s1, s2);
+  if (N <= 1) return;  // Not interesting.
+  fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/ true);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
+                                  const char *s2, size_t n, int result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
+                                 const char *s2, int result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strstr(void *called_pc, const char *s1, const char *s2,
+                             char *result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
+                                 const char *s2, char *result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
+
+}
+
+ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY void
+__sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
+                             const void *s2, size_t len2, void *result) {
+
+  if (!fuzzer::RunningUserCallback) return;
+  fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), len2);
+
+}
+
+}  // extern "C"
+
--- a/custom_mutators/libfuzzer/FuzzerTracePC.h
+++ b/custom_mutators/libfuzzer/FuzzerTracePC.h
@ -0,0 +1,291 @@
+//===- FuzzerTracePC.h - Internal header for the Fuzzer ---------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// fuzzer::TracePC
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_TRACE_PC
+#define LLVM_FUZZER_TRACE_PC
+
+#include "FuzzerDefs.h"
+#include "FuzzerDictionary.h"
+#include "FuzzerValueBitMap.h"
+
+#include <set>
+#include <unordered_map>
+
+namespace fuzzer {
+
+// TableOfRecentCompares (TORC) remembers the most recently performed
+// comparisons of type T.
+// We record the arguments of CMP instructions in this table unconditionally
+// because it seems cheaper this way than to compute some expensive
+// conditions inside __sanitizer_cov_trace_cmp*.
+// After the unit has been executed we may decide to use the contents of
+// this table to populate a Dictionary.
+template<class T, size_t kSizeT>
+struct TableOfRecentCompares {
+  static const size_t kSize = kSizeT;
+  struct Pair {
+    T A, B;
+  };
+  ATTRIBUTE_NO_SANITIZE_ALL
+  void Insert(size_t Idx, const T &Arg1, const T &Arg2) {
+    Idx = Idx % kSize;
+    Table[Idx].A = Arg1;
+    Table[Idx].B = Arg2;
+  }
+
+  Pair Get(size_t I) { return Table[I % kSize]; }
+
+  Pair Table[kSize];
+};
+
+template <size_t kSizeT>
+struct MemMemTable {
+  static const size_t kSize = kSizeT;
+  Word MemMemWords[kSize];
+  Word EmptyWord;
+
+  void Add(const uint8_t *Data, size_t Size) {
+    if (Size <= 2) return;
+    Size = std::min(Size, Word::GetMaxSize());
+    size_t Idx = SimpleFastHash(Data, Size) % kSize;
+    MemMemWords[Idx].Set(Data, Size);
+  }
+  const Word &Get(size_t Idx) {
+    for (size_t i = 0; i < kSize; i++) {
+      const Word &W = MemMemWords[(Idx + i) % kSize];
+      if (W.size()) return W;
+    }
+    EmptyWord.Set(nullptr, 0);
+    return EmptyWord;
+  }
+};
+
+class TracePC {
+ public:
+  void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop);
+  void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop);
+  void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
+  template <class T> void HandleCmp(uintptr_t PC, T Arg1, T Arg2);
+  size_t GetTotalPCCoverage();
+  void SetUseCounters(bool UC) { UseCounters = UC; }
+  void SetUseValueProfileMask(uint32_t VPMask) { UseValueProfileMask = VPMask; }
+  void SetPrintNewPCs(bool P) { DoPrintNewPCs = P; }
+  void SetPrintNewFuncs(size_t P) { NumPrintNewFuncs = P; }
+  void UpdateObservedPCs();
+  template <class Callback> void CollectFeatures(Callback CB) const;
+
+  void ResetMaps() {
+    ValueProfileMap.Reset();
+    ClearExtraCounters();
+    ClearInlineCounters();
+  }
+
+  void ClearInlineCounters();
+
+  void UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize);
+  void PrintFeatureSet();
+
+  void PrintModuleInfo();
+
+  void PrintCoverage();
+
+  template<class CallBack>
+  void IterateCoveredFunctions(CallBack CB);
+
+  void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
+                         size_t n, bool StopAtZero);
+
+  TableOfRecentCompares<uint32_t, 32> TORC4;
+  TableOfRecentCompares<uint64_t, 32> TORC8;
+  TableOfRecentCompares<Word, 32> TORCW;
+  MemMemTable<1024> MMT;
+
+  void RecordInitialStack();
+  uintptr_t GetMaxStackOffset() const;
+
+  template<class CallBack>
+  void ForEachObservedPC(CallBack CB) {
+    for (auto PC : ObservedPCs)
+      CB(PC);
+  }
+
+  void SetFocusFunction(const std::string &FuncName);
+  bool ObservedFocusFunction();
+
+  struct PCTableEntry {
+    uintptr_t PC, PCFlags;
+  };
+
+  uintptr_t PCTableEntryIdx(const PCTableEntry *TE);
+  const PCTableEntry *PCTableEntryByIdx(uintptr_t Idx);
+  static uintptr_t GetNextInstructionPc(uintptr_t PC);
+  bool PcIsFuncEntry(const PCTableEntry *TE) { return TE->PCFlags & 1; }
+
+private:
+  bool UseCounters = false;
+  uint32_t UseValueProfileMask = false;
+  bool DoPrintNewPCs = false;
+  size_t NumPrintNewFuncs = 0;
+
+  // Module represents the array of 8-bit counters split into regions
+  // such that every region, except maybe the first and the last one, is one
+  // full page.
+  struct Module {
+    struct Region {
+      uint8_t *Start, *Stop;
+      bool Enabled;
+      bool OneFullPage;
+    };
+    Region *Regions;
+    size_t NumRegions;
+    uint8_t *Start() const { return Regions[0].Start; }
+    uint8_t *Stop()  const { return Regions[NumRegions - 1].Stop; }
+    size_t Size()    const { return Stop() - Start(); }
+    size_t  Idx(uint8_t *P) const {
+      assert(P >= Start() && P < Stop());
+      return P - Start();
+    }
+  };
+
+  Module Modules[4096];
+  size_t NumModules;  // linker-initialized.
+  size_t NumInline8bitCounters;
+
+  template <class Callback>
+  void IterateCounterRegions(Callback CB) {
+    for (size_t m = 0; m < NumModules; m++)
+      for (size_t r = 0; r < Modules[m].NumRegions; r++)
+        CB(Modules[m].Regions[r]);
+  }
+
+  struct { const PCTableEntry *Start, *Stop; } ModulePCTable[4096];
+  size_t NumPCTables;
+  size_t NumPCsInPCTables;
+
+  Set<const PCTableEntry*> ObservedPCs;
+  std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs;  // PC => Counter.
+
+  uint8_t *FocusFunctionCounterPtr = nullptr;
+
+  ValueBitMap ValueProfileMap;
+  uintptr_t InitialStack;
+};
+
+template <class Callback>
+// void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);
+ATTRIBUTE_NO_SANITIZE_ALL
+size_t ForEachNonZeroByte(const uint8_t *Begin, const uint8_t *End,
+                        size_t FirstFeature, Callback Handle8bitCounter) {
+  typedef uintptr_t LargeType;
+  const size_t Step = sizeof(LargeType) / sizeof(uint8_t);
+  const size_t StepMask = Step - 1;
+  auto P = Begin;
+  // Iterate by 1 byte until either the alignment boundary or the end.
+  for (; reinterpret_cast<uintptr_t>(P) & StepMask && P < End; P++)
+    if (uint8_t V = *P)
+      Handle8bitCounter(FirstFeature, P - Begin, V);
+
+  // Iterate by Step bytes at a time.
+  for (; P < End; P += Step)
+    if (LargeType Bundle = *reinterpret_cast<const LargeType *>(P)) {
+      Bundle = HostToLE(Bundle);
+      for (size_t I = 0; I < Step; I++, Bundle >>= 8)
+        if (uint8_t V = Bundle & 0xff)
+          Handle8bitCounter(FirstFeature, P - Begin + I, V);
+    }
+
+  // Iterate by 1 byte until the end.
+  for (; P < End; P++)
+    if (uint8_t V = *P)
+      Handle8bitCounter(FirstFeature, P - Begin, V);
+  return End - Begin;
+}
+
+// Given a non-zero Counter returns a number in the range [0,7].
+template<class T>
+unsigned CounterToFeature(T Counter) {
+    // Returns a feature number by placing Counters into buckets as illustrated
+    // below.
+    //
+    // Counter bucket: [1] [2] [3] [4-7] [8-15] [16-31] [32-127] [128+]
+    // Feature number:  0   1   2    3     4       5       6       7
+    //
+    // This is a heuristic taken from AFL (see
+    // http://lcamtuf.coredump.cx/afl/technical_details.txt).
+    //
+    // This implementation may change in the future so clients should
+    // not rely on it.
+    assert(Counter);
+    unsigned Bit = 0;
+    /**/ if (Counter >= 128) Bit = 7;
+    else if (Counter >= 32) Bit = 6;
+    else if (Counter >= 16) Bit = 5;
+    else if (Counter >= 8) Bit = 4;
+    else if (Counter >= 4) Bit = 3;
+    else if (Counter >= 3) Bit = 2;
+    else if (Counter >= 2) Bit = 1;
+    return Bit;
+}
+
+template <class Callback>  // void Callback(size_t Feature)
+ATTRIBUTE_NO_SANITIZE_ADDRESS
+ATTRIBUTE_NOINLINE
+void TracePC::CollectFeatures(Callback HandleFeature) const {
+  auto Handle8bitCounter = [&](size_t FirstFeature,
+                               size_t Idx, uint8_t Counter) {
+    if (UseCounters)
+      HandleFeature(FirstFeature + Idx * 8 + CounterToFeature(Counter));
+    else
+      HandleFeature(FirstFeature + Idx);
+  };
+
+  size_t FirstFeature = 0;
+
+  for (size_t i = 0; i < NumModules; i++) {
+    for (size_t r = 0; r < Modules[i].NumRegions; r++) {
+      if (!Modules[i].Regions[r].Enabled) continue;
+      FirstFeature += 8 * ForEachNonZeroByte(Modules[i].Regions[r].Start,
+                                             Modules[i].Regions[r].Stop,
+                                             FirstFeature, Handle8bitCounter);
+    }
+  }
+
+  FirstFeature +=
+      8 * ForEachNonZeroByte(ExtraCountersBegin(), ExtraCountersEnd(),
+                             FirstFeature, Handle8bitCounter);
+
+  if (UseValueProfileMask) {
+    ValueProfileMap.ForEach([&](size_t Idx) {
+      HandleFeature(FirstFeature + Idx);
+    });
+    FirstFeature += ValueProfileMap.SizeInBits();
+  }
+
+  // Step function, grows similar to 8 * Log_2(A).
+  auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
+    if (!A) return A;
+    uint32_t Log2 = Log(A);
+    if (Log2 < 3) return A;
+    Log2 -= 3;
+    return (Log2 + 1) * 8 + ((A >> Log2) & 7);
+  };
+  assert(StackDepthStepFunction(1024) == 64);
+  assert(StackDepthStepFunction(1024 * 4) == 80);
+  assert(StackDepthStepFunction(1024 * 1024) == 144);
+
+  if (auto MaxStackOffset = GetMaxStackOffset())
+    HandleFeature(FirstFeature + StackDepthStepFunction(MaxStackOffset / 8));
+}
+
+extern TracePC TPC;
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_TRACE_PC
--- a/custom_mutators/libfuzzer/FuzzerUtil.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtil.cpp
@ -0,0 +1,314 @@
+//===- FuzzerUtil.cpp - Misc utils ----------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerUtil.h"
+#include "FuzzerIO.h"
+#include "FuzzerInternal.h"
+#include <cassert>
+#include <chrono>
+#include <cstring>
+#include <errno.h>
+#include <mutex>
+#include <signal.h>
+#include <sstream>
+#include <stdio.h>
+#include <sys/types.h>
+#include <thread>
+
+namespace fuzzer {
+
+void PrintHexArray(const uint8_t *Data, size_t Size, const char *PrintAfter) {
+
+  for (size_t i = 0; i < Size; i++)
+    Printf("0x%x,", (unsigned)Data[i]);
+  Printf("%s", PrintAfter);
+
+}
+
+void Print(const Unit &v, const char *PrintAfter) {
+
+  PrintHexArray(v.data(), v.size(), PrintAfter);
+
+}
+
+void PrintASCIIByte(uint8_t Byte) {
+
+  if (Byte == '\\')
+    Printf("\\\\");
+  else if (Byte == '"')
+    Printf("\\\"");
+  else if (Byte >= 32 && Byte < 127)
+    Printf("%c", Byte);
+  else
+    Printf("\\x%02x", Byte);
+
+}
+
+void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter) {
+
+  for (size_t i = 0; i < Size; i++)
+    PrintASCIIByte(Data[i]);
+  Printf("%s", PrintAfter);
+
+}
+
+void PrintASCII(const Unit &U, const char *PrintAfter) {
+
+  PrintASCII(U.data(), U.size(), PrintAfter);
+
+}
+
+bool ToASCII(uint8_t *Data, size_t Size) {
+
+  bool Changed = false;
+  for (size_t i = 0; i < Size; i++) {
+
+    uint8_t &X = Data[i];
+    auto     NewX = X;
+    NewX &= 127;
+    if (!isspace(NewX) && !isprint(NewX)) NewX = ' ';
+    Changed |= NewX != X;
+    X = NewX;
+
+  }
+
+  return Changed;
+
+}
+
+bool IsASCII(const Unit &U) {
+
+  return IsASCII(U.data(), U.size());
+
+}
+
+bool IsASCII(const uint8_t *Data, size_t Size) {
+
+  for (size_t i = 0; i < Size; i++)
+    if (!(isprint(Data[i]) || isspace(Data[i]))) return false;
+  return true;
+
+}
+
+bool ParseOneDictionaryEntry(const std::string &Str, Unit *U) {
+
+  U->clear();
+  if (Str.empty()) return false;
+  size_t L = 0, R = Str.size() - 1;  // We are parsing the range [L,R].
+  // Skip spaces from both sides.
+  while (L < R && isspace(Str[L]))
+    L++;
+  while (R > L && isspace(Str[R]))
+    R--;
+  if (R - L < 2) return false;
+  // Check the closing "
+  if (Str[R] != '"') return false;
+  R--;
+  // Find the opening "
+  while (L < R && Str[L] != '"')
+    L++;
+  if (L >= R) return false;
+  assert(Str[L] == '\"');
+  L++;
+  assert(L <= R);
+  for (size_t Pos = L; Pos <= R; Pos++) {
+
+    uint8_t V = (uint8_t)Str[Pos];
+    if (!isprint(V) && !isspace(V)) return false;
+    if (V == '\\') {
+
+      // Handle '\\'
+      if (Pos + 1 <= R && (Str[Pos + 1] == '\\' || Str[Pos + 1] == '"')) {
+
+        U->push_back(Str[Pos + 1]);
+        Pos++;
+        continue;
+
+      }
+
+      // Handle '\xAB'
+      if (Pos + 3 <= R && Str[Pos + 1] == 'x' && isxdigit(Str[Pos + 2]) &&
+          isxdigit(Str[Pos + 3])) {
+
+        char Hex[] = "0xAA";
+        Hex[2] = Str[Pos + 2];
+        Hex[3] = Str[Pos + 3];
+        U->push_back(strtol(Hex, nullptr, 16));
+        Pos += 3;
+        continue;
+
+      }
+
+      return false;  // Invalid escape.
+
+    } else {
+
+      // Any other character.
+      U->push_back(V);
+
+    }
+
+  }
+
+  return true;
+
+}
+
+bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units) {
+
+  if (Text.empty()) {
+
+    Printf("ParseDictionaryFile: file does not exist or is empty\n");
+    return false;
+
+  }
+
+  std::istringstream ISS(Text);
+  Units->clear();
+  Unit        U;
+  int         LineNo = 0;
+  std::string S;
+  while (std::getline(ISS, S, '\n')) {
+
+    LineNo++;
+    size_t Pos = 0;
+    while (Pos < S.size() && isspace(S[Pos]))
+      Pos++;                        // Skip spaces.
+    if (Pos == S.size()) continue;  // Empty line.
+    if (S[Pos] == '#') continue;    // Comment line.
+    if (ParseOneDictionaryEntry(S, &U)) {
+
+      Units->push_back(U);
+
+    } else {
+
+      Printf("ParseDictionaryFile: error in line %d\n\t\t%s\n", LineNo,
+             S.c_str());
+      return false;
+
+    }
+
+  }
+
+  return true;
+
+}
+
+// Code duplicated (and tested) in llvm/include/llvm/Support/Base64.h
+std::string Base64(const Unit &U) {
+
+  static const char Table[] =
+      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+      "abcdefghijklmnopqrstuvwxyz"
+      "0123456789+/";
+  std::string Buffer;
+  Buffer.resize(((U.size() + 2) / 3) * 4);
+
+  size_t i = 0, j = 0;
+  for (size_t n = U.size() / 3 * 3; i < n; i += 3, j += 4) {
+
+    uint32_t x = ((unsigned char)U[i] << 16) | ((unsigned char)U[i + 1] << 8) |
+                 (unsigned char)U[i + 2];
+    Buffer[j + 0] = Table[(x >> 18) & 63];
+    Buffer[j + 1] = Table[(x >> 12) & 63];
+    Buffer[j + 2] = Table[(x >> 6) & 63];
+    Buffer[j + 3] = Table[x & 63];
+
+  }
+
+  if (i + 1 == U.size()) {
+
+    uint32_t x = ((unsigned char)U[i] << 16);
+    Buffer[j + 0] = Table[(x >> 18) & 63];
+    Buffer[j + 1] = Table[(x >> 12) & 63];
+    Buffer[j + 2] = '=';
+    Buffer[j + 3] = '=';
+
+  } else if (i + 2 == U.size()) {
+
+    uint32_t x = ((unsigned char)U[i] << 16) | ((unsigned char)U[i + 1] << 8);
+    Buffer[j + 0] = Table[(x >> 18) & 63];
+    Buffer[j + 1] = Table[(x >> 12) & 63];
+    Buffer[j + 2] = Table[(x >> 6) & 63];
+    Buffer[j + 3] = '=';
+
+  }
+
+  return Buffer;
+
+}
+
+static std::mutex SymbolizeMutex;
+
+std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC) {
+
+  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
+  if (!EF->__sanitizer_symbolize_pc || !l.owns_lock())
+    return "<can not symbolize>";
+  char PcDescr[1024] = {};
+  EF->__sanitizer_symbolize_pc(reinterpret_cast<void *>(PC), SymbolizedFMT,
+                               PcDescr, sizeof(PcDescr));
+  PcDescr[sizeof(PcDescr) - 1] = 0;  // Just in case.
+  return PcDescr;
+
+}
+
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
+
+  if (EF->__sanitizer_symbolize_pc)
+    Printf("%s", DescribePC(SymbolizedFMT, PC).c_str());
+  else
+    Printf(FallbackFMT, PC);
+
+}
+
+void PrintStackTrace() {
+
+  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
+  if (EF->__sanitizer_print_stack_trace && l.owns_lock())
+    EF->__sanitizer_print_stack_trace();
+
+}
+
+void PrintMemoryProfile() {
+
+  std::unique_lock<std::mutex> l(SymbolizeMutex, std::try_to_lock);
+  if (EF->__sanitizer_print_memory_profile && l.owns_lock())
+    EF->__sanitizer_print_memory_profile(95, 8);
+
+}
+
+unsigned NumberOfCpuCores() {
+
+  unsigned N = std::thread::hardware_concurrency();
+  if (!N) {
+
+    Printf(
+        "WARNING: std::thread::hardware_concurrency not well defined for "
+        "your platform. Assuming CPU count of 1.\n");
+    N = 1;
+
+  }
+
+  return N;
+
+}
+
+size_t SimpleFastHash(const uint8_t *Data, size_t Size) {
+
+  size_t Res = 0;
+  for (size_t i = 0; i < Size; i++)
+    Res = Res * 11 + Data[i];
+  return Res;
+
+}
+
+}  // namespace fuzzer
+
--- a/custom_mutators/libfuzzer/FuzzerUtil.h
+++ b/custom_mutators/libfuzzer/FuzzerUtil.h
@ -0,0 +1,117 @@
+//===- FuzzerUtil.h - Internal header for the Fuzzer Utils ------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Util functions.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_UTIL_H
+#define LLVM_FUZZER_UTIL_H
+
+#include "FuzzerBuiltins.h"
+#include "FuzzerBuiltinsMsvc.h"
+#include "FuzzerCommand.h"
+#include "FuzzerDefs.h"
+
+namespace fuzzer {
+
+void PrintHexArray(const Unit &U, const char *PrintAfter = "");
+
+void PrintHexArray(const uint8_t *Data, size_t Size,
+                   const char *PrintAfter = "");
+
+void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter = "");
+
+void PrintASCII(const Unit &U, const char *PrintAfter = "");
+
+// Changes U to contain only ASCII (isprint+isspace) characters.
+// Returns true iff U has been changed.
+bool ToASCII(uint8_t *Data, size_t Size);
+
+bool IsASCII(const Unit &U);
+
+bool IsASCII(const uint8_t *Data, size_t Size);
+
+std::string Base64(const Unit &U);
+
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
+
+std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC);
+
+void PrintStackTrace();
+
+void PrintMemoryProfile();
+
+unsigned NumberOfCpuCores();
+
+// Platform specific functions.
+void SetSignalHandler(const FuzzingOptions& Options);
+
+void SleepSeconds(int Seconds);
+
+unsigned long GetPid();
+
+size_t GetPeakRSSMb();
+
+int ExecuteCommand(const Command &Cmd);
+bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput);
+
+// Fuchsia does not have popen/pclose.
+FILE *OpenProcessPipe(const char *Command, const char *Mode);
+int CloseProcessPipe(FILE *F);
+
+const void *SearchMemory(const void *haystack, size_t haystacklen,
+                         const void *needle, size_t needlelen);
+
+std::string CloneArgsWithoutX(const Vector<std::string> &Args,
+                              const char *X1, const char *X2);
+
+inline std::string CloneArgsWithoutX(const Vector<std::string> &Args,
+                                     const char *X) {
+  return CloneArgsWithoutX(Args, X, X);
+}
+
+inline std::pair<std::string, std::string> SplitBefore(std::string X,
+                                                       std::string S) {
+  auto Pos = S.find(X);
+  if (Pos == std::string::npos)
+    return std::make_pair(S, "");
+  return std::make_pair(S.substr(0, Pos), S.substr(Pos));
+}
+
+void DiscardOutput(int Fd);
+
+std::string DisassembleCmd(const std::string &FileName);
+
+std::string SearchRegexCmd(const std::string &Regex);
+
+size_t SimpleFastHash(const uint8_t *Data, size_t Size);
+
+inline uint32_t Log(uint32_t X) { return 32 - Clz(X) - 1; }
+
+inline size_t PageSize() { return 4096; }
+inline uint8_t *RoundUpByPage(uint8_t *P) {
+  uintptr_t X = reinterpret_cast<uintptr_t>(P);
+  size_t Mask = PageSize() - 1;
+  X = (X + Mask) & ~Mask;
+  return reinterpret_cast<uint8_t *>(X);
+}
+inline uint8_t *RoundDownByPage(uint8_t *P) {
+  uintptr_t X = reinterpret_cast<uintptr_t>(P);
+  size_t Mask = PageSize() - 1;
+  X = X & ~Mask;
+  return reinterpret_cast<uint8_t *>(X);
+}
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+template <typename T> T HostToLE(T X) { return X; }
+#else
+template <typename T> T HostToLE(T X) { return Bswap(X); }
+#endif
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_UTIL_H
--- a/custom_mutators/libfuzzer/FuzzerUtilDarwin.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilDarwin.cpp
@ -0,0 +1,205 @@
+//===- FuzzerUtilDarwin.cpp - Misc utils ----------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils for Darwin.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_APPLE
+  #include "FuzzerCommand.h"
+  #include "FuzzerIO.h"
+  #include <mutex>
+  #include <signal.h>
+  #include <spawn.h>
+  #include <stdlib.h>
+  #include <string.h>
+  #include <sys/wait.h>
+  #include <unistd.h>
+
+// There is no header for this on macOS so declare here
+extern "C" char **environ;
+
+namespace fuzzer {
+
+static std::mutex SignalMutex;
+// Global variables used to keep track of how signal handling should be
+// restored. They should **not** be accessed without holding `SignalMutex`.
+static int              ActiveThreadCount = 0;
+static struct sigaction OldSigIntAction;
+static struct sigaction OldSigQuitAction;
+static sigset_t         OldBlockedSignalsSet;
+
+// This is a reimplementation of Libc's `system()`. On Darwin the Libc
+// implementation contains a mutex which prevents it from being used
+// concurrently. This implementation **can** be used concurrently. It sets the
+// signal handlers when the first thread enters and restores them when the last
+// thread finishes execution of the function and ensures this is not racey by
+// using a mutex.
+int ExecuteCommand(const Command &Cmd) {
+
+  std::string       CmdLine = Cmd.toString();
+  posix_spawnattr_t SpawnAttributes;
+  if (posix_spawnattr_init(&SpawnAttributes)) return -1;
+  // Block and ignore signals of the current process when the first thread
+  // enters.
+  {
+
+    std::lock_guard<std::mutex> Lock(SignalMutex);
+    if (ActiveThreadCount == 0) {
+
+      static struct sigaction IgnoreSignalAction;
+      sigset_t                BlockedSignalsSet;
+      memset(&IgnoreSignalAction, 0, sizeof(IgnoreSignalAction));
+      IgnoreSignalAction.sa_handler = SIG_IGN;
+
+      if (sigaction(SIGINT, &IgnoreSignalAction, &OldSigIntAction) == -1) {
+
+        Printf("Failed to ignore SIGINT\n");
+        (void)posix_spawnattr_destroy(&SpawnAttributes);
+        return -1;
+
+      }
+
+      if (sigaction(SIGQUIT, &IgnoreSignalAction, &OldSigQuitAction) == -1) {
+
+        Printf("Failed to ignore SIGQUIT\n");
+        // Try our best to restore the signal handlers.
+        (void)sigaction(SIGINT, &OldSigIntAction, NULL);
+        (void)posix_spawnattr_destroy(&SpawnAttributes);
+        return -1;
+
+      }
+
+      (void)sigemptyset(&BlockedSignalsSet);
+      (void)sigaddset(&BlockedSignalsSet, SIGCHLD);
+      if (sigprocmask(SIG_BLOCK, &BlockedSignalsSet, &OldBlockedSignalsSet) ==
+          -1) {
+
+        Printf("Failed to block SIGCHLD\n");
+        // Try our best to restore the signal handlers.
+        (void)sigaction(SIGQUIT, &OldSigQuitAction, NULL);
+        (void)sigaction(SIGINT, &OldSigIntAction, NULL);
+        (void)posix_spawnattr_destroy(&SpawnAttributes);
+        return -1;
+
+      }
+
+    }
+
+    ++ActiveThreadCount;
+
+  }
+
+  // NOTE: Do not introduce any new `return` statements past this
+  // point. It is important that `ActiveThreadCount` always be decremented
+  // when leaving this function.
+
+  // Make sure the child process uses the default handlers for the
+  // following signals rather than inheriting what the parent has.
+  sigset_t DefaultSigSet;
+  (void)sigemptyset(&DefaultSigSet);
+  (void)sigaddset(&DefaultSigSet, SIGQUIT);
+  (void)sigaddset(&DefaultSigSet, SIGINT);
+  (void)posix_spawnattr_setsigdefault(&SpawnAttributes, &DefaultSigSet);
+  // Make sure the child process doesn't block SIGCHLD
+  (void)posix_spawnattr_setsigmask(&SpawnAttributes, &OldBlockedSignalsSet);
+  short SpawnFlags = POSIX_SPAWN_SETSIGDEF | POSIX_SPAWN_SETSIGMASK;
+  (void)posix_spawnattr_setflags(&SpawnAttributes, SpawnFlags);
+
+  pid_t       Pid;
+  char **     Environ = environ;  // Read from global
+  const char *CommandCStr = CmdLine.c_str();
+  char *const Argv[] = {strdup("sh"), strdup("-c"), strdup(CommandCStr), NULL};
+  int         ErrorCode = 0, ProcessStatus = 0;
+  // FIXME: We probably shouldn't hardcode the shell path.
+  ErrorCode =
+      posix_spawn(&Pid, "/bin/sh", NULL, &SpawnAttributes, Argv, Environ);
+  (void)posix_spawnattr_destroy(&SpawnAttributes);
+  if (!ErrorCode) {
+
+    pid_t SavedPid = Pid;
+    do {
+
+      // Repeat until call completes uninterrupted.
+      Pid = waitpid(SavedPid, &ProcessStatus, /*options=*/0);
+
+    } while (Pid == -1 && errno == EINTR);
+
+    if (Pid == -1) {
+
+      // Fail for some other reason.
+      ProcessStatus = -1;
+
+    }
+
+  } else if (ErrorCode == ENOMEM || ErrorCode == EAGAIN) {
+
+    // Fork failure.
+    ProcessStatus = -1;
+
+  } else {
+
+    // Shell execution failure.
+    ProcessStatus = W_EXITCODE(127, 0);
+
+  }
+
+  for (unsigned i = 0, n = sizeof(Argv) / sizeof(Argv[0]); i < n; ++i)
+    free(Argv[i]);
+
+  // Restore the signal handlers of the current process when the last thread
+  // using this function finishes.
+  {
+
+    std::lock_guard<std::mutex> Lock(SignalMutex);
+    --ActiveThreadCount;
+    if (ActiveThreadCount == 0) {
+
+      bool FailedRestore = false;
+      if (sigaction(SIGINT, &OldSigIntAction, NULL) == -1) {
+
+        Printf("Failed to restore SIGINT handling\n");
+        FailedRestore = true;
+
+      }
+
+      if (sigaction(SIGQUIT, &OldSigQuitAction, NULL) == -1) {
+
+        Printf("Failed to restore SIGQUIT handling\n");
+        FailedRestore = true;
+
+      }
+
+      if (sigprocmask(SIG_BLOCK, &OldBlockedSignalsSet, NULL) == -1) {
+
+        Printf("Failed to unblock SIGCHLD\n");
+        FailedRestore = true;
+
+      }
+
+      if (FailedRestore) ProcessStatus = -1;
+
+    }
+
+  }
+
+  return ProcessStatus;
+
+}
+
+void DiscardOutput(int Fd) {
+
+  FILE *Temp = fopen("/dev/null", "w");
+  if (!Temp) return;
+  dup2(fileno(Temp), Fd);
+  fclose(Temp);
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_APPLE
+
--- a/custom_mutators/libfuzzer/FuzzerUtilFuchsia.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilFuchsia.cpp
@ -0,0 +1,658 @@
+//===- FuzzerUtilFuchsia.cpp - Misc utils for Fuchsia. --------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils implementation using Fuchsia/Zircon APIs.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+
+#if LIBFUZZER_FUCHSIA
+
+  #include "FuzzerInternal.h"
+  #include "FuzzerUtil.h"
+  #include <cassert>
+  #include <cerrno>
+  #include <cinttypes>
+  #include <cstdint>
+  #include <fcntl.h>
+  #include <lib/fdio/fdio.h>
+  #include <lib/fdio/spawn.h>
+  #include <string>
+  #include <sys/select.h>
+  #include <thread>
+  #include <unistd.h>
+  #include <zircon/errors.h>
+  #include <zircon/process.h>
+  #include <zircon/sanitizer.h>
+  #include <zircon/status.h>
+  #include <zircon/syscalls.h>
+  #include <zircon/syscalls/debug.h>
+  #include <zircon/syscalls/exception.h>
+  #include <zircon/syscalls/object.h>
+  #include <zircon/types.h>
+
+  #include <vector>
+
+namespace fuzzer {
+
+// Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written
+// around, the general approach is to spin up dedicated threads to watch for
+// each requested condition (alarm, interrupt, crash).  Of these, the crash
+// handler is the most involved, as it requires resuming the crashed thread in
+// order to invoke the sanitizers to get the needed state.
+
+// Forward declaration of assembly trampoline needed to resume crashed threads.
+// This appears to have external linkage to  C++, which is why it's not in the
+// anonymous namespace.  The assembly definition inside MakeTrampoline()
+// actually defines the symbol with internal linkage only.
+void CrashTrampolineAsm() __asm__("CrashTrampolineAsm");
+
+namespace {
+
+// Helper function to handle Zircon syscall failures.
+void ExitOnErr(zx_status_t Status, const char *Syscall) {
+
+  if (Status != ZX_OK) {
+
+    Printf("libFuzzer: %s failed: %s\n", Syscall,
+           _zx_status_get_string(Status));
+    exit(1);
+
+  }
+
+}
+
+void AlarmHandler(int Seconds) {
+
+  while (true) {
+
+    SleepSeconds(Seconds);
+    Fuzzer::StaticAlarmCallback();
+
+  }
+
+}
+
+void InterruptHandler() {
+
+  fd_set readfds;
+  // Ctrl-C sends ETX in Zircon.
+  do {
+
+    FD_ZERO(&readfds);
+    FD_SET(STDIN_FILENO, &readfds);
+    select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr);
+
+  } while (!FD_ISSET(STDIN_FILENO, &readfds) || getchar() != 0x03);
+
+  Fuzzer::StaticInterruptCallback();
+
+}
+
+  // CFAOffset is used to reference the stack pointer before entering the
+  // trampoline (Stack Pointer + CFAOffset = prev Stack Pointer). Before jumping
+  // to the trampoline we copy all the registers onto the stack. We need to make
+  // sure that the new stack has enough space to store all the registers.
+  //
+  // The trampoline holds CFI information regarding the registers stored in the
+  // stack, which is then used by the unwinder to restore them.
+  #if defined(__x86_64__)
+// In x86_64 the crashing function might also be using the red zone (128 bytes
+// on top of their rsp).
+constexpr size_t CFAOffset = 128 + sizeof(zx_thread_state_general_regs_t);
+  #elif defined(__aarch64__)
+// In aarch64 we need to always have the stack pointer aligned to 16 bytes, so
+// we make sure that we are keeping that same alignment.
+constexpr size_t CFAOffset =
+    (sizeof(zx_thread_state_general_regs_t) + 15) & -(uintptr_t)16;
+  #endif
+
+  // For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
+  // without POSIX signal handlers.  To achieve this, we use an assembly
+  // function to add the necessary CFI unwinding information and a C function to
+  // bridge from that back into C++.
+
+  // FIXME: This works as a short-term solution, but this code really shouldn't
+  // be architecture dependent. A better long term solution is to implement
+  // remote unwinding and expose the necessary APIs through sanitizer_common
+  // and/or ASAN to allow the exception handling thread to gather the crash
+  // state directly.
+  //
+  // Alternatively, Fuchsia may in future actually implement basic signal
+  // handling for the machine trap signals.
+  #if defined(__x86_64__)
+    #define FOREACH_REGISTER(OP_REG, OP_NUM) \
+      OP_REG(rax)                            \
+      OP_REG(rbx)                            \
+      OP_REG(rcx)                            \
+      OP_REG(rdx)                            \
+      OP_REG(rsi)                            \
+      OP_REG(rdi)                            \
+      OP_REG(rbp)                            \
+      OP_REG(rsp)                            \
+      OP_REG(r8)                             \
+      OP_REG(r9)                             \
+      OP_REG(r10)                            \
+      OP_REG(r11)                            \
+      OP_REG(r12)                            \
+      OP_REG(r13)                            \
+      OP_REG(r14)                            \
+      OP_REG(r15)                            \
+      OP_REG(rip)
+
+  #elif defined(__aarch64__)
+    #define FOREACH_REGISTER(OP_REG, OP_NUM) \
+      OP_NUM(0)                              \
+      OP_NUM(1)                              \
+      OP_NUM(2)                              \
+      OP_NUM(3)                              \
+      OP_NUM(4)                              \
+      OP_NUM(5)                              \
+      OP_NUM(6)                              \
+      OP_NUM(7)                              \
+      OP_NUM(8)                              \
+      OP_NUM(9)                              \
+      OP_NUM(10)                             \
+      OP_NUM(11)                             \
+      OP_NUM(12)                             \
+      OP_NUM(13)                             \
+      OP_NUM(14)                             \
+      OP_NUM(15)                             \
+      OP_NUM(16)                             \
+      OP_NUM(17)                             \
+      OP_NUM(18)                             \
+      OP_NUM(19)                             \
+      OP_NUM(20)                             \
+      OP_NUM(21)                             \
+      OP_NUM(22)                             \
+      OP_NUM(23)                             \
+      OP_NUM(24)                             \
+      OP_NUM(25)                             \
+      OP_NUM(26)                             \
+      OP_NUM(27)                             \
+      OP_NUM(28)                             \
+      OP_NUM(29)                             \
+      OP_REG(sp)
+
+  #else
+    #error "Unsupported architecture for fuzzing on Fuchsia"
+  #endif
+
+  // Produces a CFI directive for the named or numbered register.
+  // The value used refers to an assembler immediate operand with the same name
+  // as the register (see ASM_OPERAND_REG).
+  #define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
+  #define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num)
+
+  // Produces an assembler immediate operand for the named or numbered register.
+  // This operand contains the offset of the register relative to the CFA.
+  #define ASM_OPERAND_REG(reg) \
+    [reg] "i"(offsetof(zx_thread_state_general_regs_t, reg) - CFAOffset),
+  #define ASM_OPERAND_NUM(num) \
+    [x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num]) - CFAOffset),
+
+// Trampoline to bridge from the assembly below to the static C++ crash
+// callback.
+__attribute__((noreturn)) static void StaticCrashHandler() {
+
+  Fuzzer::StaticCrashSignalCallback();
+  for (;;) {
+
+    _Exit(1);
+
+  }
+
+}
+
+// Creates the trampoline with the necessary CFI information to unwind through
+// to the crashing call stack:
+//  * Defining the CFA so that it points to the stack pointer at the point
+//    of crash.
+//  * Storing all registers at the point of crash in the stack and refer to them
+//    via CFI information (relative to the CFA).
+//  * Setting the return column so the unwinder knows how to continue unwinding.
+//  * (x86_64) making sure rsp is aligned before calling StaticCrashHandler.
+//  * Calling StaticCrashHandler that will trigger the unwinder.
+//
+// The __attribute__((used)) is necessary because the function
+// is never called; it's just a container around the assembly to allow it to
+// use operands for compile-time computed constants.
+__attribute__((used)) void MakeTrampoline() {
+
+  __asm__(".cfi_endproc\n"
+    ".pushsection .text.CrashTrampolineAsm\n"
+    ".type CrashTrampolineAsm,STT_FUNC\n"
+"CrashTrampolineAsm:\n"
+    ".cfi_startproc simple\n"
+    ".cfi_signal_frame\n"
+  #if defined(__x86_64__)
+    ".cfi_return_column rip\n"
+    ".cfi_def_cfa rsp, %c[CFAOffset]\n"
+    FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
+    "mov %%rsp, %%rbp\n"
+    ".cfi_def_cfa_register rbp\n"
+    "andq $-16, %%rsp\n"
+    "call %c[StaticCrashHandler]\n"
+    "ud2\n"
+  #elif defined(__aarch64__)
+    ".cfi_return_column 33\n"
+    ".cfi_def_cfa sp, %c[CFAOffset]\n"
+    FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
+    ".cfi_offset 33, %c[pc]\n"
+    ".cfi_offset 30, %c[lr]\n"
+    "bl %c[StaticCrashHandler]\n"
+    "brk 1\n"
+  #else
+    #error "Unsupported architecture for fuzzing on Fuchsia"
+  #endif
+    ".cfi_endproc\n"
+    ".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
+    ".popsection\n"
+    ".cfi_startproc\n"
+    : // No outputs
+    : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
+  #if defined(__aarch64__)
+      ASM_OPERAND_REG(pc)
+      ASM_OPERAND_REG(lr)
+  #endif
+      [StaticCrashHandler] "i" (StaticCrashHandler),
+      [CFAOffset] "i" (CFAOffset));
+
+}
+
+void CrashHandler(zx_handle_t *Event) {
+
+  // This structure is used to ensure we close handles to objects we create in
+  // this handler.
+  struct ScopedHandle {
+
+    ~ScopedHandle() {
+
+      _zx_handle_close(Handle);
+
+    }
+
+    zx_handle_t Handle = ZX_HANDLE_INVALID;
+
+  };
+
+  // Create the exception channel.  We need to claim to be a "debugger" so the
+  // kernel will allow us to modify and resume dying threads (see below). Once
+  // the channel is set, we can signal the main thread to continue and wait
+  // for the exception to arrive.
+  ScopedHandle Channel;
+  zx_handle_t  Self = _zx_process_self();
+  ExitOnErr(_zx_task_create_exception_channel(
+                Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle),
+            "_zx_task_create_exception_channel");
+
+  ExitOnErr(_zx_object_signal(*Event, 0, ZX_USER_SIGNAL_0),
+            "_zx_object_signal");
+
+  // This thread lives as long as the process in order to keep handling
+  // crashes.  In practice, the first crashed thread to reach the end of the
+  // StaticCrashHandler will end the process.
+  while (true) {
+
+    ExitOnErr(_zx_object_wait_one(Channel.Handle, ZX_CHANNEL_READABLE,
+                                  ZX_TIME_INFINITE, nullptr),
+              "_zx_object_wait_one");
+
+    zx_exception_info_t ExceptionInfo;
+    ScopedHandle        Exception;
+    ExitOnErr(
+        _zx_channel_read(Channel.Handle, 0, &ExceptionInfo, &Exception.Handle,
+                         sizeof(ExceptionInfo), 1, nullptr, nullptr),
+        "_zx_channel_read");
+
+    // Ignore informational synthetic exceptions.
+    if (ZX_EXCP_THREAD_STARTING == ExceptionInfo.type ||
+        ZX_EXCP_THREAD_EXITING == ExceptionInfo.type ||
+        ZX_EXCP_PROCESS_STARTING == ExceptionInfo.type) {
+
+      continue;
+
+    }
+
+    // At this point, we want to get the state of the crashing thread, but
+    // libFuzzer and the sanitizers assume this will happen from that same
+    // thread via a POSIX signal handler. "Resurrecting" the thread in the
+    // middle of the appropriate callback is as simple as forcibly setting the
+    // instruction pointer/program counter, provided we NEVER EVER return from
+    // that function (since otherwise our stack will not be valid).
+    ScopedHandle Thread;
+    ExitOnErr(_zx_exception_get_thread(Exception.Handle, &Thread.Handle),
+              "_zx_exception_get_thread");
+
+    zx_thread_state_general_regs_t GeneralRegisters;
+    ExitOnErr(
+        _zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
+                              &GeneralRegisters, sizeof(GeneralRegisters)),
+        "_zx_thread_read_state");
+
+    // To unwind properly, we need to push the crashing thread's register state
+    // onto the stack and jump into a trampoline with CFI instructions on how
+    // to restore it.
+  #if defined(__x86_64__)
+    uintptr_t StackPtr = GeneralRegisters.rsp - CFAOffset;
+    __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
+                         sizeof(GeneralRegisters));
+    GeneralRegisters.rsp = StackPtr;
+    GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
+
+  #elif defined(__aarch64__)
+    uintptr_t StackPtr = GeneralRegisters.sp - CFAOffset;
+    __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
+                         sizeof(GeneralRegisters));
+    GeneralRegisters.sp = StackPtr;
+    GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
+
+  #else
+    #error "Unsupported architecture for fuzzing on Fuchsia"
+  #endif
+
+    // Now force the crashing thread's state.
+    ExitOnErr(
+        _zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
+                               &GeneralRegisters, sizeof(GeneralRegisters)),
+        "_zx_thread_write_state");
+
+    // Set the exception to HANDLED so it resumes the thread on close.
+    uint32_t ExceptionState = ZX_EXCEPTION_STATE_HANDLED;
+    ExitOnErr(_zx_object_set_property(Exception.Handle, ZX_PROP_EXCEPTION_STATE,
+                                      &ExceptionState, sizeof(ExceptionState)),
+              "zx_object_set_property");
+
+  }
+
+}
+
+}  // namespace
+
+// Platform specific functions.
+void SetSignalHandler(const FuzzingOptions &Options) {
+
+  // Make sure information from libFuzzer and the sanitizers are easy to
+  // reassemble. `__sanitizer_log_write` has the added benefit of ensuring the
+  // DSO map is always available for the symbolizer.
+  // A uint64_t fits in 20 chars, so 64 is plenty.
+  char Buf[64];
+  memset(Buf, 0, sizeof(Buf));
+  snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid());
+  if (EF->__sanitizer_log_write) __sanitizer_log_write(Buf, sizeof(Buf));
+  Printf("%s", Buf);
+
+  // Set up alarm handler if needed.
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) {
+
+    std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
+    T.detach();
+
+  }
+
+  // Set up interrupt handler if needed.
+  if (Options.HandleInt || Options.HandleTerm) {
+
+    std::thread T(InterruptHandler);
+    T.detach();
+
+  }
+
+  // Early exit if no crash handler needed.
+  if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll &&
+      !Options.HandleFpe && !Options.HandleAbrt)
+    return;
+
+  // Set up the crash handler and wait until it is ready before proceeding.
+  zx_handle_t Event;
+  ExitOnErr(_zx_event_create(0, &Event), "_zx_event_create");
+
+  std::thread T(CrashHandler, &Event);
+  zx_status_t Status =
+      _zx_object_wait_one(Event, ZX_USER_SIGNAL_0, ZX_TIME_INFINITE, nullptr);
+  _zx_handle_close(Event);
+  ExitOnErr(Status, "_zx_object_wait_one");
+
+  T.detach();
+
+}
+
+void SleepSeconds(int Seconds) {
+
+  _zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds)));
+
+}
+
+unsigned long GetPid() {
+
+  zx_status_t            rc;
+  zx_info_handle_basic_t Info;
+  if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info,
+                                sizeof(Info), NULL, NULL)) != ZX_OK) {
+
+    Printf("libFuzzer: unable to get info about self: %s\n",
+           _zx_status_get_string(rc));
+    exit(1);
+
+  }
+
+  return Info.koid;
+
+}
+
+size_t GetPeakRSSMb() {
+
+  zx_status_t          rc;
+  zx_info_task_stats_t Info;
+  if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info,
+                                sizeof(Info), NULL, NULL)) != ZX_OK) {
+
+    Printf("libFuzzer: unable to get info about self: %s\n",
+           _zx_status_get_string(rc));
+    exit(1);
+
+  }
+
+  return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20;
+
+}
+
+template <typename Fn>
+class RunOnDestruction {
+
+ public:
+  explicit RunOnDestruction(Fn fn) : fn_(fn) {
+
+  }
+
+  ~RunOnDestruction() {
+
+    fn_();
+
+  }
+
+ private:
+  Fn fn_;
+
+};
+
+template <typename Fn>
+RunOnDestruction<Fn> at_scope_exit(Fn fn) {
+
+  return RunOnDestruction<Fn>(fn);
+
+}
+
+static fdio_spawn_action_t clone_fd_action(int localFd, int targetFd) {
+
+  return {
+
+      .action = FDIO_SPAWN_ACTION_CLONE_FD,
+      .fd =
+          {
+
+              .local_fd = localFd,
+              .target_fd = targetFd,
+
+          },
+
+  };
+
+}
+
+int ExecuteCommand(const Command &Cmd) {
+
+  zx_status_t rc;
+
+  // Convert arguments to C array
+  auto   Args = Cmd.getArguments();
+  size_t Argc = Args.size();
+  assert(Argc != 0);
+  std::unique_ptr<const char *[]> Argv(new const char *[Argc + 1]);
+  for (size_t i = 0; i < Argc; ++i)
+    Argv[i] = Args[i].c_str();
+  Argv[Argc] = nullptr;
+
+  // Determine output.  On Fuchsia, the fuzzer is typically run as a component
+  // that lacks a mutable working directory. Fortunately, when this is the case
+  // a mutable output directory must be specified using "-artifact_prefix=...",
+  // so write the log file(s) there.
+  // However, we don't want to apply this logic for absolute paths.
+  int  FdOut = STDOUT_FILENO;
+  bool discardStdout = false;
+  bool discardStderr = false;
+
+  if (Cmd.hasOutputFile()) {
+
+    std::string Path = Cmd.getOutputFile();
+    if (Path == getDevNull()) {
+
+      // On Fuchsia, there's no "/dev/null" like-file, so we
+      // just don't copy the FDs into the spawned process.
+      discardStdout = true;
+
+    } else {
+
+      bool IsAbsolutePath = Path.length() > 1 && Path[0] == '/';
+      if (!IsAbsolutePath && Cmd.hasFlag("artifact_prefix"))
+        Path = Cmd.getFlagValue("artifact_prefix") + "/" + Path;
+
+      FdOut = open(Path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0);
+      if (FdOut == -1) {
+
+        Printf("libFuzzer: failed to open %s: %s\n", Path.c_str(),
+               strerror(errno));
+        return ZX_ERR_IO;
+
+      }
+
+    }
+
+  }
+
+  auto CloseFdOut = at_scope_exit([FdOut]() {
+
+    if (FdOut != STDOUT_FILENO) close(FdOut);
+
+  });
+
+  // Determine stderr
+  int FdErr = STDERR_FILENO;
+  if (Cmd.isOutAndErrCombined()) {
+
+    FdErr = FdOut;
+    if (discardStdout) discardStderr = true;
+
+  }
+
+  // Clone the file descriptors into the new process
+  std::vector<fdio_spawn_action_t> SpawnActions;
+  SpawnActions.push_back(clone_fd_action(STDIN_FILENO, STDIN_FILENO));
+
+  if (!discardStdout)
+    SpawnActions.push_back(clone_fd_action(FdOut, STDOUT_FILENO));
+  if (!discardStderr)
+    SpawnActions.push_back(clone_fd_action(FdErr, STDERR_FILENO));
+
+  // Start the process.
+  char        ErrorMsg[FDIO_SPAWN_ERR_MSG_MAX_LENGTH];
+  zx_handle_t ProcessHandle = ZX_HANDLE_INVALID;
+  rc = fdio_spawn_etc(ZX_HANDLE_INVALID,
+                      FDIO_SPAWN_CLONE_ALL & (~FDIO_SPAWN_CLONE_STDIO), Argv[0],
+                      Argv.get(), nullptr, SpawnActions.size(),
+                      SpawnActions.data(), &ProcessHandle, ErrorMsg);
+
+  if (rc != ZX_OK) {
+
+    Printf("libFuzzer: failed to launch '%s': %s, %s\n", Argv[0], ErrorMsg,
+           _zx_status_get_string(rc));
+    return rc;
+
+  }
+
+  auto CloseHandle = at_scope_exit([&]() { _zx_handle_close(ProcessHandle); });
+
+  // Now join the process and return the exit status.
+  if ((rc = _zx_object_wait_one(ProcessHandle, ZX_PROCESS_TERMINATED,
+                                ZX_TIME_INFINITE, nullptr)) != ZX_OK) {
+
+    Printf("libFuzzer: failed to join '%s': %s\n", Argv[0],
+           _zx_status_get_string(rc));
+    return rc;
+
+  }
+
+  zx_info_process_t Info;
+  if ((rc = _zx_object_get_info(ProcessHandle, ZX_INFO_PROCESS, &Info,
+                                sizeof(Info), nullptr, nullptr)) != ZX_OK) {
+
+    Printf("libFuzzer: unable to get return code from '%s': %s\n", Argv[0],
+           _zx_status_get_string(rc));
+    return rc;
+
+  }
+
+  return Info.return_code;
+
+}
+
+bool ExecuteCommand(const Command &BaseCmd, std::string *CmdOutput) {
+
+  auto    LogFilePath = TempPath("SimPopenOut", ".txt");
+  Command Cmd(BaseCmd);
+  Cmd.setOutputFile(LogFilePath);
+  int Ret = ExecuteCommand(Cmd);
+  *CmdOutput = FileToString(LogFilePath);
+  RemoveFile(LogFilePath);
+  return Ret == 0;
+
+}
+
+const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
+                         size_t PattLen) {
+
+  return memmem(Data, DataLen, Patt, PattLen);
+
+}
+
+// In fuchsia, accessing /dev/null is not supported. There's nothing
+// similar to a file that discards everything that is written to it.
+// The way of doing something similar in fuchsia is by using
+// fdio_null_create and binding that to a file descriptor.
+void DiscardOutput(int Fd) {
+
+  fdio_t *fdio_null = fdio_null_create();
+  if (fdio_null == nullptr) return;
+  int nullfd = fdio_bind_to_fd(fdio_null, -1, 0);
+  if (nullfd < 0) return;
+  dup2(nullfd, Fd);
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_FUCHSIA
+
--- a/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilLinux.cpp
@ -0,0 +1,43 @@
+//===- FuzzerUtilLinux.cpp - Misc utils for Linux. ------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils for Linux.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FREEBSD || \
+    LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN
+  #include "FuzzerCommand.h"
+
+  #include <stdlib.h>
+  #include <sys/types.h>
+  #include <sys/wait.h>
+  #include <unistd.h>
+
+namespace fuzzer {
+
+int ExecuteCommand(const Command &Cmd) {
+
+  std::string CmdLine = Cmd.toString();
+  int         exit_code = system(CmdLine.c_str());
+  if (WIFEXITED(exit_code)) return WEXITSTATUS(exit_code);
+  return exit_code;
+
+}
+
+void DiscardOutput(int Fd) {
+
+  FILE *Temp = fopen("/dev/null", "w");
+  if (!Temp) return;
+  dup2(fileno(Temp), Fd);
+  fclose(Temp);
+
+}
+
+}  // namespace fuzzer
+
+#endif
+
--- a/custom_mutators/libfuzzer/FuzzerUtilPosix.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilPosix.cpp
@ -0,0 +1,239 @@
+//===- FuzzerUtilPosix.cpp - Misc utils for Posix. ------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils implementation using Posix API.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_POSIX
+  #include "FuzzerIO.h"
+  #include "FuzzerInternal.h"
+  #include "FuzzerTracePC.h"
+  #include <cassert>
+  #include <chrono>
+  #include <cstring>
+  #include <errno.h>
+  #include <iomanip>
+  #include <signal.h>
+  #include <stdio.h>
+  #include <sys/mman.h>
+  #include <sys/resource.h>
+  #include <sys/syscall.h>
+  #include <sys/time.h>
+  #include <sys/types.h>
+  #include <thread>
+  #include <unistd.h>
+
+namespace fuzzer {
+
+static void AlarmHandler(int, siginfo_t *, void *) {
+
+  Fuzzer::StaticAlarmCallback();
+
+}
+
+static void (*upstream_segv_handler)(int, siginfo_t *, void *);
+
+static void SegvHandler(int sig, siginfo_t *si, void *ucontext) {
+
+  assert(si->si_signo == SIGSEGV);
+  if (upstream_segv_handler) return upstream_segv_handler(sig, si, ucontext);
+  Fuzzer::StaticCrashSignalCallback();
+
+}
+
+static void CrashHandler(int, siginfo_t *, void *) {
+
+  Fuzzer::StaticCrashSignalCallback();
+
+}
+
+static void InterruptHandler(int, siginfo_t *, void *) {
+
+  Fuzzer::StaticInterruptCallback();
+
+}
+
+static void GracefulExitHandler(int, siginfo_t *, void *) {
+
+  Fuzzer::StaticGracefulExitCallback();
+
+}
+
+static void FileSizeExceedHandler(int, siginfo_t *, void *) {
+
+  Fuzzer::StaticFileSizeExceedCallback();
+
+}
+
+static void SetSigaction(int signum,
+                         void (*callback)(int, siginfo_t *, void *)) {
+
+  struct sigaction sigact = {};
+  if (sigaction(signum, nullptr, &sigact)) {
+
+    Printf("libFuzzer: sigaction failed with %d\n", errno);
+    exit(1);
+
+  }
+
+  if (sigact.sa_flags & SA_SIGINFO) {
+
+    if (sigact.sa_sigaction) {
+
+      if (signum != SIGSEGV) return;
+      upstream_segv_handler = sigact.sa_sigaction;
+
+    }
+
+  } else {
+
+    if (sigact.sa_handler != SIG_DFL && sigact.sa_handler != SIG_IGN &&
+        sigact.sa_handler != SIG_ERR)
+      return;
+
+  }
+
+  sigact = {};
+  sigact.sa_flags = SA_SIGINFO;
+  sigact.sa_sigaction = callback;
+  if (sigaction(signum, &sigact, 0)) {
+
+    Printf("libFuzzer: sigaction failed with %d\n", errno);
+    exit(1);
+
+  }
+
+}
+
+// Return true on success, false otherwise.
+bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
+
+  FILE *Pipe = popen(Cmd.toString().c_str(), "r");
+  if (!Pipe) return false;
+
+  if (CmdOutput) {
+
+    char TmpBuffer[128];
+    while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
+      CmdOutput->append(TmpBuffer);
+
+  }
+
+  return pclose(Pipe) == 0;
+
+}
+
+void SetTimer(int Seconds) {
+
+  struct itimerval T {
+
+    {Seconds, 0}, {
+
+      Seconds, 0
+
+    }
+
+  };
+
+  if (setitimer(ITIMER_REAL, &T, nullptr)) {
+
+    Printf("libFuzzer: setitimer failed with %d\n", errno);
+    exit(1);
+
+  }
+
+  SetSigaction(SIGALRM, AlarmHandler);
+
+}
+
+void SetSignalHandler(const FuzzingOptions &Options) {
+
+  // setitimer is not implemented in emscripten.
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN)
+    SetTimer(Options.UnitTimeoutSec / 2 + 1);
+  if (Options.HandleInt) SetSigaction(SIGINT, InterruptHandler);
+  if (Options.HandleTerm) SetSigaction(SIGTERM, InterruptHandler);
+  if (Options.HandleSegv) SetSigaction(SIGSEGV, SegvHandler);
+  if (Options.HandleBus) SetSigaction(SIGBUS, CrashHandler);
+  if (Options.HandleAbrt) SetSigaction(SIGABRT, CrashHandler);
+  if (Options.HandleIll) SetSigaction(SIGILL, CrashHandler);
+  if (Options.HandleFpe) SetSigaction(SIGFPE, CrashHandler);
+  if (Options.HandleXfsz) SetSigaction(SIGXFSZ, FileSizeExceedHandler);
+  if (Options.HandleUsr1) SetSigaction(SIGUSR1, GracefulExitHandler);
+  if (Options.HandleUsr2) SetSigaction(SIGUSR2, GracefulExitHandler);
+
+}
+
+void SleepSeconds(int Seconds) {
+
+  sleep(Seconds);  // Use C API to avoid coverage from instrumented libc++.
+
+}
+
+unsigned long GetPid() {
+
+  return (unsigned long)getpid();
+
+}
+
+size_t GetPeakRSSMb() {
+
+  struct rusage usage;
+  if (getrusage(RUSAGE_SELF, &usage)) return 0;
+  if (LIBFUZZER_LINUX || LIBFUZZER_FREEBSD || LIBFUZZER_NETBSD ||
+      LIBFUZZER_OPENBSD || LIBFUZZER_EMSCRIPTEN) {
+
+    // ru_maxrss is in KiB
+    return usage.ru_maxrss >> 10;
+
+  } else if (LIBFUZZER_APPLE) {
+
+    // ru_maxrss is in bytes
+    return usage.ru_maxrss >> 20;
+
+  }
+
+  assert(0 && "GetPeakRSSMb() is not implemented for your platform");
+  return 0;
+
+}
+
+FILE *OpenProcessPipe(const char *Command, const char *Mode) {
+
+  return popen(Command, Mode);
+
+}
+
+int CloseProcessPipe(FILE *F) {
+
+  return pclose(F);
+
+}
+
+const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
+                         size_t PattLen) {
+
+  return memmem(Data, DataLen, Patt, PattLen);
+
+}
+
+std::string DisassembleCmd(const std::string &FileName) {
+
+  return "objdump -d " + FileName;
+
+}
+
+std::string SearchRegexCmd(const std::string &Regex) {
+
+  return "grep '" + Regex + "'";
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_POSIX
+
--- a/custom_mutators/libfuzzer/FuzzerUtilWindows.cpp
+++ b/custom_mutators/libfuzzer/FuzzerUtilWindows.cpp
@ -0,0 +1,279 @@
+//===- FuzzerUtilWindows.cpp - Misc utils for Windows. --------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// Misc utils implementation for Windows.
+//===----------------------------------------------------------------------===//
+#include "FuzzerPlatform.h"
+#if LIBFUZZER_WINDOWS
+  #include "FuzzerCommand.h"
+  #include "FuzzerIO.h"
+  #include "FuzzerInternal.h"
+  #include <cassert>
+  #include <chrono>
+  #include <cstring>
+  #include <errno.h>
+  #include <io.h>
+  #include <iomanip>
+  #include <signal.h>
+  #include <stdio.h>
+  #include <sys/types.h>
+  #include <windows.h>
+
+  // This must be included after windows.h.
+  #include <psapi.h>
+
+namespace fuzzer {
+
+static const FuzzingOptions *HandlerOpt = nullptr;
+
+static LONG CALLBACK ExceptionHandler(PEXCEPTION_POINTERS ExceptionInfo) {
+
+  switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
+
+    case EXCEPTION_ACCESS_VIOLATION:
+    case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:
+    case EXCEPTION_STACK_OVERFLOW:
+      if (HandlerOpt->HandleSegv) Fuzzer::StaticCrashSignalCallback();
+      break;
+    case EXCEPTION_DATATYPE_MISALIGNMENT:
+    case EXCEPTION_IN_PAGE_ERROR:
+      if (HandlerOpt->HandleBus) Fuzzer::StaticCrashSignalCallback();
+      break;
+    case EXCEPTION_ILLEGAL_INSTRUCTION:
+    case EXCEPTION_PRIV_INSTRUCTION:
+      if (HandlerOpt->HandleIll) Fuzzer::StaticCrashSignalCallback();
+      break;
+    case EXCEPTION_FLT_DENORMAL_OPERAND:
+    case EXCEPTION_FLT_DIVIDE_BY_ZERO:
+    case EXCEPTION_FLT_INEXACT_RESULT:
+    case EXCEPTION_FLT_INVALID_OPERATION:
+    case EXCEPTION_FLT_OVERFLOW:
+    case EXCEPTION_FLT_STACK_CHECK:
+    case EXCEPTION_FLT_UNDERFLOW:
+    case EXCEPTION_INT_DIVIDE_BY_ZERO:
+    case EXCEPTION_INT_OVERFLOW:
+      if (HandlerOpt->HandleFpe) Fuzzer::StaticCrashSignalCallback();
+      break;
+      // TODO: handle (Options.HandleXfsz)
+
+  }
+
+  return EXCEPTION_CONTINUE_SEARCH;
+
+}
+
+BOOL WINAPI CtrlHandler(DWORD dwCtrlType) {
+
+  switch (dwCtrlType) {
+
+    case CTRL_C_EVENT:
+      if (HandlerOpt->HandleInt) Fuzzer::StaticInterruptCallback();
+      return TRUE;
+    case CTRL_BREAK_EVENT:
+      if (HandlerOpt->HandleTerm) Fuzzer::StaticInterruptCallback();
+      return TRUE;
+
+  }
+
+  return FALSE;
+
+}
+
+void CALLBACK AlarmHandler(PVOID, BOOLEAN) {
+
+  Fuzzer::StaticAlarmCallback();
+
+}
+
+class TimerQ {
+
+  HANDLE TimerQueue;
+
+ public:
+  TimerQ() : TimerQueue(NULL) {
+
+  }
+
+  ~TimerQ() {
+
+    if (TimerQueue) DeleteTimerQueueEx(TimerQueue, NULL);
+
+  }
+
+  void SetTimer(int Seconds) {
+
+    if (!TimerQueue) {
+
+      TimerQueue = CreateTimerQueue();
+      if (!TimerQueue) {
+
+        Printf("libFuzzer: CreateTimerQueue failed.\n");
+        exit(1);
+
+      }
+
+    }
+
+    HANDLE Timer;
+    if (!CreateTimerQueueTimer(&Timer, TimerQueue, AlarmHandler, NULL,
+                               Seconds * 1000, Seconds * 1000, 0)) {
+
+      Printf("libFuzzer: CreateTimerQueueTimer failed.\n");
+      exit(1);
+
+    }
+
+  }
+
+};
+
+static TimerQ Timer;
+
+static void CrashHandler(int) {
+
+  Fuzzer::StaticCrashSignalCallback();
+
+}
+
+void SetSignalHandler(const FuzzingOptions &Options) {
+
+  HandlerOpt = &Options;
+
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0)
+    Timer.SetTimer(Options.UnitTimeoutSec / 2 + 1);
+
+  if (Options.HandleInt || Options.HandleTerm)
+    if (!SetConsoleCtrlHandler(CtrlHandler, TRUE)) {
+
+      DWORD LastError = GetLastError();
+      Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
+             LastError);
+      exit(1);
+
+    }
+
+  if (Options.HandleSegv || Options.HandleBus || Options.HandleIll ||
+      Options.HandleFpe)
+    SetUnhandledExceptionFilter(ExceptionHandler);
+
+  if (Options.HandleAbrt)
+    if (SIG_ERR == signal(SIGABRT, CrashHandler)) {
+
+      Printf("libFuzzer: signal failed with %d\n", errno);
+      exit(1);
+
+    }
+
+}
+
+void SleepSeconds(int Seconds) {
+
+  Sleep(Seconds * 1000);
+
+}
+
+unsigned long GetPid() {
+
+  return GetCurrentProcessId();
+
+}
+
+size_t GetPeakRSSMb() {
+
+  PROCESS_MEMORY_COUNTERS info;
+  if (!GetProcessMemoryInfo(GetCurrentProcess(), &info, sizeof(info))) return 0;
+  return info.PeakWorkingSetSize >> 20;
+
+}
+
+FILE *OpenProcessPipe(const char *Command, const char *Mode) {
+
+  return _popen(Command, Mode);
+
+}
+
+int CloseProcessPipe(FILE *F) {
+
+  return _pclose(F);
+
+}
+
+int ExecuteCommand(const Command &Cmd) {
+
+  std::string CmdLine = Cmd.toString();
+  return system(CmdLine.c_str());
+
+}
+
+bool ExecuteCommand(const Command &Cmd, std::string *CmdOutput) {
+
+  FILE *Pipe = _popen(Cmd.toString().c_str(), "r");
+  if (!Pipe) return false;
+
+  if (CmdOutput) {
+
+    char TmpBuffer[128];
+    while (fgets(TmpBuffer, sizeof(TmpBuffer), Pipe))
+      CmdOutput->append(TmpBuffer);
+
+  }
+
+  return _pclose(Pipe) == 0;
+
+}
+
+const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
+                         size_t PattLen) {
+
+  // TODO: make this implementation more efficient.
+  const char *Cdata = (const char *)Data;
+  const char *Cpatt = (const char *)Patt;
+
+  if (!Data || !Patt || DataLen == 0 || PattLen == 0 || DataLen < PattLen)
+    return NULL;
+
+  if (PattLen == 1) return memchr(Data, *Cpatt, DataLen);
+
+  const char *End = Cdata + DataLen - PattLen + 1;
+
+  for (const char *It = Cdata; It < End; ++It)
+    if (It[0] == Cpatt[0] && memcmp(It, Cpatt, PattLen) == 0) return It;
+
+  return NULL;
+
+}
+
+std::string DisassembleCmd(const std::string &FileName) {
+
+  Vector<std::string> command_vector;
+  command_vector.push_back("dumpbin /summary > nul");
+  if (ExecuteCommand(Command(command_vector)) == 0)
+    return "dumpbin /disasm " + FileName;
+  Printf("libFuzzer: couldn't find tool to disassemble (dumpbin)\n");
+  exit(1);
+
+}
+
+std::string SearchRegexCmd(const std::string &Regex) {
+
+  return "findstr /r \"" + Regex + "\"";
+
+}
+
+void DiscardOutput(int Fd) {
+
+  FILE *Temp = fopen("nul", "w");
+  if (!Temp) return;
+  _dup2(_fileno(Temp), Fd);
+  fclose(Temp);
+
+}
+
+}  // namespace fuzzer
+
+#endif  // LIBFUZZER_WINDOWS
+
--- a/custom_mutators/libfuzzer/FuzzerValueBitMap.h
+++ b/custom_mutators/libfuzzer/FuzzerValueBitMap.h
@ -0,0 +1,73 @@
+//===- FuzzerValueBitMap.h - INTERNAL - Bit map -----------------*- C++ -* ===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+// ValueBitMap.
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_FUZZER_VALUE_BIT_MAP_H
+#define LLVM_FUZZER_VALUE_BIT_MAP_H
+
+#include "FuzzerPlatform.h"
+#include <cstdint>
+
+namespace fuzzer {
+
+// A bit map containing kMapSizeInWords bits.
+struct ValueBitMap {
+  static const size_t kMapSizeInBits = 1 << 16;
+  static const size_t kMapPrimeMod = 65371;  // Largest Prime < kMapSizeInBits;
+  static const size_t kBitsInWord = (sizeof(uintptr_t) * 8);
+  static const size_t kMapSizeInWords = kMapSizeInBits / kBitsInWord;
+ public:
+
+  // Clears all bits.
+  void Reset() { memset(Map, 0, sizeof(Map)); }
+
+  // Computes a hash function of Value and sets the corresponding bit.
+  // Returns true if the bit was changed from 0 to 1.
+  ATTRIBUTE_NO_SANITIZE_ALL
+  inline bool AddValue(uintptr_t Value) {
+    uintptr_t Idx = Value % kMapSizeInBits;
+    uintptr_t WordIdx = Idx / kBitsInWord;
+    uintptr_t BitIdx = Idx % kBitsInWord;
+    uintptr_t Old = Map[WordIdx];
+    uintptr_t New = Old | (1ULL << BitIdx);
+    Map[WordIdx] = New;
+    return New != Old;
+  }
+
+  ATTRIBUTE_NO_SANITIZE_ALL
+  inline bool AddValueModPrime(uintptr_t Value) {
+    return AddValue(Value % kMapPrimeMod);
+  }
+
+  inline bool Get(uintptr_t Idx) {
+    assert(Idx < kMapSizeInBits);
+    uintptr_t WordIdx = Idx / kBitsInWord;
+    uintptr_t BitIdx = Idx % kBitsInWord;
+    return Map[WordIdx] & (1ULL << BitIdx);
+  }
+
+  size_t SizeInBits() const { return kMapSizeInBits; }
+
+  template <class Callback>
+  ATTRIBUTE_NO_SANITIZE_ALL
+  void ForEach(Callback CB) const {
+    for (size_t i = 0; i < kMapSizeInWords; i++)
+      if (uintptr_t M = Map[i])
+        for (size_t j = 0; j < sizeof(M) * 8; j++)
+          if (M & ((uintptr_t)1 << j))
+            CB(i * sizeof(M) * 8 + j);
+  }
+
+ private:
+  ATTRIBUTE_ALIGNED(512) uintptr_t Map[kMapSizeInWords];
+};
+
+}  // namespace fuzzer
+
+#endif  // LLVM_FUZZER_VALUE_BIT_MAP_H
--- a/custom_mutators/libfuzzer/Makefile
+++ b/custom_mutators/libfuzzer/Makefile
@ -0,0 +1,86 @@
+
+CFLAGS = -g -O3 -funroll-loops -fPIC -fpermissive -std=c++11
+#CFLAGS = -g -O0 -fPIC -fpermissive -std=c++11
+CXX ?= clang++
+
+ifdef INTROSPECTION
+  $(info Compiling with introspection documentation)
+  CFLAGS += -DINTROSPECTION=1
+endif
+
+all: libfuzzer-mutator.so
+
+FuzzerCrossOver.o:	FuzzerCrossOver.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerDataFlowTrace.o:	FuzzerDataFlowTrace.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerDriver.o:	FuzzerDriver.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerExtFunctionsDlsym.o:	FuzzerExtFunctionsDlsym.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerExtFunctionsWeak.o:	FuzzerExtFunctionsWeak.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerExtFunctionsWindows.o:	FuzzerExtFunctionsWindows.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerExtraCounters.o:	FuzzerExtraCounters.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerFork.o:	FuzzerFork.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerIO.o:	FuzzerIO.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerIOPosix.o:	FuzzerIOPosix.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerIOWindows.o:	FuzzerIOWindows.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerLoop.o:	FuzzerLoop.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerMerge.o:	FuzzerMerge.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerMutate.o:	FuzzerMutate.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerSHA1.o:	FuzzerSHA1.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerTracePC.o:	FuzzerTracePC.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtil.o:	FuzzerUtil.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtilDarwin.o:	FuzzerUtilDarwin.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtilFuchsia.o:	FuzzerUtilFuchsia.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtilLinux.o:	FuzzerUtilLinux.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtilPosix.o:	FuzzerUtilPosix.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+FuzzerUtilWindows.o:	FuzzerUtilWindows.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+libfuzzer.o:	libfuzzer.cpp
+	$(CXX) $(CFLAGS) -I../../include -I. -c $^
+
+libfuzzer-mutator.so:	FuzzerCrossOver.o FuzzerDataFlowTrace.o FuzzerDriver.o FuzzerExtFunctionsDlsym.o FuzzerExtFunctionsWeak.o FuzzerExtFunctionsWindows.o FuzzerExtraCounters.o FuzzerFork.o FuzzerIO.o FuzzerIOPosix.o FuzzerIOWindows.o FuzzerLoop.o FuzzerMerge.o FuzzerMutate.o FuzzerSHA1.o FuzzerTracePC.o FuzzerUtil.o FuzzerUtilDarwin.o FuzzerUtilFuchsia.o FuzzerUtilLinux.o FuzzerUtilPosix.o FuzzerUtilWindows.o libfuzzer.o
+	$(CXX) $(CFLAGS) -I../../include -I. -shared -o libfuzzer-mutator.so *.o
+
+clean:
+	rm -f *.o *~ *.so core
--- a/custom_mutators/libfuzzer/README.md
+++ b/custom_mutators/libfuzzer/README.md
@ -0,0 +1,24 @@
+# custum mutator: libfuzzer LLVMFuzzerMutate()
+
+This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.
+
+just type `make` to build
+
+```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/libfuzzer/libfuzzer-mutator.so afl-fuzz ...```
+
+Note that this is currently a simple implementation and it is missing two features:
+  * Splicing ("Crossover")
+  * Dictionary support
+
+To update the source, all that is needed is that FuzzerDriver.cpp has to receive
+```
+#include "libfuzzer.inc"
+```
+before the closing namespace bracket.
+
+It is also libfuzzer.inc where the configuration of the libfuzzer mutations
+are done.
+
+> Original repository: https://github.com/llvm/llvm-project
+> Path: compiler-rt/lib/fuzzer/*.{h|cpp}
+> Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb
--- a/custom_mutators/libfuzzer/libfuzzer.cpp
+++ b/custom_mutators/libfuzzer/libfuzzer.cpp
@ -0,0 +1,160 @@
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+//#include "config.h"
+//#include "debug.h"
+#include "afl-fuzz.h"
+
+#ifdef  INTROSPECTION
+  const char *introspection_ptr;
+#endif
+
+afl_state_t *afl_struct;
+
+extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
+extern "C" int    LLVMFuzzerRunDriver(int *argc, char ***argv,
+                                      int (*UserCb)(const uint8_t *Data,
+                                                 size_t         Size));
+extern "C" void   LLVMFuzzerMyInit(int (*UserCb)(const uint8_t *Data,
+                                               size_t         Size),
+                                   unsigned int Seed);
+
+typedef struct my_mutator {
+
+  afl_state_t *afl;
+  u8 *         mutator_buf;
+  unsigned int seed;
+  unsigned int extras_cnt, a_extras_cnt;
+
+} my_mutator_t;
+
+extern "C" int dummy(const uint8_t *Data, size_t Size) {
+
+  (void)(Data);
+  (void)(Size);
+  fprintf(stderr, "dummy() called\n");
+  return 0;
+
+}
+
+extern "C" my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = (my_mutator_t *)calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  if ((data->mutator_buf = (u8 *)malloc(MAX_FILE)) == NULL) {
+
+    free(data);
+    perror("mutator_buf alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+  data->seed = seed;
+  afl_struct = afl;
+
+  /*
+    char **argv;
+    argv = (char**)malloc(sizeof(size_t) * 2);
+    argv[0] = (char*)"foo";
+    argv[1] = NULL;
+    int eins = 1;
+    LLVMFuzzerRunDriver(&eins, &argv, dummy);
+  */
+
+  LLVMFuzzerMyInit(dummy, seed);
+
+  return data;
+
+}
+
+/* When a new queue entry is added we check if there are new dictionary
+   entries to add to honggfuzz structure */
+#if 0
+extern "C" void afl_custom_queue_new_entry(my_mutator_t * data,
+                                           const uint8_t *filename_new_queue,
+                                           const uint8_t *filename_orig_queue) {
+
+  while (data->extras_cnt < afl_struct->extras_cnt) {
+
+    /*
+        memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+               afl_struct->extras[data->extras_cnt].data,
+               afl_struct->extras[data->extras_cnt].len);
+        run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+            afl_struct->extras[data->extras_cnt].len;
+        run.global->mutate.dictionaryCnt++;
+    */
+    data->extras_cnt++;
+
+  }
+
+  while (data->a_extras_cnt < afl_struct->a_extras_cnt) {
+
+    /*
+        memcpy(run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].val,
+               afl_struct->a_extras[data->a_extras_cnt].data,
+               afl_struct->a_extras[data->a_extras_cnt].len);
+        run.global->mutate.dictionary[run.global->mutate.dictionaryCnt].len =
+            afl_struct->a_extras[data->a_extras_cnt].len;
+        run.global->mutate.dictionaryCnt++;
+        data->a_extras_cnt++;
+    */
+
+  }
+
+}
+
+#endif
+/* we could set only_printable if is_ascii is set ... let's see
+uint8_t afl_custom_queue_get(void *data, const uint8_t *filename) {
+
+  //run.global->cfg.only_printable = ...
+
+}
+
+*/
+
+/* here we run the honggfuzz mutator, which is really good */
+
+extern "C" size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf,
+                                  size_t buf_size, u8 **out_buf,
+                                  uint8_t *add_buf, size_t add_buf_size,
+                                  size_t max_size) {
+
+  memcpy(data->mutator_buf, buf, buf_size);
+  size_t ret = LLVMFuzzerMutate(data->mutator_buf, buf_size, max_size);
+
+  /* return size of mutated data */
+  *out_buf = data->mutator_buf;
+  return ret;
+
+}
+
+#ifdef  INTROSPECTION
+extern "C" const char* afl_custom_introspection(my_mutator_t *data) {
+
+  return introspection_ptr;
+
+}
+#endif
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+extern "C" void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->mutator_buf);
+  free(data);
+
+}
+
--- a/custom_mutators/libfuzzer/libfuzzer.inc
+++ b/custom_mutators/libfuzzer/libfuzzer.inc
@ -0,0 +1,36 @@
+
+
+extern "C" ATTRIBUTE_INTERFACE void
+LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
+  Random Rand(Seed);
+  FuzzingOptions Options;
+  Options.Verbosity = 3;
+  Options.MaxLen = 1024000;
+  Options.LenControl = true;
+  Options.DoCrossOver = false;
+  Options.MutateDepth = 6;
+  Options.UseCounters = false;
+  Options.UseMemmem = false;
+  Options.UseCmp = false;
+  Options.UseValueProfile = false;
+  Options.Shrink = false;
+  Options.ReduceInputs = false;
+  Options.PreferSmall = false;
+  Options.ReloadIntervalSec = 0;
+  Options.OnlyASCII = false;
+  Options.DetectLeaks = false;
+  Options.PurgeAllocatorIntervalSec = 0;
+  Options.TraceMalloc = false;
+  Options.RssLimitMb = 100;
+  Options.MallocLimitMb = 100;
+  Options.MaxNumberOfRuns = 0;
+  Options.ReportSlowUnits = false;
+  Options.Entropic = false;
+  
+  struct EntropicOptions Entropic;
+  Entropic.Enabled = Options.Entropic;
+  EF = new ExternalFunctions();
+  auto *MD = new MutationDispatcher(Rand, Options);
+  auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
+  auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
+}
--- a/custom_mutators/libprotobuf-mutator-example/Android.bp
+++ b/custom_mutators/libprotobuf-mutator-example/Android.bp
@ -0,0 +1,32 @@
+cc_library_shared {
+  name: "libprotobuf-mutator-example-afl",
+  vendor_available: true,
+  host_supported: true,
+
+  cflags: [
+    "-g",
+    "-O0",
+    "-fPIC",
+    "-Wall",
+  ],
+
+  srcs: [
+    "lpm_aflpp_custom_mutator_input.cc",
+    "test.proto",
+  ],
+
+  shared_libs: [
+    "libprotobuf-cpp-full",
+    "libprotobuf-mutator",
+  ],
+}
+
+cc_binary {
+  name: "libprotobuf-mutator-vuln",
+  vendor_available: true,
+  host_supported: true,
+
+  srcs: [
+    "vuln.c",
+  ],
+}
--- a/custom_mutators/libprotobuf-mutator-example/README.md
+++ b/custom_mutators/libprotobuf-mutator-example/README.md
@ -0,0 +1 @@
+Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
@ -0,0 +1,118 @@
+#include "lpm_aflpp_custom_mutator_input.h"
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+using std::cin;
+using std::cout;
+using std::endl;
+
+std::string ProtoToData(const TEST &test_proto) {
+    std::stringstream all;
+    const auto &aa = test_proto.a();
+    const auto &bb = test_proto.b();
+    all.write((const char*)&aa, sizeof(aa));
+    if(bb.size() != 0) {
+        all.write(bb.c_str(), bb.size());
+    }
+
+    std::string res = all.str();
+    if (bb.size() != 0 && res.size() != 0) {
+        // set PROTO_FUZZER_DUMP_PATH env to dump the serialized protobuf
+        if (const char *dump_path = getenv("PROTO_FUZZER_DUMP_PATH")) {
+            std::ofstream of(dump_path);
+            of.write(res.data(), res.size());
+        }
+    }
+    return res;
+}
+
+/**
+ * Initialize this custom mutator
+ *
+ * @param[in] afl a pointer to the internal state object. Can be ignored for
+ * now.
+ * @param[in] seed A seed for this mutator - the same seed should always mutate
+ * in the same way.
+ * @return Pointer to the data object this custom mutator instance should use.
+ *         There may be multiple instances of this mutator in one afl-fuzz run!
+ *         Return NULL on error.
+ */
+extern "C" MyMutator *afl_custom_init(void *afl, unsigned int seed) {
+    MyMutator *mutator = new MyMutator();
+    
+    mutator->RegisterPostProcessor(
+        TEST::descriptor(),
+        [](google::protobuf::Message* message, unsigned int seed) {
+            // libprotobuf-mutator's built-in mutator is kind of....crappy :P
+            // Even a dumb fuzz like `TEST.a = rand();` is better in this case... Q_Q
+            // We register a post processor to apply our dumb fuzz
+            
+            TEST *t = static_cast<TEST *>(message);
+            t->set_a(rand());
+        });
+
+    srand(seed);
+    return mutator;
+}
+
+/**
+ * Perform custom mutations on a given input
+ *
+ * @param[in] data pointer returned in afl_custom_init for this fuzz case
+ * @param[in] buf Pointer to input data to be mutated
+ * @param[in] buf_size Size of input data
+ * @param[out] out_buf the buffer we will work on. we can reuse *buf. NULL on
+ * error.
+ * @param[in] add_buf Buffer containing the additional test case
+ * @param[in] add_buf_size Size of the additional test case
+ * @param[in] max_size Maximum size of the mutated output. The mutation must not
+ *     produce data larger than max_size.
+ * @return Size of the mutated output.
+ */
+extern "C" size_t afl_custom_fuzz(MyMutator *mutator, // return value from afl_custom_init
+                       uint8_t *buf, size_t buf_size, // input data to be mutated
+                       uint8_t **out_buf, // output buffer
+                       uint8_t *add_buf, size_t add_buf_size,  // add_buf can be NULL
+                       size_t max_size) {
+    // This function can be named either "afl_custom_fuzz" or "afl_custom_mutator"
+    // A simple test shows that "buf" will be the content of the current test case
+    // "add_buf" will be the next test case ( from AFL++'s input queue )
+    
+    TEST input;
+    // parse input data to TEST
+    // Notice that input data should be a serialized protobuf data
+    // Check ./in/ii and test_protobuf_serializer for more detail
+    bool parse_ok = input.ParseFromArray(buf, buf_size);
+    if(!parse_ok) {
+        // Invalid serialize protobuf data. Don't mutate.
+        // Return a dummy buffer. Also mutated_size = 0
+        static uint8_t *dummy = new uint8_t[10]; // dummy buffer with no data
+        *out_buf = dummy;
+        return 0;
+    }
+    // mutate the protobuf
+    mutator->Mutate(&input, max_size);
+    
+    // Convert protobuf to raw data
+    const TEST *p = &input;
+    std::string s = ProtoToData(*p);
+    // Copy to a new buffer ( mutated_out )
+    size_t mutated_size = s.size() <= max_size ? s.size() : max_size; // check if raw data's size is larger than max_size
+    uint8_t *mutated_out = new uint8_t[mutated_size+1];
+    memcpy(mutated_out, s.c_str(), mutated_size); // copy the mutated data
+    // Assign the mutated data and return mutated_size
+    *out_buf = mutated_out;
+    return mutated_size;
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+extern "C" void afl_custom_deinit(void *data) {
+    // Honestly I don't know what to do with this...
+    return;
+}
+
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
@ -0,0 +1,5 @@
+#include <src/mutator.h>
+#include "test.pb.h"
+
+class MyMutator : public protobuf_mutator::Mutator {
+};
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`Ported from [https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input](https://github.com/bruce30262/libprotobuf-mutator_fuzzing_learning/tree/master/5_libprotobuf_aflpp_custom_mutator_input)`