Merge pull request #1610 from AFLplusplus/dev

push to stable
rust custom mutator: mark external fns unsafe
2025-06-24 14:43:22 +00:00 · 2023-01-05 13:51:20 +01:00 · 2023-01-05 12:25:02 +00:00 · 2023-01-05 12:15:54 +00:00 · 2023-01-05 12:12:01 +00:00 · 2023-01-05 11:49:58 +00:00
227 changed files with 6035 additions and 2659 deletions
--- a/.custom-format.py
+++ b/.custom-format.py
@ -3,10 +3,10 @@
 # american fuzzy lop++ - custom code formatter
 # --------------------------------------------
 #
-# Written and maintaned by Andrea Fioraldi <andreafioraldi@gmail.com>
+# Written and maintained by Andrea Fioraldi <andreafioraldi@gmail.com>
 #
 # Copyright 2015, 2016, 2017 Google Inc. All rights reserved.
-# Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2023 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -18,41 +18,56 @@
 import subprocess
 import sys
 import os
-import re
+# import re # TODO: for future use
+import shutil
+import importlib.metadata
+
+# string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use
+
+CURRENT_LLVM = os.getenv('LLVM_VERSION', 14)
+CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")
+
+
+def check_clang_format_pip_version():
+    """
+    Check if the correct version of clang-format is installed via pip.
+
+    Returns:
+        bool: True if the correct version of clang-format is installed,
+        False otherwise.
+    """
+    # Check if clang-format is installed
+    if importlib.util.find_spec('clang_format'):
+        # Check if the installed version is the expected LLVM version
+        if importlib.metadata.version('clang-format')\
+                .startswith(CURRENT_LLVM+'.'):
+            return True
+        else:
+            # Return False, because the clang-format version does not match
+            return False
+    else:
+        # If the 'clang_format' package isn't installed, return False
+        return False

-# string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # future use

 with open(".clang-format") as f:
    fmt = f.read()

-CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN")
-if CLANG_FORMAT_BIN is None:
-    o = 0
-    try:
-        p = subprocess.Popen(["clang-format-11", "--version"], stdout=subprocess.PIPE)
-        o, _ = p.communicate()
-        o = str(o, "utf-8")
-        o = re.sub(r".*ersion ", "", o)
-        # o = o[len("clang-format version "):].strip()
-        o = o[: o.find(".")]
-        o = int(o)
-    except:
-        print("clang-format-11 is needed. Aborted.")
-        exit(1)
-    # if o < 7:
-    #    if subprocess.call(['which', 'clang-format-7'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-7'
-    #    elif subprocess.call(['which', 'clang-format-8'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-8'
-    #    elif subprocess.call(['which', 'clang-format-9'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-9'
-    #    elif subprocess.call(['which', 'clang-format-11'], stdout=subprocess.PIPE) == 0:
-    #        CLANG_FORMAT_BIN = 'clang-format-11'
-    #    else:
-    #        print ("clang-format 7 or above is needed. Aborted.")
-    #        exit(1)
-    else:
-        CLANG_FORMAT_BIN = "clang-format-11"
+
+CLANG_FORMAT_PIP = check_clang_format_pip_version()
+
+if shutil.which(CLANG_FORMAT_BIN) is None:
+    CLANG_FORMAT_BIN = f"clang-format-{CURRENT_LLVM}"
+
+if shutil.which(CLANG_FORMAT_BIN) is None \
+        and CLANG_FORMAT_PIP is False:
+    print(f"[!] clang-format-{CURRENT_LLVM} is needed. Aborted.")
+    print(f"Run `pip3 install \"clang-format=={CURRENT_LLVM}.*\"` \
+to install via pip.")
+    exit(1)
+
+if CLANG_FORMAT_PIP:
+    CLANG_FORMAT_BIN = shutil.which("clang-format")

 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):
@ -72,43 +87,43 @@ def custom_format(filename):

    for line in src.split("\n"):
        if line.lstrip().startswith("#"):
-            if line[line.find("#") + 1 :].lstrip().startswith("define"):
+            if line[line.find("#") + 1:].lstrip().startswith("define"):
                in_define = True

        if (
-            "/*" in line
-            and not line.strip().startswith("/*")
-            and line.endswith("*/")
-            and len(line) < (COLUMN_LIMIT - 2)
+                "/*" in line
+                and not line.strip().startswith("/*")
+                and line.endswith("*/")
+                and len(line) < (COLUMN_LIMIT - 2)
        ):
            cmt_start = line.rfind("/*")
            line = (
-                line[:cmt_start]
-                + " " * (COLUMN_LIMIT - 2 - len(line))
-                + line[cmt_start:]
+                    line[:cmt_start]
+                    + " " * (COLUMN_LIMIT - 2 - len(line))
+                    + line[cmt_start:]
            )

        define_padding = 0
        if last_line is not None and in_define and last_line.endswith("\\"):
            last_line = last_line[:-1]
-            define_padding = max(0, len(last_line[last_line.rfind("\n") + 1 :]))
+            define_padding = max(0, len(last_line[last_line.rfind("\n") + 1:]))

        if (
-            last_line is not None
-            and last_line.strip().endswith("{")
-            and line.strip() != ""
+                last_line is not None
+                and last_line.strip().endswith("{")
+                and line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
        elif (
-            last_line is not None
-            and last_line.strip().startswith("}")
-            and line.strip() != ""
+                last_line is not None
+                and last_line.strip().startswith("}")
+                and line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
        elif (
-            line.strip().startswith("}")
-            and last_line is not None
-            and last_line.strip() != ""
+                line.strip().startswith("}")
+                and last_line is not None
+                and last_line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line

--- a/.dockerignore
+++ b/.dockerignore
@ -1,65 +1,75 @@
+!/coresight_mode
+*.dSYM
+*.o
+*.pyc
+*.so
+.sync_tmp
 .test
 .test2
-.sync_tmp
-*.o
-*.so
-*.pyc
-*.dSYM
-as
-ld
-in
-out
-core*
+.git
+.dockerignore
+.github
+CITATION.cff
+CONTRIBUTING.md
+Changelog.md
+Dockerfile
+LICENSE
+TODO.md
 afl-analyze
-afl-as
-afl-clang
-afl-clang\+\+
-afl-clang-fast
-afl-clang-fast\+\+
-afl-clang-lto
-afl-clang-lto\+\+
-afl-fuzz
-afl-g\+\+
-afl-gcc
-afl-gcc-fast
-afl-g\+\+-fast
-afl-gotcpu
-afl-ld
-afl-ld-lto
-afl-qemu-trace
-afl-showmap
-afl-tmin
 afl-analyze.8
+afl-as
 afl-as.8
-afl-clang-fast\+\+.8
+afl-clang
+afl-clang-fast
 afl-clang-fast.8
+afl-clang-fast\+\+
+afl-clang-fast\+\+.8
+afl-clang-lto
 afl-clang-lto.8
+afl-clang-lto\+\+
 afl-clang-lto\+\+.8
+afl-clang\+\+
 afl-cmin.8
 afl-cmin.bash.8
+afl-fuzz
 afl-fuzz.8
-afl-gcc.8
-afl-gcc-fast.8
+afl-g\+\+
+afl-g\+\+-fast
 afl-g\+\+-fast.8
+afl-gcc
+afl-gcc-fast
+afl-gcc-fast.8
+afl-gcc.8
+afl-gotcpu
 afl-gotcpu.8
+afl-ld
+afl-ld-lto
 afl-plot.8
+afl-qemu-trace
+afl-showmap
 afl-showmap.8
 afl-system-config.8
+afl-tmin
 afl-tmin.8
 afl-whatsup.8
+as
+core*
+examples/afl_frida/afl-frida
+examples/afl_frida/frida-gum-example.c
+examples/afl_frida/frida-gum.h
+examples/afl_frida/libtestinstr.so
+examples/afl_network_proxy/afl-network-client
+examples/afl_network_proxy/afl-network-server
+in
+ld
+out
 qemu_mode/libcompcov/compcovtest
 qemu_mode/qemu-*
+test/unittests/unit_hash
+test/unittests/unit_list
+test/unittests/unit_maybe_alloc
+test/unittests/unit_preallocable
+test/unittests/unit_rand
 unicorn_mode/samples/*/\.test-*
 unicorn_mode/samples/*/output
 unicorn_mode/unicornafl
-test/unittests/unit_maybe_alloc
-test/unittests/unit_preallocable
-test/unittests/unit_list
-test/unittests/unit_rand
-test/unittests/unit_hash
-examples/afl_network_proxy/afl-network-server
-examples/afl_network_proxy/afl-network-client
-examples/afl_frida/afl-frida
-examples/afl_frida/libtestinstr.so
-examples/afl_frida/frida-gum-example.c
-examples/afl_frida/frida-gum.h
--- a/.github/workflows/build_aflplusplus_docker.yaml
+++ b/.github/workflows/build_aflplusplus_docker.yaml
@ -1,49 +0,0 @@
-name: Publish Docker Images
-
-on:
-  push:
-    branches:
-      - stable
-      - dev
-    tags:
-      - '*'
-
-jobs:
-  push_to_registry:
-    name: Push Docker images to Dockerhub
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Login to Dockerhub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Publish dev as dev to docker.io registry
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: aflplusplus/aflplusplus:${{ github.ref_name }}
-        if: ${{ github.ref_name == 'dev' }}
-      - name: Publish stable as stable and latest to docker.io registry
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: aflplusplus/aflplusplus:${{ github.ref_name }},aflplusplus/aflplusplus:latest
-        if: ${{ github.ref_name == 'stable' }}
-      - name: Publish tagged release to docker.io registry
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: aflplusplus/aflplusplus:${{ github.ref_name }}
-        if: ${{ github.ref_type == 'tag' }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -2,13 +2,16 @@ name: CI

 on:
  push:
-    branches: [ stable, dev ]
+    branches:
+      - stable
+      - dev
  pull_request:
-    branches: [ stable, dev ]
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push

 jobs:
  linux:
-    runs-on: '${{ matrix.os }}'
+    runs-on: "${{ matrix.os }}"
    strategy:
      matrix:
        os: [ubuntu-22.04, ubuntu-20.04, ubuntu-18.04]
@ -16,7 +19,7 @@ jobs:
      AFL_SKIP_CPUFREQ: 1
      AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: debug
        run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format-
      - name: update
@ -38,9 +41,9 @@ jobs:
      AFL_SKIP_CPUFREQ: 1
      AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: install
-        run: brew install make gcc
+        run: brew install make gcc llvm
      - name: fix install
        run: cd /usr/local/bin; ln -s gcc-11 gcc; ln -s g++-11 g++; which gcc; gcc -v
      - name: build
--- a/.github/workflows/code-format.yml
+++ b/.github/workflows/code-format.yml
@ -0,0 +1,33 @@
+name: Formatting
+
+on:
+  push:
+    branches:
+      - stable
+      - dev
+  pull_request:
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push
+
+jobs:
+  code-format-check:
+    name: Check code format
+    if: ${{ 'false' == 'true' }} # Disable the job
+    runs-on: ubuntu-22.04
+    container: docker.io/aflplusplus/aflplusplus:dev
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Format
+        run: |
+          git config --global --add safe.directory /__w/AFLplusplus/AFLplusplus
+          apt-get update
+          apt-get install -y clang-format-${LLVM_VERSION}
+          make code-format
+      - name: Check if code needed formatting
+        run: |
+          git --no-pager -c color.ui=always diff HEAD
+          if ! git diff HEAD --quiet; then
+            echo "[!] Please run 'make code-format' and push its changes."
+            exit 1
+          fi
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,31 +2,32 @@ name: "CodeQL"

 on:
  push:
-    branches: [ stable, dev ]
+    branches:
+      - stable
+      - dev
  pull_request:
-    branches: [ stable, dev ]
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push

 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
+    container: # We use a previous image as it's expected to have all the dependencies
+      image: docker.io/aflplusplus/aflplusplus:dev
    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Fix for using external repo in container build # https://github.com/actions/checkout/issues/760
+        run: git config --global --add safe.directory /__w/AFLplusplus/AFLplusplus
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: cpp, python
+      - name: Build AFLplusplus # Rebuild because CodeQL needs to monitor the build process
+        env:
+          CC: gcc # These are symlinked to the version used in the container build
+          CXX: g++
+        run: make -i all # Best effort using -i
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@ -0,0 +1,75 @@
+name: Container
+on:
+  push:
+    branches:
+      - stable
+      - dev
+    tags:
+      - "*"
+  pull_request:
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push
+
+jobs:
+  build-and-test-amd64:
+    name: Test amd64 image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build amd64
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          tags: aflplusplus:test-amd64
+          load: true
+          cache-to: type=gha,mode=max
+          build-args: |
+            TEST_BUILD=1
+      - name: Test amd64
+        run: >
+          docker run --rm aflplusplus:test-amd64 bash -c "
+          apt-get update && 
+          apt-get install -y libcmocka-dev && 
+          make -i tests
+          "
+
+  push:
+    name: Push amd64 and arm64 images
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-test-amd64
+    if: ${{ github.event_name == 'push' && github.repository == 'AFLplusplus/AFLplusplus' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: arm64
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to docker.io
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Set tags to push
+        id: push-tags
+        run: |
+          PUSH_TAGS=docker.io/aflplusplus/aflplusplus:${GITHUB_REF_NAME}
+          if [ "${GITHUB_REF_NAME}" = "stable" ]; then
+            PUSH_TAGS=${PUSH_TAGS},docker.io/aflplusplus/aflplusplus:latest
+          fi
+          export PUSH_TAGS
+          echo "::set-output name=PUSH_TAGS::${PUSH_TAGS}"
+      - name: Push to docker.io registry
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.push-tags.outputs.PUSH_TAGS }}
+          cache-from: type=gha
--- a/.github/workflows/rust_custom_mutator.yml
+++ b/.github/workflows/rust_custom_mutator.yml
@ -2,9 +2,12 @@ name: Rust Custom Mutators

 on:
  push:
-    branches: [ stable, dev ]
+    branches:
+      - stable
+      - dev
  pull_request:
-    branches: [ stable, dev ]
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push

 jobs:
  test:
@ -17,7 +20,7 @@ jobs:
      matrix:
        os: [ubuntu-22.04, ubuntu-20.04]
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Install Rust Toolchain
        uses: actions-rs/toolchain@v1
        with:
@ -27,4 +30,4 @@ jobs:
      - name: Run General Tests
        run: cargo test
      - name: Run Tests for afl_internals feature flag
-        run: cd custom_mutator && cargo test --features=afl_internals
+        run: cd custom_mutator && cargo test --features=afl_internals
--- a/128
+++ b/128
@ -1,81 +1,95 @@
 #
 # This Dockerfile for AFLplusplus uses Ubuntu 22.04 jammy and
-# installs LLVM 14 for afl-clang-lto support :-)
+# installs LLVM 14 for afl-clang-lto support.
+#
+# GCC 11 is used instead of 12 because genhtml for afl-cov doesn't like it.
 #

 FROM ubuntu:22.04 AS aflplusplus
 LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
-LABEL "about"="AFLplusplus docker image"
+LABEL "about"="AFLplusplus container image"
+
+### Comment out to enable these features
+# Only available on specific ARM64 boards
+ENV NO_CORESIGHT=1
+# Possible but unlikely in a docker container
+ENV NO_NYX=1
+
+### Only change these if you know what you are doing:
+# LLVM 15 does not look good so we stay at 14 to still have LTO
+ENV LLVM_VERSION=14
+# GCC 12 is producing compile errors for some targets so we stay at GCC 11
+ENV GCC_VERSION=11
+
+### No changes beyond the point unless you know what you are doing :)

 ARG DEBIAN_FRONTEND=noninteractive

-env NO_ARCH_OPT 1
-
-RUN apt-get update && \
-    apt-get -y install --no-install-suggests --no-install-recommends \
-    automake \
-    cmake \
-    meson \
-    ninja-build \
-    bison flex \
-    build-essential \
-    git \
-    python3 python3-dev python3-setuptools python-is-python3 \
-    libtool libtool-bin \
-    libglib2.0-dev \
-    wget vim jupp nano bash-completion less \
-    apt-utils apt-transport-https ca-certificates gnupg dialog \
-    libpixman-1-dev \
-    gnuplot-nox \
-    && rm -rf /var/lib/apt/lists/*
-
-# TODO: reactivate in timely manner
-#RUN echo "deb http://apt.llvm.org/jammy/ llvm-toolchain-jammy-15 main" >> /etc/apt/sources.list && \
-#    wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-
-RUN echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu jammy main" >> /etc/apt/sources.list && \
-    apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F
+ENV NO_ARCH_OPT=1
+ENV IS_DOCKER=1

 RUN apt-get update && apt-get full-upgrade -y && \
-    apt-get -y install --no-install-suggests --no-install-recommends \
-    gcc-12 g++-12 gcc-12-plugin-dev gdb lcov \
-    clang-14 clang-tools-14 libc++1-14 libc++-14-dev \
-    libc++abi1-14 libc++abi-14-dev libclang1-14 libclang-14-dev \
-    libclang-common-14-dev libclang-cpp14 libclang-cpp14-dev liblld-14 \
-    liblld-14-dev liblldb-14 liblldb-14-dev libllvm14 libomp-14-dev \
-    libomp5-14 lld-14 lldb-14 llvm-14 llvm-14-dev llvm-14-runtime llvm-14-tools
+    apt-get install -y --no-install-recommends wget ca-certificates apt-utils && \
+    rm -rf /var/lib/apt/lists/*

-# arm64 doesn't have gcc-multilib, and it's only used for -m32 support on x86
-ARG TARGETPLATFORM
-RUN [ "$TARGETPLATFORM" = "linux/amd64" ] && \
-    apt-get -y install --no-install-suggests --no-install-recommends \
-    gcc-10-multilib gcc-multilib || true
+RUN echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/jammy/ llvm-toolchain-jammy-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.list && \
+    wget -qO /etc/apt/keyrings/llvm-snapshot.gpg.key https://apt.llvm.org/llvm-snapshot.gpg.key

-RUN rm -rf /var/lib/apt/lists/*
+RUN apt-get update && \
+    apt-get -y install --no-install-recommends \
+    make cmake automake meson ninja-build bison flex \
+    git xz-utils bzip2 wget jupp nano bash-completion less vim joe ssh psmisc \
+    python3 python3-dev python3-pip python-is-python3 \
+    libtool libtool-bin libglib2.0-dev \
+    apt-transport-https gnupg dialog \
+    gnuplot-nox libpixman-1-dev \
+    gcc-${GCC_VERSION} g++-${GCC_VERSION} gcc-${GCC_VERSION}-plugin-dev gdb lcov \
+    clang-${LLVM_VERSION} clang-tools-${LLVM_VERSION} libc++1-${LLVM_VERSION} \
+    libc++-${LLVM_VERSION}-dev libc++abi1-${LLVM_VERSION} libc++abi-${LLVM_VERSION}-dev \
+    libclang1-${LLVM_VERSION} libclang-${LLVM_VERSION}-dev \
+    libclang-common-${LLVM_VERSION}-dev libclang-cpp${LLVM_VERSION} \
+    libclang-cpp${LLVM_VERSION}-dev liblld-${LLVM_VERSION} \
+    liblld-${LLVM_VERSION}-dev liblldb-${LLVM_VERSION} liblldb-${LLVM_VERSION}-dev \
+    libllvm${LLVM_VERSION} libomp-${LLVM_VERSION}-dev libomp5-${LLVM_VERSION} \
+    lld-${LLVM_VERSION} lldb-${LLVM_VERSION} llvm-${LLVM_VERSION} \
+    llvm-${LLVM_VERSION}-dev llvm-${LLVM_VERSION}-runtime llvm-${LLVM_VERSION}-tools \
+    $([ "$(dpkg --print-architecture)" = "amd64" ] && echo gcc-${GCC_VERSION}-multilib gcc-multilib) \
+    $([ "$(dpkg --print-architecture)" = "arm64" ] && echo libcapstone-dev) && \
+    rm -rf /var/lib/apt/lists/*
+    # gcc-multilib is only used for -m32 support on x86
+    # libcapstone-dev is used for coresight_mode on arm64

-RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 0
-RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-12 0
+RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${GCC_VERSION} 0 && \
+    update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${GCC_VERSION} 0 && \
+    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${LLVM_VERSION} 0 && \
+    update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-${LLVM_VERSION} 0

-ENV LLVM_CONFIG=llvm-config-14
+RUN wget -qO- https://sh.rustup.rs | CARGO_HOME=/etc/cargo sh -s -- -y -q --no-modify-path
+ENV PATH=$PATH:/etc/cargo/bin
+
+ENV LLVM_CONFIG=llvm-config-${LLVM_VERSION}
 ENV AFL_SKIP_CPUFREQ=1
 ENV AFL_TRY_AFFINITY=1
 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1

-RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
-RUN cd /afl-cov && make install && cd ..
+RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov && \
+    (cd afl-cov && make install) && rm -rf afl-cov

-COPY . /AFLplusplus
 WORKDIR /AFLplusplus
+COPY . .

-RUN export CC=gcc-12 && export CXX=g++-12 && make clean && \
-    make distrib && make install && make clean
+ARG CC=gcc-$GCC_VERSION
+ARG CXX=g++-$GCC_VERSION

-RUN sh -c 'echo set encoding=utf-8 > /root/.vimrc'
-RUN echo '. /etc/bash_completion' >> ~/.bashrc
-RUN echo 'alias joe="joe --wordwrap --joe_state -nobackup"' >> ~/.bashrc
-RUN echo "export PS1='"'[afl++ \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc
-ENV IS_DOCKER="1"
+# Used in CI to prevent a 'make clean' which would remove the binaries to be tested
+ARG TEST_BUILD

-# Disabled as there are now better alternatives
-#COPY --from=aflplusplus/afl-dyninst /usr/local/lib/libdyninstAPI_RT.so /usr/local/lib/libdyninstAPI_RT.so
-#COPY --from=aflplusplus/afl-dyninst /afl-dyninst/libAflDyninst.so /usr/local/lib/libAflDyninst.so
+RUN sed -i.bak 's/^	-/	/g' GNUmakefile && \
+    make clean && make distrib && \
+    ([ "${TEST_BUILD}" ] || (make install && make clean)) && \
+    mv GNUmakefile.bak GNUmakefile
+
+RUN echo "set encoding=utf-8" > /root/.vimrc && \
+    echo ". /etc/bash_completion" >> ~/.bashrc && \
+    echo 'alias joe="joe --wordwrap --joe_state -nobackup"' >> ~/.bashrc && \
+    echo "export PS1='"'[afl++ \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc
--- a/110
+++ b/110
@ -91,9 +91,8 @@ ifneq "$(SYS)" "Darwin"
  #ifeq "$(HAVE_MARCHNATIVE)" "1"
  #  SPECIAL_PERFORMANCE += -march=native
  #endif
- # OS X does not like _FORTIFY_SOURCE=2
 ifndef DEBUG
-   CFLAGS_OPT += -D_FORTIFY_SOURCE=2
+   CFLAGS_OPT += -D_FORTIFY_SOURCE=1
 endif
 else
  # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
@ -103,7 +102,7 @@ endif

 ifeq "$(SYS)" "SunOS"
  CFLAGS_OPT += -Wno-format-truncation
-  LDFLAGS = -lkstat -lrt
+  LDFLAGS = -lkstat -lrt -lsocket -lnsl
 endif

 ifdef STATIC
@ -309,10 +308,21 @@ endif
 .PHONY: all
 all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
 	-$(MAKE) -C utils/aflpp_driver
+	@echo
+	@echo
+	@echo Build Summary:
+	@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+	@test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+	@test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
+ifneq "$(SYS)" "Darwin"
+	@test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
+endif
+	@echo

 .PHONY: llvm
 llvm:
-	-$(MAKE) -j4 -f GNUmakefile.llvm
+	-$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 	@test -e afl-cc || { echo "[-] Compiling afl-cc failed. You seem not to have a working compiler." ; exit 1; }

 .PHONY: gcc_plugin
@ -367,15 +377,19 @@ help:
 	@echo Known build environment options:
 	@echo "=========================================="
 	@echo STATIC - compile AFL++ static
-	@echo ASAN_BUILD - compiles with memory sanitizer for debug purposes
+	@echo ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes
+	@echo UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for debug purposes
 	@echo DEBUG - no optimization, -ggdb3, all warnings and -Werror
+	@echo LLVM_DEBUG - shows llvm deprecation warnings
 	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
 	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 	@echo NO_NYX - disable building nyx mode dependencies
+	@echo "NO_CORESIGHT - disable building coresight (arm64 only)"
+	@echo NO_UNICORN_ARM64 - disable building unicorn on arm64
 	@echo AFL_NO_X86 - if compiling on non-intel/amd platforms
-	@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g. Debian)"
+	@echo "LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian)"
 	@echo "=========================================="
 	@echo e.g.: make ASAN_BUILD=1

@ -411,7 +425,7 @@ test_python:
 	@echo "[+] $(PYTHON_VERSION) support seems to be working."
 else
 test_python:
-	@echo "[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue"
+	@echo "[-] You seem to need to install the package python3-dev or python-dev (and perhaps python[3]-apt), but it is optional so we continue"
 endif

 .PHONY: ready
@ -572,12 +586,13 @@ clean:
 	-$(MAKE) -f GNUmakefile.gcc_plugin clean
 	-$(MAKE) -C utils/libdislocator clean
 	-$(MAKE) -C utils/libtokencap clean
-	$(MAKE) -C utils/aflpp_driver clean
+	-$(MAKE) -C utils/aflpp_driver clean
 	-$(MAKE) -C utils/afl_network_proxy clean
 	-$(MAKE) -C utils/socket_fuzzing clean
 	-$(MAKE) -C utils/argv_fuzzing clean
 	-$(MAKE) -C utils/plot_ui clean
 	-$(MAKE) -C qemu_mode/unsigaction clean
+	-$(MAKE) -C qemu_mode/fastexit clean
 	-$(MAKE) -C qemu_mode/libcompcov clean
 	-$(MAKE) -C qemu_mode/libqasan clean
 	-$(MAKE) -C frida_mode clean
@ -610,34 +625,44 @@ endif

 .PHONY: distrib
 distrib: all
-	-$(MAKE) -j4 -f GNUmakefile.llvm
+	-$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 ifneq "$(SYS)" "Darwin"
 	-$(MAKE) -f GNUmakefile.gcc_plugin
-endif
 	-$(MAKE) -C utils/libdislocator
 	-$(MAKE) -C utils/libtokencap
+endif
 	-$(MAKE) -C utils/afl_network_proxy
 	-$(MAKE) -C utils/socket_fuzzing
 	-$(MAKE) -C utils/argv_fuzzing
 	# -$(MAKE) -C utils/plot_ui
 	-$(MAKE) -C frida_mode
 ifneq "$(SYS)" "Darwin"
-ifeq "$(ARCH)" "aarch64"
+  ifeq "$(ARCH)" "aarch64"
+    ifndef NO_CORESIGHT
 	-$(MAKE) -C coresight_mode
-endif
-ifeq "$(SYS)" "Linux"
-ifndef NO_NYX
+    endif
+  endif
+  ifeq "$(SYS)" "Linux"
+    ifndef NO_NYX
 	-cd nyx_mode && ./build_nyx_support.sh
-endif
-endif
+    endif
+  endif
 	-cd qemu_mode && sh ./build_qemu_support.sh
+  ifeq "$(ARCH)" "aarch64"
+    ifndef NO_UNICORN_ARM64
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+    endif
+  else
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+  endif
 endif

 .PHONY: binary-only
 binary-only: test_shm test_python ready $(PROGS)
+ifneq "$(SYS)" "Darwin"
 	-$(MAKE) -C utils/libdislocator
 	-$(MAKE) -C utils/libtokencap
+endif
 	-$(MAKE) -C utils/afl_network_proxy
 	-$(MAKE) -C utils/socket_fuzzing
 	-$(MAKE) -C utils/argv_fuzzing
@ -645,7 +670,9 @@ binary-only: test_shm test_python ready $(PROGS)
 	-$(MAKE) -C frida_mode
 ifneq "$(SYS)" "Darwin"
 ifeq "$(ARCH)" "aarch64"
+  ifndef NO_CORESIGHT
 	-$(MAKE) -C coresight_mode
+  endif
 endif
 ifeq "$(SYS)" "Linux"
 ifndef NO_NYX
@ -653,23 +680,70 @@ ifndef NO_NYX
 endif
 endif
 	-cd qemu_mode && sh ./build_qemu_support.sh
+  ifeq "$(ARCH)" "aarch64"
+    ifndef NO_UNICORN_ARM64
 	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+    endif
+  else
+	-cd unicorn_mode && unset CFLAGS && sh ./build_unicorn_support.sh
+  endif
 endif
+	@echo
+	@echo
+	@echo Build Summary:
+	@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+ifneq "$(SYS)" "Darwin"
+ifeq "$(ARCH)" "aarch64"
+  ifndef NO_CORESIGHT
+	@test -e afl-cs-proxy && echo "[+] coresight_mode successfully built" || echo "[-] coresight_mode could not be built, it is optional and experimental, see coresight_mode/README.md for what is needed"
+  endif
+endif
+ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
+	@test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
+endif
+endif
+	@test -e afl-qemu-trace && echo "[+] qemu_mode successfully built" || echo "[-] qemu_mode could not be built, see docs/INSTALL.md for what is needed"
+  ifeq "$(ARCH)" "aarch64"
+    ifndef NO_UNICORN_ARM64
+	@test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
+    endif
+  else
+	@test -e unicorn_mode/unicornafl/build_python/libunicornafl.so && echo "[+] unicorn_mode successfully built" || echo "[-] unicorn_mode could not be built, it is optional, see unicorn_mode/README.md for what is needed"
+  endif
+endif
+	@echo

 .PHONY: source-only
 source-only: all
-	-$(MAKE) -j4 -f GNUmakefile.llvm
+	-$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 ifneq "$(SYS)" "Darwin"
 	-$(MAKE) -f GNUmakefile.gcc_plugin
-endif
 	-$(MAKE) -C utils/libdislocator
 	-$(MAKE) -C utils/libtokencap
+endif
 	# -$(MAKE) -C utils/plot_ui
 ifeq "$(SYS)" "Linux"
 ifndef NO_NYX
 	-cd nyx_mode && ./build_nyx_support.sh
 endif
 endif
+	@echo
+	@echo
+	@echo Build Summary:
+	@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
+	@test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+	@test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be build, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
+	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be build, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
+ifneq "$(SYS)" "Darwin"
+	test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
+endif
+ifeq "$(SYS)" "Linux"
+ifndef NO_NYX
+	@test -e libnyx.so && echo "[+] nyx_mode successfully built" || echo "[-] nyx_mode could not be built, it is optional, see nyx_mode/README.md for what is needed"
+endif
+endif
+	@echo

 %.8:	%
 	@echo .TH $* 8 $(BUILD_DATE) "afl++" > $@
--- a/GNUmakefile.gcc_plugin
+++ b/GNUmakefile.gcc_plugin
@ -11,7 +11,7 @@
 # from Laszlo Szekeres.
 #
 # Copyright 2015 Google Inc. All rights reserved.
-# Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2023 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -28,14 +28,14 @@ MAN_PATH    ?= $(PREFIX)/share/man/man8

 VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)

-CFLAGS          ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
+CFLAGS          ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=1
 CFLAGS_SAFE     := -Wall -Iinclude -Wno-pointer-sign \
                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
                   -DGCC_VERSION=\"$(GCCVER)\" -DGCC_BINDIR=\"$(GCCBINDIR)\" \
                   -Wno-unused-function
 override CFLAGS += $(CFLAGS_SAFE)

-CXXFLAGS    ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=2
+CXXFLAGS    ?= -O3 -g -funroll-loops -D_FORTIFY_SOURCE=1
 CXXEFLAGS   := $(CXXFLAGS) -Wall -std=c++11

 CC          ?= gcc
@ -100,7 +100,9 @@ ifeq "$(SYS)" "SunOS"
 endif


-PROGS        = ./afl-gcc-pass.so ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o
+PASSES       = ./afl-gcc-pass.so ./afl-gcc-cmplog-pass.so ./afl-gcc-cmptrs-pass.so
+
+PROGS        = $(PASSES) ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o

 .PHONY: all
 all: test_shm test_deps $(PROGS) test_build all_done
@ -141,6 +143,8 @@ afl-common.o: ./src/afl-common.c
 	@printf "[*] Building 64-bit variant of the runtime (-m64)... "
 	@$(CC) $(CFLAGS_SAFE) $(CPPFLAGS) -O3 -Wno-unused-result -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi

+$(PASSES): instrumentation/afl-gcc-common.h
+
 ./afl-gcc-pass.so: instrumentation/afl-gcc-pass.so.cc | test_deps
 	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
 	ln -sf afl-cc afl-gcc-fast
@ -148,6 +152,12 @@ afl-common.o: ./src/afl-common.c
 	ln -sf afl-cc.8 afl-gcc-fast.8
 	ln -sf afl-cc.8 afl-g++-fast.8

+./afl-gcc-cmplog-pass.so: instrumentation/afl-gcc-cmplog-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+
+./afl-gcc-cmptrs-pass.so: instrumentation/afl-gcc-cmptrs-pass.so.cc | test_deps
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+
 .PHONY: test_build
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
@ -190,6 +200,8 @@ install: all
 	ln -sf afl-c++ $${DESTDIR}$(BIN_PATH)/afl-g++-fast
 	ln -sf afl-compiler-rt.o $${DESTDIR}$(HELPER_PATH)/afl-gcc-rt.o
 	install -m 755 ./afl-gcc-pass.so $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ./afl-gcc-cmplog-pass.so $${DESTDIR}$(HELPER_PATH)
+	install -m 755 ./afl-gcc-cmptrs-pass.so $${DESTDIR}$(HELPER_PATH)
 	install -m 644 -T instrumentation/README.gcc_plugin.md $${DESTDIR}$(DOC_PATH)/README.gcc_plugin.md

 .PHONY: clean
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -45,11 +45,11 @@ endif
 LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' )
 LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
 LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
-LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 )
-LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[5-9]' && echo 1 || echo 0 )
-LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[0-9]' && echo 1 || echo 0 )
-LLVM_10_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]|^10\.[1-9]|^10\.0.[1-9]' && echo 1 || echo 0 )
-LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | egrep -q '^1[1-9]' && echo 1 || echo 0 )
+LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-7]\.' && echo 1 || echo 0 )
+LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[5-9]' && echo 1 || echo 0 )
+LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
+LLVM_10_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]|^10\.[1-9]|^10\.0.[1-9]' && echo 1 || echo 0 )
+LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[1-9]' && echo 1 || echo 0 )
 LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
 LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
 LLVM_STDCXX = gnu++11
@ -86,20 +86,13 @@ ifeq "$(LLVM_TOO_OLD)" "1"
  $(shell sleep 1)
 endif

-ifeq "$(LLVM_MAJOR)" "15"
-  $(info [!] llvm_mode detected llvm 15, which is currently broken for LTO plugins.)
-  LLVM_LTO = 0
-  LLVM_HAVE_LTO = 0
-endif
-
 ifeq "$(LLVM_HAVE_LTO)" "1"
  $(info [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation)
  LLVM_LTO = 1
-  #TEST_MMAP = 1
 endif

 ifeq "$(LLVM_LTO)" "0"
-  $(info [+] llvm_mode detected llvm < 11 or llvm 15, afl-lto LTO will not be build.)
+  $(info [+] llvm_mode detected llvm < 11, afl-lto LTO will not be build.)
 endif

 ifeq "$(LLVM_APPLE_XCODE)" "1"
@ -220,6 +213,17 @@ ifeq "$(LLVM_LTO)" "1"
    ifeq "$(AFL_REAL_LD)" ""
      ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" ""
        AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld
+      else ifneq "$(shell command -v ld.lld 2>/dev/null)" ""
+        AFL_REAL_LD = $(shell command -v ld.lld)
+        TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | awk '{ print $$2 }')
+        ifeq "$(LLVMVER)" "$(TMP_LDLDD_VERSION)"
+          $(warning ld.lld found in a weird location ($(AFL_REAL_LD)), but its the same version as LLVM so we will allow it)
+        else
+          $(warning ld.lld found in a weird location ($(AFL_REAL_LD)) and its of a different version than LLMV ($(TMP_LDLDD_VERSION) vs. $(LLVMVER)) - cannot enable LTO mode)
+          AFL_REAL_LD=
+          LLVM_LTO = 0
+        endif
+        undefine TMP_LDLDD_VERSION
      else
        $(warning ld.lld not found, cannot enable LTO mode)
        LLVM_LTO = 0
@ -235,7 +239,7 @@ AFL_CLANG_FUSELD=
 ifeq "$(LLVM_LTO)" "1"
  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
    AFL_CLANG_FUSELD=1
-    ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(LLVM_BINDIR)/ld.lld -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+    ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(AFL_REAL_LD) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
      AFL_CLANG_LDPATH=1
    endif
  else
@ -250,26 +254,29 @@ else
        AFL_CLANG_DEBUG_PREFIX =
 endif

-CFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
-CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ \
+CFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=1
+CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign \
+                   -I ./include/ -I ./instrumentation/ \
                   -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
                   -DLLVM_BINDIR=\"$(LLVM_BINDIR)\" -DVERSION=\"$(VERSION)\" \
                   -DLLVM_LIBDIR=\"$(LLVM_LIBDIR)\" -DLLVM_VERSION=\"$(LLVMVER)\" \
-                   -Wno-deprecated -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" \
-                   -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
-                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" \
-                   -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
-                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) -Wno-unused-function \
-                   $(AFL_CLANG_DEBUG_PREFIX)
+                   -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
+                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
+                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) \
+                   -Wno-unused-function $(AFL_CLANG_DEBUG_PREFIX)
+ifndef LLVM_DEBUG
+  CFLAGS_SAFE += -Wno-deprecated
+endif
+
 override CFLAGS += $(CFLAGS_SAFE)

 ifdef AFL_TRACE_PC
  $(info Compile option AFL_TRACE_PC is deprecated, just set AFL_LLVM_INSTRUMENT=PCGUARD to activate when compiling targets )
 endif

-CXXFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=2
+CXXFLAGS          ?= -O3 -funroll-loops -fPIC -D_FORTIFY_SOURCE=1
 override CXXFLAGS += -Wall -g -I ./include/ \
-                     -DVERSION=\"$(VERSION)\" -Wno-variadic-macros \
+                     -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -Wno-deprecated-copy-with-dtor \
                     -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)

 ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
--- a/README.md
+++ b/README.md
@ -2,9 +2,9 @@

 <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/master/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">

-Release version: [4.01c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.05c](https://github.com/AFLplusplus/AFLplusplus/releases)

-GitHub version: 4.02a
+GitHub version: 4.06a

 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
--- a/TODO.md
+++ b/TODO.md
@ -2,13 +2,14 @@

 ## Should

- - makefiles should show provide a build summary success/failure
- - better documentation for custom mutators
+ - support afl_custom_{send,post_process}, persistent and deferred fork
+   server in afl-showmap
 - better autodetection of shifting runtime timeout values
 - Update afl->pending_not_fuzzed for MOpt
 - afl-plot to support multiple plot_data
 - parallel builds for source-only targets
 - get rid of check_binary, replace with more forkserver communication
+ - first fuzzer should be a main automatically

 ## Maybe

--- a/37
+++ b/37
@ -105,12 +105,13 @@ function usage() {
 "Execution control settings:\n" \
 "  -f file       - location read by the fuzzed program (stdin)\n" \
 "  -m megs       - memory limit for child process ("mem_limit" MB)\n" \
-"  -t msec       - run time limit for child process (none)\n" \
+"  -t msec       - run time limit for child process (default: none)\n" \
 "  -O            - use binary-only instrumentation (FRIDA mode)\n" \
 "  -Q            - use binary-only instrumentation (QEMU mode)\n" \
 "  -U            - use unicorn-based instrumentation (unicorn mode)\n" \
 "\n" \
 "Minimization settings:\n" \
+"  -A            - allow crashes and timeouts (not recommended)\n" \
 "  -C            - keep crashing inputs, reject everything else\n" \
 "  -e            - solve for edge coverage only, ignore hit counts\n" \
 "\n" \
@ -122,7 +123,11 @@ function usage() {
 "AFL_FORKSRV_INIT_TMOUT: time the fuzzer waits for the forkserver to come up\n" \
 "AFL_KEEP_TRACES: leave the temporary <out_dir>/.traces directory\n" \
 "AFL_KILL_SIGNAL: Signal delivered to child processes on timeout (default: SIGKILL)\n" \
+"AFL_FORK_SERVER_KILL_SIGNAL: Signal delivered to fork server processes on termination\n" \
+"                             (default: SIGTERM). If this is not set and AFL_KILL_SIGNAL is set,\n" \
+"                             this will be set to the same value as AFL_KILL_SIGNAL.\n" \
 "AFL_NO_FORKSRV: run target via execve instead of using the forkserver\n" \
+"AFL_CMIN_ALLOW_ANY: write tuples for crashing inputs also\n" \
 "AFL_PATH: path for the afl-showmap binary if not found anywhere in PATH\n" \
 "AFL_PRINT_FILENAMES: If set, the filename currently processed will be " \
      "printed to stdout\n" \
@ -146,11 +151,12 @@ BEGIN {
  # defaults
  extra_par = ""
  AFL_CMIN_CRASHES_ONLY = ""
+  AFL_CMIN_ALLOW_ANY = ""

  # process options
  Opterr = 1    # default is to diagnose
  Optind = 1    # skip ARGV[0]
-  while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eCOQU?")) != -1) {
+  while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eACOQU?")) != -1) {
    if (_go_c == "i") {
      if (!Optarg) usage()
      if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
@ -186,6 +192,10 @@ BEGIN {
      AFL_CMIN_CRASHES_ONLY = "AFL_CMIN_CRASHES_ONLY=1 "
      continue
    } else 
+    if (_go_c == "A") {
+      AFL_CMIN_ALLOW_ANY = "AFL_CMIN_ALLOW_ANY=1 "
+      continue
+    } else 
    if (_go_c == "e") {
      extra_par = extra_par " -e"
      continue
@ -291,6 +301,16 @@ BEGIN {
    target_bin = tnew
  }

+  if (0 == system ( "grep -aq AFL_DUMP_MAP_SIZE " target_bin )) {
+    echo "[!] Trying to obtain the map size of the target ..."
+    get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
+    get_map_size | getline mapsize
+    if (mapsize && mapsize > 65535 && mapsize < 100000000) {
+      AFL_MAP_SIZE = "AFL_MAP_SIZE="mapsize" "
+      print "[+] Setting "AFL_MAP_SIZE
+    }
+  }
+
  if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) {
    if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
      print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
@ -399,10 +419,10 @@ BEGIN {
    print "[*] Testing the target binary..."

    if (!stdin_file) {
-      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
+      system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -- \""target_bin"\" "prog_args_string" <\""in_dir"/"first_file"\"")
    } else {
      system("cp \""in_dir"/"first_file"\" "stdin_file)
-      system( "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+      system(AFL_MAP_SIZE "AFL_CMIN_ALLOW_ANY=1 "AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"/.run_test\" -Z "extra_par" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
    }

    first_count = 0
@ -435,15 +455,15 @@ BEGIN {
  if (!stdin_file) {
    print "    Processing "in_count" files (forkserver mode)..."
 #    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string
-    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
+    retval = system(AFL_MAP_SIZE AFL_CMIN_ALLOW_ANY AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -- \""target_bin"\" "prog_args_string)
  } else {
    print "    Processing "in_count" files (forkserver mode)..."
 #    print AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null"
-    retval = system( AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
+    retval = system(AFL_MAP_SIZE AFL_CMIN_ALLOW_ANY AFL_CMIN_CRASHES_ONLY"\""showmap"\" -m "mem_limit" -t "timeout" -o \""trace_dir"\" -Z "extra_par" -i \""in_dir"\" -H \""stdin_file"\" -- \""target_bin"\" "prog_args_string" </dev/null")
  }

-  if (retval && !AFL_CMIN_CRASHES_ONLY) {
-    print "[!] Exit code "retval" != 0 received from afl-showmap, terminating..."
+  if (retval && (!AFL_CMIN_CRASHES_ONLY && !AFL_CMIN_ALLOW_ANY)) {
+    print "[!] Exit code "retval" != 0 received from afl-showmap (this means a crashing or timeout input is likely present), terminating..."

    if (!ENVIRON["AFL_KEEP_TRACES"]) {
      system("rm -rf "trace_dir" 2>/dev/null")
@ -534,7 +554,6 @@ BEGIN {
    }
  }
  close(sortedKeys)
-  print ""
  print "[+] Found "tuple_count" unique tuples across "in_count" files."

  if (out_count == 1) {
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@ -53,7 +53,7 @@ unset IN_DIR OUT_DIR STDIN_FILE EXTRA_PAR MEM_LIMIT_GIVEN \

 export AFL_QUIET=1

-while getopts "+i:o:f:m:t:eOQUCh" opt; do
+while getopts "+i:o:f:m:t:eOQUACh" opt; do

  case "$opt" in 

@ -80,6 +80,9 @@ while getopts "+i:o:f:m:t:eOQUCh" opt; do
    "e")
         EXTRA_PAR="$EXTRA_PAR -e"
         ;;
+    "A")
+         export AFL_CMIN_ALLOW_ANY=1
+         ;;
    "C")
         export AFL_CMIN_CRASHES_ONLY=1
         ;;
@ -128,6 +131,7 @@ Execution control settings:
  
 Minimization settings:

+  -A            - allow crashing and timeout inputs
  -C            - keep crashing inputs, reject everything else
  -e            - solve for edge coverage only, ignore hit counts

@ -215,6 +219,15 @@ if [ ! -f "$TARGET_BIN" -o ! -x "$TARGET_BIN" ]; then

 fi

+grep -aq AFL_DUMP_MAP_SIZE "./$TARGET_BIN" && {
+  echo "[!] Trying to obtain the map size of the target ..."
+  MAPSIZE=`AFL_DUMP_MAP_SIZE=1 "./$TARGET_BIN" 2>/dev/null`
+  test -n "$MAPSIZE" && {
+    export AFL_MAP_SIZE=$MAPSIZE
+    echo "[+] Setting AFL_MAP_SIZE=$MAPSIZE"
+  }
+}
+
 if [ "$AFL_SKIP_BIN_CHECK" = "" -a "$QEMU_MODE" = "" -a "$FRIDA_MODE" = "" -a "$UNICORN_MODE" = "" ]; then

  if ! grep -qF "__AFL_SHM_ID" "$TARGET_BIN"; then
--- a/10
+++ b/10
@ -111,12 +111,12 @@ kernel.sched_latency_ns=250000000
 EOF
  }

-  egrep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
-  egrep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
-    egrep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | egrep -q hardened_usercopy=off || {
+  grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
+  grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
+    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q 'noibrs pcid nopti' || {
      echo "Configuring performance boot options"
-      LINE=`egrep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
-      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+      LINE=`grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
+      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
      echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"
      sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub
    }
--- a/4
+++ b/4
@ -47,9 +47,9 @@ if [ "$PLATFORM" = "Linux" ] ; then
 } > /dev/null
  echo Settings applied.
  echo
-  dmesg | egrep -q 'nospectre_v2|spectre_v2=off' || {
+  dmesg | grep -E -q 'noibrs pcid nopti' || {
    echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs nopcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=off pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
    echo
  }
  echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
--- a/2
+++ b/2
@ -6,7 +6,7 @@
 # Originally written by Michal Zalewski
 #
 # Copyright 2015 Google Inc. All rights reserved.
-# Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2023 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
--- a/coresight_mode/GNUmakefile
+++ b/coresight_mode/GNUmakefile
@ -54,7 +54,7 @@ $(GLIBC_LDSO): | $(GLIBC_NAME).tar.xz
 	  $(MAKE) install

 $(GLIBC_NAME).tar.xz:
-	wget -O $@ $(GLIBC_URL_BASE)/$@
+	wget -qO $@ $(GLIBC_URL_BASE)/$@

 clean:
 	$(MAKE) -C $(CS_TRACE) clean
--- a/custom_mutators/examples/custom_send.c
+++ b/custom_mutators/examples/custom_send.c
@ -0,0 +1,56 @@
+// cc -O3 -fPIC -shared -g -o custom_send.so -I../../include custom_send.c
+// cd ../..
+// afl-cc -o test-instr test-instr.c
+// afl-fuzz -i in -o out -- ./test-instr -f /tmp/foo
+
+#include "custom_mutator_helpers.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+
+  return data;
+
+}
+
+void afl_custom_fuzz_send(my_mutator_t *data, uint8_t *buf, size_t buf_size) {
+
+  int fd = open("/tmp/foo", O_CREAT | O_NOFOLLOW | O_TRUNC | O_RDWR, 0644);
+
+  if (fd >= 0) {
+
+    (void)write(fd, buf, buf_size);
+    close(fd);
+
+  }
+
+  return;
+
+}
+
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data);
+
+}
+
--- a/custom_mutators/examples/example.c
+++ b/custom_mutators/examples/example.c
@ -352,7 +352,7 @@ uint8_t afl_custom_queue_get(my_mutator_t *data, const uint8_t *filename) {
 * @return if the file contents was modified return 1 (True), 0 (False)
 *         otherwise
 */
-uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
+uint8_t afl_custom_queue_new_entry(my_mutator_t  *data,
                                   const uint8_t *filename_new_queue,
                                   const uint8_t *filename_orig_queue) {

--- a/custom_mutators/examples/post_library_gif.so.c
+++ b/custom_mutators/examples/post_library_gif.so.c
@ -72,6 +72,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "alloc-inl.h"

 /* Header that must be present at the beginning of every test case: */

@ -127,9 +128,11 @@ size_t afl_custom_post_process(post_state_t *data, unsigned char *in_buf,
  }

  /* Allocate memory for new buffer, reusing previous allocation if
-     possible. */
+     possible. Note we have to use afl-fuzz's own realloc!
+     Note that you should only do this if you need to grow the buffer,
+     otherwise work with in_buf, and assign it to *out_buf instead. */

-  *out_buf = realloc(data->buf, len);
+  *out_buf = afl_realloc(out_buf, len);

  /* If we're out of memory, the most graceful thing to do is to return the
     original buffer and give up on modifying it. Let AFL handle OOM on its
@ -142,9 +145,9 @@ size_t afl_custom_post_process(post_state_t *data, unsigned char *in_buf,

  }

-  /* Copy the original data to the new location. */
-
-  memcpy(*out_buf, in_buf, len);
+  if (len > strlen(HEADER))
+    memcpy(*out_buf + strlen(HEADER), in_buf + strlen(HEADER),
+           len - strlen(HEADER));

  /* Insert the new header. */

--- a/custom_mutators/examples/post_library_png.so.c
+++ b/custom_mutators/examples/post_library_png.so.c
@ -29,8 +29,8 @@
 #include <stdint.h>
 #include <string.h>
 #include <zlib.h>
-
 #include <arpa/inet.h>
+#include "alloc-inl.h"

 /* A macro to round an integer up to 4 kB. */

@ -70,9 +70,6 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf,
                               unsigned int          len,
                               const unsigned char **out_buf) {

-  unsigned char *new_buf = (unsigned char *)in_buf;
-  unsigned int   pos = 8;
-
  /* Don't do anything if there's not enough room for the PNG header
     (8 bytes). */

@ -83,6 +80,22 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf,

  }

+  /* This is not a good way to do it, if you do not need to grow the buffer
+     then just work with in_buf instead for speed reasons.
+     But we want to show how to grow a buffer, so this is how it's done: */
+
+  unsigned int   pos = 8;
+  unsigned char *new_buf = afl_realloc(out_buf, UP4K(len));
+
+  if (!new_buf) {
+
+    *out_buf = in_buf;
+    return len;
+
+  }
+
+  memcpy(new_buf, in_buf, len);
+
  /* Minimum size of a zero-length PNG chunk is 12 bytes; if we
     don't have that, we can bail out. */

@ -111,33 +124,6 @@ size_t afl_custom_post_process(post_state_t *data, const unsigned char *in_buf,

    if (real_cksum != file_cksum) {

-      /* First modification? Make a copy of the input buffer. Round size
-         up to 4 kB to minimize the number of reallocs needed. */
-
-      if (new_buf == in_buf) {
-
-        if (len <= data->size) {
-
-          new_buf = data->buf;
-
-        } else {
-
-          new_buf = realloc(data->buf, UP4K(len));
-          if (!new_buf) {
-
-            *out_buf = in_buf;
-            return len;
-
-          }
-
-          data->buf = new_buf;
-          data->size = UP4K(len);
-          memcpy(new_buf, in_buf, len);
-
-        }
-
-      }
-
      *(uint32_t *)(new_buf + pos + 8 + chunk_len) = real_cksum;

    }
--- a/custom_mutators/gramatron/build_gramatron_mutator.sh
+++ b/custom_mutators/gramatron/build_gramatron_mutator.sh
@ -11,7 +11,7 @@
 # Adapted for AFLplusplus by Dominik Maier <mail@dmnk.co>
 #
 # Copyright 2017 Battelle Memorial Institute. All rights reserved.
-# Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2023 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -125,7 +125,7 @@ else
  }
 fi

-test -d json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e json-c/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
 echo "[+] Got json-c."

 test -e json-c/.libs/libjson-c.a || {
--- a/custom_mutators/grammar_mutator/build_grammar_mutator.sh
+++ b/custom_mutators/grammar_mutator/build_grammar_mutator.sh
@ -14,7 +14,7 @@
 #                                <andreafioraldi@gmail.com>
 #
 # Copyright 2017 Battelle Memorial Institute. All rights reserved.
-# Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+# Copyright 2019-2023 AFLplusplus Project. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -119,7 +119,7 @@ else
  }
 fi

-test -f grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
+test -e grammar_mutator/.git || { echo "[-] not checked out, please install git or check your internet connection." ; exit 1 ; }
 echo "[+] Got grammar mutator."

 cd "grammar_mutator" || exit 1
@ -128,7 +128,7 @@ git pull >/dev/null 2>&1
 sh -c 'git stash && git stash drop' 1>/dev/null 2>/dev/null
 git checkout "$GRAMMAR_VERSION" || exit 1
 echo "[*] Downloading antlr..."
-wget -c https://www.antlr.org/download/antlr-4.8-complete.jar
+wget -q https://www.antlr.org/download/antlr-4.8-complete.jar
 cd ..

 echo
--- a/custom_mutators/libafl_base/Cargo.toml
+++ b/custom_mutators/libafl_base/Cargo.toml
@ -6,7 +6,7 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]
-libafl = { git = "https://github.com/AFLplusplus/LibAFL.git", rev = "62614ce1016c86e3f00f35b56399292ceabd486b" }
+libafl = { git = "https://github.com/AFLplusplus/LibAFL.git", rev = "266677bb88abe75165430f34e7de897c35560504" }
 custom_mutator = { path = "../rust/custom_mutator", features = ["afl_internals"] }
 serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib

--- a/custom_mutators/libafl_base/src/lib.rs
+++ b/custom_mutators/libafl_base/src/lib.rs
@ -1,5 +1,4 @@
 #![cfg(unix)]
-#![allow(unused_variables)]

 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use std::{
@ -18,10 +17,12 @@ use libafl::{
        scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator, Tokens},
        Mutator,
    },
-    state::{HasCorpus, HasMaxSize, HasMetadata, HasRand, State},
+    prelude::UsesInput,
+    state::{HasCorpus, HasMaxSize, HasMetadata, HasRand, State, UsesState},
    Error,
 };

+#[allow(clippy::identity_op)]
 const MAX_FILE: usize = 1 * 1024 * 1024;

 static mut AFL: Option<&'static afl_state> = None;
@ -64,24 +65,32 @@ impl<'de> Deserialize<'de> for AFLCorpus {
    }
 }

-impl Corpus<BytesInput> for AFLCorpus {
+impl UsesState for AFLCorpus {
+    type State = AFLState;
+}
+
+impl Corpus for AFLCorpus {
    #[inline]
    fn count(&self) -> usize {
        afl().queued_items as usize
    }

    #[inline]
-    fn add(&mut self, testcase: Testcase<BytesInput>) -> Result<usize, Error> {
+    fn add(&mut self, _testcase: Testcase<BytesInput>) -> Result<usize, Error> {
        unimplemented!();
    }

    #[inline]
-    fn replace(&mut self, idx: usize, testcase: Testcase<BytesInput>) -> Result<(), Error> {
+    fn replace(
+        &mut self,
+        _idx: usize,
+        _testcase: Testcase<BytesInput>,
+    ) -> Result<Testcase<Self::Input>, Error> {
        unimplemented!();
    }

    #[inline]
-    fn remove(&mut self, idx: usize) -> Result<Option<Testcase<BytesInput>>, Error> {
+    fn remove(&mut self, _idx: usize) -> Result<Option<Testcase<BytesInput>>, Error> {
        unimplemented!();
    }

@ -92,7 +101,7 @@ impl Corpus<BytesInput> for AFLCorpus {
            entries.entry(idx).or_insert_with(|| {
                let queue_buf = std::slice::from_raw_parts_mut(afl().queue_buf, self.count());
                let entry = queue_buf[idx].as_mut().unwrap();
-                let fname = CStr::from_ptr((entry.fname as *mut i8).as_ref().unwrap())
+                let fname = CStr::from_ptr((entry.fname.cast::<i8>()).as_ref().unwrap())
                    .to_str()
                    .unwrap()
                    .to_owned();
@ -127,9 +136,10 @@ pub struct AFLState {
 }

 impl AFLState {
+    #[must_use]
    pub fn new(seed: u32) -> Self {
        Self {
-            rand: StdRand::with_seed(seed as u64),
+            rand: StdRand::with_seed(u64::from(seed)),
            corpus: AFLCorpus::default(),
            metadata: SerdeAnyMap::new(),
            max_size: MAX_FILE,
@ -153,7 +163,11 @@ impl HasRand for AFLState {
    }
 }

-impl HasCorpus<BytesInput> for AFLState {
+impl UsesInput for AFLState {
+    type Input = BytesInput;
+}
+
+impl HasCorpus for AFLState {
    type Corpus = AFLCorpus;

    #[inline]
@ -208,7 +222,7 @@ impl CustomMutator for LibAFLBaseCustomMutator {
                tokens.push(data.to_vec());
            }
            if !tokens.is_empty() {
-                state.add_metadata(Tokens::new(tokens));
+                state.add_metadata(Tokens::from(tokens));
            }
            Ok(Self {
                state,
@ -220,7 +234,7 @@ impl CustomMutator for LibAFLBaseCustomMutator {
    fn fuzz<'b, 's: 'b>(
        &'s mut self,
        buffer: &'b mut [u8],
-        add_buff: Option<&[u8]>,
+        _add_buff: Option<&[u8]>,
        max_size: usize,
    ) -> Result<Option<&'b [u8]>, Self::Error> {
        self.state.set_max_size(max_size);
--- a/custom_mutators/rust/custom_mutator-sys/Cargo.toml
+++ b/custom_mutators/rust/custom_mutator-sys/Cargo.toml
@ -1,12 +1,12 @@
 [package]
 name = "custom_mutator-sys"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
-edition = "2018"
+edition = "2021"

 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [dependencies]

 [build-dependencies]
-bindgen = "0.56"
+bindgen = "0.63"
--- a/custom_mutators/rust/custom_mutator-sys/build.rs
+++ b/custom_mutators/rust/custom_mutator-sys/build.rs
@ -15,8 +15,8 @@ fn main() {
        // The input header we would like to generate
        // bindings for.
        .header("wrapper.h")
-        .whitelist_type("afl_state_t")
-        .blacklist_type(r"u\d+")
+        .allowlist_type("afl_state_t")
+        .blocklist_type(r"u\d+")
        .opaque_type(r"_.*")
        .opaque_type("FILE")
        .opaque_type("in_addr(_t)?")
--- a/custom_mutators/rust/custom_mutator-sys/src/lib.rs
+++ b/custom_mutators/rust/custom_mutator-sys/src/lib.rs
@ -1,5 +1,7 @@
 #![allow(non_upper_case_globals)]
 #![allow(non_camel_case_types)]
 #![allow(non_snake_case)]
+#![allow(clippy::too_many_lines)]
+#![allow(clippy::used_underscore_binding)]

 include!(concat!(env!("OUT_DIR"), "/bindings.rs"));
--- a/custom_mutators/rust/custom_mutator/Cargo.toml
+++ b/custom_mutators/rust/custom_mutator/Cargo.toml
@ -2,7 +2,7 @@
 name = "custom_mutator"
 version = "0.1.0"
 authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
-edition = "2018"
+edition = "2021"

 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

--- a/custom_mutators/rust/custom_mutator/src/lib.rs
+++ b/custom_mutators/rust/custom_mutator/src/lib.rs
@ -20,7 +20,7 @@
 //! This binding is panic-safe in that it will prevent panics from unwinding into AFL++. Any panic will `abort` at the boundary between the custom mutator and AFL++.
 //!
 //! # Access to AFL++ internals
-//! This crate has an optional feature "afl_internals", which gives access to AFL++'s internal state.
+//! This crate has an optional feature "`afl_internals`", which gives access to AFL++'s internal state.
 //! The state is passed to [`CustomMutator::init`], when the feature is activated.
 //!
 //! _This is completely unsafe and uses automatically generated types extracted from the AFL++ source._
@ -115,7 +115,7 @@ pub mod wrappers {
    impl<M: RawCustomMutator> FFIContext<M> {
        fn from(ptr: *mut c_void) -> ManuallyDrop<Box<Self>> {
            assert!(!ptr.is_null());
-            ManuallyDrop::new(unsafe { Box::from_raw(ptr as *mut Self) })
+            ManuallyDrop::new(unsafe { Box::from_raw(ptr.cast::<Self>()) })
        }

        fn into_ptr(self: Box<Self>) -> *const c_void {
@ -141,27 +141,28 @@ pub mod wrappers {
    }

    /// panic handler called for every panic
-    fn panic_handler(method: &str, panic_info: Box<dyn Any + Send + 'static>) -> ! {
+    fn panic_handler(method: &str, panic_info: &Box<dyn Any + Send + 'static>) -> ! {
        use std::ops::Deref;
-        let cause = panic_info
-            .downcast_ref::<String>()
-            .map(String::deref)
-            .unwrap_or_else(|| {
+        let cause = panic_info.downcast_ref::<String>().map_or_else(
+            || {
                panic_info
                    .downcast_ref::<&str>()
                    .copied()
                    .unwrap_or("<cause unknown>")
-            });
-        eprintln!("A panic occurred at {}: {}", method, cause);
+            },
+            String::deref,
+        );
+        eprintln!("A panic occurred at {method}: {cause}");
        abort()
    }

    /// Internal function used in the macro
    #[cfg(not(feature = "afl_internals"))]
+    #[must_use]
    pub fn afl_custom_init_<M: RawCustomMutator>(seed: u32) -> *const c_void {
        match catch_unwind(|| FFIContext::<M>::new(seed).into_ptr()) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_init", err),
+            Err(err) => panic_handler("afl_custom_init", &err),
        }
    }

@ -176,7 +177,7 @@ pub mod wrappers {
            FFIContext::<M>::new(afl, seed).into_ptr()
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_init", err),
+            Err(err) => panic_handler("afl_custom_init", &err),
        }
    }

@ -196,32 +197,27 @@ pub mod wrappers {
    ) -> usize {
        match catch_unwind(|| {
            let mut context = FFIContext::<M>::from(data);
-            if buf.is_null() {
-                panic!("null buf passed to afl_custom_fuzz")
-            }
-            if out_buf.is_null() {
-                panic!("null out_buf passed to afl_custom_fuzz")
-            }
+
+            assert!(!buf.is_null(), "null buf passed to afl_custom_fuzz");
+            assert!(!out_buf.is_null(), "null out_buf passed to afl_custom_fuzz");
+
            let buff_slice = slice::from_raw_parts_mut(buf, buf_size);
            let add_buff_slice = if add_buf.is_null() {
                None
            } else {
                Some(slice::from_raw_parts(add_buf, add_buf_size))
            };
-            match context.mutator.fuzz(buff_slice, add_buff_slice, max_size) {
-                Some(buffer) => {
-                    *out_buf = buffer.as_ptr();
-                    buffer.len()
-                }
-                None => {
-                    // return the input buffer with 0-length to let AFL skip this mutation attempt
-                    *out_buf = buf;
-                    0
-                }
+            if let Some(buffer) = context.mutator.fuzz(buff_slice, add_buff_slice, max_size) {
+                *out_buf = buffer.as_ptr();
+                buffer.len()
+            } else {
+                // return the input buffer with 0-length to let AFL skip this mutation attempt
+                *out_buf = buf;
+                0
            }
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_fuzz", err),
+            Err(err) => panic_handler("afl_custom_fuzz", &err),
        }
    }

@ -237,9 +233,8 @@ pub mod wrappers {
    ) -> u32 {
        match catch_unwind(|| {
            let mut context = FFIContext::<M>::from(data);
-            if buf.is_null() {
-                panic!("null buf passed to afl_custom_fuzz")
-            }
+            assert!(!buf.is_null(), "null buf passed to afl_custom_fuzz");
+
            let buf_slice = slice::from_raw_parts(buf, buf_size);
            // see https://doc.rust-lang.org/nomicon/borrow-splitting.html
            let ctx = &mut **context;
@ -247,37 +242,39 @@ pub mod wrappers {
            mutator.fuzz_count(buf_slice)
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_fuzz_count", err),
+            Err(err) => panic_handler("afl_custom_fuzz_count", &err),
        }
    }

    /// Internal function used in the macro
-    pub fn afl_custom_queue_new_entry_<M: RawCustomMutator>(
+    pub unsafe fn afl_custom_queue_new_entry_<M: RawCustomMutator>(
        data: *mut c_void,
        filename_new_queue: *const c_char,
        filename_orig_queue: *const c_char,
    ) -> bool {
        match catch_unwind(|| {
            let mut context = FFIContext::<M>::from(data);
-            if filename_new_queue.is_null() {
-                panic!("received null filename_new_queue in afl_custom_queue_new_entry");
-            }
+            assert!(
+                !filename_new_queue.is_null(),
+                "received null filename_new_queue in afl_custom_queue_new_entry"
+            );
+
            let filename_new_queue = Path::new(OsStr::from_bytes(
                unsafe { CStr::from_ptr(filename_new_queue) }.to_bytes(),
            ));
-            let filename_orig_queue = if !filename_orig_queue.is_null() {
+            let filename_orig_queue = if filename_orig_queue.is_null() {
+                None
+            } else {
                Some(Path::new(OsStr::from_bytes(
                    unsafe { CStr::from_ptr(filename_orig_queue) }.to_bytes(),
                )))
-            } else {
-                None
            };
            context
                .mutator
                .queue_new_entry(filename_new_queue, filename_orig_queue)
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_queue_new_entry", err),
+            Err(err) => panic_handler("afl_custom_queue_new_entry", &err),
        }
    }

@ -292,7 +289,7 @@ pub mod wrappers {
            ManuallyDrop::into_inner(FFIContext::<M>::from(data));
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_deinit", err),
+            Err(err) => panic_handler("afl_custom_deinit", &err),
        }
    }

@ -306,13 +303,13 @@ pub mod wrappers {
                buf.extend_from_slice(res.as_bytes());
                buf.push(0);
                // unwrapping here, as the error case should be extremely rare
-                CStr::from_bytes_with_nul(&buf).unwrap().as_ptr()
+                CStr::from_bytes_with_nul(buf).unwrap().as_ptr()
            } else {
                null()
            }
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_introspection", err),
+            Err(err) => panic_handler("afl_custom_introspection", &err),
        }
    }

@ -329,18 +326,18 @@ pub mod wrappers {
                buf.extend_from_slice(res.as_bytes());
                buf.push(0);
                // unwrapping here, as the error case should be extremely rare
-                CStr::from_bytes_with_nul(&buf).unwrap().as_ptr()
+                CStr::from_bytes_with_nul(buf).unwrap().as_ptr()
            } else {
                null()
            }
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_describe", err),
+            Err(err) => panic_handler("afl_custom_describe", &err),
        }
    }

    /// Internal function used in the macro
-    pub fn afl_custom_queue_get_<M: RawCustomMutator>(
+    pub unsafe fn afl_custom_queue_get_<M: RawCustomMutator>(
        data: *mut c_void,
        filename: *const c_char,
    ) -> u8 {
@ -348,12 +345,12 @@ pub mod wrappers {
            let mut context = FFIContext::<M>::from(data);
            assert!(!filename.is_null());

-            context.mutator.queue_get(Path::new(OsStr::from_bytes(
+            u8::from(context.mutator.queue_get(Path::new(OsStr::from_bytes(
                unsafe { CStr::from_ptr(filename) }.to_bytes(),
-            ))) as u8
+            ))))
        }) {
            Ok(ret) => ret,
-            Err(err) => panic_handler("afl_custom_queue_get", err),
+            Err(err) => panic_handler("afl_custom_queue_get", &err),
        }
    }
 }
@ -373,7 +370,7 @@ macro_rules! _define_afl_custom_init {
    };
 }

-/// An exported macro to defined afl_custom_init meant for insternal usage
+/// An exported macro to defined `afl_custom_init` meant for internal usage
 #[cfg(not(feature = "afl_internals"))]
 #[macro_export]
 macro_rules! _define_afl_custom_init {
@ -444,7 +441,7 @@ macro_rules! export_mutator {
        }

        #[no_mangle]
-        pub extern "C" fn afl_custom_queue_new_entry(
+        pub unsafe extern "C" fn afl_custom_queue_new_entry(
            data: *mut ::std::os::raw::c_void,
            filename_new_queue: *const ::std::os::raw::c_char,
            filename_orig_queue: *const ::std::os::raw::c_char,
@ -457,7 +454,7 @@ macro_rules! export_mutator {
        }

        #[no_mangle]
-        pub extern "C" fn afl_custom_queue_get(
+        pub unsafe extern "C" fn afl_custom_queue_get(
            data: *mut ::std::os::raw::c_void,
            filename: *const ::std::os::raw::c_char,
        ) -> u8 {
@ -520,9 +517,10 @@ mod sanity_test {
    export_mutator!(ExampleMutator);
 }

-#[allow(unused_variables)]
 /// A custom mutator.
 /// [`CustomMutator::handle_error`] will be called in case any method returns an [`Result::Err`].
+#[allow(unused_variables)]
+#[allow(clippy::missing_errors_doc)]
 pub trait CustomMutator {
    /// The error type. All methods must return the same error type.
    type Error: Debug;
@ -537,7 +535,7 @@ pub trait CustomMutator {
            .map(|v| !v.is_empty())
            .unwrap_or(false)
        {
-            eprintln!("Error in custom mutator: {:?}", err)
+            eprintln!("Error in custom mutator: {err:?}");
        }
    }

@ -759,8 +757,7 @@ mod truncate_test {
            let actual_output = truncate_str_unicode_safe(input, *max_len);
            assert_eq!(
                &actual_output, expected_output,
-                "{:#?} truncated to {} bytes should be {:#?}, but is {:#?}",
-                input, max_len, expected_output, actual_output
+                "{input:#?} truncated to {max_len} bytes should be {expected_output:#?}, but is {actual_output:#?}"
            );
        }
    }
--- a/custom_mutators/rust/example/Cargo.toml
+++ b/custom_mutators/rust/example/Cargo.toml
@ -2,7 +2,7 @@
 name = "example_mutator"
 version = "0.1.0"
 authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
-edition = "2018"
+edition = "2021"

 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

--- a/custom_mutators/rust/example_lain/Cargo.toml
+++ b/custom_mutators/rust/example_lain/Cargo.toml
@ -2,7 +2,7 @@
 name = "example_lain"
 version = "0.1.0"
 authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]
-edition = "2018"
+edition = "2021"

 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -3,10 +3,90 @@
  This is the list of all noteworthy changes made in every public
  release of the tool. See README.md for the general instruction manual.

-## Staying informed
+### Version ++4.05c (release)
+  - MacOS: libdislocator, libtokencap etc. do not work with modern
+    MacOS anymore, but could be patched to work, see this issue if you
+    want to make the effort and send a PR:
+    https://github.com/AFLplusplus/AFLplusplus/issues/1594
+  - afl-fuzz:
+    - added afl_custom_fuzz_send custom mutator feature. Now your can
+      send fuzz data to the target as you need, e.g. via IPC.
+    - cmplog mode now has a -l R option for random colorization, thanks
+      to guyf2010 for the PR!
+    - queue statistics are written every 30 minutes to
+      out/NAME/queue_data if compiled with INTROSPECTION
+    - new env: AFL_FORK_SERVER_KILL_SIGNAL
+  - afl-showmap/afl-cmin
+    - `-t none` now translates to `-t 120000` (120 seconds)
+  - unicorn_mode updated
+  - updated rust custom mutator dependencies and LibAFL custom mutator
+  - several minor bugfixes

-Want to stay in the loop on major new features? Join our mailing list by
-sending a mail to <afl-users+subscribe@googlegroups.com>.
+### Version ++4.04c (release)
+  - fix gramatron and grammar_mutator build scripts
+  - enhancements to the afl-persistent-config and afl-system-config
+    scripts
+  - afl-fuzz:
+    - force writing all stats on exit
+    - ensure targets are killed on exit
+    - `AFL_FORK_SERVER_KILL_SIGNAL` added
+  - afl-cc:
+    - make gcc_mode (afl-gcc-fast) work with gcc down to version 3.6
+  - qemu_mode:
+    - fixed 10x speed degredation in v4.03c, thanks to @ele7enxxh for
+      reporting!
+    - added qemu_mode/fastexit helper library
+  - unicorn_mode:
+    - Enabled tricore arch (by @jma-qb)
+    - Updated Capstone version in Rust bindings
+  - llvm-mode:
+    - AFL runtime will always pass inputs via shared memory, when possible,
+      ignoring the command line.
+
+
+### Version ++4.03c (release)
+  - Building now gives a build summary what succeeded and what not
+  - afl-fuzz:
+    - added AFL_NO_STARTUP_CALIBRATION to start fuzzing at once instead
+      of calibrating all initial seeds first. Good for large queues
+      and long execution times, especially in CIs.
+    - default calibration cycles set to 7 from 8, and only add 5 cycles
+      to variables queue items instead of 12.
+  - afl-cc:
+    - fixed off-by-one bug in our pcguard implemenation, thanks for
+      @tokatoka for reporting
+    - fix for llvm 15 and reenabling LTO, thanks to nikic for the PR!
+    - better handling of -fsanitize=..,...,.. lists
+    - support added for LLVMFuzzerRunDriver()
+    - fix gcc_mode cmplog
+    - obtain the map size of a target with setting AFL_DUMP_MAP_SIZE=1
+      note that this will exit the target before main()
+  - qemu_mode:
+    - added AFL_QEMU_TRACK_UNSTABLE to log the addresses of unstable
+      edges (together with AFL_DEBUG=1 afl-fuzz). thanks to
+      worksbutnottested!
+  - afl-analyze broke at some point, fix by CodeLogicError, thank you!
+  - afl-cmin/afl-cmin.bash now have an -A option to allow also crashing
+    and timeout inputs
+  - unicorn_mode:
+    - updated upstream unicorn version
+    - fixed builds for aarch64
+    - build now uses all available cores
+
+
+### Version ++4.02c (release)
+  - afl-cc:
+    - important fix for the default pcguard mode when LLVM IR vector
+      selects are produced, thanks to @juppytt for reporting!
+  - gcc_plugin:
+    - Adacore submitted CMPLOG support to the gcc_plugin! :-)
+  - llvm_mode:
+    - laf cmp splitting fixed for more comparison types
+  - frida_mode:
+    - now works on Android!
+  - afl-fuzz:
+    - change post_process hook to allow returning NULL and 0 length to
+      tell afl-fuzz to skip this mutated input

 ### Version ++4.01c (release)
  - fixed */build_...sh scripts to work outside of git
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -255,3 +255,18 @@ If you find an interesting or important question missing, submit it via

  Solution: `git pull ; make clean install` of AFL++.
 </p></details>
+
+<details>
+  <summary id="afl-map-size-warning">AFL++ map size warning.</summary><p>
+
+  When you run a large instrumented program stand-alone or via afl-showmap
+  you might see a warning like the following:
+
+  ```
+  Warning: AFL++ tools might need to set AFL_MAP_SIZE to 223723 to be able to run this instrumented program if this crashes!
+  ```
+
+  Depending how the target works it might also crash afterwards.
+
+  Solution: just do an `export AFL_MAP_SIZE=(the value in the warning)`.
+</p></details>
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@ -21,12 +21,12 @@ development state of AFL++.
 If you want to build AFL++ yourself, you have many options. The easiest choice
 is to build and install everything:

-NOTE: depending on your Debian/Ubuntu/Kali/... version replease `-12` with
-whatever llvm version is available!
+NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-12` with
+whatever llvm version is available. We recommend llvm 12, 13 or 14.

 ```shell
 sudo apt-get update
-sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
+sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools cargo libgtk-3-dev
 # try to install llvm 12 and install the distro default if that fails
 sudo apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 || sudo apt-get install -y lld llvm llvm-dev clang
 sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
@ -79,19 +79,24 @@ make STATIC=1
 These build options exist:

 * STATIC - compile AFL++ static
-* ASAN_BUILD - compiles with memory sanitizer for debug purposes
+* ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes
+* UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for
+  debug purposes
 * DEBUG - no optimization, -ggdb3, all warnings and -Werror
-* PROFILING - compile with profiling information (gprof)
+* LLVM_DEBUG - shows llvm deprecation warnings
+* PROFILING - compile afl-fuzz with profiling information
 * INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support
 * NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for
  normal fuzzing
 * NO_NYX - disable building nyx mode dependencies
+* NO_CORESIGHT - disable building coresight (arm64 only)
+* NO_UNICORN_ARM64 - disable building unicorn on arm64
 * AFL_NO_X86 - if compiling on non-intel/amd platforms
 * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config
  (e.g., Debian)

-e.g.: `make ASAN_BUILD=1`
+e.g.: `make LLVM_CONFIG=llvm-config-14`

 ## MacOS X on x86 and arm64 (M1)

@ -148,7 +153,7 @@ and definitely don't look POSIX-compliant. This means two things:
    environment before starting afl-fuzz.

 User emulation mode of QEMU does not appear to be supported on MacOS X, so
-black-box instrumentation mode (`-Q`) will not work. However, Frida mode (`-O`)
+black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`)
 works on both x86 and arm64 MacOS boxes.

 MacOS X supports SYSV shared memory used by AFL's instrumentation, but the
--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@ -38,6 +38,11 @@ performed with the custom mutator.

 ## 2) APIs

+**IMPORTANT NOTE**: If you use our C/C++ API and you want to increase the size
+of an **out_buf buffer, you have to use `afl_realloc()` for this, so include
+`include/alloc-inl.h` - otherwise afl-fuzz will crash when trying to free
+your buffers.
+
 C/C++:

 ```c
@ -52,6 +57,7 @@ int afl_custom_post_trim(void *data, unsigned char success);
 size_t afl_custom_havoc_mutation(void *data, unsigned char *buf, size_t buf_size, unsigned char **out_buf, size_t max_size);
 unsigned char afl_custom_havoc_mutation_probability(void *data);
 unsigned char afl_custom_queue_get(void *data, const unsigned char *filename);
+void (*afl_custom_fuzz_send)(void *data, const u8 *buf, size_t buf_size);
 u8 afl_custom_queue_new_entry(void *data, const unsigned char *filename_new_queue, const unsigned int *filename_orig_queue);
 const char* afl_custom_introspection(my_mutator_t *data);
 void afl_custom_deinit(void *data);
@ -63,7 +69,7 @@ Python:
 def init(seed):
    pass

-def fuzz_count(buf, add_buf, max_size):
+def fuzz_count(buf):
    return cnt

 def fuzz(buf, add_buf, max_size):
@ -93,6 +99,9 @@ def havoc_mutation_probability():
 def queue_get(filename):
    return True

+def fuzz_send(buf):
+    pass
+
 def queue_new_entry(filename_new_queue, filename_orig_queue):
    return False

@ -159,6 +168,17 @@ def deinit():  # optional for Python
    This can return any python object that implements the buffer protocol and
    supports PyBUF_SIMPLE. These include bytes, bytearray, etc.

+    You can decide in the post_process mutator to not send the mutated data
+    to the target, e.g. if it is too short, too corrupted, etc. If so,
+    return a NULL buffer and zero length (or a 0 length string in Python).
+
+- `fuzz_send` (optional):
+
+    This method can be used if you want to send data to the target yourself,
+    e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
+    that you start the target with afl-fuzz.
+    Example: [custom_mutators/examples/custom_send.c](custom_mutators/examples/custom_send.c)
+
 - `queue_new_entry` (optional):

    This methods is called after adding a new test case to the queue. If the
@ -260,10 +280,10 @@ sudo apt install python-dev
 ```

 Then, AFL++ can be compiled with Python support. The AFL++ Makefile detects
-Python 2 and 3 through `python-config` if it is in the PATH and compiles
-`afl-fuzz` with the feature if available.
+Python3 through `python-config`/`python3-config` if it is in the PATH and
+compiles `afl-fuzz` with the feature if available.

-Note: for some distributions, you might also need the package `python[23]-apt`.
+Note: for some distributions, you might also need the package `python[3]-apt`.
 In case your setup is different, set the necessary variables like this:
 `PYTHON_INCLUDE=/path/to/python/include LDFLAGS=-L/path/to/python/lib make`.

--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -160,6 +160,8 @@ Available options:
 Setting `AFL_LLVM_CMPLOG=1` during compilation will tell afl-clang-fast to
 produce a CmpLog binary.

+For afl-gcc-fast, set `AFL_GCC_CMPLOG=1` instead.
+
 For more information, see
 [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).

@ -376,10 +378,10 @@ checks or alter some of the more exotic semantics of the tool:
    valid terminal was detected (for virtual consoles).

  - Setting `AFL_FORKSRV_INIT_TMOUT` allows you to specify a different timeout
-    to wait for the forkserver to spin up. The default is the `-t` value times
-    `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the
-    default would wait for `1000` milliseconds. Setting a different time here is
-    useful if the target has a very slow startup time, for example, when doing
+    to wait for the forkserver to spin up. The specified value is the new timeout, in milliseconds.
+    The default is the `-t` value times `FORK_WAIT_MULT` from `config.h` (usually 10), so for a `-t 100`, the default would wait for `1000` milliseconds.
+    The `AFL_FORKSRV_INIT_TMOUT` value does not get multiplied. It overwrites the initial timeout afl-fuzz waits for the target to come up with a constant time.
+    Setting a different time here is useful if the target has a very slow startup time, for example, when doing
    full-system fuzzing or emulation, but you don't want the actual runs to wait
    too long for timeouts.

@ -407,11 +409,22 @@ checks or alter some of the more exotic semantics of the tool:
    the afl-fuzz -g/-G command line option to control the minimum/maximum
    of fuzzing input generated.

-  - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes on
-    timeout. Unless you implement your own targets or instrumentation, you
+  - `AFL_KILL_SIGNAL`: Set the signal ID to be delivered to child processes
+    on timeout. Unless you implement your own targets or instrumentation, you
    likely don't have to set it. By default, on timeout and on exit, `SIGKILL`
    (`AFL_KILL_SIGNAL=9`) will be delivered to the child.

+  - `AFL_FORK_SERVER_KILL_SIGNAL`: Set the signal ID to be delivered to the
+    fork server when AFL++ is terminated. Unless you implement your
+    fork server, you likely do not have to set it. By default, `SIGTERM`
+    (`AFL_FORK_SERVER_KILL_SIGNAL=15`) will be delivered to the fork server.
+    If only `AFL_KILL_SIGNAL` is provided, `AFL_FORK_SERVER_KILL_SIGNAL` will
+    be set to same value as `AFL_KILL_SIGNAL` to provide backward compatibility.
+    If `AFL_FORK_SERVER_KILL_SIGNAL` is also set, it takes precedence.
+
+    NOTE: Uncatchable signals, such as `SIGKILL`, cause child processes of
+    the fork server to be orphaned and leaves them in a zombie state.
+
  - `AFL_MAP_SIZE` sets the size of the shared map that afl-analyze, afl-fuzz,
    afl-showmap, and afl-tmin create to gather instrumentation data from the
    target. This must be equal or larger than the size the target was compiled
@ -453,14 +466,17 @@ checks or alter some of the more exotic semantics of the tool:
    normally done when starting up the forkserver and causes a pretty
    significant performance drop.

-  - `AFL_NO_SNAPSHOT` will advice afl-fuzz not to use the snapshot feature if
+  - `AFL_NO_SNAPSHOT` will advise afl-fuzz not to use the snapshot feature if
    the snapshot lkm is loaded.

  - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints
    some basic stats. This behavior is also automatically triggered when the
    output from afl-fuzz is redirected to a file or to a pipe.

-  - In QEMU mode (-Q) and Frida mode (-O), `AFL_PATH` will be searched for
+  - Setting `AFL_NO_STARTUP_CALIBRATION` will skip the initial calibration
+    of all starting seeds, and start fuzzing at once.
+
+  - In QEMU mode (-Q) and FRIDA mode (-O), `AFL_PATH` will be searched for
    afl-qemu-trace and afl-frida-trace.so.

  - If you are using persistent mode (you should, see
@ -468,7 +484,7 @@ checks or alter some of the more exotic semantics of the tool:
    some targets keep inherent state due which a detected crash test case does
    not crash the target again when the test case is given. To be able to still
    re-trigger these crashes, you can use the `AFL_PERSISTENT_RECORD` variable
-    with a value of how many previous fuzz cases to keep prio a crash. If set to
+    with a value of how many previous fuzz cases to keep prior a crash. If set to
    e.g., 10, then the 9 previous inputs are written to out/default/crashes as
    RECORD:000000,cnt:000000 to RECORD:000000,cnt:000008 and
    RECORD:000000,cnt:000009 being the crash case. NOTE: This option needs to be
@ -553,10 +569,10 @@ checks or alter some of the more exotic semantics of the tool:
      in the target binary

  - If you need an early forkserver in your target because of early
-    constructors in your target you can set `AFL_EARLY_FORKSERVER`.
+    constructors in your target, you can set `AFL_EARLY_FORKSERVER`.
    Note that this is not a compile time option but a runtime option :-)

-  - set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0
+  - Set `AFL_PIZZA_MODE` to 1 to enable the April 1st stats menu, set to 0
    to disable although it is 1st of April.

 ## 5) Settings for afl-qemu-trace
@ -689,8 +705,8 @@ support.
 * `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks
  to fetch when generating instrumented code. By fetching blocks in the same
  order they appear in the original program, rather than the order of execution
-  should help reduce locallity and adjacency. This includes allowing us to
-  vector between adjancent blocks using a NOP slide rather than an immediate
+  should help reduce locality and adjacency. This includes allowing us to
+  vector between adjacent blocks using a NOP slide rather than an immediate
  branch.
 * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
  stored along-side branch instructions which provide a cache to avoid having to
--- a/docs/features.md
+++ b/docs/features.md
@ -12,7 +12,7 @@ QEMU 5.1 with laf-intel and Redqueen, FRIDA mode, unicorn mode, gcc plugin, full
 | NeverZero           [B]       | x86[_64] |    x(1)   |      x     |        x       |         x        |         x        |              |                    |
 | Persistent Mode     [C]       |          |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |         x        |              |                    |
 | LAF-Intel / CompCov [D]       |          |     x     |            |                | x86[_64]/arm[64] | x86[_64]/arm[64] |   x86[_64]   |                    |
-| CmpLog              [E]       |          |     x     |            | x86[_64]/arm64 | x86[_64]/arm[64] |                  |              |                    |
+| CmpLog              [E]       |          |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |                  |              |                    |
 | Selective Instrumentation [F] |          |     x     |      x     |        x       |         x        |                  |              |                    |
 | Non-Colliding Coverage    [G] |          |    x(4)   |            |                |       (x)(5)     |                  |              |                    |
 | Ngram prev_loc Coverage   [H] |          |    x(6)   |            |                |                  |                  |              |                    |
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@ -291,7 +291,7 @@ its IPT performance is just 6%!

 There are many binary-only fuzzing frameworks. Some are great for CTFs but don't
 work with large binaries, others are very slow but have good path discovery,
-some are very hard to set-up...
+some are very hard to set up...

 * Jackalope:
  [https://github.com/googleprojectzero/Jackalope](https://github.com/googleprojectzero/Jackalope)
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@ -523,7 +523,7 @@ mode!) and switch the input directory with a dash (`-`):
 afl-fuzz -i - -o output -- bin/target -someopt @@
 ```

-Adding a dictionary is helpful. You have to following options:
+Adding a dictionary is helpful. You have the following options:

 * See the directory
 [dictionaries/](../dictionaries/), if something is already included for your
@ -626,6 +626,9 @@ from other fuzzers in the campaign first.

 If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
 then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.

 You can also use different fuzzers. If you are using AFL spinoffs or AFL
 conforming fuzzers, then just use the same -o directory and give it a unique
@ -669,7 +672,7 @@ The syncing process itself is very simple. As the `-M main-$HOSTNAME` instance
 syncs to all `-S` secondaries as well as to other fuzzers, you have to copy only
 this directory to the other machines.

-Lets say all servers have the `-o out` directory in /target/foo/out, and you
+Let's say all servers have the `-o out` directory in /target/foo/out, and you
 created a file `servers.txt` which contains the hostnames of all participating
 servers, plus you have an ssh key deployed to all of them, then run:

@ -838,9 +841,10 @@ Here are some of the most important caveats for AFL++:

 - There is no direct support for fuzzing network services, background daemons,
  or interactive apps that require UI interaction to work. You may need to make
-  simple code changes to make them behave in a more traditional way. Preeny or libdesock may
-  offer a relatively simple option, too - see:
-  [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock)
+  simple code changes to make them behave in a more traditional way. Preeny or
+  libdesock may offer a relatively simple option, too - see:
+  [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or
+  [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock)

  Some useful tips for modifying network-based services can be also found at:
  [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
@ -896,11 +900,22 @@ then color-codes the input based on which sections appear to be critical and
 which are not; while not bulletproof, it can often offer quick insights into
 complex file formats.

+`casr-afl` from [CASR](https://github.com/ispras/casr) tools provides
+comfortable triaging for crashes found by AFL++. Reports are clustered and
+contain severity and other information.
+```shell
+casr-afl -i /path/to/afl/out/dir -o /path/to/casr/out/dir
+```
+
 ## 5. CI fuzzing

 Some notes on continuous integration (CI) fuzzing - this fuzzing is different to
 normal fuzzing campaigns as these are much shorter runnings.

+If the queue in the CI is huge and/or the execution time is slow then you can
+also add `AFL_NO_STARTUP_CALIBRATION=1` to skip the initial queue calibration
+phase and start fuzzing at once.
+
 1. Always:
    * LTO has a much longer compile time which is diametrical to short fuzzing -
      hence use afl-clang-fast instead.
--- a/docs/ideas.md
+++ b/docs/ideas.md
@ -19,18 +19,18 @@ Mentor: vanhauser-thc
 ## WASM Instrumentation

 Currently, AFL++ can be used for source code fuzzing and traditional binaries.
-With the rise of WASM as a compile target, however, a novel way of instrumentation
-needs to be implemented for binaries compiled to Webassembly. This can either be
-done by inserting instrumentation directly into the WASM AST, or by patching
-feedback into a WASM VM of choice, similar to the current Unicorn
+With the rise of WASM as a compile target, however, a novel way of
+instrumentation needs to be implemented for binaries compiled to Webassembly.
+This can either be done by inserting instrumentation directly into the WASM AST,
+or by patching feedback into a WASM VM of choice, similar to the current Unicorn
 instrumentation.

 Mentor: any

 ## Support other programming languages

-Other programming languages also use llvm hence they could be (easily?) supported
-for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ...
+Other programming languages also use llvm hence they could be (easily?)
+supported for fuzzing, e.g., mono, swift, go, kotlin native, fortran, ...

 GCC also supports: Objective-C, Fortran, Ada, Go, and D (according to
 [Gcc homepage](https://gcc.gnu.org/))
--- a/docs/third_party_tools.md
+++ b/docs/third_party_tools.md
@ -1,11 +1,13 @@
 # Tools that help fuzzing with AFL++

-Speeding up fuzzing:
+## Speeding up fuzzing
+
 * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the
  function you want to fuzz requires loading a file, this allows using the
  shared memory test case feature :-) - recommended.

-Minimization of test cases:
+## Minimization of test cases
+
 * [afl-pytmin](https://github.com/ilsani/afl-pytmin) - a wrapper for afl-tmin
  that tries to speed up the process of minimization of a single test case by
  using many CPU cores.
@ -14,7 +16,8 @@ Minimization of test cases:
 * [halfempty](https://github.com/googleprojectzero/halfempty) -  is a fast
  utility for minimizing test cases by Tavis Ormandy based on parallelization.

-Distributed execution:
+## Distributed execution
+
 * [disfuzz-afl](https://github.com/MartijnB/disfuzz-afl) - distributed fuzzing
  for AFL.
 * [AFLDFF](https://github.com/quantumvm/AFLDFF) - AFL distributed fuzzing
@ -26,7 +29,8 @@ Distributed execution:
 * [afl-in-the-cloud](https://github.com/abhisek/afl-in-the-cloud) - another
  script for running AFL in AWS.

-Deployment, management, monitoring, reporting
+## Deployment, management, monitoring, reporting
+
 * [afl-utils](https://gitlab.com/rc0r/afl-utils) - a set of utilities for
  automatic processing/analysis of crashes and reducing the number of test
  cases.
@ -44,7 +48,8 @@ Deployment, management, monitoring, reporting
 * [afl-extras](https://github.com/fekir/afl-extras) - shell scripts to
  parallelize afl-tmin, startup, and data collection.

-Crash processing
+## Crash processing
+
 * [AFLTriage](https://github.com/quic/AFLTriage) -
  triage crashing input files using gdb.
 * [afl-crash-analyzer](https://github.com/floyd-fuh/afl-crash-analyzer) -
@ -57,3 +62,5 @@ Crash processing
  generates builds of debian packages suitable for AFL.
 * [afl-fid](https://github.com/FoRTE-Research/afl-fid) - a set of tools for
  working with input data.
+* [CASR](https://github.com/ispras/casr) - a set of tools for crash triage and
+  analysis.
--- a/docs/tutorials.md
+++ b/docs/tutorials.md
@ -33,6 +33,7 @@ structure is), these links have you covered (some are outdated though):
  [https://github.com/adrian-rt/superion-mutator](https://github.com/adrian-rt/superion-mutator)

 ## Video Tutorials
+
 * [Install AFL++ Ubuntu](https://www.youtube.com/watch?v=5dCvhkbi3RA)
 * [[Fuzzing with AFLplusplus] Installing AFLPlusplus and fuzzing a simple C program](https://www.youtube.com/watch?v=9wRVo0kYSlc)
 * [[Fuzzing with AFLplusplus] How to fuzz a binary with no source code on Linux in persistent mode](https://www.youtube.com/watch?v=LGPJdEO02p4)
--- a/dynamic_list.txt
+++ b/dynamic_list.txt
@ -8,6 +8,7 @@
  "__afl_auto_first";
  "__afl_auto_init";
  "__afl_auto_second";
+  "__afl_connected";
  "__afl_coverage_discard";
  "__afl_coverage_interesting";
  "__afl_coverage_off";
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@ -13,6 +13,16 @@ JS_SRC:=$(BUILD_DIR)api.c
 JS_OBJ:=$(BUILD_DIR)api.o
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))
+
+TARGET_CC?=$(CC)
+TARGET_CXX?=$(CXX)
+HOST_CC?=$(CC)
+HOST_CXX?=$(CXX)
+IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
+IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
@ -21,6 +31,10 @@ CFLAGS+=-fPIC \
 		-funroll-loops \
 		-ffunction-sections \

+ifdef IS_ANDROID
+CFLAGS+=-DANDROID
+endif
+
 AFL_CFLAGS:=-Wno-unused-parameter \
 		   -Wno-sign-compare \
 		   -Wno-unused-function \
@ -28,25 +42,37 @@ AFL_CFLAGS:=-Wno-unused-parameter \
 		   -Wno-int-to-pointer-cast \
 		   -Wno-pointer-sign

+ifdef IS_ANDROID
+LDFLAGS+= -static-libstdc++ \
+		  -DANDROID \
+		  -llog \
+		  -shared
+else
 LDFLAGS+=-shared \
 		 -lpthread \
 		 -lresolv
+endif

 ifdef DEBUG
 CFLAGS+=-Werror \
 		-Wall \
 		-Wextra \
-		-Wpointer-arith
+		-Wpointer-arith \
+		-Wno-unknown-pragmas \
+		-Wno-pointer-to-int-cast \
+		-Wno-int-to-pointer-cast
 else
 CFLAGS+=-Wno-pointer-arith
 endif

 FRIDA_BUILD_DIR:=$(BUILD_DIR)frida/
 FRIDA_TRACE:=$(BUILD_DIR)afl-frida-trace.so
+FRIDA_TRACE_LIB:=$(BUILD_DIR)libafl-frida-trace.a
 FRIDA_TRACE_EMBEDDED:=$(BUILD_DIR)afl-frida-trace-embedded

 TARGET_CC?=$(CC)
 TARGET_CXX?=$(CXX)
+TARGET_AR?=$(AR)
 HOST_CC?=$(CC)
 HOST_CXX?=$(CXX)

@ -76,11 +102,11 @@ else
 ifdef DEBUG
 AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-prio-ctor-dtor
 endif
+
 LDFLAGS+=	-z noexecstack \
 			-Wl,--gc-sections \
 			-Wl,--exclude-libs,ALL \
-		    -ldl \
-		    -lrt
+		    -ldl
 LDSCRIPT:=-Wl,--version-script=$(PWD)frida.map
 endif

@ -91,32 +117,35 @@ ifeq "$(shell uname)" "Linux"
 endif
 endif

-ifneq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
+
+ifdef IS_ANDROID
 OS:=android
- ifneq "$(findstring aarch64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=arm64
+ ifdef IS_x86
+  ARCH:=x86
 endif
- ifneq "$(findstring arm, $(shell $(CC) --version 2>/dev/null))" ""
+ ifdef IS_x86
+  ARCH:=x86_64
+ endif
+ ifdef IS_ARM
   ARCH:=arm
 endif
- ifneq "$(findstring x86_64, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86_64
- endif
- ifneq "$(findstring i686, $(shell $(CC) --version 2>/dev/null))" ""
-   ARCH:=x86
+ ifdef IS_ARM64
+   ARCH:=arm64
 endif
 endif

+
 ifeq "$(ARCH)" "armhf"
 TARGET_CC:=arm-linux-gnueabihf-gcc
 TARGET_CXX:=arm-linux-gnueabihf-g++
+ TARGET_AR:=arm-linux-gnueabihf-ar
 endif

 ifndef OS
 $(error "Operating system unsupported")
 endif

-GUM_DEVKIT_VERSION=15.1.22
+GUM_DEVKIT_VERSION=16.0.6
 GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
 GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)"

@ -157,11 +186,14 @@ BIN2C_SRC:=$(PWD)util/bin2c.c

 ############################## ALL #############################################

-all: $(FRIDA_TRACE) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(ADDR_BIN)
+all: $(FRIDA_TRACE) $(FRIDA_TRACE_LIB) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(ADDR_BIN)

 32:
 	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all

+arm:
+	CFLAGS="-marm" LDFLAGS="-marm" ARCH="armhf" TARGET_CC=arm-linux-gnueabihf-gcc TARGET_CXX=arm-linux-gnueabihf-g++ make all
+
 $(BUILD_DIR):
 	mkdir -p $(BUILD_DIR)

@ -180,7 +212,7 @@ $(FRIDA_MAKEFILE): | $(BUILD_DIR)
 .PHONY: $(GUM_DEVIT_LIBRARY)

 $(GUM_DEVIT_LIBRARY): $(FRIDA_MAKEFILE)
-	cd $(FRIDA_DIR) && make gum-$(OS)$(GUM_ARCH)
+	cd $(FRIDA_DIR) && make gum-$(OS)$(GUM_ARCH) FRIDA_V8=disabled

 $(GUM_DEVIT_HEADER): $(FRIDA_MAKEFILE) | $(FRIDA_BUILD_DIR)
 	echo "#include <stdio.h>" > $@
@ -219,37 +251,24 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \

 else ifeq "$(ARCH)" "arm64"

-CFLAGS+=-I $(FRIDA_DIR)build/frida_thin-$(OS)-$(ARCH)/include/frida-1.0 \
-	    -I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
-		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
-
-TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libtcc.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libjson-glib-1.0.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libquickjs.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libcapstone.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libunwind.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libffi.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libdwarf.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libelf.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libgio-2.0.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libgobject-2.0.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libglib-2.0.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/liblzma.a \
-			   $(FRIDA_DIR)build/frida_thin-sdk-$(OS)-$(ARCH)/lib/libz.a \
-
-else
-
-CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
+CFLAGS+=-I $(FRIDA_DIR)build/$(OS)-$(ARCH)/include/frida-1.0 \
 	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
 		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \

+ifeq "$(OS)" "android"
+CFLAGS += -static-libstdc++
+endif
+else
+CFLAGS+=-I $(FRIDA_DIR)build/$(OS)-$(ARCH)/include/frida-1.0 \
+	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+
+endif
+
 TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
@ -267,15 +286,37 @@ TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
 			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \

+CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
+	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
+		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/
+
+ifeq "$(OS)" "android"
+ CFLAGS += -static-libstdc++
 endif

-
-
+TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libtcc.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libjson-glib-1.0.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libquickjs.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libcapstone.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libunwind.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libffi.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libdwarf.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libelf.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgio-2.0.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgobject-2.0.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libglib-2.0.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
+			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \


 else
 $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
-	wget -O $@ $(GUM_DEVKIT_URL) || curl -L -o $@ $(GUM_DEVKIT_URL)
+	wget -qO $@ $(GUM_DEVKIT_URL) || curl -L -o $@ $(GUM_DEVKIT_URL)

 $(GUM_DEVIT_LIBRARY): $(GUM_DEVKIT_TARBALL)
 	tar Jxvfm $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR)
@ -353,6 +394,15 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL

 	cp -v $(FRIDA_TRACE) $(ROOT)

+$(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR)
+	$(TARGET_AR) \
+		-rcs \
+		$@ \
+		$(OBJS) \
+		$(JS_OBJ) \
+		$(AFL_COMPILER_RT_OBJ) \
+		$(AFL_PERFORMANCE_OBJ) \
+
 ############################# HOOK #############################################

 $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR)
@ -364,6 +414,7 @@ $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)

 ############################# ADDR #############################################
+ifneq "$(OS)" "android"
 $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 	-$(TARGET_CC) \
 		$(CFLAGS) \
@ -377,7 +428,20 @@ $(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
 		-ldl \
 		-lrt \
 		$< -o $@
-
+else
+$(ADDR_BIN): $(ADDR_SRC) | $(BUILD_DIR)
+	-$(TARGET_CC) \
+		$(CFLAGS) \
+		-Werror \
+		-Wall \
+		-Wextra \
+		-Wpointer-arith \
+		-z noexecstack \
+		-Wl,--gc-sections \
+		-Wl,--exclude-libs,ALL \
+		-ldl \
+		$< -o $@
+endif
 addr: $(ADDR_BIN)

 ############################# CLEAN ############################################
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@ -86,7 +86,7 @@ To enable the powerful CMPLOG mechanism, set `-c 0` for `afl-fuzz`.

 ## Scripting

-One of the more powerful features of FRIDA mode is it's support for
+One of the more powerful features of FRIDA mode is its support for
 configuration by JavaScript, rather than using environment variables. For
 details of how this works, see [Scripting.md](Scripting.md).

@ -146,11 +146,14 @@ instances run CMPLOG mode and instrumentation of the binary is less frequent
  QEMU driver to provide a `main` loop for a user provided
  `LLVMFuzzerTestOneInput`, this option configures the driver to read input from
  `stdin` rather than using in-memory test cases.
+* `AFL_FRIDA_INST_COVERAGE_ABSOLUTE` - Generate coverage files using absolute
+  virtual addresses rather than relative virtual addresses.
 * `AFL_FRIDA_INST_COVERAGE_FILE` - File to write DynamoRIO format coverage
  information (e.g., to be loaded within IDA lighthouse).
 * `AFL_FRIDA_INST_DEBUG_FILE` - File to write raw assembly of original blocks
  and their instrumented counterparts during block compilation.

+```
 Creating block for 0x7ffff7953313:
        0x7ffff7953313  mov qword ptr [rax], 0
        0x7ffff795331a  add rsp, 8
@ -166,7 +169,7 @@ Generated block 0x7ffff75e98e2


  ***
-  ```
+```
 * `AFL_FRIDA_INST_CACHE_SIZE` - Set the size of the instrumentation cache used
 as a look-up table to cache real to instrumented address block translations.
 Default is 256Mb.
@ -177,6 +180,8 @@ Default is 256Mb.
  a file.
 * `AFL_FRIDA_INST_NO_OPTIMIZE` - Don't use optimized inline assembly coverage
  instrumentation (the default where available). Required to use
+* `AFL_FRIDA_INST_REGS_FILE` - File to write raw register contents at the start
+  of each block.
  `AFL_FRIDA_INST_TRACE`.
 * `AFL_FRIDA_INST_NO_CACHE` - Don't use a look-up table to cache real to
 instrumented address block translations.
--- a/frida_mode/Scripting.md
+++ b/frida_mode/Scripting.md
@ -2,7 +2,7 @@

 FRIDA now supports the ability to configure itself using JavaScript. This allows
 the user to make use of the convenience of FRIDA's scripting engine (along with
-it's support for debug symbols and exports) to configure all of the things which
+its support for debug symbols and exports) to configure all of the things which
 were traditionally configured using environment variables.

 By default, FRIDA mode will look for the file `afl.js` in the current working
@ -95,7 +95,7 @@ Afl.print("done");

 ## Stripped binaries

-Lastly, if the binary you attempting to fuzz has no symbol information and no
+Lastly, if the binary you're attempting to fuzz has no symbol information and no
 exports, then the following approach can be used.

 ```js
@ -390,7 +390,7 @@ Consider the [following](test/js/test2.c) test code...
   --------------------------------------------------------
   Originally written by Michal Zalewski
   Copyright 2014 Google Inc. All rights reserved.
-   Copyright 2019-2022 AFLplusplus Project. All rights reserved.
+   Copyright 2019-2023 AFLplusplus Project. All rights reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at:
@ -850,6 +850,14 @@ class Afl {
  static setInstrumentNoOptimize() {
      Afl.jsApiSetInstrumentNoOptimize();
  }
+  /**
+   * See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as
+   * an argument.
+   */
+  public static setInstrumentRegsFile(file: string): void {
+    const buf = Memory.allocUtf8String(file);
+    Afl.jsApiSetInstrumentRegsFile(buf);
+  }
  /*
    * See `AFL_FRIDA_INST_SEED`
    */
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@ -13,12 +13,14 @@
    js_api_set_debug_maps;
    js_api_set_entrypoint;
    js_api_set_instrument_cache_size;
+    js_api_set_instrument_coverage_absolute;
    js_api_set_instrument_coverage_file;
    js_api_set_instrument_debug_file;
    js_api_set_instrument_jit;
    js_api_set_instrument_libraries;
    js_api_set_instrument_instructions;
    js_api_set_instrument_no_optimize;
+    js_api_set_instrument_regs_file;
    js_api_set_instrument_seed;
    js_api_set_instrument_trace;
    js_api_set_instrument_trace_unique;
--- a/frida_mode/hook/frida_hook.c
+++ b/frida_mode/hook/frida_hook.c
@ -31,7 +31,7 @@ __attribute__((visibility("default"))) void afl_persistent_hook(
  // do a length check matching the target!

  void **esp = (void **)regs->esp;
-  void * arg1 = esp[0];
+  void  *arg1 = esp[0];
  void **arg2 = &esp[1];
  memcpy(arg1, input_buf, input_buf_len);
  *arg2 = (void *)input_buf_len;
@ -50,6 +50,18 @@ __attribute__((visibility("default"))) void afl_persistent_hook(

 }

+#elif defined(__arm__)
+
+__attribute__((visibility("default"))) void afl_persistent_hook(
+    GumCpuContext *regs, uint8_t *input_buf, uint32_t input_buf_len) {
+
+  // do a length check matching the target!
+
+  memcpy((void *)regs->r[0], input_buf, input_buf_len);
+  regs->r[1] = input_buf_len;
+
+}
+
 #else
  #pragma error "Unsupported architecture"
 #endif
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@ -5,14 +5,16 @@

 #include "config.h"

-extern char *   instrument_debug_filename;
-extern char *   instrument_coverage_filename;
+extern char    *instrument_debug_filename;
+extern char    *instrument_coverage_filename;
+extern bool     instrument_coverage_absolute;
 extern gboolean instrument_tracing;
 extern gboolean instrument_optimize;
 extern gboolean instrument_unique;
 extern guint64  instrument_hash_zero;
-extern char *   instrument_coverage_unstable_filename;
+extern char    *instrument_coverage_unstable_filename;
 extern gboolean instrument_coverage_insn;
+extern char    *instrument_regs_filename;

 extern gboolean instrument_use_fixed_seed;
 extern guint64  instrument_fixed_seed;
@ -35,9 +37,9 @@ GumStalkerTransformer *instrument_get_transformer(void);
 gboolean instrument_is_coverage_optimize_supported(void);

 void instrument_coverage_optimize_init(void);
-void instrument_coverage_optimize(const cs_insn *   instr,
+void instrument_coverage_optimize(const cs_insn    *instr,
                                  GumStalkerOutput *output);
-void instrument_coverage_optimize_insn(const cs_insn *   instr,
+void instrument_coverage_optimize_insn(const cs_insn    *instr,
                                       GumStalkerOutput *output);

 void     instrument_debug_config(void);
@ -66,6 +68,8 @@ void instrument_cache_config(void);
 void instrument_cache_init(void);
 void instrument_cache_insert(gpointer real_address, gpointer code_address);
 void instrument_cache(const cs_insn *instr, GumStalkerOutput *output);
+void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data);
+void instrument_regs_format(int fd, char *format, ...);

 #endif

--- a/frida_mode/include/persistent.h
+++ b/frida_mode/include/persistent.h
@ -13,7 +13,7 @@ typedef void (*afl_persistent_hook_fn)(api_regs *regs, uint64_t guest_base,

 extern int __afl_persistent_loop(unsigned int max_cnt);

-extern unsigned int * __afl_fuzz_len;
+extern unsigned int  *__afl_fuzz_len;
 extern unsigned char *__afl_fuzz_ptr;

 extern guint64                persistent_start;
--- a/frida_mode/include/seccomp.h
+++ b/frida_mode/include/seccomp.h
@ -1,7 +1,7 @@
 #ifndef _SECCOMP_H
 #define _SECCOMP_H

-#ifndef __APPLE__
+#if !defined(__APPLE__) && !defined(__ANDROID__)

  #include <stdint.h>
  #include <linux/filter.h>
@ -401,9 +401,9 @@ enum {

 typedef void (*seccomp_child_func_t)(int event_fd, void *ctx);

-typedef void (*seccomp_filter_callback_t)(struct seccomp_notif *     req,
+typedef void (*seccomp_filter_callback_t)(struct seccomp_notif      *req,
                                          struct seccomp_notif_resp *resp,
-                                          GumReturnAddressArray *    frames);
+                                          GumReturnAddressArray     *frames);

 void seccomp_atomic_set(volatile bool *ptr, bool val);
 bool seccomp_atomic_try_set(volatile bool *ptr, bool val);
--- a/frida_mode/include/shm.h
+++ b/frida_mode/include/shm.h
@ -0,0 +1,9 @@
+#ifndef _SHM_H
+#define _SHM_H
+
+#include <stddef.h>
+
+void *shm_create(size_t size);
+
+#endif
+
--- a/frida_mode/include/stats.h
+++ b/frida_mode/include/stats.h
@ -43,7 +43,7 @@ typedef struct {
 G_DECLARE_FINAL_TYPE(GumAflStalkerStats, gum_afl_stalker_stats, GUM,
                     AFL_STALKER_STATS, GObject)

-extern char *  stats_filename;
+extern char   *stats_filename;
 extern guint64 stats_interval;

 void stats_config(void);
--- a/frida_mode/src/asan/asan.c
+++ b/frida_mode/src/asan/asan.c
@ -30,12 +30,21 @@ void asan_init(void) {
 static gboolean asan_exclude_module(const GumModuleDetails *details,
                                    gpointer                user_data) {

-  gchar *    symbol_name = (gchar *)user_data;
+  gchar     *symbol_name = (gchar *)user_data;
  GumAddress address;

  address = gum_module_find_export_by_name(details->name, symbol_name);
  if (address == 0) { return TRUE; }

+  /* If the reported address of the symbol is outside of the range of the module
+   * then ignore it */
+  if (address < details->range->base_address) { return TRUE; }
+  if (address > (details->range->base_address + details->range->size)) {
+
+    return TRUE;
+
+  }
+
  ranges_add_exclude((GumMemoryRange *)details->range);
  return FALSE;

--- a/frida_mode/src/asan/asan_arm64.c
+++ b/frida_mode/src/asan/asan_arm64.c
@ -22,8 +22,8 @@ asan_storeN_t asan_storeN = NULL;

 static void asan_callout(GumCpuContext *ctx, gpointer user_data) {

-  asan_ctx_t *  asan_ctx = (asan_ctx_t *)user_data;
-  cs_arm64_op * operand = &asan_ctx->operand;
+  asan_ctx_t   *asan_ctx = (asan_ctx_t *)user_data;
+  cs_arm64_op  *operand = &asan_ctx->operand;
  arm64_op_mem *mem = &operand->mem;
  gsize         base = 0;
  gsize         index = 0;
@ -59,7 +59,7 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {

  cs_arm64     arm64 = instr->detail->arm64;
  cs_arm64_op *operand;
-  asan_ctx_t * ctx;
+  asan_ctx_t  *ctx;

  if (!asan_initialized) return;

--- a/frida_mode/src/asan/asan_x64.c
+++ b/frida_mode/src/asan/asan_x64.c
@ -17,7 +17,7 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {

  UNUSED_PARAMETER(user_data);

-  cs_x86_op * operand = (cs_x86_op *)user_data;
+  cs_x86_op  *operand = (cs_x86_op *)user_data;
  x86_op_mem *mem = &operand->mem;
  gsize       base = 0;
  gsize       index = 0;
@ -48,9 +48,9 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
  UNUSED_PARAMETER(iterator);

  cs_x86      x86 = instr->detail->x86;
-  cs_x86_op * operand;
+  cs_x86_op  *operand;
  x86_op_mem *mem;
-  cs_x86_op * ctx;
+  cs_x86_op  *ctx;

  if (!asan_initialized) return;

--- a/frida_mode/src/asan/asan_x86.c
+++ b/frida_mode/src/asan/asan_x86.c
@ -17,7 +17,7 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {

  UNUSED_PARAMETER(user_data);

-  cs_x86_op * operand = (cs_x86_op *)user_data;
+  cs_x86_op  *operand = (cs_x86_op *)user_data;
  x86_op_mem *mem = &operand->mem;
  gsize       base = 0;
  gsize       index = 0;
@ -48,9 +48,9 @@ void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
  UNUSED_PARAMETER(iterator);

  cs_x86      x86 = instr->detail->x86;
-  cs_x86_op * operand;
+  cs_x86_op  *operand;
  x86_op_mem *mem;
-  cs_x86_op * ctx;
+  cs_x86_op  *ctx;

  if (!asan_initialized) return;

--- a/frida_mode/src/cmplog/cmplog.c
+++ b/frida_mode/src/cmplog/cmplog.c
@ -13,9 +13,9 @@
 #define MAX_MEMFD_SIZE (64UL << 10)

 extern struct cmp_map *__afl_cmp_map;
-static GArray *        cmplog_ranges = NULL;
-static GHashTable *    hash_yes = NULL;
-static GHashTable *    hash_no = NULL;
+static GArray         *cmplog_ranges = NULL;
+static GHashTable     *hash_yes = NULL;
+static GHashTable     *hash_no = NULL;

 static long page_size = 0;
 static long page_offset_mask = 0;
@ -24,7 +24,7 @@ static long page_mask = 0;
 static gboolean cmplog_range(const GumRangeDetails *details,
                             gpointer               user_data) {

-  GArray *       cmplog_ranges = (GArray *)user_data;
+  GArray        *cmplog_ranges = (GArray *)user_data;
  GumMemoryRange range = *details->range;
  g_array_append_val(cmplog_ranges, range);
  return TRUE;
@ -118,7 +118,7 @@ gboolean cmplog_test_addr(guint64 addr, size_t size) {
  if (g_hash_table_contains(hash_yes, GSIZE_TO_POINTER(addr))) { return true; }
  if (g_hash_table_contains(hash_no, GSIZE_TO_POINTER(addr))) { return false; }

-  void * page_addr = GSIZE_TO_POINTER(addr & page_mask);
+  void  *page_addr = GSIZE_TO_POINTER(addr & page_mask);
  size_t page_offset = addr & page_offset_mask;

  /* If it spans a page, then bail */
--- a/frida_mode/src/cmplog/cmplog_arm64.c
+++ b/frida_mode/src/cmplog/cmplog_arm64.c
@ -148,7 +148,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,
-                                          cs_arm64_op * operand) {
+                                          cs_arm64_op  *operand) {

  ctx->type = operand->type;
  switch (operand->type) {
@ -169,7 +169,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,

 }

-static void cmplog_instrument_call(const cs_insn *     instr,
+static void cmplog_instrument_call(const cs_insn      *instr,
                                   GumStalkerIterator *iterator) {

  cs_arm64     arm64 = instr->detail->arm64;
@ -204,10 +204,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1,

  gsize address = context->pc;

-  register uintptr_t k = (uintptr_t)address;
-
-  k = (k >> 4) ^ (k << 8);
-  k &= CMP_MAP_W - 1;
+  register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address));

  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
    __afl_cmp_map->headers[k].hits = 0;
@ -247,8 +244,8 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,
-                                                  cs_arm64_op *       operand1,
-                                                  cs_arm64_op *       operand2,
+                                                  cs_arm64_op        *operand1,
+                                                  cs_arm64_op        *operand2,
                                                  size_t              size) {

  cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t));
@ -263,7 +260,7 @@ static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,

 }

-static void cmplog_instrument_cmp_sub(const cs_insn *     instr,
+static void cmplog_instrument_cmp_sub(const cs_insn      *instr,
                                      GumStalkerIterator *iterator) {

  cs_arm64     arm64 = instr->detail->arm64;
--- a/frida_mode/src/cmplog/cmplog_x64.c
+++ b/frida_mode/src/cmplog/cmplog_x64.c
@ -141,7 +141,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,
-                                          cs_x86_op *   operand) {
+                                          cs_x86_op    *operand) {

  ctx->type = operand->type;
  ctx->size = operand->size;
@ -163,7 +163,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,

 }

-static void cmplog_instrument_call(const cs_insn *     instr,
+static void cmplog_instrument_call(const cs_insn      *instr,
                                   GumStalkerIterator *iterator) {

  cs_x86     x86 = instr->detail->x86;
@ -188,10 +188,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1,

  gsize address = ctx_read_reg(context, X86_REG_RIP);

-  register uintptr_t k = (uintptr_t)address;
-
-  k = (k >> 4) ^ (k << 8);
-  k &= CMP_MAP_W - 7;
+  register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address));

  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
    __afl_cmp_map->headers[k].hits = 0;
@ -230,7 +227,7 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,
-                                                  cs_x86_op *         operand1,
+                                                  cs_x86_op          *operand1,
                                                  cs_x86_op *operand2) {

  cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t));
@ -244,7 +241,7 @@ static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,

 }

-static void cmplog_instrument_cmp_sub(const cs_insn *     instr,
+static void cmplog_instrument_cmp_sub(const cs_insn      *instr,
                                      GumStalkerIterator *iterator) {

  cs_x86     x86 = instr->detail->x86;
--- a/frida_mode/src/cmplog/cmplog_x86.c
+++ b/frida_mode/src/cmplog/cmplog_x86.c
@ -146,7 +146,7 @@ static void cmplog_call_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,
-                                          cs_x86_op *   operand) {
+                                          cs_x86_op    *operand) {

  ctx->type = operand->type;
  ctx->size = operand->size;
@ -168,7 +168,7 @@ static void cmplog_instrument_put_operand(cmplog_ctx_t *ctx,

 }

-static void cmplog_instrument_call(const cs_insn *     instr,
+static void cmplog_instrument_call(const cs_insn      *instr,
                                   GumStalkerIterator *iterator) {

  cs_x86     x86 = instr->detail->x86;
@ -193,10 +193,7 @@ static void cmplog_handle_cmp_sub(GumCpuContext *context, gsize operand1,

  gsize address = ctx_read_reg(context, X86_REG_EIP);

-  register uintptr_t k = (uintptr_t)address;
-
-  k = (k >> 4) ^ (k << 8);
-  k &= CMP_MAP_W - 1;
+  register uintptr_t k = instrument_get_offset_hash(GUM_ADDRESS(address));

  if (__afl_cmp_map->headers[k].type != CMP_TYPE_INS)
    __afl_cmp_map->headers[k].hits = 0;
@ -238,7 +235,7 @@ static void cmplog_cmp_sub_callout(GumCpuContext *context, gpointer user_data) {
 }

 static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,
-                                                  cs_x86_op *         operand1,
+                                                  cs_x86_op          *operand1,
                                                  cs_x86_op *operand2) {

  cmplog_pair_ctx_t *ctx = g_malloc(sizeof(cmplog_pair_ctx_t));
@ -252,7 +249,7 @@ static void cmplog_instrument_cmp_sub_put_callout(GumStalkerIterator *iterator,

 }

-static void cmplog_instrument_cmp_sub(const cs_insn *     instr,
+static void cmplog_instrument_cmp_sub(const cs_insn      *instr,
                                      GumStalkerIterator *iterator) {

  cs_x86     x86 = instr->detail->x86;
--- a/frida_mode/src/ctx/ctx_arm32.c
+++ b/frida_mode/src/ctx/ctx_arm32.c
@ -7,6 +7,8 @@

 gsize ctx_read_reg(GumArmCpuContext *ctx, arm_reg reg) {

+  UNUSED_PARAMETER(ctx);
+  UNUSED_PARAMETER(reg);
  FFATAL("ctx_read_reg unimplemented for this architecture");

 }
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@ -1,6 +1,5 @@
+#include <fcntl.h>
 #include <unistd.h>
-#include <sys/shm.h>
-#include <sys/mman.h>
 #include <sys/syscall.h>

 #include "frida-gumjs.h"
@ -16,10 +15,13 @@
 #include "persistent.h"
 #include "prefetch.h"
 #include "ranges.h"
+#include "shm.h"
 #include "stalker.h"
 #include "stats.h"
 #include "util.h"

+#define FRIDA_DEFAULT_MAP_SIZE (64UL << 10)
+
 gboolean instrument_tracing = false;
 gboolean instrument_optimize = false;
 gboolean instrument_unique = false;
@ -28,14 +30,17 @@ guint64  instrument_hash_seed = 0;

 gboolean instrument_use_fixed_seed = FALSE;
 guint64  instrument_fixed_seed = 0;
-char *   instrument_coverage_unstable_filename = NULL;
+char    *instrument_coverage_unstable_filename = NULL;
 gboolean instrument_coverage_insn = FALSE;
+char    *instrument_regs_filename = NULL;

 static GumStalkerTransformer *transformer = NULL;

 static GumAddress previous_rip = 0;
 static GumAddress previous_end = 0;
-static u8 *       edges_notified = NULL;
+static u8        *edges_notified = NULL;
+
+static int regs_fd = -1;

 __thread guint64  instrument_previous_pc;
 __thread guint64 *instrument_previous_pc_addr = NULL;
@ -149,7 +154,7 @@ __attribute__((hot)) static void on_basic_block(GumCpuContext *context,
 }

 static void instrument_basic_block(GumStalkerIterator *iterator,
-                                   GumStalkerOutput *  output,
+                                   GumStalkerOutput   *output,
                                   gpointer            user_data) {

  UNUSED_PARAMETER(user_data);
@ -157,7 +162,7 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
  const cs_insn *instr;
  gboolean       begin = TRUE;
  gboolean       excluded;
-  block_ctx_t *  ctx = NULL;
+  block_ctx_t   *ctx = NULL;

  while (gum_stalker_iterator_next(iterator, &instr)) {

@ -230,6 +235,13 @@ static void instrument_basic_block(GumStalkerIterator *iterator,

        }

+        if (unlikely(instrument_regs_filename != NULL)) {
+
+          gum_stalker_iterator_put_callout(iterator, instrument_write_regs,
+                                           (void *)(size_t)regs_fd, NULL);
+
+        }
+
      }

    }
@ -240,8 +252,6 @@ static void instrument_basic_block(GumStalkerIterator *iterator,

    }

-    instrument_debug_instruction(instr->address, instr->size, output);
-
    if (likely(!excluded)) {

      asan_instrument(instr, iterator);
@ -279,6 +289,7 @@ void instrument_config(void) {
  instrument_coverage_unstable_filename =
      (getenv("AFL_FRIDA_INST_UNSTABLE_COVERAGE_FILE"));
  instrument_coverage_insn = (getenv("AFL_FRIDA_INST_INSN") != NULL);
+  instrument_regs_filename = getenv("AFL_FRIDA_INST_REGS_FILE");

  instrument_debug_config();
  instrument_coverage_config();
@ -290,6 +301,8 @@ void instrument_config(void) {

 void instrument_init(void) {

+  if (__afl_map_size == MAP_SIZE) __afl_map_size = FRIDA_DEFAULT_MAP_SIZE;
+
  if (!instrument_is_coverage_optimize_supported()) instrument_optimize = false;

  FOKF(cBLU "Instrumentation" cRST " - " cGRN "optimize:" cYEL " [%c]",
@ -334,29 +347,7 @@ void instrument_init(void) {
  transformer = gum_stalker_transformer_make_from_callback(
      instrument_basic_block, NULL, NULL);

-  if (instrument_unique) {
-
-    int shm_id =
-        shmget(IPC_PRIVATE, __afl_map_size, IPC_CREAT | IPC_EXCL | 0600);
-    if (shm_id < 0) { FATAL("shm_id < 0 - errno: %d\n", errno); }
-
-    edges_notified = shmat(shm_id, NULL, 0);
-    g_assert(edges_notified != MAP_FAILED);
-
-    /*
-     * Configure the shared memory region to be removed once the process
-     * dies.
-     */
-    if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
-
-      FATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
-
-    }
-
-    /* Clear it, not sure it's necessary, just seems like good practice */
-    memset(edges_notified, '\0', __afl_map_size);
-
-  }
+  if (instrument_unique) { edges_notified = shm_create(__afl_map_size); }

  if (instrument_use_fixed_seed) {

@ -390,6 +381,25 @@ void instrument_init(void) {
       instrument_hash_seed);
  instrument_hash_zero = instrument_get_offset_hash(0);

+  FOKF(cBLU "Instrumentation" cRST " - " cGRN "regs:" cYEL " [%s]",
+       instrument_regs_filename == NULL ? " " : instrument_regs_filename);
+
+  if (instrument_regs_filename != NULL) {
+
+    char *path =
+        g_canonicalize_filename(instrument_regs_filename, g_get_current_dir());
+
+    FOKF(cBLU "Instrumentation" cRST " - " cGRN "path:" cYEL " [%s]", path);
+
+    regs_fd = open(path, O_RDWR | O_CREAT | O_TRUNC,
+                   S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+
+    if (regs_fd < 0) { FFATAL("Failed to open regs file '%s'", path); }
+
+    g_free(path);
+
+  }
+
  asan_init();
  cmplog_init();
  instrument_coverage_init();
@ -416,3 +426,22 @@ void instrument_on_fork() {

 }

+void instrument_regs_format(int fd, char *format, ...) {
+
+  va_list ap;
+  char    buffer[4096] = {0};
+  int     ret;
+  int     len;
+
+  va_start(ap, format);
+  ret = vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
+  va_end(ap);
+
+  if (ret < 0) { return; }
+
+  len = strnlen(buffer, sizeof(buffer));
+
+  IGNORED_RETURN(write(fd, buffer, len));
+
+}
+
--- a/frida_mode/src/instrument/instrument_arm32.c
+++ b/frida_mode/src/instrument/instrument_arm32.c
@ -1,40 +1,259 @@
 #include "frida-gumjs.h"

 #include "instrument.h"
+#include "stalker.h"
 #include "util.h"

 #if defined(__arm__)

-gboolean instrument_cache_enabled = FALSE;
-gsize    instrument_cache_size = 0;
+  #define PAGE_MASK (~(GUM_ADDRESS(0xfff)))
+  #define PAGE_ALIGNED(x) ((GUM_ADDRESS(x) & PAGE_MASK) == GUM_ADDRESS(x))
+
+gboolean           instrument_cache_enabled = FALSE;
+gsize              instrument_cache_size = 0;
+static GHashTable *coverage_blocks = NULL;
+
+extern __thread guint64 instrument_previous_pc;
+
+__attribute__((aligned(0x1000))) static guint8 area_ptr_dummy[MAP_SIZE];
+
+  #pragma pack(push, 1)
+typedef struct {
+
+  // cur_location = (block_address >> 4) ^ (block_address << 8);
+  // shared_mem[cur_location ^ prev_location]++;
+  // prev_location = cur_location >> 1;
+
+  // str     r0, [sp, #-128] ; 0xffffff80
+  // str     r1, [sp, #-132] ; 0xffffff7c
+  // ldr     r0, [pc, #-20]  ; 0xf691b29c
+  // ldrh    r1, [r0]
+  // movw    r0, #33222      ; 0x81c6
+  // eor     r0, r0, r1
+  // ldr     r1, [pc, #-40]  ; 0xf691b298
+  // add     r1, r1, r0
+  // ldrb    r0, [r1]
+  // add     r0, r0, #1
+  // add     r0, r0, r0, lsr #8
+  // strb    r0, [r1]
+  // movw    r0, #49379      ; 0xc0e3
+  // ldr     r1, [pc, #-64]  ; 0xf691b29c
+  // strh    r0, [r1]
+  // ldr     r1, [sp, #-132] ; 0xffffff7c
+  // ldr     r0, [sp, #-128] ; 0xffffff80
+
+  uint32_t  b_code;                                                /* b imm */
+  uint8_t  *shared_mem;
+  uint64_t *prev_location;
+
+  /* code */
+
+  /* save regs */
+  uint32_t str_r0_sp_rz;                         /* str r0, [sp - RED_ZONE] */
+  uint32_t str_r1_sp_rz_4;                 /* str r1, [sp - (RED_ZONE + 4)] */
+
+  /* load prev */
+  uint32_t ldr_r0_pprev;                                  /* ldr r0, [pc-x] */
+  uint32_t ldrh_r1_r0;                                     /* ldrh r1, [r0] */
+
+  /* load curr */
+  uint32_t mov_r0_block_id;                               /* mov r0, #imm16 */
+
+  /* calculate new */
+  uint32_t eor_r0_r0_r1;                                  /* eor r0, r0, r1 */
+
+  /* load map */
+  uint32_t ldr_r1_pmap;                                   /* ldr r1, [pc-x] */
+
+  /* calculate offset */
+  uint32_t add_r1_r1_r0;                                  /* add r1, r1, r0 */
+
+  /* Load the value */
+  uint32_t ldrb_r0_r1;                                     /* ldrb r0, [r1] */
+
+  /* Increment the value */
+  uint32_t add_r0_r0_1;                                   /* add r0, r0, #1 */
+  uint32_t add_r0_r0_r0_lsr_8;                    /* add r0, r0, r0, lsr #8 */
+
+  /* Save the value */
+  uint32_t strb_r0_r1;                                     /* strb r0, [r1] */
+
+  /* load curr shifted */
+  uint32_t mov_r0_block_id_shr_1;                     /* mov r0, #imm16 >> 1*/
+
+  /* Update prev */
+  uint32_t ldr_r1_pprev;                                  /* ldr r1, [pc-x] */
+  uint32_t strh_r0_r1;                                     /* strh r0, [r1] */
+
+  /* restore regs */
+  uint32_t ldr_r1_sp_rz_4;                 /* ldr r1, [sp - (RED_ZONE + 4)] */
+  uint32_t ldr_r0_sp_rz;                         /* ldr r0, [sp - RED_ZONE] */
+
+} afl_log_code_asm_t;
+
+typedef union {
+
+  afl_log_code_asm_t code;
+  uint8_t            bytes[0];
+
+} afl_log_code;
+
+  #pragma pack(pop)
+
+static const afl_log_code_asm_t template =
+    {
+
+        .b_code = GUINT32_TO_LE(0xea000001),
+        .shared_mem = (uint8_t *)GUINT32_TO_LE(0xcefaadde),
+        .prev_location = (uint64_t *)GUINT32_TO_LE(0xadba0df0),
+        .str_r0_sp_rz = GUINT32_TO_LE(0xe50d0080),
+        .str_r1_sp_rz_4 = GUINT32_TO_LE(0xe50d1084),
+        .ldr_r0_pprev = GUINT32_TO_LE(0xe51f0014),
+        .ldrh_r1_r0 = GUINT32_TO_LE(0xe1d010b0),
+        .mov_r0_block_id = GUINT32_TO_LE(0xe3000000),
+        .eor_r0_r0_r1 = GUINT32_TO_LE(0xe0200001),
+        .ldr_r1_pmap = GUINT32_TO_LE(0xe51f1028),
+        .add_r1_r1_r0 = GUINT32_TO_LE(0xe0811000),
+        .ldrb_r0_r1 = GUINT32_TO_LE(0xe5d10000),
+        .add_r0_r0_1 = GUINT32_TO_LE(0xe2800001),
+        .add_r0_r0_r0_lsr_8 = GUINT32_TO_LE(0xe0800420),
+        .strb_r0_r1 = GUINT32_TO_LE(0xe5c10000),
+        .mov_r0_block_id_shr_1 = GUINT32_TO_LE(0xe3000000),
+        .ldr_r1_pprev = GUINT32_TO_LE(0xe51f1040),
+        .strh_r0_r1 = GUINT32_TO_LE(0xe1c100b0),
+        .ldr_r1_sp_rz_4 = GUINT32_TO_LE(0xe51d1084),
+        .ldr_r0_sp_rz = GUINT32_TO_LE(0xe51d0080),
+
+}
+
+;

 gboolean instrument_is_coverage_optimize_supported(void) {

-  return false;
+  return true;

 }

-void instrument_coverage_optimize(const cs_insn *   instr,
+static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
+                                       gpointer start_address, void *from_insn,
+                                       gpointer *target) {
+
+  UNUSED_PARAMETER(self);
+  UNUSED_PARAMETER(from_address);
+  UNUSED_PARAMETER(start_address);
+  UNUSED_PARAMETER(from_insn);
+
+  if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target))) {
+
+    return;
+
+  }
+
+  *target =
+      (guint8 *)*target + G_STRUCT_OFFSET(afl_log_code_asm_t, str_r0_sp_rz);
+
+}
+
+static void instrument_coverage_suppress_init(void) {
+
+  static gboolean initialized = false;
+  if (initialized) { return; }
+  initialized = true;
+
+  GumStalkerObserver          *observer = stalker_get_observer();
+  GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer);
+  iface->switch_callback = instrument_coverage_switch;
+
+  coverage_blocks = g_hash_table_new(g_direct_hash, g_direct_equal);
+  if (coverage_blocks == NULL) {
+
+    FATAL("Failed to g_hash_table_new, errno: %d", errno);
+
+  }
+
+}
+
+static void patch_t3_insn(uint32_t *insn, uint16_t val) {
+
+  uint32_t orig = GUINT32_FROM_LE(*insn);
+  uint32_t imm12 = (val & 0xfff);
+  uint32_t imm4 = (val >> 12);
+  orig |= imm12;
+  orig |= (imm4 << 16);
+  *insn = GUINT32_TO_LE(orig);
+
+}
+
+void instrument_coverage_optimize(const cs_insn    *instr,
                                  GumStalkerOutput *output) {

-  UNUSED_PARAMETER(instr);
-  UNUSED_PARAMETER(output);
-  FFATAL("Optimized coverage not supported on this architecture");
+  afl_log_code  code = {0};
+  GumArmWriter *cw = output->writer.arm;
+  gpointer      block_start;
+  guint64 area_offset = instrument_get_offset_hash(GUM_ADDRESS(instr->address));
+  gsize   map_size_pow2;
+  gsize   area_offset_ror;
+
+  instrument_coverage_suppress_init();
+
+  block_start = GSIZE_TO_POINTER(GUM_ADDRESS(cw->code));
+
+  if (!g_hash_table_add(coverage_blocks, block_start)) {
+
+    FATAL("Failed - g_hash_table_add");
+
+  }
+
+  code.code = template;
+
+  g_assert(PAGE_ALIGNED(__afl_area_ptr));
+
+  map_size_pow2 = util_log2(__afl_map_size);
+  area_offset_ror = util_rotate(area_offset, 1, map_size_pow2);
+
+  code.code.shared_mem = __afl_area_ptr;
+  code.code.prev_location = instrument_previous_pc_addr;
+
+  patch_t3_insn(&code.code.mov_r0_block_id, (uint16_t)area_offset);
+  patch_t3_insn(&code.code.mov_r0_block_id_shr_1, (uint16_t)area_offset_ror);
+
+  // gum_arm_writer_put_breakpoint(cw);
+  gum_arm_writer_put_bytes(cw, code.bytes, sizeof(afl_log_code));

 }

-void instrument_coverage_optimize_insn(const cs_insn *   instr,
+void instrument_coverage_optimize_insn(const cs_insn    *instr,
                                       GumStalkerOutput *output) {

  UNUSED_PARAMETER(instr);
  UNUSED_PARAMETER(output);
-  FFATAL("Optimized coverage not supported on this architecture");

 }

 void instrument_coverage_optimize_init(void) {

-  FWARNF("Optimized coverage not supported on this architecture");
+  char *shm_env = getenv(SHM_ENV_VAR);
+  FVERBOSE("SHM_ENV_VAR: %s", shm_env);
+
+  if (shm_env == NULL) {
+
+    FWARNF("SHM_ENV_VAR not set, using dummy for debugging purposes");
+
+    __afl_area_ptr = area_ptr_dummy;
+    memset(area_ptr_dummy, '\0', sizeof(area_ptr_dummy));
+
+  }
+
+  FVERBOSE("__afl_area_ptr: %p", __afl_area_ptr);
+
+  if (instrument_previous_pc_addr == NULL) {
+
+    instrument_previous_pc_addr = &instrument_previous_pc;
+    *instrument_previous_pc_addr = instrument_hash_zero;
+    FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
+
+  }

 }

@ -54,7 +273,19 @@ void instrument_flush(GumStalkerOutput *output) {

 gpointer instrument_cur(GumStalkerOutput *output) {

-  return gum_arm_writer_cur(output->writer.arm);
+  gpointer curr = NULL;
+
+  if (output->encoding == GUM_INSTRUCTION_SPECIAL) {
+
+    curr = gum_thumb_writer_cur(output->writer.thumb);
+
+  } else {
+
+    curr = gum_arm_writer_cur(output->writer.arm);
+
+  }
+
+  return curr;

 }

@ -80,5 +311,26 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {

 }

+void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
+
+  int fd = (int)user_data;
+  instrument_regs_format(fd,
+                         "r0 : 0x%08x, r1 : 0x%08x, r2 : 0x%08x, r3 : 0x%08x\n",
+                         cpu_context->r[0], cpu_context->r[2],
+                         cpu_context->r[1], cpu_context->r[3]);
+  instrument_regs_format(fd,
+                         "r4 : 0x%08x, r5 : 0x%08x, r6 : 0x%08x, r7 : 0x%08x\n",
+                         cpu_context->r[4], cpu_context->r[5],
+                         cpu_context->r[6], cpu_context->r[7]);
+  instrument_regs_format(
+      fd, "r8 : 0x%08x, r9 : 0x%08x, r10: 0x%08x, r11: 0x%08x\n",
+      cpu_context->r8, cpu_context->r9, cpu_context->r10, cpu_context->r11);
+  instrument_regs_format(
+      fd, "r12: 0x%08x, sp : 0x%08x, lr : 0x%08x, pc : 0x%08x\n",
+      cpu_context->r12, cpu_context->sp, cpu_context->lr, cpu_context->pc);
+  instrument_regs_format(fd, "cpsr: 0x%08x\n\n", cpu_context->cpsr);
+
+}
+
 #endif

--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@ -156,26 +156,47 @@ static gboolean instrument_is_deterministic(const cs_insn *from_insn) {

 }

+cs_insn *instrument_disassemble(gconstpointer address) {
+
+  csh      capstone;
+  cs_insn *insn = NULL;
+
+  cs_open(CS_ARCH_ARM64, GUM_DEFAULT_CS_ENDIAN, &capstone);
+  cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON);
+
+  cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn);
+
+  cs_close(&capstone);
+
+  return insn;
+
+}
+
 static void instrument_coverage_switch(GumStalkerObserver *self,
                                       gpointer            from_address,
-                                       gpointer            start_address,
-                                       const cs_insn *     from_insn,
-                                       gpointer *          target) {
+                                       gpointer start_address, void *from_insn,
+                                       gpointer *target) {

  UNUSED_PARAMETER(self);
  UNUSED_PARAMETER(from_address);
  UNUSED_PARAMETER(start_address);

-  gsize fixup_offset;
+  cs_insn *insn = NULL;
+  gboolean deterministic = FALSE;
+  gsize    fixup_offset;

  if (!g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target)) &&
-      !g_hash_table_contains(coverage_blocks, GSIZE_TO_POINTER(*target + 4))) {
+      !g_hash_table_contains(coverage_blocks,
+                             GSIZE_TO_POINTER((guint8 *)*target + 4))) {

    return;

  }

-  if (instrument_is_deterministic(from_insn)) { return; }
+  insn = instrument_disassemble(from_insn);
+  deterministic = instrument_is_deterministic(insn);
+  cs_free(insn, 1);
+  if (!deterministic) { return; }

  /*
   * Since each block is prefixed with a restoration prologue, we need to be
@ -208,7 +229,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self,
   */
  fixup_offset = GUM_RESTORATION_PROLOG_SIZE +
                 G_STRUCT_OFFSET(afl_log_code_asm_t, restoration_prolog);
-  *target += fixup_offset;
+  *target = (guint8 *)*target + fixup_offset;

 }

@ -218,7 +239,7 @@ static void instrument_coverage_suppress_init(void) {
  if (initialized) { return; }
  initialized = true;

-  GumStalkerObserver *         observer = stalker_get_observer();
+  GumStalkerObserver          *observer = stalker_get_observer();
  GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer);
  iface->switch_callback = instrument_coverage_switch;

@ -257,7 +278,7 @@ static void instrument_patch_ardp(guint32 *patch, GumAddress insn,

 }

-void instrument_coverage_optimize(const cs_insn *   instr,
+void instrument_coverage_optimize(const cs_insn    *instr,
                                  GumStalkerOutput *output) {

  afl_log_code    code = {0};
@ -272,9 +293,10 @@ void instrument_coverage_optimize(const cs_insn *   instr,

    GumAddressSpec spec = {.near_address = cw->code,
                           .max_distance = 1ULL << 30};
+    guint          page_size = gum_query_page_size();

    instrument_previous_pc_addr = gum_memory_allocate_near(
-        &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+        &spec, sizeof(guint64), page_size, GUM_PAGE_READ | GUM_PAGE_WRITE);
    *instrument_previous_pc_addr = instrument_hash_zero;
    FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
    FVERBOSE("code_addr: %p", cw->code);
@ -345,7 +367,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,

 }

-void instrument_coverage_optimize_insn(const cs_insn *   instr,
+void instrument_coverage_optimize_insn(const cs_insn    *instr,
                                       GumStalkerOutput *output) {

  UNUSED_PARAMETER(instr);
@ -405,5 +427,43 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {

 }

+void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
+
+  int fd = (int)(size_t)user_data;
+  instrument_regs_format(
+      fd, "x0 : 0x%016x, x1 : 0x%016x, x2 : 0x%016x, x3 : 0x%016x\n",
+      cpu_context->x[0], cpu_context->x[1], cpu_context->x[2],
+      cpu_context->x[3]);
+  instrument_regs_format(
+      fd, "x4 : 0x%016x, x5 : 0x%016x, x6 : 0x%016x, x7 : 0x%016x\n",
+      cpu_context->x[4], cpu_context->x[5], cpu_context->x[6],
+      cpu_context->x[7]);
+  instrument_regs_format(
+      fd, "x8 : 0x%016x, x9 : 0x%016x, x10: 0x%016x, x11: 0x%016x\n",
+      cpu_context->x[8], cpu_context->x[9], cpu_context->x[10],
+      cpu_context->x[11]);
+  instrument_regs_format(
+      fd, "x12: 0x%016x, x13: 0x%016x, x14: 0x%016x, x15: 0x%016x\n",
+      cpu_context->x[12], cpu_context->x[13], cpu_context->x[14],
+      cpu_context->x[15]);
+  instrument_regs_format(
+      fd, "x16: 0x%016x, x17: 0x%016x, x18: 0x%016x, x19: 0x%016x\n",
+      cpu_context->x[16], cpu_context->x[17], cpu_context->x[18],
+      cpu_context->x[19]);
+  instrument_regs_format(
+      fd, "x20: 0x%016x, x21: 0x%016x, x22: 0x%016x, x23: 0x%016x\n",
+      cpu_context->x[20], cpu_context->x[21], cpu_context->x[22],
+      cpu_context->x[23]);
+  instrument_regs_format(
+      fd, "x24: 0x%016x, x25: 0x%016x, x26: 0x%016x, x27: 0x%016x\n",
+      cpu_context->x[24], cpu_context->x[25], cpu_context->x[26],
+      cpu_context->x[27]);
+  instrument_regs_format(
+      fd, "x28: 0x%016x, fp : 0x%016x, lr : 0x%016x, sp : 0x%016x\n",
+      cpu_context->x[28], cpu_context->fp, cpu_context->lr, cpu_context->sp);
+  instrument_regs_format(fd, "pc : 0x%016x\n\n", cpu_context->pc);
+
+}
+
 #endif

--- a/frida_mode/src/instrument/instrument_coverage.c
+++ b/frida_mode/src/instrument/instrument_coverage.c
@ -9,6 +9,7 @@
 #include "util.h"

 char *instrument_coverage_filename = NULL;
+bool  instrument_coverage_absolute = false;

 static int normal_coverage_fd = -1;
 static int normal_coverage_pipes[2] = {-1, -1};
@ -17,7 +18,7 @@ static int unstable_coverage_fd = -1;
 static int unstable_coverage_pipes[2] = {-1, -1};

 static uint64_t normal_coverage_last_start = 0;
-static gchar *  unstable_coverage_fuzzer_stats = NULL;
+static gchar   *unstable_coverage_fuzzer_stats = NULL;

 typedef struct {

@ -68,7 +69,7 @@ typedef struct {
 static gboolean coverage_range(const GumRangeDetails *details,
                               gpointer               user_data) {

-  GArray *         coverage_ranges = (GArray *)user_data;
+  GArray          *coverage_ranges = (GArray *)user_data;
  coverage_range_t coverage = {0};

  if (details->file == NULL) { return TRUE; }
@ -210,8 +211,8 @@ static GArray *coverage_get_modules(void) {
 static void instrument_coverage_mark(void *key, void *value, void *user_data) {

  UNUSED_PARAMETER(key);
-  coverage_mark_ctx_t *   ctx = (coverage_mark_ctx_t *)user_data;
-  GArray *                coverage_modules = ctx->modules;
+  coverage_mark_ctx_t    *ctx = (coverage_mark_ctx_t *)user_data;
+  GArray                 *coverage_modules = ctx->modules;
  normal_coverage_data_t *val = (normal_coverage_data_t *)value;
  guint                   i;

@ -237,6 +238,18 @@ static void instrument_coverage_mark(void *key, void *value, void *user_data) {

 }

+static void instrument_coverage_mark_first(void *key, void *value,
+                                           void *user_data) {
+
+  UNUSED_PARAMETER(key);
+  coverage_range_t       *module = (coverage_range_t *)user_data;
+  normal_coverage_data_t *val = (normal_coverage_data_t *)value;
+
+  val->module = module;
+  module->count++;
+
+}
+
 static void coverage_write(int fd, void *data, size_t size) {

  ssize_t written;
@ -289,9 +302,9 @@ static void coverage_write_modules(int fd, GArray *coverage_modules) {
    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", module->base_address);
    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", module->limit);
    /* entry */
-    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0);
+    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0UL);
    /* checksum */
-    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0);
+    coverage_format(fd, "%016" G_GINT64_MODIFIER "X, ", 0UL);
    /* timestamp */
    coverage_format(fd, "%08" G_GINT32_MODIFIER "X, ", 0);
    coverage_format(fd, "%s\n", module->path);
@ -317,6 +330,12 @@ static void coverage_write_events(void *key, void *value, void *user_data) {

  };

+#if (__BYTE_ORDER__ == __ORDER_BIG_ENDIAN__)
+  evt.offset = __builtin_bswap32(evt.offset);
+  evt.length = __builtin_bswap16(evt.length);
+  evt.module = __builtin_bswap16(evt.module);
+#endif
+
  coverage_write(fd, &evt, sizeof(coverage_event_t));

 }
@ -398,35 +417,76 @@ static void instrument_coverage_normal_run() {

  instrument_coverage_print("Coverage - Preparing\n");

-  GArray *coverage_modules = coverage_get_modules();
+  if (instrument_coverage_absolute) {

-  guint size = g_hash_table_size(coverage_hash);
-  instrument_coverage_print("Coverage - Total Entries: %u\n", size);
+    guint size = g_hash_table_size(coverage_hash);
+    instrument_coverage_print("Coverage - Total Entries: %u\n", size);

-  coverage_mark_ctx_t ctx = {.modules = coverage_modules, .count = 0};
+    coverage_range_t module = {

-  g_hash_table_foreach(coverage_hash, instrument_coverage_mark, &ctx);
-  instrument_coverage_print("Coverage - Marked Entries: %u\n", ctx.count);
+        .base_address = GUM_ADDRESS(0),
+        .limit = GUM_ADDRESS(-1),
+        .size = GUM_ADDRESS(-1),
+        .path = "absolute",
+        .offset = 0,
+        .is_executable = true,
+        .count = size,
+        .id = 0,

-  guint coverage_marked_modules = coverage_mark_modules(coverage_modules);
-  instrument_coverage_print("Coverage - Marked Modules: %u\n",
-                            coverage_marked_modules);
+    };

-  coverage_write_header(normal_coverage_fd, coverage_marked_modules);
-  coverage_write_modules(normal_coverage_fd, coverage_modules);
-  coverage_format(normal_coverage_fd, "BB Table: %u bbs\n", ctx.count);
-  g_hash_table_foreach(coverage_hash, coverage_write_events,
-                       &normal_coverage_fd);
+    instrument_coverage_print("Coverage Module - 0x%016" G_GINT64_MODIFIER
+                              "X - 0x%016" G_GINT64_MODIFIER "X (%s)\n",
+                              module.base_address, module.limit, module.path);
+
+    GArray *coverage_modules =
+        g_array_sized_new(false, false, sizeof(coverage_range_t), 1);
+    g_array_append_val(coverage_modules, module);
+
+    g_hash_table_foreach(coverage_hash, instrument_coverage_mark_first,
+                         &module);
+
+    coverage_write_header(normal_coverage_fd, 1);
+    coverage_write_modules(normal_coverage_fd, coverage_modules);
+    coverage_format(normal_coverage_fd, "BB Table: %u bbs\n", size);
+    g_hash_table_foreach(coverage_hash, coverage_write_events,
+                         &normal_coverage_fd);
+
+  } else {
+
+    GArray *coverage_modules = coverage_get_modules();
+
+    guint size = g_hash_table_size(coverage_hash);
+    instrument_coverage_print("Coverage - Total Entries: %u\n", size);
+
+    coverage_mark_ctx_t ctx = {.modules = coverage_modules, .count = 0};
+
+    /* For each coverage event in the hashtable associate it with a module and
+     * count the number of entries per module */
+    g_hash_table_foreach(coverage_hash, instrument_coverage_mark, &ctx);
+    instrument_coverage_print("Coverage - Marked Entries: %u\n", ctx.count);
+
+    /* For each module with coverage events assign it an incrementing number */
+    guint coverage_marked_modules = coverage_mark_modules(coverage_modules);
+    instrument_coverage_print("Coverage - Marked Modules: %u\n",
+                              coverage_marked_modules);
+
+    coverage_write_header(normal_coverage_fd, coverage_marked_modules);
+    coverage_write_modules(normal_coverage_fd, coverage_modules);
+    coverage_format(normal_coverage_fd, "BB Table: %u bbs\n", ctx.count);
+    g_hash_table_foreach(coverage_hash, coverage_write_events,
+                         &normal_coverage_fd);
+
+  }

  g_hash_table_unref(coverage_hash);
-
  instrument_coverage_print("Coverage - Completed\n");

 }

 static GArray *instrument_coverage_unstable_read_unstable_ids(void) {

-  gchar * contents = NULL;
+  gchar  *contents = NULL;
  gsize   length = 0;
  GArray *unstable_edge_ids =
      g_array_sized_new(false, false, sizeof(gpointer), 100);
@ -533,7 +593,7 @@ static GHashTable *instrument_collect_unstable_blocks(
    while (g_hash_table_iter_next(&iter, NULL, &value)) {

      unstable_coverage_data_t *unstable = (unstable_coverage_data_t *)value;
-      normal_coverage_data_t *  from =
+      normal_coverage_data_t   *from =
          gum_malloc0(sizeof(normal_coverage_data_t));
      normal_coverage_data_t *to = gum_malloc0(sizeof(normal_coverage_data_t));
      from->start = unstable->from;
@ -616,8 +676,6 @@ static void instrument_coverage_unstable_run(void) {

  instrument_coverage_print("Coverage - Preparing\n");

-  GArray *coverage_modules = coverage_get_modules();
-
  instrument_coverage_print("Found edges: %u\n", edges);

  GArray *unstable_edge_ids = instrument_coverage_unstable_read_unstable_ids();
@ -628,20 +686,60 @@ static void instrument_coverage_unstable_run(void) {
  guint size = g_hash_table_size(unstable_blocks);
  instrument_coverage_print("Unstable blocks: %u\n", size);

-  coverage_mark_ctx_t ctx = {.modules = coverage_modules, .count = 0};
+  if (instrument_coverage_absolute) {

-  g_hash_table_foreach(unstable_blocks, instrument_coverage_mark, &ctx);
-  instrument_coverage_print("Coverage - Marked Entries: %u\n", ctx.count);
+    instrument_coverage_print("Coverage - Total Entries: %u\n", size);

-  guint coverage_marked_modules = coverage_mark_modules(coverage_modules);
-  instrument_coverage_print("Coverage - Marked Modules: %u\n",
-                            coverage_marked_modules);
+    coverage_range_t module = {

-  coverage_write_header(unstable_coverage_fd, coverage_marked_modules);
-  coverage_write_modules(unstable_coverage_fd, coverage_modules);
-  coverage_format(unstable_coverage_fd, "BB Table: %u bbs\n", ctx.count);
-  g_hash_table_foreach(unstable_blocks, coverage_write_events,
-                       &unstable_coverage_fd);
+        .base_address = GUM_ADDRESS(0),
+        .limit = GUM_ADDRESS(-1),
+        .size = GUM_ADDRESS(-1),
+        .path = "absolute",
+        .offset = 0,
+        .is_executable = true,
+        .count = size,
+        .id = 0,
+
+    };
+
+    instrument_coverage_print("Coverage Module - 0x%016" G_GINT64_MODIFIER
+                              "X - 0x%016" G_GINT64_MODIFIER "X (%s)\n",
+                              module.base_address, module.limit, module.path);
+
+    GArray *coverage_modules =
+        g_array_sized_new(false, false, sizeof(coverage_range_t), 1);
+    g_array_append_val(coverage_modules, module);
+
+    g_hash_table_foreach(unstable_blocks, instrument_coverage_mark_first,
+                         &module);
+
+    coverage_write_header(unstable_coverage_fd, 1);
+    coverage_write_modules(unstable_coverage_fd, coverage_modules);
+    coverage_format(unstable_coverage_fd, "BB Table: %u bbs\n", size);
+    g_hash_table_foreach(unstable_blocks, coverage_write_events,
+                         &unstable_coverage_fd);
+
+  } else {
+
+    GArray *coverage_modules = coverage_get_modules();
+
+    coverage_mark_ctx_t ctx = {.modules = coverage_modules, .count = 0};
+
+    g_hash_table_foreach(unstable_blocks, instrument_coverage_mark, &ctx);
+    instrument_coverage_print("Coverage - Marked Entries: %u\n", ctx.count);
+
+    guint coverage_marked_modules = coverage_mark_modules(coverage_modules);
+    instrument_coverage_print("Coverage - Marked Modules: %u\n",
+                              coverage_marked_modules);
+
+    coverage_write_header(unstable_coverage_fd, coverage_marked_modules);
+    coverage_write_modules(unstable_coverage_fd, coverage_modules);
+    coverage_format(unstable_coverage_fd, "BB Table: %u bbs\n", ctx.count);
+    g_hash_table_foreach(unstable_blocks, coverage_write_events,
+                         &unstable_coverage_fd);
+
+  }

  g_hash_table_unref(unstable_blocks);
  g_array_free(unstable_edge_ids, TRUE);
@ -654,6 +752,8 @@ static void instrument_coverage_unstable_run(void) {
 void instrument_coverage_config(void) {

  instrument_coverage_filename = getenv("AFL_FRIDA_INST_COVERAGE_FILE");
+  instrument_coverage_absolute =
+      (getenv("AFL_FRIDA_INST_COVERAGE_ABSOLUTE") != NULL);

 }

--- a/frida_mode/src/instrument/instrument_debug.c
+++ b/frida_mode/src/instrument/instrument_debug.c
@ -66,7 +66,7 @@ static void instrument_disasm(guint8 *start, guint8 *end,

      instrument_debug("\t0x%" G_GINT64_MODIFIER "x\t* 0x%016" G_GSIZE_MODIFIER
                       "x\n",
-                       curr, *(size_t *)curr);
+                       (uint64_t)(size_t)curr, *(size_t *)curr);

      len += sizeof(size_t);
      continue;
--- a/frida_mode/src/instrument/instrument_x64.c
+++ b/frida_mode/src/instrument/instrument_x64.c
@ -171,16 +171,16 @@ void instrument_coverage_optimize_init(void) {

 }

-static void instrument_coverage_switch(GumStalkerObserver *self,
-                                       gpointer            from_address,
-                                       gpointer            start_address,
-                                       const cs_insn *     from_insn,
-                                       gpointer *          target) {
+static void instrument_coverage_switch_insn(GumStalkerObserver *self,
+                                            gpointer            from_address,
+                                            gpointer            start_address,
+                                            const cs_insn      *from_insn,
+                                            gpointer           *target) {

  UNUSED_PARAMETER(self);
  UNUSED_PARAMETER(from_address);

-  cs_x86 *   x86;
+  cs_x86    *x86;
  cs_x86_op *op;
  if (from_insn == NULL) { return; }

@ -224,13 +224,42 @@ static void instrument_coverage_switch(GumStalkerObserver *self,

 }

+cs_insn *instrument_disassemble(gconstpointer address) {
+
+  csh      capstone;
+  cs_insn *insn = NULL;
+
+  cs_open(CS_ARCH_X86, GUM_CPU_MODE, &capstone);
+  cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON);
+
+  cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn);
+
+  cs_close(&capstone);
+
+  return insn;
+
+}
+
+static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
+                                       gpointer start_address, void *from_insn,
+                                       gpointer *target) {
+
+  if (from_insn == NULL) { return; }
+  cs_insn *insn = instrument_disassemble(from_insn);
+  instrument_coverage_switch_insn(self, from_address, start_address, insn,
+                                  target);
+  cs_free(insn, 1);
+
+}
+
 static void instrument_coverage_suppress_init(void) {

  static gboolean initialized = false;
  if (initialized) { return; }
  initialized = true;

-  GumStalkerObserver *         observer = stalker_get_observer();
+  GumStalkerObserver          *observer = stalker_get_observer();
  GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer);
  iface->switch_callback = instrument_coverage_switch;

@ -333,19 +362,18 @@ static void instrument_coverage_write(GumAddress        address,

 }

-void instrument_coverage_optimize(const cs_insn *   instr,
+void instrument_coverage_optimize(const cs_insn    *instr,
                                  GumStalkerOutput *output) {

  GumX86Writer *cw = output->writer.x86;
-  /* guint64 area_offset =
-   * instrument_get_offset_hash(GUM_ADDRESS(instr->address)); */
  if (instrument_previous_pc_addr == NULL) {

    GumAddressSpec spec = {.near_address = cw->code,
                           .max_distance = 1ULL << 30};
+    guint          page_size = gum_query_page_size();

    instrument_previous_pc_addr = gum_memory_allocate_near(
-        &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+        &spec, sizeof(guint64), page_size, GUM_PAGE_READ | GUM_PAGE_WRITE);
    *instrument_previous_pc_addr = instrument_hash_zero;
    FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
    FVERBOSE("code_addr: %p", cw->code);
@ -364,7 +392,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,

 }

-void instrument_coverage_optimize_insn(const cs_insn *   instr,
+void instrument_coverage_optimize_insn(const cs_insn    *instr,
                                       GumStalkerOutput *output) {

  GumX86Writer *cw = output->writer.x86;
@ -469,5 +497,24 @@ gpointer instrument_cur(GumStalkerOutput *output) {

 }

+void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
+
+  int fd = (int)(size_t)user_data;
+  instrument_regs_format(
+      fd, "rax: 0x%016x, rbx: 0x%016x, rcx: 0x%016x, rdx: 0x%016x\n",
+      cpu_context->rax, cpu_context->rbx, cpu_context->rcx, cpu_context->rdx);
+  instrument_regs_format(
+      fd, "rdi: 0x%016x, rsi: 0x%016x, rbp: 0x%016x, rsp: 0x%016x\n",
+      cpu_context->rdi, cpu_context->rsi, cpu_context->rbp, cpu_context->rsp);
+  instrument_regs_format(
+      fd, "r8 : 0x%016x, r9 : 0x%016x, r10: 0x%016x, r11: 0x%016x\n",
+      cpu_context->r8, cpu_context->r9, cpu_context->r10, cpu_context->r11);
+  instrument_regs_format(
+      fd, "r12: 0x%016x, r13: 0x%016x, r14: 0x%016x, r15: 0x%016x\n",
+      cpu_context->r12, cpu_context->r13, cpu_context->r14, cpu_context->r15);
+  instrument_regs_format(fd, "rip: 0x%016x\n\n", cpu_context->rip);
+
+}
+
 #endif

--- a/frida_mode/src/instrument/instrument_x64_cache.c
+++ b/frida_mode/src/instrument/instrument_x64_cache.c
@ -105,11 +105,11 @@ static gboolean instrument_cache_relocate(GumAddress old_pc, GumAddress new_pc,

 }

-static void instrument_cache_rewrite_branch_insn(const cs_insn *   instr,
+static void instrument_cache_rewrite_branch_insn(const cs_insn    *instr,
                                                 GumStalkerOutput *output) {

  GumX86Writer *cw = output->writer.x86;
-  cs_x86 *      x86 = &instr->detail->x86;
+  cs_x86       *x86 = &instr->detail->x86;
  guint8        modified[sizeof(instr->bytes)] = {0};
  guint8        offset = 0;
  guint8        skip = 0;
@ -225,8 +225,8 @@ static void instrument_cache_rewrite_branch_insn(const cs_insn *   instr,
    } else {

      GumAddress target = instr->address + old_offset;
-      gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, target);
-      gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_RAX, GUM_REG_RAX);
+      gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, target);
+      gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_X86_RAX, GUM_X86_RAX);
      return;

    }
@ -249,29 +249,29 @@ static void instrument_cache_rewrite_branch_insn(const cs_insn *   instr,
 static void instrument_cache_write_push_frame(GumX86Writer *cw) {

  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + (1 * sizeof(gpointer))),
-      GUM_REG_XAX);
+      cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + (1 * sizeof(gpointer))),
+      GUM_X86_XAX);
  gum_x86_writer_put_lahf(cw);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + (2 * sizeof(gpointer))),
-      GUM_REG_XAX);
+      cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + (2 * sizeof(gpointer))),
+      GUM_X86_XAX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + (3 * sizeof(gpointer))),
-      GUM_REG_XBX);
+      cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + (3 * sizeof(gpointer))),
+      GUM_X86_XBX);

 }

 static void instrument_cache_write_pop_frame(GumX86Writer *cw) {

  gum_x86_writer_put_mov_reg_reg_offset_ptr(
-      cw, GUM_REG_XBX, GUM_REG_XSP,
+      cw, GUM_X86_XBX, GUM_X86_XSP,
      -(GUM_RED_ZONE_SIZE + (3 * sizeof(gpointer))));
  gum_x86_writer_put_mov_reg_reg_offset_ptr(
-      cw, GUM_REG_XAX, GUM_REG_XSP,
+      cw, GUM_X86_XAX, GUM_X86_XSP,
      -(GUM_RED_ZONE_SIZE + (2 * sizeof(gpointer))));
  gum_x86_writer_put_sahf(cw);
  gum_x86_writer_put_mov_reg_reg_offset_ptr(
-      cw, GUM_REG_XAX, GUM_REG_XSP,
+      cw, GUM_X86_XAX, GUM_X86_XSP,
      -(GUM_RED_ZONE_SIZE + (1 * sizeof(gpointer))));

 }
@ -281,21 +281,21 @@ static void instrument_cache_write_lookup(GumX86Writer *cw) {
  /* &map_base[GPOINTER_TO_SIZE(addr) & MAP_MASK]; */

  gsize mask = (instrument_cache_size / sizeof(gpointer)) - 1;
-  gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_XBX, mask);
-  gum_x86_writer_put_and_reg_reg(cw, GUM_REG_XAX, GUM_REG_XBX);
-  gum_x86_writer_put_shl_reg_u8(cw, GUM_REG_XAX, util_log2(sizeof(gpointer)));
-  gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_XBX, GPOINTER_TO_SIZE(map_base));
-  gum_x86_writer_put_add_reg_reg(cw, GUM_REG_XAX, GUM_REG_XBX);
+  gum_x86_writer_put_mov_reg_u64(cw, GUM_X86_XBX, mask);
+  gum_x86_writer_put_and_reg_reg(cw, GUM_X86_XAX, GUM_X86_XBX);
+  gum_x86_writer_put_shl_reg_u8(cw, GUM_X86_XAX, util_log2(sizeof(gpointer)));
+  gum_x86_writer_put_mov_reg_u64(cw, GUM_X86_XBX, GPOINTER_TO_SIZE(map_base));
+  gum_x86_writer_put_add_reg_reg(cw, GUM_X86_XAX, GUM_X86_XBX);

  /* Read the return address lookup */
-  gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_XAX, GUM_REG_XAX);
+  gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_X86_XAX, GUM_X86_XAX);

 }

 void instrument_cache_jmp_call(const cs_insn *instr, GumStalkerOutput *output) {

  GumX86Writer *cw = output->writer.x86;
-  cs_x86 *      x86 = &instr->detail->x86;
+  cs_x86       *x86 = &instr->detail->x86;

  if (x86->op_count != 1) { FFATAL("Unexpected operand count"); }

@ -315,7 +315,7 @@ void instrument_cache_jmp_call(const cs_insn *instr, GumStalkerOutput *output) {
   * red-zone.
   */
  gum_x86_writer_put_mov_reg_reg_offset_ptr(
-      cw, GUM_REG_XAX, GUM_REG_XSP,
+      cw, GUM_X86_XAX, GUM_X86_XSP,
      -(GUM_RED_ZONE_SIZE + (1 * sizeof(gpointer))));

  instrument_cache_rewrite_branch_insn(instr, output);
@ -323,33 +323,33 @@ void instrument_cache_jmp_call(const cs_insn *instr, GumStalkerOutput *output) {
  instrument_cache_write_lookup(cw);

  /* Test if its set*/
-  gum_x86_writer_put_cmp_reg_i32(cw, GUM_REG_XAX, INVALID);
+  gum_x86_writer_put_cmp_reg_i32(cw, GUM_X86_XAX, INVALID);
  gum_x86_writer_put_jcc_short_label(cw, X86_INS_JLE, null, GUM_UNLIKELY);

  /* If it's set, then stash the address beyond the red-zone */
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + (4 * sizeof(gpointer))),
-      GUM_REG_XAX);
+      cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + (4 * sizeof(gpointer))),
+      GUM_X86_XAX);

  if (instr->id == X86_INS_JMP) {

    instrument_cache_write_pop_frame(cw);
    gum_x86_writer_put_jmp_reg_offset_ptr(
-        cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + (4 * sizeof(gpointer))));
+        cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + (4 * sizeof(gpointer))));

  } else {

    gum_x86_writer_put_mov_reg_address(
-        cw, GUM_REG_XAX, GUM_ADDRESS(instr->address + instr->size));
-    gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_REG_XSP,
-                                              -sizeof(gpointer), GUM_REG_XAX);
+        cw, GUM_X86_XAX, GUM_ADDRESS(instr->address + instr->size));
+    gum_x86_writer_put_mov_reg_offset_ptr_reg(cw, GUM_X86_XSP,
+                                              -sizeof(gpointer), GUM_X86_XAX);

    instrument_cache_write_pop_frame(cw);

-    gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_XSP, GUM_REG_XSP,
+    gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_XSP, GUM_X86_XSP,
                                          -sizeof(gpointer));
    gum_x86_writer_put_jmp_reg_offset_ptr(
-        cw, GUM_REG_XSP, -(GUM_RED_ZONE_SIZE + ((4 - 1) * sizeof(gpointer))));
+        cw, GUM_X86_XSP, -(GUM_RED_ZONE_SIZE + ((4 - 1) * sizeof(gpointer))));

  }

@ -362,7 +362,7 @@ void instrument_cache_jmp_call(const cs_insn *instr, GumStalkerOutput *output) {
 void instrument_cache_ret(const cs_insn *instr, GumStalkerOutput *output) {

  GumX86Writer *cw = output->writer.x86;
-  cs_x86 *      x86 = &instr->detail->x86;
+  cs_x86       *x86 = &instr->detail->x86;
  guint16       n = 0;

  if (x86->op_count != 0) {
@ -381,16 +381,16 @@ void instrument_cache_ret(const cs_insn *instr, GumStalkerOutput *output) {

  instrument_cache_write_push_frame(cw);

-  gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_REG_XAX, GUM_REG_XSP);
+  gum_x86_writer_put_mov_reg_reg_ptr(cw, GUM_X86_XAX, GUM_X86_XSP);

  instrument_cache_write_lookup(cw);

  /* Test if its set*/
-  gum_x86_writer_put_cmp_reg_i32(cw, GUM_REG_XAX, INVALID);
+  gum_x86_writer_put_cmp_reg_i32(cw, GUM_X86_XAX, INVALID);
  gum_x86_writer_put_jcc_short_label(cw, X86_INS_JLE, null, GUM_UNLIKELY);

  /* If it's set, then overwrite our return address and return */
-  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_XSP, GUM_REG_XAX);
+  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_X86_XSP, GUM_X86_XAX);
  instrument_cache_write_pop_frame(cw);

  if (n == 0) {
--- a/frida_mode/src/instrument/instrument_x86.c
+++ b/frida_mode/src/instrument/instrument_x86.c
@ -83,17 +83,17 @@ gboolean instrument_is_coverage_optimize_supported(void) {

 }

-static void instrument_coverage_switch(GumStalkerObserver *self,
-                                       gpointer            from_address,
-                                       gpointer            start_address,
-                                       const cs_insn *     from_insn,
-                                       gpointer *          target) {
+static void instrument_coverage_switch_insn(GumStalkerObserver *self,
+                                            gpointer            from_address,
+                                            gpointer            start_address,
+                                            const cs_insn      *from_insn,
+                                            gpointer           *target) {

  UNUSED_PARAMETER(self);
  UNUSED_PARAMETER(from_address);
  UNUSED_PARAMETER(start_address);

-  cs_x86 *   x86;
+  cs_x86    *x86;
  cs_x86_op *op;
  if (from_insn == NULL) { return; }

@ -130,13 +130,42 @@ static void instrument_coverage_switch(GumStalkerObserver *self,

 }

+cs_insn *instrument_disassemble(gconstpointer address) {
+
+  csh      capstone;
+  cs_insn *insn = NULL;
+
+  cs_open(CS_ARCH_X86, GUM_CPU_MODE, &capstone);
+  cs_option(capstone, CS_OPT_DETAIL, CS_OPT_ON);
+
+  cs_disasm(capstone, address, 16, GPOINTER_TO_SIZE(address), 1, &insn);
+
+  cs_close(&capstone);
+
+  return insn;
+
+}
+
+static void instrument_coverage_switch(GumStalkerObserver *self,
+                                       gpointer            from_address,
+                                       gpointer start_address, void *from_insn,
+                                       gpointer *target) {
+
+  if (from_insn == NULL) { return; }
+  cs_insn *insn = instrument_disassemble(from_insn);
+  instrument_coverage_switch_insn(self, from_address, start_address, insn,
+                                  target);
+  cs_free(insn, 1);
+
+}
+
 static void instrument_coverage_suppress_init(void) {

  static gboolean initialized = false;
  if (initialized) { return; }
  initialized = true;

-  GumStalkerObserver *         observer = stalker_get_observer();
+  GumStalkerObserver          *observer = stalker_get_observer();
  GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer);
  iface->switch_callback = instrument_coverage_switch;

@ -149,7 +178,7 @@ static void instrument_coverage_suppress_init(void) {

 }

-void instrument_coverage_optimize(const cs_insn *   instr,
+void instrument_coverage_optimize(const cs_insn    *instr,
                                  GumStalkerOutput *output) {

  afl_log_code  code = {0};
@ -162,9 +191,10 @@ void instrument_coverage_optimize(const cs_insn *   instr,

    GumAddressSpec spec = {.near_address = cw->code,
                           .max_distance = 1ULL << 30};
+    guint          page_size = gum_query_page_size();

    instrument_previous_pc_addr = gum_memory_allocate_near(
-        &spec, sizeof(guint64), 0x1000, GUM_PAGE_READ | GUM_PAGE_WRITE);
+        &spec, sizeof(guint64), page_size, GUM_PAGE_READ | GUM_PAGE_WRITE);
    *instrument_previous_pc_addr = instrument_hash_zero;
    FVERBOSE("instrument_previous_pc_addr: %p", instrument_previous_pc_addr);
    FVERBOSE("code_addr: %p", cw->code);
@ -223,7 +253,7 @@ void instrument_coverage_optimize(const cs_insn *   instr,

 }

-void instrument_coverage_optimize_insn(const cs_insn *   instr,
+void instrument_coverage_optimize_insn(const cs_insn    *instr,
                                       GumStalkerOutput *output) {

  UNUSED_PARAMETER(instr);
@ -269,5 +299,18 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output) {

 }

+void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data) {
+
+  int fd = (int)(size_t)user_data;
+  instrument_regs_format(
+      fd, "eax: 0x%08x, ebx: 0x%08x, ecx: 0x%08x, edx: 0x%08x\n",
+      cpu_context->eax, cpu_context->ebx, cpu_context->ecx, cpu_context->edx);
+  instrument_regs_format(
+      fd, "esi: 0x%08x, edi: 0x%08x, ebp: 0x%08x, esp: 0x%08x\n",
+      cpu_context->esi, cpu_context->edi, cpu_context->ebp, cpu_context->esp);
+  instrument_regs_format(fd, "eip: 0x%08x\n\n", cpu_context->eip);
+
+}
+
 #endif

--- a/frida_mode/src/intercept.c
+++ b/frida_mode/src/intercept.c
@ -7,8 +7,8 @@ void intercept_hook(void *address, gpointer replacement, gpointer user_data) {

  GumInterceptor *interceptor = gum_interceptor_obtain();
  gum_interceptor_begin_transaction(interceptor);
-  GumReplaceReturn ret =
-      gum_interceptor_replace(interceptor, address, replacement, user_data);
+  GumReplaceReturn ret = gum_interceptor_replace(interceptor, address,
+                                                 replacement, user_data, NULL);
  if (ret != GUM_REPLACE_OK) { FFATAL("gum_interceptor_attach: %d", ret); }
  gum_interceptor_end_transaction(interceptor);

--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@ -104,6 +104,12 @@ class Afl {
    static setInstrumentCacheSize(size) {
        Afl.jsApiSetInstrumentCacheSize(size);
    }
+    /**
+     * See `AFL_FRIDA_INST_COVERAGE_ABSOLUTE`.
+     */
+    static setInstrumentCoverageAbsolute() {
+        Afl.jsApiSetInstrumentCoverageAbsolute();
+    }
    /**
     * See `AFL_FRIDA_INST_COVERAGE_FILE`. This function takes a single `string`
     * as an argument.
@ -150,6 +156,14 @@ class Afl {
    static setInstrumentNoOptimize() {
        Afl.jsApiSetInstrumentNoOptimize();
    }
+    /**
+     * See `AFL_FRIDA_INST_REGS_FILE`. This function takes a single `string` as
+     * an argument.
+     */
+    static setInstrumentRegsFile(file) {
+        const buf = Memory.allocUtf8String(file);
+        Afl.jsApiSetInstrumentRegsFile(buf);
+    }
    /*
     * See `AFL_FRIDA_INST_SEED`
     */
@ -316,12 +330,14 @@ Afl.jsApiSetCacheDisable = Afl.jsApiGetFunction("js_api_set_cache_disable", "voi
 Afl.jsApiSetDebugMaps = Afl.jsApiGetFunction("js_api_set_debug_maps", "void", []);
 Afl.jsApiSetEntryPoint = Afl.jsApiGetFunction("js_api_set_entrypoint", "void", ["pointer"]);
 Afl.jsApiSetInstrumentCacheSize = Afl.jsApiGetFunction("js_api_set_instrument_cache_size", "void", ["size_t"]);
+Afl.jsApiSetInstrumentCoverageAbsolute = Afl.jsApiGetFunction("js_api_set_instrument_coverage_absolute", "void", []);
 Afl.jsApiSetInstrumentCoverageFile = Afl.jsApiGetFunction("js_api_set_instrument_coverage_file", "void", ["pointer"]);
 Afl.jsApiSetInstrumentDebugFile = Afl.jsApiGetFunction("js_api_set_instrument_debug_file", "void", ["pointer"]);
 Afl.jsApiSetInstrumentInstructions = Afl.jsApiGetFunction("js_api_set_instrument_instructions", "void", []);
 Afl.jsApiSetInstrumentJit = Afl.jsApiGetFunction("js_api_set_instrument_jit", "void", []);
 Afl.jsApiSetInstrumentLibraries = Afl.jsApiGetFunction("js_api_set_instrument_libraries", "void", []);
 Afl.jsApiSetInstrumentNoOptimize = Afl.jsApiGetFunction("js_api_set_instrument_no_optimize", "void", []);
+Afl.jsApiSetInstrumentRegsFile = Afl.jsApiGetFunction("js_api_set_instrument_regs_file", "void", ["pointer"]);
 Afl.jsApiSetInstrumentSeed = Afl.jsApiGetFunction("js_api_set_instrument_seed", "void", ["uint64"]);
 Afl.jsApiSetInstrumentTrace = Afl.jsApiGetFunction("js_api_set_instrument_trace", "void", []);
 Afl.jsApiSetInstrumentTraceUnique = Afl.jsApiGetFunction("js_api_set_instrument_trace_unique", "void", []);
--- a/frida_mode/src/js/js.c
+++ b/frida_mode/src/js/js.c
@ -7,21 +7,19 @@ gboolean                  js_done = FALSE;
 js_api_stalker_callback_t js_user_callback = NULL;
 js_main_hook_t            js_main_hook = NULL;

-static char *              js_script = NULL;
-static gchar *             filename = "afl.js";
-static gchar *             contents;
-static GumScriptBackend *  backend;
-static GCancellable *      cancellable = NULL;
-static GError *            error = NULL;
-static GumScript *         script;
+static char               *js_script = NULL;
+static gchar              *filename = "afl.js";
+static gchar              *contents;
+static GumScriptBackend   *backend;
+static GCancellable       *cancellable = NULL;
+static GError             *error = NULL;
+static GumScript          *script;
 static GumScriptScheduler *scheduler;
-static GMainContext *      context;
-static GMainLoop *         main_loop;
+static GMainContext       *context;
+static GMainLoop          *main_loop;

-static void js_msg(GumScript *script, const gchar *message, GBytes *data,
-                   gpointer user_data) {
+static void js_msg(const gchar *message, GBytes *data, gpointer user_data) {

-  UNUSED_PARAMETER(script);
  UNUSED_PARAMETER(data);
  UNUSED_PARAMETER(user_data);
  FOKF("%s", message);
@ -124,8 +122,8 @@ void js_start(void) {
  main_loop = g_main_loop_new(context, true);
  g_main_context_push_thread_default(context);

-  gum_script_backend_create(backend, "example", source, cancellable, create_cb,
-                            &error);
+  gum_script_backend_create(backend, "example", source, NULL, cancellable,
+                            create_cb, &error);

  while (g_main_context_pending(context))
    g_main_context_iteration(context, FALSE);
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@ -115,6 +115,13 @@ __attribute__((visibility("default"))) void js_api_set_instrument_libraries() {

 }

+__attribute__((visibility("default"))) void
+js_api_set_instrument_coverage_absolute(void) {
+
+  instrument_coverage_absolute = true;
+
+}
+
 __attribute__((visibility("default"))) void js_api_set_instrument_coverage_file(
    char *path) {

@ -156,6 +163,13 @@ __attribute__((visibility("default"))) void js_api_set_instrument_no_optimize(

 }

+__attribute__((visibility("default"))) void js_api_set_instrument_regs_file(
+    char *path) {
+
+  instrument_regs_filename = g_strdup(path);
+
+}
+
 __attribute__((visibility("default"))) void js_api_set_instrument_seed(
    guint64 seed) {

--- a/frida_mode/src/lib/lib.c
+++ b/frida_mode/src/lib/lib.c
@ -69,8 +69,8 @@ static void lib_read_text_section(lib_details_t *lib_details, Elf_Ehdr *hdr) {
  Elf_Addr  preferred_base;
  Elf_Shdr *shdr;
  Elf_Shdr *shstrtab;
-  char *    shstr;
-  char *    section_name;
+  char     *shstr;
+  char     *section_name;
  Elf_Shdr *curr;
  char      text_name[] = ".text";

--- a/frida_mode/src/lib/lib_apple.c
+++ b/frida_mode/src/lib/lib_apple.c
@ -16,9 +16,9 @@ static gboolean lib_get_main_module(const GumModuleDetails *details,
                                    gpointer                user_data) {

  GumDarwinModule **ret = (GumDarwinModule **)user_data;
-  GumDarwinModule * module = gum_darwin_module_new_from_memory(
-      details->path, mach_task_self(), details->range->base_address,
-      GUM_DARWIN_MODULE_FLAGS_NONE, NULL);
+  GumDarwinModule  *module = gum_darwin_module_new_from_memory(
+       details->path, mach_task_self(), details->range->base_address,
+       GUM_DARWIN_MODULE_FLAGS_NONE, NULL);

  FVERBOSE("Found main module: %s", module->name);

--- a/frida_mode/src/main.c
+++ b/frida_mode/src/main.c
@ -36,6 +36,18 @@
 #ifdef __APPLE__
 extern mach_port_t mach_task_self();
 extern GumAddress  gum_darwin_find_entrypoint(mach_port_t task);
+#elif defined(__ANDROID__)
+typedef struct {
+
+  void (**preinit_array)(void);
+  void (**init_array)(void);
+  void (**fini_array)(void);
+
+} structors_array_t;
+
+extern void __libc_init(void *raw_args, void (*onexit)(void) __unused,
+                        int (*slingshot)(int, char **, char **),
+                        structors_array_t const *const structors);
 #else
 extern int  __libc_start_main(int (*main)(int, char **, char **), int argc,
                              char **ubp_av, void (*init)(void),
@ -69,7 +81,11 @@ static void on_main_os(int argc, char **argv, char **envp) {
  GumInterceptor *interceptor = gum_interceptor_obtain();

  gum_interceptor_begin_transaction(interceptor);
+  #if defined(__ANDROID__)
+  gum_interceptor_revert(interceptor, __libc_init);
+  #else
  gum_interceptor_revert(interceptor, __libc_start_main);
+  #endif
  gum_interceptor_end_transaction(interceptor);
  gum_interceptor_flush(interceptor);

@ -92,7 +108,7 @@ static void embedded_init(void) {
 static void afl_print_cmdline(void) {

 #if defined(__linux__)
-  char * buffer = g_malloc0(PROC_MAX);
+  char  *buffer = g_malloc0(PROC_MAX);
  gchar *fname = g_strdup_printf("/proc/%d/cmdline", getppid());
  int    fd = open(fname, O_RDONLY);

@ -144,7 +160,7 @@ static void afl_print_cmdline(void) {

 static void afl_print_env(void) {

-  char * buffer = g_malloc0(PROC_MAX);
+  char  *buffer = g_malloc0(PROC_MAX);
  gchar *fname = g_strdup_printf("/proc/%d/environ", getppid());
  int    fd = open(fname, O_RDONLY);

@ -277,6 +293,24 @@ static void intercept_main(void) {

 }

+#elif defined(__ANDROID__)
+static void on_libc_init(void *raw_args, void (*onexit)(void) __unused,
+                         int (*slingshot)(int, char **, char **),
+                         structors_array_t const *const structors) {
+
+  main_fn = slingshot;
+  intercept_unhook_self();
+  intercept_hook(slingshot, on_main, NULL);
+  return __libc_init(raw_args, onexit, slingshot, structors);
+
+}
+
+static void intercept_main(void) {
+
+  intercept_hook(__libc_init, on_libc_init, NULL);
+
+}
+
 #else
 static int on_libc_start_main(int (*main)(int, char **, char **), int argc,
                              char **ubp_av, void (*init)(void),
--- a/frida_mode/src/module.c
+++ b/frida_mode/src/module.c
@ -31,7 +31,7 @@ typedef struct {
 gboolean found_range(const GumRangeDetails *details, gpointer user_data) {

  gum_range_t range = {0};
-  GArray *    ranges = (GArray *)user_data;
+  GArray     *ranges = (GArray *)user_data;

  range.range = *details->range;
  range.protection = details->protection;
@ -45,9 +45,9 @@ gboolean found_range(const GumRangeDetails *details, gpointer user_data) {
 #if defined(__linux__) && !defined(__ANDROID__)
 static int on_dlclose(void *handle) {

-  GArray *         ranges = NULL;
+  GArray          *ranges = NULL;
  struct link_map *lm = NULL;
-  gum_range_t *    range = NULL;
+  gum_range_t     *range = NULL;
  GumAddress       base;
  GumAddress       limit;
  gpointer         mem;
@ -77,7 +77,9 @@ static int on_dlclose(void *handle) {
    range = &g_array_index(ranges, gum_range_t, i);
    base = range->range.base_address;
    limit = base + range->range.size;
-    FVERBOSE("Reserving range: 0x%016lx, 0x%016lX", base, limit);
+    FVERBOSE("Reserving range: 0x%016" G_GINT64_MODIFIER
+             "x, 0x%016" G_GINT64_MODIFIER "X",
+             base, limit);
    mem = gum_memory_allocate(GSIZE_TO_POINTER(base), range->range.size,
                              page_size, GUM_PAGE_NO_ACCESS);
    if (mem == NULL) { FATAL("Failed to allocate %p (%d)", mem, errno); }
--- a/frida_mode/src/persistent/persistent_arm32.c
+++ b/frida_mode/src/persistent/persistent_arm32.c
@ -1,75 +1,294 @@
 #include "frida-gumjs.h"

+#include "instrument.h"
 #include "persistent.h"
 #include "util.h"

 #if defined(__arm__)

-struct arm_regs {
+// struct _GumArmCpuContext {

-  uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10;
+//   guint32 pc;
+//   guint32 sp;
+//   guint32 cpsr;

-  union {
+//   guint32 r8;
+//   guint32 r9;
+//   guint32 r10;
+//   guint32 r11;
+//   guint32 r12;

-    uint32_t r11;
-    uint32_t fp;
+//   GumArmVectorReg v[16];

-  };
+//   guint32 _padding;

-  union {
+//   guint32 r[8];
+//   guint32 lr;
+// };

-    uint32_t r12;
-    uint32_t ip;
+// r11 - fp
+// r12 - ip
+// r13 - sp
+// r14 - lr
+// r15 - pc

-  };
-
-  union {
-
-    uint32_t r13;
-    uint32_t sp;
-
-  };
-
-  union {
-
-    uint32_t r14;
-    uint32_t lr;
-
-  };
-
-  union {
-
-    uint32_t r15;
-    uint32_t pc;
-
-  };
-
-  uint32_t cpsr;
-
-  uint8_t  vfp_zregs[32][16];
-  uint32_t vfp_xregs[16];
-
-};
-
-typedef struct arm_regs arch_api_regs;
+static GumCpuContext saved_regs = {0};
+static gpointer      saved_lr = NULL;

 gboolean persistent_is_supported(void) {

-  return false;
+  return true;
+
+}
+
+static void instrument_persitent_save_regs(GumArmWriter  *cw,
+                                           GumCpuContext *regs) {
+
+  /* Save Regs */
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R0, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE);
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE + sizeof(guint32));
+
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R0, GUM_ADDRESS(regs));
+
+  /* Save r1-r7 */
+  for (size_t i = ARM_REG_R1; i < ARM_REG_R8; i++) {
+
+    gum_arm_writer_put_str_reg_reg_offset(
+        cw, i, ARM_REG_R0, offsetof(GumCpuContext, r[i - ARM_REG_R0]));
+
+  }
+
+  /* Save r8-r12 */
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R8, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r8));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R9, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r9));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R10, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r10));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R11, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r11));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R12, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r12));
+
+  /* Save sp & lr */
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_SP, ARM_REG_R0,
+                                        offsetof(GumCpuContext, sp));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_LR, ARM_REG_R0,
+                                        offsetof(GumCpuContext, lr));
+
+  /* Save r0 (load from stack into r1) */
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE);
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r[0]));
+
+  /* Save CPSR */
+  gum_arm_writer_put_mov_reg_cpsr(cw, ARM_REG_R1);
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_R0,
+                                        offsetof(GumCpuContext, cpsr));
+
+  /* Save PC */
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R1,
+                                     GUM_ADDRESS(persistent_start));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_R0,
+                                        offsetof(GumCpuContext, pc));
+
+  /* Restore Regs */
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE + sizeof(guint32));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R0, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE);
+
+}
+
+static void instrument_persitent_restore_regs(GumArmWriter  *cw,
+                                              GumCpuContext *regs) {
+
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R0, GUM_ADDRESS(regs));
+
+  /* Restore CPSR */
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_R0,
+                                        offsetof(GumCpuContext, cpsr));
+  gum_arm_writer_put_mov_cpsr_reg(cw, ARM_REG_R1);
+
+  /* Restore sp & lr */
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_SP, ARM_REG_R0,
+                                        offsetof(GumCpuContext, sp));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_LR, ARM_REG_R0,
+                                        offsetof(GumCpuContext, lr));
+
+  /* Restore r8-r12 */
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R8, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r8));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R9, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r9));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R10, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r10));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R11, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r11));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R12, ARM_REG_R0,
+                                        offsetof(GumCpuContext, r12));
+
+  /* Restore r7-r0 */
+  for (size_t i = ARM_REG_R7; i >= ARM_REG_R0; i--) {
+
+    gum_arm_writer_put_ldr_reg_reg_offset(
+        cw, i, ARM_REG_R0, offsetof(GumCpuContext, r[i - ARM_REG_R0]));
+
+  }
+
+}
+
+static void instrument_exit(GumArmWriter *cw) {
+
+  gum_arm_writer_put_sub_reg_reg_reg(cw, ARM_REG_R0, ARM_REG_R0, ARM_REG_R0);
+  gum_arm_writer_put_call_address_with_arguments(cw, GUM_ADDRESS(_exit), 1,
+                                                 GUM_ARG_REGISTER, ARM_REG_R0);
+
+}
+
+static int instrument_afl_persistent_loop_func(void) {
+
+  int ret = __afl_persistent_loop(persistent_count);
+  if (instrument_previous_pc_addr == NULL) {
+
+    FATAL("instrument_previous_pc_addr uninitialized");
+
+  }
+
+  *instrument_previous_pc_addr = instrument_hash_zero;
+  return ret;
+
+}
+
+static void instrument_afl_persistent_loop(GumArmWriter *cw) {
+
+  gum_arm_writer_put_sub_reg_reg_imm(cw, ARM_REG_SP, ARM_REG_SP,
+                                     GUM_RED_ZONE_SIZE);
+  gum_arm_writer_put_call_address_with_arguments(
+      cw, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0);
+  gum_arm_writer_put_add_reg_reg_imm(cw, ARM_REG_SP, ARM_REG_SP,
+                                     GUM_RED_ZONE_SIZE);
+
+}
+
+static void persistent_prologue_hook(GumArmWriter *cw, GumCpuContext *regs) {
+
+  if (persistent_hook == NULL) return;
+
+  gum_arm_writer_put_sub_reg_reg_imm(cw, ARM_REG_SP, ARM_REG_SP,
+                                     GUM_RED_ZONE_SIZE);
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R2,
+                                     GUM_ADDRESS(&__afl_fuzz_len));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R2, ARM_REG_R2, 0);
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R2, ARM_REG_R2, 0);
+
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R1,
+                                     GUM_ADDRESS(&__afl_fuzz_ptr));
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R1, ARM_REG_R1, 0);
+
+  gum_arm_writer_put_call_address_with_arguments(
+      cw, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS, GUM_ADDRESS(regs),
+      GUM_ARG_REGISTER, ARM_REG_R1, GUM_ARG_REGISTER, ARM_REG_R2);
+
+  gum_arm_writer_put_add_reg_reg_imm(cw, ARM_REG_SP, ARM_REG_SP,
+                                     GUM_RED_ZONE_SIZE);
+
+}
+
+static void instrument_persitent_save_lr(GumArmWriter *cw) {
+
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_R0, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE);
+
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R0, GUM_ADDRESS(&saved_lr));
+  gum_arm_writer_put_str_reg_reg_offset(cw, ARM_REG_LR, ARM_REG_R0, 0);
+
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R0, ARM_REG_SP,
+                                        GUM_RED_ZONE_SIZE);

 }

 void persistent_prologue_arch(GumStalkerOutput *output) {

-  UNUSED_PARAMETER(output);
-  FFATAL("Persistent mode not supported on this architecture");
+  /*
+   *  SAVE REGS
+   *  SAVE RET
+   *  POP RET
+   * loop:
+   *  CALL instrument_afl_persistent_loop
+   *  TEST EAX, EAX
+   *  JZ end:
+   *  call hook (optionally)
+   *  RESTORE REGS
+   *  call original
+   *  jmp loop:
+   *
+   * end:
+   *  JMP SAVED RET
+   *
+   * original:
+   *  INSTRUMENTED PERSISTENT FUNC
+   */
+
+  GumArmWriter *cw = output->writer.arm;
+
+  gconstpointer loop = cw->code + 1;
+
+  FVERBOSE("Persistent loop reached");
+
+  instrument_persitent_save_regs(cw, &saved_regs);
+
+  /* loop: */
+  gum_arm_writer_put_label(cw, loop);
+
+  /* call instrument_prologue_func */
+  instrument_afl_persistent_loop(cw);
+
+  /* jz done */
+  gconstpointer done = cw->code + 1;
+  gum_arm_writer_put_cmp_reg_imm(cw, ARM_REG_R0, 0);
+  gum_arm_writer_put_b_cond_label(cw, ARM_CC_EQ, done);
+
+  /* Optionally call the persistent hook */
+  persistent_prologue_hook(cw, &saved_regs);
+
+  instrument_persitent_restore_regs(cw, &saved_regs);
+  gconstpointer original = cw->code + 1;
+  /* call original */
+
+  gum_arm_writer_put_bl_label(cw, original);
+
+  /* jmp loop */
+  gum_arm_writer_put_b_label(cw, loop);
+
+  /* done: */
+  gum_arm_writer_put_label(cw, done);
+
+  instrument_exit(cw);
+
+  /* original: */
+  gum_arm_writer_put_label(cw, original);
+
+  instrument_persitent_save_lr(cw);
+
+  if (persistent_debug) { gum_arm_writer_put_breakpoint(cw); }

 }

 void persistent_epilogue_arch(GumStalkerOutput *output) {

-  UNUSED_PARAMETER(output);
-  FFATAL("Persistent mode not supported on this architecture");
+  GumArmWriter *cw = output->writer.arm;
+
+  if (persistent_debug) { gum_arm_writer_put_breakpoint(cw); }
+
+  gum_arm_writer_put_ldr_reg_address(cw, ARM_REG_R0, GUM_ADDRESS(&saved_lr));
+
+  gum_arm_writer_put_ldr_reg_reg_offset(cw, ARM_REG_R0, ARM_REG_R0, 0);
+
+  gum_arm_writer_put_bx_reg(cw, ARM_REG_R0);

 }

--- a/frida_mode/src/persistent/persistent_arm64.c
+++ b/frida_mode/src/persistent/persistent_arm64.c
@ -24,7 +24,7 @@ gboolean persistent_is_supported(void) {

 }

-static void instrument_persitent_save_regs(GumArm64Writer *  cw,
+static void instrument_persitent_save_regs(GumArm64Writer   *cw,
                                           persistent_ctx_t *regs) {

  GumAddress    regs_address = GUM_ADDRESS(regs);
@ -105,18 +105,13 @@ static void instrument_persitent_save_regs(GumArm64Writer *  cw,
                                          offsetof(persistent_ctx_t, rflags));

  /* Q */
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_stp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET);
+  for (int i = 0; i < 16; i++) {
+
+    gum_arm64_writer_put_stp_reg_reg_reg_offset(
+        cw, ARM64_REG_Q0 + (i * 2), ARM64_REG_Q0 + (i * 2) + 1, ARM64_REG_X0,
+        offsetof(GumCpuContext, v[i]), GUM_INDEX_SIGNED_OFFSET);
+
+  }

  /* x0 & x1 */
  gum_arm64_writer_put_ldp_reg_reg_reg_offset(cw, ARM64_REG_X2, ARM64_REG_X3,
@ -136,7 +131,7 @@ static void instrument_persitent_save_regs(GumArm64Writer *  cw,

 }

-static void instrument_persitent_restore_regs(GumArm64Writer *  cw,
+static void instrument_persitent_restore_regs(GumArm64Writer   *cw,
                                              persistent_ctx_t *regs) {

  GumAddress    regs_address = GUM_ADDRESS(regs);
@ -201,18 +196,14 @@ static void instrument_persitent_restore_regs(GumArm64Writer *  cw,
                                          offsetof(persistent_ctx_t, rflags));
  gum_arm64_writer_put_instruction(cw, msr_nzcv_x1);

-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q0, ARM64_REG_Q1, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[0]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q2, ARM64_REG_Q3, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[16]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q4, ARM64_REG_Q5, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[32]), GUM_INDEX_SIGNED_OFFSET);
-  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
-      cw, ARM64_REG_Q6, ARM64_REG_Q7, ARM64_REG_X0,
-      offsetof(GumCpuContext, q[48]), GUM_INDEX_SIGNED_OFFSET);
+  /* Q */
+  for (int i = 0; i < 16; i++) {
+
+    gum_arm64_writer_put_ldp_reg_reg_reg_offset(
+        cw, ARM64_REG_Q0 + (i * 2), ARM64_REG_Q0 + (i * 2) + 1, ARM64_REG_X0,
+        offsetof(GumCpuContext, v[i]), GUM_INDEX_SIGNED_OFFSET);
+
+  }

  /* x2 & x3 */
  gum_arm64_writer_put_ldp_reg_reg_reg_offset(
@ -258,7 +249,7 @@ static void instrument_afl_persistent_loop(GumArm64Writer *cw) {

 }

-static void persistent_prologue_hook(GumArm64Writer *  cw,
+static void persistent_prologue_hook(GumArm64Writer   *cw,
                                     persistent_ctx_t *regs) {

  if (persistent_hook == NULL) return;
--- a/frida_mode/src/persistent/persistent_x64.c
+++ b/frida_mode/src/persistent/persistent_x64.c
@ -25,148 +25,148 @@ gboolean persistent_is_supported(void) {

 }

-static void instrument_persitent_save_regs(GumX86Writer *    cw,
+static void instrument_persitent_save_regs(GumX86Writer     *cw,
                                           persistent_ctx_t *regs) {

  GumAddress regs_address = GUM_ADDRESS(regs);
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        -(GUM_RED_ZONE_SIZE));

  /* Should be pushing FPU here, but meh */
  gum_x86_writer_put_pushfx(cw);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RAX);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, regs_address);

  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rbx), GUM_REG_RBX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rbx), GUM_X86_RBX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rcx), GUM_REG_RCX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rcx), GUM_X86_RCX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rdx), GUM_REG_RDX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rdx), GUM_X86_RDX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rdi), GUM_REG_RDI);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rdi), GUM_X86_RDI);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rsi), GUM_REG_RSI);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rsi), GUM_X86_RSI);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rbp), GUM_REG_RBP);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rbp), GUM_X86_RBP);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r8), GUM_REG_R8);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r8), GUM_X86_R8);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r9), GUM_REG_R9);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r9), GUM_X86_R9);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r10), GUM_REG_R10);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r10), GUM_X86_R10);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r11), GUM_REG_R11);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r11), GUM_X86_R11);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r12), GUM_REG_R12);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r12), GUM_X86_R12);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r13), GUM_REG_R13);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r13), GUM_X86_R13);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r14), GUM_REG_R14);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r14), GUM_X86_R14);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, r15), GUM_REG_R15);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, r15), GUM_X86_R15);

  /* Store RIP */
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RBX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RBX,
                                     GUM_ADDRESS(persistent_start));

  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rip), GUM_REG_RBX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rip), GUM_X86_RBX);

  /* Store adjusted RSP */
-  gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_RBX, GUM_REG_RSP);
+  gum_x86_writer_put_mov_reg_reg(cw, GUM_X86_RBX, GUM_X86_RSP);

  /* RED_ZONE + Saved flags, RAX, alignment */
-  gum_x86_writer_put_add_reg_imm(cw, GUM_REG_RBX,
+  gum_x86_writer_put_add_reg_imm(cw, GUM_X86_RBX,
                                 GUM_RED_ZONE_SIZE + (0x8 * 2));
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rsp), GUM_REG_RBX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rsp), GUM_X86_RBX);

  /* Save the flags */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x8);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RSP, 0x8);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(persistent_ctx_t, rflags), GUM_REG_RBX);
+      cw, GUM_X86_RAX, offsetof(persistent_ctx_t, rflags), GUM_X86_RBX);

  /* Save the RAX */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP, 0x0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RSP, 0x0);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_RAX, offsetof(GumCpuContext, rax), GUM_REG_RBX);
+      cw, GUM_X86_RAX, offsetof(GumCpuContext, rax), GUM_X86_RBX);

  /* Pop the saved values */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 0x10);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP, 0x10);

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        (GUM_RED_ZONE_SIZE));

 }

-static void instrument_persitent_restore_regs(GumX86Writer *    cw,
+static void instrument_persitent_restore_regs(GumX86Writer     *cw,
                                              persistent_ctx_t *regs) {

  GumAddress regs_address = GUM_ADDRESS(regs);
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, regs_address);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, regs_address);

-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RCX, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RCX, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rcx));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RDX, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rdx));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDI, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RDI, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rdi));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RSI, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rsi));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBP, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBP, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rbp));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R8, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R8, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r8));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R9, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R9, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r9));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R10, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R10, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r10));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R11, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R11, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r11));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R12, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R12, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r12));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R13, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R13, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r13));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R14, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R14, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r14));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_R15, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_R15, GUM_X86_RAX,
                                            offsetof(GumCpuContext, r15));

  /* Don't restore RIP */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSP, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RSP, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rsp));

  /* Restore RBX, RAX & Flags */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        -(GUM_RED_ZONE_SIZE));

-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rbx));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RBX);

-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RAX,
                                            offsetof(GumCpuContext, rax));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RAX,
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RBX);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RAX,
                                            offsetof(persistent_ctx_t, rflags));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RBX);

  gum_x86_writer_put_popfx(cw);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_RAX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_RBX);

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        (GUM_RED_ZONE_SIZE));

 }

 static void instrument_exit(GumX86Writer *cw) {

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(_exit));
-  gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_RDI, 0);
-  gum_x86_writer_put_call_reg(cw, GUM_REG_RAX);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, GUM_ADDRESS(_exit));
+  gum_x86_writer_put_mov_reg_u32(cw, GUM_X86_RDI, 0);
+  gum_x86_writer_put_call_reg(cw, GUM_X86_RAX);

 }

@ -186,13 +186,13 @@ static int instrument_afl_persistent_loop_func(void) {

 static void instrument_afl_persistent_loop(GumX86Writer *cw) {

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        -(GUM_RED_ZONE_SIZE));
  gum_x86_writer_put_call_address_with_arguments(
      cw, GUM_CALL_CAPI, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0);
-  gum_x86_writer_put_test_reg_reg(cw, GUM_REG_RAX, GUM_REG_RAX);
+  gum_x86_writer_put_test_reg_reg(cw, GUM_X86_RAX, GUM_X86_RAX);

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        (GUM_RED_ZONE_SIZE));

 }
@ -200,26 +200,26 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {
 static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) {

  if (persistent_hook == NULL) return;
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        -(GUM_RED_ZONE_SIZE));

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RDX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RDX,
                                     GUM_ADDRESS(&__afl_fuzz_len));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RDX, GUM_REG_RDX, 0);
-  gum_x86_writer_put_mov_reg_u64(cw, GUM_REG_RDI, 0xffffffff);
-  gum_x86_writer_put_and_reg_reg(cw, GUM_REG_RDX, GUM_REG_RDI);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RDX, GUM_X86_RDX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RDX, GUM_X86_RDX, 0);
+  gum_x86_writer_put_mov_reg_u64(cw, GUM_X86_RDI, 0xffffffff);
+  gum_x86_writer_put_and_reg_reg(cw, GUM_X86_RDX, GUM_X86_RDI);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RSI,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RSI,
                                     GUM_ADDRESS(&__afl_fuzz_ptr));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RSI, GUM_REG_RSI, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RSI, GUM_X86_RSI, 0);

  gum_x86_writer_put_call_address_with_arguments(
      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS,
-      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_REG_RSI, GUM_ARG_REGISTER,
-      GUM_REG_RDX);
+      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_X86_RSI, GUM_ARG_REGISTER,
+      GUM_X86_RDX);

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        (GUM_RED_ZONE_SIZE));

 }
@ -228,23 +228,23 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) {

  /* Stack usage by this function */
  gssize offset = GUM_RED_ZONE_SIZE + (3 * 8);
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        -(GUM_RED_ZONE_SIZE));

  gum_x86_writer_put_pushfx(cw);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_RBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RAX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_RBX);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(&saved_ret));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_RBX, GUM_REG_RSP,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_RBX, GUM_X86_RSP,
                                            offset);
-  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_RAX, GUM_REG_RBX);
+  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_X86_RAX, GUM_X86_RBX);

-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RBX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_RAX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_RBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_RAX);
  gum_x86_writer_put_popfx(cw);

-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP,
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP,
                                        (GUM_RED_ZONE_SIZE));

 }
@ -278,7 +278,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
  FVERBOSE("Persistent loop reached");

  /* Pop the return value */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, 8);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP, 8);

  instrument_persitent_save_regs(cw, &saved_regs);

@ -326,13 +326,13 @@ void persistent_epilogue_arch(GumStalkerOutput *output) {

  /* The stack should be aligned when we re-enter our loop */
  gconstpointer zero = cw->code + 1;
-  gum_x86_writer_put_test_reg_u32(cw, GUM_REG_RSP, 0xF);
+  gum_x86_writer_put_test_reg_u32(cw, GUM_X86_RSP, 0xF);
  gum_x86_writer_put_jcc_near_label(cw, X86_INS_JE, zero, GUM_NO_HINT);
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_RSP, GUM_REG_RSP, -8);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_RSP, GUM_X86_RSP, -8);
  gum_x86_writer_put_label(cw, zero);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_RAX, GUM_ADDRESS(&saved_ret));
-  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_REG_RAX);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_RAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_X86_RAX);

 }

--- a/frida_mode/src/persistent/persistent_x86.c
+++ b/frida_mode/src/persistent/persistent_x86.c
@ -25,105 +25,105 @@ gboolean persistent_is_supported(void) {

 }

-static void instrument_persitent_save_regs(GumX86Writer *    cw,
+static void instrument_persitent_save_regs(GumX86Writer     *cw,
                                           persistent_ctx_t *regs) {

  GumAddress regs_address = GUM_ADDRESS(regs);

  /* Should be pushing FPU here, but meh */
  gum_x86_writer_put_pushfx(cw);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EAX);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EAX, regs_address);

  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, ebx), GUM_REG_EBX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, ebx), GUM_X86_EBX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, ecx), GUM_REG_ECX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, ecx), GUM_X86_ECX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, edx), GUM_REG_EDX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, edx), GUM_X86_EDX);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, edi), GUM_REG_EDI);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, edi), GUM_X86_EDI);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, esi), GUM_REG_ESI);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, esi), GUM_X86_ESI);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, ebp), GUM_REG_EBP);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, ebp), GUM_X86_EBP);

  /* Store RIP */
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EBX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EBX,
                                     GUM_ADDRESS(persistent_start));

  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, eip), GUM_REG_EBX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, eip), GUM_X86_EBX);

  /* Store adjusted RSP */
-  gum_x86_writer_put_mov_reg_reg(cw, GUM_REG_EBX, GUM_REG_ESP);
+  gum_x86_writer_put_mov_reg_reg(cw, GUM_X86_EBX, GUM_X86_ESP);

  /* RED_ZONE + Saved flags, RAX */
-  gum_x86_writer_put_add_reg_imm(cw, GUM_REG_EBX, (0x4 * 2));
+  gum_x86_writer_put_add_reg_imm(cw, GUM_X86_EBX, (0x4 * 2));
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, esp), GUM_REG_EBX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, esp), GUM_X86_EBX);

  /* Save the flags */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x4);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_ESP, 0x4);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(persistent_ctx_t, eflags), GUM_REG_EBX);
+      cw, GUM_X86_EAX, offsetof(persistent_ctx_t, eflags), GUM_X86_EBX);

  /* Save the RAX */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP, 0x0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_ESP, 0x0);
  gum_x86_writer_put_mov_reg_offset_ptr_reg(
-      cw, GUM_REG_EAX, offsetof(GumCpuContext, eax), GUM_REG_EBX);
+      cw, GUM_X86_EAX, offsetof(GumCpuContext, eax), GUM_X86_EBX);

  /* Pop the saved values */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 0x8);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_ESP, GUM_X86_ESP, 0x8);

 }

-static void instrument_persitent_restore_regs(GumX86Writer *    cw,
+static void instrument_persitent_restore_regs(GumX86Writer     *cw,
                                              persistent_ctx_t *regs) {

  GumAddress regs_address = GUM_ADDRESS(regs);
-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, regs_address);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EAX, regs_address);

-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_ECX, GUM_X86_EAX,
                                            offsetof(GumCpuContext, ecx));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EDX, GUM_X86_EAX,
                                            offsetof(GumCpuContext, edx));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDI, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EDI, GUM_X86_EAX,
                                            offsetof(GumCpuContext, edi));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESI, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_ESI, GUM_X86_EAX,
                                            offsetof(GumCpuContext, esi));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBP, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBP, GUM_X86_EAX,
                                            offsetof(GumCpuContext, ebp));

  /* Don't restore RIP */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ESP, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_ESP, GUM_X86_EAX,
                                            offsetof(GumCpuContext, esp));

  /* Restore RBX, RAX & Flags */
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_EAX,
                                            offsetof(GumCpuContext, ebx));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EBX);

-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_EAX,
                                            offsetof(GumCpuContext, eax));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_EAX,
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EBX);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_EAX,
                                            offsetof(persistent_ctx_t, eflags));
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EBX);

  gum_x86_writer_put_popfx(cw);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_EAX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_EBX);

 }

 static void instrument_exit(GumX86Writer *cw) {

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(_exit));
-  gum_x86_writer_put_mov_reg_u32(cw, GUM_REG_EDI, 0);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EDI);
-  gum_x86_writer_put_call_reg(cw, GUM_REG_EAX);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EAX, GUM_ADDRESS(_exit));
+  gum_x86_writer_put_mov_reg_u32(cw, GUM_X86_EDI, 0);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EDI);
+  gum_x86_writer_put_call_reg(cw, GUM_X86_EAX);

 }

@ -145,7 +145,7 @@ static void instrument_afl_persistent_loop(GumX86Writer *cw) {

  gum_x86_writer_put_call_address_with_arguments(
      cw, GUM_CALL_CAPI, GUM_ADDRESS(instrument_afl_persistent_loop_func), 0);
-  gum_x86_writer_put_test_reg_reg(cw, GUM_REG_EAX, GUM_REG_EAX);
+  gum_x86_writer_put_test_reg_reg(cw, GUM_X86_EAX, GUM_X86_EAX);

 }

@ -153,20 +153,20 @@ static void persistent_prologue_hook(GumX86Writer *cw, persistent_ctx_t *regs) {

  if (persistent_hook == NULL) return;

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_ECX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_ECX,
                                     GUM_ADDRESS(&__afl_fuzz_len));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_ECX, 0);
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_ECX, GUM_REG_ECX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_ECX, GUM_X86_ECX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_ECX, GUM_X86_ECX, 0);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EDX,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EDX,
                                     GUM_ADDRESS(&__afl_fuzz_ptr));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EDX, GUM_REG_EDX, 0);
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EDX, GUM_X86_EDX, 0);

  /* Base address is 64-bits (hence two zero arguments) */
  gum_x86_writer_put_call_address_with_arguments(
      cw, GUM_CALL_CAPI, GUM_ADDRESS(persistent_hook), 3, GUM_ARG_ADDRESS,
-      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_REG_EDX, GUM_ARG_REGISTER,
-      GUM_REG_ECX);
+      GUM_ADDRESS(&regs->ctx), GUM_ARG_REGISTER, GUM_X86_EDX, GUM_ARG_REGISTER,
+      GUM_X86_ECX);

 }

@ -176,16 +176,16 @@ static void instrument_persitent_save_ret(GumX86Writer *cw) {
  gssize offset = (3 * 4);

  gum_x86_writer_put_pushfx(cw);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EAX);
-  gum_x86_writer_put_push_reg(cw, GUM_REG_EBX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EAX);
+  gum_x86_writer_put_push_reg(cw, GUM_X86_EBX);

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(&saved_ret));
-  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_REG_EBX, GUM_REG_ESP,
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_mov_reg_reg_offset_ptr(cw, GUM_X86_EBX, GUM_X86_ESP,
                                            offset);
-  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_REG_EAX, GUM_REG_EBX);
+  gum_x86_writer_put_mov_reg_ptr_reg(cw, GUM_X86_EAX, GUM_X86_EBX);

-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EBX);
-  gum_x86_writer_put_pop_reg(cw, GUM_REG_EAX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_EBX);
+  gum_x86_writer_put_pop_reg(cw, GUM_X86_EAX);
  gum_x86_writer_put_popfx(cw);

 }
@ -219,7 +219,7 @@ void persistent_prologue_arch(GumStalkerOutput *output) {
  FVERBOSE("Persistent loop reached");

  /* Pop the return value */
-  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_REG_ESP, GUM_REG_ESP, 4);
+  gum_x86_writer_put_lea_reg_reg_offset(cw, GUM_X86_ESP, GUM_X86_ESP, 4);

  instrument_persitent_save_regs(cw, &saved_regs);

@ -263,8 +263,8 @@ void persistent_epilogue_arch(GumStalkerOutput *output) {

  if (persistent_debug) { gum_x86_writer_put_breakpoint(cw); }

-  gum_x86_writer_put_mov_reg_address(cw, GUM_REG_EAX, GUM_ADDRESS(&saved_ret));
-  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_REG_EAX);
+  gum_x86_writer_put_mov_reg_address(cw, GUM_X86_EAX, GUM_ADDRESS(&saved_ret));
+  gum_x86_writer_put_jmp_reg_ptr(cw, GUM_X86_EAX);

 }

--- a/frida_mode/src/prefetch.c
+++ b/frida_mode/src/prefetch.c
@ -1,12 +1,11 @@
 #include <errno.h>
-#include <sys/shm.h>
-#include <sys/mman.h>

 #include "frida-gumjs.h"

 #include "entry.h"
 #include "intercept.h"
 #include "prefetch.h"
+#include "shm.h"
 #include "stalker.h"
 #include "util.h"

@ -19,7 +18,7 @@
 typedef struct {

  size_t count;
-  void * entry[PREFETCH_ENTRIES];
+  void  *entry[PREFETCH_ENTRIES];

  guint8 backpatch_data[BP_SIZE];
  gsize  backpatch_size;
@ -30,7 +29,6 @@ gboolean prefetch_enable = TRUE;
 gboolean prefetch_backpatch = TRUE;

 static prefetch_data_t *prefetch_data = NULL;
-static int              prefetch_shm_id = -1;

 static GHashTable *cant_prefetch = NULL;

@ -173,7 +171,7 @@ static void prefetch_read_blocks(void) {
 static void prefetch_read_patches(void) {

  gsize         offset = 0;
-  GumStalker *  stalker = stalker_get();
+  GumStalker   *stalker = stalker_get();
  GumBackpatch *backpatch = NULL;

  for (gsize remaining = prefetch_data->backpatch_size - offset;
@ -285,28 +283,7 @@ void prefetch_init(void) {
   * with the coverage bitmap region and fork will take care of ensuring both
   * the parent and child see the same consistent memory region.
   */
-  prefetch_shm_id =
-      shmget(IPC_PRIVATE, sizeof(prefetch_data_t), IPC_CREAT | IPC_EXCL | 0600);
-  if (prefetch_shm_id < 0) {
-
-    FFATAL("prefetch_shm_id < 0 - errno: %d\n", errno);
-
-  }
-
-  prefetch_data = shmat(prefetch_shm_id, NULL, 0);
-  g_assert(prefetch_data != MAP_FAILED);
-
-  /*
-   * Configure the shared memory region to be removed once the process dies.
-   */
-  if (shmctl(prefetch_shm_id, IPC_RMID, NULL) < 0) {
-
-    FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
-
-  }
-
-  /* Clear it, not sure it's necessary, just seems like good practice */
-  memset(prefetch_data, '\0', sizeof(prefetch_data_t));
+  prefetch_data = shm_create(sizeof(prefetch_data_t));

  prefetch_hook_fork();

@ -319,7 +296,7 @@ void prefetch_init(void) {

  if (!prefetch_backpatch) { return; }

-  GumStalkerObserver *         observer = stalker_get_observer();
+  GumStalkerObserver          *observer = stalker_get_observer();
  GumStalkerObserverInterface *iface = GUM_STALKER_OBSERVER_GET_IFACE(observer);
  iface->notify_backpatch = gum_afl_stalker_backpatcher_notify;

--- a/frida_mode/src/ranges.c
+++ b/frida_mode/src/ranges.c
@ -9,7 +9,7 @@

 typedef struct {

-  gchar *         suffix;
+  gchar          *suffix;
  GumMemoryRange *range;
  gboolean        done;

@ -135,7 +135,7 @@ static gboolean convert_name_token_for_module(const GumModuleDetails *details,

 static void convert_name_token(gchar *token, GumMemoryRange *range) {

-  gchar *            suffix = g_strconcat("/", token, NULL);
+  gchar             *suffix = g_strconcat("/", token, NULL);
  convert_name_ctx_t ctx = {.suffix = suffix, .range = range, .done = false};

  gum_process_enumerate_modules(convert_name_token_for_module, &ctx);
@ -235,7 +235,7 @@ static void print_ranges(char *key, GArray *ranges) {
 static gboolean collect_module_ranges_callback(const GumRangeDetails *details,
                                               gpointer user_data) {

-  GArray *       ranges = (GArray *)user_data;
+  GArray        *ranges = (GArray *)user_data;
  GumMemoryRange range = *details->range;
  g_array_append_val(ranges, range);
  return TRUE;
@ -292,12 +292,12 @@ void ranges_add_exclude(GumMemoryRange *range) {

 static GArray *collect_ranges(char *env_key) {

-  char *         env_val;
-  gchar **       tokens;
+  char          *env_val;
+  gchar        **tokens;
  int            token_count;
  GumMemoryRange range;
  int            i;
-  GArray *       result;
+  GArray        *result;

  result = g_array_new(false, false, sizeof(GumMemoryRange));

@ -330,7 +330,7 @@ static GArray *collect_ranges(char *env_key) {

 static GArray *collect_libs_ranges(void) {

-  GArray *       result;
+  GArray        *result;
  GumMemoryRange range;
  result = g_array_new(false, false, sizeof(GumMemoryRange));

@ -422,7 +422,7 @@ static gboolean intersect_range(GumMemoryRange *rr, GumMemoryRange *ra,

 static GArray *intersect_ranges(GArray *a, GArray *b) {

-  GArray *        result;
+  GArray         *result;
  GumMemoryRange *ra;
  GumMemoryRange *rb;
  GumMemoryRange  ri;
@ -452,7 +452,7 @@ static GArray *intersect_ranges(GArray *a, GArray *b) {

 static GArray *subtract_ranges(GArray *a, GArray *b) {

-  GArray *        result;
+  GArray         *result;
  GumMemoryRange *ra;
  GumAddress      ral;
  GumMemoryRange *rb;
@ -528,7 +528,7 @@ static GArray *subtract_ranges(GArray *a, GArray *b) {

 static GArray *merge_ranges(GArray *a) {

-  GArray *        result;
+  GArray         *result;
  GumMemoryRange  rp;
  GumMemoryRange *r;

@ -585,11 +585,11 @@ void ranges_config(void) {
 void ranges_init(void) {

  GumMemoryRange ri;
-  GArray *       step1;
-  GArray *       step2;
-  GArray *       step3;
-  GArray *       step4;
-  GArray *       step5;
+  GArray        *step1;
+  GArray        *step2;
+  GArray        *step3;
+  GArray        *step4;
+  GArray        *step5;

  FOKF(cBLU "Ranges" cRST " - " cGRN "instrument jit:" cYEL " [%c]",
       ranges_inst_jit ? 'X' : ' ');
@ -669,7 +669,7 @@ gboolean range_is_excluded(GumAddress address) {
 void ranges_exclude() {

  GumMemoryRange *r;
-  GumStalker *    stalker = stalker_get();
+  GumStalker     *stalker = stalker_get();

  FVERBOSE("Excluding ranges");

--- a/frida_mode/src/seccomp/seccomp.c
+++ b/frida_mode/src/seccomp/seccomp.c
@ -11,6 +11,8 @@ void seccomp_on_fork(void) {

 #ifdef __APPLE__
  FFATAL("Seccomp not supported on OSX");
+#elif defined(__ANDROID__)
+  FFATAL("Seccomp not supported on Android");
 #else
  seccomp_callback_parent();
 #endif
@ -32,6 +34,8 @@ void seccomp_init(void) {

 #ifdef __APPLE__
  FFATAL("Seccomp not supported on OSX");
+#elif defined(__ANDROID__)
+  FFATAL("Seccomp not supported on Android");
 #else
  seccomp_callback_initialize();
 #endif
--- a/frida_mode/src/seccomp/seccomp_callback.c
+++ b/frida_mode/src/seccomp/seccomp_callback.c
@ -8,9 +8,9 @@
  #include "seccomp.h"
  #include "util.h"

-static void seccomp_callback_filter(struct seccomp_notif *     req,
+static void seccomp_callback_filter(struct seccomp_notif      *req,
                                    struct seccomp_notif_resp *resp,
-                                    GumReturnAddressArray *    frames) {
+                                    GumReturnAddressArray     *frames) {

  GumDebugSymbolDetails details = {0};
  if (req->data.nr == SYS_OPENAT) {
@ -54,7 +54,7 @@ static void seccomp_callback_filter(struct seccomp_notif *     req,
  free(syms);
  #else
  void **syms = (void **)__builtin_frame_address(0);
-  void * framep = __builtin_frame_address(1);
+  void  *framep = __builtin_frame_address(1);
  int    i = 0;

  syms = framep;
--- a/frida_mode/src/seccomp/seccomp_child.c
+++ b/frida_mode/src/seccomp/seccomp_child.c
@ -21,7 +21,7 @@ typedef struct {

  seccomp_child_func_t func;
  int                  event_fd;
-  void *               ctx;
+  void                *ctx;

 } seccomp_child_func_ctx_t;

--- a/frida_mode/src/seccomp/seccomp_filter.c
+++ b/frida_mode/src/seccomp/seccomp_filter.c
@ -129,7 +129,7 @@ static volatile bool         seccomp_filter_child_done = false;
 static pid_t                 seccomp_filter_child = -1;
 static GumCpuContext         seccomp_filter_cpu_context = {0};
 static GumReturnAddressArray seccomp_filter_frames = {.len = 0, .items = {0}};
-static GumBacktracer *       seccomp_filter_backtracer = NULL;
+static GumBacktracer        *seccomp_filter_backtracer = NULL;

 static void seccomp_filter_child_handler(int sig, siginfo_t *info,
                                         void *ucontext) {
@ -209,7 +209,7 @@ int seccomp_filter_install(pid_t child) {

 void seccomp_filter_run(int fd, seccomp_filter_callback_t callback) {

-  struct seccomp_notif *     req = NULL;
+  struct seccomp_notif      *req = NULL;
  struct seccomp_notif_resp *resp = NULL;
  struct seccomp_notif_sizes sizes;

--- a/frida_mode/src/seccomp/seccomp_socket.c
+++ b/frida_mode/src/seccomp/seccomp_socket.c
@ -59,9 +59,9 @@ void seccomp_socket_send(int sockfd, int fd) {
  struct iovec iov = {.iov_base = &data, .iov_len = sizeof(data)};
  union cmsg   control_msg = {.hdr = {

-                                .cmsg_len = CMSG_LEN(sizeof(int)),
-                                .cmsg_level = SOL_SOCKET,
-                                .cmsg_type = SCM_RIGHTS,
+                                  .cmsg_len = CMSG_LEN(sizeof(int)),
+                                  .cmsg_level = SOL_SOCKET,
+                                  .cmsg_type = SCM_RIGHTS,

                            }};

--- a/frida_mode/src/shm.c
+++ b/frida_mode/src/shm.c
@ -0,0 +1,87 @@
+#include "shm.h"
+#include "util.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <sys/ipc.h>
+#include <sys/mman.h>
+#include <sys/shm.h>
+#ifdef __ANDROID__
+  #include <linux/ashmem.h>
+  #include <sys/ioctl.h>
+#endif
+
+#ifdef __ANDROID__
+  #define ASHMEM_DEVICE "/dev/ashmem"
+
+void *shm_create(size_t size) {
+
+  int               fd = -1;
+  char              ourkey[11] = {0};
+  void             *addr = MAP_FAILED;
+  struct ashmem_pin pin = {0, size};
+
+  fd = open(ASHMEM_DEVICE, O_RDWR);
+  if (fd < 0) { FFATAL("Failed open /dev/ashmem: %d", errno); }
+
+  if (snprintf(ourkey, sizeof(ourkey) - 1, "%d", IPC_PRIVATE) < 0) {
+
+    FFATAL("Failed to generate key: %d", errno);
+
+  }
+
+  if (ioctl(fd, ASHMEM_SET_NAME, ourkey) < 0) {
+
+    FFATAL("ioctl(ASHMEM_SET_NAME) errno: %d\n", errno);
+
+  }
+
+  if (ioctl(fd, ASHMEM_SET_SIZE, size) < 0) {
+
+    FFATAL("ioctl(ASHMEM_SET_SIZE) errno: %d\n", errno);
+
+  }
+
+  addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+  if (addr == MAP_FAILED) { FFATAL("mmap failed: %d\n", errno); }
+
+  /* Shared memory pinning has been deprecated. So if the ioctl fails, then
+  just assume we are running on a version where it has been. Worst case, we
+  will leak the shared memory region.*/
+  ioctl(fd, ASHMEM_UNPIN, &pin);
+  close(fd);
+
+  return addr;
+
+}
+
+#else
+void *shm_create(size_t size) {
+
+  int shm_id =
+      shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | S_IRUSR | S_IWUSR);
+  if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); }
+
+  void *addr = shmat(shm_id, NULL, 0);
+  if (addr == MAP_FAILED) { FFATAL("addr == MAP_FAILED - errno: %d\n", errno); }
+
+  /*
+   * Configure the shared memory region to be removed once the process
+   * dies.
+   */
+  if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
+
+    FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
+
+  }
+
+  /* Clear it, not sure it's necessary, just seems like good practice */
+  memset(addr, '\0', size);
+
+  return addr;
+
+}
+
+#endif
+
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@ -74,7 +74,7 @@ static gboolean stalker_exclude_self(const GumRangeDetails *details,
                                     gpointer               user_data) {

  UNUSED_PARAMETER(user_data);
-  gchar *     name;
+  gchar      *name;
  gboolean    found;
  GumStalker *stalker;
  if (details->file == NULL) { return TRUE; }
--- a/frida_mode/src/stats/stats.c
+++ b/frida_mode/src/stats/stats.c
@ -2,21 +2,20 @@
 #include <fcntl.h>
 #include <stdio.h>
 #include <unistd.h>
-#include <sys/shm.h>
 #include <sys/mman.h>

 #include "frida-gumjs.h"

 #include "config.h"
-#include "util.h"
-
 #include "entry.h"
+#include "shm.h"
 #include "stalker.h"
 #include "stats.h"
+#include "util.h"

 #define MICRO_TO_SEC 1000000

-char *               stats_filename = NULL;
+char                *stats_filename = NULL;
 guint64              stats_interval = 0;
 static guint64       stats_interval_us = 0;
 static int           stats_fd = -1;
@ -41,8 +40,8 @@ void stats_write(void) {
  stats_data->curr.stats_time = current_time;

  GDateTime *date_time = g_date_time_new_now_local();
-  char *     date_string = g_date_time_format(date_time, "%Y-%m-%d");
-  char *     time_string = g_date_time_format(date_time, "%H:%M:%S");
+  char      *date_string = g_date_time_format(date_time, "%Y-%m-%d");
+  char      *time_string = g_date_time_format(date_time, "%H:%M:%S");
  guint elapsed = (stats_data->curr.stats_time - stats_data->prev.stats_time) /
                  MICRO_TO_SEC;

@ -360,27 +359,10 @@ void stats_init(void) {

  g_free(path);

-  int shm_id =
-      shmget(IPC_PRIVATE, sizeof(stats_data_t), IPC_CREAT | IPC_EXCL | 0600);
-  if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); }
-
-  stats_data = shmat(shm_id, NULL, 0);
-  g_assert(stats_data != MAP_FAILED);
-
  GumStalkerObserver *observer = stalker_get_observer();
  stats_observer_init(observer);

-  /*
-   * Configure the shared memory region to be removed once the process dies.
-   */
-  if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
-
-    FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
-
-  }
-
-  /* Clear it, not sure it's necessary, just seems like good practice */
-  memset(stats_data, '\0', sizeof(stats_data_t));
+  stats_data = shm_create(sizeof(stats_data_t));

  starts_arch_init();

--- a/frida_mode/src/stats/stats_arm32.c
+++ b/frida_mode/src/stats/stats_arm32.c
@ -13,6 +13,7 @@ void starts_arch_init(void) {

 void stats_write_arch(stats_data_t *data) {

+  UNUSED_PARAMETER(data);
  FFATAL("Stats not supported on this architecture");

 }
--- a/frida_mode/src/stats/stats_arm64.c
+++ b/frida_mode/src/stats/stats_arm64.c
@ -1,9 +1,9 @@
-#include <sys/shm.h>
 #include <sys/mman.h>

 #include "frida-gumjs.h"

 #include "ranges.h"
+#include "shm.h"
 #include "stats.h"
 #include "util.h"

@ -44,24 +44,7 @@ static stats_data_arch_t *stats_data_arch = NULL;

 void starts_arch_init(void) {

-  int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t),
-                      IPC_CREAT | IPC_EXCL | 0600);
-  if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); }
-
-  stats_data_arch = shmat(shm_id, NULL, 0);
-  g_assert(stats_data_arch != MAP_FAILED);
-
-  /*
-   * Configure the shared memory region to be removed once the process dies.
-   */
-  if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
-
-    FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
-
-  }
-
-  /* Clear it, not sure it's necessary, just seems like good practice */
-  memset(stats_data_arch, '\0', sizeof(stats_data_arch_t));
+  stats_data_arch = shm_create(sizeof(stats_data_arch_t));

 }

--- a/frida_mode/src/stats/stats_x86_64.c
+++ b/frida_mode/src/stats/stats_x86_64.c
@ -1,9 +1,9 @@
-#include <sys/shm.h>
 #include <sys/mman.h>

 #include "frida-gumjs.h"

 #include "ranges.h"
+#include "shm.h"
 #include "stats.h"
 #include "util.h"

@ -46,24 +46,7 @@ static stats_data_arch_t *stats_data_arch = NULL;

 void starts_arch_init(void) {

-  int shm_id = shmget(IPC_PRIVATE, sizeof(stats_data_arch_t),
-                      IPC_CREAT | IPC_EXCL | 0600);
-  if (shm_id < 0) { FFATAL("shm_id < 0 - errno: %d\n", errno); }
-
-  stats_data_arch = shmat(shm_id, NULL, 0);
-  g_assert(stats_data_arch != MAP_FAILED);
-
-  /*
-   * Configure the shared memory region to be removed once the process dies.
-   */
-  if (shmctl(shm_id, IPC_RMID, NULL) < 0) {
-
-    FFATAL("shmctl (IPC_RMID) < 0 - errno: %d\n", errno);
-
-  }
-
-  /* Clear it, not sure it's necessary, just seems like good practice */
-  memset(stats_data_arch, '\0', sizeof(stats_data_arch_t));
+  stats_data_arch = shm_create(sizeof(stats_data_arch_t));

 }

@ -248,7 +231,7 @@ void stats_write_arch(stats_data_t *data) {

 static x86_op_type stats_get_operand_type(const cs_insn *instr) {

-  cs_x86 *   x86 = &instr->detail->x86;
+  cs_x86    *x86 = &instr->detail->x86;
  cs_x86_op *operand;

  if (x86->op_count != 1) {
@ -266,7 +249,7 @@ static x86_op_type stats_get_operand_type(const cs_insn *instr) {

 static void stats_collect_call_imm_excluded_arch(const cs_insn *instr) {

-  cs_x86 *   x86 = &instr->detail->x86;
+  cs_x86    *x86 = &instr->detail->x86;
  cs_x86_op *operand = &x86->operands[0];

  if (range_is_excluded(GUM_ADDRESS(operand->imm))) {
--- a/frida_mode/test/cmplog/cmplog.c
+++ b/frida_mode/test/cmplog/cmplog.c
@ -2,7 +2,7 @@
 //
 // Author: Mateusz Jurczyk (mjurczyk@google.com)
 //
-// Copyright 2019-2022 Google LLC
+// Copyright 2019-2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/Show More
+++ b/Show More