Merge pull request #2460 from AFLplusplus/dev

update frida
Merge pull request #2459 from WorksButNotTested/update-frida
2025-06-24 06:42:42 +00:00 · 2025-05-30 18:14:52 +02:00 · 2025-05-29 22:36:07 +02:00 · 2025-05-29 17:33:39 +01:00 · 2025-05-28 22:52:27 +02:00 · 2025-05-27 15:11:16 +02:00
292 changed files with 23629 additions and 7257 deletions
--- a/.custom-format.py
+++ b/.custom-format.py
@ -21,12 +21,15 @@ import os
 # import re # TODO: for future use
 import shutil
 import importlib.metadata
+import hashlib

 # string_re = re.compile('(\\"(\\\\.|[^"\\\\])*\\")') # TODO: for future use

-CURRENT_LLVM = os.getenv('LLVM_VERSION', 17)
+CURRENT_LLVM = os.getenv('LLVM_VERSION', 18)
 CLANG_FORMAT_BIN = os.getenv("CLANG_FORMAT_BIN", "")

+FORMAT_CACHE_DIR = '.format-cache'
+os.makedirs(FORMAT_CACHE_DIR, exist_ok=True)

 def check_clang_format_pip_version():
    """
@ -69,6 +72,8 @@ to install via pip.")
 if CLANG_FORMAT_PIP:
    CLANG_FORMAT_BIN = shutil.which("clang-format")

+CLANG_FORMAT_VERSION = subprocess.check_output([CLANG_FORMAT_BIN, '--version'])
+
 COLUMN_LIMIT = 80
 for line in fmt.split("\n"):
    line = line.split(":")
@ -86,9 +91,10 @@ def custom_format(filename):
    out = ""

    for line in src.split("\n"):
+        define_start = False
        if line.lstrip().startswith("#"):
            if line[line.find("#") + 1:].lstrip().startswith("define"):
-                in_define = True
+                define_start = True

        if (
                "/*" in line
@ -126,9 +132,7 @@ def custom_format(filename):
                and last_line.strip() != ""
        ):
            line = (" " * define_padding + "\\" if in_define else "") + "\n" + line
-
-        if not line.endswith("\\"):
-            in_define = False
+        in_define = (define_start or in_define) and line.endswith("\\")

        out += line + "\n"
        last_line = line
@ -136,6 +140,38 @@ def custom_format(filename):
    return out


+def hash_code_and_formatter(code):
+    hasher = hashlib.sha256()
+
+    hasher.update(code.encode())
+    hasher.update(CLANG_FORMAT_VERSION)
+    with open(__file__, 'rb') as f:
+        hasher.update(f.read())
+
+    return hasher.hexdigest()
+
+
+def custom_format_cached(filename):
+    filename_hash = hashlib.sha256(filename.encode()).hexdigest()
+    cache_file = os.path.join(FORMAT_CACHE_DIR, filename_hash)
+
+    if os.path.exists(cache_file):
+        with open(filename) as f:
+            code = f.read()
+        code_hash = hash_code_and_formatter(code)
+        with open(cache_file) as f:
+            if f.read() == code_hash:
+                return code
+
+    code = custom_format(filename)
+
+    code_hash = hash_code_and_formatter(code)
+    with open(cache_file, 'w') as f:
+        f.write(code_hash)
+
+    return code
+
+
 args = sys.argv[1:]
 if len(args) == 0:
    print("Usage: ./format.py [-i] <filename>")
@ -151,7 +187,7 @@ if args[0] == "-i":
    args = args[1:]

 for filename in args:
-    code = custom_format(filename)
+    code = custom_format_cached(filename)
    if in_place:
        with open(filename, "w") as f:
            f.write(code)
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -14,18 +14,18 @@ jobs:
    runs-on: "${{ matrix.os }}"
    strategy:
      matrix:
-        os: [ubuntu-22.04, ubuntu-20.04]
+        os: [ubuntu-24.04, ubuntu-22.04, ubuntu-24.04-arm]
    env:
      AFL_SKIP_CPUFREQ: 1
      AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
      - name: update
        run: sudo apt-get update && sudo apt-get upgrade -y
      - name: debug
        run: apt-cache search plugin-dev | grep gcc-; echo; apt-cache search clang-format- | grep clang-format-
      - name: install packages
-        run: sudo apt-get install -y -m -f build-essential gcc-10 g++-10 git libtool libtool-bin automake flex bison libglib2.0-0 clang-12 llvm-12-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip gcc-10-plugin-dev
+        run: sudo apt-get install -y -m -f build-essential gcc-12 g++-12 git libtool libtool-bin automake flex bison libglib2.0-0 clang-15 llvm-15-dev libc++-dev findutils libcmocka-dev python3-dev python3-setuptools ninja-build python3-pip gcc-12-plugin-dev
      - name: compiler installed
        run: gcc -v; echo; clang -v
      - name: install gcc plugin
@ -34,23 +34,25 @@ jobs:
        run: export NO_NYX=1; export ASAN_BUILD=1; export LLVM_CONFIG=llvm-config-12; make ASAN_BUILD=1 NO_NYX=1 LLVM_CONFIG=llvm-config-12 distrib
      - name: run tests
        run: sudo -E ./afl-system-config; make tests
- # macos:
- #   runs-on: macOS-latest
- #   env:
- #     AFL_MAP_SIZE: 65536
- #     AFL_SKIP_CPUFREQ: 1
- #     AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
- #   steps:
- #     - uses: actions/checkout@v3
- #     - name: install
- #       run: brew install make gcc llvm
- #     - name: fix install
- #       run: cd /usr/local/bin; ln -s gcc-11 gcc; ln -s g++-11 g++; which gcc; gcc -v
- #     - name: build
- #       run: export PATH=/usr/local/Cellar/llvm/*/":$PATH"; export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; export LLVM_CONFIG=/usr/local/Cellar/llvm/*/bin/llvm-config; sudo -E ./afl-system-config; gmake ASAN_BUILD=1
- #     - name: frida
- #       run: export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; cd frida_mode; gmake
- #     - name: run tests
- #       run: sudo -E ./afl-system-config; export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; export PATH=/usr/local/Cellar/llvm/*/":/usr/local/bin:$PATH"; export LLVM_CONFIG=/usr/local/Cellar/llvm/*/bin/llvm-config; gmake tests
- #     - name: force frida test for MacOS
- #       run: export AFL_PATH=`pwd`; /usr/local/bin/gcc -o test-instr test-instr.c; mkdir in; echo > in/in; AFL_NO_UI=1 ./afl-fuzz -O -i in -o out -V 5 -- ./test-instr
+  macos:
+    runs-on: macOS-latest
+    env:
+      AFL_MAP_SIZE: 65536
+      AFL_SKIP_CPUFREQ: 1
+      AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
+    steps:
+      - uses: actions/checkout@v3
+      - name: install
+        run: brew install make gcc llvm
+#     - name: fix install
+#       run: cd /usr/local/bin; ln -s gcc-12 gcc; ln -s g++-12 g++; which gcc; gcc -v
+#      - name: build
+#        run: export PATH=/usr/local/Cellar/llvm/*/":$PATH"; export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; export LLVM_CONFIG=/usr/local/Cellar/llvm/*/bin/llvm-config; sudo -E ./afl-system-config; gmake ASAN_BUILD=1 afl-fuzz
+      - name: build
+        run: sudo -E ./afl-system-config; gmake ASAN_BUILD=1 afl-fuzz
+#     - name: frida
+#       run: export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; cd frida_mode; gmake
+#     - name: run tests
+#       run: sudo -E ./afl-system-config; export CC=/usr/local/Cellar/llvm/*/bin/clang; export CXX="$CC"++; export PATH=/usr/local/Cellar/llvm/*/":/usr/local/bin:$PATH"; export LLVM_CONFIG=/usr/local/Cellar/llvm/*/bin/llvm-config; gmake tests
+#     - name: force frida test for MacOS
+#       run: export AFL_PATH=`pwd`; /usr/local/bin/gcc -o test-instr test-instr.c; mkdir in; echo > in/in; AFL_NO_UI=1 ./afl-fuzz -O -i in -o out -V 5 -- ./test-instr
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@ -16,11 +16,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      - name: Build amd64
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v6
        with:
          context: .
          tags: aflplusplus:test-amd64
@ -35,20 +35,41 @@ jobs:
          apt-get install -y libcmocka-dev && 
          make -i tests
          "
+  build-and-test-arm64:
+    name: Test arm64 image
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build arm64
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: aflplusplus:test-arm64
+          load: true
+          cache-to: type=gha,mode=max
+          build-args: |
+            TEST_BUILD=1
+      - name: Test arm64
+        run: >
+          docker run --rm aflplusplus:test-arm64 bash -c "
+          apt-get update && 
+          apt-get install -y libcmocka-dev && 
+          make -i tests
+          "

  push:
    name: Push amd64 and arm64 images
    runs-on: ubuntu-latest
    needs:
      - build-and-test-amd64
+      - build-and-test-arm64
    if: ${{ github.event_name == 'push' && github.repository == 'AFLplusplus/AFLplusplus' }}
    steps:
      - name: Checkout
        uses: actions/checkout@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-        with:
-          platforms: arm64
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to docker.io
--- a/.github/workflows/rust_custom_mutator.yml
+++ b/.github/workflows/rust_custom_mutator.yml
@ -18,7 +18,7 @@ jobs:
        working-directory: custom_mutators/rust
    strategy:
      matrix:
-        os: [ubuntu-22.04, ubuntu-20.04]
+        os: [ubuntu-22.04]
    steps:
      - uses: actions/checkout@v3
      - name: Install Rust Toolchain
--- a/.gitignore
+++ b/.gitignore
@ -6,6 +6,8 @@
 *.pyc
 *.so
 *.swp
+.DS_Store
+.format-cache
 .sync_tmp
 .test
 .test2
@ -99,10 +101,17 @@ unicorn_mode/samples/*/\.test-*
 utils/afl_network_proxy/afl-network-client
 utils/afl_network_proxy/afl-network-server
 utils/afl_proxy/afl-proxy
+utils/bench/hash
 utils/optimin/build
 utils/optimin/optimin
 utils/persistent_mode/persistent_demo
 utils/persistent_mode/persistent_demo_new
+utils/persistent_mode/persistent_demo_new_compat
 utils/persistent_mode/test-instr
+utils/replay_record/persistent_demo_replay
+utils/replay_record/persistent_demo_replay_compat
+utils/replay_record/persistent_demo_replay_argparse
 utils/plot_ui/afl-plot-ui
 vuln_prog
+argv_fuzz_demo
+argv_fuzz_persistent_demo
--- a/CITATION.cff
+++ b/CITATION.cff
@ -27,5 +27,5 @@ keywords:
  - qemu
  - llvm
  - unicorn-emulator
-  - securiy
+  - security
 license: AGPL-3.0-or-later
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -34,6 +34,7 @@ file in one the following folders:
 * [docs/](docs/) (this is where you can find most of our docs content)
 * [frida_mode/](frida_mode/)
 * [instrumentation/](instrumentation/)
+* [nyx_mode/](nyx_mode/)
 * [qemu_mode/](qemu_mode/)
 * [unicorn_mode/](unicorn_mode/)

@ -47,7 +48,7 @@ When working on the docs, please keep the following guidelines in mind:
  * Don't: fuzzing-network-service.md
 * Use a maximum of 80 characters per line to make reading in a console easier.
 * Make all pull requests against `dev`, see
-  [#how-to-submit-a-pull-request-to-afl](#how-to-submit-a-pull-request-to-afl).
+  [#how-to-submit-a-pull-request](#how-to-submit-a-pull-request).

 And finally, here are some best practices for writing docs content:

--- a/1
+++ b/1
@ -61,6 +61,7 @@ RUN apt-get update && \

 RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${GCC_VERSION} 0 && \
    update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${GCC_VERSION} 0 && \
+    update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++-${GCC_VERSION} 0 && \
    update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${LLVM_VERSION} 0 && \
    update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-${LLVM_VERSION} 0

--- a/201
+++ b/201
@ -25,15 +25,15 @@ HELPER_PATH = $(PREFIX)/lib/afl
 DOC_PATH     = $(PREFIX)/share/doc/afl
 MISC_PATH    = $(PREFIX)/share/afl
 MAN_PATH     = $(PREFIX)/share/man/man8
+INCLUDE_PATH = $(PREFIX)/include/afl

 PROGNAME    = afl
 VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)

-# PROGS intentionally omit afl-as, which gets installed elsewhere.
-
 PROGS       = afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
-SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-whatsup afl-addseeds afl-system-config afl-persistent-config afl-cc
-MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) afl-as.8
+SH_PROGS    = afl-plot afl-cmin afl-cmin.bash afl-cmin.py afl-whatsup afl-addseeds afl-system-config afl-persistent-config afl-cc
+HEADERS     = include/afl-fuzz.h include/afl-mutations.h include/afl-persistent-replay.h include/afl-prealloc.h include/afl-record-compat.h include/alloc-inl.h include/android-ashmem.h include/cmplog.h include/common.h include/config.h include/coverage-32.h include/coverage-64.h include/debug.h include/envs.h include/forkserver.h include/hash.h include/list.h include/sharedmem.h include/snapshot-inl.h include/t1ha.h include/t1ha0_ia32aes_b.h include/t1ha_bits.h include/t1ha_selfcheck.h include/types.h include/xxhash.h
+MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)
 ASAN_OPTIONS=detect_leaks=0

 SYS = $(shell uname -s)
@ -41,10 +41,6 @@ ARCH = $(shell uname -m)

 $(info [*] Compiling AFL++ for OS $(SYS) on ARCH $(ARCH))

-ifdef NO_SPLICING
-  override CFLAGS_OPT += -DNO_SPLICING
-endif
-
 ifdef NO_UTF
  override CFLAGS_OPT += -DFANCY_BOXES_NO_UTF
 endif
@ -52,7 +48,7 @@ endif
 ifdef ASAN_BUILD
  $(info Compiling ASAN version of binaries)
  override CFLAGS += $(ASAN_CFLAGS)
-  LDFLAGS += $(ASAN_LDFLAGS)
+  override LDFLAGS += $(ASAN_LDFLAGS)
 endif
 ifdef UBSAN_BUILD
  $(info Compiling UBSAN version of binaries)
@ -65,15 +61,25 @@ ifdef MSAN_BUILD
  override CFLAGS += -fsanitize=memory -fno-omit-frame-pointer
  override LDFLAGS += -fsanitize=memory
 endif
+ifdef NO_SPLICING
+  $(info The NO_SPLICING parameter is deprecated)
+endif
+

 ifdef CODE_COVERAGE
  override CFLAGS += -D__AFL_CODE_COVERAGE=1
 endif

+IS_IOS:=$(findstring ios, $(shell $(CC) --version 2>/dev/null))
+ifdef IS_IOS
+  override CFLAGS += -DTARGET_OS_IPHONE -DTARGET_OS_IOS -isysroot $(IOS_SDK_PATH)
+endif
+
 ifeq "$(findstring android, $(shell $(CC) --version 2>/dev/null))" ""
-ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+ifndef ASAN_BUILD
+ ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=full -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	CFLAGS_FLTO ?= -flto=full
-else
+ else
  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -flto=thin -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	CFLAGS_FLTO ?= -flto=thin
  else
@ -81,41 +87,50 @@ else
 	CFLAGS_FLTO ?= -flto
   endif
  endif
+ endif
 endif
 endif

-#ifeq "$(shell echo 'int main() {return 0; }' | $(CC) -fno-move-loop-invariants -fdisable-tree-cunrolli -x c - -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-#	SPECIAL_PERFORMANCE += -fno-move-loop-invariants -fdisable-tree-cunrolli
-#endif
+ifdef PERFORMANCE
+  SPECIAL_PERFORMANCE := -D_AFL_SPECIAL_PERFORMANCE
+  ifeq "$(SYS)" "Linux"
+    ifeq "$(shell grep avx2 /proc/cpuinfo)" ""
+    else
+  	SPECIAL_PERFORMANCE += -mavx2 -D_HAVE_AVX2
+    endif
+  endif
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+	HAVE_MARCHNATIVE = 1
+	SPECIAL_PERFORMANCE += -march=native
+  endif
+  $(info SPECIAL_PERFORMANCE=$(SPECIAL_PERFORMANCE))
+else
+  SPECIAL_PERFORMANCE :=
+endif

-#ifeq "$(shell echo 'int main() {return 0; }' | $(CC) $(CFLAGS) -Werror -x c - -march=native -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-#  ifndef SOURCE_DATE_EPOCH
-#    HAVE_MARCHNATIVE = 1
-#    CFLAGS_OPT += -march=native
-#  endif
-#endif
-
-ifneq "$(SYS)" "Darwin"
+ifndef IS_IOS
+  ifneq "$(SYS)" "Darwin"
   #ifeq "$(HAVE_MARCHNATIVE)" "1"
   #  SPECIAL_PERFORMANCE += -march=native
   #endif
   #ifndef DEBUG
- #  CFLAGS_OPT += -D_FORTIFY_SOURCE=1
+   #  override CFLAGS_OPT += -D_FORTIFY_SOURCE=1
   #endif
-else
+  else
    # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
    SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
-  LDFLAGS += $(SDK_LD)
+    override LDFLAGS += $(SDK_LD)
+  endif
 endif

 COMPILER_TYPE=$(shell $(CC) --version|grep "Free Software Foundation")
 ifneq "$(COMPILER_TYPE)" ""
  #$(info gcc is being used)
-  CFLAGS_OPT += -Wno-error=format-truncation -Wno-format-truncation
+  override CFLAGS_OPT += -Wno-format-truncation
 endif

 ifeq "$(SYS)" "SunOS"
-  LDFLAGS = -lkstat -lrt -lsocket -lnsl
+  override LDFLAGS = -lkstat -lrt -lsocket -lnsl
 endif

 ifdef STATIC
@ -125,8 +140,8 @@ ifdef STATIC
  PYFLAGS=
  PYTHON_INCLUDE = /

-  CFLAGS_OPT += -static
-  LDFLAGS += -lm -lpthread -lz -lutil
+  override CFLAGS_OPT += -static
+  override LDFLAGS += -lm -lpthread -lz -lutil
 endif

 ifdef PROFILING
@ -276,7 +291,7 @@ ifneq "$(findstring OpenBSD, $(SYS))" ""
  override LDFLAGS += -lpthread -lm
 endif

-COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h
+COMM_HDR    = include/alloc-inl.h include/config.h include/debug.h include/types.h include/afl-fuzz.h include/hash.h include/sharedmem.h include/forkserver.h include/common.h include/list.h

 ifeq "$(shell echo '$(HASH)include <Python.h>@int main() {return 0; }' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test $(PYTHON_INCLUDE) $(LDFLAGS) $(PYTHON_LIB) 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
 	PYTHON_OK=1
@ -300,8 +315,8 @@ ifeq "$(shell command -v svn >/dev/null && svn proplist . 2>/dev/null && echo 1
 endif

 ifeq "$(shell echo 'int main() { return 0;}' | $(CC) $(CFLAGS) -fsanitize=address -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
-	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -DASAN_BUILD
-	ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer
+	ASAN_CFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -DASAN_BUILD -fno-lto
+	ASAN_LDFLAGS=-fsanitize=address -fstack-protector-all -fno-omit-frame-pointer -fno-lto
 endif

 ifeq "$(shell echo '$(HASH)include <sys/ipc.h>@$(HASH)include <sys/shm.h>@int main() { int _id = shmget(IPC_PRIVATE, 65536, IPC_CREAT | IPC_EXCL | 0600); shmctl(_id, IPC_RMID, 0); return 0;}' | tr @ '\n' | $(CC) $(CFLAGS) -x c - -o .test2 2>/dev/null && echo 1 || echo 0 ; rm -f .test2 )" "1"
@ -319,10 +334,12 @@ ifdef TEST_MMAP
 endif

 .PHONY: all
-all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
+all:	test_x86 test_shm test_python ready $(PROGS) llvm gcc_plugin test_build all_done
 	-$(MAKE) -C utils/aflpp_driver
 	@echo
 	@echo
+	@echo
+	@echo
 	@echo Build Summary:
 	@test -e afl-fuzz && echo "[+] afl-fuzz and supporting tools successfully built" || echo "[-] afl-fuzz could not be built, please set CC to a working compiler"
 	@test -e afl-llvm-pass.so && echo "[+] LLVM basic mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-11 and clang-11 or newer, see docs/INSTALL.md"
@ -331,6 +348,7 @@ all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_bu
 ifneq "$(SYS)" "Darwin"
 	@test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
 endif
+	@test -e afl-cc || echo "[-] AFL++ instrumentation compilers could not be built! Install llvm-VERSION-dev or gcc-VERSION-plugin-dev, see docs/INSTALL.md!"
 	@echo

 .PHONY: llvm
@ -389,6 +407,7 @@ help:
 	@echo
 	@echo Known build environment options:
 	@echo "=========================================="
+	@echo "PERFORMANCE - compile with performance options that make the binary not transferable to other systems. Recommended!"
 	@echo STATIC - compile AFL++ static
 	@echo "CODE_COVERAGE - compile the target for code coverage (see docs/instrumentation/README.llvm.md)"
 	@echo ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes
@ -398,7 +417,6 @@ help:
 	@echo PROFILING - compile afl-fuzz with profiling information
 	@echo INTROSPECTION - compile afl-fuzz with mutation introspection
 	@echo NO_PYTHON - disable python support
-	@echo NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 	@echo "NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)"
 	@echo NO_NYX - disable building nyx mode dependencies
 	@echo "NO_CORESIGHT - disable building coresight (arm64 only)"
@ -434,6 +452,14 @@ test_shm:
 	@echo "[-] shmat seems not to be working, switching to mmap implementation"
 endif

+ifeq "$(shell echo '$(HASH)include <zlib.h>@int main() {return 0; }' | tr @ '\n' | $(CC) $(CFLAGS) -Werror -x c - -lz -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+  override SPECIAL_PERFORMANCE += -DHAVE_ZLIB
+  override LDFLAGS += -lz
+  $(info [+] ZLIB detected)
+else
+  $(info [!] Warning: no ZLIB detected)
+endif
+
 .PHONY: test_python
 ifeq "$(PYTHON_OK)" "1"
 test_python:
@ -448,36 +474,47 @@ endif
 ready:
 	@echo "[+] Everything seems to be working, ready to compile. ($(shell $(CC) --version 2>&1|head -n 1))"

-afl-as: src/afl-as.c include/afl-as.h $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) src/$@.c -o $@ $(LDFLAGS)
-	@ln -sf afl-as as
+src/afl-performance.o: $(COMM_HDR) src/afl-performance.c
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(CFLAGS_OPT) $(SPECIAL_PERFORMANCE) -Iinclude -c src/afl-performance.c -o src/afl-performance.o

-src/afl-performance.o : $(COMM_HDR) src/afl-performance.c include/hash.h
-	$(CC) $(CFLAGS) $(CFLAGS_OPT) -Iinclude -c src/afl-performance.c -o src/afl-performance.o
+src/afl-common.o: $(COMM_HDR) src/afl-common.c include/envs.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-common.c -o src/afl-common.o

-src/afl-common.o : $(COMM_HDR) src/afl-common.c include/common.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-common.c -o src/afl-common.o
+src/afl-forkserver.o: $(COMM_HDR) src/afl-forkserver.c 
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-forkserver.c -o src/afl-forkserver.o

-src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-forkserver.c -o src/afl-forkserver.o
+src/afl-sharedmem.o: $(COMM_HDR) src/afl-sharedmem.c include/android-ashmem.h include/cmplog.h
+	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-sharedmem.c -o src/afl-sharedmem.o

-src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
-	$(CC) $(CFLAGS) $(CFLAGS_FLTO) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o include/cmplog.h include/envs.h | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

-afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+afl-showmap: src/afl-showmap.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

-afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)
-
-afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(LDFLAGS)
+afl-tmin: src/afl-tmin.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/afl-fuzz-python.o src/afl-fuzz-mutators.o $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/afl-fuzz-python.o src/afl-fuzz-mutators.o -o $@ $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 afl-analyze: src/afl-analyze.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o src/afl-sharedmem.o src/afl-performance.o src/afl-forkserver.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 afl-gotcpu: src/afl-gotcpu.c src/afl-common.o $(COMM_HDR) | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-common.o -o $@ $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 .PHONY: document
 document:	afl-fuzz-document
@ -485,6 +522,9 @@ document:	afl-fuzz-document
 # document all mutations and only do one run (use with only one input file!)
 afl-fuzz-document: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-performance.o | test_x86
 	$(CC) -D_DEBUG=\"1\" -D_AFL_DOCUMENT_MUTATIONS $(CFLAGS) $(CFLAGS_FLTO) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.c src/afl-performance.o -o afl-fuzz-document $(PYFLAGS) $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_maybe_alloc.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_maybe_alloc.c -o test/unittests/unit_maybe_alloc.o
@ -492,20 +532,29 @@ test/unittests/unit_maybe_alloc.o : $(COMM_HDR) include/alloc-inl.h test/unittes
 unit_maybe_alloc: test/unittests/unit_maybe_alloc.o
 	@$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_maybe_alloc.o -o test/unittests/unit_maybe_alloc $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_maybe_alloc
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 test/unittests/unit_hash.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_hash.c $(AFL_FUZZ_FILES) src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_hash.c -o test/unittests/unit_hash.o

 unit_hash: test/unittests/unit_hash.o src/afl-performance.o
-	@$(CC) $(CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_hash $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_hash
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 test/unittests/unit_rand.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_rand.c $(AFL_FUZZ_FILES) src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -c test/unittests/unit_rand.c -o test/unittests/unit_rand.o

 unit_rand: test/unittests/unit_rand.o src/afl-common.o src/afl-performance.o
-	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
+	@$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(ASAN_CFLAGS) $(SPECIAL_PERFORMANCE) -Wl,--wrap=exit -Wl,--wrap=printf $^ -o test/unittests/unit_rand  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_rand
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_list.c -o test/unittests/unit_list.o
@ -513,6 +562,9 @@ test/unittests/unit_list.o : $(COMM_HDR) include/list.h test/unittests/unit_list
 unit_list: test/unittests/unit_list.o
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_list.o -o test/unittests/unit_list  $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_list
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unittests/unit_preallocable.c $(AFL_FUZZ_FILES)
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -c test/unittests/unit_preallocable.c -o test/unittests/unit_preallocable.o
@ -520,6 +572,9 @@ test/unittests/unit_preallocable.o : $(COMM_HDR) include/alloc-inl.h test/unitte
 unit_preallocable: test/unittests/unit_preallocable.o
 	@$(CC) $(CFLAGS) $(ASAN_CFLAGS) -Wl,--wrap=exit -Wl,--wrap=printf test/unittests/unit_preallocable.o -o test/unittests/unit_preallocable $(LDFLAGS) $(ASAN_LDFLAGS) -lcmocka
 	./test/unittests/unit_preallocable
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 .PHONY: unit_clean
 unit_clean:
@ -559,27 +614,27 @@ code-format:

 .PHONY: test_build
 ifndef AFL_NO_X86
-test_build: afl-cc afl-gcc afl-as afl-showmap
+test_build: afl-cc afl-showmap
 	@echo "[*] Testing the CC wrapper afl-cc and its instrumentation output..."
-	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c $(LDFLAGS) -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
+	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN AFL_LLVM_ALLOWLIST AFL_LLVM_DENYLIST; ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-cc test-instr.c $(LDFLAGS) -o test-instr 2>&1 || (echo "Oops, afl-cc failed"; exit 1 )
 	-ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -q -m none -o .test-instr0 ./test-instr < /dev/null
 	-echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
 	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-cc does not seem to be behaving correctly!"; echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue."; echo; exit 1; fi
 	@echo
 	@echo "[+] All right, the instrumentation of afl-cc seems to be working!"
-#	@echo "[*] Testing the CC wrapper afl-gcc and its instrumentation output..."
-#	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-gcc failed"; exit 1 )
+#	@echo "[*] Testing the CC wrapper and its instrumentation output..."
+#	@unset AFL_MAP_SIZE AFL_USE_UBSAN AFL_USE_CFISAN AFL_USE_LSAN AFL_USE_ASAN AFL_USE_MSAN; AFL_CC=$(CC) ASAN_OPTIONS=detect_leaks=0 AFL_INST_RATIO=100 AFL_PATH=. ./afl-clang-fast test-instr.c -o test-instr 2>&1 || (echo "Oops, afl-clang-fast failed"; exit 1 )
 #	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 #	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 #	@rm -f test-instr
-#	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-gcc does not seem to be behaving correctly!"; \
+#	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation of afl-clang-fast does not seem to be behaving correctly!"; \
 #		gcc -v 2>&1 | grep -q -- --with-as= && ( echo; echo "Gcc is configured not to use an external assembler with the -B option." ) || \
 #		( echo; echo "Please post to https://github.com/AFLplusplus/AFLplusplus/issues to troubleshoot the issue." ); echo; exit 0; fi
 #	@echo
-#	@echo "[+] All right, the instrumentation of afl-gcc seems to be working!"
+#	@echo "[+] All right, the instrumentation of afl-clang-fast seems to be working!"
 else
-test_build: afl-cc afl-as afl-showmap
+test_build: afl-cc afl-showmap
 	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
 endif

@ -589,7 +644,8 @@ all_done: test_build
 	@test -e cmplog-instructions-pass.so && echo "[+] LLVM mode for 'afl-cc' successfully built!" || echo "[-] LLVM mode for 'afl-cc'  failed to build, likely you either don't have llvm installed, or you need to set LLVM_CONFIG, to point to e.g. llvm-config-11. See instrumentation/README.llvm.md how to do this. Highly recommended!"
 	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode for 'afl-cc' successfully built!" || echo "[-] LLVM LTO mode for 'afl-cc'  failed to build, this would need LLVM 11+, see instrumentation/README.lto.md how to build it"
 	@test -e afl-gcc-pass.so && echo "[+] gcc_plugin for 'afl-cc' successfully built!" || echo "[-] gcc_plugin for 'afl-cc'  failed to build, unless you really need it that is fine - or read instrumentation/README.gcc_plugin.md how to build it"
-	@echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
+	@test -e afl-cc && echo "[+] All done! Be sure to review the README.md - it's pretty short and useful."
+	@test -e afl-cc || echo "[-] ERROR  - neither afl-clang-fast or afl-gcc-fast could be compiled - YOU ARE MISSING PACKAGES! Read docs/INSTALL.md!"
 	@if [ "$(SYS)" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD for fuzzing software not\nspecifically for MacOS.\n\n"; fi
 	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.md for advice.\033[0m\n" 2>/dev/null

@ -597,7 +653,7 @@ all_done: test_build

 .PHONY: clean
 clean:
-	rm -rf $(PROGS) afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-cs-proxy afl-qemu-trace afl-gcc-fast afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand *.dSYM lib*.a
+	rm -rf $(PROGS) afl-fuzz-document as afl-as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-cs-proxy afl-qemu-trace afl-gcc-fast afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand *.dSYM lib*.a
 	-$(MAKE) -f GNUmakefile.llvm clean
 	-$(MAKE) -f GNUmakefile.gcc_plugin clean
 	-$(MAKE) -C utils/libdislocator clean
@ -630,6 +686,7 @@ deepclean:	clean
 	rm -rf unicorn_mode/unicornafl
 	rm -rf qemu_mode/qemuafl
 	rm -rf nyx_mode/libnyx nyx_mode/packer nyx_mode/QEMU-Nyx
+	rm -rf .format-cache
 ifeq "$(IN_REPO)" "1"
 	git checkout coresight_mode/coresight-trace
 	git checkout unicorn_mode/unicornafl
@ -752,7 +809,7 @@ endif
 	@test -e SanitizerCoveragePCGUARD.so && echo "[+] LLVM mode successfully built" || echo "[-] LLVM mode could not be built, please install at least llvm-13 and clang-13 or newer, see docs/INSTALL.md"
 	@test -e SanitizerCoverageLTO.so && echo "[+] LLVM LTO mode successfully built" || echo "[-] LLVM LTO mode could not be built, it is optional, if you want it, please install LLVM 11-14. More information at instrumentation/README.lto.md on how to build it"
 ifneq "$(SYS)" "Darwin"
-	test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
+	@test -e afl-gcc-pass.so && echo "[+] gcc_mode successfully built" || echo "[-] gcc_mode could not be built, it is optional, install gcc-VERSION-plugin-dev to enable this"
 endif
 ifeq "$(SYS)" "Linux"
 ifndef NO_NYX
@ -810,10 +867,10 @@ endif
 	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-g++
 	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang
 	ln -sf afl-cc $${DESTDIR}$(BIN_PATH)/afl-clang++
+	@mkdir -m 755 -p $${DESTDIR}$(INCLUDE_PATH)
+	install -m 644 $(HEADERS) $${DESTDIR}$(INCLUDE_PATH)
 	@mkdir -m 0755 -p ${DESTDIR}$(MAN_PATH)
 	install -m0644 *.8 ${DESTDIR}$(MAN_PATH)
-	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
-	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
 	install -m 644 docs/*.md $${DESTDIR}$(DOC_PATH)
 	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
 	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
@ -821,12 +878,14 @@ endif

 .PHONY: uninstall
 uninstall:
-	-cd $${DESTDIR}$(BIN_PATH) && rm -f $(PROGS) $(SH_PROGS) afl-cs-proxy afl-qemu-trace afl-plot-ui afl-fuzz-document afl-network-client afl-network-server afl-g* afl-plot.sh afl-as afl-ld-lto afl-c* afl-lto*
+	-cd $${DESTDIR}$(BIN_PATH) && rm -f $(PROGS) $(SH_PROGS) afl-cs-proxy afl-qemu-trace afl-plot-ui afl-fuzz-document afl-network-client afl-network-server afl-g* afl-plot.sh afl-ld-lto afl-c* afl-lto*
+	-cd $${DESTDIR}$(INCLUDE_PATH) && rm -f $(HEADERS:include/%=%)
 	-cd $${DESTDIR}$(HELPER_PATH) && rm -f afl-g*.*o afl-llvm-*.*o afl-compiler-*.*o libdislocator.so libtokencap.so libcompcov.so libqasan.so afl-frida-trace.so libnyx.so socketfuzz*.so argvfuzz*.so libAFLDriver.a libAFLQemuDriver.a as afl-as SanitizerCoverage*.so compare-transform-pass.so cmplog-*-pass.so split-*-pass.so dynamic_list.txt injections.dic
 	-rm -rf $${DESTDIR}$(MISC_PATH)/testcases $${DESTDIR}$(MISC_PATH)/dictionaries
 	-sh -c "ls docs/*.md | sed 's|^docs/|$${DESTDIR}$(DOC_PATH)/|' | xargs rm -f"
 	-cd $${DESTDIR}$(MAN_PATH) && rm -f $(MANPAGES)
 	-rmdir $${DESTDIR}$(BIN_PATH) 2>/dev/null
+	-rmdir $${DESTDIR}$(INCLUDE_PATH) 2>/dev/null
 	-rmdir $${DESTDIR}$(HELPER_PATH) 2>/dev/null
 	-rmdir $${DESTDIR}$(MISC_PATH) 2>/dev/null
 	-rmdir $${DESTDIR}$(DOC_PATH) 2>/dev/null
--- a/GNUmakefile.gcc_plugin
+++ b/GNUmakefile.gcc_plugin
@ -148,7 +148,7 @@ afl-common.o: ./src/afl-common.c
 $(PASSES): instrumentation/afl-gcc-common.h

 ./afl-gcc-pass.so: instrumentation/afl-gcc-pass.so.cc | test_deps
-	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@
+	$(CXX) $(CXXEFLAGS) $(PLUGIN_FLAGS) -shared $< -o $@ $(LDFLAGS)
 	ln -sf afl-cc afl-gcc-fast
 	ln -sf afl-cc afl-g++-fast
 	ln -sf afl-cc.8 afl-gcc-fast.8
@ -163,7 +163,7 @@ $(PASSES): instrumentation/afl-gcc-common.h
 .PHONY: test_build
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ./afl-gcc-fast $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+	unset AFL_USE_ASAN AFL_USE_MSAN AFL_LLVM_ALLOWLIST AFL_LLVM_DENYLIST; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=$(CC) ./afl-gcc-fast $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
 	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr </dev/null
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
--- a/GNUmakefile.llvm
+++ b/GNUmakefile.llvm
@ -28,10 +28,13 @@ MAN_PATH    ?= $(PREFIX)/share/man/man8

 BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")

-VERSION     = $(shell grep '^$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)
+VERSION     = $(shell grep '^ *$(HASH)define VERSION ' ./config.h | cut -d '"' -f2)

 SYS = $(shell uname -s)

+override LLVM_TOO_NEW_DEFAULT := 21
+override LLVM_TOO_OLD_DEFAULT := 14
+
 ifeq "$(SYS)" "OpenBSD"
  LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
  HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
@ -39,31 +42,43 @@ ifeq "$(SYS)" "OpenBSD"
    $(warning llvm_mode needs a complete llvm installation (versions 6.0 up to 13) -> e.g. "pkg_add llvm-7.0.1p9")
  endif
 else
-  LLVM_CONFIG ?= llvm-config
+  # Small function to use Bash to detect the latest available clang and clang++ binaries, if using them by that name fails
+  override _CLANG_VERSIONS_TO_TEST := $(patsubst %,-%,$(shell seq $(LLVM_TOO_NEW_DEFAULT) -1 $(LLVM_TOO_OLD_DEFAULT)))
+  detect_newest=$(shell for v in "" $(_CLANG_VERSIONS_TO_TEST); do test -n "$$(command -v -- $1$$v)" && { echo "$1$$v"; break; }; done)
+  LLVM_CONFIG ?= $(call detect_newest,llvm-config)
 endif

-LLVMVER  = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/git//' | sed 's/svn//' )
-LLVM_MAJOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/\..*//' )
-LLVM_MINOR = $(shell $(LLVM_CONFIG) --version 2>/dev/null | sed 's/.*\.//' | sed 's/git//' | sed 's/svn//' | sed 's/ .*//' )
-LLVM_UNSUPPORTED = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[0-2]\.|^3.[0-8]\.' && echo 1 || echo 0 )
-LLVM_TOO_NEW = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[8-9]|^2[0-9]' && echo 1 || echo 0 )
-LLVM_TOO_OLD = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^[1-9]\.|^1[012]\.' && echo 1 || echo 0 )
-LLVM_NEW_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[0-9]' && echo 1 || echo 0 )
-LLVM_NEWER_API = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[6-9]' && echo 1 || echo 0 )
-LLVM_13_OK = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[3-9]' && echo 1 || echo 0 )
-LLVM_HAVE_LTO = $(shell $(LLVM_CONFIG) --version 2>/dev/null | grep -E -q '^1[2-9]' && echo 1 || echo 0 )
-LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
-LLVM_LIBDIR = $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
-LLVM_STDCXX = gnu++11
-LLVM_APPLE_XCODE = $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
-LLVM_LTO   = 0
+ifneq "$(LLVM_CONFIG)" ""
+  override LLVM_RAW_VER        := $(shell $(LLVM_CONFIG) --version 2>/dev/null)
+  LLVMVER                      := $(subst svn,,$(subst git,,$(LLVM_RAW_VER)))
+
+  LLVM_BINDIR                  := $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+  LLVM_LIBDIR                  := $(shell $(LLVM_CONFIG) --libdir 2>/dev/null)
+endif
+
+ifneq "$(LLVMVER)" ""
+  LLVM_MAJOR                   := $(firstword $(subst ., ,$(LLVMVER)))
+  LLVM_MINOR                   := $(firstword $(subst ., ,$(subst $(LLVM_MAJOR).,,$(LLVMVER))))
+  LLVM_TOO_NEW                 := $(shell test $(LLVM_MAJOR) -gt $(LLVM_TOO_NEW_DEFAULT) && echo 1 || echo 0)
+  LLVM_TOO_OLD                 := $(shell test $(LLVM_MAJOR) -lt $(LLVM_TOO_OLD_DEFAULT) && echo 1 || echo 0)
+  LLVM_NEW_API                 := $(shell test $(LLVM_MAJOR) -ge 10 && echo 1 || echo 0)
+  LLVM_NEWER_API               := $(shell test $(LLVM_MAJOR) -ge 16 && echo 1 || echo 0)
+  LLVM_13_OK                   := $(shell test $(LLVM_MAJOR) -ge 13 && echo 1 || echo 0)
+  LLVM_HAVE_LTO                := $(shell test $(LLVM_MAJOR) -ge 12 && echo 1 || echo 0)
+endif
+
+LLVM_STDCXX                  := gnu++11
+LLVM_LTO                     := 0
+LLVM_UNSUPPORTED             := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-7]\.|^2[2-9]\.' && echo 1 || echo 0)
+# Uncomment to see the values assigned above
+# $(foreach var,_CLANG_VERSIONS_TO_TEST LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var))))

 ifeq "$(LLVMVER)" ""
  $(warning [!] llvm_mode needs llvm-config, which was not found. Set LLVM_CONFIG to its path and retry.)
 endif

 ifeq "$(LLVM_UNSUPPORTED)" "1"
-  $(error llvm_mode only supports llvm from version 3.8 onwards)
+  $(error llvm_mode only supports llvm from version 3.8 onwards - or your version is too new. Upgrade AFL++ if possible or downgrade LLVM.)
 endif

 ifeq "$(LLVM_TOO_NEW)" "1"
@ -103,10 +118,6 @@ ifeq "$(LLVM_LTO)" "0"
  $(info [+] llvm_mode detected llvm < 12, afl-lto LTO will not be build.)
 endif

-ifeq "$(LLVM_APPLE_XCODE)" "1"
-  $(warning llvm_mode will not compile with Xcode clang...)
-endif
-
 # We were using llvm-config --bindir to get the location of clang, but
 # this seems to be busted on some distros, so using the one in $PATH is
 # probably better.
@ -114,6 +125,11 @@ endif
 CC         = $(LLVM_BINDIR)/clang
 CXX        = $(LLVM_BINDIR)/clang++

+LLVM_APPLE_XCODE             := $(shell $(CC) -v 2>&1 | grep -q Apple && echo 1 || echo 0)
+ifeq "$(LLVM_APPLE_XCODE)" "1"
+  $(warning llvm_mode will not compile with Xcode clang...)
+endif
+
 # llvm-config --bindir may not providing a valid path, so ...
 ifeq "$(shell test -e $(CC) || echo 1 )" "1"
  # however we must ensure that this is not a "CC=gcc make"
@ -147,7 +163,7 @@ endif

 # sanity check.
 # Are versions of clang --version and llvm-config --version equal?
-CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ (1?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')
+CLANGVER = $(shell $(CC) --version | sed -E -ne '/^.*version\ ([12]?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')

 # I disable this because it does not make sense with what we did before (marc)
 # We did exactly set these 26 lines above with these values, and it would break
@ -221,9 +237,10 @@ ifeq "$(LLVM_LTO)" "1"
    ifeq "$(AFL_REAL_LD)" ""
      ifneq "$(shell readlink $(LLVM_BINDIR)/ld.lld 2>&1)" ""
        AFL_REAL_LD = $(LLVM_BINDIR)/ld.lld
-      else ifneq "$(shell command -v ld.lld 2>/dev/null)" ""
+      else
+        ifneq "$(shell command -v ld.lld 2>/dev/null)" ""
          AFL_REAL_LD = $(shell command -v ld.lld)
-        TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | awk '{ print $$2 }')
+          TMP_LDLDD_VERSION = $(shell $(AFL_REAL_LD) --version | sed -E -ne '/^.*LLD\ ([12]?[0-9]\.[0-9]\.[0-9]).*/s//\1/p')
          ifeq "$(LLVMVER)" "$(TMP_LDLDD_VERSION)"
            $(warning ld.lld found in a weird location ($(AFL_REAL_LD)), but its the same version as LLVM so we will allow it)
          else
@ -231,12 +248,12 @@ ifeq "$(LLVM_LTO)" "1"
            AFL_REAL_LD=
            LLVM_LTO = 0
          endif
-        undefine TMP_LDLDD_VERSION
        else
          $(warning ld.lld not found, cannot enable LTO mode)
          LLVM_LTO = 0
        endif
      endif
+    endif
  else
    $(warning clang option -flto is not working - maybe LLVMgold.so not found - cannot enable LTO mode)
    LLVM_LTO = 0
@ -245,7 +262,7 @@ endif

 AFL_CLANG_FUSELD=
 ifeq "$(LLVM_LTO)" "1"
-  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=`command -v ld` -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
+  ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=$$(command -v ld) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
    AFL_CLANG_FUSELD=1
    ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fuse-ld=ld.lld --ld-path=$(AFL_REAL_LD) -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
      AFL_CLANG_LDPATH=1
@ -256,11 +273,7 @@ ifeq "$(LLVM_LTO)" "1"
  endif
 endif

-ifeq "$(shell echo 'int main() {return 0; }' | $(CLANG_BIN) -x c - -fdebug-prefix-map=$(CURDIR)=llvm_mode -o .test 2>/dev/null && echo 1 || echo 0 ; rm -f .test )" "1"
-        AFL_CLANG_DEBUG_PREFIX = -fdebug-prefix-map="$(CURDIR)=llvm_mode"
-else
-        AFL_CLANG_DEBUG_PREFIX =
-endif
+IS_IOS          := $(findstring ios, $(shell $(CC) --version 2>/dev/null))

 CFLAGS          ?= -O3 -funroll-loops -fPIC
 # -D_FORTIFY_SOURCE=1
@ -272,11 +285,15 @@ CFLAGS_SAFE     := -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sig
                   -DAFL_CLANG_FLTO=\"$(AFL_CLANG_FLTO)\" -DAFL_REAL_LD=\"$(AFL_REAL_LD)\" \
                   -DAFL_CLANG_LDPATH=\"$(AFL_CLANG_LDPATH)\" -DAFL_CLANG_FUSELD=\"$(AFL_CLANG_FUSELD)\" \
                   -DCLANG_BIN=\"$(CLANG_BIN)\" -DCLANGPP_BIN=\"$(CLANGPP_BIN)\" -DUSE_BINDIR=$(USE_BINDIR) \
-                   -Wno-unused-function $(AFL_CLANG_DEBUG_PREFIX)
+                   -Wno-unused-function
 ifndef LLVM_DEBUG
  CFLAGS_SAFE += -Wno-deprecated
 endif

+ifdef IOS_SDK_PATH
+  override CFLAGS_SAFE += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifdef CODE_COVERAGE
  override CFLAGS_SAFE += -D__AFL_CODE_COVERAGE=1
  override LDFLAGS += -ldl
@ -294,14 +311,18 @@ override CXXFLAGS += -Wall -g -I ./include/ \
                     -DVERSION=\"$(VERSION)\" -Wno-variadic-macros -Wno-deprecated-copy-with-dtor \
                     -DLLVM_MINOR=$(LLVM_MINOR) -DLLVM_MAJOR=$(LLVM_MAJOR)

+ifdef IOS_SDK_PATH
+  override CXXFLAGS += -isysroot $(IOS_SDK_PATH)
+endif
+
 ifneq "$(shell $(LLVM_CONFIG) --includedir) 2> /dev/null" ""
  CLANG_CFL  = -I$(shell $(LLVM_CONFIG) --includedir)
 endif
 ifneq "$(LLVM_CONFIG)" ""
  CLANG_CFL += -I$(shell dirname $(LLVM_CONFIG))/../include
 endif
-CLANG_CPPFL  = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations
-CLANG_LFL    = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
+CLANG_CPPFL  = $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fno-exceptions -fPIC $(CXXFLAGS) $(CPPFLAGS) -Wno-deprecated-declarations
+CLANG_LFL    = $$($(LLVM_CONFIG) --ldflags) $(LDFLAGS)

 # wasm fuzzing: disable thread-local storage and unset LLVM debug flag
 ifdef WAFL_MODE
@ -311,7 +332,7 @@ endif

 # User teor2345 reports that this is required to make things work on MacOS X.
 ifeq "$(SYS)" "Darwin"
-  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
+  CLANG_LFL += -Wl,-undefined,dynamic_lookup
  override LLVM_HAVE_LTO := 0
  override LLVM_LTO := 0
 else
@ -319,7 +340,7 @@ else
 endif

 ifeq "$(SYS)" "OpenBSD"
-  CLANG_LFL += `$(LLVM_CONFIG) --libdir`/libLLVM.so
+  CLANG_LFL += $(LLVM_LIBDIR)/libLLVM.so
  CLANG_CPPFL += -mno-retpoline
  CFLAGS += -mno-retpoline
  # Needed for unwind symbols
@ -415,29 +436,44 @@ ifeq "$(LLVM_LTO)" "1"
 	@ln -sf afl-cc ./afl-lto++
 endif
 endif
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 instrumentation/afl-llvm-common.o: instrumentation/afl-llvm-common.cc instrumentation/afl-llvm-common.h
-	$(CXX) $(CFLAGS) $(CPPFLAGS) `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@ 
+	$(CXX) $(CFLAGS) $(CPPFLAGS) $$($(LLVM_CONFIG) --cxxflags) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -c $< -o $@

 ./afl-llvm-pass.so: instrumentation/afl-llvm-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_MIN_4_0_1)" "0"
 	$(info [!] N-gram branch coverage instrumentation is not available for llvm version $(LLVMVER))
 endif
 	$(CXX) $(CLANG_CPPFL) -Wdeprecated -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 ./SanitizerCoveragePCGUARD.so: instrumentation/SanitizerCoveragePCGUARD.so.cc instrumentation/afl-llvm-common.o | test_deps
 ifeq "$(LLVM_13_OK)" "1"
 	-$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) -Wno-deprecated-copy-dtor -Wdeprecated instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif

 ./afl-llvm-lto-instrumentlist.so: instrumentation/afl-llvm-lto-instrumentlist.so.cc instrumentation/afl-llvm-common.o
 ifeq "$(LLVM_LTO)" "1"
 	$(CXX) $(CLANG_CPPFL) -fno-rtti -fPIC -std=$(LLVM_STDCXX) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif

 ./afl-ld-lto: src/afl-ld-lto.c
 ifeq "$(LLVM_LTO)" "1"
-	$(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@
+	$(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif

 ./SanitizerCoverageLTO.so: instrumentation/SanitizerCoverageLTO.so.cc instrumentation/afl-llvm-common.o
@ -446,31 +482,58 @@ ifeq "$(LLVM_LTO)" "1"
 	$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto.o
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m64 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-64.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
 	@$(CLANG_BIN) $(CFLAGS_SAFE) $(CPPFLAGS) -Wno-unused-result -O0 $(AFL_CLANG_FLTO) -m32 -fPIC -c instrumentation/afl-llvm-rt-lto.o.c -o ./afl-llvm-rt-lto-32.o 2>/dev/null; if [ "$$?" = "0" ]; then : ; fi
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 endif

 # laf
 ./split-switches-pass.so:	instrumentation/split-switches-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./compare-transform-pass.so:	instrumentation/compare-transform-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 ./split-compares-pass.so:	instrumentation/split-compares-pass.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 # /laf

 ./cmplog-routines-pass.so:	instrumentation/cmplog-routines-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 ./cmplog-instructions-pass.so:	instrumentation/cmplog-instructions-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 ./cmplog-switches-pass.so:	instrumentation/cmplog-switches-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 afl-llvm-dict2file.so:	instrumentation/afl-llvm-dict2file.so.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 ./injection-pass.so:	instrumentation/injection-pass.cc instrumentation/afl-llvm-common.o | test_deps
 	$(CXX) $(CLANG_CPPFL) -shared $< -o $@ $(CLANG_LFL) instrumentation/afl-llvm-common.o
+ifdef IS_IOS
+	@ldid -Sentitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 .PHONY: document
 document:
@ -492,7 +555,10 @@ document:
 .PHONY: test_build
 test_build: $(PROGS)
 	@echo "[*] Testing the CC wrapper and instrumentation output..."
-	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO AFL_LLVM_ALLOWLIST AFL_LLVM_DENYLIST; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc $(CFLAGS) $(CPPFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
+ifdef IS_IOS
+	@ldid -Sentitlements.plist test-instr && echo "[+] Signed test-instr" || echo "[-] Failed to sign test-instr"
+endif
 	ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
 	echo 1 | ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr1 ./test-instr
 	@rm -f test-instr
--- a/README.md
+++ b/README.md
@ -1,10 +1,10 @@
 # American Fuzzy Lop plus plus (AFL++)

-<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" heigh="250">
+<img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/aflpp_bg.svg" alt="AFL++ logo" width="250" height="250">

-Release version: [4.10c](https://github.com/AFLplusplus/AFLplusplus/releases)
+Release version: [4.32c](https://github.com/AFLplusplus/AFLplusplus/releases)

-GitHub version: 4.10c
+GitHub version: 4.33a

 Repository:
 [https://github.com/AFLplusplus/AFLplusplus](https://github.com/AFLplusplus/AFLplusplus)
@ -16,7 +16,6 @@ AFL++ is maintained by:
 * Andrea Fioraldi <andreafioraldi@gmail.com>
 * Heiko "hexcoder-" Eissfeldt <heiko.eissfeldt@hexco.de>
 * frida_mode is maintained by @Worksbutnottested
-* Documentation: Jana Aydinbas <jana.aydinbas@gmail.com>

 Originally developed by Michal "lcamtuf" Zalewski.

@ -230,6 +229,8 @@ Thank you! (For people sending pull requests - please add yourself to this list
    Ruben ten Hove                        Joey Jiao
    fuzzah                                @intrigus-lgtm
    Yaakov Saxon                          Sergej Schumilo
+    Ziqiao Kong                           Ryan Berger
+    Sangjun Park                          Scott Guest
  ```

 </details>
@ -258,3 +259,5 @@ presented at WOOT'20:
  ```

 </details>
+
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/AFLplusplus/AFLplusplus)
--- a/TODO.md
+++ b/TODO.md
@ -2,22 +2,24 @@

 ## Must

- - UI revamp
+ - afl_fsrv_deinit cmplog
+ - ijon support?
+ - check for null ptr for xml/curl/g_ string transform functions
 - hardened_usercopy=0 page_alloc.shuffle=0
 - add value_profile but only enable after 15 minutes without finds
- - cmplog max len, cmplog max items envs?
+ - cmplog max items env?
 - adapt MOpt to new mutation engine
   - Update afl->pending_not_fuzzed for MOpt
 - cmplog rtn sanity check on fixed length? currently we ignore the length
 - afl-showmap -f support
 - afl-fuzz multicore wrapper script
 - when trimming then perform crash detection
- - problem: either -L0 and/or -p mmopt results in zero new coverage


 ## Should

 - afl-crash-analysis
+ - cmplog: add loop count resolving (byte -> loop cnt change, calc special values)
 - support persistent and deferred fork server in afl-showmap?
 - better autodetection of shifting runtime timeout values
 - afl-plot to support multiple plot_data
--- a/21
+++ b/21
@ -1,19 +1,26 @@
 #!/usr/bin/env sh
+THISPATH=`dirname ${0}`
+
+# call afl-cmin.py if it can be executed successfully.
+if $THISPATH/afl-cmin.py --help > /dev/null 2>&1; then
+  exec $THISPATH/afl-cmin.py "$@"
+fi
+
 SYS=$(uname -s)
 test "$SYS" = "Darwin" && {
  echo Error: afl-cmin does not work on Apple currently. please use afl-cmin.bash instead.
  exit 1
 }
+
 export AFL_QUIET=1
 export ASAN_OPTIONS=detect_leaks=0
-THISPATH=`dirname ${0}`
 export PATH="${THISPATH}:$PATH"
 awk -f - -- ${@+"$@"} <<'EOF'
 #!/usr/bin/awk -f
 # awk script to minimize a test corpus of input files
 #
 # based on afl-cmin bash script written by Michal Zalewski
-# rewritten by Heiko Eißfeldt (hexcoder-)
+# rewritten by Heiko Eissfeldt (hexcoder-)
 # tested with:
 #   gnu awk (x86 Linux)
 #   bsd awk (x86 *BSD)
@ -108,7 +115,7 @@ function usage() {
 "\n" \
 "Execution control settings:\n" \
 "  -T tasks      - how many parallel tasks to run (default: 1, all=nproc)\n" \
-"  -f file       - location read by the fuzzed program (stdin)\n" \
+"  -f file       - location read by the fuzzed program (default: stdin)\n" \
 "  -m megs       - memory limit for child process ("mem_limit" MB)\n" \
 "  -t msec       - run time limit for child process (default: 5000)\n" \
 "  -O            - use binary-only instrumentation (FRIDA mode)\n" \
@ -331,7 +338,7 @@ BEGIN {
  }

  if (0 == system ( "grep -aq AFL_DUMP_MAP_SIZE " target_bin )) {
-    echo "[!] Trying to obtain the map size of the target ..."
+    print "[!] Trying to obtain the map size of the target ..."
    get_map_size = "AFL_DUMP_MAP_SIZE=1 " target_bin
    get_map_size | getline mapsize
    close(get_map_size)
@ -432,7 +439,7 @@ BEGIN {
  } else {
    stat_format = "-f '%z %N'" # *BSD, MacOS
  }
-  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o -type f -exec stat "stat_format" \\{\\} + | sort -k1n -k2r) | grep -Ev '^0'"
+  cmdline = "(cd "in_dir" && find . \\( ! -name \".*\" -a -type d \\) -o \\( -type f -a ! -name \"cmdline\" -a ! -name \"fastresume.bin\" -a ! -name \"fuzz_bitmap\" -a ! -name \"fuzzer_setup\" -a ! -name \"fuzzer_stats\" -a ! -name \"plot_data\" -a ! -name \"target_hash\" \\) -exec stat "stat_format" \\{\\} + | sort -k1n -k2r) | grep -Ev '^0'"
  #cmdline = "ls "in_dir" | (cd "in_dir" && xargs stat "stat_format" 2>/dev/null) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && stat "stat_format" *) | sort -k1n -k2r"
  #cmdline = "(cd "in_dir" && ls | xargs stat "stat_format" ) | sort -k1n -k2r"
@ -603,8 +610,8 @@ BEGIN {
    # create path for the trace file from afl-showmap
    tracefile_path = trace_dir"/"fn
    # ensure the file size is not zero
-    cmd = "du -b "tracefile_path
-    "ls -l "tracefile_path
+    cmd = "du -b \""tracefile_path"\""
+    # "ls -l \""tracefile_path"\""
    cmd | getline output
    close(cmd)
    split(output, result, "\t")
--- a/afl-cmin.bash
+++ b/afl-cmin.bash
@ -152,6 +152,7 @@ Minimization settings:
  -e            - solve for edge coverage only, ignore hit counts

 For additional tips, please consult README.md.
+This script cannot read filenames that end with a space ' '.

 Environment variables used:
 AFL_KEEP_TRACES: leave the temporary <out_dir>\.traces directory
--- a/afl-cmin.py
+++ b/afl-cmin.py
@ -0,0 +1,760 @@
+#!/usr/bin/env python3
+# Copyright 2016-2025 Google Inc.
+# Copyright 2025 AFLplusplus Project. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import argparse
+import array
+import base64
+import collections
+import glob
+import hashlib
+import itertools
+import logging
+import multiprocessing
+import os
+import shutil
+import subprocess
+import sys
+
+# https://more-itertools.readthedocs.io/en/stable/_modules/more_itertools/recipes.html#batched
+from sys import hexversion
+
+def _batched(iterable, n, *, strict=False):
+    """Batch data into tuples of length *n*. If the number of items in
+    *iterable* is not divisible by *n*:
+    * The last batch will be shorter if *strict* is ``False``.
+    * :exc:`ValueError` will be raised if *strict* is ``True``.
+
+    >>> list(batched('ABCDEFG', 3))
+    [('A', 'B', 'C'), ('D', 'E', 'F'), ('G',)]
+
+    On Python 3.13 and above, this is an alias for :func:`itertools.batched`.
+    """
+    if n < 1:
+        raise ValueError('n must be at least one')
+    iterator = iter(iterable)
+    while batch := tuple(itertools.islice(iterator, n)):
+        if strict and len(batch) != n:
+            raise ValueError('batched(): incomplete batch')
+        yield batch
+
+
+if hexversion >= 0x30D00A2:  # pragma: no cover
+    from itertools import batched as itertools_batched
+    def batched(iterable, n, *, strict=False):
+        return itertools_batched(iterable, n, strict=strict)
+else:
+    batched = _batched
+
+    batched.__doc__ = _batched.__doc__
+
+try:
+    from tqdm import tqdm
+except ImportError:
+    print('Hint: install python module "tqdm" to show progress bar')
+
+    class tqdm:
+
+        def __init__(self, data=None, *args, **argd):
+            self.data = data
+
+        def __iter__(self):
+            yield from self.data
+
+        def __enter__(self):
+            return self
+
+        def __exit__(self, exc_type, exc_value, traceback):
+            pass
+
+        def update(self, *args):
+            pass
+
+
+parser = argparse.ArgumentParser()
+
+cpu_count = multiprocessing.cpu_count()
+group = parser.add_argument_group("Required parameters")
+group.add_argument(
+    "-i",
+    dest="input",
+    action="append",
+    metavar="dir",
+    required=True,
+    help="input directory with the starting corpus",
+)
+group.add_argument(
+    "-o",
+    dest="output",
+    metavar="dir",
+    required=True,
+    help="output directory for minimized files",
+)
+
+group = parser.add_argument_group("Execution control settings")
+group.add_argument(
+    "-f",
+    dest="stdin_file",
+    metavar="file",
+    help="location read by the fuzzed program (stdin)",
+)
+group.add_argument(
+    "-m",
+    dest="memory_limit",
+    default="none",
+    metavar="megs",
+    type=lambda x: x if x == "none" else int(x),
+    help="memory limit for child process (default: %(default)s)",
+)
+group.add_argument(
+    "-t",
+    dest="time_limit",
+    default=5000,
+    metavar="msec",
+    type=lambda x: x if x == "none" else int(x),
+    help="timeout for each run (default: %(default)s)",
+)
+group.add_argument(
+    "-O",
+    dest="frida_mode",
+    action="store_true",
+    default=False,
+    help="use binary-only instrumentation (FRIDA mode)",
+)
+group.add_argument(
+    "-Q",
+    dest="qemu_mode",
+    action="store_true",
+    default=False,
+    help="use binary-only instrumentation (QEMU mode)",
+)
+group.add_argument(
+    "-U",
+    dest="unicorn_mode",
+    action="store_true",
+    default=False,
+    help="use unicorn-based instrumentation (Unicorn mode)",
+)
+group.add_argument(
+    "-X", dest="nyx_mode", action="store_true", default=False, help="use Nyx mode"
+)
+
+group = parser.add_argument_group("Minimization settings")
+group.add_argument(
+    "--crash-dir",
+    dest="crash_dir",
+    metavar="dir",
+    default=None,
+    help="move crashes to a separate dir, always deduplicated",
+)
+group.add_argument(
+    "-A",
+    dest="allow_any",
+    action="store_true",
+    help="allow crashes and timeouts (not recommended)",
+)
+group.add_argument(
+    "-C",
+    dest="crash_only",
+    action="store_true",
+    help="keep crashing inputs, reject everything else",
+)
+group.add_argument(
+    "-e",
+    dest="edge_mode",
+    action="store_true",
+    default=False,
+    help="solve for edge coverage only, ignore hit counts",
+)
+
+group = parser.add_argument_group("Misc")
+group.add_argument(
+    "-T",
+    dest="workers",
+    type=lambda x: cpu_count if x == "all" else int(x),
+    default=1,
+    help="number of concurrent worker (default: %(default)d)",
+)
+group.add_argument(
+    "--as_queue",
+    action="store_true",
+    help='output file name like "id:000000,hash:value"',
+)
+group.add_argument(
+    "--no-dedup", action="store_true", help="skip deduplication step for corpus files"
+)
+group.add_argument("--debug", action="store_true")
+
+parser.add_argument("exe", metavar="/path/to/target_app")
+parser.add_argument("args", nargs="*")
+
+args = parser.parse_args()
+logger = None
+afl_showmap_bin = None
+tuple_index_type_code = "I"
+file_index_type_code = None
+
+
+def init():
+    global logger
+    log_level = logging.DEBUG if args.debug else logging.INFO
+    logging.basicConfig(
+        level=log_level, format="%(asctime)s - %(levelname)s - %(message)s"
+    )
+    logger = logging.getLogger(__name__)
+
+    if args.stdin_file and args.workers > 1:
+        logger.error("-f is only supported with one worker (-T 1)")
+        sys.exit(1)
+
+    if args.memory_limit != "none" and args.memory_limit < 5:
+        logger.error("dangerously low memory limit")
+        sys.exit(1)
+
+    if args.time_limit != "none" and args.time_limit < 10:
+        logger.error("dangerously low timeout")
+        sys.exit(1)
+
+    if not os.path.isfile(args.exe):
+        logger.error('binary "%s" not found or not regular file', args.exe)
+        sys.exit(1)
+
+    if not os.environ.get("AFL_SKIP_BIN_CHECK") and not any(
+        [args.qemu_mode, args.frida_mode, args.unicorn_mode, args.nyx_mode]
+    ):
+        if b"__AFL_SHM_ID" not in open(args.exe, "rb").read():
+            logger.error("binary '%s' doesn't appear to be instrumented", args.exe)
+            sys.exit(1)
+
+    for dn in args.input:
+        if not os.path.isdir(dn) and not glob.glob(dn):
+            logger.error('directory "%s" not found', dn)
+            sys.exit(1)
+
+    global afl_showmap_bin
+    searches = [
+        None,
+        os.path.dirname(__file__),
+        os.getcwd(),
+    ]
+    if os.environ.get("AFL_PATH"):
+        searches.append(os.environ["AFL_PATH"])
+
+    for search in searches:
+        afl_showmap_bin = shutil.which("afl-showmap", path=search)
+        if afl_showmap_bin:
+            break
+    if not afl_showmap_bin:
+        logger.fatal("cannot find afl-showmap, please set AFL_PATH")
+        sys.exit(1)
+
+    trace_dir = os.path.join(args.output, ".traces")
+    shutil.rmtree(trace_dir, ignore_errors=True)
+    try:
+        os.rmdir(args.output)
+    except OSError:
+        pass
+    if os.path.exists(args.output):
+        logger.error(
+            'directory "%s" exists and is not empty - delete it first', args.output
+        )
+        sys.exit(1)
+    if args.crash_dir and not os.path.exists(args.crash_dir):
+        os.makedirs(args.crash_dir)
+    os.makedirs(trace_dir)
+
+    logger.info("use %d workers (-T)", args.workers)
+
+
+def detect_type_code(size):
+    for type_code in ["B", "H", "I", "L", "Q"]:
+        if 256 ** array.array(type_code).itemsize > size:
+            return type_code
+
+
+def afl_showmap(input_path=None, batch=None, afl_map_size=None, first=False):
+    assert input_path or batch
+    # yapf: disable
+    cmd = [
+        afl_showmap_bin,
+        '-m', str(args.memory_limit),
+        '-t', str(args.time_limit),
+        '-Z', # cmin mode
+    ]
+    # yapf: enable
+    found_atat = False
+    for arg in args.args:
+        if "@@" in arg:
+            found_atat = True
+
+    if args.stdin_file:
+        assert args.workers == 1
+        input_from_file = True
+        stdin_file = args.stdin_file
+        cmd += ["-H", stdin_file]
+    elif found_atat:
+        input_from_file = True
+        stdin_file = os.path.join(args.output, f".input.{os.getpid()}")
+        cmd += ["-H", stdin_file]
+    else:
+        input_from_file = False
+
+    if batch:
+        input_from_file = True
+        filelist = os.path.join(args.output, f".filelist.{os.getpid()}")
+        with open(filelist, "w") as f:
+            for _, path in batch:
+                f.write(path + "\n")
+        cmd += ["-I", filelist]
+        output_path = os.path.join(args.output, f".showmap.{os.getpid()}")
+        cmd += ["-o", output_path]
+    else:
+        if input_from_file:
+            shutil.copy(input_path, stdin_file)
+        cmd += ["-o", "-"]
+
+    if args.frida_mode:
+        cmd += ["-O"]
+    if args.qemu_mode:
+        cmd += ["-Q"]
+    if args.unicorn_mode:
+        cmd += ["-U"]
+    if args.nyx_mode:
+        cmd += ["-X"]
+    if args.edge_mode:
+        cmd += ["-e"]
+    cmd += ["--", args.exe] + args.args
+
+    env = os.environ.copy()
+    env["AFL_QUIET"] = "1"
+    env["ASAN_OPTIONS"] = "detect_leaks=0"
+    if first:
+        logger.debug("run command line: %s", subprocess.list2cmdline(cmd))
+        env["AFL_CMIN_ALLOW_ANY"] = "1"
+    if afl_map_size:
+        env["AFL_MAP_SIZE"] = str(afl_map_size)
+    if args.crash_only:
+        env["AFL_CMIN_CRASHES_ONLY"] = "1"
+    if args.allow_any:
+        env["AFL_CMIN_ALLOW_ANY"] = "1"
+
+    if input_from_file:
+        p = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=env, bufsize=1048576)
+    else:
+        p = subprocess.Popen(
+            cmd,
+            stdin=open(input_path, "rb"),
+            stdout=subprocess.PIPE,
+            env=env,
+            bufsize=1048576,
+        )
+    out = p.stdout.read()
+    p.wait()
+
+    if batch:
+        result = []
+        for idx, input_path in batch:
+            basename = os.path.basename(input_path)
+            values = []
+            try:
+                trace_file = os.path.join(output_path, basename)
+                with open(trace_file, "r") as f:
+                    values = list(map(int, f))
+                crashed = len(values) == 0
+                os.unlink(trace_file)
+            except FileNotFoundError:
+                a = None
+                crashed = True
+            values = [(t // 1000) * 9 + t % 1000 for t in values]
+            a = array.array(tuple_index_type_code, values)
+            result.append((idx, a, crashed))
+        os.unlink(filelist)
+        os.rmdir(output_path)
+        return result
+    else:
+        values = []
+        for line in out.split():
+            if not line.isdigit():
+                continue
+            values.append(int(line))
+        values = [(t // 1000) * 9 + t % 1000 for t in values]
+        a = array.array(tuple_index_type_code, values)
+        crashed = p.returncode in [2, 3]
+        if input_from_file and stdin_file != args.stdin_file:
+            os.unlink(stdin_file)
+        return a, crashed
+
+
+class JobDispatcher(multiprocessing.Process):
+
+    def __init__(self, job_queue, jobs):
+        super().__init__()
+        self.job_queue = job_queue
+        self.jobs = jobs
+
+    def run(self):
+        for job in self.jobs:
+            self.job_queue.put(job)
+        self.job_queue.close()
+
+
+class Worker(multiprocessing.Process):
+
+    def __init__(self, idx, afl_map_size, q_in, p_out, r_out):
+        super().__init__()
+        self.idx = idx
+        self.afl_map_size = afl_map_size
+        self.q_in = q_in
+        self.p_out = p_out
+        self.r_out = r_out
+
+    def run(self):
+        map_size = self.afl_map_size or 65536
+        max_tuple = map_size * 9
+        max_file_index = 256 ** array.array(file_index_type_code).itemsize - 1
+        m = array.array(file_index_type_code, [max_file_index] * max_tuple)
+        counter = collections.Counter()
+        crashes = []
+
+        pack_name = os.path.join(args.output, ".traces", f"{self.idx}.pack")
+        pack_pos = 0
+        with open(pack_name, "wb") as trace_pack:
+            while True:
+                batch = self.q_in.get()
+                if batch is None:
+                    break
+
+                for idx, r, crash in afl_showmap(
+                    batch=batch, afl_map_size=self.afl_map_size
+                ):
+                    counter.update(r)
+
+                    used = False
+
+                    if crash:
+                        crashes.append(idx)
+
+                    # If we aren't saving crashes to a separate dir, handle them
+                    # the same as other inputs. However, unless AFL_CMIN_ALLOW_ANY=1,
+                    # afl_showmap will not return any coverage for crashes so they will
+                    # never be retained.
+                    if not crash or not args.crash_dir:
+                        for t in r:
+                            if idx < m[t]:
+                                m[t] = idx
+                                used = True
+
+                    if used:
+                        tuple_count = len(r)
+                        r.tofile(trace_pack)
+                        self.p_out.put((idx, self.idx, pack_pos, tuple_count))
+                        pack_pos += tuple_count * r.itemsize
+                    else:
+                        self.p_out.put(None)
+
+        self.r_out.put((self.idx, m, counter, crashes))
+
+
+class CombineTraceWorker(multiprocessing.Process):
+
+    def __init__(self, pack_name, jobs, r_out):
+        super().__init__()
+        self.pack_name = pack_name
+        self.jobs = jobs
+        self.r_out = r_out
+
+    def run(self):
+        already_have = set()
+        with open(self.pack_name, "rb") as f:
+            for pos, tuple_count in self.jobs:
+                f.seek(pos)
+                result = array.array(tuple_index_type_code)
+                result.fromfile(f, tuple_count)
+                already_have.update(result)
+        self.r_out.put(already_have)
+
+
+def hash_file(path):
+    m = hashlib.sha1()
+    with open(path, "rb") as f:
+        m.update(f.read())
+    return m.digest()
+
+
+def dedup(files):
+    with multiprocessing.Pool(args.workers) as pool:
+        seen_hash = set()
+        result = []
+        hash_list = []
+        # use large chunksize to reduce multiprocessing overhead
+        chunksize = max(1, min(256, len(files) // args.workers))
+        for i, h in enumerate(
+            tqdm(
+                pool.imap(hash_file, files, chunksize),
+                desc="dedup",
+                total=len(files),
+                ncols=0,
+                leave=(len(files) > 100000),
+            )
+        ):
+            if h in seen_hash:
+                continue
+            seen_hash.add(h)
+            result.append(files[i])
+            hash_list.append(h)
+        return result, hash_list
+
+
+def is_afl_dir(dirnames, filenames):
+    return (
+        "queue" in dirnames
+        and "hangs" in dirnames
+        and "crashes" in dirnames
+        and "fuzzer_setup" in filenames
+    )
+
+
+def collect_files(input_paths):
+    paths = []
+    for s in input_paths:
+        paths += glob.glob(s)
+
+    files = []
+    with tqdm(desc="search", unit=" files", ncols=0) as pbar:
+        for path in paths:
+            for root, dirnames, filenames in os.walk(path, followlinks=True):
+                for dirname in dirnames:
+                    if dirname.startswith("."):
+                        dirnames.remove(dirname)
+
+                if not args.crash_only and is_afl_dir(dirnames, filenames):
+                    continue
+
+                for filename in filenames:
+                    if filename.startswith("."):
+                        continue
+                    pbar.update(1)
+                    files.append(os.path.join(root, filename))
+    return files
+
+
+def main():
+    init()
+
+    files = collect_files(args.input)
+    if len(files) == 0:
+        logger.error("no inputs in the target directory - nothing to be done")
+        sys.exit(1)
+    logger.info("Found %d input files in %d directories", len(files), len(args.input))
+
+    if not args.no_dedup:
+        files, hash_list = dedup(files)
+        logger.info("Remain %d files after dedup", len(files))
+    else:
+        logger.info("Skipping file deduplication.")
+
+    global file_index_type_code
+    file_index_type_code = detect_type_code(len(files))
+
+    logger.info("Sorting files.")
+    with multiprocessing.Pool(args.workers) as pool:
+        chunksize = max(1, min(512, len(files) // args.workers))
+        size_list = list(pool.map(os.path.getsize, files, chunksize))
+    idxes = sorted(range(len(files)), key=lambda x: size_list[x])
+    files = [files[idx] for idx in idxes]
+    hash_list = [hash_list[idx] for idx in idxes]
+
+    afl_map_size = None
+    if b"AFL_DUMP_MAP_SIZE" in open(args.exe, "rb").read():
+        output = subprocess.run(
+            [args.exe], capture_output=True, env={"AFL_DUMP_MAP_SIZE": "1", "ASAN_OPTIONS": "detect_leaks=0"}
+        ).stdout
+        afl_map_size = int(output)
+        logger.info("Setting AFL_MAP_SIZE=%d", afl_map_size)
+
+        global tuple_index_type_code
+        tuple_index_type_code = detect_type_code(afl_map_size * 9)
+
+    logger.info("Testing the target binary")
+    tuples, _ = afl_showmap(files[0], afl_map_size=afl_map_size, first=True)
+    if tuples:
+        logger.info("ok, %d tuples recorded", len(tuples))
+    else:
+        logger.error("no instrumentation output detected")
+        sys.exit(1)
+
+    job_queue = multiprocessing.Queue()
+    progress_queue = multiprocessing.Queue()
+    result_queue = multiprocessing.Queue()
+
+    workers = []
+    for i in range(args.workers):
+        p = Worker(i, afl_map_size, job_queue, progress_queue, result_queue)
+        p.start()
+        workers.append(p)
+
+    chunk = max(1, min(128, len(files) // args.workers))
+    jobs = list(batched(enumerate(files), chunk))
+    jobs += [None] * args.workers  # sentinel
+
+    dispatcher = JobDispatcher(job_queue, jobs)
+    dispatcher.start()
+
+    logger.info("Processing traces")
+    effective = 0
+    trace_info = {}
+    for _ in tqdm(files, ncols=0, smoothing=0.01):
+        r = progress_queue.get()
+        if r is not None:
+            idx, worker_idx, pos, tuple_count = r
+            trace_info[idx] = worker_idx, pos, tuple_count
+            effective += 1
+    dispatcher.join()
+
+    logger.info("Obtaining trace results")
+    ms = []
+    crashes = []
+    counter = collections.Counter()
+    for _ in tqdm(range(args.workers), ncols=0):
+        idx, m, c, crs = result_queue.get()
+        ms.append(m)
+        counter.update(c)
+        crashes.extend(crs)
+        workers[idx].join()
+    best_idxes = list(map(min, zip(*ms)))
+
+    if not args.crash_dir:
+        logger.info(
+            "Found %d unique tuples across %d files (%d effective)",
+            len(counter),
+            len(files),
+            effective,
+        )
+    else:
+        logger.info(
+            "Found %d unique tuples across %d files (%d effective, %d crashes)",
+            len(counter),
+            len(files),
+            effective,
+            len(crashes),
+        )
+    all_unique = counter.most_common()
+
+    logger.info("Processing candidates and writing output")
+    already_have = set()
+    count = 0
+
+    def save_file(idx):
+        input_path = files[idx]
+        fn = (
+            base64.b16encode(hash_list[idx]).decode("utf8").lower()
+            if not args.no_dedup
+            else os.path.basename(input_path)
+        )
+        if args.as_queue:
+            if args.no_dedup:
+                fn = "id:%06d,orig:%s" % (count, fn)
+            else:
+                fn = "id:%06d,hash:%s" % (count, fn)
+        output_path = os.path.join(args.output, fn)
+        try:
+            os.link(input_path, output_path)
+        except OSError:
+            shutil.copy(input_path, output_path)
+
+    jobs = [[] for i in range(args.workers)]
+    saved = set()
+    for t, c in all_unique:
+        if c != 1:
+            continue
+        idx = best_idxes[t]
+        if idx in saved:
+            continue
+        save_file(idx)
+        saved.add(idx)
+        count += 1
+
+        worker_idx, pos, tuple_count = trace_info[idx]
+        job = (pos, tuple_count)
+        jobs[worker_idx].append(job)
+
+    trace_packs = []
+    workers = []
+    for i in range(args.workers):
+        pack_name = os.path.join(args.output, ".traces", f"{i}.pack")
+        trace_f = open(pack_name, "rb")
+        trace_packs.append(trace_f)
+
+        p = CombineTraceWorker(pack_name, jobs[i], result_queue)
+        p.start()
+        workers.append(p)
+
+    for _ in range(args.workers):
+        result = result_queue.get()
+        already_have.update(result)
+
+    for t, c in tqdm(list(reversed(all_unique)), ncols=0):
+        if t in already_have:
+            continue
+
+        idx = best_idxes[t]
+        save_file(idx)
+        count += 1
+
+        worker_idx, pos, tuple_count = trace_info[idx]
+        trace_pack = trace_packs[worker_idx]
+        trace_pack.seek(pos)
+        result = array.array(tuple_index_type_code)
+        result.fromfile(trace_pack, tuple_count)
+
+        already_have.update(result)
+
+    for f in trace_packs:
+        f.close()
+
+    if args.crash_dir:
+        logger.info("Saving crashes to %s", args.crash_dir)
+        crash_files = [files[c] for c in crashes]
+
+        if args.no_dedup:
+            # Unless we deduped previously, we have to dedup the crash files
+            # now.
+            crash_files, hash_list = dedup(crash_files)
+
+        for idx, crash_path in enumerate(crash_files):
+            fn = base64.b16encode(hash_list[idx]).decode("utf8").lower()
+            output_path = os.path.join(args.crash_dir, fn)
+            try:
+                os.link(crash_path, output_path)
+            except OSError:
+                try:
+                    shutil.copy(crash_path, output_path)
+                except shutil.Error:
+                    # This error happens when src and dest are hardlinks of the
+                    # same file. We have nothing to do in this case, but handle
+                    # it gracefully.
+                    pass
+
+    if count == 1:
+        logger.warning("all test cases had the same traces, check syntax!")
+    logger.info('narrowed down to %s files, saved in "%s"', count, args.output)
+    if not os.environ.get("AFL_KEEP_TRACES"):
+        logger.info("Deleting trace files")
+        trace_dir = os.path.join(args.output, ".traces")
+        shutil.rmtree(trace_dir, ignore_errors=True)
+
+
+if __name__ == "__main__":
+    main()
--- a/26
+++ b/26
@ -121,20 +121,30 @@ kernel.sched_child_runs_first=1
 kernel.sched_autogroup_enabled=1
 kernel.sched_migration_cost_ns=50000000
 kernel.sched_latency_ns=250000000
+vm.swappiness=10
 EOF
  }

-  grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null || echo Error: /etc/default/grub with GRUB_CMDLINE_LINUX_DEFAULT is not present, cannot set boot options
-  grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub 2>/dev/null && {
-    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | grep -E -q 'noibrs pcid nopti' || {
+  grub_try_disable_mitigation () {
+    KEY="$1"
+    if ! grep -E "^$KEY=" /etc/default/grub | grep -E -q 'noibrs pcid nopti'; then
      echo "Configuring performance boot options"
-      LINE=`grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/^GRUB_CMDLINE_LINUX_DEFAULT=//' | tr -d '"'`
-      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
-      echo Setting boot options in /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"
-      sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$OPTIONS\"|" /etc/default/grub
-    }
+      LINE=`grep -E "^$KEY=" /etc/default/grub | sed "s/^$KEY=//" | tr -d '"'`
+      OPTIONS="$LINE ibpb=off ibrs=off kpti=off l1tf=off spec_rstack_overflow=off mds=off nokaslr no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"
+      echo Setting boot options in /etc/default/grub to $KEY=\"$OPTIONS\"
+      sed -i "s|^$KEY=.*|$KEY=\"$OPTIONS\"|" /etc/default/grub
+    fi
  }

+
+  if grep -E -q '^GRUB_CMDLINE_LINUX=' /etc/default/grub || grep -E -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub; then
+    grub_try_disable_mitigation "GRUB_CMDLINE_LINUX_DEFAULT"
+    # We also overwrite GRUB_CMDLINE_LINUX because some distributions already overwrite GRUB_CMDLINE_LINUX_DEFAULT
+    grub_try_disable_mitigation "GRUB_CMDLINE_LINUX"
+  else
+    echo "Error: /etc/default/grub with GRUB_CMDLINE_LINUX is not present, cannot set boot options"
+  fi
+
  echo
  echo "Reboot and enjoy your fuzzing"
  exit 0
--- a/3
+++ b/3
@ -41,6 +41,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
  sysctl -w kernel.sched_autogroup_enabled=1
  sysctl -w kernel.sched_migration_cost_ns=50000000 2>/dev/null
  sysctl -w kernel.sched_latency_ns=250000000 2>/dev/null
+  sysctl -w vm.swappiness=10 2>/dev/null
  echo never > /sys/kernel/mm/transparent_hugepage/enabled
  test -e /sys/devices/system/cpu/cpufreq/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/scaling_governor
  test -e /sys/devices/system/cpu/cpufreq/policy0/scaling_governor && echo performance | tee /sys/devices/system/cpu/cpufreq/policy*/scaling_governor
@ -54,7 +55,7 @@ if [ "$PLATFORM" = "Linux" ] ; then
  echo
  dmesg | grep -E -q 'noibrs pcid nopti' || {
    echo It is recommended to boot the kernel with lots of security off - if you are running a machine that is in a secured network - so set this:
-    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=0 l1tf=off mds=off mitigations=off no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx_async_abort=off arm64.nopauth audit=0 hardened_usercopy=off ssbd=force-off"'
+    echo '  /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="ibpb=off ibrs=off kpti=off l1tf=off spec_rstack_overflow=off mds=off nokaslr no_stf_barrier noibpb noibrs pcid nopti nospec_store_bypass_disable nospectre_v1 nospectre_v2 pcid=on pti=off spec_store_bypass_disable=off spectre_v2=off stf_barrier=off srbds=off noexec=off noexec32=off tsx=on tsx=on tsx_async_abort=off mitigations=off audit=0 hardened_usercopy=off ssbd=force-off"'
    echo
  }
  echo If you run fuzzing instances in docker, run them with \"--security-opt seccomp=unconfined\" for more speed.
--- a/26
+++ b/26
@ -111,9 +111,16 @@ if [ -z "$NO_COLOR" ]; then
  RESET="$NC"
 fi

-CUR_TIME=`date +%s`
+PLATFORM=`uname -s`
+#if [ "$PLATFORM" = "Linux" ] ; then
+#  CUR_TIME=`cat /proc/uptime | awk '{printf "%.0f\n", $1}'`
+#else
+  # This will lead to inaccurate results but will prevent the script from breaking on platforms other than Linux
+  CUR_TIME=`date +%s`
+#fi

 TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || TMP=`mktemp -p /data/local/tmp .afl-whatsup-XXXXXXXX` || exit 1
+trap "rm -f $TMP" 1 2 3 13 15

 ALIVE_CNT=0
 DEAD_CNT=0
@ -122,6 +129,7 @@ START_CNT=0
 TOTAL_TIME=0
 TOTAL_EXECS=0
 TOTAL_EPS=0
+TOTAL_EPLM=0
 TOTAL_CRASHES=0
 TOTAL_HANGS=0
 TOTAL_PFAV=0
@ -181,6 +189,8 @@ for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do
  
  if [ -f "$i" ]; then
    
+    IS_STARTING=
+    IS_DEAD=
    sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
    . "$TMP"
    DIRECTORY=$DIR
@ -211,9 +221,6 @@ for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do
    
    if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
      
-      IS_STARTING=
-      IS_DEAD=
-      
      if [ -e "$i" ] && [ -e "$j" ] && [ -n "$FUSER" ]; then
        
        if [ "$i" -ot "$j" ]; then
@ -272,11 +279,15 @@ for j in `find . -maxdepth 2 -iname fuzzer_setup | sort`; do
    ALIVE_CNT=$((ALIVE_CNT + 1))
    
    EXEC_SEC=0
+    EXEC_MIN=0
    test -z "$RUN_UNIX" -o "$RUN_UNIX" = 0 || EXEC_SEC=$((execs_done / RUN_UNIX))
    PATH_PERC=$((cur_item * 100 / corpus_count))

+    test "$IS_DEAD" = 1 || EXEC_MIN=$(echo $execs_ps_last_min|sed 's/\..*//')
+    
    TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
    TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
+    TOTAL_EPLM=$((TOTAL_EPLM + EXEC_MIN))
    TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
    TOTAL_CRASHES=$((TOTAL_CRASHES + saved_crashes))
    TOTAL_HANGS=$((TOTAL_HANGS + saved_hangs))
@ -412,9 +423,12 @@ echo "      Total run time : $FMT_TIME"
 if [ -z "$MINIMAL_ONLY" ]; then
  echo "          Total execs : $FMT_EXECS"
  echo "     Cumulative speed : $TOTAL_EPS execs/sec"
+  if [ "$ALIVE_CNT" -gt "0" ]; then
+    echo "  Total average speed : $((TOTAL_EPS / ALIVE_CNT)) execs/sec"
+  fi
 fi
 if [ "$ALIVE_CNT" -gt "0" ]; then
-  echo "       Average speed : $((TOTAL_EPS / ALIVE_CNT)) execs/sec"
+  echo "Current average speed : $TOTAL_EPLM execs/sec"
 fi
 if [ -z "$MINIMAL_ONLY" ]; then
  echo "        Pending items : $TOTAL_PFAV faves, $TOTAL_PENDING total"
@ -430,7 +444,7 @@ echo "    Coverage reached : ${TOTAL_COVERAGE}%"
 echo "        Crashes saved : $TOTAL_CRASHES"
 if [ -z "$MINIMAL_ONLY" ]; then
  echo "          Hangs saved : $TOTAL_HANGS"
-  echo "Cycles without finds : $TOTAL_WCOP"
+  echo " Cycles without finds : $TOTAL_WCOP"
 fi
 echo "   Time without finds : $TOTAL_LAST_FIND"
 echo
--- a/benchmark/COMPARISON.md
+++ b/benchmark/COMPARISON.md
@ -1,9 +1,14 @@
-CPU                                                 | MHz   | threads | singlecore | multicore | afl-*-config |
-====================================================|=======|=========|============|===========|==============|
-Raspberry Pi 5                                      | 2400  | 4       | 25786      | 101114    | both         |
-AMD EPYC 7282 16-Core Processor                     | 3194  | 32      | 87199      | 769001    | both         |
-AMD Ryzen 5 PRO 4650G with Radeon Graphics          | 3700  | 12      | 95356      | 704840    | both         |
-Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz            | 4995  | 16      | 120064     | 1168943   | both         |
-12th Gen Intel(R) Core(TM) i7-1270P                 | 4761  | 16      | 149778     | 641219    | both         |
-AMD Ryzen 9 5950X 16-Core Processor                 | 4792  | 32      | 161690     | 2339763   | both         |
-Apple Mac Studio M2 Ultra 2023, Linux VM guest      | 3500  | 16      | 163570     | 1157465   | both         |
+|CPU                                                 | MHz   | threads | singlecore | multicore | afl-*-config |
+|----------------------------------------------------|-------|---------|------------|-----------|--------------|
+|Raspberry Pi 5                                      | 2400  | 4       | 25786      | 101114    | both         |
+|AMD EPYC 7282 16-Core Processor                     | 3194  | 32      | 87199      | 769001    | both         |
+|AMD Ryzen 5 PRO 4650G with Radeon Graphics          | 3700  | 12      | 95356      | 704840    | both         |
+|Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz            | 4995  | 16      | 120064     | 1168943   | both         |
+|12th Gen Intel(R) Core(TM) i7-1270P                 | 4761  | 16      | 149778     | 641219    | both         |
+|AMD Ryzen 9 5950X 16-Core Processor                 | 4792  | 32      | 161690     | 2339763   | both         |
+|Apple Mac Studio M2 Ultra 2023, Linux VM guest      | 3500  | 16      | 163570     | 1157465   | both         |
+|AMD Ryzen 9 6900HS with Radeon Graphics             | 4676  | 16      | 62860      | 614404    | system       |
+|AMD Ryzen 9 6900HS with Radeon Graphics             | 4745  | 16      | 135501     | 991133    | both         |
+|AMD Ryzen 9 7950X3D 16-Core Processor               | 5400  | 32      | 71566      | 1566279   | system       |
+|AMD Ryzen 9 7950X3D 16-Core Processor               | 5478  | 32      | 161960     | 2173959   | both         |
+|Ampere Altra Q80-30                                 | 0     | 80      | 54477      | 1604482   | system       |
--- a/benchmark/benchmark-results.jsonl
+++ b/benchmark/benchmark-results.jsonl
@ -418,3 +418,7 @@
 {"config": {"afl_persistent_config": true, "afl_system_config": true, "afl_version": "++4.08a", "comment": "", "compiler": "Ubuntu clang version 14.0.0-1ubuntu1.1", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 3700.0, "cpu_model": "AMD Ryzen 5 PRO 4650G with Radeon Graphics", "cpu_threads": 12}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 704840.16, "execs_total": 21163992, "fuzzers_used": 12}, "singlecore": {"execs_per_sec": 95356.14, "execs_total": 2862114, "fuzzers_used": 1}}}}
 {"config": {"afl_persistent_config": true, "afl_system_config": true, "afl_version": "++4.09a", "comment": "", "compiler": "Debian clang version 14.0.6", "target_arch": "aarch64-unknown-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 2400.0, "cpu_model": "Raspberry Pi 5", "cpu_threads": 4}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 101114.23, "execs_total": 3036637, "fuzzers_used": 4}, "singlecore": {"execs_per_sec": 25786.11, "execs_total": 774460, "fuzzers_used": 1}}}}
 {"config": {"afl_persistent_config": true, "afl_system_config": true, "afl_version": "++4.07a", "comment": "", "compiler": "Debian clang version 17.0.0 (++20230417071830+ae77aceba5ad-1~exp1~20230417071935.630)", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 4792.073, "cpu_model": "AMD Ryzen 9 5950X 16-Core Processor", "cpu_threads": 32}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 2339762.91, "execs_total": 70253164, "fuzzers_used": 32}, "singlecore": {"execs_per_sec": 161690.07, "execs_total": 4851838, "fuzzers_used": 1}}}}
+{"config": {"afl_persistent_config": false, "afl_system_config": true, "afl_version": "++4.10c", "comment": "", "compiler": "clang version 17.0.6", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 4675.949, "cpu_model": "AMD Ryzen 9 6900HS with Radeon Graphics", "cpu_threads": 16}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 614403.91, "execs_total": 18435083, "fuzzers_used": 16}, "singlecore": {"execs_per_sec": 62859.9, "execs_total": 1886111, "fuzzers_used": 1}}}}
+{"config": {"afl_persistent_config": true, "afl_system_config": true, "afl_version": "++4.10c", "comment": "", "compiler": "clang version 17.0.6", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 4744.522, "cpu_model": "AMD Ryzen 9 6900HS with Radeon Graphics", "cpu_threads": 16}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 991132.96, "execs_total": 29737588, "fuzzers_used": 16}, "singlecore": {"execs_per_sec": 135501.07, "execs_total": 4066116, "fuzzers_used": 1}}}}
+{"config": {"afl_persistent_config": false, "afl_system_config": true, "afl_version": "++4.10c", "comment": "", "compiler": "Ubuntu clang version 14.0.6", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 5399.822, "cpu_model": "AMD Ryzen 9 7950X3D 16-Core Processor", "cpu_threads": 32}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 1566279.42, "execs_total": 46994452, "fuzzers_used": 32}, "singlecore": {"execs_per_sec": 71565.56, "execs_total": 2147396, "fuzzers_used": 1}}}}
+{"config": {"afl_persistent_config": true, "afl_system_config": true, "afl_version": "++4.10c", "comment": "", "compiler": "clang version 17.0.6", "target_arch": "x86_64-pc-linux-gnu"}, "hardware": {"cpu_fastest_core_mhz": 5478.258, "cpu_model": "AMD Ryzen 9 7950X3D 16-Core Processor", "cpu_threads": 32}, "targets": {"test-instr-persist-shmem": {"multicore": {"execs_per_sec": 2173959.15, "execs_total": 65229513, "fuzzers_used": 32}, "singlecore": {"execs_per_sec": 161960.29, "execs_total": 4859457, "fuzzers_used": 1}}}}
--- a/benchmark/benchmark.py
+++ b/benchmark/benchmark.py
@ -205,7 +205,7 @@ async def save_benchmark_results() -> None:
        single = str(round(results.targets["test-instr-persist-shmem"]["singlecore"].execs_per_sec)).ljust(10)
        multi = str(round(results.targets["test-instr-persist-shmem"]["multicore"].execs_per_sec)).ljust(9)
        cores = str(args.fuzzers).ljust(7)
-        comparisonfile.write(f"{cpu_model} | {cpu_mhz} | {cores} | {single} | {multi} | {aflconfig} |\n")
+        comparisonfile.write(f"|{cpu_model} | {cpu_mhz} | {cores} | {single} | {multi} | {aflconfig} |\n")
        print(blue(f" [*] Results have been written to the COMPARISON.md file."))
    with open("COMPARISON.md", "r") as comparisonfile:
        print(comparisonfile.read())
--- a/custom_mutators/aflpp/README.md
+++ b/custom_mutators/aflpp/README.md
@ -1,4 +1,4 @@
-# custum mutator: AFL++
+# custom mutator: AFL++

 this is the AFL++ havoc mutator as a custom mutator module for AFL++.

--- a/custom_mutators/aflpp/aflpp.c
+++ b/custom_mutators/aflpp/aflpp.c
@ -1,3 +1,4 @@
+#include "afl-fuzz.h"
 #include "afl-mutations.h"

 typedef struct my_mutator {
@ -47,7 +48,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,

    u8 *ptr = realloc(data->buf, max_size);

-    if (ptr) {
+    if (!ptr) {

      return 0;

--- a/custom_mutators/aflpp/standalone/Makefile
+++ b/custom_mutators/aflpp/standalone/Makefile
@ -4,7 +4,7 @@ CFLAGS = -O3 -funroll-loops -fPIC
 all: aflpp-standalone

 aflpp-standalone:	aflpp-standalone.c
-	$(CC) $(CFLAGS) -I../../../include -I. -o aflpp-standalone aflpp-standalone.c ../../../src/afl-performance.c
+	$(CC) $(CFLAGS) -w -DBIN_PATH=\"foo\" -I../../../include -I. -o aflpp-standalone aflpp-standalone.c ../../../src/afl-performance.c ../../../src/afl-fuzz-extras.c ../../../src/afl-common.c

 clean:
 	rm -f *.o *~ aflpp-standalone core
--- a/custom_mutators/aflpp/standalone/README.md
+++ b/custom_mutators/aflpp/standalone/README.md
@ -5,6 +5,6 @@ this is the AFL++ havoc mutator as a standalone mutator
 just type `make` to build.

 ```
-aflpp-standalone inputfile outputfile [splicefile]
+aflpp-standalone -h # to see all parameteres
+cat file | aflpp-standalone -m 4 -x foo.dict - outputfile splicefile # example
 ```
-
--- a/custom_mutators/aflpp/standalone/aflpp-standalone.c
+++ b/custom_mutators/aflpp/standalone/aflpp-standalone.c
@ -1,8 +1,11 @@
+#include "afl-fuzz.h"
 #include "afl-mutations.h"

-s8  interesting_8[] = {INTERESTING_8};
-s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
-s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
+#include <unistd.h>
+#include <getopt.h>
+
+static int            max_havoc = 16, verbose;
+static unsigned char *dict;

 typedef struct my_mutator {

@ -24,14 +27,14 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {

  }

-  if ((data->buf = malloc(1024*1024)) == NULL) {
+  if ((data->buf = malloc(1024 * 1024)) == NULL) {

    perror("afl_custom_init alloc");
    return NULL;

  } else {

-    data->buf_size = 1024*1024;
+    data->buf_size = 1024 * 1024;

  }

@ -39,9 +42,23 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
  data->afl = calloc(1, sizeof(afl_state_t));
  data->afl->queue_cycle = 1;
  data->afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY);
-  if (data->afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); }
+  if (data->afl->fsrv.dev_urandom_fd < 0) {
+
+    PFATAL("Unable to open /dev/urandom");
+
+  }
+
  rand_set_seed(data->afl, getpid());

+  if (dict) {
+
+    load_extras(data->afl, dict);
+    if (verbose)
+      fprintf(stderr, "Loaded dictionary: %s (%u entries)\n", dict,
+              data->afl->extras_cnt);
+
+  }
+
  return data;

 }
@ -56,7 +73,7 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,

    u8 *ptr = realloc(data->buf, max_size);

-    if (ptr) {
+    if (!ptr) {

      return 0;

@ -69,14 +86,20 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,

  }

-  u32 havoc_steps = 1 + rand_below(data->afl, 16);
+  u32 havoc_steps = 1 + rand_below(data->afl, max_havoc);
+  if (verbose) fprintf(stderr, "Havoc steps: %u\n", havoc_steps);

  /* set everything up, costly ... :( */
  memcpy(data->buf, buf, buf_size);

  /* the mutation */
-  u32 out_buf_len = afl_mutate(data->afl, data->buf, buf_size, havoc_steps,
-                               false, true, add_buf, add_buf_size, max_size);
+  u32 out_buf_len;
+  do {
+
+    out_buf_len = afl_mutate(data->afl, data->buf, buf_size, havoc_steps, false,
+                             true, add_buf, add_buf_size, max_size);
+
+  } while (out_buf_len == buf_size && memcmp(buf, data->buf, buf_size) == 0);

  /* return size of mutated data */
  *out_buf = data->buf;
@ -87,80 +110,143 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
 int main(int argc, char *argv[]) {

  if (argc > 1 && strncmp(argv[1], "-h", 2) == 0) {
-    printf("Syntax: %s [-v] [inputfile [outputfile [splicefile]]]\n\n", argv[0]);
-    printf("Reads a testcase from stdin when no input file (or '-') is specified,\n");
-    printf("mutates according to AFL++'s mutation engine, and write to stdout when '-' or\n");
-    printf("no output filename is given. As an optional third parameter you can give a file\n");
+
+    printf(
+        "Syntax: %s [-v] [-m maxmutations] [-x dict] [inputfile [outputfile "
+        "[splicefile]]]\n\n",
+        argv[0]);
+    printf(
+        "Reads a testcase from stdin when no input file (or '-') is "
+        "specified,\n");
+    printf(
+        "mutates according to AFL++'s mutation engine, and write to stdout "
+        "when '-' or\n");
+    printf(
+        "no output filename is given. As an optional third parameter you can "
+        "give a file\n");
    printf("for splicing. Maximum input and output length is 1MB.\n");
-    printf("The -v verbose option prints debug output to stderr.\n");
+    printf("Options:\n");
+    printf("  -v      verbose debug output to stderr.\n");
+    printf("  -m val  max mutations (1-val, val default is 16)\n");
+    printf("  -x file dictionary file (AFL++ format)\n");
    return 0;
+
  }

  FILE          *in = stdin, *out = stdout, *splice = NULL;
-  unsigned char *inbuf = malloc(1024 * 1024), *outbuf, *splicebuf = NULL;
-  int verbose = 0, splicelen = 0;
+  unsigned char *inbuf = malloc(1024 * 1024), *outbuf = NULL, *splicebuf = NULL;
+  int            splicelen = 0, opt;

-  if (argc > 1 && strcmp(argv[1], "-v") == 0) {
+  while ((opt = getopt(argc, argv, "vm:x:")) > 0) {
+
+    switch (opt) {
+
+      case 'm':
+        max_havoc = atoi(optarg);
+        break;
+      case 'v':
        verbose = 1;
-    argc--;
-    argv++;
-    fprintf(stderr, "Verbose active\n");
+        break;
+      case 'x':
+        dict = optarg;
+        break;
+      default:
+        fprintf(stderr, "Error: unknown parameter -%c\n", opt);
+        exit(-1);
+
+    }
+
+  }
+
+  if (max_havoc < 1) {
+
+    fprintf(stderr, "Error: illegal -m value\n");
+    exit(-1);
+
  }

  my_mutator_t *data = afl_custom_init(NULL, 0);

-  if (argc > 1 && strcmp(argv[1], "-") != 0) {
-    if ((in = fopen(argv[1], "r")) == NULL) {
+  if (argc > optind && strcmp(argv[optind], "-") != 0) {
+
+    if ((in = fopen(argv[optind], "r")) == NULL) {
+
      perror(argv[1]);
      return -1;
-    }
-    if (verbose) fprintf(stderr, "Input: %s\n", argv[1]);
+
    }

-  size_t inlen = fread(inbuf, 1, 1024*1024, in);
+    if (verbose) fprintf(stderr, "Input: %s\n", argv[optind]);
+
+  }
+
+  size_t inlen = fread(inbuf, 1, 1024 * 1024, in);

  if (!inlen) {
-    fprintf(stderr, "Error: empty file %s\n", argv[1] ? argv[1] : "stdin");
+
+    fprintf(stderr, "Error: empty file %s\n",
+            argv[optind] ? argv[optind] : "stdin");
    return -1;
+
  }

-  if (argc > 2 && strcmp(argv[2], "-") != 0) {
-    if ((out = fopen(argv[2], "w")) == NULL) {
-      perror(argv[2]);
+  if (argc > optind + 1 && strcmp(argv[optind + 1], "-") != 0) {
+
+    if ((out = fopen(argv[optind + 1], "w")) == NULL) {
+
+      perror(argv[optind + 1]);
      return -1;
-    }
-    if (verbose) fprintf(stderr, "Output: %s\n", argv[2]);
+
    }

-  if (argc > 3) {
-    if ((splice = fopen(argv[3], "r")) == NULL) {
-      perror(argv[3]);
-      return -1;
+    if (verbose) fprintf(stderr, "Output: %s\n", argv[optind + 1]);
+
  }
-    if (verbose) fprintf(stderr, "Splice: %s\n", argv[3]);
-    splicebuf = malloc(1024*1024);
-    size_t splicelen = fread(splicebuf, 1, 1024*1024, splice);
+
+  if (argc > optind + 2) {
+
+    if ((splice = fopen(argv[optind + 2], "r")) == NULL) {
+
+      perror(argv[optind + 2]);
+      return -1;
+
+    }
+
+    if (verbose) fprintf(stderr, "Splice: %s\n", argv[optind + 2]);
+    splicebuf = malloc(1024 * 1024);
+    size_t splicelen = fread(splicebuf, 1, 1024 * 1024, splice);
    if (!splicelen) {
-      fprintf(stderr, "Error: empty file %s\n", argv[3]);
+
+      fprintf(stderr, "Error: empty file %s\n", argv[optind + 2]);
      return -1;
+
    }
+
    if (verbose) fprintf(stderr, "Mutation splice length: %zu\n", splicelen);
+
  }

  if (verbose) fprintf(stderr, "Mutation input length: %zu\n", inlen);
-  unsigned int outlen = afl_custom_fuzz(data, inbuf, inlen, &outbuf, splicebuf, splicelen, 1024*1024);
+  unsigned int outlen = afl_custom_fuzz(data, inbuf, inlen, &outbuf, splicebuf,
+                                        splicelen, 1024 * 1024);

  if (outlen == 0 || !outbuf) {
+
    fprintf(stderr, "Error: no mutation data returned.\n");
    return -1;
+
  }

-  if (verbose) fprintf(stderr, "Mutation output length: %zu\n", outlen);
+  if (verbose) fprintf(stderr, "Mutation output length: %u\n", outlen);

  if (fwrite(outbuf, 1, outlen, out) != outlen) {
+
    fprintf(stderr, "Warning: incomplete write.\n");
    return -1;
+
  }

  return 0;
+
 }
+
--- a/custom_mutators/atnwalk/README.md
+++ b/custom_mutators/atnwalk/README.md
@ -13,7 +13,7 @@ Just type `make` to build `atnwalk.so`.
 **NOTE:** The commands below just demonstrate an example how running ATNwalk looks like and require a working [testbed](https://github.com/atnwalk/testbed)

 ```bash
-# create the required a random seed first
+# create the required random seed first
 mkdir -p ~/campaign/example/seeds
 cd ~/campaign/example/seeds
 head -c1 /dev/urandom | ~/atnwalk/build/javascript/bin/decode -wb > seed.decoded 2> seed.encoded
--- a/custom_mutators/atnwalk/atnwalk.c
+++ b/custom_mutators/atnwalk/atnwalk.c
@ -180,7 +180,8 @@ size_t fail_fatal(int fd_socket, uint8_t **out_buf) {

  if (fd_socket != -1) { close(fd_socket); }
  *out_buf = NULL;
-  return 0;
+  fprintf(stderr, "atnwalk.socket not found in current directory!\n");
+  exit(-1);

 }

@ -408,7 +409,7 @@ size_t afl_custom_fuzz(atnwalk_mutator_t *data, uint8_t *buf, size_t buf_size,

  } else {

-    // new_size fits into buf, so re-use it
+    // new_size fits into buf, so reuse it
    *out_buf = buf;

  }
--- a/custom_mutators/autotokens/autotokens.cpp
+++ b/custom_mutators/autotokens/autotokens.cpp
@ -39,6 +39,7 @@ extern "C" {
 #ifndef AFL_TXT_MAX_LEN
  #define AFL_TXT_MAX_LEN 65535
 #endif
+#define AUTOTOKENS_TXT_MIN_LEN 1

 #if AUTOTOKENS_SPLICE_MIN >= AUTOTOKENS_SIZE_MIN
  #error SPLICE_MIN must be lower than SIZE_MIN
@ -57,8 +58,9 @@ typedef struct my_mutator {
  if (unlikely(debug)) fprintf
 #define IFDEBUG if (unlikely(debug))

+int module_disabled = 0;
+
 static afl_state *afl_ptr;
-static int        module_disabled = 0;
 static int        auto_disable = AUTOTOKENS_AUTO_DISABLE;
 static int        debug = AUTOTOKENS_DEBUG;
 static int        only_fav = AUTOTOKENS_ONLY_FAV;
@ -104,9 +106,9 @@ static void first_run(void *data) {
  if (afl_ptr->custom_only || !auto_disable) { return; }

  if (unlikely(afl_ptr->active_items == 1 &&
-               afl_ptr->queue_cur->len < AFL_TXT_MIN_LEN)) {
+               afl_ptr->queue_cur->len < AUTOTOKENS_TXT_MIN_LEN)) {

-    if (afl_ptr->extras_cnt > 8) {
+    if (afl_ptr->extras_cnt) {

      u32 valid = 0;

@ -237,7 +239,7 @@ extern "C" u32 afl_custom_fuzz_count(void *data, const u8 *buf,

 }

-extern "C" size_t afl_custom_fuzz(my_mutator_t *data, u8 *buf, size_t buf_size,
+extern "C" size_t afl_custom_fuzz(void *data, u8 *buf, size_t buf_size,
                                  u8 **out_buf, u8 *add_buf,
                                  size_t add_buf_size, size_t max_size) {

@ -655,6 +657,7 @@ extern "C" unsigned char afl_custom_queue_get(void                *data,
    if (current_id > whitespace_ids + 6 && afl_ptr->active_items == 1 &&
        afl_ptr->queue_cur->len < AFL_TXT_MIN_LEN) {

+    retry_thin_air:
      DEBUGF(stderr, "Creating an entry from thin air...\n");
      structure = new vector<u32>();
      u32 item, prev, cnt = current_id >> 1;
@ -684,8 +687,6 @@ extern "C" unsigned char afl_custom_queue_get(void                *data,

    }

-    create_from_thin_air = 0;
-
  }

  if (entry == file_mapping.end()) {
@ -693,7 +694,7 @@ extern "C" unsigned char afl_custom_queue_get(void                *data,
    // this input file was not analyzed for tokens yet, so let's do it!
    size_t len = afl_ptr->queue_cur->len;

-    if (len < AFL_TXT_MIN_LEN) {
+    if (len < AUTOTOKENS_TXT_MIN_LEN) {

      file_mapping[fn] = structure;  // NULL ptr so we don't read the file again
      s = NULL;
@ -895,6 +896,7 @@ extern "C" unsigned char afl_custom_queue_get(void                *data,

    if (tokens.size() < AUTOTOKENS_SIZE_MIN) {

+      if (create_from_thin_air) { goto retry_thin_air; }
      file_mapping[fn] = NULL;
      s = NULL;
      DEBUGF(stderr, "too few tokens\n");
@ -955,7 +957,7 @@ extern "C" unsigned char afl_custom_queue_get(void                *data,

 }

-extern "C" my_mutator_t *afl_custom_init(afl_state *afl, unsigned int seed) {
+extern "C" void *afl_custom_init(afl_state_t *afl, unsigned int seed) {

  (void)(seed);
  my_mutator_t *data = (my_mutator_t *)calloc(1, sizeof(my_mutator_t));
@ -1070,7 +1072,7 @@ extern "C" my_mutator_t *afl_custom_init(afl_state *afl, unsigned int seed) {
  id_to_token[current_id] = "'";
  ++current_id;

-  return data;
+  return (void *)data;

 }

--- a/custom_mutators/autotokens/standalone/Makefile
+++ b/custom_mutators/autotokens/standalone/Makefile
@ -0,0 +1,20 @@
+
+CFLAGS = -g -O3 -funroll-loops -fPIC -D_STANDALONE_MODULE=1 -Wno-pointer-sign
+CXXFLAGS= -g -O3 -funroll-loops -fPIC -D_STANDALONE_MODULE=1
+
+all: autotokens-standalone
+
+autotokens.o:	../autotokens.cpp
+	$(CXX) $(CXXFLAGS) -g -I../../../include -I. -I../.. -c ../autotokens.cpp
+
+autotokens-standalone:	autotokens-standalone.c	autotokens.o
+	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c autotokens-standalone.c
+	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-performance.c
+	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-fuzz-extras.c
+	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-fuzz-queue.c
+	$(CC) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -c ../../../src/afl-common.c
+	$(CXX) $(CFLAGS) -g -DBIN_PATH=\"foo\" -I../../../include -I. -o autotokens-standalone *.o
+	@rm -f ../../../src/afl-common.o ../../../src/afl-fuzz-queue.o ../../../src/afl-fuzz-extras.o ../../../src/afl-performance.o
+
+clean:
+	rm -f *.o *~ autotokens-standalone core
--- a/custom_mutators/autotokens/standalone/README.md
+++ b/custom_mutators/autotokens/standalone/README.md
@ -0,0 +1,12 @@
+# Autotokens standalone mutator
+
+this is a standalone version of the AFL++ autotokens custom mutator.
+
+just type `make` to build.
+
+You *MUST* use a dictionary file to have an effective grammarless grammar fuzzer!
+
+```
+autotokens-standalone -h # to see all parameters
+autotokens-standalone -x foo.dict inputfile outputfile # example
+```
--- a/custom_mutators/autotokens/standalone/autotokens-standalone.c
+++ b/custom_mutators/autotokens/standalone/autotokens-standalone.c
@ -0,0 +1,205 @@
+#include "afl-fuzz.h"
+#include "afl-mutations.h"
+#include "forkserver.h"
+
+#include <unistd.h>
+#include <getopt.h>
+
+static int            max_havoc = 16, verbose;
+static char _mh[4] = "16";
+static char *dict, *mh = _mh;
+
+extern int module_disabled;
+
+void *afl_custom_init(afl_state_t *, unsigned int);
+u8 afl_custom_queue_get(void *data, const u8 *filename);
+size_t afl_custom_fuzz(void *data, u8 *buf, size_t buf_size, u8 **out_buf,
+                            u8 *add_buf, size_t add_buf_size, size_t max_size);
+
+u32 write_to_testcase(afl_state_t *afl, void **mem, u32 a, u32 b) {
+  return 0;
+}
+fsrv_run_result_t fuzz_run_target(afl_state_t *afl, afl_forkserver_t *fsrv,
+                                  u32 i) {
+return FSRV_RUN_OK;
+                                  }
+
+int main(int argc, char *argv[]) {
+
+  if (argc > 1 && strncmp(argv[1], "-h", 2) == 0) {
+
+    printf(
+        "Syntax: %s [-v] [-m maxmutations] [-x dict] [inputfile [outputfile "
+        "[splicefile]]]\n\n",
+        argv[0]);
+    printf("Reads a testcase from a file (not stdin!),\n");
+    printf("writes to stdout when '-' or\n");
+    printf(
+        "no output filename is given. As an optional third parameter you can "
+        "give a file\n");
+    printf("for splicing. Maximum input and output length is 1MB.\n");
+    printf("Options:\n");
+    printf("  -v      verbose debug output to stderr.\n");
+    printf("  -m val  max mutations (1-val, val default is 16)\n");
+    printf("  -x file dictionary file (AFL++ format)\n");
+    printf("You can set the following environment variable parameters:\n");
+    printf("AUTOTOKENS_COMMENT` - what character or string starts a comment which will be\n");
+    printf("                      removed. Default: \"/* ... */\"\n");
+    return 0;
+
+  }
+
+  FILE          *in = stdin, *out = stdout, *splice = NULL;
+  unsigned char *inbuf = malloc(1024 * 1024), *outbuf = NULL, *splicebuf = NULL;
+  int            splicelen = 0, opt;
+
+  while ((opt = getopt(argc, argv, "vm:x:")) > 0) {
+
+    switch (opt) {
+
+      case 'm':
+        max_havoc = atoi(optarg);
+        mh = optarg;
+        break;
+      case 'v':
+        verbose = 1;
+        break;
+      case 'x':
+        dict = optarg;
+        break;
+      default:
+        fprintf(stderr, "Error: unknown parameter -%c\n", opt);
+        exit(-1);
+
+    }
+
+  }
+
+  if (max_havoc < 1) {
+
+    fprintf(stderr, "Error: illegal -m value\n");
+    exit(-1);
+
+  }
+
+  if (argc > optind && strcmp(argv[optind], "-") != 0) {
+
+    if ((in = fopen(argv[optind], "r")) == NULL) {
+
+      perror(argv[1]);
+      return -1;
+
+    }
+
+    if (verbose) fprintf(stderr, "Input: %s\n", argv[optind]);
+
+  }
+
+  size_t inlen = fread(inbuf, 1, 1024 * 1024, in);
+
+  if (!inlen) {
+
+    fprintf(stderr, "Error: empty file %s\n",
+            argv[optind] ? argv[optind] : "stdin");
+    return -1;
+
+  }
+
+  if (argc > optind + 1 && strcmp(argv[optind + 1], "-") != 0) {
+
+    if ((out = fopen(argv[optind + 1], "w")) == NULL) {
+
+      perror(argv[optind + 1]);
+      return -1;
+
+    }
+
+    if (verbose) fprintf(stderr, "Output: %s\n", argv[optind + 1]);
+
+  }
+
+  if (argc > optind + 2) {
+
+    if ((splice = fopen(argv[optind + 2], "r")) == NULL) {
+
+      perror(argv[optind + 2]);
+      return -1;
+
+    }
+
+    if (verbose) fprintf(stderr, "Splice: %s\n", argv[optind + 2]);
+    splicebuf = malloc(1024 * 1024);
+    size_t splicelen = fread(splicebuf, 1, 1024 * 1024, splice);
+    if (!splicelen) {
+
+      fprintf(stderr, "Error: empty file %s\n", argv[optind + 2]);
+      return -1;
+
+    }
+
+    if (verbose) fprintf(stderr, "Mutation splice length: %zu\n", splicelen);
+
+  }
+
+  /* configure autotokens */
+  setenv("AUTOTOKENS_LEARN_DICT", "1", 0);
+  setenv("AUTOTOKENS_CREATE_FROM_THIN_AIR", "1", 0);
+  setenv("AUTOTOKENS_CHANGE_MAX", mh, 0);
+
+  /* fake AFL++ state */
+  afl_state_t *afl = (afl_state_t *)calloc(1, sizeof(afl_state_t));
+  afl->queue_cycle = afl->havoc_div = afl->active_items = afl->queued_items = 1;
+  afl->shm.cmplog_mode = 0;
+  afl->fsrv.dev_urandom_fd = open("/dev/urandom", O_RDONLY);
+  if (afl->fsrv.dev_urandom_fd < 0) { PFATAL("Unable to open /dev/urandom"); }
+
+  rand_set_seed(afl, getpid());
+
+  if (dict) {
+
+    load_extras(afl, (u8*)dict);
+    if (verbose)
+      fprintf(stderr, "Loaded dictionary: %s (%u entries)\n", dict,
+              afl->extras_cnt);
+
+  }
+
+  // setup a fake queue entry
+  afl->queue_buf = malloc(64);
+  afl->queue_buf[0] = afl->queue_cur =
+      (struct queue_entry *)malloc(sizeof(struct queue_entry));
+  afl->queue_cur->testcase_buf = inbuf;
+  afl->queue_cur->fname = (u8 *)argv[optind];
+  afl->queue_cur->len = inlen;
+  afl->queue_cur->perf_score = 100;
+  afl->queue_cur->favored = afl->queue_cur->is_ascii = 1;
+  // afl->custom_only = 1;
+
+  void *data = (void *)afl_custom_init(afl, (u32)0);
+
+  u8 res = afl_custom_queue_get(inbuf, (u8 *)argv[optind]);
+
+  if (verbose) fprintf(stderr, "Mutation input length: %zu\n", inlen);
+  unsigned int outlen = afl_custom_fuzz(data, inbuf, inlen, &outbuf, splicebuf,
+                                        splicelen, 1024 * 1024);
+
+  if (outlen == 0 || !outbuf) {
+
+    fprintf(stderr, "Error: no mutation data returned.\n");
+    return -1;
+
+  }
+
+  if (verbose) fprintf(stderr, "Mutation output length: %u\n", outlen);
+
+  if (fwrite(outbuf, 1, outlen, out) != outlen) {
+
+    fprintf(stderr, "Warning: incomplete write.\n");
+    return -1;
+
+  }
+
+  return 0;
+
+}
+
--- a/custom_mutators/custom_send_tcp/Makefile
+++ b/custom_mutators/custom_send_tcp/Makefile
@ -0,0 +1,7 @@
+all:	custom_send_tcp.so
+
+custom_send_tcp.so:
+	$(CC) -Wno-unused-result -g -O3 -shared -fPIC -o custom_send_tcp.so -I../../include custom_send_tcp.c
+
+clean:
+	rm -f custom_send_tcp.so *.o *~ core
--- a/custom_mutators/custom_send_tcp/README.md
+++ b/custom_mutators/custom_send_tcp/README.md
@ -0,0 +1,13 @@
+# Send testcases via TCP custom mutator
+
+This custom mutator sends the fuzzing testcases via TCP.
+
+`AFL_CUSTOM_MUTATOR_LATE_SEND` - MUST be set!
+`CUSTOM_SEND_IP` - the IP address to send to (basically only 127.0.0.1 makes sense)
+`CUSTOM_SEND_PORT` - the TCP port to send to
+`CUSTOM_SEND_READ` - if the custom mutator should wait for a reply from the target
+
+Example:
+```
+CUSTOM_SEND_IP=127.0.0.1 CUSTOM_SEND_PORT=8000 CUSTOM_SEND_READ=1 AFL_CUSTOM_MUTATOR_LATE_SEND=1 AFL_CUSTOM_MUTATOR_LIBRARY=custom_send_tcp.so ./afl-fuzz ...
+```
--- a/custom_mutators/custom_send_tcp/custom_send_tcp.c
+++ b/custom_mutators/custom_send_tcp/custom_send_tcp.c
@ -0,0 +1,113 @@
+#include <time.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <arpa/inet.h>
+#include <sys/select.h>
+
+#include "afl-fuzz.h"
+
+static int my_debug = 0;
+static int my_read = 0;
+
+#define DEBUG(...) if (my_debug) printf(__VA_ARGS__)
+
+typedef struct tcp_send_mutator {
+    afl_state_t* afl;
+    struct sockaddr_in server_addr;
+} tcp_send_mutator_t;
+
+void *afl_custom_init(afl_state_t* afl, uint32_t seed) {
+    const char* ip = getenv("CUSTOM_SEND_IP");
+    const char* port = getenv("CUSTOM_SEND_PORT");
+
+    if (getenv("AFL_DEBUG")) my_debug = 1;
+    if (getenv("CUSTOM_SEND_READ")) my_read = 1;
+
+    if (!ip || !port) {
+       fprintf(stderr, "You forgot to set CUSTOM_SEND_IP and/or CUSTOM_SEND_PORT\n");
+       exit(1); 
+    }
+
+    tcp_send_mutator_t* mutator = calloc(1, sizeof(tcp_send_mutator_t));
+    if (!mutator) {
+       fprintf(stderr, "Failed to allocate mutator struct\n");
+       exit(1); 
+    }
+
+    mutator->afl = afl;
+
+    bzero(&mutator->server_addr, sizeof(mutator->server_addr));
+    mutator->server_addr.sin_family = AF_INET;
+    if (inet_pton(AF_INET, ip, &mutator->server_addr.sin_addr) <= 0) {
+        fprintf(stderr, "Could not convert target ip address!\n");
+        exit(1);
+    }
+    mutator->server_addr.sin_port = htons(atoi(port));
+    
+    printf("[+] Custom tcp send mutator setup ready to go!\n");
+
+    return mutator;
+}
+
+int try_connect(tcp_send_mutator_t *mutator, int sock, int max_attempts) {
+    while (max_attempts > 0) {
+        if (connect(sock, (struct sockaddr*)&mutator->server_addr, sizeof(mutator->server_addr)) == 0) {
+            return 0;
+        }
+
+        // Even with AFL_CUSTOM_LATE_SEND=1, there is a race between the
+        // application under test having started to listen for connections and
+        // afl_custom_fuzz_send being called. To address this race, we attempt
+        // to connect N times and sleep a short period of time in between
+        // connection attempts.
+        struct timespec t;
+        t.tv_sec = 0;
+        t.tv_nsec = 100;
+        nanosleep(&t, NULL);
+        --max_attempts;
+    }
+    return 1;
+}
+
+void afl_custom_fuzz_send(tcp_send_mutator_t *mutator, uint8_t *buf, size_t buf_size) {
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+
+    int written = 0;
+    if (sock >= 0 && try_connect(mutator, sock, 10000) == 0) {
+        DEBUG("connected, write()\n");
+        written = write(sock, buf, buf_size); 
+    } else {
+        DEBUG("socket() or connect() error: %d\n", errno);
+    }
+
+    if (written < 0) {
+        DEBUG("write() error: %d\n", errno);
+    } else if (my_read) {
+        struct timeval timeout;
+        timeout.tv_sec = 1;
+        timeout.tv_usec = 0;
+
+        fd_set set;
+        FD_ZERO(&set);
+        FD_SET(sock, &set);
+
+        int select_res = select(sock + 1, &set, NULL, NULL, &timeout);
+        if (select_res == -1) {
+            DEBUG("select() error: %d\n", errno);
+        } else if (select_res == 0) {
+            DEBUG("read() timeout!\n");
+        } else {
+            uint8_t buf[64];
+            (void)read(sock, buf, sizeof(buf));
+        }
+    }
+
+    close(sock);
+}
+
+void afl_custom_deinit(tcp_send_mutator_t* mutator) {
+    free(mutator);
+}
--- a/custom_mutators/examples/XmlMutatorMin.py
+++ b/custom_mutators/examples/XmlMutatorMin.py
@ -304,7 +304,7 @@ class XmlMutatorMin:

        # Log something
        if self.verbose:
-            print("Reseting tag #%i '%s'" % (rand_elem_id, rand_elem.tag))
+            print("Resetting tag #%i '%s'" % (rand_elem_id, rand_elem.tag))

        # Reset the node
        rand_elem.clear()
--- a/custom_mutators/examples/wrapper_afl_min.py
+++ b/custom_mutators/examples/wrapper_afl_min.py
@ -80,12 +80,12 @@ def fuzz(buf, add_buf, max_size):
            via_buffer = False
            log("fuzz(): Can't initialize mutator with AFL buffer")

-    # If init from AFL buffer wasn't succesful
+    # If init from AFL buffer wasn't successful
    if not via_buffer:
        log("fuzz(): Returning unmodified AFL buffer")
        return buf

-    # Sucessful initialization -> mutate
+    # Successful initialization -> mutate
    try:
        __mutator__.mutate(max=5)
        log("fuzz(): Input mutated")
--- a/custom_mutators/gramatron/build_gramatron_mutator.sh
+++ b/custom_mutators/gramatron/build_gramatron_mutator.sh
@ -143,7 +143,7 @@ test -e json-c/.libs/libjson-c.a || {
 echo
 echo
 echo "[+] Json-c successfully prepared!"
-echo "[+] Builing gramatron now."
+echo "[+] Building gramatron now."
 $CC -O3 -g -fPIC -Wno-unused-result -Wl,--allow-multiple-definition -I../../include -o gramatron.so -shared -I. -I/prg/dev/include gramfuzz.c gramfuzz-helpers.c gramfuzz-mutators.c gramfuzz-util.c hashmap.c ../../src/afl-performance.o json-c/.libs/libjson-c.a || exit 1
 echo
 echo "[+] gramatron successfully built!"
--- a/custom_mutators/gramatron/json-c
+++ b/custom_mutators/gramatron/json-c
--- a/custom_mutators/grammar_mutator/GRAMMAR_VERSION
+++ b/custom_mutators/grammar_mutator/GRAMMAR_VERSION
@ -1 +1 @@
-5ed4f8d
+05d8f53
--- a/custom_mutators/grammar_mutator/grammar_mutator
+++ b/custom_mutators/grammar_mutator/grammar_mutator
--- a/custom_mutators/honggfuzz/README.md
+++ b/custom_mutators/honggfuzz/README.md
@ -1,4 +1,4 @@
-# custum mutator: honggfuzz mangle
+# custom mutator: honggfuzz mangle

 this is the honggfuzz mutator in mangle.c as a custom mutator
 module for AFL++. It is the original mangle.c, mangle.h and honggfuzz.h
--- a/custom_mutators/honggfuzz/mangle.c
+++ b/custom_mutators/honggfuzz/mangle.c
@ -850,7 +850,7 @@ static void mangle_ASCIINumChange(run_t *run, bool printable) {

  size_t   len = 0;
  uint64_t val = 0;
-  /* 20 is maximum lenght of a string representing a 64-bit unsigned value */
+  /* 20 is maximum length of a string representing a 64-bit unsigned value */
  for (len = 0; (len < 20) && (len < left); len++) {

    char c = run->dynfile->data[off + len];
--- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
+++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp
@ -40,7 +40,7 @@ bool BlockCoverage::AppendCoverage(const std::string &S) {
 // Coverage lines have this form:
 // CN X Y Z T
 // where N is the number of the function, T is the total number of instrumented
-// BBs, and X,Y,Z, if present, are the indecies of covered BB.
+// BBs, and X,Y,Z, if present, are the indices of covered BB.
 // BB #0, which is the entry block, is not explicitly listed.
 bool BlockCoverage::AppendCoverage(std::istream &IN) {

--- a/custom_mutators/libfuzzer/FuzzerDictionary.h
+++ b/custom_mutators/libfuzzer/FuzzerDictionary.h
@ -106,7 +106,7 @@ private:
 };

 // Parses one dictionary entry.
-// If successful, write the enty to Unit and returns true,
+// If successful, write the entry to Unit and returns true,
 // otherwise returns false.
 bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
 // Parses the dictionary file, fills Units, returns true iff all lines
--- a/custom_mutators/libfuzzer/FuzzerFork.cpp
+++ b/custom_mutators/libfuzzer/FuzzerFork.cpp
@ -427,7 +427,7 @@ void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,

    Env.RunOneMergeJob(Job.get());

-    // Continue if our crash is one of the ignorred ones.
+    // Continue if our crash is one of the ignored ones.
    if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
      Env.NumTimeouts++;
    else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
--- a/custom_mutators/libfuzzer/FuzzerMerge.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMerge.cpp
@ -452,7 +452,7 @@ void CrashResistantMerge(const Vector<std::string> &Args,
    auto ExitCode = ExecuteCommand(Cmd);
    if (!ExitCode) {

-      VPrintf(V, "MERGE-OUTER: succesfull in %zd attempt(s)\n", Attempt);
+      VPrintf(V, "MERGE-OUTER: succesful in %zd attempt(s)\n", Attempt);
      break;

    }
--- a/custom_mutators/libfuzzer/FuzzerMutate.cpp
+++ b/custom_mutators/libfuzzer/FuzzerMutate.cpp
@ -498,9 +498,9 @@ size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
    T Add = Rand(21);
    Add -= 10;
    if (Rand.RandBool())
-      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endiannes.
+      Val = Bswap(T(Bswap(Val) + Add));  // Add assuming different endianness.
    else
-      Val = Val + Add;                // Add assuming current endiannes.
+      Val = Val + Add;                // Add assuming current endianness.
    if (Add == 0 || Rand.RandBool())  // Maybe negate.
      Val = -Val;

--- a/custom_mutators/libfuzzer/FuzzerTracePC.cpp
+++ b/custom_mutators/libfuzzer/FuzzerTracePC.cpp
@ -460,7 +460,7 @@ static size_t InternalStrnlen(const char *S, size_t MaxLen) {
 }

 // Finds min of (strlen(S1), strlen(S2)).
-// Needed bacause one of these strings may actually be non-zero terminated.
+// Needed because one of these strings may actually be non-zero terminated.
 static size_t InternalStrnlen2(const char *S1, const char *S2) {

  size_t Len = 0;
--- a/custom_mutators/libfuzzer/README.md
+++ b/custom_mutators/libfuzzer/README.md
@ -1,4 +1,4 @@
-# custum mutator: libfuzzer LLVMFuzzerMutate()
+# custom mutator: libfuzzer LLVMFuzzerMutate()

 This uses the libfuzzer LLVMFuzzerMutate() function in llvm 12.

--- a/custom_mutators/radamsa/GNUmakefile
+++ b/custom_mutators/radamsa/GNUmakefile
@ -2,7 +2,7 @@ CUR_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))

 all: radamsa-mutator.so

-# These can be overriden:
+# These can be overridden:
 CFLAGS	?= $(CFLAGS_FLTO)

 # These are required: (otherwise radamsa gets very very slooooow)
--- a/custom_mutators/radamsa/README.md
+++ b/custom_mutators/radamsa/README.md
@ -1,4 +1,4 @@
-# custum mutator: libradamsa
+# custom mutator: libradamsa

 Pretranslated radamsa library. This code belongs to the radamsa author.

--- a/custom_mutators/radamsa/libradamsa.c
+++ b/custom_mutators/radamsa/libradamsa.c
@ -3707,7 +3707,7 @@ typedef intptr_t     wdiff;
  1024 * 1024 * 8         /* static malloc'd heap size if used as a library */
 #define FBITS 24             /* bits in fixnum, on the way to 24 and beyond */
 #define FMAX                                                       \
-  ((1 << FBITS) - 1)  /* maximum fixnum (and most negative fixnum) \
+  ((1U << FBITS) - 1)  /* maximum fixnum (and most negative fixnum) \
                       */
 #define MAXOBJ 0xffff                /* max words in tuple including header */
 #define MAXPAYL                                                \
--- a/custom_mutators/rust/Cargo.toml
+++ b/custom_mutators/rust/Cargo.toml
@ -5,4 +5,5 @@ members = [
    "example",
    # Lain needs a nightly toolchain
    # "example_lain",
+    # "example_lain_post_process",
 ]
--- a/custom_mutators/rust/README.md
+++ b/custom_mutators/rust/README.md
@ -9,3 +9,11 @@ A minimal example can be found in `example`. Build it using `cargo build --examp

 An example using [lain](https://github.com/microsoft/lain) for structured fuzzing can be found in `example_lain`.
 Since lain requires a nightly rust toolchain, you need to set one up before you can play with it.
+
+An example for the use of the post_process function, using [lain](https://github.com/microsoft/lain) with [serde](https://github.com/serde-rs/serde) and [bincode](https://github.com/bincode-org/bincode) can be found in `example_lain_post_process`.
+In order for it to work you need to:
+
+- disable input trimming with `AFL_DISABLE_TRIM=1`
+- provide an initial instance serialized with `bincode` or use the `AFL_NO_STARTUP_CALIBRATION=1` environment variable.
+
+Note that `bincode` can also be used to serialize/deserialize the lain-generated structure and mutate it rather than generating a new one at each iteration, but it requires some structure serialized with `bincode` as input seed.
--- a/custom_mutators/rust/custom_mutator/src/lib.rs
+++ b/custom_mutators/rust/custom_mutator/src/lib.rs
@ -73,6 +73,8 @@ pub trait RawCustomMutator {
        None
    }

+    fn post_process<'b, 's: 'b>(&'s mut self, buffer: &'b mut [u8]) -> Option<&'b [u8]>;
+
    /*fn post_process(&self, buffer: &[u8], unsigned char **out_buf)-> usize;
    int afl_custom_init_trim(&self, buffer: &[u8]);
    size_t afl_custom_trim(&self, unsigned char **out_buf);
@ -353,6 +355,33 @@ pub mod wrappers {
            Err(err) => panic_handler("afl_custom_queue_get", &err),
        }
    }
+
+    /// Internal function used in the macro
+    pub unsafe fn afl_custom_post_process<M: RawCustomMutator>(
+        data: *mut c_void,
+        buf: *mut u8,
+        buf_size: usize,
+        out_buf: *mut *const u8,
+    ) -> usize {
+        match catch_unwind(|| {
+            let mut context = FFIContext::<M>::from(data);
+
+            assert!(!buf.is_null(), "null buf passed to afl_custom_post_process");
+            assert!(
+                !out_buf.is_null(),
+                "null out_buf passed to afl_custom_post_process"
+            );
+            let buff_slice = slice::from_raw_parts_mut(buf, buf_size);
+            if let Some(buffer) = context.mutator.post_process(buff_slice) {
+                *out_buf = buffer.as_ptr();
+                return buffer.len();
+            }
+            0
+        }) {
+            Ok(ret) => ret,
+            Err(err) => panic_handler("afl_custom_post_process", &err),
+        }
+    }
 }

 /// An exported macro to defined afl_custom_init meant for insternal usage
@ -480,6 +509,16 @@ macro_rules! export_mutator {
        pub unsafe extern "C" fn afl_custom_deinit(data: *mut ::std::os::raw::c_void) {
            $crate::wrappers::afl_custom_deinit_::<$mutator_type>(data)
        }
+
+        #[no_mangle]
+        pub unsafe extern "C" fn afl_custom_post_process(
+            data: *mut ::std::os::raw::c_void,
+            buf: *mut u8,
+            buf_size: usize,
+            out_buf: *mut *const u8,
+        ) -> usize {
+            $crate::wrappers::afl_custom_post_process::<$mutator_type>(data, buf, buf_size, out_buf)
+        }
    };
 }

@ -512,6 +551,10 @@ mod sanity_test {
        ) -> Option<&'b [u8]> {
            unimplemented!()
        }
+
+        fn post_process<'b, 's: 'b>(&'s mut self, buffer: &'b mut [u8]) -> Option<&'b [u8]> {
+            unimplemented!()
+        }
    }

    export_mutator!(ExampleMutator);
@ -579,6 +622,13 @@ pub trait CustomMutator {
    fn introspection(&mut self) -> Result<Option<&str>, Self::Error> {
        Ok(None)
    }
+
+    fn post_process<'b, 's: 'b>(
+        &'s mut self,
+        buffer: &'b mut [u8],
+    ) -> Result<Option<&'b [u8]>, Self::Error> {
+        Ok(Some(buffer))
+    }
 }

 impl<M> RawCustomMutator for M
@ -682,6 +732,16 @@ where
            }
        }
    }
+
+    fn post_process<'b, 's: 'b>(&'s mut self, buffer: &'b mut [u8]) -> Option<&'b [u8]> {
+        match self.post_process(buffer) {
+            Ok(r) => r,
+            Err(e) => {
+                Self::handle_error(e);
+                None
+            }
+        }
+    }
 }

 /// the default value to return from [`CustomMutator::describe`].
--- a/custom_mutators/rust/example_lain/Cargo.toml
+++ b/custom_mutators/rust/example_lain/Cargo.toml
@ -8,7 +8,7 @@ edition = "2021"

 [dependencies]
 custom_mutator = { path = "../custom_mutator" }
-lain="0.5"
+lain = { git = "https://github.com/AFLplusplus/lain.git" }

 [[example]]
 name = "example_lain"
--- a/custom_mutators/rust/example_lain_post_process/Cargo.toml
+++ b/custom_mutators/rust/example_lain_post_process/Cargo.toml
@ -0,0 +1,21 @@
+[package]
+name = "example_lain_post_process"
+version = "0.1.0"
+authors = [
+    "Julius Hohnerlein <julihoh@users.noreply.github.com>",
+    "jma <94166787+jma-qb@users.noreply.github.com>",
+]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+custom_mutator = { path = "../custom_mutator" }
+lain = { git = "https://github.com/AFLplusplus/lain.git" }
+bincode = "1.3.3"
+serde = { version = "1.0.214", features = ["derive"] }
+
+[[example]]
+name = "example_lain_post_process"
+path = "./src/lain_mutator.rs"
+crate-type = ["cdylib"]
--- a/custom_mutators/rust/example_lain_post_process/rust-toolchain
+++ b/custom_mutators/rust/example_lain_post_process/rust-toolchain
@ -0,0 +1 @@
+nightly
--- a/custom_mutators/rust/example_lain_post_process/src/lain_mutator.rs
+++ b/custom_mutators/rust/example_lain_post_process/src/lain_mutator.rs
@ -0,0 +1,70 @@
+#![cfg(unix)]
+
+use custom_mutator::{export_mutator, CustomMutator};
+use lain::{
+    mutator::Mutator,
+    prelude::*,
+    rand::{rngs::StdRng, SeedableRng},
+};
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Deserialize, Serialize, Mutatable, NewFuzzed, BinarySerialize)]
+struct MyStruct {
+    tag: u8,
+    #[lain(ignore)]
+    length: u32,
+    #[lain(min = 0, max = 10)]
+    data: Vec<u8>,
+}
+
+struct LainMutator {
+    mutator: Mutator<StdRng>,
+    buffer: Vec<u8>,
+    post_buffer: Vec<u8>,
+}
+
+impl CustomMutator for LainMutator {
+    type Error = ();
+
+    fn init(seed: u32) -> Result<Self, ()> {
+        Ok(Self {
+            mutator: Mutator::new(StdRng::seed_from_u64(seed as u64)),
+            buffer: Vec::new(),
+            post_buffer: Vec::new(),
+        })
+    }
+
+    fn fuzz<'b, 's: 'b>(
+        &'s mut self,
+        _buffer: &'b mut [u8],
+        _add_buff: Option<&[u8]>,
+        max_size: usize,
+    ) -> Result<Option<&'b [u8]>, ()> {
+        // we just sample an instance of MyStruct, ignoring the current input
+        let instance = MyStruct::new_fuzzed(&mut self.mutator, None);
+        let serialized = bincode::serialize(&instance).unwrap();
+        let size = serialized.len();
+        if size > max_size {
+            return Err(());
+        }
+        self.buffer.clear();
+        self.buffer.reserve(size);
+        self.buffer.extend_from_slice(&serialized);
+        Ok(Some(self.buffer.as_slice()))
+    }
+
+    fn post_process<'b, 's: 'b>(
+        &'s mut self,
+        buffer: &'b mut [u8],
+    ) -> Result<Option<&'b [u8]>, Self::Error> {
+        let mut instance = bincode::deserialize::<MyStruct>(&buffer).unwrap();
+        instance.length = instance.data.len() as u32;
+        let size = instance.serialized_size();
+        self.post_buffer.clear();
+        self.post_buffer.reserve(size);
+        instance.binary_serialize::<_, BigEndian>(&mut self.post_buffer);
+        Ok(Some(&self.post_buffer))
+    }
+}
+
+export_mutator!(LainMutator);
--- a/custom_mutators/symcc/README.md
+++ b/custom_mutators/symcc/README.md
@ -1,4 +1,4 @@
-# custum mutator: symcc
+# custom mutator: symcc

 This uses the symcc to find new paths into the target.

--- a/custom_mutators/symcc/symcc.c
+++ b/custom_mutators/symcc/symcc.c
@ -22,10 +22,10 @@ afl_state_t *afl_struct;
 typedef struct my_mutator {

  afl_state_t *afl;
-  u8 *         mutator_buf;
-  u8 *         out_dir;
-  u8 *         tmp_dir;
-  u8 *         target;
+  u8          *mutator_buf;
+  u8          *out_dir;
+  u8          *tmp_dir;
+  u8          *target;
  uint32_t     seed;

 } my_mutator_t;
@ -101,7 +101,7 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {

 /* When a new queue entry is added we run this input with the symcc
   instrumented binary */
-uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
+uint8_t afl_custom_queue_new_entry(my_mutator_t  *data,
                                   const uint8_t *filename_new_queue,
                                   const uint8_t *filename_orig_queue) {

@ -176,7 +176,7 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,

    struct dirent **nl;
    int32_t         items = scandir(data->tmp_dir, &nl, NULL, NULL);
-    u8 *            origin_name = basename(filename_new_queue);
+    u8             *origin_name = basename(filename_new_queue);
    int32_t         i;
    if (items > 0) {

@ -187,8 +187,8 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
        DBG("test=%s\n", fn);
        if (stat(source_name, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {

-          u8 *destination_name =
-              alloc_printf("%s/%s.%s", data->out_dir, origin_name, nl[i]->d_name);
+          u8 *destination_name = alloc_printf("%s/%s.%s", data->out_dir,
+                                              origin_name, nl[i]->d_name);
          rename(source_name, destination_name);
          ck_free(destination_name);
          DBG("found=%s\n", source_name);
@ -248,7 +248,7 @@ uint32_t afl_custom_fuzz_count(my_mutator_t *data, const u8 *buf,
    for (i = 0; i < (u32)items; ++i) {

      struct stat st;
-      u8 *        fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
+      u8         *fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
      DBG("test=%s\n", fn);
      if (stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {

@ -282,12 +282,12 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,

  if (items <= 0) return 0;

-  for (i = 0; i < (u32)items; ++i) {
+  for (i = 0; i < (s32)items; ++i) {
+
+    if (!done) {

      struct stat st;
-    u8 *        fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);
-
-    if (done == 0) {
+      u8         *fn = alloc_printf("%s/%s", data->out_dir, nl[i]->d_name);

      if (stat(fn, &st) == 0 && S_ISREG(st.st_mode) && st.st_size) {

@ -306,10 +306,10 @@ size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
      }

      unlink(fn);
+      ck_free(fn);

    }

-    ck_free(fn);
    free(nl[i]);

  }
--- a/custom_mutators/symqemu/README.md
+++ b/custom_mutators/symqemu/README.md
@ -1,4 +1,4 @@
-# custum mutator: symqemu
+# custom mutator: symqemu

 This uses the symcc to find new paths into the target.

--- a/dictionaries/jsonschema.dict
+++ b/dictionaries/jsonschema.dict
@ -0,0 +1,120 @@
+#
+# AFL dictionary for JSON Schema
+# https://json-schema.org/
+# -----------------------
+#
+
+"\"$schema\""
+"\"$id\""
+"\"$ref\""
+"\"$defs\""
+"\"definitions\""
+"\"enum\""
+"\"const\""
+"\"type\""
+
+# Annotations
+
+"\"title\""
+"\"description\""
+"\"default\""
+"\"examples\""
+"\"$comment\""
+"\"readOnly\""
+"\"writeOnly\""
+"\"deprecated\""
+
+# Types
+
+"\"string\""
+"\"integer\""
+"\"number\""
+"\"object\""
+"\"array\""
+"\"null\""
+"\"boolean\""
+
+# String
+
+"\"minLength\""
+"\"maxLength\""
+"\"pattern\""
+"\"format\""
+"\"contentMediaType\""
+"\"contentEncoding\""
+"\"contentSchema\""
+
+# Formats
+
+"\"date-time\""
+"\"time\""
+"\"date\""
+"\"duration\""
+"\"email\""
+"\"idn-email\""
+"\"hostname\""
+"\"idn-hostname\""
+"\"ipv4\""
+"\"ipv6\""
+"\"uuid\""
+"\"uri\""
+"\"uri-reference\""
+"\"iri\""
+"\"iri-reference\""
+"\"uri-template\""
+"\"json-pointer\""
+"\"relative-json-pointer\""
+"\"regex\""
+
+# Numeric
+
+"\"multipleOf\""
+"\"minimum\""
+"\"exclusiveMinimum\""
+"\"maximum\""
+"\"exclusiveMaximum\""
+
+# Object
+
+"\"properties\""
+"\"patternProperties\""
+"\"additionalProperties\""
+"\"unevaluatedProperties\""
+"\"required\""
+"\"propertyNames\""
+"\"minProperties\""
+"\"maxProperties\""
+"\"dependencies\""
+
+# Array
+
+"\"items\""
+"\"prefixItems\""
+"\"additionalItems\""
+"\"unevaluatedItems\""
+"\"contains\""
+"\"minContains\""
+"\"maxContains\""
+"\"minItems\""
+"\"maxItems\""
+"\"uniqueItems\""
+
+# Booleans
+
+"true"
+"false"
+
+# Composition
+
+"\"allOf\""
+"\"anyOf\""
+"\"oneOf\""
+"\"not\""
+
+# Conditions
+
+"\"dependentRequired\""
+"\"dependentSchemas\""
+"\"if\""
+"\"then\""
+"\"else\""
--- a/dictionaries/ruby.dict
+++ b/dictionaries/ruby.dict
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -3,6 +3,195 @@
  This is the list of all noteworthy changes made in every public
  release of the tool. See README.md for the general instruction manual.

+
+### Version ++4.33a (dev)
+  - afl-fuzz:
+    - Use `AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT` if you use AFL_PRELOAD
+      to disable fork, see docs (thanks to @alexandredoyen29)
+    - Fix for FAST power schedules (introduced in 4.32c) (thanks to @kcwu)
+    - Colors for NO_UI output (thanks to @smoelius)
+    - Fix potential sync issues when resuming sessions and when instances in a
+      campaign are restarted and skip entries that were synced from itself
+      (thanks to @kcwu for raising the issues and providing support!)
+    - more 64 bit archicture support by @maribu
+  - afl-cc:
+    - Added instrumenting hidden edges (approx 5% edges were not instrumented,
+      LLVM sancov overall misses 8% of edges compared to our implementation)
+      Note that is is currently only implemented for our PCGUARD plugin, not
+      LTO, CLASSIC, etc.!
+    - Fix to make AFL_SAN_NO_INST work with gcc_plugin
+    - MacOS aflpp driver compilation fix (-fsanitize=fuzzer implementation)
+    - Make AFL_DUMP_MAP_SIZE work even if the target has sanitizer issues
+  - qemuafl:
+    - Better MIPS persistent mode support
+  - afl-cmin:
+    - New afl-cmin.py which is much faster, will be executed by default via
+      afl-cmin if it executes successfully (thanks to @kcwu!)
+  - New desocketing library: utils/libaflppdesock
+    - Likely works when all other desocketing options fail
+
+
+### Version ++4.32c (release)
+  - Fixed a bug where after a fast restart of a full fuzzed corpus afl-fuzz
+    terminates with "need at least one valid input seed that does not crash"
+  - Small improvements to afl-*-config
+  - afl-fuzz:
+    - memory leak fixes by @kcwu - thanks!
+    - many more nits and small memory saves thanks to @kcwu
+    - remove deprecated files from queue/.state
+    - fix bitmap update function if no current trace is present 
+    - fix for afl_custom_queue_get
+    - various small nits
+  - afl-cc:
+    - fix pass support for LLVM 20 (passes were run too early)
+    - dropped plugin support for LLVM 13
+    - fix AFL_OLD_FORKSERVER
+    - various minor fixes
+  - frida_mode:
+    - fixes for new MacOS + M4 hardware
+
+### Version ++4.31c (release)
+  - SAND mode added (docs/SAND.md) for more effecient fuzzing with sanitizers
+    (thanks to @wtdcode !)
+  - afl-fuzz:
+    - splicing phase is now DISABLED by default because research showed
+      it is counterproductive. New command line parameter `-u` to enable
+      it.
+    - Python 3.13+ support
+    - loose file and shared memory permissions on Android and iPhone
+  - afl-cc:
+    - LLVM 20 support (again - please don't change the API all the time ...)
+    - -fsanitize=fuzzer now inserts libAFLDriver.a addtionally early to help
+      compiling if LLVMFuzzerTestOneOnput is in an .a archive
+    - added __sanitizer_weak_hook_* functions (in case that is helpful in
+      weird setups)
+    - fix bug with large map sizes when multiple libraries are loaded after
+      the shared memory was obtained.
+
+### Version ++4.30c (release)
+  ! afl-gcc and afl-clang funcionality is now removed !
+  - afl-fuzz:
+    - fastresume feature added. if you abort fuzzing and resume fuzzing
+      with `-i -` or `AFL_AUTORESUME=1` and the target binary has not changed
+      then a dump will be loaded and the calibration phase skipped.
+      to disable this feature set `AFL_NO_FASTRESUME=1`
+      zlib compression is used if zlib is found at compile time
+    - improved seed selection algorithm
+    - added `AFL_CUSTOM_MUTATOR_LATE_SEND=1` to call the custom send()
+      function after the target has been restarted.
+    - because of bad math and undefined behaviour fixes we have to change
+      the CMPLOG map. **YOU NEED TO RECOMPILE CMPLOG TARGETS**
+    - fixed custom_post_process for calibration
+    - fixes for AFL_EXIT_ON_TIME and AFL_EXIT_WHEN_DONE, changed behaviour of
+      AFL_EXIT_WHEN_DONE to finish when really done :-)
+  - frida_mode:
+    - AFL_FRIDA_PERSISTENT_ADDR can now be be any reachable address not just
+      a function entry
+    - AFL_DEBUG is now the same as AFL_FRIDA_VERBOSE
+    - AFL_FRIDA_DEBUG_MAPS now works as expected
+  - qemu_mode:
+    - new hooks supported (optional), see qemu_mode/hooking_bridge - thanks to
+      @CowBoy4mH3LL
+  - unicorn_mode:
+    - fix install and forkserver (thanks aarnav!)
+    - pin unicorn version
+  - nyx_mode:
+    - bugfixes
+  - custom mutators:
+    - custom_send_tcp custom mutator added, thanks to @dergoegge
+  - afl-cc
+    - fix to support pointless changes in LLVM 20
+    - new runtime (!) variable: `AFL_OLD_FORKSERVER` to use the old vanilla
+      AFL type forkserver. Useful for symcc/symqemu/nautilus/etc. with
+      AFL_LLVM_INSTRUMENT=CLASSIC
+    - new compile time variable: `AFL_OPT_LEVEL` to set a specific optimization
+      level, default is `3`
+    - correctly explain how to get the correct map size for large targets
+    - small fix for weird LLVM defines in redhat
+  - code formatting updated to llvm 18
+  - improved custom_mutators/aflpp/standalone/aflpp-standalone
+  - added custom_mutators/autotokens/standalone/autotokens-standalone
+  - AFL++ headers are now installed to $PREFIX/include/afl
+
+### Version ++4.21c (release)
+  * afl-fuzz
+    - fixed a regression in afl-fuzz that resulted in a 5-10% performace loss
+      do a switch from gettimeofday() to clock_gettime() which should be rather
+      three times faster. The reason for this is unknown.
+    - new queue selection algorithm based on 2 core years of queue data
+      analysis. gives a noticable improvement on coverage although the results
+      seem counterintuitive :-)
+    - added AFL_DISABLE_REDUNDANT for huge queues
+    - added `AFL_NO_SYNC` environment variable that does what you think it does
+    - fix AFL_PERSISTENT_RECORD
+    - run custom_post_process after standard trimming
+    - prevent filenames in the queue that have spaces
+    - minor fix for FAST schedules
+    - more frequent stats update when syncing (todo: check performance impact)
+    - now timing of calibration, trimming and syncing is measured seperately,
+      thanks to @eqv!
+    - -V timing is now accurately the fuzz time (without syncing), before
+      long calibration times and syncing could result in now fuzzing being
+      made when the time was already run out until then, thanks to @eqv!
+    - fix -n uninstrumented mode when ending fuzzing
+    - enhanced the ASAN configuration
+    - make afl-fuzz use less memory with cmplog and fix a memleak
+  * afl-cc:
+    - re-enable i386 support that was accidently disabled
+    - fixes for LTO and outdated afl-gcc mode for i386
+    - fix COMPCOV split compare for old LLVMs
+    - disable xml/curl/g_ string transform functions because we do not check
+      for null pointers ... TODO
+    - ensure shared memory variables are visible in weird build setups
+    - compatability to new LLVM 19 changes
+  * afl-cmin
+    - work with input files that have a space
+  * afl-showmap
+    - fix memory leak on shmem testcase usage (thanks to @ndrewh)
+    - minor fix to collect coverage -C (thanks to @bet4it)
+  * Fixed a shmem mmap bug (that rarely came up on MacOS)
+  * libtokencap: script generate_libtoken_dict.sh added by @a-shvedov 
+
+### Version ++4.20c (release)
+  ! A new forkserver communication model is now introduced. afl-fuzz is
+    backward compatible to old compiled targets if they are not built
+    for CMPLOG/Redqueen, but new compiled targets will not work with
+    old afl-fuzz versions!
+  ! Recompile all targets that are instrumented for CMPLOG/Redqueen!
+  - AFL++ now supports up to 4 billion coverage edges, up from 6 million.
+  - New compile option: `make PERFORMANCE=1` - this will enable special
+    CPU dependent optimizations that make everything more performant - but
+    the binaries will likely won't work on different platforms. Also
+    enables a faster hasher if the CPU requirements are met.
+  - The persistent record feature (see config.h) was expanded to also
+    support replay, thanks to @quarta-qti !
+  - afl-fuzz:
+    - the new deterministic fuzzing feature is now activated by default,
+      deactivate with -z. Parameters -d and -D are ignored.
+    - small improvements to CMPLOG/redqueen
+    - workround for a bug with MOpt -L when used with -M - in the future
+      we will either remove or rewrite MOpt.
+    - fix for `-t xxx+` feature
+    - -e extension option now saves the queue items, crashes, etc. with the
+      extension too
+    - fixes for trimmming, correct -V time and reading stats on resume by eqv
+      thanks a lot!
+  - afl-cc:
+    - added collision free caller instrumentation to LTO mode. activate with
+      `AFL_LLVM_LTO_CALLER=1`. You can set a max depth to go through single
+      block functions with `AFL_LLVM_LTO_CALLER_DEPTH` (default 0)
+    - fixes for COMPCOV/LAF and most other modules
+    - fix for GCC_PLUGIN cmplog that broke on std::strings
+  - afl-whatsup:
+    - now also displays current average speed
+    - small bugfixes
+  - custom mutators:
+    - fixes for aflpp custom mutator and standalone tool
+    - important fix to the symcc custom mutator
+  - Minor edits to afl-persistent-config
+  - Prevent temporary files being left behind on aborted afl-whatsup
+  - More CPU benchmarks added to benchmark/
+
 ### Version ++4.10c (release)
  - afl-fuzz:
    - default power schedule is now EXPLORE, due a fix in fast schedules
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -11,7 +11,7 @@ If you find an interesting or important question missing, submit it via
  AFL++ is a superior fork to Google's AFL - more speed, more and better
  mutations, more and better instrumentation, custom module support, etc.

-  American Fuzzy Lop (AFL) was developed by Michał "lcamtuf" Zalewski starting
+  American Fuzzy Lop (AFL) was developed by Michal "lcamtuf" Zalewski starting
  in 2013/2014, and when he left Google end of 2017 he stopped developing it.

  At the end of 2019, the Google fuzzing team took over maintenance of AFL,
@ -106,7 +106,7 @@ If you find an interesting or important question missing, submit it via
 <details>
  <summary id="should-you-ever-stop-afl-fuzz-minimize-the-corpus-and-restart">Should you ever stop afl-fuzz, minimize the corpus and restart?</summary><p>

-  To stop afl-fuzz, minimize it's corpus and restart you would usually do:
+  To stop afl-fuzz, minimize its corpus and restart you would usually do:

  ```
  Control-C  # to terminate afl-fuzz
@ -236,7 +236,7 @@ If you find an interesting or important question missing, submit it via
  [AFLFast](https://github.com/mboehme/aflfast), however, modified to be more
  effective and several more modes added.

-  The most effective modes are `-p fast` (default) and `-p explore`.
+  The most effective modes are `-p explore` (default) and `-p fast`.

  If you fuzz with several parallel afl-fuzz instances, then it is beneficial
  to assign a different schedule to each instance, however the majority should
@ -274,7 +274,7 @@ If you find an interesting or important question missing, submit it via
  the existing map will be used also for the newly loaded libraries, which
  allows it to work, however, the efficiency of the fuzzing will be partially
  degraded. Note that there is additionally `AFL_IGNORE_PROBLEMS_COVERAGE` to
-  additionally tell AFL++ to ignore any coverage from the late loaded libaries.
+  additionally tell AFL++ to ignore any coverage from the late loaded libraries.
 </p></details>

 <details>
@ -284,14 +284,14 @@ If you find an interesting or important question missing, submit it via
  afl-cc/afl-clang-fast/afl-clang-lto:

  ```
-  /prg/tmp/llvm-project/build/bin/clang-13: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv
-  clang-13: error: unable to execute command: No such file or directory
-  clang-13: error: clang frontend command failed due to signal (use -v to see invocation)
-  clang version 13.0.0 (https://github.com/llvm/llvm-project 1d7cf550721c51030144f3cd295c5789d51c4aad)
+  /prg/tmp/llvm-project/build/bin/clang-18: symbol lookup error: /usr/local/bin/../lib/afl//cmplog-instructions-pass.so: undefined symbol: _ZNK4llvm8TypeSizecvmEv
+  clang-18: error: unable to execute command: No such file or directory
+  clang-18: error: clang frontend command failed due to signal (use -v to see invocation)
+  clang version 18.0.0 (https://github.com/llvm/llvm-project 1d7cf550721c51030144f3cd295c5789d51c4aad)
  Target: x86_64-unknown-linux-gnu
  Thread model: posix
  InstalledDir: /prg/tmp/llvm-project/build/bin
-  clang-13: note: diagnostic msg:
+  clang-18: note: diagnostic msg:
  ********************
  ```

--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@ -21,7 +21,7 @@ If you want to build AFL++ yourself, you have many options. The easiest choice
 is to build and install everything:

 NOTE: depending on your Debian/Ubuntu/Kali/... release, replace `-14` with
-whatever llvm version is available. We recommend llvm 13, 14, 15 or 16.
+whatever llvm version is available. We recommend llvm 14 or newer.

 ```shell
 sudo apt-get update
@ -30,6 +30,9 @@ sudo apt-get install -y build-essential python3-dev automake cmake git flex biso
 sudo apt-get install -y lld-14 llvm-14 llvm-14-dev clang-14 || sudo apt-get install -y lld llvm llvm-dev clang
 sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 sudo apt-get install -y ninja-build # for QEMU mode
+sudo apt-get install -y cpio libcapstone-dev # for Nyx mode
+sudo apt-get install -y wget curl # for Frida mode
+sudo apt-get install -y python3-pip # for Unicorn mode
 git clone https://github.com/AFLplusplus/AFLplusplus
 cd AFLplusplus
 make distrib
@ -67,125 +70,146 @@ These build targets exist:
 * unit: perform unit tests (based on cmocka)
 * help: shows these build options

-[Unless you are on Mac OS X](https://developer.apple.com/library/archive/qa/qa1118/_index.html),
+[Unless you are on macOS](https://developer.apple.com/library/archive/qa/qa1118/_index.html),
 you can also build statically linked versions of the AFL++ binaries by passing
-the `STATIC=1` argument to make:
+the `PERFORMANCE=1` argument to make:

 ```shell
-make STATIC=1
+make PERFORMANCE=1
 ```

 These build options exist:

-* STATIC - compile AFL++ static
-* CODE_COVERAGE - compile the target for code coverage (see docs/instrumentation/README.llvm.md)
-* ASAN_BUILD - compiles AFL++ with memory sanitizer for debug purposes
+* PERFORMANCE - compile with performance options that make the binary not transferable to other systems. Recommended (except on macOS)!
+* STATIC - compile AFL++ static (does not work on macOS)
+* CODE_COVERAGE - compile the target for code coverage (see [README.llvm.md](../instrumentation/README.llvm.md))
+* ASAN_BUILD - compiles AFL++ with address sanitizer for debug purposes
 * UBSAN_BUILD - compiles AFL++ tools with undefined behaviour sanitizer for debug purposes
 * DEBUG - no optimization, -ggdb3, all warnings and -Werror
 * LLVM_DEBUG - shows llvm deprecation warnings
 * PROFILING - compile afl-fuzz with profiling information
 * INTROSPECTION - compile afl-fuzz with mutation introspection
 * NO_PYTHON - disable python support
-* NO_SPLICING - disables splicing mutation in afl-fuzz, not recommended for normal fuzzing
 * NO_UTF - do not use UTF-8 for line rendering in status screen (fallback to G1 box drawing, of vanilla AFL)
 * NO_NYX - disable building nyx mode dependencies
 * NO_CORESIGHT - disable building coresight (arm64 only)
 * NO_UNICORN_ARM64 - disable building unicorn on arm64
-* AFL_NO_X86 - if compiling on non-intel/amd platforms
+* AFL_NO_X86 - if compiling on non-Intel/AMD platforms
 * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config (e.g., Debian)

 e.g.: `make LLVM_CONFIG=llvm-config-14`

-## MacOS X on x86 and arm64 (M1)
+## macOS on x86_64 and arm64

-MacOS has some gotchas due to the idiosyncrasies of the platform.
+macOS has some gotchas due to the idiosyncrasies of the platform.

-To build AFL, install llvm (and perhaps gcc) from brew and follow the general
-instructions for Linux. If possible, avoid Xcode at all cost.
+macOS supports SYSV shared memory used by AFL++'s instrumentation, but the
+default settings aren't sufficient. Before even building, increase
+them by running the provided script:
+
+```shell
+sudo afl-system-config
+```
+
+See
+[https://www.spy-hill.com/help/apple/SharedMemory.html](https://www.spy-hill.com/help/apple/SharedMemory.html)
+for documentation for the shared memory settings and how to make them permanent.
+
+Next, to build AFL++, install the following packages from brew:

 ```shell
 brew install wget git make cmake llvm gdb coreutils
 ```

-Be sure to setup `PATH` to point to the correct clang binaries and use the
-freshly installed clang, clang++, llvm-config, gmake and coreutils, e.g.:
+Depending on your macOS system + brew version, brew may be installed in different places.
+You can check with `brew info llvm` to know where, then create a variable for it:

 ```shell
-# Depending on your MacOS system + brew version it is either
-export PATH="/opt/homebrew/opt/llvm/bin:$PATH"
-# or
-export PATH="/usr/local/opt/llvm/bin:/usr/local/opt/coreutils/libexec/gnubin:$PATH"
-# you can check with "brew info llvm"
+export HOMEBREW_BASE="/opt/homebrew/opt"
+```

-export PATH="/usr/local/bin:$PATH"
+or
+
+```shell
+export HOMEBREW_BASE="/usr/local/opt"
+```
+
+Set `PATH` to point to the brew clang, clang++, llvm-config, gmake and coreutils.
+Also use the brew clang compiler; the Xcode clang compiler must not be used.
+
+```shell
+export PATH="$HOMEBREW_BASE/coreutils/libexec/gnubin:/usr/local/bin:$HOMEBREW_BASE/llvm/bin:$PATH"
 export CC=clang
 export CXX=clang++
-gmake
-cd frida_mode
-gmake
-cd ..
-sudo gmake install
 ```

-`afl-gcc` will fail unless you have GCC installed, but that is using outdated
-instrumentation anyway. `afl-clang` might fail too depending on your PATH setup.
-But you don't want neither, you want `afl-clang-fast` anyway :) Note that
-`afl-clang-lto`, `afl-gcc-fast` and `qemu_mode` are not working on MacOS.
+Then build following the general Linux instructions.

-The crash reporting daemon that comes by default with MacOS X will cause
-problems with fuzzing. You need to turn it off:
+If everything worked, you should then have `afl-clang-fast` installed, which you can check with:

-```
-launchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist
-sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist
+```shell
+which afl-clang-fast
 ```

-The `fork()` semantics on OS X are a bit unusual compared to other unix systems
+Note that `afl-clang-lto`, `afl-gcc-fast` and `qemu_mode` are not working on macOS.
+
+The crash reporting daemon that comes by default with macOS will cause
+problems with fuzzing. You need to turn it off, which you can do with `afl-system-config`.
+
+The `fork()` semantics on macOS are a bit unusual compared to other unix systems
 and definitely don't look POSIX-compliant. This means two things:

  - Fuzzing will be probably slower than on Linux. In fact, some folks report
    considerable performance gains by running the jobs inside a Linux VM on
-    MacOS X.
+    macOS.
  - Some non-portable, platform-specific code may be incompatible with the AFL++
    forkserver. If you run into any problems, set `AFL_NO_FORKSRV=1` in the
    environment before starting afl-fuzz.

-User emulation mode of QEMU does not appear to be supported on MacOS X, so
+User emulation mode of QEMU does not appear to be supported on macOS, so
 black-box instrumentation mode (`-Q`) will not work. However, FRIDA mode (`-O`)
-works on both x86 and arm64 MacOS boxes.
+works on both x86 and arm64 macOS boxes.

-MacOS X supports SYSV shared memory used by AFL's instrumentation, but the
-default settings aren't usable with AFL++. The default settings on 10.14 seem to
-be:
+## iOS on arm64 and arm64e

-```bash
-$ ipcs -M
-IPC status from <running system> as of XXX
-shminfo:
-        shmmax: 4194304 (max shared memory segment size)
-        shmmin:       1 (min shared memory segment size)
-        shmmni:      32 (max number of shared memory identifiers)
-        shmseg:       8 (max shared memory segments per process)
-        shmall:    1024 (max amount of shared memory in pages)
+**Option 1: Compilation on jailbroken iOS (recommended)**
+
+To compile directly on a jailbroken iOS device, it is recommended to use a jailbreak that supports Procursus,
+as Procursus provides up-to-date pre-built packages for the required tools.
+
+Ensure `openssh` is installed on your iOS device, then SSH into it.
+Install the following packages:
+
+```shell
+sudo apt install wget git make cmake clang gawk llvm ldid coreutils build-essential xz-utils
 ```

-To temporarily change your settings to something minimally usable with AFL++,
-run these commands as root:
+Configure the environment for compilation:

-```bash
-sysctl kern.sysv.shmmax=8388608
-sysctl kern.sysv.shmall=4096
+```shell
+export IOS_SDK_PATH="/usr/share/SDKs/iPhoneOS.sdk"
+export CC=clang
+export CXX=clang++
 ```

-If you're running more than one instance of AFL, you likely want to make
-`shmall` bigger and increase `shmseg` as well:
+Then build following the general Linux instructions.

-```bash
-sysctl kern.sysv.shmmax=8388608
-sysctl kern.sysv.shmseg=48
-sysctl kern.sysv.shmall=98304
+**Option 2: Cross-Compilation on macOS for Jailbroken iOS**
+
+In addition to the packages required for a macOS build, install `ldid` for signing binaries:
+
+```shell
+brew install ldid-procursus
 ```

-See
-[http://www.spy-hill.com/help/apple/SharedMemory.html](http://www.spy-hill.com/help/apple/SharedMemory.html)
-for documentation for these settings and how to make them permanent.
+Configure the environment for compilation:
+
+```shell
+export IOS_SDK_PATH="$(xcrun --sdk iphoneos --show-sdk-path)"
+export CC="$(xcrun --sdk iphoneos -f clang) -target arm64-apple-ios14.0"
+export CXX="$(xcrun --sdk iphoneos -f clang++) -target arm64-apple-ios14.0"
+export HOST_CC=cc
+```
+
+Then build following the general Linux instructions.
+Finally, transfer the binaries to your iOS device.
--- a/docs/SAND.md
+++ b/docs/SAND.md
@ -0,0 +1,81 @@
+# SAND: Decoupling Sanitization from Fuzzing for Low Overhead
+
+- Authors: Ziqiao Kong, Shaohua Li, Heqing Huang, Zhendong Su
+- Maintainer: [Ziqiao Kong](https://github.com/wtdcode)
+- Preprint: [arXiv](https://arxiv.org/abs/2402.16497), accepted by ICSE 2025
+- Main repo (for paper, reproduction, reference or cite): https://github.com/wtdcode/sand-aflpp
+
+## Motivation
+
+SAND introduces a new fuzzing workflow that can greatly reduce (or even eliminate) sanitizer overhead and combine different sanitizers in one fuzzing campaign.
+
+The key point of SAND is that: sanitizing all inputs is wasting fuzzing power, because bug-triggering inputs are extremely rare (~1%). Obviously, not all inputs worth going through sanitizers. Therefore, if we can somehow "predict" if an input could trigger bugs (defined as "execution pattern"), we could greatly save fuzzing power by only sanitizing a small proportion of all inputs. That's exactly how SAND works.
+
+## Usage
+
+For a normal fuzzing workflow, we have:
+
+1. Build target project with AFL_USE_ASAN=1 to get `target_asan`
+2. Fuzz the target with `afl-fuzz -i seeds -o out -- ./target_asan`
+
+For SAND fuzzing workflow, this is slightly different:
+
+1. Build target project _without_ any sanitizers to get `target_native`, which we will define as a "native binary". It is usually done by using `afl-clang-fast/lto(++)` to compile your project _without_ `AFL_USE_ASAN/UBSAN/MSAN`.
+2. Build target project with AFL_USE_ASAN=1 AFL_LLVM_ONLY_FSRV=1 to get `target_asan`. Do note this step can be repeated for multiple sanitizers, like MSAN, UBSAN etc. It is also possible to have ASAN and UBSAN to build together.
+3. Fuzz the target with `afl-fuzz -i seeds -o out -w ./target_asan -- ./target_native`. Note `-w` can be specified multiple times.
+
+Then you get:
+
+- almost the same performance as `afl-fuzz -i seeds -o out -- ./target_native`
+- and the same bug-finding capability as `afl-fuzz -i seeds -o out -- ./target_asan`
+
+## Example Workflow
+
+Take [test-instr.c](../test-instr.c) as an example.
+
+1. Build the native binary
+
+```bash
+afl-clang-fast test-instr.c -o ./native
+```
+
+Just like the normal building process, except using `afl-clang-fast`
+
+2. Build the sanitizers-enabled binaries.
+
+```bash
+AFL_LLVM_ONLY_FSRV=1 AFL_USE_UBSAN=1 AFL_USE_ASAN=1 afl-clang-fast test-instr.c -o ./asanubsan
+AFL_LLVM_ONLY_FSRV=1 AFL_USE_MSAN=1 afl-clang-fast test-instr.c -o ./msan
+```
+
+Do note `AFL_LLVM_ONLY_FSRV=1` is crucial, this enables forkservers but disables pc instrumentation. You are allowed to reuse sanitizers-enabled binaries, i.e. binaries built _without_ `AFL_LLVM_ONLY_FSRV=1`, at a cost of reduced speed. 
+
+3. Start fuzzing
+
+```bash
+mkdir /tmp/test
+echo "a" > /tmp/test/a
+AFL_NO_UI=1 AFL_SKIP_CPUFREQ=1 afl-fuzz -i /tmp/test -o /tmp/out -w ./asanubsan -w ./msan -- ./native @@
+```
+
+That's it!
+
+## Tips
+
+### Alternative execution patterns
+
+By default, SAND uses the hash value of the simplified coverage map as execution pattern, i.e. if an input has a unique simplefied coverage map, it will be sent to sanitizers for inspection. This shall work for most cases. However, if you are strongly worried about missing bugs, try `AFL_SAN_ABSTRACTION=unique_trace afl-fuzz ...`, which filters inputs having a _unique coverage map_. Do note this significantly increases the number of inputs by 4-10 times, leading to much lower throughput. Alternatively, SAND also supports `AFL_SAN_ABSTRACTION=coverage_increase`, which essentially equals to running sanitizers on the corpus and thus having almost zero overhead, but at a cost of missing ~15% bugs in our evaluation.
+
+### Run as many sanitizers as possible
+
+Though we just used ASAN as an example, SAND works best if you provide more sanitizers, for example, UBSAN and MSAN.
+
+You might do it via `afl-fuzz -i seeds -o out -w ./target_asan -w ./target_msan -w ./target_ubsan -- ./target_native`. Don't worry about the slow sanitizers like MSAN, SAND could still run very fast because only rather a few inputs are sanitized.
+
+### Bugs types
+
+The execution pattern evaluated in our papers is targeting the common bugs, as ASAN/MSAN/UBSAN catches. For other bug types, you probably need to define new execution patterns and re-evaluate.
+
+### My throughput is greatly impacted
+
+Generally, this is due to too many inputs going through sanitizers, for example, because of unstable targets. You could check stats from `plot_file` to confirm this. Try to switch execution patterns as stated above.
--- a/docs/afl-fuzz_approach.md
+++ b/docs/afl-fuzz_approach.md
@ -6,7 +6,7 @@ coverage to effortlessly pick up subtle, local-scale changes to program control
 flow.

 Note: If you are interested in a more current up-to-date deep dive how AFL++
-works then we commend this blog post:
+works then we recommend this blog post:
 [https://blog.ritsec.club/posts/afl-under-hood/](https://blog.ritsec.club/posts/afl-under-hood/)

 Simplifying a bit, the overall algorithm can be summed up as:
@ -385,10 +385,6 @@ there are several things to look at:
  subsequent iterations (e.g., due to incomplete clean-up or reinitialization of
  the state) and that most of the fuzzing effort goes to waste.

-The paths where variable behavior is detected are marked with a matching entry
-in the `<out_dir>/queue/.state/variable_behavior/` directory, so you can look
-them up easily.
-
 ### CPU load

 ```
--- a/docs/best_practices.md
+++ b/docs/best_practices.md
@ -38,9 +38,8 @@ For PCGUARD instrumentation `abort()` is called if this is detected, for LTO
 there will either be no coverage for the instrumented dlopen()'ed libraries or
 you will see lots of crashes in the UI.

-Note that this is not an issue if you use the inferiour `afl-gcc-fast`,
-`afl-gcc` or`AFL_LLVM_INSTRUMENT=CLASSIC/NGRAM/CTX afl-clang-fast`
-instrumentation.
+Note that this is not an issue if you use the inferiour `afl-gcc-fast`, or
+`AFL_LLVM_INSTRUMENT=CLASSIC/NGRAM/CTX afl-clang-fast` instrumentation.

 ### Fuzzing a binary-only target

--- a/docs/custom_mutators.md
+++ b/docs/custom_mutators.md
@ -151,7 +151,7 @@ def deinit():  # optional for Python
    splicing - or anything else - and can also be ignored. If you are not
    using this additional data then define `splice_optout` (see above).
    This function is optional.
-    Returing a length of 0 is valid and is interpreted as skipping this
+    Returning a length of 0 is valid and is interpreted as skipping this
    one mutation result.
    For non-Python: the returned output buffer is under **your** memory
    management!
@ -198,6 +198,11 @@ def deinit():  # optional for Python
    This method can be used if you want to send data to the target yourself,
    e.g. via IPC. This replaces some usage of utils/afl_proxy but requires
    that you start the target with afl-fuzz.
+
+    Setting `AFL_CUSTOM_MUTATOR_LATE_SEND` will call the afl_custom_fuzz_send()
+    function after the target has been restarted. (This is needed for e.g. TCP
+    services.)
+
    Example: [custom_mutators/examples/custom_send.c](../custom_mutators/examples/custom_send.c)

 - `queue_new_entry` (optional):
@ -266,6 +271,11 @@ trimmed input. Here's a quick API description:
 Omitting any of three trimming methods will cause the trimming to be disabled
 and trigger a fallback to the built-in default trimming routine.

+**IMPORTANT** If you have a custom post process mutator that needs to be run
+after trimming, you must call it yourself at the end of your successful
+trimming!
+
+
 ### Environment Variables

 Optionally, the following environment variables are supported:
--- a/docs/env_variables.md
+++ b/docs/env_variables.md
@ -24,7 +24,6 @@ To select the different instrumentation modes, use one of the following options:
  - Use the `AFL_CC_COMPILER` environment variable with `MODE`. To select
    `MODE`, use one of the following values:

-    - `GCC` (afl-gcc/afl-g++)
    - `GCC_PLUGIN` (afl-g*-fast)
    - `LLVM` (afl-clang-fast*)
    - `LTO` (afl-clang-lto*).
@ -45,14 +44,10 @@ fairly broad use of environment variables instead:
          make
    ```

-  - Setting `AFL_AS`, `AFL_CC`, and `AFL_CXX` lets you use alternate downstream
-    compilation tools, rather than the default 'as', 'clang', or 'gcc' binaries
+  - Setting `AFL_CC`, and `AFL_CXX` lets you use alternate downstream
+    compilation tools, rather than the default 'clang', or 'gcc' binaries
    in your `$PATH`.

-  - If you are a weird person that wants to compile and instrument asm text
-    files, then use the `AFL_AS_FORCE_INSTRUMENT` variable:
-    `AFL_AS_FORCE_INSTRUMENT=1 afl-gcc foo.s -o foo`
-
  - Most AFL tools do not print any output if stdout/stderr are redirected. If
    you want to get the output into a file, then set the `AFL_DEBUG` environment
    variable. This is sadly necessary for various build processes which fail
@ -64,6 +59,9 @@ fairly broad use of environment variables instead:
    optimizations, set `AFL_DONT_OPTIMIZE`. However, if `-O...` and/or
    `-fno-unroll-loops` are set, these are not overridden.

+  - The optimization level can also be set with `AFL_OPT_LEVEL`, e.g.
+    `AFL_OPT_LEVEL=z` for `-Oz`, default is `3`
+
  - Setting `AFL_HARDEN` automatically adds code hardening options when invoking
    the downstream compiler. This currently includes `-D_FORTIFY_SOURCE=2` and
    `-fstack-protector-all`. The setting is useful for catching non-crashing
@ -80,17 +78,13 @@ fairly broad use of environment variables instead:
    Setting `AFL_INST_RATIO` to 0 is a valid choice. This will instrument only
    the transitions between function entry points, but not individual branches.

-    Note that this is an outdated variable. A few instances (e.g., afl-gcc)
-    still support these, but state-of-the-art (e.g., LLVM LTO and LLVM PCGUARD)
-    do not need this.
+    Note that this is an outdated variable. Only LLVM CLASSIC pass can use this.

  - `AFL_NO_BUILTIN` causes the compiler to generate code suitable for use with
    libtokencap.so (but perhaps running a bit slower than without the flag).

-  - `AFL_PATH` can be used to point afl-gcc to an alternate location of afl-as.
-    One possible use of this is utils/clang_asm_normalize/, which lets you
-    instrument hand-written assembly when compiling clang code by plugging a
-    normalizer into the chain. (There is no equivalent feature for GCC.)
+  - `AFL_PATH` can be used to point a directory that contains LLVM/GCC plugins
+    for AFL++, AFL++'s runtime objects and QEMU/Frida support files.

  - Setting `AFL_QUIET` will prevent afl-as and afl-cc banners from being
    displayed during compilation, in case you find them distracting.
@ -101,6 +95,7 @@ fairly broad use of environment variables instead:
      detection)
    - `AFL_USE_CFISAN=1` - activates the Control Flow Integrity sanitizer (e.g.
      type confusion vulnerabilities)
+    - `AFL_CFISAN_VERBOSE=1` - outputs detailed information when control flow integrity violations occur, instead of simply terminating with "Illegal Instruction"
    - `AFL_USE_LSAN` - activates the leak sanitizer. To perform a leak check
      within your program at a certain point (such as at the end of an
      `__AFL_LOOP()`), you can run the macro  `__AFL_LEAK_CHECK();` which will
@ -111,6 +106,14 @@ fairly broad use of environment variables instead:
    - `AFL_USE_TSAN=1` - activates the thread sanitizer to find thread race
      conditions
    - `AFL_USE_UBSAN=1` - activates the undefined behavior sanitizer
+    - `AFL_UBSAN_VERBOSE=1` - outputs detailed diagnostic information when undefined behavior is detected, instead of simply terminating with "Illegal Instruction"
+    . `AFL_USE_RTSAN` . activates the realtime sanitizer (realtime violations in deterministic run time constraints). (clang 20 minimum)
+
+    - Note: both `AFL_CFISAN_VERBOSE=1` and `AFL_UBSAN_VERBOSE=1` are disabled by default as verbose output can significantly slow down fuzzing performance. Use these options only during debugging or when additional crash diagnostics are required
+
+  - `AFL_LLVM_ONLY_FSRV`/`AFL_GCC_ONLY_FSRV` will inject forkserver but not pc instrumentation. Please note this is different compared to `AFL_LLVM_DISABLE_INSTRUMENTATION`, which will totally disable forkserver implementation. This env is pretty useful in two cases:
+    - [SAND](./SAND.md). In this case, the binaries built in this way will serve as extra oracles. Check the corresponding documents for details.
+    - Compatible with LibAFL ForkserverExecutor implementation and thus faster to repeatedly run, compared to simple CommandExecutor.

  - `TMPDIR` is used by afl-as for temporary files; if this variable is not set,
    the tool defaults to /tmp.
@ -248,6 +251,9 @@ use (which only ever the author of this LTO implementation will use). These are
 used if several separated instrumentations are performed which are then later
 combined.

+  - `AFL_LLVM_LTO_CALLER` activates collision free CALLER instrumentation
+  - `AFL_LLVM_LTO_CALLER` sets the maximum number of single block functions
+    to dig deeper into a real function. Default 0.
  - `AFL_LLVM_DOCUMENT_IDS=file` will document to a file which edge ID was given
    to which function. This helps to identify functions with variable bytes or
    which functions were touched by an input.
@ -320,6 +326,11 @@ mode.
    [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
    for more information.

+    Setting `AFL_GCC_DISABLE_VERSION_CHECK=1` will disable the GCC plugin 
+    version check if the target GCC plugin differs from the system-installed
+    version, resolving issues caused by version mismatches between GCC and 
+    the plugin. 
+
    Setting `AFL_GCC_OUT_OF_LINE=1` will instruct afl-gcc-fast to instrument the
    code with calls to an injected subroutine instead of the much more efficient
    inline instrumentation.
@ -328,7 +339,26 @@ mode.
    the target performs only a few loops, then this will give a small
    performance boost.

-## 4) Settings for afl-fuzz
+## 4) Runtime settings
+
+The following environment variables are for a compiled AFL++ target.
+
+  - Setting `AFL_DUMP_MAP_SIZE` when executing the target directly will
+    dump the map size of the target and exit.
+
+  - Setting `AFL_OLD_FORKSERVER` will use the old AFL vanilla forkserver.
+    This makes only sense when you
+      a) compile in a classic colliding coverage mode (e.g.
+         AFL_LLVM_INSTRUMENT=CLASSIC) or if the map size of the target is
+         below MAP_SIZE (65536 by default), AND
+      b) you want to use this compiled AFL++ target with a different tool
+         that expects vanilla AFL behaviour, e.g. symcc, symqemu, nautilus, etc.
+    You would use this option together with the target fuzzing application.
+
+  - Setting `AFL_DISABLE_LLVM_INSTRUMENTATION` will disable collecting
+    instrumentation. (More of an internal option.)
+
+## 5) Settings for afl-fuzz

 The main fuzzer binary accepts several options that disable a couple of sanity
 checks or alter some of the more exotic semantics of the tool:
@ -365,6 +395,10 @@ checks or alter some of the more exotic semantics of the tool:
    XML or other highly flexible structured input. For details, see
    [custom_mutators.md](custom_mutators.md).

+  - Setting `AFL_CUSTOM_MUTATOR_LATE_SEND` will call the afl_custom_fuzz_send()
+    function after the target has been restarted. (This is needed for e.g. TCP
+    services.)
+
  - Setting `AFL_CYCLE_SCHEDULES` will switch to a different schedule every time
    a cycle is finished.

@ -378,6 +412,9 @@ checks or alter some of the more exotic semantics of the tool:
  - Setting `AFL_DISABLE_TRIM` tells afl-fuzz not to trim test cases. This is
    usually a bad idea!

+  - Setting `AFL_DISABLE_REDUNDANT` disables any queue items that are redundant.
+    This can be useful with huge queues.
+
  - Setting `AFL_KEEP_TIMEOUTS` will keep longer running inputs if they reach
    new coverage

@ -395,9 +432,8 @@ checks or alter some of the more exotic semantics of the tool:
    types of automated jobs.

  - `AFL_EXIT_WHEN_DONE` causes afl-fuzz to terminate when all existing paths
-    have been fuzzed and there were no new finds for a while. This would be
-    normally indicated by the cycle counter in the UI turning green. May be
-    convenient for some types of automated jobs.
+    have been fuzzed and there were no new finds for a while. This is basically
+    when the fuzzing state says `state: finished`

  - Setting `AFL_EXPAND_HAVOC_NOW` will start in the extended havoc mode that
    includes costly mutations. afl-fuzz automatically enables this mode when
@ -508,6 +544,8 @@ checks or alter some of the more exotic semantics of the tool:
  - `AFL_NO_SNAPSHOT` will advise afl-fuzz not to use the snapshot feature if
    the snapshot lkm is loaded.

+  - `AFL_NO_FASTRESUME` will not try to read or write a fast resume file.
+
  - Setting `AFL_NO_UI` inhibits the UI altogether and just periodically prints
    some basic stats. This behavior is also automatically triggered when the
    output from afl-fuzz is redirected to a file or to a pipe.
@ -544,6 +582,9 @@ checks or alter some of the more exotic semantics of the tool:
    use a custom afl-qemu-trace or if you need to modify the afl-qemu-trace
    arguments.

+  - `AFL_SHA1_FILENAMES` causes AFL++ to generate files named by the SHA1 hash
+    of their contents, rather than use the standard `id:000000,...` names.
+
  - `AFL_SHUFFLE_QUEUE` randomly reorders the input queue on startup. Requested
    by some users for unorthodox parallelized fuzzing setups, but not advisable
    otherwise.
@ -576,9 +617,12 @@ checks or alter some of the more exotic semantics of the tool:
    see [rpc_statsd.md](rpc_statsd.md).

  - `AFL_SYNC_TIME` allows you to specify a different minimal time (in minutes)
-    between fuzzing instances synchronization. Default sync time is 30 minutes,
+    between fuzzing instances synchronization. Default sync time is 20 minutes,
    note that time is halved for -M main nodes.

+  - `AFL_NO_SYNC` disables any syncing whatsoever and takes priority on all
+    other syncing parameters.
+
  - Setting `AFL_TARGET_ENV` causes AFL++ to set extra environment variables for
    the target binary. Example: `AFL_TARGET_ENV="VAR1=1 VAR2='a b c'" afl-fuzz
    ... `. This exists mostly for things like `LD_LIBRARY_PATH` but it would
@ -624,7 +668,25 @@ checks or alter some of the more exotic semantics of the tool:
    Note that will not be exact and with slow targets it can take seconds
    until there is a slice for the time test.

-## 5) Settings for afl-qemu-trace
+  - When using `AFL_PRELOAD` with a preload that disable `fork()` calls in
+    the target, the forkserver becomes unable to fork.
+    To overcome this issue, the `AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT`
+    permits to be able to check in the preloaded library if the environment
+    variable `AFL_FORKSERVER_PARENT` is set, to be able to use vanilla
+    `fork()` in the forkserver, and the placeholder in the target.
+    Here is a POC :
+    ```C
+    // AFL_PRELOAD_DISCRIMINATE_FORKSERVER_PARENT=1 afl-fuzz ...
+    pid_t fork(void)
+    {
+        if (getenv("AFL_FORKSERVER_PARENT") == NULL)
+            return 0; // We are in the target
+        else
+            return real_fork(); // We are in the forkserver
+    }
+    ```
+
+## 6) Settings for afl-qemu-trace

 The QEMU wrapper used to instrument binary-only code supports several settings:

@ -696,7 +758,7 @@ The QEMU wrapper used to instrument binary-only code supports several settings:
    crash is found. Setting `AFL_NO_CRASH_README` will prevent this. Useful when
    counting crashes based on a file count in that directory.

-## 7) Settings for afl-frida-trace
+## 8) Settings for afl-frida-trace

 The FRIDA wrapper used to instrument binary-only code supports many of the same
 options as `afl-qemu-trace`, but also has a number of additional advanced
@ -786,7 +848,7 @@ support.
  dump you must set a sufficient timeout (using `-t`) to avoid `afl-fuzz`
  killing the process whilst it is being dumped.

-## 8) Settings for afl-cmin
+## 9) Settings for afl-cmin

 The corpus minimization script offers very little customization:

@ -804,7 +866,7 @@ The corpus minimization script offers very little customization:
  - `AFL_PRINT_FILENAMES` prints each filename to stdout, as it gets processed.
    This can help when embedding `afl-cmin` or `afl-showmap` in other scripts.

-## 9) Settings for afl-tmin
+## 10) Settings for afl-tmin

 Virtually nothing to play with. Well, in QEMU mode (`-Q`), `AFL_PATH` will be
 searched for afl-qemu-trace. In addition to this, `TMPDIR` may be used if a
@ -815,12 +877,12 @@ to match when minimizing crashes. This will make minimization less useful, but
 may prevent the tool from "jumping" from one crashing condition to another in
 very buggy software. You probably want to combine it with the `-e` flag.

-## 10) Settings for afl-analyze
+## 11) Settings for afl-analyze

 You can set `AFL_ANALYZE_HEX` to get file offsets printed as hexadecimal instead
 of decimal.

-## 11) Settings for libdislocator
+## 12) Settings for libdislocator

 The library honors these environment variables:

@ -842,12 +904,12 @@ The library honors these environment variables:
  - `AFL_LD_VERBOSE` causes the library to output some diagnostic messages that
    may be useful for pinpointing the cause of any observed issues.

-## 11) Settings for libtokencap
+## 13) Settings for libtokencap

 This library accepts `AFL_TOKEN_FILE` to indicate the location to which the
 discovered tokens should be written.

-## 12) Third-party variables set by afl-fuzz & other tools
+## 14) Third-party variables set by afl-fuzz & other tools

 Several variables are not directly interpreted by afl-fuzz, but are set to
 optimal values if not already present in the environment:
--- a/docs/features.md
+++ b/docs/features.md
@ -6,20 +6,22 @@ QEMU 5.1 with laf-intel and Redqueen, FRIDA mode, unicorn mode, gcc plugin, full

 ## Features and instrumentation

-| Feature/Instrumentation       | afl-gcc  | llvm      | gcc_plugin | FRIDA mode(9)  | QEMU mode(10)    | unicorn_mode(10) | nyx_mode(12) | coresight_mode(11) |
-| ------------------------------|:--------:|:---------:|:----------:|:--------------:|:----------------:|:----------------:|:------------:|:------------------:|
-| Threadsafe counters [A]       |          |    x(3)   |            |                |                  |                  |       x      |                    |
-| NeverZero           [B]       | x86[_64] |    x(1)   |      x     |        x       |         x        |         x        |              |                    |
-| Persistent Mode     [C]       |          |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |         x        |              |                    |
-| LAF-Intel / CompCov [D]       |          |     x     |            |                | x86[_64]/arm[64] | x86[_64]/arm[64] |   x86[_64]   |                    |
-| CmpLog              [E]       |          |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |                  |              |                    |
-| Selective Instrumentation [F] |          |     x     |      x     |        x       |         x        |                  |              |                    |
-| Non-Colliding Coverage    [G] |          |    x(4)   |            |                |       (x)(5)     |                  |              |                    |
-| Ngram prev_loc Coverage   [H] |          |    x(6)   |            |                |                  |                  |              |                    |
-| Context Coverage    [I]       |          |    x(6)   |            |                |                  |                  |              |                    |
-| Auto Dictionary     [J]       |          |    x(7)   |            |                |                  |                  |              |                    |
-| Snapshot Support    [K]       |          |   (x)(8)  |   (x)(8)   |                |       (x)(5)     |                  |       x      |                    |
-| Shared Memory Test cases  [L] |          |     x     |      x     | x86[_64]/arm64 |         x        |         x        |       x      |                    |
+Note that afl-gcc and afl-clang have been removed because their instrumentation is absolutely outdated.
+
+| Feature/Instrumentation       | llvm      | gcc_plugin | FRIDA mode(9)  | QEMU mode(10)    | unicorn_mode(10) | nyx_mode(12) | coresight_mode(11) |
+| ------------------------------|:---------:|:----------:|:--------------:|:----------------:|:----------------:|:------------:|:------------------:|
+| Threadsafe counters [A]       |    x(3)   |            |                |                  |                  |       x      |                    |
+| NeverZero           [B]       |    x(1)   |      x     |        x       |         x        |         x        |              |                    |
+| Persistent Mode     [C]       |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |         x        |              |                    |
+| LAF-Intel / CompCov [D]       |     x     |            |                | x86[_64]/arm[64] | x86[_64]/arm[64] |   x86[_64]   |                    |
+| CmpLog              [E]       |     x     |      x     | x86[_64]/arm64 | x86[_64]/arm[64] |                  |              |                    |
+| Selective Instrumentation [F] |     x     |      x     |        x       |         x        |                  |              |                    |
+| Non-Colliding Coverage    [G] |    x(4)   |            |                |       (x)(5)     |                  |              |                    |
+| Ngram prev_loc Coverage   [H] |    x(6)   |            |                |                  |                  |              |                    |
+| Context Coverage    [I]       |    x(6)   |            |                |                  |                  |              |                    |
+| Auto Dictionary     [J]       |    x(7)   |            |                |                  |                  |              |                    |
+| Snapshot Support    [K]       |   (x)(8)  |   (x)(8)   |                |       (x)(5)     |                  |       x      |                    |
+| Shared Memory Test cases  [L] |     x     |      x     | x86[_64]/arm64 |         x        |         x        |       x      |                    |

 ## More information about features

@ -43,7 +45,7 @@ E. CmpLog is our enhanced
   implementation, see
   [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md)

-F. Similar and compatible to clang 13+ sancov sanitize-coverage-allow/deny but
+F. Similar and compatible to clang 14+ sancov sanitize-coverage-allow/deny but
   for all llvm versions and all our compile modes, only instrument what should
   be instrumented, for more speed, directed fuzzing and less instability; see
   [instrumentation/README.instrument_list.md](../instrumentation/README.instrument_list.md)
@ -94,7 +96,7 @@ L. Faster fuzzing and less kernel syscall overhead by in-memory fuzz testcase

 Among others, the following features and patches have been integrated:

-* NeverZero patch for afl-gcc, instrumentation, QEMU mode and unicorn_mode which
+* NeverZero for llvm/gcc instrumentation, QEMU mode and unicorn_mode which
  prevents a wrapping map value to zero, increases coverage
 * Persistent mode, deferred forkserver and in-memory fuzzing for QEMU mode
 * Unicorn mode which allows fuzzing of binaries from completely different
@ -104,6 +106,7 @@ Among others, the following features and patches have been integrated:
 * Win32 PE binary-only fuzzing with QEMU and Wine
 * AFLfast's power schedules by Marcel Böhme:
  [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
+* The fast deterministic stage by Han Zheng: [https://github.com/hexhive/mendelFuzz-Artifact/](https://github.com/hexhive/mendelFuzz-Artifact/)
 * The MOpt mutator:
  [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 * LLVM mode Ngram coverage by Adrian Herrera
--- a/docs/fuzzing_binary-only_targets.md
+++ b/docs/fuzzing_binary-only_targets.md
@ -46,10 +46,9 @@ The following setup to use QEMU mode is recommended:
  `AFL_COMPCOV_LEVEL=2`), alternatively you can use FRIDA mode, just switch `-Q`
  with `-O` and remove the LAF instance

-Then run as many instances as you have cores left with either -Q mode or - even
-better - use a binary rewriter like Dyninst, RetroWrite, ZAFL, etc.
-The binary rewriters all have their own advantages and caveats.
-ZAFL is the best but cannot be used in a business/commercial context.
+Then run as many instances as you have cores left with either `-Q` mode or use
+a static binary rewriter like Dyninst, RetroWrite, ZAFL, etc.
+The binary rewriters all have their own advantages and caveats, but ZAFL is a good choice.

 If a binary rewriter works for your target then you can use afl-fuzz normally
 and it will have twice the speed compared to QEMU mode (but slower than QEMU
@ -197,9 +196,10 @@ afl-clang-fast's.

 RetroWrite is a static binary rewriter that can be combined with AFL++. If you
 have an x86_64 or arm64 binary that does not contain C++ exceptions and - if
-x86_64 - still has it's symbols and compiled with position independent code
+x86_64 - still has its symbols and compiled with position independent code
 (PIC/PIE), then the RetroWrite solution might be for you.
 It decompiles to ASM files which can then be instrumented with afl-gcc.
+Note that afl-gcc is only present until AFL++ v4.21c and was subsequently removed as it is obsolete.

 Binaries that are statically instrumented for fuzzing using RetroWrite are close
 in performance to compiler-instrumented binaries and outperform the QEMU-based
--- a/docs/fuzzing_in_depth.md
+++ b/docs/fuzzing_in_depth.md
@ -61,6 +61,8 @@ evaluation flow will help you to select the best possible.
 It is highly recommended to have the newest llvm version possible installed,
 anything below 9 is not recommended.

+IMPORTANT NOTICE: afl-gcc/afl-clang have been removed from AFL++ as they are obsolete.
+
 ```
 +--------------------------------+
 | clang/clang++ 11+ is available | --> use LTO mode (afl-clang-lto/afl-clang-lto++)
@ -84,7 +86,7 @@ anything below 9 is not recommended.
    | if not, or if you do not have a gcc with plugin support
    |
    v
-   use GCC mode (afl-gcc/afl-g++) (or afl-clang/afl-clang++ for clang)
+   GAME OVER! Install gcc-VERSION-plugin-dev or llvm-VERSION-dev
 ```

 Clickable README links for the chosen compiler:
@ -92,14 +94,12 @@ Clickable README links for the chosen compiler:
 * [LTO mode - afl-clang-lto](../instrumentation/README.lto.md)
 * [LLVM mode - afl-clang-fast](../instrumentation/README.llvm.md)
 * [GCC_PLUGIN mode - afl-gcc-fast](../instrumentation/README.gcc_plugin.md)
-* GCC/CLANG modes (afl-gcc/afl-clang) have no README as they have no own
-  features

 You can select the mode for the afl-cc compiler by one of the following methods:

-* Using a symlink to afl-cc: afl-gcc, afl-g++, afl-clang, afl-clang++,
+* Using a symlink to afl-cc: 
   afl-clang-fast, afl-clang-fast++, afl-clang-lto, afl-clang-lto++,
-   afl-gcc-fast, afl-g++-fast (recommended!).
+   afl-gcc-fast, afl-g++-fast.
 * Using the environment variable `AFL_CC_COMPILER` with `MODE`.
 * Passing --afl-`MODE` command line options to the compiler via
   `CFLAGS`/`CXXFLAGS`/`CPPFLAGS`.
@ -108,8 +108,7 @@ You can select the mode for the afl-cc compiler by one of the following methods:

 * LTO (afl-clang-lto*)
 * LLVM (afl-clang-fast*)
-* GCC_PLUGIN (afl-g*-fast) or GCC (afl-gcc/afl-g++)
-* CLANG(afl-clang/afl-clang++)
+* GCC_PLUGIN (afl-g*-fast)

 Because no AFL++ specific command-line options are accepted (beside the
 --afl-MODE command), the compile-time tools make fairly broad use of environment
@ -133,11 +132,15 @@ options are available:
  locations. This technique is very fast and good - if the target does not
  transform input data before comparison. Therefore, this technique is called
  `input to state` or `redqueen`. If you want to use this technique, then you
-  have to compile the target twice, once specifically with/for this mode by
-  setting `AFL_LLVM_CMPLOG=1`, and pass this binary to afl-fuzz via the `-c`
-  parameter. Note that you can compile also just a cmplog binary and use that
-  for both, however, there will be a performance penalty. You can read more
-  about this in
+  have to compile the target with `AFL_LLVM_CMPLOG=1`.
+  You could use the resulting binary for both normal fuzzing and `-c` CMPLOG
+  mode (with `-c 0`), however this will result in a performance loss of about
+  20%.
+  It is therefore better to compile a specific CMPLOG target with
+  `AFL_LLVM_ONLY_FSRV=1 AFL_LLVM_CMPLOG=1` and pass this binary name via
+  `-c cmplog-fuzzing-target` and compile target again normally with `afl-cc`
+   and use this is the fuzzing target as usual.
+  You can read more about this in
  [instrumentation/README.cmplog.md](../instrumentation/README.cmplog.md).

 If you use LTO, LLVM, or GCC_PLUGIN mode
@ -201,6 +204,12 @@ type. This is enough because e.g. a use-after-free bug will be picked up by ASAN
 (address sanitizer) anyway after syncing test cases from other fuzzing
 instances, so running more than one address sanitized target would be a waste.

+*IF* you are running a saturated corpus, then you can run up to half of the 
+instances with sanitizers.
+
+An alternative but more effective approach is to use [SAND](./SAND.md) which could
+combine different sanitizers at a much higher throughput.
+
 The following sanitizers have built-in support in AFL++:

 * ASAN = Address SANitizer, finds memory corruption vulnerabilities like
@ -242,6 +251,12 @@ CFISAN. You might need to experiment which sanitizers you can combine in a
 target (which means more instances can be run without a sanitized target, which
 is more effective).

+Note that some sanitizers (MSAN and LSAN) exit with a particular exit code
+instead of aborting. afl-fuzz treats these exit codes as a crash when these
+sanitizers are enabled. If the target uses these exit codes there could be false
+positives among the saved crashes. LSAN uses exit code 23 and MSAN uses exit
+code 86.
+
 ### d) Modifying the target

 If the target has features that make fuzzing more difficult, e.g., checksums,
@ -491,6 +506,8 @@ Note:
  protection against attacks! So set strong firewall rules and only expose SSH
  as a network service if you use these (which is highly recommended).

+If you execute afl-fuzz in a Docker container, it is recommended to pass [`--cpuset-cpus`](https://docs.docker.com/engine/containers/resource_constraints/#configure-the-default-cfs-scheduler) option with free CPU cores to docker daemon when starting the container, or pass `AFL_NO_AFFINITY` to afl-fuzz. This is due to the fact that AFL++ will bind to a free CPU core by default, while Docker container will prevent AFL++ instance from seeing processes in other containers or host, which leads to all AFL++ instances trying to bind the same CPU core.
+
 If you have an input corpus from [step 2](#2-preparing-the-fuzzing-campaign),
 then specify this directory with the `-i` option. Otherwise, create a new
 directory and create a file with any content as test data in there.
@ -622,8 +639,8 @@ The other secondaries should be run like this:
 * 40% should run with `-P explore` and 20% with `-P exploit`
 * If you use `-a` then set 30% of the instances to not use `-a`; if you did
  not set `-a` (why??), then set 30% to `-a ascii` and 30% to `-a binary`.
-* run each with a different power schedule, recommended are: `fast` (default),
-  `explore`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
+* run each with a different power schedule, recommended are: `explore` (default),
+  `fast`, `coe`, `lin`, `quad`, `exploit`, and `rare` which you can set with
  the `-p` option, e.g., `-p explore`. See the
  [FAQ](FAQ.md#what-are-power-schedules) for details.

@ -632,7 +649,7 @@ crash or timeout during startup.

 Also, it is recommended to set `export AFL_IMPORT_FIRST=1` to load test cases
 from other fuzzers in the campaign first. But note that can slow down the start
-of the first fuzz by quite a lot of you have many fuzzers and/or many seeds.
+of the first fuzz by quite a lot if you have many fuzzers and/or many seeds.

 If you have a large corpus, a corpus from a previous run or are fuzzing in a CI,
 then also set `export AFL_CMPLOG_ONLY_NEW=1` and `export AFL_FAST_CAL=1`.
@ -852,10 +869,13 @@ Here are some of the most important caveats for AFL++:

 - There is no direct support for fuzzing network services, background daemons,
  or interactive apps that require UI interaction to work. You may need to make
-  simple code changes to make them behave in a more traditional way. Preeny or
-  libdesock may offer a relatively simple option, too - see:
+  simple code changes to make them behave in a more traditional way. Preeny,
+  libdesock or desockmulti may offer a relatively simple option, too - see:
  [https://github.com/zardus/preeny](https://github.com/zardus/preeny) or
  [https://github.com/fkie-cad/libdesock](https://github.com/fkie-cad/libdesock)
+  [https://github.com/zyingp/desockmulti](https://github.com/zyingp/desockmulti)
+  If these fail then try our own which might be a bit slower but is more
+  reliable: [utils/libaflppdesock](../utils/libaflppdesock)

  Some useful tips for modifying network-based services can be also found at:
  [https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop](https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop)
@ -958,7 +978,7 @@ too long for your overall available fuzz run time.
   campaign but not good for short CI runs.

 How this can look like can, e.g., be seen at AFL++'s setup in Google's
-[oss-fuzz](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl)
+[previous oss-fuzz version](https://github.com/google/oss-fuzz/blob/3e2c5312417d1a6f9564472f3df1fd27759b289d/infra/base-images/base-builder/compile_afl)
 and
 [clusterfuzz](https://github.com/google/clusterfuzz/blob/master/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py).

--- a/docs/third_party_tools.md
+++ b/docs/third_party_tools.md
@ -5,6 +5,10 @@
 * [afl-rs](https://github.com/rust-fuzz/afl.rs) - AFL++ for RUST
 * [WASM](https://github.com/fgsect/WAFL) - AFL++ for WASM

+## Starting multiple AFL++ instances in parallel with recommended settings:
+* [https://github.com/0xricksanchez/AFL_Runner](https://github.com/0xricksanchez/AFL_Runner)
+* [https://github.com/MegaManSec/AFLplusplus-Parallel-Gen](https://github.com/MegaManSec/AFLplusplus-Parallel-Gen)
+
 ## Speeding up fuzzing

 * [libfiowrapper](https://github.com/marekzmyslowski/libfiowrapper) - if the
--- a/docs/tutorials.md
+++ b/docs/tutorials.md
@ -21,6 +21,9 @@ training, then we can highly recommend the following:

 * [https://github.com/antonio-morales/Fuzzing101](https://github.com/antonio-morales/Fuzzing101)

+A good workflow overview (like our [fuzzing_in_depth.md](fuzzing_in_depth.md)):
+* [https://appsec.guide/docs/fuzzing/c-cpp/aflpp/](https://appsec.guide/docs/fuzzing/c-cpp/aflpp/)
+
 Here is a good workflow description (and tutorial) for qemu_mode:

 * [https://airbus-seclab.github.io/AFLplusplus-blogpost/](https://airbus-seclab.github.io/AFLplusplus-blogpost/)
--- a/entitlements.plist
+++ b/entitlements.plist
@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>research.com.apple.license-to-operate</key> <true/>
+	<key>application-identifier</key> <string>aflplusplus</string>
+	<key>com.apple.asl.access_as_root</key> <true/>
+	<key>com.apple.backboardd.launchapplications</key> <true/>
+	<key>com.apple.companionappd.connect.allow</key> <true/>
+	<key>com.apple.multitasking.termination</key> <true/>
+	<key>com.apple.private.security.container-required</key> <false/>
+	<key>com.apple.seld.cm</key> <true/>
+	<key>com.apple.sh</key> <true/>
+	<key>com.apple.private.thread-set-state</key> <true/>
+	<key>com.apple.private.cs.debugger</key> <true/>
+	<key>com.apple.springboard.debugapplications</key> <true/>
+	<key>com.apple.springboard.launchapplications</key> <true/>
+	<key>com.apple.springboard.opensensitiveurl</key> <true/>
+	<key>dynamic-codesigning</key> <true/>
+	<key>get-task-allow</key> <true/>
+	<key>platform-application</key> <true/>
+	<key>run-unsigned-code</key> <true/>
+	<key>task_for_pid-allow</key> <true/>
+	<key>com.apple.private.skip-library-validation</key> <true/>
+	<key>com.apple.private.amfi.can-load-cdhash</key> <true/>
+	<key>com.apple.private.amfi.can-execute-cdhash</key> <true/>
+	<key>com.apple.private.security.no-container</key> <true/>
+</dict>
+</plist>
--- a/frida_mode/DEBUGGING.md
+++ b/frida_mode/DEBUGGING.md
@ -39,7 +39,7 @@ is *VERY* important to carry out these basic steps first before taking on the
 additional complexity of debugging with FRIDA mode or `afl-fuzz`.

 - Run your harness outside of the fuzzer, passing it a representative seed as
-  it's input `./harness <input>`.
+  its input `./harness <input>`.
 - Pass your harness multiple seeds to check that it is stable when running
  multiple tests as it will when running in fork server mode `./harness <input1>
  <intput2>`.
--- a/frida_mode/GNUmakefile
+++ b/frida_mode/GNUmakefile
@ -15,15 +15,20 @@ JS_OBJ:=$(BUILD_DIR)api.o
 SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c)
 OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src))))

+XTOOLS_HOST?=x86_64-linux-gnu
 TARGET_CC?=$(CC)
 TARGET_CXX?=$(CXX)
 HOST_CC?=$(CC)
 HOST_CXX?=$(CXX)
-IS_ANDROID:=$(findstring android, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86:=$(findstring i686, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_x86_64:=$(findstring x86_64, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM:=$(findstring arm, $(shell $(TARGET_CC) --version 2>/dev/null))
-IS_ARM64:=$(findstring aarch64, $(shell $(TARGET_CC) --version 2>/dev/null))
+TARGET_CC_INFO=$(shell $(TARGET_CC) --version)
+IS_IOS:=$(findstring ios, $(TARGET_CC_INFO))
+IS_SIMULATOR:=$(findstring sim, $(TARGET_CC_INFO))
+IS_ANDROID:=$(findstring android, $(TARGET_CC_INFO))
+IS_x86:=$(findstring i686, $(TARGET_CC_INFO))
+IS_x86_64:=$(findstring x86_64, $(TARGET_CC_INFO))
+IS_ARM:=$(findstring arm, $(TARGET_CC_INFO))
+IS_ARM64E:=$(findstring arm64e, $(TARGET_CC_INFO))
+IS_ARM64 := $(or $(findstring aarch64,$(TARGET_CC_INFO)), $(findstring arm64,$(TARGET_CC_INFO)))
 CFLAGS+=-fPIC \
 		-D_GNU_SOURCE \
 		-D_FORTIFY_SOURCE=2 \
@ -95,7 +100,24 @@ endif

 GUM_ARCH="-$(ARCH)"

-ifeq "$(shell uname)" "Darwin"
+ifdef IS_IOS
+ OS:=ios
+ ifdef IS_SIMULATOR
+  ifdef IS_x86_64
+   ARCH := x86_64-simulator
+  else ifdef IS_ARM64
+   ARCH := arm64-simulator
+  endif
+ else
+  ifdef IS_ARM64E
+   ARCH := arm64e
+  else ifdef IS_ARM64
+   ARCH := arm64
+  endif
+ endif
+ override CFLAGS += -isysroot $(IOS_SDK_PATH)
+ override LDFLAGS += -L$(IOS_SDK_PATH)/usr/lib
+else ifeq "$(shell uname)" "Darwin"
 OS:=macos
 AFL_CFLAGS:=$(AFL_CFLAGS) -Wno-deprecated-declarations
 GUM_ARCH:=""
@ -165,17 +187,13 @@ ifndef OS
 $(error "Operating system unsupported")
 endif

-GUM_DEVKIT_VERSION=16.0.11
+GUM_DEVKIT_VERSION=17.0.7
 GUM_DEVKIT_FILENAME=frida-gumjs-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz
 GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)"

 GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME)
-ifdef FRIDA_SOURCE
-GUM_DEVIT_LIBRARY=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gumjs-1.0.a
-else
-GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gumjs.a
-endif
 GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gumjs.h
+GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gumjs.a

 FRIDA_DIR:=$(PWD)build/frida-source/
 FRIDA_MAKEFILE:=$(FRIDA_DIR)Makefile
@ -209,10 +227,13 @@ BIN2C_SRC:=$(PWD)util/bin2c.c
 all: $(FRIDA_TRACE) $(FRIDA_TRACE_LIB) $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ) $(ADDR_BIN)

 32:
-	CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all
+	XTOOLS_HOST=i686-linux-gnu CFLAGS="-m32" LDFLAGS="-m32" ARCH="x86" make all

 arm:
-	CFLAGS="-marm" LDFLAGS="-marm" ARCH="armhf" TARGET_CC=arm-linux-gnueabihf-gcc TARGET_CXX=arm-linux-gnueabihf-g++ make all
+	XTOOLS_HOST=arm-linux-gnueabihf CFLAGS="-marm" LDFLAGS="-marm" ARCH="armhf" TARGET_CC=arm-linux-gnueabihf-gcc TARGET_CXX=arm-linux-gnueabihf-g++ make all
+
+arm64:
+	XTOOLS_HOST=aarch64-linux-gnu ARCH="arm64" TARGET_CC=aarch64-linux-gnu-gcc TARGET_CXX=aarch64-linux-gnu-g++ make all

 $(BUILD_DIR):
 	mkdir -p $(BUILD_DIR)
@ -225,114 +246,29 @@ $(OBJ_DIR): | $(BUILD_DIR)
 $(FRIDA_BUILD_DIR): | $(BUILD_DIR)
 	mkdir -p $@

+#TODO Set architecture
 ifdef FRIDA_SOURCE
 $(FRIDA_MAKEFILE): | $(BUILD_DIR)
-	git clone --recursive https://github.com/frida/frida.git $(FRIDA_DIR)
+	git clone https://github.com/frida/frida-gum.git $(FRIDA_DIR)
+	cd $(FRIDA_DIR) && \
+	./configure \
+		--host=$(XTOOLS_HOST) \
+		--enable-tests \
+		--enable-gumpp \
+		--enable-gumjs \
+		--with-devkits=gum,gumjs

 .PHONY: $(GUM_DEVIT_LIBRARY)

-$(GUM_DEVIT_LIBRARY): $(FRIDA_MAKEFILE)
-	cd $(FRIDA_DIR) && make gum-$(OS)$(GUM_ARCH) FRIDA_V8=disabled
-
-$(GUM_DEVIT_HEADER): $(FRIDA_MAKEFILE) | $(FRIDA_BUILD_DIR)
-	echo "#include <stdio.h>" > $@
-	echo "#include <unistd.h>" >> $@
-	echo "#include <gum/gumreturnaddress.h>" >> $@
-	echo "#include <gum/gumbacktracer.h>" >> $@
-	echo "#include <gum/gumsymbolutil.h>" >> $@
-	echo "#include <gum/gumstalker.h>" >> $@
-	echo "#include <gum/gumlibc.h>" >> $@
-	echo "#include <gumjs/gumscriptbackend.h>" >> $@
-
-ifeq "$(OS)" "macos"
-
-CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
-	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
-
-TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libtcc.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libjson-glib-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libquickjs.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libcapstone.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libffi.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgio-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgobject-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libglib-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libiconv.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libv8-8.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgmodule-2.0.a \
-
-else ifeq "$(ARCH)" "arm64"
-
-CFLAGS+=-I $(FRIDA_DIR)build/$(OS)-$(ARCH)/include/frida-1.0 \
-	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
+$(GUM_DEVIT_LIBRARY): $(FRIDA_MAKEFILE) | $(FRIDA_BUILD_DIR)
+	echo $(GUM_DEVIT_LIBRARY) $(FRIDA_MAKEFILE) $(FRIDA_BUILD_DIR)
+	cd $(FRIDA_DIR) && make FRIDA_V8=disabled
+	cp $(FRIDA_DIR)build/bindings/gumjs/devkit/frida-gumjs.h $(GUM_DEVIT_HEADER)
+	cp $(FRIDA_DIR)build/bindings/gumjs/devkit/libfrida-gumjs.a $(GUM_DEVIT_LIBRARY)

 ifeq "$(OS)" "android"
 CFLAGS += -static-libstdc++
 endif
-else
-CFLAGS+=-I $(FRIDA_DIR)build/$(OS)-$(ARCH)/include/frida-1.0 \
-	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/ \
-
-endif
-
-TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libtcc.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libjson-glib-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libquickjs.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libcapstone.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libunwind.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libffi.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libdwarf.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libelf.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgio-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgobject-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libglib-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \
-
-CFLAGS+=-I $(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/include/frida-1.0 \
-	    -I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/glib-2.0/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/glib-2.0/include/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/capstone/ \
-		-I $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/include/json-glib-1.0/
-
-ifeq "$(OS)" "android"
- CFLAGS += -static-libstdc++
-endif
-
-TRACE_LDFLAGS+=$(FRIDA_DIR)build/frida-$(OS)-$(ARCH)/lib/libfrida-gum-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsoup-2.4.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libsqlite3.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libtcc.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libjson-glib-1.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libquickjs.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libcapstone.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libunwind.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libffi.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libdwarf.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libelf.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgio-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libgobject-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libglib-2.0.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/liblzma.a \
-			   $(FRIDA_DIR)build/sdk-$(OS)-$(ARCH)/lib/libz.a \
-

 else
 $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR)
@ -370,6 +306,11 @@ $(AFL_PERFORMANCE_OBJ): $(AFL_PERFORMANCE_SRC)

 $(BIN2C): $(BIN2C_SRC)
 	$(HOST_CC) -D_GNU_SOURCE -o $@ $<
+ifdef IS_IOS
+ifeq ($(HOST_CC),$(TARGET_CC))
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
+endif

 $(JS_SRC): $(JS) $(BIN2C)| $(BUILD_DIR)
 	cd $(JS_DIR) && $(BIN2C) api_js $(JS) $@
@ -410,8 +351,10 @@ $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL
 		$(TRACE_LDFLAGS) \
 		$(LDFLAGS) \
 		$(LDSCRIPT) \
-		-o $@ \
-
+		-o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif
 	cp -v $(FRIDA_TRACE) $(ROOT)

 $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $(AFL_COMPILER_RT_OBJ) $(AFL_PERFORMANCE_OBJ) GNUmakefile | $(BUILD_DIR)
@ -427,9 +370,15 @@ $(FRIDA_TRACE_LIB): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(JS_OBJ) $

 $(AFLPP_FRIDA_DRIVER_HOOK_OBJ): $(AFLPP_FRIDA_DRIVER_HOOK_SRC) $(GUM_DEVIT_HEADER) | $(BUILD_DIR)
 	$(TARGET_CC) $(CFLAGS) $(LDFLAGS) -I $(FRIDA_BUILD_DIR) $< -o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 $(AFLPP_QEMU_DRIVER_HOOK_OBJ): $(AFLPP_QEMU_DRIVER_HOOK_SRC) | $(BUILD_DIR)
 	$(TARGET_CC) $(CFLAGS) $(LDFLAGS) $< -o $@
+ifdef IS_IOS
+	@ldid -S../entitlements.plist $@ && echo "[+] Signed $@" || { echo "[-] Failed to sign $@"; }
+endif

 hook: $(AFLPP_FRIDA_DRIVER_HOOK_OBJ) $(AFLPP_QEMU_DRIVER_HOOK_OBJ)

--- a/frida_mode/MapDensity.md
+++ b/frida_mode/MapDensity.md
@ -107,7 +107,7 @@ every block of code we execute, performance is critical.
 However, the design of the binary instrumentation modes of AFL++ has moved on.
 Both QEMU and FRIDA modes use a two stage process when executing a target
 application. Each block is first compiled or instrumented, and then it is
-executed. The compiled blocks can be re-used each time the target executes them.
+executed. The compiled blocks can be reused each time the target executes them.

 Since a blocks ID is based on its address, and this is known at compile time, we
 only need to generate this ID once per block and so this ID generation no longer
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@ -200,10 +200,10 @@ instrumented address block translations.
 * `AFL_FRIDA_INST_NO_SUPPRESS` - Disable deterministic branch suppression.
  Deterministic branch suppression skips the preamble which generates coverage
  information at the start of each block, if the block is reached by a
-  deterministic branch. This reduces map polution, and may improve performance
+  deterministic branch. This reduces map pollution, and may improve performance
  when all the executing blocks have been prefetched and backpatching applied.
  However, in the event that backpatching is incomplete, this may incur a
-  performance penatly as branch instructions are disassembled on each branch.
+  performance penalty as branch instructions are disassembled on each branch.
 * `AFL_FRIDA_INST_SEED` - Sets the initial seed for the hash function used to
  generate block (and hence edge) IDs. Setting this to a constant value may be
  useful for debugging purposes, e.g., investigating unstable edges.
@ -215,7 +215,7 @@ instrumented address block translations.
  coverage information for unstable edges (e.g., to be loaded within IDA
  lighthouse).
 * `AFL_FRIDA_JS_SCRIPT` - Set the script to be loaded by the FRIDA scripting
-  engine. See [Scipting.md](Scripting.md) for details.
+  engine. See [Scripting.md](Scripting.md) for details.
 * `AFL_FRIDA_OUTPUT_STDOUT` - Redirect the standard output of the target
  application to the named file (supersedes the setting of `AFL_DEBUG_CHILD`).
 * `AFL_FRIDA_OUTPUT_STDERR` - Redirect the standard error of the target
--- a/frida_mode/Scripting.md
+++ b/frida_mode/Scripting.md
@ -724,16 +724,16 @@ class Afl {
   * it takes as arguments a `NativePointer` and a `number`. It can be
   * called multiple times to exclude several ranges.
   */
-  static addExcludedRange(addressess, size) {
-      Afl.jsApiAddExcludeRange(addressess, size);
+  static addExcludedRange(addresses, size) {
+      Afl.jsApiAddExcludeRange(addresses, size);
  }
  /**
   * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
   * it takes as arguments a `NativePointer` and a `number`. It can be
   * called multiple times to include several ranges.
   */
-  static addIncludedRange(addressess, size) {
-      Afl.jsApiAddIncludeRange(addressess, size);
+  static addIncludedRange(addresses, size) {
+      Afl.jsApiAddIncludeRange(addresses, size);
  }
  /**
   * This must always be called at the end of your script. This lets
@ -771,7 +771,7 @@ class Afl {
  }
  /**
   * Print a message to the STDOUT. This should be preferred to
-   * FRIDA's `console.log` since FRIDA will queue it's log messages.
+   * FRIDA's `console.log` since FRIDA will queue its log messages.
   * If `console.log` is used in a callback in particular, then there
   * may no longer be a thread running to service this queue.
   */
@ -893,14 +893,14 @@ class Afl {
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
   */
  static setPersistentAddress(address) {
      Afl.jsApiSetPersistentAddress(address);
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
-   * `number` should be provided as it's argument.
+   * `number` should be provided as its argument.
   */
  static setPersistentCount(count) {
      Afl.jsApiSetPersistentCount(count);
@ -920,7 +920,7 @@ class Afl {
  }
  /**
   * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
-   * `NativePointer` should be provided as it's argument.
+   * `NativePointer` should be provided as its argument.
   */
  static setPersistentReturn(address) {
      Afl.jsApiSetPersistentReturn(address);
--- a/frida_mode/addr/addr.c
+++ b/frida_mode/addr/addr.c
@ -6,18 +6,20 @@

 #define UNUSED_PARAMETER(x) (void)(x)

-int phdr_callback(struct dl_phdr_info *info, size_t size, void *data)
-{
-    UNUSED_PARAMETER (size);
+int phdr_callback(struct dl_phdr_info *info, size_t size, void *data) {

-    ElfW(Addr) * base = data;
+  UNUSED_PARAMETER(size);
+
+  ElfW(Addr) *base = data;

  if (info->dlpi_name[0] == 0) { *base = info->dlpi_addr; }
  return 0;
+
 }

-int main (int argc, char** argv, char** envp) {
-    UNUSED_PARAMETER (argc);
+int main(int argc, char **argv, char **envp) {
+
+  UNUSED_PARAMETER(argc);

  ElfW(Addr) base = 0;

@ -26,6 +28,7 @@ int main (int argc, char** argv, char** envp) {

    printf("Failed to set ADDR_NO_RANDOMIZE: %d", errno);
    return 1;
+
  }

  if ((persona & ADDR_NO_RANDOMIZE) == 0) { execvpe(argv[0], argv, envp); }
@ -36,4 +39,6 @@ int main (int argc, char** argv, char** envp) {
  if (base == 0) { return 1; }

  return 0;
+
 }
+
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@ -45,6 +45,7 @@
    js_api_set_stdout;
    js_api_set_traceable;
    js_api_set_verbose;
+    js_api_ijon_set;

  local:
    *;
--- a/frida_mode/hook/frida_hook.c
+++ b/frida_mode/hook/frida_hook.c
@ -31,8 +31,8 @@ __attribute__((visibility("default"))) void afl_persistent_hook(
  // do a length check matching the target!

  void **esp = (void **)regs->esp;
-  void  *arg1 = esp[0];
-  void **arg2 = &esp[1];
+  void  *arg1 = esp[1];
+  void **arg2 = &esp[2];
  memcpy(arg1, input_buf, input_buf_len);
  *arg2 = (void *)input_buf_len;

--- a/frida_mode/hook/qemu_hook.c
+++ b/frida_mode/hook/qemu_hook.c
@ -78,12 +78,13 @@ void afl_persistent_hook(struct x86_regs *regs, uint64_t guest_base,

  (void)guest_base;                                               /* unused */
  void **esp = (void **)regs->esp;
-  void * arg1 = esp[1];
+  void  *arg1 = esp[1];
  void **arg2 = &esp[2];
  memcpy(arg1, input_buf, input_buf_len);
  *arg2 = (void *)input_buf_len;

 }
+
 #elif defined(__aarch64__)

 struct arm64_regs {
@ -180,6 +181,7 @@ void afl_persistent_hook(struct arm64_regs *regs, uint64_t guest_base,
  (void)guest_base;                                               /* unused */
  memcpy((void *)regs->x0, input_buf, input_buf_len);
  regs->x1 = input_buf_len;
+
 }

 #else
@ -193,3 +195,4 @@ int afl_persistent_hook_init(void) {
  return 1;

 }
+
--- a/frida_mode/include/instrument.h
+++ b/frida_mode/include/instrument.h
@ -22,6 +22,7 @@ extern guint64  instrument_fixed_seed;

 extern uint8_t *__afl_area_ptr;
 extern uint32_t __afl_map_size;
+extern void     __afl_coverage_interesting(uint8_t, uint32_t);

 extern __thread guint64 *instrument_previous_pc_addr;

@ -72,5 +73,7 @@ void instrument_cache(const cs_insn *instr, GumStalkerOutput *output);
 void instrument_write_regs(GumCpuContext *cpu_context, gpointer user_data);
 void instrument_regs_format(int fd, char *format, ...);

+void ijon_set(uint32_t edge);
+
 #endif

--- a/frida_mode/many-linux/README.md
+++ b/frida_mode/many-linux/README.md
@ -4,6 +4,6 @@ This folder contains a Docker image to allow the building of
 `afl-frida-trace.so` using the `many-linux` docker image. This docker image is
 based on CentOS Linux 5. By building `afl-frida-trace.so` for such an old
 version of Linux, given the strong backward compatibility of Linux, this should
-work on the majority of Linux environments. This may be useful for targetting
+work on the majority of Linux environments. This may be useful for targeting
 Linux distributions other than your development environment. `many-local` builds
 `AFLplusplus` from the local working copy in the `many-linux` environment.
--- a/frida_mode/src/asan/asan.c
+++ b/frida_mode/src/asan/asan.c
@ -27,25 +27,21 @@ void asan_init(void) {

 }

-static gboolean asan_exclude_module(const GumModuleDetails *details,
-                                    gpointer                user_data) {
+static gboolean asan_exclude_module(GumModule *module, gpointer user_data) {

  gchar                *symbol_name = (gchar *)user_data;
  GumAddress            address;
+  const GumMemoryRange *range = gum_module_get_range(module);

-  address = gum_module_find_export_by_name(details->name, symbol_name);
+  address = gum_module_find_export_by_name(module, symbol_name);
  if (address == 0) { return TRUE; }

  /* If the reported address of the symbol is outside of the range of the module
   * then ignore it */
-  if (address < details->range->base_address) { return TRUE; }
-  if (address > (details->range->base_address + details->range->size)) {
+  if (address < range->base_address) { return TRUE; }
+  if (address > (range->base_address + range->size)) { return TRUE; }

-    return TRUE;
-
-  }
-
-  ranges_add_exclude((GumMemoryRange *)details->range);
+  ranges_add_exclude((GumMemoryRange *)range);
  return FALSE;

 }
--- a/frida_mode/src/asan/asan_arm64.c
+++ b/frida_mode/src/asan/asan_arm64.c
@ -39,18 +39,18 @@ static void asan_callout(GumCpuContext *ctx, gpointer user_data) {

  address = base + index + mem->disp;

-  if ((operand->access & CS_AC_READ) == CS_AC_READ) {
-
-    asan_loadN(address, asan_ctx->size);
-
-  }
-
  if ((operand->access & CS_AC_WRITE) == CS_AC_WRITE) {

    asan_storeN(address, asan_ctx->size);

  }

+  if ((operand->access & CS_AC_READ) == CS_AC_READ) {
+
+    asan_loadN(address, asan_ctx->size);
+
+  }
+
 }

 void asan_instrument(const cs_insn *instr, GumStalkerIterator *iterator) {
--- a/frida_mode/src/cmplog/cmplog.c
+++ b/frida_mode/src/cmplog/cmplog.c
@ -166,7 +166,7 @@ gboolean cmplog_is_readable(guint64 addr, size_t size) {
   */
  if (addr < DEFAULT_MMAP_MIN_ADDR) { return false; }

-  /* Check our addres/length don't wrap around */
+  /* Check our address/length don't wrap around */
  if (SIZE_MAX - addr < size) { return false; }

  GumAddress inner_base = addr;
--- a/frida_mode/src/instrument/instrument.c
+++ b/frida_mode/src/instrument/instrument.c
@ -186,7 +186,7 @@ static void instrument_basic_block(GumStalkerIterator *iterator,
     * execution), we instead ensure that we honour the additional
     * instrumentation requested (e.g. coverage, asan and complog) when a block
     * is compiled no matter where we are during initialization. We will end up
-     * re-using these blocks if the code under test calls a block which is also
+     * reusing these blocks if the code under test calls a block which is also
     * used during initialization.
     *
     * Coverage data generated during initialization isn't a problem since the
@ -449,3 +449,9 @@ void instrument_regs_format(int fd, char *format, ...) {

 }

+void ijon_set(uint32_t edge) {
+
+  __afl_coverage_interesting(1, edge);
+
+}
+
--- a/frida_mode/src/instrument/instrument_arm64.c
+++ b/frida_mode/src/instrument/instrument_arm64.c
@ -285,7 +285,7 @@ static void instrument_coverage_switch(GumStalkerObserver *self,

  /*
   * If the branch is deterministic, then we should start execution at the
-   * begining of the block. From here, we will branch and skip the coverage
+   * beginning of the block. From here, we will branch and skip the coverage
   * code and jump right to the target code of the instrumented block.
   * Otherwise, if the branch is non-deterministic, then we need to branch
   * part way into the block to where the coverage instrumentation starts.
@ -516,7 +516,7 @@ void instrument_coverage_optimize(const cs_insn    *instr,
   * an instruction to load x16,x17 from beyond the red-zone on the stack. A
   * pair of registers are saved/restored because on AARCH64, the stack pointer
   * must be 16 byte aligned. This instruction is emitted into the block before
-   * the tranformer (from which we are called) is executed. If is is possible
+   * the transformer (from which we are called) is executed. If is is possible
   * for Stalker to make a direct branch (the target block is close enough), it
   * can forego pushing the registers and instead branch at an offset into the
   * block to skip this restoration prolog.
--- a/frida_mode/src/instrument/instrument_coverage.c
+++ b/frida_mode/src/instrument/instrument_coverage.c
@ -818,6 +818,9 @@ void instrument_coverage_unstable_find_output(void) {

  GDir *dir = g_dir_open(fds_name, 0, NULL);

+  gchar *path_tmp = getenv("AFL_CUSTOM_INFO_OUT");
+  gchar *instance_name = g_path_get_basename(path_tmp);
+
  FVERBOSE("Coverage Unstable - fds: %s", fds_name);

  for (const gchar *filename = g_dir_read_name(dir); filename != NULL;
@ -829,7 +832,7 @@ void instrument_coverage_unstable_find_output(void) {
    if (link == NULL) { FFATAL("Failed to read link: %s", fullname); }

    gchar *basename = g_path_get_basename(link);
-    if (g_strcmp0(basename, "default") != 0) {
+    if (g_strcmp0(basename, instance_name) != 0) {

      g_free(basename);
      g_free(link);
@ -874,6 +877,7 @@ void instrument_coverage_unstable_find_output(void) {
  }

  g_dir_close(dir);
+  g_free(instance_name);
  g_free(fds_name);

  if (unstable_coverage_fuzzer_stats == NULL) {
--- a/frida_mode/src/instrument/instrument_x64_cache.c
+++ b/frida_mode/src/instrument/instrument_x64_cache.c
@ -49,14 +49,23 @@ void instrument_cache_init(void) {

  if (setrlimit(RLIMIT_AS, &data_limit) != 0) {

-    FFATAL("Failed to setrlimit: %d", errno);
+    FWARNF("Failed to setrlimit: %d, you may need root or CAP_SYS_RESOURCE",
+           errno);

  }

  map_base =
      gum_memory_allocate(NULL, instrument_cache_size, instrument_cache_size,
                          GUM_PAGE_READ | GUM_PAGE_WRITE);
-  if (map_base == MAP_FAILED) { FFATAL("Failed to map segment: %d", errno); }
+  if (map_base == MAP_FAILED) {
+
+    FFATAL(
+        "Failed to map segment: %d. This can be caused by failure to setrlimit."
+        "Disabling or reducing the size of the allocation using "
+        "AFL_FRIDA_INST_NO_CACHE or AFL_FRIDA_INST_CACHE_SIZE may help",
+        errno);
+
+  }

  FOKF(cBLU "Instrumentation" cRST " - " cGRN "cache addr:" cYEL " [0x%016lX]",
       GUM_ADDRESS(map_base));
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@ -5,16 +5,16 @@ class Afl {
     * it takes as arguments a `NativePointer` and a `number`. It can be
     * called multiple times to exclude several ranges.
     */
-    static addExcludedRange(addressess, size) {
-        Afl.jsApiAddExcludeRange(addressess, size);
+    static addExcludedRange(addresses, size) {
+        Afl.jsApiAddExcludeRange(addresses, size);
    }
    /**
     * This is equivalent to setting a value in `AFL_FRIDA_INST_RANGES`,
     * it takes as arguments a `NativePointer` and a `number`. It can be
     * called multiple times to include several ranges.
     */
-    static addIncludedRange(addressess, size) {
-        Afl.jsApiAddIncludeRange(addressess, size);
+    static addIncludedRange(addresses, size) {
+        Afl.jsApiAddIncludeRange(addresses, size);
    }
    /**
     * This must always be called at the end of your script. This lets
@ -52,7 +52,7 @@ class Afl {
    }
    /**
     * Print a message to the STDOUT. This should be preferred to
-     * FRIDA's `console.log` since FRIDA will queue it's log messages.
+     * FRIDA's `console.log` since FRIDA will queue its log messages.
     * If `console.log` is used in a callback in particular, then there
     * may no longer be a thread running to service this queue.
     */
@ -205,14 +205,14 @@ class Afl {
    }
    /**
     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_ADDR`, again a
-     * `NativePointer` should be provided as it's argument.
+     * `NativePointer` should be provided as its argument.
     */
    static setPersistentAddress(address) {
        Afl.jsApiSetPersistentAddress(address);
    }
    /**
     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_CNT`, a
-     * `number` should be provided as it's argument.
+     * `number` should be provided as its argument.
     */
    static setPersistentCount(count) {
        Afl.jsApiSetPersistentCount(count);
@ -232,7 +232,7 @@ class Afl {
    }
    /**
     * This is equivalent to setting `AFL_FRIDA_PERSISTENT_RET`, again a
-     * `NativePointer` should be provided as it's argument.
+     * `NativePointer` should be provided as its argument.
     */
    static setPersistentReturn(address) {
        Afl.jsApiSetPersistentReturn(address);
@ -326,6 +326,12 @@ class Afl {
    static jsApiGetSymbol(name) {
        return Afl.module.getExportByName(name);
    }
+
+    static IJON = class {
+        static set(addr, val) {
+            Afl.jsApiIjonSet((addr ^ val) & 0xffffffff);
+        }
+    }
 }
 /**
 * Field containing the `Module` object for `afl-frida-trace.so` (the FRIDA mode
@ -376,4 +382,5 @@ Afl.jsApiSetTraceable = Afl.jsApiGetFunction("js_api_set_traceable", "void", [])
 Afl.jsApiSetVerbose = Afl.jsApiGetFunction("js_api_set_verbose", "void", []);
 Afl.jsApiWrite = new NativeFunction(
 /* tslint:disable-next-line:no-null-keyword */
-Module.getExportByName(null, "write"), "int", ["int", "pointer", "int"]);
+Module.getGlobalExportByName("write"), "int", ["int", "pointer", "int"]);
+Afl.jsApiIjonSet = Afl.jsApiGetFunction("js_api_ijon_set", "void", ["uint32"]);
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@ -316,3 +316,9 @@ __attribute__((visibility("default"))) void js_api_set_verbose(void) {

 }

+__attribute__((visibility("default"))) void js_api_ijon_set(uint32_t edge) {
+
+  ijon_set(edge);
+
+}
+
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 ed4f8d
 d8f53