avoid copy of function names

* use libafl_wide

* fix

.devcontainer/Build/devcontainer.json

@@ -1,27 +1,35 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
 // https://github.com/microsoft/vscode-dev-containers/tree/v0.191.0/containers/docker-existing-dockerfile
 {
-	"name": "LibAFL Dockerfile",
+	"name": "Build LibAFL Dockerfile",
 	// Sets the run context to one level up instead of the .devcontainer folder.
-	"context": "..",
+	"context": "../..",
 	// Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
-	"dockerFile": "../Dockerfile",
-	// Set *default* container specific settings.json values on container create.
-	"settings": {},
-	// Add the IDs of extensions you want installed when the container is created.
-	"extensions": [
-		"matklad.rust-analyzer"
-	],
+	"dockerFile": "../../Dockerfile",
+	"customizations": {
+		"vscode": {
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"rust-lang.rust-analyzer",
+				"microsoft.Docker"
+			],
+			// Set *default* container specific settings.json values on container create.
+			"settings": {
+				"rust-analyzer.cargo.noDefaultFeatures": true
+			}
+		}
+	},
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	// "forwardPorts": [],
 	// Uncomment the next line to run commands after the container is created - for example installing curl.
-	// "postCreateCommand": "apt-get update && apt-get install -y curl",
+	// Install development components that shouldn't be in the main Dockerfile
+	"postCreateCommand": "rustup component add rustfmt clippy llvm-tools-preview",
 	// Uncomment when using a ptrace-based debugger like C++, Go, and Rust
 	"runArgs": [
 		"--cap-add=SYS_PTRACE",
 		"--security-opt",
 		"seccomp=unconfined"
-	],
+	]
 	// Uncomment to use the Docker CLI from inside the container. See https://aka.ms/vscode-remote/samples/docker-from-docker.
 	// "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
 	// Uncomment to connect as a non-root user if you've added one. See https://aka.ms/vscode-remote/containers/non-root.

.devcontainer/Download/devcontainer.json

@@ -0,0 +1,34 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.191.0/containers/docker-existing-dockerfile
+{
+	"name": "Download LibAFL Dockerfile",
+	"image": "ghcr.io/aflplusplus/libafl:latest",
+	"customizations": {
+		"vscode": {
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"rust-lang.rust-analyzer",
+				"microsoft.Docker"
+			],
+			// Set *default* container specific settings.json values on container create.
+			"settings": {
+				"rust-analyzer.cargo.noDefaultFeatures": true
+			}
+		}
+	},
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+	// Uncomment the next line to run commands after the container is created - for example installing curl.
+	// Install development components that shouldn't be in the main Dockerfile
+	"postCreateCommand": "rustup component add rustfmt clippy llvm-tools-preview",
+	// Uncomment when using a ptrace-based debugger like C++, Go, and Rust
+	"runArgs": [
+		"--cap-add=SYS_PTRACE",
+		"--security-opt",
+		"seccomp=unconfined"
+	]
+	// Uncomment to use the Docker CLI from inside the container. See https://aka.ms/vscode-remote/samples/docker-from-docker.
+	// "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+	// Uncomment to connect as a non-root user if you've added one. See https://aka.ms/vscode-remote/containers/non-root.
+	// "remoteUser": "vscode"
+}

.dockerignore

@@ -1,4 +1,5 @@
-target
+**/target
+**/.git
 Cargo.lock
 
 *.o

.github/.linkspector.yml

@@ -0,0 +1,14 @@
+dirs:
+  - .
+
+useGitIgnore: true
+
+ignorePatterns:
+  - pattern: "^https://crates.io"
+  - pattern: "^https://github.com/AFLplusplus/linux-qemu-image-builder"
+  - pattern: "https://www.romu-random.org/"
+
+aliveStatusCodes:
+  - 0
+  - 200
+  - 403

.github/ISSUE_TEMPLATE/bug_report.md

@@ -13,6 +13,8 @@ Thank you for making LibAFL better!
 
 **Describe the bug**
 A clear and concise description of what the bug is.
+If you want to present the backtrace, don't forget to run with `errors_backtrace` feature and log from `RUST_LOG`
+In addition, please tell us what is your fuzzer's Cargo.toml
 
 **To Reproduce**
 Steps to reproduce the behavior:

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,7 @@
+## Description
+
+*describe your PR here*
+
+## Checklist
+
+- [ ] I have run `./scripts/precommit.sh` and addressed all comments

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
+      - dependency-name: "pyo3"

.github/workflows/fuzzer-tester-prepare/action.yml

@@ -0,0 +1,47 @@
+name: Setup Rust Environment
+description: Sets up the Rust environment for the CI workflow
+inputs:
+  fuzzer-name:
+    description: 'The fuzzer name to run'
+    required: true
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+    - uses: ./.github/workflows/ubuntu-prepare
+    - name: enable mult-thread for `make`
+      shell: bash
+      run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
+    - name: Add nightly toolchain
+      if: ${{ inputs.fuzzer-name == 'inprocess/fuzzbench_ctx' || inputs.fuzzer-name == 'fuzz_anything/baby_no_std' || inputs.fuzzer-name == 'baby/tutorial'}}
+      shell: bash
+      run: rustup toolchain install nightly-x86_64-unknown-linux-gnu; rustup component add clippy rustfmt --toolchain nightly-x86_64-unknown-linux-gnu; rustup default nightly
+    - name: Add no_std toolchain
+      if: ${{ inputs.fuzzer-name == 'fuzz_anything/baby_no_std' }}
+      shell: bash
+      run: rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
+    - name: Add nyx deps
+      if: ${{ inputs.fuzzer-name == 'full_system/nyx_launcher' || inputs.fuzzer-name == 'full_system/nyx_libxml2_standalone' || inputs.fuzzer-name == 'full_system/nyx_libxml2_parallel' }}
+      shell: bash
+      run: sudo apt update && sudo apt install -y libgtk-3-dev pax-utils python3-msgpack python3-jinja2 libcapstone-dev
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: '1.40.0'
+    - name: Add wasm target
+      if: ${{ inputs.fuzzer-name == 'fuzz_anything/baby_fuzzer_wasm' }}
+      shell: bash
+      run: rustup target add wasm32-unknown-unknown
+    - name: install wasm-pack
+      if: ${{ inputs.fuzzer-name == 'fuzz_anything/baby_fuzzer_wasm' }}
+      uses: baptiste0928/cargo-install@v3
+      with:
+        crate: wasm-pack
+    - name: install chrome
+      if: ${{ inputs.fuzzer-name == 'fuzz_anything/baby_fuzzer_wasm' }}
+      uses: browser-actions/setup-chrome@v1
+      with:
+        chrome-version: stable

.github/workflows/librasan-prepare/action.yml

@@ -0,0 +1,73 @@
+name: Setup QEMU librasan environment
+description: Sets up the QEMU librasan environment
+runs:
+  using: composite
+  steps:
+    - name: Enable i386
+      shell: bash
+      run: sudo dpkg --add-architecture i386
+    - name: Install QEMU deps
+      shell: bash
+      run: |
+        sudo apt-get update && \
+        DEBIAN_FRONTEND=noninteractive \
+          sudo apt-get install -y \
+          build-essential \
+          clang-18 \
+          clang++-18 \
+          cmake \
+          curl \
+          g++-aarch64-linux-gnu \
+          g++-arm-linux-gnueabi \
+          g++-i686-linux-gnu \
+          g++-mipsel-linux-gnu \
+          g++-powerpc-linux-gnu \
+          gcc-aarch64-linux-gnu \
+          gcc-arm-linux-gnueabi \
+          gcc-i686-linux-gnu \
+          gcc-mipsel-linux-gnu \
+          gcc-powerpc-linux-gnu \
+          gdb \
+          gdb-multiarch \
+          git \
+          gnupg \
+          libc6-dev:i386 \
+          libclang-dev \
+          libgcc-13-dev:i386 \
+          libglib2.0-dev \
+          lsb-release \
+          ninja-build \
+          python3 \
+          python3-pip \
+          python3-venv \
+          qemu-user \
+          software-properties-common \
+          wget
+    - uses: dtolnay/rust-toolchain@stable
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: '1.40.0'
+    - name: Install cargo-binstall
+      shell: bash
+      run: |
+        curl -L --proto '=https' --tlsv1.2 -sSf \
+          https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | \
+            bash
+    - name: Install nextest
+      shell: bash
+      run: |
+        cargo binstall --no-confirm cargo-nextest
+    - name: Install Rust Targets
+      shell: bash
+      run: |
+        rustup target add armv7-unknown-linux-gnueabi && \
+        rustup target add aarch64-unknown-linux-gnu && \
+        rustup target add i686-unknown-linux-gnu && \
+        rustup target add powerpc-unknown-linux-gnu
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+    - uses: Swatinem/rust-cache@v2
+      with: { shared-key: "${{ runner.os }}-shared-fuzzer-cache" }

.github/workflows/qemu-fuzzer-tester-prepare/action.yml

@@ -0,0 +1,32 @@
+name: Setup QEMU Fuzzers environment
+description: Sets up the QEMU fuzzers environment
+runs:
+  using: composite
+  steps:
+    - name: Install QEMU deps
+      shell: bash
+      run: |
+        apt-get update 
+        apt-get install -y qemu-utils sudo python3-msgpack python3-jinja2 curl python3-dev gcc-arm-none-eabi \
+          gcc-arm-linux-gnueabi g++-arm-linux-gnueabi
+    - name: Remove old rust
+      shell: bash
+      run: sudo apt purge -y 'rust*' 'cargo*'
+    - uses: dtolnay/rust-toolchain@stable
+      env:
+        RUSTUP_HOME: /usr/local/rustup
+        CARGO_HOME: /usr/local/cargo
+    - name: enable mult-thread for `make`
+      shell: bash
+      run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: '1.40.0'
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+        fetch-depth: 0
+    - uses: ./.github/workflows/ubuntu-prepare
+    - uses: Swatinem/rust-cache@v2
+      with: { shared-key: "${{ runner.os }}-shared-fuzzer-cache" }

.github/workflows/ubuntu-prepare/action.yml

@@ -0,0 +1,59 @@
+name: Setup Rust Environment
+description: Sets up the Rust environment for the CI workflow and optionally installs nightly
+
+# ---------- new section ----------
+inputs:
+  use_nightly:
+    description: "If true, install the Rust nightly toolchain instead of stable"
+    required: false
+    default: "false"
+# ---------------------------------
+
+runs:
+  using: composite
+  steps:
+    - name: Uninstall all currently installed Rust
+      shell: bash
+      run: |
+        sudo apt purge -y 'cargo*' 'rust*'
+
+    - name: Install and cache deps
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y \
+          curl lsb-release wget software-properties-common gnupg shellcheck pax-utils \
+          libsqlite3-dev libpixman-1-dev libc6-dev gcc g++ build-essential libglib2.0-dev
+
+    # ---------- toolchain selection ----------
+    - name: Install Rust (stable)
+      if: ${{ inputs.use_nightly == 'false' }}
+      uses: dtolnay/rust-toolchain@stable
+      with:
+        components: clippy, rustfmt
+
+    - name: Install Rust (nightly)
+      if: ${{ inputs.use_nightly == 'true' }}
+      uses: dtolnay/rust-toolchain@nightly
+      with:
+        components: clippy, rustfmt
+    # -----------------------------------------
+
+    - name: Install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: '1.40.0'
+
+    - uses: taiki-e/install-action@cargo-hack
+
+    - name: Install LLVM
+      shell: bash
+      run: |
+        wget https://apt.llvm.org/llvm.sh
+        chmod +x llvm.sh
+        sudo ./llvm.sh ${{ env.MAIN_LLVM_VERSION }} all
+        sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${{ env.MAIN_LLVM_VERSION }} 200
+
+    - name: Symlink headers
+      shell: bash
+      run: sudo ln -s /usr/include/asm-generic /usr/include/asm

.github/workflows/windows-tester-prepare/action.yml

@@ -0,0 +1,21 @@
+name: Setup Rust Environment
+description: Sets up the Rust environment for the CI workflow
+runs:
+  using: composite
+  steps:
+    - uses: dtolnay/rust-toolchain@stable
+      with:
+        components: llvm-tools, clippy, rustfmt
+    - uses: actions/checkout@v4
+    - uses: Swatinem/rust-cache@v2
+    - name: Build docs
+      shell: pwsh
+      run: cargo doc
+    - uses: ilammy/msvc-dev-cmd@v1
+    - name: Set LIBCLANG_PATH
+      shell: pwsh
+      run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV
+    - name: install just
+      uses: extractions/setup-just@v2
+      with:
+        just-version: '1.40.0'

.gitignore

@@ -1,12 +1,19 @@
 target
 target-bin
 out
-Cargo.lock
 vendor
 
+# cargo lockfiles except from binaries
+Cargo.lock
+./**/Cargo.lock
+# Un-ignore Cargo.lock files within the fuzzers directory
+!./fuzzers/**/Cargo.lock
+
 .DS_Store
 .env
+.vscode
 
+*.test
 *.tmp
 *.swp
 *.o
@@ -17,27 +24,31 @@ vendor
 *.bin
 *.dll
 *.exe
+*.dylib
 *.dSYM
 *.obj
 
 .cur_input
+.cur_input_*
+cur_input
 .venv
 
 crashes
+corpus
 
 callgrind.out.*
 perf.data
 perf.data.old
 
-.vscode
+.vscode/settings.json
 test.dict
 
+.idea/
+
 # Ignore all built fuzzers
-fuzzer_*
 AFLplusplus
 test_*
 *_fuzzer
-*_harness
 
 # Ignore common dummy and logfiles
 *.log
@@ -46,6 +57,7 @@ a
 forkserver_test
 __pycache__
 *.lafl_lock
+*.metadata
 
 *atomic_file_testfile*
 **/libxml2
@@ -53,4 +65,35 @@ __pycache__
 **/libxml2-*.tar.gz
 
 libafl_nyx/QEMU-Nyx
-libafl_nyx/packer
+libafl_nyx/packer
+
+.z3-trace
+
+# No gdb history
+.gdb_history
+# No llvm IR
+*.ll
+
+*.tar.gz
+
+# common harness names
+harness
+program
+fuzzer_libpng*
+
+*.patch
+
+# Sometimes this happens
+rustc-ice-*
+
+# perf files
+*.mm_profdata
+
+# backup files
+*.bak
+
+# log
+log
+
+# Coredumps
+*.core

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "libafl_concolic/symcc_runtime/symcc"]
-	path = libafl_concolic/symcc_runtime/symcc
-	url = https://github.com/AFLplusplus/symcc.git

.pre-commit-config.yaml

@@ -0,0 +1,13 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: local
+    hooks:
+      - id: fmt
+        name: fmt
+        entry: scripts/fmt_all.sh check
+        language: script
+- repo: https://github.com/ComPWA/taplo-pre-commit
+  rev: v0.9.3
+  hooks:
+    - id: taplo-format

.vscode/settings.json.default

@@ -0,0 +1,19 @@
+{
+    "[rust]": {
+        "editor.defaultFormatter": "rust-lang.rust-analyzer",
+        "editor.formatOnSave": true
+    },
+    "rust-analyzer.rustfmt.extraArgs": [
+        "+nightly"
+    ],
+    "rust-analyzer.cargo.buildScripts.overrideCommand": [
+        "cargo",
+        "check",
+        "--message-format=json",
+    ],
+    "rust-analyzer.check.overrideCommand": [
+        "cargo",
+        "check",
+        "--message-format=json",
+    ]
+}

CONTRIBUTING.md

@@ -0,0 +1,163 @@
+# How to Contribute to LibAFL
+
+For bugs, feel free to open issues or contact us directly. Thank you for your support. <3
+
+## Pull Request Guideline
+
+Even though we will gladly assist you in finishing up your PR, try to:
+
+- keep all the crates compiling with *stable* rust (hide the eventual non-stable code under [`cfg`s](https://github.com/AFLplusplus/LibAFL/blob/main/libafl/build.rs#L26))
+- run `cargo +nightly fmt` on your code before pushing
+- check the output of `cargo clippy --all` or `./scripts/clippy.sh` (On windows use `.\scripts\clippy.ps1`)
+- run `cargo build --no-default-features` to check for `no_std` compatibility (and possibly add `#[cfg(feature = "std")]`) to hide parts of your code.
+- Please add and describe your changes to MIGRATION.md if you change the APIs.
+
+You can also run ./scripts/precommit.sh to execute checks that will be performed on a PR.
+
+Some of the parts in this list may be hard, don't be afraid to open a PR if you cannot fix them by yourself, so we can help.
+
+### Pre-commit Hooks
+
+Some of these checks can be performed automatically during commit using [pre-commit](https://pre-commit.com/).
+Once the package is installed, simply run `pre-commit install` to enable the hooks, the checks will run automatically before the commit becomes effective.
+
+## LibAFL Code Rules
+
+Before making your pull requests, try to see if your code follows these rules.
+
+- Wherever possible, use `Cow<'static, str>` instead of String.
+- `PhantomData` should have the smallest set of types needed. Try not adding `PhantomData` to your struct unless it is really necessary. Also even when you really need `PhantomData`, try to keep the types `T` used in `PhantomData` as smallest as possible 
+- Wherever possible, trait implementations with lifetime specifiers should use '_ lifetime elision.
+- Complex constructors should be replaced with `typed_builder`, or write code in the builder pattern for yourself.
+
+
+## Rules for Generics and Associated Types
+1. Remove generic restrictions at the definitions (e.g., we do not need to specify that types impl `Serialize`, `Deserialize`, or `Debug` anymore at the struct definitions). Therefore, try avoiding code like this unless the constraint is really necessary.
+```rust
+pub struct X<A> 
+    where
+        A: P // <- Do not add contraints here
+{
+    fn ...
+}
+```
+2. Reduce generics to the least restrictive necessary. __Never overspecify the constraints__. There's no automated tool to check the useless constraints, so you have to verify this manually.
+```rust
+pub struct X<A> 
+    where
+        A: P + Q // <- Try to use the as smallest set of constraints as possible. If the code still compiles after deleting Q, then remove it. 
+{
+    fn ...
+}
+```
+
+3. Prefer generic to associated types in traits definition as much as possible. They are much easier to use around, and avoid tricky caveats / type repetition in the code. It is also much easier to have unconstrained struct definitions.
+Try not to write this:
+```rust
+pub trait X
+{
+    type A;
+    
+    fn a(&self) -> Self::A;
+}
+```
+Try to write this instead:
+```rust
+pub trait X<A>
+{
+    fn a(&self) -> A;
+}
+```
+
+4. Traits which have an associated type (if you have made sure you cannot use a generic instead) should refer to the associated type, not the concrete/generic. In other words, you should only have the associated type when you can define a getter to it. For example, in the following code, you can define a associate type.
+```rust
+pub trait X 
+{
+    type A; // <- You should(can) define it as long as you have a getter to it.
+    
+    fn a(&self) -> Self::A;
+}
+```
+5. Generic naming should be consistent. Do NOT use multiple name for the same generic, it just makes things more confusing. Do:
+```rust
+pub struct X<A> {
+    phantom: PhanomData<A>,
+}
+
+impl<A> X<A> {}
+```
+But not:
+```rust
+pub struct X<A> {
+    phantom: PhanomData<A>,
+}
+
+impl<B> X<B> {} // <- Do NOT do that, use A instead of B
+```
+6. __Ideally__ the types used in the arguments of methods in traits should have the same as the types defined on the traits.
+```rust
+pub trait X<A, B, C> // <- this trait have 3 generics, A, B, and C
+{
+    fn do_stuff(&self, a: A, b: B, c: C); // <- this is good because it uses all A, B, and C.
+    
+    fn do_other_stuff(&self, a: A, b: B); // <- this is not ideal because it does not have C.
+}
+```
+7. Try to avoid cyclical dependency if possible. Sometimes it is necessary but try to avoid it. For example, The following code is a bad example.
+```rust
+pub struct X {}
+pub struct Y {}
+
+pub trait Fuzzer: Sized {
+    fn fuzz<EM>(&self, em: &EM) 
+    where
+        EM: EventManager
+    {
+        em.do_stuff(self);
+    }
+}
+
+pub trait EventManager: Sized {
+    fn do_stuff<Z>(&self, fuzzer: &Z); // <- This function signature should not take fuzzer
+}
+```
+trait `EventManager` should not implement any method that takes fuzzer, any object that could implement `Fuzzer` trait.
+
+
+## Formatting
+1. Always alphabetically order the type generics. Therefore,
+```rust
+pub struct X<E, EM, OT, S, Z> {}; // <- Generics are alphabetically ordered
+```
+But not,
+```rust
+pub struct X<S, OT, Z, EM, E> {}; // <- Generics are not ordered
+```
+2. Similarly, generic bounds in `where` clauses should be alphabetically sorted.
+Prefer:
+```rust
+pub trait FooA {}
+pub trait FooB {}
+
+pub struct X<A, B>;
+
+impl<A, B> X<A, B>
+where
+    A: FooA,
+    B: FooB,
+{}
+```
+Over:
+```rust
+pub trait FooA {}
+pub trait FooB {}
+
+pub struct X<A, B>;
+
+impl<A, B> X<A, B>
+where
+    B: FooB, // <-|
+             //   | Generic bounds are not alphabetically ordered.
+    A: FooA, // <-|
+{}
+```

Cargo.toml

@@ -1,42 +1,188 @@
 [workspace]
+resolver = "2"
 members = [
-    "libafl",
-    "libafl_derive",
-    "libafl_cc",
-    "libafl_targets",
-    "libafl_frida",
-    "libafl_qemu",
-    "libafl_tinyinst",
-    "libafl_sugar",
-    "libafl_nyx",
-    "libafl_concolic/symcc_runtime",
-    "libafl_concolic/symcc_libafl",
-    "libafl_concolic/test/dump_constraints",
-    "libafl_concolic/test/runtime_test",
-    "utils/deexit",
-    "utils/gramatron/construct_automata",
-    "utils/libafl_benches",
+  "libafl",
+  "libafl_bolts",
+  "libafl_cc",
+  "libafl_concolic/symcc_runtime",
+  "libafl_concolic/symcc_libafl",
+  "libafl_derive",
+  "libafl_frida",
+  "libafl_intelpt",
+  "libafl_libfuzzer",
+  "libafl_nyx",
+  "libafl_unicorn",
+  "libafl_targets",
+  "libafl_tinyinst",
+  "libafl_qemu",
+  "libafl_qemu/libafl_qemu_build",
+  "libafl_qemu/libafl_qemu_sys",
+  "libafl_sugar",
+  "libafl_concolic/test/dump_constraints",
+  "libafl_concolic/test/runtime_test",
+  "utils/build_and_test_fuzzers",
+  "utils/deexit",
+  "utils/drcov_utils",
+  "utils/gramatron/construct_automata",
+  "utils/libafl_benches",
+  "utils/libafl_jumper",
+  "utils/ci_runner",
+  "utils/ci_splitter",
 ]
+
 default-members = [
-    "libafl",
-    "libafl_derive",
-    "libafl_cc",
-    "libafl_targets",
+  "libafl",
+  "libafl_bolts",
+  "libafl_cc",
+  "libafl_derive",
+  "libafl_targets",
 ]
+
 exclude = [
-    "fuzzers",
-    "bindings",
-    "scripts",
-    "libafl_qemu/libafl_qemu_build",
-    "libafl_qemu/libafl_qemu_sys"
+  "bindings/pylibafl",
+  "docs",
+  "fuzzers",
+  "libafl_libfuzzer_runtime",
+  "utils/noaslr",
+  "utils/gdb_qemu",
+  "utils/libafl_repo_tools",
+  "utils/desyscall",
+  "utils/multi_machine_generator",
+  "scripts",
+  # additional crates
+  "libafl_concolic/test/symcc/util/symcc_fuzzing_helper",
 ]
 
 [workspace.package]
-version = "0.8.2"
+version = "0.15.3"
+license = "MIT OR Apache-2.0"
+
+[workspace.dependencies]
+# Internal deps
+libafl = { path = "./libafl", version = "0.15.3", default-features = false }
+libafl_bolts = { path = "./libafl_bolts", version = "0.15.3", default-features = false }
+libafl_cc = { path = "./libafl_cc", version = "0.15.3", default-features = false }
+symcc_runtime = { path = "./libafl_concolic/symcc_runtime", version = "0.15.2", default-features = false }
+symcc_libafl = { path = "./libafl_concolic/symcc_libafl", version = "0.15.3", default-features = false }
+libafl_derive = { path = "./libafl_derive", version = "0.15.3", default-features = false }
+libafl_frida = { path = "./libafl_frida", version = "0.15.3", default-features = false }
+libafl_intelpt = { path = "./libafl_intelpt", version = "0.15.3", default-features = false }
+libafl_libfuzzer = { path = "./libafl_libfuzzer", version = "0.15.3", default-features = false }
+libafl_nyx = { path = "./libafl_nyx", version = "0.15.3", default-features = false }
+libafl_targets = { path = "./libafl_targets", version = "0.15.3", default-features = false }
+libafl_tinyinst = { path = "./libafl_tinyinst", version = "0.15.3", default-features = false }
+libafl_qemu = { path = "./libafl_qemu", version = "0.15.3", default-features = false }
+libafl_qemu_build = { path = "./libafl_qemu/libafl_qemu_build", version = "0.15.3", default-features = false }
+libafl_qemu_sys = { path = "./libafl_qemu/libafl_qemu_sys", version = "0.15.3", default-features = false }
+libafl_sugar = { path = "./libafl_sugar", version = "0.15.3", default-features = false }
+dump_constraints = { path = "./libafl_concolic/test/dump_constraints", version = "0.15.2", default-features = false }
+runtime_test = { path = "./libafl_concolic/test/runtime_test", version = "0.15.2", default-features = false }
+build_and_test_fuzzers = { path = "./utils/build_and_test_fuzzers", version = "0.15.2", default-features = false }
+deexit = { path = "./utils/deexit", version = "0.15.2", default-features = false }
+drcov_utils = { path = "./utils/drcov_utils", version = "0.15.2", default-features = false }
+construct_automata = { path = "./utils/gramatron/construct_automata", version = "0.15.2", default-features = false }
+libafl_benches = { path = "./utils/libafl_benches", version = "0.15.3", default-features = false }
+libafl_jumper = { path = "./utils/libafl_jumper", version = "0.15.3", default-features = false }
+
+# External deps
+ahash = { version = "0.8.12", default-features = false }     # The hash function already used in hashbrown
+arbitrary-int = "1.2.7"                                      # arbitrary sized integers, useful in combination with bitfields (bitbybit crate)
+backtrace = { version = "0.3.74", default-features = false } # Used to get the stacktrace in StacktraceObserver
+bindgen = "0.71.1"
+# 2024-12-16: bitbybit 1.3.3 is leading CI to fail due to missing docs.
+# fixme: Change this to 1.3.3 when the issue https://github.com/danlehmann/bitfield/issues/66 is resolved.
+bitbybit = "=1.3.2" # bitfields, use this for bit fields and bit enums
+capstone = "0.13.0" # Disassembler used in libafl_unicorn to provide disassembly on crash
+clap = "4.5.18"
+cc = "1.1.21"
+cmake = "0.1.51"
+document-features = "0.2.10"
+fastbloom = { version = "0.11.0", default-features = false }
+hashbrown = { version = "0.14.5", default-features = false } # A faster hashmap, nostd compatible
+just = "1.40.0"
+libc = "0.2.159" # For (*nix) libc
+libipt = "0.3.0"
+log = "0.4.22"
+meminterval = "0.4.1"
+mimalloc = { version = "0.1.43", default-features = false }
+nix = { version = "0.29.0", default-features = false }
+num_enum = { version = "0.7.3", default-features = false }
+num-traits = { version = "0.2.19", default-features = false }
+paste = "1.0.15"
+postcard = { version = "1.0.10", features = [
+  "alloc",
+], default-features = false } # no_std compatible serde serialization format
+pyo3 = "0.24.1"
+pyo3-build-config = "0.25.0"
+rangemap = "1.5.1"
+regex = "1.10.6"
+rustversion = "1.0.17"
+serde = { version = "1.0.210", default-features = false } # serialization lib
+serial_test = { version = "3.1.1", default-features = false }
+serde_json = { version = "1.0.128", default-features = false }
+serde_yaml = { version = "0.9.34" } # For parsing the injections yaml file
+static_assertions = "1.1.0"
+strum = "0.27.0"
+strum_macros = "0.27.0"
+toml = "0.8.19" # For parsing the injections toml file
+typed-builder = "0.21.0" # Implement the builder pattern at compiletime
+typeid = "1.0.0" # Safe type_eq that doesn't rely on std specialization
+unicorn-engine = "2.0.1" # Used in libafl_unicorn
+uuid = { version = "1.10.0", features = ["serde", "v4"] }
+which = "7.0.2"
+windows = "0.59.0"
+z3 = "0.12.1"
+fs2 = "0.4.3" # Used by OnDisk Corpus for file locking
+
+[workspace.lints.rust]
+# Deny
+warnings = { level = "deny", priority = -1 }
+
+# Forbid
+unexpected_cfgs = "forbid"
+
+# Allow
+incomplete_features = "allow"
+# ambiguous_glob_reexports = "allow"
+
+
+[workspace.lints.clippy]
+# Deny
+all = { level = "deny", priority = -1 }
+pedantic = { level = "deny", priority = -1 }
+cargo_common_metadata = "deny"
+
+alloc_instead_of_core = "deny"
+std_instead_of_alloc = "deny"
+std_instead_of_core = "deny"
+
+# Warn
+cargo = { level = "warn", priority = -1 }
+
+# Allow
+negative_feature_names = "allow"    # TODO: turn into 'warn' when working
+multiple_crate_versions = "allow"   # TODO: turn into `warn` when working
+unreadable_literal = "allow"
+type_repetition_in_bounds = "allow"
+missing_errors_doc = "allow"
+cast_possible_truncation = "allow"
+used_underscore_binding = "allow"
+ptr_as_ptr = "allow"
+missing_panics_doc = "allow"
+module_name_repetitions = "allow"
+unsafe_derive_deserialize = "allow"
+similar_names = "allow"
+too_many_lines = "allow"
+comparison_chain = "allow"          # This lint makes **ZERO** sense
+struct_field_names = "allow"        # ????
+
+[workspace.lints.rustdoc]
+# Deny
+broken_intra_doc_links = "deny"
+
 
 [profile.release]
 lto = true
 codegen-units = 1
 opt-level = 3
 debug = true
-

Dockerfile

@@ -1,122 +1,103 @@
 # syntax=docker/dockerfile:1.2
-FROM rust:bullseye AS libafl
+FROM rust:1.87.0 AS libafl
 LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
 LABEL "about"="LibAFL Docker image"
 
-# install sccache to cache subsequent builds of dependencies
-RUN cargo install sccache
+# Install cargo-binstall
+RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+
+# We now use just to build things rather than cargo-make
+RUN cargo binstall --no-confirm just
+# Nexttest allows us to run tests which panic in an environment where we can't unwind
+RUN cargo binstall --no-confirm cargo-nextest
+# Cargo fuzz is useful for fuzz testing our implementations
+RUN cargo binstall -y cargo-fuzz
+# Taplo allows us to format toml files
+RUN cargo binstall -y taplo-cli
 
 ENV HOME=/root
-ENV SCCACHE_CACHE_SIZE="1G"
-ENV SCCACHE_DIR=$HOME/.cache/sccache
-ENV RUSTC_WRAPPER="/usr/local/cargo/bin/sccache"
 ENV IS_DOCKER="1"
 RUN sh -c 'echo set encoding=utf-8 > /root/.vimrc' \
-    echo "export PS1='"'[LibAFL \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc && \
-    mkdir ~/.cargo && \
-    echo "[build]\nrustc-wrapper = \"${RUSTC_WRAPPER}\"" >> ~/.cargo/config
+  echo "export PS1='"'[LibAFL \h] \w$(__git_ps1) \$ '"'" >> ~/.bashrc && \
+  mkdir ~/.cargo && \
+  echo "[build]\nrustc-wrapper = \"${RUSTC_WRAPPER}\"" >> ~/.cargo/config
 
 RUN rustup component add rustfmt clippy
 
-# Install clang 11, common build tools
-RUN apt update && apt install -y build-essential gdb git wget clang clang-tools libc++-11-dev libc++abi-11-dev llvm
+RUN rustup target add armv7-unknown-linux-gnueabi
+RUN rustup target add aarch64-unknown-linux-gnu
+RUN rustup target add i686-unknown-linux-gnu
+RUN rustup target add powerpc-unknown-linux-gnu
 
-# Copy a dummy.rs and Cargo.toml first, so that dependencies are cached
-WORKDIR /libafl
-COPY Cargo.toml README.md ./
+# Install clang 18, common build tools
+ENV LLVM_VERSION=18
+ENV LLVM_CONFIG=llvm-config-${LLVM_VERSION}
+RUN dpkg --add-architecture i386
+RUN apt-get update && \
+    apt-get install -y \
+    build-essential \
+    cmake \
+    curl \
+    g++-aarch64-linux-gnu \
+    g++-arm-linux-gnueabi \
+    g++-i686-linux-gnu \
+    g++-mipsel-linux-gnu \
+    g++-powerpc-linux-gnu \
+    gcc-aarch64-linux-gnu \
+    gcc-arm-linux-gnueabi \
+    gcc-i686-linux-gnu \
+    gcc-mipsel-linux-gnu \
+    gcc-powerpc-linux-gnu \
+    gcc-riscv64-linux-gnu \
+    gdb \
+    gdb-multiarch \
+    git \
+    gnupg \
+    less \
+    libc6-dev:i386 \
+    libclang-dev \
+    libgcc-12-dev:i386 \
+    libglib2.0-dev \
+    lsb-release \
+    ninja-build \
+    python3 \
+    python3-pip \
+    python3-venv \
+    software-properties-common \
+    ca-certificates \
+    wget
+RUN set -ex &&\
+  wget https://apt.llvm.org/llvm.sh &&\
+  chmod +x llvm.sh &&\
+  ./llvm.sh ${LLVM_VERSION}
 
-COPY libafl_derive/Cargo.toml libafl_derive/Cargo.toml
-COPY scripts/dummy.rs libafl_derive/src/lib.rs
+RUN apt-get update && \
+  apt-get install -y \
+  clang-format-${LLVM_VERSION}
 
-COPY libafl/Cargo.toml libafl/build.rs libafl/
-COPY libafl/examples libafl/examples
-COPY scripts/dummy.rs libafl/src/lib.rs
+# Install a modern version of QEMU
+WORKDIR /root
+ENV QEMU_VER=10.0.0
+RUN wget https://download.qemu.org/qemu-${QEMU_VER}.tar.xz && \
+    tar xvJf qemu-${QEMU_VER}.tar.xz && \
+    cd /root/qemu-${QEMU_VER} && \
+   ./configure --target-list="\
+      arm-linux-user,\
+      aarch64-linux-user,\
+      i386-linux-user,\
+      ppc-linux-user,\
+      mips-linux-user,\
+      x86_64-linux-user,\
+      arm-softmmu,\
+      aarch64-softmmu,\
+      i386-softmmu,\
+      ppc-softmmu,\
+      mips-softmmu,\
+      x86_64-softmmu" && \
+    make -j && \
+    make install && \
+    cd /root && \
+    rm -rf qemu-${QEMU_VER}
 
-COPY libafl_frida/Cargo.toml libafl_frida/build.rs libafl_frida/
-COPY scripts/dummy.rs libafl_frida/src/lib.rs
-COPY libafl_frida/src/gettls.c libafl_frida/src/gettls.c
-
-COPY libafl_qemu/Cargo.toml libafl_qemu/build.rs libafl_qemu/
-COPY scripts/dummy.rs libafl_qemu/src/lib.rs
-
-COPY libafl_qemu/libafl_qemu_build/Cargo.toml libafl_qemu/libafl_qemu_build/
-COPY scripts/dummy.rs libafl_qemu/libafl_qemu_build/src/lib.rs
-
-COPY libafl_qemu/libafl_qemu_sys/Cargo.toml libafl_qemu/libafl_qemu_sys/build.rs libafl_qemu/libafl_qemu_sys/
-COPY scripts/dummy.rs libafl_qemu/libafl_qemu_sys/src/lib.rs
-
-COPY libafl_sugar/Cargo.toml libafl_sugar/
-COPY scripts/dummy.rs libafl_sugar/src/lib.rs
-
-COPY libafl_cc/Cargo.toml libafl_cc/Cargo.toml
-COPY libafl_cc/build.rs libafl_cc/build.rs
-COPY libafl_cc/src libafl_cc/src
-COPY scripts/dummy.rs libafl_cc/src/lib.rs
-
-COPY libafl_targets/Cargo.toml libafl_targets/build.rs libafl_targets/
-COPY libafl_targets/src libafl_targets/src
-COPY scripts/dummy.rs libafl_targets/src/lib.rs
-
-COPY libafl_concolic/test/dump_constraints/Cargo.toml libafl_concolic/test/dump_constraints/
-COPY scripts/dummy.rs libafl_concolic/test/dump_constraints/src/lib.rs
-
-COPY libafl_concolic/test/runtime_test/Cargo.toml libafl_concolic/test/runtime_test/
-COPY scripts/dummy.rs libafl_concolic/test/runtime_test/src/lib.rs
-
-COPY libafl_concolic/symcc_runtime/Cargo.toml libafl_concolic/symcc_runtime/build.rs libafl_concolic/symcc_runtime/
-COPY scripts/dummy.rs libafl_concolic/symcc_runtime/src/lib.rs
-
-COPY libafl_concolic/symcc_libafl/Cargo.toml libafl_concolic/symcc_libafl/
-COPY scripts/dummy.rs libafl_concolic/symcc_libafl/src/lib.rs
-
-COPY libafl_nyx/Cargo.toml libafl_nyx/build.rs libafl_nyx/
-COPY scripts/dummy.rs libafl_nyx/src/lib.rs
-
-COPY libafl_tinyinst/Cargo.toml libafl_tinyinst/
-COPY scripts/dummy.rs libafl_tinyinst/src/lib.rs
-
-COPY utils utils
-
-RUN cargo build && cargo build --release
-
-COPY scripts scripts
-COPY docs docs
-
-# Pre-build dependencies for a few common fuzzers
-
-# Dep chain:
-# libafl_cc (independent)
-# libafl_derive -> libafl
-# libafl -> libafl_targets
-# libafl_targets -> libafl_frida
-
-# Build once without source
-COPY libafl_cc/src libafl_cc/src
-RUN touch libafl_cc/src/lib.rs
-COPY libafl_derive/src libafl_derive/src
-RUN touch libafl_derive/src/lib.rs
-COPY libafl/src libafl/src
-RUN touch libafl/src/lib.rs
-COPY libafl_targets/src libafl_targets/src
-RUN touch libafl_targets/src/lib.rs
-COPY libafl_frida/src libafl_frida/src
-RUN touch libafl_qemu/libafl_qemu_build/src/lib.rs
-COPY libafl_qemu/libafl_qemu_build/src libafl_qemu/libafl_qemu_build/src
-RUN touch libafl_qemu/libafl_qemu_sys/src/lib.rs
-COPY libafl_qemu/libafl_qemu_sys/src libafl_qemu/libafl_qemu_sys/src
-RUN touch libafl_qemu/src/lib.rs
-COPY libafl_qemu/src libafl_qemu/src
-RUN touch libafl_frida/src/lib.rs
-COPY libafl_concolic/symcc_libafl libafl_concolic/symcc_libafl
-COPY libafl_concolic/symcc_runtime libafl_concolic/symcc_runtime
-COPY libafl_concolic/test libafl_concolic/test
-COPY libafl_nyx/src libafl_nyx/src
-RUN touch libafl_nyx/src/lib.rs
-RUN cargo build && cargo build --release
-
-# Copy fuzzers over
-COPY fuzzers fuzzers
-
-# RUN ./scripts/test_all_fuzzers.sh --no-fmt
-
-ENTRYPOINT [ "/bin/bash" ]
+ENTRYPOINT [ "/bin/bash", "-c" ]
+CMD ["/bin/bash"]

MIGRATION.md

@@ -0,0 +1,51 @@
+# Migration Notes For LibAFL Versions
+
+## 0.15.0 -> 0.16.0
+
+- `EventManager` is refactored to avoid calling function from `Fuzzer`, thus we do not evaluate testcases in `EventManager` anymore.
+  - Now we have `EventReceiver` in `events` module, and `EventProcessor` in `fuzzer` module.
+  - `EventReceiver` is responsible for receiving testcases and delegates its evaluation to `EventProcessor`.
+  - `EventProcessor` is responsible for evaluating the testcases passed by the `EventReceiver`.
+  - Since we don't evaluate testcases in the `EventManager` anymore. `on_fire` and `post_exec` have been deleted from `EventManagerHook`.
+  - Similarly `pre_exec` has been renamed to `pre_receive`.
+- `AsanModule` now uses a `builder()` method for constructing its instances.
+- `Monitor` is refactored. Most statistics have been extracted into an individual `stats` module under `monitors`.
+  - There is a `ClientStatsManager` to manage client statistics, and is owned by `EventManager`. Most of previous `Monitor`'s trait methods have been moved to the `ClientStatsManager`.
+  - `user_monitor` has been renamed to `user_stats`, `introspection_monitor` has been renamed to `introspection_stats`, perf-related structure definitions have been renamed, and all were moved to the `stats` module.
+  - `OnDiskTomlMonitor`, `OnDiskJsonMonitor`, `OnDiskJsonAggregateMonitor` are now no longer takes a base monitor to wrap. If you want to use multiple monitors together, simply use a `tuple_list`.
+- `MultipartInput` is now implemented as key-value tuples in a `ListInput`. The interface slightly changed, all functionality is maintained.
+  - Instead of names, `MultipartInput` uses generic `key`s (function names were changed accordingly).
+  - If you don't need the keys to identify individual parts, consider using `ListInput` directly.
+  - `StdScheduledMutator` has been renamed to `HavocScheduledMutator`.
+
+## 0.14.1 -> 0.15.0
+
+- `MmapShMem::new` and `MmapShMemProvider::new_shmem_with_id` now take `AsRef<Path>` instead of a byte array for the filename/id.
+- The closure passed to a `DumpToDiskStage` now provides the `Testcase` instead of just the `Input`.
+- `StatsStage` is deleted, and it is superceded by `AflStatsStage`
+- Renamed and changed mapping mutators to take borrows directly instead of `MappedInput`s. See `baby_fuzzer_custom_input` for example usage
+  - Related: `MutVecInput` is deprecated in favor of directly using `&mut Vec<u8>`
+  - Related: `MappedInputFunctionMappingMutator` and `ToMappedInputFunctionMappingMutatorMapper` have been removed as now duplicates of `MappingMutator` (previously `FunctionMappingMutator`) and `ToMappingMutator` (previously `ToFunctionMappingMutatorMapper`)
+  - Related: `ToOptionMappingMutatorMapper` and `ToFunctionMappingMutatorMapper` have been renamed to `ToOptionalMutator` and `ToMappingMutator` respectively
+- `Qemu` cannot be used to initialize `Emulator` directly anymore. Instead, `Qemu` should be initialized through `Emulator` systematically if `Emulator` should be used.
+  - Related: `EmulatorBuilder` uses a single function to provide a `Qemu` initializer: `EmulatorBuilder::qemu_parameters`. For now, it can be either a `Vec<String>` or a `QemuConfig` instance.
+  - Related: Qemu's `AsanModule` does not need any special call to `Qemu` init methods anymore. It is now possible to simply initialize `AsanModule` (or `AsanGuestModule`) with a reference to the environment as parameter.
+  - `CustomBufHandlers` has been deleted. Please use `EventManagerHooksTuple` from now on.
+- Trait restrictions have been simplified
+  - The `UsesState` and `UsesInput` traits have been removed in favor of regular Generics.
+  - For the structs/traits that used to use `UsesState`, we bring back the generic for the state.
+  - `Input` is now only accessible through generic. `Input` associated types have been definitely removed.
+  - `HasCorpus` bound has been removed in many places it was unused before.
+  - `StdMutationalStage::transforming` must now explicitly state the Inputs types. As a result, `StdMutationalStage::transforming` must be written `StdMutationalStage::<_, _, FirstInputType, SecondInputType, _, _, _>::transforming`.
+  - The `State` trait is now private in favour of individual and more specific traits
+- Restrictions from certain schedulers and stages that required their inner observer to implement `MapObserver` have been lifted in favor of requiring `Hash`
+  - Related: removed `hash_simple` from `MapObserver`
+
+## 0.14.0 -> 0.15.0
+
+- Removed `with_observers` from `Executor` trait.
+- `MmapShMemProvider::new_shmem_persistent` has been removed in favour of `MmapShMem::persist`. You probably want to do something like this: `let shmem = MmapShMemProvider::new()?.new_shmem(size)?.persist()?;`
+
+## Pre 0.9 -> 0.9
+
+- [Migrating from LibAFL <0.9 to 0.9](https://aflplus.plus/libafl-book/design/migration-0.9.html)

README.md

@@ -1,19 +1,10 @@
 # LibAFL, the fuzzer library.
 
- <img align="right" src="https://github.com/AFLplusplus/Website/raw/master/static/logo_256x256.png" alt="AFL++ Logo">
+ <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/libafl_logo.svg" alt="LibAFL logo" width="250" heigh="250">
 
 Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
 
-LibAFL is written and maintained by
-
- * [Andrea Fioraldi](https://twitter.com/andreafioraldi) <andrea@aflplus.plus>
- * [Dominik Maier](https://twitter.com/domenuk) <dominik@aflplus.plus>
- * [s1341](https://twitter.com/srubenst1341) <github@shmarya.net>
- * [Dongjia Zhang](https://github.com/tokatoka) <toka@aflplus.plus>
-
-## Why LibAFL?
-
-LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable.
+LibAFL is a collection of reusable pieces of fuzzers, written in Rust, it gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable.
 Some highlight features currently include:
 - `fast`: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
 - `scalable`: `Low Level Message Passing`, `LLMP` for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines.
@@ -22,104 +13,80 @@ feel free to add an AST-based input for structured fuzzing, and more.
 - `multi platform`: LibAFL was confirmed to work on *Windows*, *MacOS*, *Linux*, and *Android* on *x86_64* and *aarch64*. `LibAFL` can be built in `no_std` mode to inject LibAFL into obscure targets like embedded devices and hypervisors.
 - `bring your own target`: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends.
 
-## Overview
+## Core concepts
 
-LibAFL is a collection of reusable pieces of fuzzers, written in Rust.
-It is fast, multi-platform, no_std compatible, and scales over cores and machines.
+LibAFL is fast, multi-platform, no_std compatible, and scales over cores and machines. It offers a main crate that provide building blocks for custom fuzzers, [libafl](./libafl), a library containing common code that can be used for targets instrumentation, [libafl_targets](./libafl_targets), and a library providing facilities to wrap compilers, [libafl_cc](./libafl_cc). It offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
++ `SanitizerCoverage`, in [libafl_targets](./libafl_targets)
++ `Frida`, in [libafl_frida](./libafl_frida)
++ `QEMU` user-mode and system mode, including hooks for emulation, in [libafl_qemu](./libafl_qemu)
++ `TinyInst`, in [libafl_tinyinst](./libafl_tinyinst) by [elbiazo](https://github.com/elbiazo)
 
-It offers a main crate that provide building blocks for custom fuzzers, [libafl](./libafl), a library containing common code that can be used for targets instrumentation, [libafl_targets](./libafl_targets), and a library providing facilities to wrap compilers, [libafl_cc](./libafl_cc).
+## Building and installing
 
-LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
-
-+ SanitizerCoverage, in [libafl_targets](./libafl_targets)
-+ Frida, in [libafl_frida](./libafl_frida)
-+ QEMU user-mode, in [libafl_qemu](./libafl_qemu)
-+ TinyInst, in [libafl_tinyinst](./libafl_tinyinst) by [elbiazo](https://github.com/elbiazo)
-
-## Getting started
-
-1. Install the Dependecies
-- The Rust development language.  
-We highly recommend *not* to use e.g. your Linux distribition package as this is likely outdated. So rather install
-Rust directly, instructions can be found [here](https://www.rust-lang.org/tools/install).
-
-- LLVM tools  
-The LLVM tools are needed (newer than LLVM 11.0.0 but older than LLVM 15.0.0)
-
-- Cargo-make  
-We use cargo-make to build the fuzzers in `fuzzers/` directory. You can install it with
-
-```
-cargo install cargo-make
-```
-
-2. Clone the LibAFL repository with
-
-```
+#### Install the Dependencies
+- **The Rust development language**
+    - We highly recommend *not* to use e.g. your Linux distribution package as this is likely outdated. So rather install Rust directly, instructions can be found [here](https://www.rust-lang.org/tools/install).
+- **LLVM tools**
+    - The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from [here](https://apt.llvm.org/)
+    - (In `libafl_concolic`, we only support LLVM version newer than 18)
+- Just:
+    - We use [just](https://github.com/casey/just) to build the fuzzers in `fuzzers/` directory. You can find instructions to install it in your environment [in the Just Programmer's Manual](https://just.systems/man/en/packages.html).
+ 
+#### Clone the LibAFL repository with
+```sh
 git clone https://github.com/AFLplusplus/LibAFL
 ```
-
-3. Build the library using
-
-```
+#### Build the library using
+```sh
 cargo build --release
 ```
-
-4. Build the API documentation with
-
-```
+#### Build the API documentation with
+```sh
 cargo doc
 ```
-
-5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://github.com/rust-lang/mdBook))
-
-```
+#### Browse the LibAFL book (WIP!) with (requires [mdbook](https://rust-lang.github.io/mdBook/index.html))
+```sh
 cd docs && mdbook serve
 ```
-
+## Getting started 
 We collect all example fuzzers in [`./fuzzers`](./fuzzers/).
 Be sure to read their documentation (and source), this is *the natural way to get started!*
-
-You can run each example fuzzer with
+```sh
+just run
 ```
-cargo make run
-```
-as long as the fuzzer directory has `Makefile.toml` file.
+You can run each example fuzzer with this following command, as long as the fuzzer directory has a `Justfile` file. The best-tested fuzzer is [`./fuzzers/inprocess/libfuzzer_libpng`](./fuzzers/inprocess/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
 
-The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
+### Resources 
+- [Installation guide](./docs/src/getting_started/setup.md)
+- [Online API documentation](https://docs.rs/libafl/)
+- The LibAFL book (WIP) [online](https://aflplus.plus/libafl-book) or in the [repo](./docs/src/)
+- Our research [paper](https://www.s3.eurecom.fr/docs/ccs22_fioraldi.pdf)
+- Our RC3 [talk](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") explaining the core concepts
+- Our Fuzzcon Europe [talk](https://www.youtube.com/watch?v=PWB8GIhFAaI "LibAFL: The Advanced Fuzzing Library") with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
+- The Fuzzing101 [solutions](https://github.com/epi052/fuzzing-101-solutions) & series of [blog posts](https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/) by [epi](https://github.com/epi052)
+- Blogpost on binary-only fuzzing lib libaf_qemu, [Hacking TMNF - Fuzzing the game server](https://blog.bricked.tech/posts/tmnf/part1/), by [RickdeJager](https://github.com/RickdeJager).
+- [A LibAFL Introductory Workshop](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop), by [Jordan Whitehead](https://github.com/jordan9001)
 
-## Resources
+## Contributors
 
-+ [Installation guide](./docs/src/getting_started/setup.md)
+LibAFL is written and maintained by
 
-+ [Online API documentation](https://docs.rs/libafl/)
-
-+ The LibAFL book (WIP) [online](https://aflplus.plus/libafl-book) or in the [repo](./docs/src/)
-
-+ Our research [paper](https://www.s3.eurecom.fr/docs/ccs22_fioraldi.pdf)
-
-+ Our RC3 [talk](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") explaining the core concepts
-
-+ Our Fuzzcon Europe [talk](https://www.youtube.com/watch?v=PWB8GIhFAaI "LibAFL: The Advanced Fuzzing Library") with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
-
-+ The Fuzzing101 [solutions](https://github.com/epi052/fuzzing-101-solutions) & series of [blog posts](https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/) by [epi](https://github.com/epi052)
-
-+ Blogpost on binary-only fuzzing lib libaf_qemu, [Hacking TMNF - Fuzzing the game server](https://blog.bricked.tech/posts/tmnf/part1/), by [RickdeJager](https://github.com/RickdeJager).
+ * [Andrea Fioraldi](https://twitter.com/andreafioraldi) <andrea@aflplus.plus>
+ * [Dominik Maier](https://twitter.com/domenuk) <dominik@aflplus.plus>
+ * [s1341](https://twitter.com/srubenst1341) <github@shmarya.net>
+ * [Dongjia Zhang](https://github.com/tokatoka) <toka@aflplus.plus>
+ * [Addison Crump](https://github.com/addisoncrump) <me@addisoncrump.info>
+ * [Romain Malmain](https://github.com/rmalmain) <rmalmain@pm.me>
 
 ## Contributing
 
-For bugs, feel free to open issues or contact us directly. Thank you for your support. <3
+Please check out **[CONTRIBUTING.md](CONTRIBUTING.md)** for the contributing guideline.
 
-Even though we will gladly assist you in finishing up your PR, try to
-- keep all the crates compiling with *stable* rust (hide the eventual non-stable code under [`cfg`s](https://github.com/AFLplusplus/LibAFL/blob/main/libafl/build.rs#L26))
-- run `cargo fmt` on your code before pushing
-- check the output of `cargo clippy --all` or `./clippy.sh`
-- run `cargo build --no-default-features` to check for `no_std` compatibility (and possibly add `#[cfg(feature = "std")]`) to hide parts of your code.
+## Debugging
 
-Some of the parts in this list may be hard, don't be afraid to open a PR if you cannot fix them by yourself, so we can help.
+Your fuzzer doesn't work as expected? Try reading [DEBUGGING.md](./docs/src/DEBUGGING.md) to understand how to debug your problems.
 
 ## Cite
-
 If you use LibAFL for your academic work, please cite the following paper:
 
 ```bibtex
@@ -149,11 +116,3 @@ Unless you explicitly state otherwise, any contribution intentionally submitted
 for inclusion in this crate by you, as defined in the Apache-2.0 license, shall
 be dual licensed as above, without any additional terms or conditions.
 </sub>
-
-<br>
-
-<sub>
-Dependencies under more restrictive licenses, such as GPL or AGPL, can be enabled
-using the respective feature in each crate when it is present, such as the
-'agpl' feature of the libafl crate.
-</sub>

TROPHIES.md

@@ -0,0 +1,17 @@
+# Bugs found by `libafl` and `libafl_libfuzzer`
+
+* pdf-rs
+    * <https://github.com/pdf-rs/pdf/issues/183>
+    * <https://github.com/pdf-rs/pdf/issues/184>
+    * <https://github.com/pdf-rs/pdf/issues/185>
+    * <https://github.com/pdf-rs/pdf/issues/186>
+    * <https://github.com/pdf-rs/pdf/issues/187>
+    * <https://github.com/pdf-rs/pdf/issues/189>
+* nu-shell
+    * https://github.com/nushell/nushell/issues/10365
+    * https://github.com/nushell/nushell/issues/9417
+* exrs
+    * https://github.com/johannesvollmer/exrs/pull/221
+* pcre2
+    * https://github.com/PCRE2Project/pcre2/issues/275
+

bindings/pylibafl/.gitignore

@@ -0,0 +1 @@
+dist/

bindings/pylibafl/Cargo.toml

@@ -1,20 +1,36 @@
 [package]
 name = "pylibafl"
-version = "0.8.2"
-edition = "2021"
+description = "Python bindings for LibAFL"
+version = "0.15.3"
+license = "MIT OR Apache-2.0"
+repository = "https://github.com/AFLplusplus/LibAFL/"
+keywords = ["fuzzing", "testing", "security", "python"]
+edition = "2024"
+categories = ["development-tools::testing", "emulators", "embedded", "os"]
 
 [dependencies]
-pyo3 = { version = "0.17", features = ["extension-module"] }
-libafl_qemu = { path = "../../libafl_qemu", version = "0.8.2", features = ["python"] }
-libafl_sugar = { path = "../../libafl_sugar", version = "0.8.2", features = ["python"] }
-libafl = { path = "../../libafl", version = "0.8.2", features = ["python"] }
+pyo3 = { version = "0.24.0", features = ["extension-module"] }
+pyo3-log = { version = "0.12.2" }
+libafl_sugar = { path = "../../libafl_sugar", version = "0.15.3", features = [
+  "python",
+] }
+libafl_bolts = { path = "../../libafl_bolts", version = "0.15.3", features = [
+  "python",
+] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+libafl_qemu = { path = "../../libafl_qemu", version = "0.15.3", features = [
+  "python",
+] }
 
 [build-dependencies]
-pyo3-build-config = { version = "0.17" }
+pyo3-build-config = "0.24.0"
 
 [lib]
 name = "pylibafl"
 crate-type = ["cdylib"]
 
-[profile.dev]
-panic = "abort"
+# TODO: find a way to fix this when a solution is found
+# https://github.com/rust-lang/cargo/issues/9330
+# [profile.dev]
+# panic = "abort"

bindings/pylibafl/pyproject.toml

@@ -0,0 +1,26 @@
+[build-system]
+requires = ["maturin[patchelf]>=1.0,<2.0"]
+build-backend = "maturin"
+
+[project]
+name = "PyLibAFL"
+version = "0.15.3"
+description = "Advanced Fuzzing Library for Python"
+readme = "README.md"
+requires-python = ">=3.8"
+license = { text = "Apache-2.0" }
+classifiers = [
+  "License :: OSI Approved :: Apache Software License",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Rust",
+  "Topic :: Security",
+]
+
+[project.urls]
+repository = "https://github.com/AFLplusplus/LibAFL.git"
+
+[tool.maturin]
+bindings = "pyo3"
+manifest-path = "Cargo.toml"
+python-source = "src"
+all-features = true

bindings/pylibafl/src/lib.rs

@@ -1,121 +1,33 @@
-use libafl;
-#[cfg(target_os = "linux")]
-use libafl_qemu;
-use libafl_sugar;
-use pyo3::{prelude::*, types::PyDict};
-
-const LIBAFL_CODE: &str = r#"
-class BaseObserver:
-    def flush(self):
-        pass
-    def pre_exec(self, state, input):
-        pass
-    def post_exec(self, state, input, exit_kind):
-        pass
-    def pre_exec_child(self, state, input):
-        pass
-    def post_exec_child(self, state, input, exit_kind):
-        pass
-    def name(self):
-        return type(self).__name__
-    def as_observer(self):
-        return Observer.new_py(self)
-
-class BaseFeedback:
-    def init_state(self, state):
-        pass
-    def is_interesting(self, state, mgr, input, observers, exit_kind) -> bool:
-        return False
-    def append_metadata(self, state, testcase):
-        pass
-    def discard_metadata(self, state, input):
-        pass
-    def name(self):
-        return type(self).__name__
-    def as_feedback(self):
-        return Feedback.new_py(self)
-
-class BaseExecutor:
-    def observers(self) -> ObserversTuple:
-        raise NotImplementedError('Implement this yourself')
-    def run_target(self, fuzzer, state, mgr, input) -> ExitKind:
-        raise NotImplementedError('Implement this yourself')
-    def as_executor(self):
-        return Executor.new_py(self)
-
-class BaseStage:
-    def perform(self, fuzzer, executor, state, manager, corpus_idx):
-        pass
-    def as_stage(self):
-        return Stage.new_py(self)
-
-class BaseMutator:
-    def mutate(self, state, input, stage_idx):
-        pass
-    def post_exec(self, state, stage_idx, corpus_idx):
-        pass
-    def as_mutator(self):
-        return Mutator.new_py(self)
-
-class FnStage(BaseStage):
-    def __init__(self, fn):
-        self.fn = fn
-    def __call__(self, fuzzer, executor, state, manager, corpus_idx):
-        self.fn(fuzzer, executor, state, manager, corpus_idx)
-    def perform(self, fuzzer, executor, state, manager, corpus_idx):
-        self.fn(fuzzer, executor, state, manager, corpus_idx)
-
-def feedback_not(a):
-    return NotFeedback(a).as_feedback()
-
-def feedback_and(a, b):
-    return EagerAndFeedback(a, b).as_feedback()
-
-def feedback_and_fast(a, b):
-    return FastAndFeedback(a, b).as_feedback()
-
-def feedback_or(a, b):
-    return EagerOrFeedback(a, b).as_feedback()
-
-def feedback_or_fast(a, b):
-    return FastOrFeedback(a, b).as_feedback()
-"#;
+use pyo3::prelude::*;
 
+/// Setup python modules for `libafl_qemu` and `libafl_sugar`.
+///
+/// # Errors
+/// Returns error if python libafl setup failed.
 #[pymodule]
 #[pyo3(name = "pylibafl")]
-pub fn python_module(py: Python, m: &PyModule) -> PyResult<()> {
-    let modules = py.import("sys")?.getattr("modules")?;
+pub fn python_module(m: &Bound<'_, PyModule>) -> PyResult<()> {
+    pyo3_log::init();
 
-    let sugar_module = PyModule::new(py, "sugar")?;
-    libafl_sugar::python_module(py, sugar_module)?;
-    m.add_submodule(sugar_module)?;
+    let modules = m.py().import("sys")?.getattr("modules")?;
 
+    let sugar_module = PyModule::new(m.py(), "sugar")?;
+    libafl_sugar::python_module(&sugar_module)?;
+    m.add_submodule(&sugar_module)?;
     modules.set_item("pylibafl.sugar", sugar_module)?;
 
     #[cfg(target_os = "linux")]
-    let qemu_module = PyModule::new(py, "qemu")?;
-    #[cfg(target_os = "linux")]
-    libafl_qemu::python_module(py, qemu_module)?;
-    #[cfg(target_os = "linux")]
-    m.add_submodule(qemu_module)?;
-
-    #[cfg(target_os = "linux")]
-    modules.set_item("pylibafl.qemu", qemu_module)?;
-
-    let libafl_module = PyModule::new(py, "libafl")?;
-    libafl::pybind::python_module(py, libafl_module)?;
-
-    libafl_module.add("__builtins__", py.import("builtins")?)?;
-
-    let locals = PyDict::new(py);
-    py.run(LIBAFL_CODE, Some(libafl_module.dict()), Some(locals))?;
-    for (key, val) in locals.iter() {
-        libafl_module.add(key.extract::<&str>()?, val)?;
+    {
+        let qemu_module = PyModule::new(m.py(), "qemu")?;
+        libafl_qemu::python_module(&qemu_module)?;
+        m.add_submodule(&qemu_module)?;
+        modules.set_item("pylibafl.qemu", qemu_module)?;
     }
 
-    m.add_submodule(libafl_module)?;
-
-    modules.set_item("pylibafl.libafl", libafl_module)?;
+    let bolts_module = PyModule::new(m.py(), "libafl_bolts")?;
+    libafl_bolts::pybind::python_module(&bolts_module)?;
+    m.add_submodule(&bolts_module)?;
+    modules.set_item("pylibafl.libafl_bolts", bolts_module)?;
 
     Ok(())
 }

bindings/pylibafl/test.py

@@ -1,94 +1,9 @@
-from pylibafl.libafl import *
+import pylibafl.sugar as sugar
 import ctypes
+import platform
 
-
-class FooObserver(BaseObserver):
-    def __init__(self):
-        self.n = 0
-
-    def name(self):
-        return "Foo"
-
-    def pre_exec(self, state, input):
-        if self.n % 10000 == 0:
-            print("FOO!", self.n, input)
-        self.n += 1
-
-
-class FooFeedback(BaseFeedback):
-    def is_interesting(self, state, mgr, input, observers, exit_kind):
-        ob = observers.match_name("Foo").unwrap_py()
-        return ob.n % 10000 == 0
-
-
-class FooExecutor(BaseExecutor):
-    def __init__(self, harness, observers: ObserversTuple):
-        self.h = harness
-        self.o = observers
-
-    def observers(self):
-        return self.o
-
-    def run_target(self, fuzzer, state, mgr, input) -> ExitKind:
-        return (self.h)(input)
-
-
-libc = ctypes.cdll.LoadLibrary("libc.so.6")
-
-area_ptr = libc.calloc(1, 4096)
-
-observer = StdMapObserverI8("mymap", area_ptr, 4096)
-
-m = observer.as_map_observer()
-
-observers = ObserversTuple(
-    [observer.as_map_observer().as_observer(), FooObserver().as_observer()]
+print("Starting to fuzz from python!")
+fuzzer = sugar.InProcessBytesCoverageSugar(
+    input_dirs=["./in"], output_dir="out", broker_port=1337, cores=[0, 1]
 )
-
-feedback = feedback_or(MaxMapFeedbackI8(m).as_feedback(), FooFeedback().as_feedback())
-
-objective = feedback_and_fast(
-    CrashFeedback().as_feedback(), MaxMapFeedbackI8(m).as_feedback()
-)
-
-fuzzer = StdFuzzer(feedback, objective)
-
-rand = StdRand.with_current_nanos()
-
-state = StdState(
-    rand.as_rand(),
-    InMemoryCorpus().as_corpus(),
-    InMemoryCorpus().as_corpus(),
-    feedback,
-    objective,
-)
-
-monitor = SimpleMonitor(lambda s: print(s))
-
-mgr = SimpleEventManager(monitor.as_monitor())
-
-
-def harness(buf) -> ExitKind:
-    # print(buf)
-    m[0] = 1
-    if len(buf) > 0 and buf[0] == ord("a"):
-        m[1] = 1
-        if len(buf) > 1 and buf[1] == ord("b"):
-            m[2] = 1
-            if len(buf) > 2 and buf[2] == ord("c"):
-                m[3] = 1
-                return ExitKind.crash()
-    return ExitKind.ok()
-
-
-# executor = InProcessExecutor(harness, observers, fuzzer, state, mgr.as_manager())
-
-executor = FooExecutor(harness, observers)
-
-stage = StdMutationalStage(StdHavocMutator().as_mutator())
-
-stage_tuple_list = StagesTuple([stage.as_stage()])
-
-fuzzer.add_input(state, executor.as_executor(), mgr.as_manager(), b"\0\0")
-
-fuzzer.fuzz_loop(executor.as_executor(), state, mgr.as_manager(), stage_tuple_list)
+fuzzer.run(lambda b: print("foo"))

bindings/pylibafl/test.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+mkdir in || true
+echo "a" > ./in/a
+
+timeout 10 python3 ./test.py
+export exit_code=$?
+if [ $exit_code -eq 124 ]; then
+  # 124 = timeout happened. All good.
+  exit 0
+else
+  exit $exit_code
+fi
+

docs/.gitignore

@@ -1 +1,2 @@
 book
+!listings/**/*

docs/listings/baby_fuzzer/.gitignore

@@ -0,0 +1,2 @@
+target
+crashes

docs/listings/baby_fuzzer/justfile

@@ -0,0 +1,17 @@
+# Justfile to build all example projects
+
+default: build-all
+
+build PROJECT:
+	@echo "Building project in directory: {{PROJECT}}"
+	@cd {{PROJECT}} && cargo build
+	@echo "Finished building project in directory: {{PROJECT}}"
+
+build-all: listing-01 listing-02 listing-03 listing-04 listing-05 listing-06
+
+listing-01: (build "listing-01")
+listing-02: (build "listing-02")
+listing-03: (build "listing-03")
+listing-04: (build "listing-04")
+listing-05: (build "listing-05")
+listing-06: (build "listing-06")

docs/listings/baby_fuzzer/listing-01/Cargo.lock

@@ -0,0 +1,7 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "baby_fuzzer_listing_01"
+version = "0.15.2"

docs/listings/baby_fuzzer/listing-01/Cargo.toml

@@ -0,0 +1,9 @@
+[package]
+name = "baby_fuzzer_listing_01"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

docs/listings/baby_fuzzer/listing-01/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}

docs/listings/baby_fuzzer/listing-02/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "baby_fuzzer_listing_02"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+#libafl = { version = ".." }
+libafl = { path = "../../../../libafl" }
+#libafl_bolts = { version = ".." }
+libafl_bolts = { path = "../../../../libafl_bolts" }

docs/listings/baby_fuzzer/listing-02/src/main.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("Hello, world!");
+}

docs/listings/baby_fuzzer/listing-03/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "baby_fuzzer_listing_03"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[features]
+test-panic = []
+
+[dependencies]
+#libafl = { version = ".." }
+libafl = { path = "../../../../libafl" }
+#libafl_bolts = { version = ".." }
+libafl_bolts = { path = "../../../../libafl_bolts" }

docs/listings/baby_fuzzer/listing-03/src/main.rs

@@ -0,0 +1,26 @@
+extern crate libafl;
+extern crate libafl_bolts;
+use libafl::{
+    executors::ExitKind,
+    inputs::{BytesInput, HasTargetBytes},
+};
+use libafl_bolts::AsSlice;
+
+fn main() {
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        if buf.len() > 0 && buf[0] == b'a' {
+            if buf.len() > 1 && buf[1] == b'b' {
+                if buf.len() > 2 && buf[2] == b'c' {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "test-panic")]
+    harness(&input);
+}

docs/listings/baby_fuzzer/listing-04/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "baby_fuzzer_listing_04"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[features]
+test-panic = []
+
+[dependencies]
+#libafl = { version = ".." }
+libafl = { path = "../../../../libafl" }
+#libafl_bolts = { version = ".." }
+libafl_bolts = { path = "../../../../libafl_bolts" }

docs/listings/baby_fuzzer/listing-04/src/main.rs

@@ -0,0 +1,87 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use std::path::PathBuf;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{ExitKind, inprocess::InProcessExecutor},
+    fuzzer::StdFuzzer,
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    schedulers::QueueScheduler,
+    state::StdState,
+};
+use libafl_bolts::{AsSlice, nonzero, rands::StdRand};
+/* ANCHOR_END: use */
+
+fn main() {
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        if buf.len() > 0 && buf[0] == b'a' {
+            if buf.len() > 1 && buf[1] == b'b' {
+                if buf.len() > 2 && buf[2] == b'c' {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "test-panic")]
+    harness(&input);
+
+    /* ANCHOR: state */
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::new(),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut (),
+        &mut (),
+    )
+    .unwrap();
+    /* ANCHOR_END: state */
+
+    /* ANCHOR: event_manager */
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+    /* ANCHOR_END: event_manager */
+
+    /* ANCHOR: scheduler_fuzzer */
+    // A queue policy to get testcases from the corpus
+    let scheduler = QueueScheduler::new();
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, (), ());
+    /* ANCHOR_END: scheduler_fuzzer */
+
+    /* ANCHOR: executor */
+    // Create the executor for an in-process function
+    let mut executor = InProcessExecutor::new(&mut harness, (), &mut fuzzer, &mut state, &mut mgr)
+        .expect("Failed to create the Executor");
+    /* ANCHOR_END: executor */
+
+    /* ANCHOR: generator */
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(nonzero!(32));
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+    /* ANCHOR_END: generator */
+}

docs/listings/baby_fuzzer/listing-05/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "baby_fuzzer_listing_05"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[features]
+test-panic = []
+
+[dependencies]
+#libafl = { version = ".." }
+libafl = { path = "../../../../libafl" }
+#libafl_bolts = { version = ".." }
+libafl_bolts = { path = "../../../../libafl_bolts" }

docs/listings/baby_fuzzer/listing-05/src/main.rs

@@ -0,0 +1,117 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use std::path::PathBuf;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{ExitKind, inprocess::InProcessExecutor},
+    feedbacks::{CrashFeedback, MaxMapFeedback},
+    fuzzer::StdFuzzer,
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    observers::ConstMapObserver,
+    schedulers::QueueScheduler,
+    state::StdState,
+};
+use libafl_bolts::{AsSlice, nonnull_raw_mut, nonzero, rands::StdRand, tuples::tuple_list};
+/* ANCHOR_END: use */
+
+/* ANCHOR: signals */
+// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+fn signals_set(idx: usize) {
+    unsafe { SIGNALS[idx] = 1 };
+}
+
+fn main() {
+    // The closure that we want to fuzz
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        signals_set(0); // set SIGNALS[0]
+        if buf.len() > 0 && buf[0] == b'a' {
+            signals_set(1); // set SIGNALS[1]
+            if buf.len() > 1 && buf[1] == b'b' {
+                signals_set(2); // set SIGNALS[2]
+                if buf.len() > 2 && buf[2] == b'c' {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    /* ANCHOR_END: signals */
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "test-panic")]
+    harness(&input);
+
+    /* ANCHOR: observer */
+    // Create an observation channel using the signals map
+    let observer = unsafe { ConstMapObserver::from_mut_ptr("signals", nonnull_raw_mut!(SIGNALS)) };
+    /* ANCHOR_END: observer */
+
+    /* ANCHOR: state_with_feedback_and_objective */
+    // Feedback to rate the interestingness of an input
+    let mut feedback = MaxMapFeedback::new(&observer);
+
+    // A feedback to choose if an input is a solution or not
+    let mut objective = CrashFeedback::new();
+
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::new(),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut feedback,
+        &mut objective,
+    )
+    .unwrap();
+    /* ANCHOR_END: state_with_feedback_and_objective */
+
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+
+    // A queue policy to get testcasess from the corpus
+    let scheduler = QueueScheduler::new();
+    /* ANCHOR: state_with_feedback_and_objective */
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+    /* ANCHOR_END: state_with_feedback_and_objective */
+
+    /* ANCHOR: executor_with_observer */
+    // Create the executor for an in-process function with just one observer
+    let mut executor = InProcessExecutor::new(
+        &mut harness,
+        tuple_list!(observer),
+        &mut fuzzer,
+        &mut state,
+        &mut mgr,
+    )
+    .expect("Failed to create the Executor");
+    /* ANCHOR_END: executor_with_observer */
+
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(nonzero!(32));
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+    /* ANCHOR: signals */
+}
+/* ANCHOR_END: signals */

docs/listings/baby_fuzzer/listing-06/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "baby_fuzzer_listing_06"
+version = "0.15.3"
+authors = ["Your Name <you@example.com>"]
+edition = "2024"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[features]
+test-panic = []
+
+[dependencies]
+#libafl = { version = ".." }
+libafl = { path = "../../../../libafl" }
+#libafl_bolts = { version = ".." }
+libafl_bolts = { path = "../../../../libafl_bolts" }

docs/listings/baby_fuzzer/listing-06/src/main.rs

@@ -0,0 +1,117 @@
+/* ANCHOR: use */
+extern crate libafl;
+extern crate libafl_bolts;
+
+use std::path::PathBuf;
+
+use libafl::{
+    corpus::{InMemoryCorpus, OnDiskCorpus},
+    events::SimpleEventManager,
+    executors::{ExitKind, inprocess::InProcessExecutor},
+    feedbacks::{CrashFeedback, MaxMapFeedback},
+    fuzzer::{Fuzzer, StdFuzzer},
+    generators::RandPrintablesGenerator,
+    inputs::{BytesInput, HasTargetBytes},
+    monitors::SimpleMonitor,
+    mutators::{havoc_mutations, scheduled::HavocScheduledMutator},
+    observers::ConstMapObserver,
+    schedulers::QueueScheduler,
+    stages::mutational::StdMutationalStage,
+    state::StdState,
+};
+use libafl_bolts::{AsSlice, nonnull_raw_mut, nonzero, rands::StdRand, tuples::tuple_list};
+/* ANCHOR_END: use */
+
+// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+fn signals_set(idx: usize) {
+    unsafe { SIGNALS[idx] = 1 };
+}
+
+fn main() {
+    // The closure that we want to fuzz
+    let mut harness = |input: &BytesInput| {
+        let target = input.target_bytes();
+        let buf = target.as_slice();
+        signals_set(0); // set SIGNALS[0]
+        if buf.len() > 0 && buf[0] == b'a' {
+            signals_set(1); // set SIGNALS[1]
+            if buf.len() > 1 && buf[1] == b'b' {
+                signals_set(2); // set SIGNALS[2]
+                if buf.len() > 2 && buf[2] == b'c' {
+                    panic!("=)");
+                }
+            }
+        }
+        ExitKind::Ok
+    };
+    // To test the panic:
+    let input = BytesInput::new(Vec::from("abc"));
+    #[cfg(feature = "test-panic")]
+    harness(&input);
+
+    // Create an observation channel using the signals map
+    let observer = unsafe { ConstMapObserver::from_mut_ptr("signals", nonnull_raw_mut!(SIGNALS)) };
+
+    // Feedback to rate the interestingness of an input
+    let mut feedback = MaxMapFeedback::new(&observer);
+
+    // A feedback to choose if an input is a solution or not
+    let mut objective = CrashFeedback::new();
+
+    // create a State from scratch
+    let mut state = StdState::new(
+        // RNG
+        StdRand::new(),
+        // Corpus that will be evolved, we keep it in memory for performance
+        InMemoryCorpus::new(),
+        // Corpus in which we store solutions (crashes in this example),
+        // on disk so the user can get them after stopping the fuzzer
+        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
+        &mut feedback,
+        &mut objective,
+    )
+    .unwrap();
+
+    // The Monitor trait defines how the fuzzer stats are displayed to the user
+    let mon = SimpleMonitor::new(|s| println!("{s}"));
+
+    // The event manager handles the various events generated during the fuzzing loop
+    // such as the notification of the addition of a new item to the corpus
+    let mut mgr = SimpleEventManager::new(mon);
+
+    // A queue policy to get testcasess from the corpus
+    let scheduler = QueueScheduler::new();
+
+    // A fuzzer with feedbacks and a corpus scheduler
+    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+
+    // Create the executor for an in-process function with just one observer
+    let mut executor = InProcessExecutor::new(
+        &mut harness,
+        tuple_list!(observer),
+        &mut fuzzer,
+        &mut state,
+        &mut mgr,
+    )
+    .expect("Failed to create the Executor");
+
+    // Generator of printable bytearrays of max size 32
+    let mut generator = RandPrintablesGenerator::new(nonzero!(32));
+
+    // Generate 8 initial inputs
+    state
+        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+        .expect("Failed to generate the initial corpus");
+
+    /* ANCHOR: mutational_stage */
+    // Setup a mutational stage with a basic bytes mutator
+    let mutator = HavocScheduledMutator::new(havoc_mutations());
+    let mut stages = tuple_list!(StdMutationalStage::new(mutator));
+
+    fuzzer
+        .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
+        .expect("Error in the fuzzing loop");
+    /* ANCHOR_END: mutational_stage */
+}

docs/src/DEBUGGING.md

@@ -0,0 +1,53 @@
+# General debugging tips
+
+This file answers some common questions that arise when you are writing a fuzzer using LibAFL.
+
+## Q. My fuzzer crashed but the stack trace is useless
+
+You can enable the `errors_backtrace` feature of the `libafl` crate. With this the stacktrace is meaningful.
+
+## Q. I started the fuzzer but the corpus count is 0
+
+Unless the initial corpus is loaded with the "load_initial_inputs_forced" function, we only store the interesting inputs, which is the inputs that triggered the feedback. So this usually means that your input was not interesting, or your target was simply not properly implemented.
+Either way, what you can do is attach to the executable with gdb and set a breakpoint at where the new edges should be reported. If no instrumentation code is executed, then the problem is in the instrumentation. If the instrumentation code is hit, but still your input is not deemed interesting/stored, then the problem could be that you are not passing the observer/feedback correctly to the fuzzer.
+
+## Q. I started the fuzzer but the coverage is 0
+
+This could mean two things. Perhaps your target was not properly instrumented, or you are not using the correct observer, feedback feature.
+In this case, again, what usually should do is to run the fuzzer with gdb and set a breakpoint at where the coverage is recorded (e.g. __sanitizer_coverage_trace_pcguard), and validate that the target is giving the feedback to the fuzzer.
+
+## Q. I started the fuzzer but there's no output
+
+First, verify that your stdout and stderr are not redirected to `/dev/null`. If you get the log, then it should either fall into the previous 2 cases. Either the fuzzer crashed because you didn't have the initial seeds, or the coverage feedback is not working.
+
+## Q. I don't see any output from my fuzzer (println!() or logging)
+
+First, check that you are not redirecting things to `/dev/null` else you will see nothing.
+To see the log that you added with `log::trace!();`, you need to initialize the logger (any logger, `env_logger` or `SimpleStdoutLogger` from `libafl_bolts`) before the fuzzer starts.
+Also you have to make sure that you are runing with `RUST_LOG=<log_level>` and you are *NOT* using `release_max_level_info` feature of `log` crate in your `Cargo.toml` of your fuzzer
+
+## Q. My fuzzer is slow
+
+Try running the fuzzer with the `introspection` feature of the `libafl`. This will show how much time is spent on each module of your fuzzer. Also you might be using a wrong size of the coverage map. If you see `2621440` for the size of the coverage map, you are doing it wrong. One possible mistake is the misuse of `libafl_targets::coverage::EDGES_MAP`
+
+```rust
+let map = StdMapObserver::from_mut_ptr("edges", EDGES_MAP.as_mut_ptr(), EDGES_MAP.len());
+```
+
+You should *never* use the `EDGES_MAP`'s size as this is just the size of the allocated size of the coverage map. Consider using something smaller or our default value `libafl_targets::LIBAFL_EDGES_MAP_DEFAULT_SIZE`.
+
+## Q. I still have problems with my fuzzer
+
+Finally, if you really have no idea what is going on, run your fuzzer with logging enabled. (You can use `env_logger`, `SimpleStdoutLogger`, `SimpleStderrLogger` from `libafl_bolts`. `fuzzbench_text` has an example to show how to use it.) (Don't forget to enable stdout and stderr), and you can open an issue or ask us in Discord.
+
+## Q. My fuzzer died of `Storing state in crashed fuzzer instance did not work`
+
+If the exit code is zero, then this is because either your harness exited or you are using fuzzer_loop_for and forgot to add `mgr.on_restart` at the end of the fuzzer. In the first case, you should patch your harness not to exit. (or use `utils/deexit`).
+
+## Q. I can't leave the TUI screen
+
+Type `q` to leave TUI.
+
+## Q. I see `QEMU internal SIGSEGV {code=MAPERR, addr=0x48}` and my QEMU fuzzer doesn't run
+
+Are you running QEMU fuzzer on WSL? You have to enable vsyscall <https://github.com/microsoft/WSL/issues/4694#issuecomment-556095344>.

docs/src/SUMMARY.md

@@ -25,6 +25,7 @@
   - [Architecture](./design/architecture.md)
   - [Metadata](./design/metadata.md)
   - [Migrating from LibAFL <0.9 to 0.9](./design/migration-0.9.md)
+  - [Migrating from LibAFL <0.11 to 0.11](./design/migration-0.11.md)
 
 - [Message Passing](./message_passing/message_passing.md)
   - [Spawning Instances](./message_passing/spawn_instances.md)
@@ -38,3 +39,4 @@
   - [Concolic Tracing & Hybrid Fuzzing](./advanced_features/concolic.md)
   - [LibAFL in `no_std` environments (Kernels, Hypervisors, ...)](./advanced_features/no_std.md)
   - [Snapshot Fuzzing in Nyx](./advanced_features/nyx.md)
+  - [StatsD Monitor](./advanced_features/statsd_monitor.md)

docs/src/advanced_features/concolic.md

@@ -1,7 +1,8 @@
 # Concolic Tracing and Hybrid Fuzzing
+
 LibAFL has support for concolic tracing based on the [SymCC](https://github.com/eurecom-s3/symcc) instrumenting compiler.
 
-For those uninitiated, the following attempts to describe concolic tracing from the ground up using an example.
+For those uninitiated, the following text attempts to describe concolic tracing from the ground up using an example.
 Then, we'll go through the relationship of SymCC and LibAFL concolic tracing.
 Finally, we'll walk through building a basic hybrid fuzzer using LibAFL.
 
@@ -92,18 +93,18 @@ In hybrid fuzzing, we combine this tracing + solving approach with more traditio
 The concolic tracing support in LibAFL is implemented using SymCC.
 SymCC is a compiler plugin for clang that can be used as a drop-in replacement for a normal C or C++ compiler.
 SymCC will instrument the compiled code with callbacks into a runtime that can be supplied by the user.
-These callbacks allow the runtime to construct a trace that similar to the previous example.
+These callbacks allow the runtime to construct a trace that is similar to the previous example.
 
 ### SymCC and its Runtimes
 
-SymCC ships with 2 runtimes: 
+SymCC ships with 2 runtimes:
 
- * a 'simple' runtime that attempts to solve any branches it comes across using [Z3](https://github.com/Z3Prover/z3/wiki) and
- * a [QSym](https://github.com/sslab-gatech/qsym)-based runtime, which does a bit more filtering on the expressions and also solves using Z3.
+* A 'simple' runtime that attempts to negate and analytically solve any branch conditions it comes across using [Z3](https://github.com/Z3Prover/z3/wiki) and
+* A [QSym](https://github.com/sslab-gatech/qsym)-based runtime, which does a bit more filtering on the expressions and also solves them using Z3.
 
 The integration with LibAFL, however, requires you to **BYORT** (_bring your own runtime_) using the [`symcc_runtime`](https://docs.rs/symcc_runtime/0.1/symcc_runtime) crate.
 This crate allows you to easily build a custom runtime out of the built-in building blocks or create entirely new runtimes with full flexibility.
-Checkout out the `symcc_runtime` docs for more information on how to build your own runtime.
+Check out the `symcc_runtime` docs for more information on how to build your own runtime.
 
 ### SymQEMU
 
@@ -114,7 +115,7 @@ The `symcc_runtime` crate supports this use case and runtimes built with `symcc_
 
 ## Hybrid Fuzzing in LibAFL
 
-The LibAFL repository contains an [example hybrid fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/libfuzzer_stb_image_concolic).
+The LibAFL repository contains an [example hybrid fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic).
 
 There are three main steps involved with building a hybrid fuzzer using LibAFL:
 
@@ -123,21 +124,23 @@ There are three main steps involved with building a hybrid fuzzer using LibAFL:
 3. building the fuzzer.
 
 Note that the order of these steps is important.
-For example, we need to have runtime ready before we can do instrumentation with SymCC.
+For example, we need to have a runtime ready before we can do instrumentation with SymCC.
 
 ### Building a Runtime
 
 Building a custom runtime can be done easily using the `symcc_runtime` crate.
 Note, that a custom runtime is a separate shared object file, which means that we need a separate crate for our runtime.
-Check out the [example hybrid fuzzer's runtime](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/libfuzzer_stb_image_concolic/runtime) and the [`symcc_runtime` docs](https://docs.rs/symcc_runtime/0.1/symcc_runtime) for inspiration.
+Check out the [example hybrid fuzzer's runtime](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/runtime) and the [`symcc_runtime` docs](https://docs.rs/symcc_runtime/0.1/symcc_runtime) for inspiration.
 
 ### Instrumentation
 
 There are two main instrumentation methods to make use of concolic tracing in LibAFL:
-* Using an **compile-time** instrumented target with **SymCC**. 
+
+* Using a **compile-time** instrumented target with **SymCC**.
 This only works when the source is available for the target and the target is reasonably easy to build using the SymCC compiler wrapper.
 * Using **SymQEMU** to dynamically instrument the target at **runtime**.
-This avoids a separate instrumented target with concolic tracing instrumentation and does not require source code.
+This avoids building a separate instrumented target with concolic tracing instrumentation and so does not require source code.
+
 It should be noted, however, that the 'quality' of the generated expressions can be significantly worse and SymQEMU generally produces significantly more and significantly more convoluted expressions than SymCC.
 Therefore, it is recommended to use SymCC over SymQEMU when possible.
 
@@ -148,7 +151,7 @@ How exactly this is done does not matter.
 However, the SymCC compiler needs to be made aware of the location of the runtime that it should instrument against.
 This is done by setting the `SYMCC_RUNTIME_DIR` environment variable to the directory which contains the runtime (typically the `target/(debug|release)` folder of your runtime crate).
 
-The example hybrid fuzzer instruments the target in its [`build.rs` build script](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/libfuzzer_stb_image_concolic/fuzzer/build.rs#L50).
+The example hybrid fuzzer instruments the target in its [`build.rs` build script](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/build.rs#L50).
 It does this by cloning and building a copy of SymCC and then using this version to instrument the target.
 The [`symcc_libafl` crate](https://docs.rs/symcc_libafl) contains helper functions for cloning and building SymCC.
 
@@ -158,27 +161,27 @@ Make sure you satisfy the [build requirements](https://github.com/eurecom-s3/sym
 
 Build SymQEMU according to its [build instructions](https://github.com/eurecom-s3/symqemu#readme).
 By default, SymQEMU looks for the runtime in a sibling directory.
-Since we don't have a runtime there, we need to let it know the path to your runtime by setting `--symcc-build` argument of the `configure` script to the path of your runtime.
+Since we don't have a runtime there, we need to explicitly set the `--symcc-build` argument of the `configure` script to the path of your runtime.
 
 ### Building the Fuzzer
 
 No matter the instrumentation method, the interface between the fuzzer and the instrumented target should now be consistent.
 The only difference between using SymCC and SymQEMU should be the binary that represents the target:
-In the case of SymCC it will be the binary that was build with instrumentation and with SymQEMU it will be the emulator binary (eg. `x86_64-linux-user/symqemu-x86_64`), followed by your uninstrumented target binary and arguments.
+In the case of SymCC it will be the binary that was build with instrumentation and with SymQEMU it will be the emulator binary (eg. `x86_64-linux-user/symqemu-x86_64`), followed by your uninstrumented target binary and its arguments.
 
-You can use the [`CommandExecutor`](https://docs.rs/libafl/0.6.0/libafl/executors/command/struct.CommandExecutor.html) to execute your target ([example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L244)).
-When configuring the command, make sure you pass the `SYMCC_INPUT_FILE` environment variable the input file path, if your target reads input from a file (instead of standard input).
+You can use the [`CommandExecutor`](https://docs.rs/libafl/latest/libafl/executors/command/struct.CommandExecutor.html) to execute your target ([example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L244)).
+When configuring the command, make sure you pass the `SYMCC_INPUT_FILE` environment variable (set to the input file path), if your target reads input from a file (instead of standard input).
 
 #### Serialization and Solving
 
 While it is perfectly possible to build a custom runtime that also performs the solving step of hybrid fuzzing in the context of the target process, the intended use of the LibAFL concolic tracing support is to serialize the (filtered and pre-processed) branch conditions using the [`TracingRuntime`](https://docs.rs/symcc_runtime/0.1/symcc_runtime/tracing/struct.TracingRuntime.html).
-This serialized representation can be deserialized in the fuzzer process for solving using a [`ConcolicObserver`](https://docs.rs/libafl/0.6.0/libafl/observers/concolic/struct.ConcolicObserver.html) wrapped in a [`ConcolicTracingStage`](https://docs.rs/libafl/0.6.0/libafl/stages/concolic/struct.ConcolicTracingStage.html), which will attach a [`ConcolicMetadata`](https://docs.rs/libafl/0.6.0/libafl/observers/concolic/struct.ConcolicMetadata.html) to every [`TestCase`](https://docs.rs/libafl/0.6.0/libafl/corpus/testcase/struct.Testcase.html).
+This serialized representation can be deserialized in the fuzzer process for solving using a [`ConcolicObserver`](https://docs.rs/libafl/latest/libafl/observers/concolic/struct.ConcolicObserver.html) wrapped in a [`ConcolicTracingStage`](https://docs.rs/libafl/latest/libafl/stages/concolic/struct.ConcolicTracingStage.html), which will attach a [`ConcolicMetadata`](https://docs.rs/libafl/latest/libafl/observers/concolic/struct.ConcolicMetadata.html) to every [`TestCase`](https://docs.rs/libafl/latest/libafl/corpus/testcase/struct.Testcase.html).
 
-The `ConcolicMetadata` can be used to replay the concolic trace and solved using an SMT-Solver.
+The `ConcolicMetadata` can be used to replay the concolic trace and to solve the conditions using an SMT-Solver.
 Most use-cases involving concolic tracing, however, will need to define some policy around which branches they want to solve.
-The [`SimpleConcolicMutationalStage`](https://docs.rs/libafl/0.6.0//libafl/stages/concolic/struct.SimpleConcolicMutationalStage.html) can be used for testing purposes.
+The [`SimpleConcolicMutationalStage`](https://docs.rs/libafl/latest/libafl/stages/concolic/struct.SimpleConcolicMutationalStage.html) can be used for testing purposes.
 It will attempt to solve all branches, like the original simple backend from SymCC, using Z3.
 
 ### Example
 
-The example fuzzer shows how to use the [`ConcolicTracingStage` together with the `SimpleConcolicMutationalStage`](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L222) to build a basic hybrid fuzzer.
+The example fuzzer shows how to use the [`ConcolicTracingStage` together with the `SimpleConcolicMutationalStage`](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/structure_aware/libfuzzer_stb_image_concolic/fuzzer/src/main.rs#L222) to build a basic hybrid fuzzer.

docs/src/advanced_features/frida.md

@@ -4,7 +4,7 @@ LibAFL supports different instrumentation engines for binary-only fuzzing.
 A potent cross-platform (Windows, MacOS, Android, Linux, iOS) option for binary-only fuzzing is Frida; the dynamic instrumentation tool.
 
 In this section, we will talk about the components in fuzzing with `libafl_frida`.
-You can take a look at a working example in our [`fuzzers/frida_libpng`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/frida_libpng) folder for Linux, and [`fuzzers/frida_gdiplus`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/frida_gdiplus) for Windows.
+You can take a look at a working example in our [`fuzzers/binary_only/frida_libpng`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/frida_libpng) folder for Linux, and [`fuzzers/binary_only/frida_windows_gdiplus`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/frida_windows_gdiplus) for Windows.
 
 ## Dependencies
 
@@ -17,7 +17,7 @@ If you are on Windows, you'll need to install llvm tools.
 LibAFL uses Frida's [__Stalker__](https://frida.re/docs/stalker/) to trace the execution of your program and instrument your harness.
 Thus, you have to compile your harness to a dynamic library. Frida instruments your PUT after dynamically loading it.
 
-For example in our `frida_libpng` example, we load the dynamic library and find the symbol to harness as follows:
+In our `frida_libpng` example, we load the dynamic library and find the symbol to harness as follows:
 
 ```rust,ignore
         let lib = libloading::Library::new(module_name).unwrap();
@@ -28,9 +28,9 @@ For example in our `frida_libpng` example, we load the dynamic library and find
 
 ## `FridaInstrumentationHelper` and Runtimes
 
-To use functionalities that Frida offers, we'll first need to obtain `Gum` object by `Gum::obtain()`.
+To use functionalities that Frida offers, we'll first need to obtain a `Gum` object by `Gum::obtain()`.
 
-In LibAFL, we use the `FridaInstrumentationHelper` struct to manage frida-related state. `FridaInstrumentationHelper` is a key component that sets up the [__Transformer__](https://frida.re/docs/stalker/#transformer) that is used to generate the instrumented code. It also initializes the `Runtimes` that offer various instrumentation.
+In LibAFL, we use the `FridaInstrumentationHelper` struct to manage frida-related state. `FridaInstrumentationHelper` is a key component that sets up the [__Transformer__](https://frida.re/docs/stalker/#transformer) that is used to generate the instrumented code. It also initializes the `Runtimes` that offer various instrumentations.
 
 We have `CoverageRuntime` that can track the edge coverage,  `AsanRuntime` for address sanitizer, `DrCovRuntime` that uses [__DrCov__](https://dynamorio.org/page_drcov.html) for coverage collection (to be imported in coverage tools like Lighthouse, bncov, dragondance,...), and `CmpLogRuntime` for cmplog instrumentation.
 All of these runtimes can be slotted into `FridaInstrumentationHelper` at build time.
@@ -53,12 +53,12 @@ Combined with any `Runtime` you'd like to use, you can initialize the `FridaInst
 
 ## Running the Fuzzer
 
-After setting up the `FridaInstrumentationHelper`. You can obtain the pointer to the coverage map by calling `map_ptr_mut()`.
+After setting up the `FridaInstrumentationHelper` you can obtain the pointer to the coverage map by calling `map_mut_ptr()`.
 
 ```rust,ignore
-        let edges_observer = HitcountsMapObserver::new(StdMapObserver::new_from_ptr(
+        let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
             "edges",
-            frida_helper.map_ptr_mut().unwrap(),
+            frida_helper.map_mut_ptr().unwrap(),
             MAP_SIZE,
         ));
 ```
@@ -73,7 +73,7 @@ You can then link this observer to `FridaInProcessExecutor` as follows:
                 tuple_list!(
                     edges_observer,
                     time_observer,
-                    AsanErrorsObserver::new(&ASAN_ERRORS)
+                    AsanErrorsObserver::from_static_asan_errors()
                 ),
                 &mut fuzzer,
                 &mut state,
@@ -83,5 +83,5 @@ You can then link this observer to `FridaInProcessExecutor` as follows:
         );
 ```
 
-And, finally you can run the fuzzer.
-See the `frida_` examples in [`./fuzzers`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary-only tracer.
+And finally you can run the fuzzer.
+See the `frida_` examples in [`./fuzzers/binary_only`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/binary_only/) for more information and, for linux or full-system, play around with `libafl_qemu`, another binary_only tracer.

docs/src/advanced_features/no_std.md

@@ -1,6 +1,6 @@
 # Using LibAFL in `no_std` environments
 
-It is possible to use LibAFL in `no_std` environments e.g. custom platforms like microcontrollers, kernels, hypervisors, and more.
+It is possible to use LibAFL in `no_std` environments e.g. on custom platforms like microcontrollers, kernels, hypervisors, and more.
 
 You can simply add LibAFL to your `Cargo.toml` file:
 
@@ -16,7 +16,7 @@ cargo build --no-default-features --target aarch64-unknown-none
 
 ## Use custom timing
 
-The minimum amount of input LibAFL needs for `no_std` is a monotonically increasing timestamp.
+The minimum amount of support LibAFL needs for a `no_std` environment is a monotonically increasing timestamp.
 For this, anywhere in your project you need to implement the `external_current_millis` function, which returns the current time in milliseconds.
 
 ```c
@@ -31,10 +31,10 @@ Here, we use it in Rust. `external_current_millis` is then called from LibAFL.
 Note that it needs to be `no_mangle` in order to get picked up by LibAFL at linktime:
 
 ```rust,ignore
-#[no_mangle]
+#[unsafe(no_mangle)]
 pub extern "C" fn external_current_millis() -> u64 {
     unsafe { my_real_seconds()*1000 }
 }
 ```
 
-See [./fuzzers/baby_no_std](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby_no_std) for an example.
+See [./fuzzers/fuzz_anything/baby_no_std](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/fuzz_anything/baby_no_std) for an example.

docs/src/advanced_features/nyx.md

@@ -2,12 +2,12 @@
 
 NYX supports both source-based and binary-only fuzzing.
 
-Currently, `libafl_nyx` only supports [afl++](https://github.com/AFLplusplus/AFLplusplus)'s instruction. To install it, you can use `sudo apt install aflplusplus`. Or compile from the source:
+Currently, `libafl_nyx` only supports [afl++](https://github.com/AFLplusplus/AFLplusplus)'s instruction type. To install it, you can use `sudo apt install aflplusplus`. Or compile from the source:
 
 ```bash
 git clone https://github.com/AFLplusplus/AFLplusplus
 cd AFLplusplus
-make all # this will not compile afl's additional extension
+make all # this will not compile afl's additional extensions
 ```
 
 Then you should compile the target with the afl++ compiler wrapper:
@@ -20,11 +20,11 @@ export CXX=afl-clang-fast++
 make
 ```
 
-For binary-only fuzzing, Nyx uses intel-PT(Intel® Processor Trace). You can find the supported CPU at <https://www.intel.com/content/www/us/en/support/articles/000056730/processors.html>.
+For binary-only fuzzing, Nyx uses intel-PT(Intel® Processor Trace). You can find the list of supported CPUs at <https://www.intel.com/content/www/us/en/support/articles/000056730/processors.html>.
 
-## Preparing Nyx working directory
+## Preparing the Nyx working directory
 
-This step is used to pack the target into Nyx's kernel. Don't worry, we have a template shell script in our [example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_parallel/setup_libxml2.sh):
+This step is used to pack the target into Nyx's kernel. Don't worry, we have a template shell script in our [example](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_parallel/setup_libxml2.sh):
 
 the parameter's meaning is listed below:
 
@@ -49,7 +49,7 @@ python3 ./packer/packer/nyx_config_gen.py /tmp/nyx_libxml2/ Kernel || exit
 
 ## Standalone fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_standalone/src/main.rs). First you need to run `./setup_libxml2.sh`, It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start write your code.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_standalone/src/main.rs) you first need to run `./setup_libxml2.sh`. It will prepare your target and create your nyx work directory in `/tmp/libxml2`. After that, you can start to write your code.
 
 First, to create `Nyxhelper`:
 
@@ -57,22 +57,21 @@ First, to create `Nyxhelper`:
 let share_dir = Path::new("/tmp/nyx_libxml2/");
 let cpu_id = 0; // use first cpu
 let parallel_mode = false; // close parallel_mode
-let mut helper = NyxHelper::new(share_dir, cpu_id, true, parallel_mode, None).unwrap(); // we don't the set the last parameter in standalone mode, we just use None, here
+let mut helper = NyxHelper::new(share_dir, cpu_id, true, parallel_mode, None).unwrap(); // we don't need to set the last parameter in standalone mode, we just use None, here
 ```
 
 Then, fetch `trace_bits`, create an observer and the `NyxExecutor`:
 
 ```rust,ignore
-let trace_bits = unsafe { std::slice::from_raw_parts_mut(helper.trace_bits, helper.map_size) };
-let observer = StdMapObserver::new("trace", trace_bits);
+let observer = unsafe { StdMapObserver::from_mut_ptr("trace", helper.trace_bits, helper.map_size) };
 let mut executor = NyxExecutor::new(&mut helper, tuple_list!(observer)).unwrap();
 ```
 
-Finally, use them as normal and pass them into `fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)` to start fuzzing.
+Finally, use them normally and pass them into `fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)` to start fuzzing.
 
 ## Parallel fuzzing
 
-In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/nyx_libxml2_parallel/src/main.rs). First you need to run `./setup_libxml2.sh` as described before.
+In the [example fuzzer](https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/full_system/nyx_libxml2_parallel/src/main.rs) you first need to run `./setup_libxml2.sh` as described before.
 
 Parallel fuzzing relies on [`Launcher`](../message_passing/spawn_instances.md), so spawn logic should be written in the scoop of anonymous function `run_client`:
 
@@ -91,7 +90,7 @@ let mut helper = NyxHelper::new(
     cpu_id,    // current cpu id
     true,      // open snap_mode
     parallel_mode, // open parallel mode
-    Some(parent_cpu_id.id as u32), // the cpu-id of master instance, there is only one master instance, other instances will be treated as slaved
+    Some(parent_cpu_id.id as u32), // the cpu-id of main instance, there is only one main instance, other instances will be treated as secondaries
 )
 .unwrap();
 ```
@@ -99,13 +98,11 @@ let mut helper = NyxHelper::new(
 Then you can fetch the trace_bits and create an observer and `NyxExecutor`
 
 ```rust,ignore
-let trace_bits =
-    unsafe { std::slice::from_raw_parts_mut(helper.trace_bits, helper.map_size) };
-let observer = StdMapObserver::new("trace", trace_bits);
+let observer = unsafe { StdMapObserver::from_mut_ptr("trace", helper.trace_bits, helper.map_size) }
 let mut executor = NyxExecutor::new(&mut helper, tuple_list!(observer)).unwrap();
 ```
 
-Finally, open a `Launcher` as normal to start fuzzing:
+Finally, open a `Launcher` as usual to start fuzzing:
 
 ```rust,ignore
 match Launcher::builder()
@@ -121,6 +118,6 @@ match Launcher::builder()
 {
     Ok(()) => (),
     Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
-    Err(err) => panic!("Failed to run launcher: {:?}", err),
+    Err(err) => panic!("Failed to run launcher: {err:?}"),
 }
 ```

docs/src/advanced_features/statsd_monitor.md

@@ -0,0 +1,185 @@
+# StatsD Monitor
+
+In modern fuzzing situations, it is very common to have multiple fuzzing instances running. LibAFL supports monitoring mutiple fuzzing instances with `StatsdMonitor`, which can be easily enabled by adding `statsd_monitor` feature in `Cargo.toml`:
+
+```toml
+[dependencies]
+libafl = { version = "*", features = ["statsd_monitor"]}
+```
+
+After setting up a StatsD monitor infrastructure, you could view all of your fuzzing instances in a browser like this one (each line represents metrics of one fuzzing instance).
+
+![example visualization with Grafana](../resources/statsd-grafana.png)
+
+## Introduction to StatsD Architecture
+
+A typical StatsD setup involves four participants: multiple StatsD clients, a StatsD aggregator, a Prometheus, and a visualizer.
+
+Normally, each fuzzing instance is bound to a StatsD client (the `StatsdMonitor`). The StatsD client pushes fuzzing metrics (e.g. exec per second) towards the StatsD aggregator consistently. The Prometheus server is the center of StatsD metrics, which polls StatsD metrics from the StatsD aggregator at a specific polling frequency. The visualizer queries the Prometheus server, and display the metrics for further analysis and monitoring.
+
+## Set up a StatsD Monitor Infrastructure
+
+The easiest way to install and set up the infrastructure is with Docker and Docker Compose. To begin with, create a directory with the following files:
+
+* `docker-compose.yml`
+    ```yml
+    networks:
+      statsd-net:
+        driver: bridge
+    
+    volumes:
+      grafana-data:
+
+    services:
+      prometheus:
+        image: prom/prometheus
+        container_name: prometheus
+        volumes:
+          - ./prometheus.yml:/prometheus.yml
+        command:
+          - '--config.file=/prometheus.yml'
+        restart: unless-stopped
+        ports:
+          - "9090:9090"
+        networks:
+          - statsd-net
+
+      statsd_exporter:
+        image: prom/statsd-exporter
+        container_name: statsd_exporter
+        volumes:
+          - ./statsd_mapping.yml:/statsd_mapping.yml
+        command:
+          - "--statsd.mapping-config=/statsd_mapping.yml"
+        ports:
+          - "9102:9102/tcp"
+          - "8125:9125/udp"
+        networks:
+          - statsd-net
+
+      grafana:
+        image: grafana/grafana
+        container_name: grafana
+        volumes:
+          - grafana-data:/var/lib/grafana
+        restart: unless-stopped
+        ports:
+            - "3000:3000"
+        networks:
+          - statsd-net
+    ```
+* `prometheus.yml`
+
+    ```yml
+    global:
+      scrape_interval:      15s
+      evaluation_interval:  15s
+
+    scrape_configs:
+      - job_name: 'fuzzing_metrics'
+        static_configs:
+          - targets: ['statsd_exporter:9102']
+    ```
+* `statsd_mapping.yml`
+
+    ```yml
+    mappings:
+    - match: "fuzzing.*"
+      name: "fuzzing"
+      labels:
+          type: "$1"
+    ```
+
+And use
+
+```shell
+docker compose up -d
+```
+
+Then the basic infrastructure is set up.
+
+It is worth noting that all participants are not necessarily be in the same machine, as long as they could communicate with each other with network. Specifically, the StatsD aggregator should be accessible from StatsD clients and Prometheus server, and the Prometheus server should be accessible from the visualizer.
+
+In this infrastructure setup, we choose the [prometheus/statsd-exporter](https://github.com/prometheus/statsd_exporter) as a StatsD aggregator, which aggregates metrics from multiple StatsD clients, and converts the metrics into Prometheus format. And we choose the [Grafana](https://grafana.com) as the visualizer.
+
+### Configure Grafana
+
+After the infrastructure is set up, you should use a browser and go to `localhost:3000` to configure Grafana, the visualizer, and view StatsD metrics (the default username and password for Grafana docker login is admin/admin).
+
+First, you should add the Prometheus server as data source for Grafana, as described in [Add a data source](https://grafana.com/docs/grafana/latest/datasources/#add-a-data-source). By picking "Prometheus" as datasource type, you could create a data source with name "prometheus", and use `http://prometheus:9090` as Prometheus server URL (Docker network could automatically resolve the host name to the IP of prometheus service, and the port is specified at `docker-compose.yml` above).
+
+Then, you should create a dashboard to view the metrics. You could simply importing [this dashboard template](../resources/grafana-libafl.json), or create a dashboard manually by following [this official guide](https://grafana.com/docs/grafana/latest/dashboards/build-dashboards/create-dashboard/#create-a-dashboard).
+
+After the dashboard is created, all metrics can be viewed directly.
+
+## Use `StatsdMonitor` in LibAFL
+
+It is rather easy to use the `StatsdMonitor` in LibAFL. Let's say you were using a `MultiMonitor` previously:
+
+```rust,ignore
+let monitor = MultiMonitor::new(|s| println!("{s}"));
+```
+
+Then you could just create a `StatsdMonitor` and combine this two monitors with a `tuple_list!`:
+
+```rust,ignore
+let multi_monitor = MultiMonitor::new(|s| println!("{s}"));
+let statsd_monitor = StatsdMonitor::new("localhost".to_string(), 8125, StatsdMonitorTagFlavor::default());
+let monitor = tuple_list!(multi_monitor, statsd_monitor);
+```
+
+Then the monitor will automatically push StatsD metrics towards the StatsD aggregator at localhost:8125, which is specified in the `docker-compose.yml` above.
+
+### Tag Flavor
+
+The vanilla StatsD metrics do not have a mechanism to distinguish different StatsD clients, which is inconvenience to view multiple fuzzing instances. Several StatsD servers have introduced a new mechanism called tag to solve this problem, and in LibAFL, we currently support [Datadog](https://docs.datadoghq.com/developers/dogstatsd/) style tag, which is the default for `StatsdMonitorTagFlavor`.
+
+To use tag correctly, we should create a `StatsdMonitorTagFlavor` with a tag identifier and optional custom tags.
+
+```rust,ignore
+let tag_flavor = StatsdMonitorTagFlavor::DogStatsd {
+    tag_identifier: "unique-name-for-this-fuzzing-instance".into(),
+    custom_tags: vec![
+        ("custom-tag-key".into(), "custom-tag-value".into())
+    ],
+};
+let statsd_monitor = StatsdMonitor::new("localhost".to_string(), 8125, tag_flavor);
+```
+
+The tag identifier is used to differentiate StatsD clients, which should be unique for each fuzzing instances. The optional custom tags could be used by Grafana users to filter clients based on custom informations.
+
+## FAQ
+
+### What can I do if I cannot see any metrics in Grafana?
+
+To debug the `StatsdMonitor`, you could first comment out all other monitors for clarity. The you could setup a log implementation such as [`env_logger`](https://crates.io/crates/env_logger) at the top of your `main` function. For `env_logger`, run the target application with environment `RUST_LOG=info`, and you could see logs from LibAFL. The output logs should contain error logs of `StatsdMonitor` if connection is down or anything unexpected.
+
+If you still have no idea why things went wrong, please [file an issue](https://github.com/AFLplusplus/LibAFL/issues/new/choose) to LibAFL.
+
+### Does network interactions of StatsD decrease the fuzzing throughput?
+
+Thanks to the [`cadence`](https://crates.io/crates/cadence) crate which we used as StatsD client implementation, the network interaction is conduct in an individual thread, so the affect from network interactions could be negligible.
+
+### Can I optionally enable the `StatsdMonitor` via something like commandline options?
+
+You can wrap the `StatsdMonitor` with an `OptionalMonitor`:
+
+```rust,ignore
+let statsd_monitor = if commandline_is_set {
+    Some(StatsdMonitor::new(/* ... */))
+} else {
+    None
+};
+let optional_statsd_monitor = OptionalMonitor::new(statsd_monitor);
+```
+
+### What is the different between `StatsdMonitor` and `PrometheusMonitor`?
+
+The `PrometheusMonitor` could be used to view detailed statistics about one fuzzing instance (with multiple clients maybe), since it can show the statistics about individual clients. And `PrometheusMonitor` is implemented as a Prometheus datasource, which will, based on the pull-architecture of Prometheus, occupy a port for each instance for Prometheus server to access.
+
+The `StatsdMonitor` is used to view aggregated statistics about multiple fuzzing instances (showing individual client statistics will make the visualized graph very distracting). And due to the push-architecture of StatsD server, we only need one port for the StatsD aggregator to receive metrics from each client.
+
+## References
+
+* [AFL++'s docs about rpc_statsd](https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/rpc_statsd.md)
+* [Prometheus wikipedia](https://en.wikipedia.org/wiki/Prometheus_(software))

docs/src/baby_fuzzer/baby_fuzzer.md

@@ -6,7 +6,7 @@ While the following chapters discuss the components of LibAFL in detail, here we
 
 We are going to fuzz a simple Rust function that panics under a condition. The fuzzer will be single-threaded and will stop after the crash, just like libFuzzer normally does.
 
-You can find a complete version of this tutorial as an example fuzzer in [`fuzzers/baby_fuzzer`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby_fuzzer).
+You can find a complete version of this tutorial as an example fuzzer in [`fuzzers/baby/baby_fuzzer`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/baby_fuzzer).
 
 > ### Warning
 >
@@ -17,7 +17,7 @@ You can find a complete version of this tutorial as an example fuzzer in [`fuzze
 
 We use cargo to create a new Rust project with LibAFL as a dependency.
 
-```sh
+```console
 $ cargo new baby_fuzzer
 $ cd baby_fuzzer
 ```
@@ -25,18 +25,11 @@ $ cd baby_fuzzer
 The generated `Cargo.toml` looks like the following:
 
 ```toml
-[package]
-name = "baby_fuzzer"
-version = "0.1.0"
-authors = ["Your Name <you@example.com>"]
-edition = "2018"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
+{{#include ../../listings/baby_fuzzer/listing-01/Cargo.toml}}
 ```
 
 In order to use LibAFl we must add it as dependency adding `libafl = { path = "path/to/libafl/" }` under `[dependencies]`.
+That path actually needs to point to the `libafl` directory within the cloned repo, not the root of the repo itself.
 You can use the LibAFL version from [crates.io](https://crates.io/crates/libafl) if you want, in this case, you have to use `libafl = "*"` to get the latest version (or set it to the current version).
 
 As we are going to fuzz Rust code, we want that a panic does not simply cause the program to exit, but raise an `abort` that can then be caught by the fuzzer.
@@ -47,28 +40,10 @@ Alongside this setting, we add some optimization flags for the compilation, when
 The final `Cargo.toml` should look similar to the following:
 
 ```toml
-[package]
-name = "baby_fuzzer"
-version = "0.1.0"
-authors = ["Your Name <you@example.com>"]
-edition = "2018"
-
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
-[dependencies]
-libafl = { path = "path/to/libafl/" }
-
-[profile.dev]
-panic = "abort"
-
-[profile.release]
-panic = "abort"
-lto = true
-codegen-units = 1
-opt-level = 3
-debug = true
+{{#include ../../listings/baby_fuzzer/listing-02/Cargo.toml}}
 ```
 
+
 ## The function under test
 
 Opening `src/main.rs`, we have an empty `main` function.
@@ -76,52 +51,32 @@ To start, we create the closure that we want to fuzz. It takes a buffer as input
 `ExitKind` is used to inform the fuzzer about the harness' exit status.
 
 ```rust
-extern crate libafl;
-use libafl::{
-    bolts::AsSlice,
-    inputs::{BytesInput, HasTargetBytes},
-    executors::ExitKind,
-};
-
-fn main(){
-    let mut harness = |input: &BytesInput| {
-        let target = input.target_bytes();
-        let buf = target.as_slice();
-        if buf.len() > 0 && buf[0] == 'a' as u8 {
-            if buf.len() > 1 && buf[1] == 'b' as u8 {
-                if buf.len() > 2 && buf[2] == 'c' as u8 {
-                    panic!("=)");
-                }
-            }
-        }
-        ExitKind::Ok
-    };
-    // To test the panic:
-    let input = BytesInput::new(Vec::from("abc"));
-    #[cfg(feature = "panic")]
-    harness(&input);
-}
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-03/src/main.rs}}
 ```
 
+To test the crash manually, you can add a feature in `Cargo.toml` that enables the call that triggers the panic:
+
+```toml
+{{#include ../../listings/baby_fuzzer/listing-03/Cargo.toml:23:25}}
+```
+
+And then run the program with that feature activated:
+
+```console
+$ cargo run -F panic
+```
+
+And you should see the program crash as expected.
+
 ## Generating and running some tests
 
-One of the main components that a LibAFL-based fuzzer uses is the State, a container of the data that is evolved during the fuzzing process.
-Includes all State, such as the Corpus of inputs, the current RNG state, and potential Metadata for the testcases and run.
+One of the main components that a LibAFL-based fuzzer uses is the State, a container of the data that will evolve during the fuzzing process.
+It includes all state, such as the Corpus of inputs, the current RNG state, and potential Metadata for the testcases and run.
 In our `main` we create a basic State instance like the following:
 
-```rust,ignore
-// create a State from scratch
-let mut state = StdState::new(
-    // RNG
-    StdRand::with_seed(current_nanos()),
-    // Corpus that will be evolved, we keep it in memory for performance
-    InMemoryCorpus::new(),
-    // Corpus in which we store solutions (crashes in this example),
-    // on disk so the user can get them after stopping the fuzzer
-    OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
-    &mut (),
-    &mut ()
-).unwrap();
+
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:state}}
 ```
 
 - The first parameter is a random number generator, that is part of the fuzzer state, in this case, we use the default one `StdRand`, but you can choose a different one. We seed it with the current nanoseconds.
@@ -129,43 +84,26 @@ let mut state = StdState::new(
 
   To avoid type annotation error, you can use `InMemoryCorpus::<BytesInput>::new()` to replace `InMemoryCorpus::new()`. If not, type annotation will be automatically inferred when adding `executor`.
 
-- third parameter is another corpus that stores the "solution" testcases for the fuzzer. For our purpose, the solution is the input that triggers the panic. In this case, we want to store it to disk under the `crashes` directory, so we can inspect it.
-- last two parameters are feedback and objective, we will discuss them later.
+- The third parameter is another Corpus that stores the "solution" testcases for the fuzzer. For our purpose, the solution is the input that triggers the panic. In this case, we want to store it to disk under the `crashes` directory, so we can inspect it.
+- The last two parameters are feedback and objective, we will discuss them later.
 
 Another required component is the **EventManager**. It handles some events such as the addition of a testcase to the corpus during the fuzzing process. For our purpose, we use the simplest one that just displays the information about these events to the user using a `Monitor` instance.
 
-```rust,ignore
-// The Monitor trait defines how the fuzzer stats are displayed to the user
-let mon = SimpleMonitor::new(|s| println!("{}", s));
-
-// The event manager handle the various events generated during the fuzzing loop
-// such as the notification of the addition of a new item to the corpus
-let mut mgr = SimpleEventManager::new(mon);
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:event_manager}}
 ```
 
 In addition, we have the **Fuzzer**, an entity that contains some actions that alter the State. One of these actions is the scheduling of the testcases to the fuzzer using a **Scheduler**.
 We create it as `QueueScheduler`, a scheduler that serves testcases to the fuzzer in a FIFO fashion.
 
-```rust,ignore
-// A queue policy to get testcasess from the corpus
-let scheduler = QueueScheduler::new();
-
-// A fuzzer with feedbacks and a corpus scheduler
-let mut fuzzer = StdFuzzer::new(scheduler, (), ());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:scheduler_fuzzer}}
 ```
 
 Last but not least, we need an **Executor** that is the entity responsible to run our program under test. In this example, we want to run the harness function in-process (without forking off a child, for example), and so we use the `InProcessExecutor`.
 
-```rust,ignore
-// Create the executor for an in-process function
-let mut executor = InProcessExecutor::new(
-    &mut harness,
-    (),
-    &mut fuzzer,
-    &mut state,
-    &mut mgr,
-)
-.expect("Failed to create the Executor");
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:executor}}
 ```
 
 It takes a reference to the harness, the state, and the event manager. We will discuss the second parameter later.
@@ -175,41 +113,19 @@ Now we have the 4 major entities ready for running our tests, but we still canno
 
 For this purpose, we use a **Generator**, `RandPrintablesGenerator` that generates a string of printable bytes.
 
-```rust,ignore
-use libafl::generators::RandPrintablesGenerator;
-
-// Generator of printable bytearrays of max size 32
-let mut generator = RandPrintablesGenerator::new(32);
-
-// Generate 8 initial inputs
-state
-    .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
-    .expect("Failed to generate the initial corpus".into());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:generator}}
 ```
 
 Now you can prepend the necessary `use` directives to your main.rs and compile the fuzzer.
 
 ```rust
-extern crate libafl;
-
-use std::path::PathBuf;
-use libafl::{
-    bolts::{AsSlice, current_nanos, rands::StdRand},
-    corpus::{InMemoryCorpus, OnDiskCorpus},
-    events::SimpleEventManager,
-    executors::{inprocess::InProcessExecutor, ExitKind},
-    fuzzer::StdFuzzer,
-    generators::RandPrintablesGenerator,
-    inputs::{BytesInput, HasTargetBytes},
-    monitors::SimpleMonitor,
-    schedulers::QueueScheduler,
-    state::StdState,
-};
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-04/src/main.rs:use}}
 ```
 
 When running, you should see something similar to:
 
-```sh
+```console
 $ cargo run
     Finished dev [unoptimized + debuginfo] target(s) in 0.04s
      Running `target/debug/baby_fuzzer`
@@ -225,60 +141,22 @@ Now we want to turn our simple fuzzer into a feedback-based one and increase the
 **Observer** can record the information about properties of a fuzzing run and then feeds the fuzzer. We use the `StdMapObserver`, the default observer that uses a map to keep track of covered elements. In our fuzzer, each condition is mapped to an entry of such map.
 
 We represent such map as a `static mut` variable.
-As we don't rely on any instrumentation engine, we have to manually track the satisfied conditions by `singals_set` in our harness:
+As we don't rely on any instrumentation engine, we have to manually track the satisfied conditions by `signals_set` in our harness:
 
 ```rust
-extern crate libafl;
-use libafl::{
-    bolts::AsSlice,
-    inputs::{BytesInput, HasTargetBytes},
-    executors::ExitKind,
-};
-
-// Coverage map with explicit assignments due to the lack of instrumentation
-static mut SIGNALS: [u8; 16] = [0; 16];
-
-fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
-}
-
-// The closure that we want to fuzz
-let mut harness = |input: &BytesInput| {
-    let target = input.target_bytes();
-    let buf = target.as_slice();
-    signals_set(0); // set SIGNALS[0]
-    if buf.len() > 0 && buf[0] == 'a' as u8 {
-        signals_set(1); // set SIGNALS[1]
-        if buf.len() > 1 && buf[1] == 'b' as u8 {
-            signals_set(2); // set SIGNALS[2]
-            if buf.len() > 2 && buf[2] == 'c' as u8 {
-                panic!("=)");
-            }
-        }
-    }
-    ExitKind::Ok
-};
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:signals}}
 ```
 
 The observer can be created directly from the `SIGNALS` map, in the following way:
 
-```rust,ignore
-// Create an observation channel using the signals map
-let observer = StdMapObserver::new("signals", unsafe { &mut SIGNALS });
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:observer}}
 ```
 
 The observers are usually kept in the corresponding executor as they keep track of information that is valid for just one run. We have then to modify our InProcessExecutor creation to include the observer as follows:
 
-```rust,ignore
-// Create the executor for an in-process function with just one observer
-let mut executor = InProcessExecutor::new(
-    &mut harness,
-    tuple_list!(observer),
-    &mut fuzzer,
-    &mut state,
-    &mut mgr,
-)
-.expect("Failed to create the Executor".into());
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:executor_with_observer}}
 ```
 
 Now that the fuzzer can observe which condition is satisfied, we need a way to rate an input as interesting (i.e. worth of addition to the corpus) based on this observation. Here comes the notion of Feedback.
@@ -287,49 +165,23 @@ Now that the fuzzer can observe which condition is satisfied, we need a way to r
 
 We use `MaxMapFeedback`, a feedback that implements a novelty search over the map of the MapObserver. Basically, if there is a value in the observer's map that is greater than the maximum value registered so far for the same entry, it rates the input as interesting and updates its state.
 
-**Objective Feedback** is another kind of Feedback which decide if an input is a "solution". It will save input to solutions(`./crashes` in our case) other than corpus when the input is rated interesting. We use `CrashFeedback` to tell the fuzzer that if an input causes the program to crash it is a solution for us.
+**Objective Feedback** is another kind of Feedback which decides if an input is a "solution". It will save input to solutions(`./crashes` in our case) rather than corpus when the input is rated interesting. We use `CrashFeedback` to tell the fuzzer that if an input causes the program to crash it is a solution for us.
 
 We need to update our State creation including the feedback state and the Fuzzer including the feedback and the objective:
 
-```rust,ignore
-extern crate libafl;
-use libafl::{
-    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
-    corpus::{InMemoryCorpus, OnDiskCorpus},
-    feedbacks::{MaxMapFeedback, CrashFeedback},
-    fuzzer::StdFuzzer,
-    state::StdState,
-    observers::StdMapObserver,
-};
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:state_with_feedback_and_objective}}
+```
 
-// Feedback to rate the interestingness of an input
-let mut feedback = MaxMapFeedback::new(&observer);
+Once again, you need to add the necessary `use` directives for this to work properly:
 
-// A feedback to choose if an input is a solution or not
-let mut objective = CrashFeedback::new();
-
-// create a State from scratch
-let mut state = StdState::new(
-    // RNG
-    StdRand::with_seed(current_nanos()),
-    // Corpus that will be evolved, we keep it in memory for performance
-    InMemoryCorpus::new(),
-    // Corpus in which we store solutions (crashes in this example),
-    // on disk so the user can get them after stopping the fuzzer
-    OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
-    &mut feedback,
-    &mut objective
-).unwrap();
-
-// ...
-
-// A fuzzer with feedbacks and a corpus scheduler
-let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+```rust
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-05/src/main.rs:use}}
 ```
 
 ## The actual fuzzing
 
-Now, after including the correct `use`, we can run the program, but the outcome is not so different from the previous one as the random generator does not take into account what we save as interesting in the corpus. To do that, we need to plug a Mutator.
+Now, we can run the program, but the outcome is not so different from the previous one as the random generator does not take into account what we save as interesting in the corpus. To do that, we need to plug a Mutator.
 
 **Stages** perform actions on individual inputs, taken from the corpus.
 For instance, the `MutationalStage` executes the harness several times in a row, every time with mutated inputs.
@@ -337,28 +189,20 @@ For instance, the `MutationalStage` executes the harness several times in a row,
 As the last step, we create a MutationalStage that uses a mutator inspired by the havoc mutator of AFL.
 
 ```rust,ignore
-use libafl::{
-    mutators::scheduled::{havoc_mutations, StdScheduledMutator},
-    stages::mutational::StdMutationalStage,
-    fuzzer::Fuzzer,
-};
-
-// ...
-
-// Setup a mutational stage with a basic bytes mutator
-let mutator = StdScheduledMutator::new(havoc_mutations());
-let mut stages = tuple_list!(StdMutationalStage::new(mutator));
-
-fuzzer
-    .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
-    .expect("Error in the fuzzing loop");
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-06/src/main.rs:mutational_stage}}
 ```
 
 `fuzz_loop` will request a testcase for each iteration to the fuzzer using the scheduler and then it will invoke the stage.
 
-After adding this code, we have a proper fuzzer, that can run a find the input that panics the function in less than a second.
+Again, we need to add the new `use` directives:
 
-```text
+```rust,ignore
+{{#rustdoc_include ../../listings/baby_fuzzer/listing-06/src/main.rs:use}}
+```
+
+After adding this code, we have a proper fuzzer, that can run and find the input that panics the function in less than a second.
+
+```console
 $ cargo run
    Compiling baby_fuzzer v0.1.0 (/home/andrea/Desktop/baby_fuzzer)
     Finished dev [unoptimized + debuginfo] target(s) in 1.56s
@@ -378,4 +222,4 @@ Bye!
 
 As you can see, after the panic message, the `objectives` count of the log increased by one and you will find the crashing input in `crashes/`.
 
-The complete code can be found in [`./fuzzers/baby_fuzzer`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby_fuzzer) alongside other `baby_` fuzzers.
+The complete code can be found in [`./fuzzers/baby/baby_fuzzer`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/baby_fuzzer) alongside other `baby_` fuzzers.

docs/src/baby_fuzzer/more_examples.md

@@ -1,6 +1,6 @@
 # More Examples
 
-Examples can be found under `./fuzzer`.
+Examples can be found under `./fuzzers/baby`.
 
 |fuzzer name|usage|
 |  ----  | ----  |
@@ -9,4 +9,4 @@ Examples can be found under `./fuzzer`.
 | baby_fuzzer_nautilus | [nautilus](https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04A-3_Aschermann_paper.pdf) is a **coverage guided, grammar based** fuzzer|
 |baby_fuzzer_tokens| basic **token level** fuzzer with token level mutations|
 |baby_fuzzer_with_forkexecutor| example for **InProcessForkExecutor**|
-|baby_no_std|a minimalistic example how to create a libafl based fuzzer that works on **`no_std`** environments like TEEs, Kernels or on barew metal|
+|baby_no_std|a minimalistic example how to create a libafl based fuzzer that works on **`no_std`** environments like TEEs, Kernels or on bare metal|

docs/src/core_concepts/corpus.md

@@ -4,8 +4,8 @@ The Corpus is where testcases are stored. We define a Testcase as an Input and a
 
 A Corpus can store testcases in different ways, for example on disk, or in memory, or implement a cache to speedup on disk storage.
 
-Usually, a testcase is added to the Corpus when it is considered as interesting, but a Corpus is used also to store testcases that fulfill an objective (like crashing the tested program for instance).
+Usually, a testcase is added to the Corpus when it is considered as interesting, but a Corpus is used also to store testcases that fulfill an objective (like crashing the program under test for instance).
 
-Related to the Corpus, there is the way in which the fuzzer should ask for the next testcase to fuzz picking it from the Corpus. The taxonomy for this in LibAFL is CorpusScheduler, the entity representing the policy to pop testcases from the Corpus, FIFO for instance.
+Related to the Corpus is the way in which the next testcase (the fuzzer would ask for) is retrieved from the Corpus. The taxonomy for this handling in LibAFL is Scheduler, the entity representing the policy to pop testcases from the Corpus, in a FIFO fashion for instance.
 
-Speaking about the code, [`Corpus`](https://docs.rs/libafl/0/libafl/corpus/trait.Corpus.html) and [`CorpusScheduler`](https://docs.rs/libafl/0/libafl/corpus/trait.CorpusScheduler.html) are traits.
+Speaking about the code, [`Corpus`](https://docs.rs/libafl/latest/libafl/corpus/trait.Corpus.html) and [`Scheduler`](https://docs.rs/libafl/latest/libafl/schedulers/trait.Scheduler.html) are traits.

docs/src/core_concepts/executor.md

@@ -1,7 +1,7 @@
 # Executor
 
 In different fuzzers, this concept of executing the program under test means each run is now always the same.
-For instance, for in-memory fuzzers like libFuzzer an execution is a call to an harness function, for hypervisor-based fuzzers like [kAFL](https://github.com/IntelLabs/kAFL) instead an entire operating system is started from a snapshot for each run.
+For instance, for in-process fuzzers like libFuzzer an execution is a call to an harness function, for hypervisor-based fuzzers like [kAFL](https://github.com/IntelLabs/kAFL) instead an entire operating system is started from a snapshot for each run.
 
 In our model, an Executor is the entity that defines not only how to execute the target, but all the volatile operations that are related to just a single run of the target.
 
@@ -9,22 +9,22 @@ So the Executor is for instance responsible to inform the program about the inpu
 
 In our model, it can also hold a set of Observers connected with each execution.
 
-In Rust, we bind this concept to the [`Executor`](https://docs.rs/libafl/0/libafl/executors/trait.Executor.html) trait. A structure implementing this trait must implement [`HasObservers`](https://docs.rs/libafl/0/libafl/executors/trait.HasObservers.html) too if wants to hold a set of Observers.
+In Rust, we bind this concept to the [`Executor`](https://docs.rs/libafl/latest/libafl/executors/trait.Executor.html) trait. A structure implementing this trait must implement [`HasObservers`](https://docs.rs/libafl/latest/libafl/executors/trait.HasObservers.html) too if wants to hold a set of Observers.
 
-By default, we implement some commonly used Executors such as [`InProcessExecutor`](https://docs.rs/libafl/0/libafl/executors/inprocess/struct.InProcessExecutor.html) in which the target is a harness function providing in-process crash detection. Another Executor is the [`ForkserverExecutor`](https://docs.rs/libafl/0/libafl/executors/forkserver/struct.ForkserverExecutor.html) that implements an AFL-like mechanism to spawn child processes to fuzz.
-
-A common pattern when creating an Executor is wrapping an existing one, for instance [`TimeoutExecutor`](https://docs.rs/libafl/0.6.1/libafl/executors/timeout/struct.TimeoutExecutor.html) wraps an executor and install a timeout callback before calling the original run function of the wrapped executor.
+By default, we implement some commonly used Executors such as [`InProcessExecutor`](https://docs.rs/libafl/latest/libafl/executors/inprocess/type.InProcessExecutor.html) in which the target is a harness function providing in-process crash detection. Another Executor is the [`ForkserverExecutor`](https://docs.rs/libafl/latest/libafl/executors/forkserver/struct.ForkserverExecutor.html) that implements an AFL-like mechanism to spawn child processes to fuzz.
 
 ## InProcessExecutor
+
 Let's begin with the base case; `InProcessExecutor`.
 This executor executes the harness program (function) inside the fuzzer process.
 
 When you want to execute the harness as fast as possible, you will most probably want to use this `InprocessExecutor`.
 
- One thing to note here is, when your harness is likely to have heap corruption bugs, you want to use another allocator so that corrupted heap does not affect the fuzzer itself. (For example, we adopt MiMalloc in some of our fuzzers.). Alternatively you can compile your harness with address sanitizer to make sure you can catch these heap bugs.
+One thing to note here is, when your harness is likely to have heap corruption bugs, you want to use another allocator so that corrupted heap does not affect the fuzzer itself. (For example, we adopt MiMalloc in some of our fuzzers.). Alternatively you can compile your harness with address sanitizer to make sure you can catch these heap bugs.
 
 ## ForkserverExecutor
-Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFLplusplus/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Hopefully, we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage.
+
+Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFL/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Fortunately we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage in.
 
 As you can see from the forkserver example,
 
@@ -32,13 +32,15 @@ As you can see from the forkserver example,
 //Coverage map shared between observer and executor
 let mut shmem = StdShMemProvider::new().unwrap().new_shmem(MAP_SIZE).unwrap();
 //let the forkserver know the shmid
-shmem.write_to_env("__AFL_SHM_ID").unwrap();
-let mut shmem_buf = shmem.as_mut_slice();
+unsafe {
+    shmem.write_to_env("__AFL_SHM_ID").unwrap();
+}
+let mut shmem_buf = shmem.as_slice_mut();
 ```
 
 Here we make a shared memory region; `shmem`, and write this to environmental variable `__AFL_SHM_ID`. Then the instrumented binary, or the forkserver, finds this shared memory region (from the aforementioned env var) to record its coverage. On your fuzzer side, you can pass this shmem map to your `Observer` to obtain coverage feedbacks combined with any `Feedback`.
 
-Another feature of the `ForkserverExecutor` to mention is the shared memory testcases. In normal cases, the mutated input is passed between the forkserver and the instrumented binary via `.cur_input` file. You can improve your forkserver fuzzer's performance by passing the input with shared memory.  
+Another feature of the `ForkserverExecutor` to mention is the shared memory testcases. In normal cases, the mutated input is passed between the forkserver and the instrumented binary via `.cur_input` file. You can improve your forkserver fuzzer's performance by passing the input with shared memory.
 
 If the target is configured to use shared memory testcases, the `ForkserverExecutor` will notice this during the handshake and will automatically set up things accordingly.
 See AFL++'s [_documentation_](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md#5-shared-memory-fuzzing) or the fuzzer example in `forkserver_simple/src/program.c` for reference.
@@ -48,7 +50,7 @@ See AFL++'s [_documentation_](https://github.com/AFLplusplus/AFLplusplus/blob/st
 Finally, we'll talk about the `InProcessForkExecutor`.
 `InProcessForkExecutor` has only one difference from `InprocessExecutor`; It forks before running the harness and that's it.
 
-But why do we want to do so? well, under some circumstances, you may find your harness pretty unstable or your harness wreaks havoc on the global states. In this case, you want to fork it before executing the harness runs in the child process so that it doesn't break things.
+But why do we want to do so? Well, under some circumstances, you may find your harness pretty unstable or your harness wreaks havoc on the global states. In this case, you want to fork it before executing the harness runs in the child process so that it doesn't break things.
 
 However, we have to take care of the shared memory, it's the child process that runs the harness code and writes the coverage to the map.
 
@@ -59,12 +61,25 @@ On your fuzzer side, you can allocate a shared memory region and make the `EDGES
 ```rust,ignore
 let mut shmem;
 unsafe{
-    shmem = StdShMemProvider::new().unwrap().new_shmem(MAX_EDGES_NUM).unwrap();
+    shmem = StdShMemProvider::new().unwrap().new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap();
 }
-let shmem_buf = shmem.as_mut_slice();
+let shmem_buf = shmem.as_slice_mut();
 unsafe{
     EDGES_PTR = shmem_buf.as_ptr();
 }
 ```
 
 Again, you can pass this shmem map to your `Observer` and `Feedback` to obtain coverage feedbacks.
+
+Additionaly to allow the fuzzer to know when the child has crashed, the program should abort instead of unwinding upon a panic.
+Without it, no crashes are saved by the fuzzer.
+
+Cargo.toml:
+
+```toml
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+```

docs/src/core_concepts/feedback.md

@@ -10,17 +10,25 @@ The concept of "interestingness" is abstract, but typically it is related to a n
 
 As an example, given an Observer that reports all the sizes of memory allocations, a maximization Feedback can be used to maximize these sizes to sport pathological inputs in terms of memory consumption.
 
-In terms of code, the library offers the [`Feedback`](https://docs.rs/libafl/0/libafl/feedbacks/trait.Feedback.html) and the [`FeedbackState`](https://docs.rs/libafl/0/libafl/feedbacks/trait.FeedbackState.html) traits.
-The first is used to implement functors that, given the state of the observers from the last execution, tells if the execution was interesting. The second is tied with `Feedback` and it is the state of the data that the feedback wants to persist in the fuzzers's state, for instance the cumulative map holding all the edges seen so far in the case of a feedback based on edge coverage.
+In terms of code, the library offers the [`Feedback`](https://docs.rs/libafl/latest/libafl/feedbacks/trait.Feedback.html) trait.
+It is used to implement functors that, given the state of the observers from the last execution, tells if the execution was interesting.
+So to speak, it reduces the observations to a boolean result of [`is_interesting`](https://docs.rs/libafl/latest/libafl/feedbacks/trait.Feedback.html#tymethod.is_interesting) - or not.
+For this, a `Feedback` can store anything it wants to persist in the fuzzers's state.
+This might be, for instance, the cumulative map of all edges seen so far, in the case of a feedback based on edge coverage.
+This can be achieved by adding `Metadata` in [`init_state`](https://docs.rs/libafl/latest/libafl/feedbacks/trait.Feedback.html#method.init_state) and accessing it later in `is_interesting`.
+`Feedback` can also add custom metadata to a newly created [`Testcase`](https://docs.rs/libafl/latest/libafl/corpus/testcase/struct.Testcase.html) using [`append_metadata`](https://docs.rs/libafl/latest/libafl/feedbacks/trait.Feedback.html#method.append_metadata).
 
-Multiple Feedbacks can be combined into boolean formula, considering for instance an execution as interesting if it triggers new code paths or execute in less time compared to the average execution time using [`feedback_or`](https://docs.rs/libafl/*/libafl/macro.feedback_or.html).
+Multiple Feedbacks can be combined into a boolean expression, considering for instance an execution as interesting if it triggers new code paths or execute in less time compared to the average execution time using [`feedback_or`](https://docs.rs/libafl/latest/libafl/macro.feedback_or.html).
 
-On top, logic operators like `feedback_or` and `feedback_and` have a `_fast` option (`feedback_or_fast` where the second feedback will not be evaluated, if the first part already answers the `interestingness` question, to save precious performance.
+On top, logic operators like `feedback_or` and `feedback_and` have a `_fast` variant (e.g. `feedback_or_fast`) where the second feedback will not be evaluated, if the value of the first feedback operand already answers the `interestingness` question so as to save precious performance.
 
-Using `feedback_and_fast` in combination with [`ConstFeedback`](https://docs.rs/libafl/*/libafl/feedbacks/enum.ConstFeedback.html#method.new), certain feedbacks can be disabled dynamically.
+Using `feedback_and_fast` in combination with [`ConstFeedback`](https://docs.rs/libafl/latest/libafl/feedbacks/enum.ConstFeedback.html#method.new), certain feedbacks can be disabled dynamically.
 
 ## Objectives
 
-While feedbacks are commonly used to decide if an [`Input`](https://docs.rs/libafl/*/libafl/inputs/trait.Input.html) should be kept for future mutations, they serve a double-purpose, as so-called `Objective Feedbacks`.
-In this case, the `interestingness` of a feedback indicates, if an `Objective` has been hit.
-Commonly, these would be a`crash or a timeout, but they can also be used to find specific parts of the program, for sanitization, or a differential fuzzing success.
+While feedbacks are commonly used to decide if an [`Input`](https://docs.rs/libafl/latest/libafl/inputs/trait.Input.html) should be kept for future mutations, they serve a double-purpose, as so-called `Objective Feedbacks`.
+In this case, the `interestingness` of a feedback indicates if an `Objective` has been hit.
+Commonly, these objectives would be a crash or a timeout, but they can also be used to detect if specific parts of the program have been reached, for sanitization, or a differential fuzzing success.
+Objectives use the same trait as a normal [`Feedback`](https://docs.rs/libafl/latest/libafl/feedbacks/trait.Feedback.html) and the implementations can be used interchangeably.
+
+The only difference is that `interesting` Objectives won't be mutated further, and are counted as `Solutions`, a successful fuzzing campaign.

docs/src/core_concepts/generator.md

@@ -6,4 +6,4 @@ Typically, a random generator is used to generate random inputs.
 
 Generators are traditionally less used in Feedback-driven Fuzzing, but there are exceptions, like Nautilus, that uses a Grammar generator to create the initial corpus and a sub-tree Generator as a mutation of its grammar Mutator.
 
-In the code, [`Generator`](https://docs.rs/libafl/0/libafl/generators/trait.Generator.html) is a trait.
+In the code, [`Generator`](https://docs.rs/libafl/latest/libafl/generators/trait.Generator.html) is a trait.

docs/src/core_concepts/input.md

@@ -6,10 +6,10 @@ In our model of an abstract fuzzer, we define the Input as the internal represen
 
 In the straightforward case, the input of the program is a byte array and in fuzzers such as AFL we store and manipulate exactly these byte arrays.
 
-But it is not always the case. A program can expect inputs that are not byte arrays (e.g. a sequence of syscalls) and the fuzzer does not represent the Input in the same way that the program consumes it.
+But it is not always the case. A program can expect inputs that are not linear byte arrays (e.g. a sequence of syscalls forming a use case or protocol) and the fuzzer does not represent the Input in the same way that the program consumes it.
 
 In case of a grammar fuzzer for instance, the Input is generally an Abstract Syntax Tree because it is a data structure that can be easily manipulated while maintaining the validity, but the program expects a byte array as input, so just before the execution, the tree is serialized to a sequence of bytes.
 
-In the Rust code, an [`Input`](https://docs.rs/libafl/*/libafl/inputs/trait.Input.html) is a trait that can be implemented only by structures that are serializable and have only owned data as fields.
+In the Rust code, an [`Input`](https://docs.rs/libafl/latest/libafl/inputs/trait.Input.html) is a trait that can be implemented only by structures that are serializable and have only owned data as fields.
 
-While most fuzzer use a normal `BytesInput`], more advanced inputs like inputs include special inputs for grammar fuzzing ([GramatronInput](https://docs.rs/libafl/*/libafl/inputs/gramatron/struct.GramatronInput.html) or `NautilusInput` on nightly), as well as the token-level [EncodedInput](https://docs.rs/libafl/*/libafl/inputs/encoded/struct.EncodedInput.html).
+While most fuzzers use a normal `BytesInput`, more advanced ones use inputs that include special inputs for grammar fuzzing ([GramatronInput](https://docs.rs/libafl/latest/libafl/inputs/gramatron/struct.GramatronInput.html) or `NautilusInput` on Rust nightly), as well as the token-level [EncodedInput](https://docs.rs/libafl/latest/libafl/inputs/encoded/struct.EncodedInput.html).

docs/src/core_concepts/mutator.md

@@ -1,9 +1,11 @@
 # Mutator
 
-The Mutator is an entity that takes one or more Inputs and generates a new derived one.
+The Mutator is an entity that takes one or more Inputs and generates a new instance of Input derived by its inputs.
 
 Mutators can be composed, and they are generally linked to a specific Input type.
 
-There can be, for instance, a Mutator that applies more than a single type of mutation on the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the only one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
+There can be, for instance, a Mutator that applies more than a single type of mutation to the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the only one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
 
-In LibAFL, [`Mutator`](https://docs.rs/libafl/*/libafl/mutators/trait.Mutator.html) is a trait.
+There are also mutators that always produce valid inputs, say a mutator that generates valid JSON or code, but these grammar based mutators need a grammar to work.
+
+In LibAFL, [`Mutator`](https://docs.rs/libafl/latest/libafl/mutators/trait.Mutator.html) is a trait.

docs/src/core_concepts/observer.md

@@ -4,10 +4,10 @@ An Observer is an entity that provides an information observed during the execut
 
 The information contained in the Observer is not preserved across executions, but it may be serialized and passed on to other nodes if an `Input` is considered `interesting`, and added to the `Corpus`.
 
-As an example, the coverage map, filled during the execution to report the executed edges used by fuzzers such as AFL and `HonggFuzz` can be considered an observation. Another `Observer` can be the time spent executing a run, the program output, or more advanced observation, like maximum stack depth at runtime.
-This information is not preserved across runs, and it is an observation of a dynamic property of the program.
+As an example, the coverage map, filled during the execution to report the executed edges used by fuzzers such as AFL and `HonggFuzz` can be considered an observation. Another `Observer` can collect the time spent executing a run, the program output, or a more advanced observation, like maximum stack depth at runtime.
+This information is an observation of a dynamic property of the program.
 
-In terms of code, in the library this entity is described by the [`Observer`](https://docs.rs/libafl/0/libafl/observers/trait.Observer.html) trait.
+In terms of code, in the library this entity is described by the [`Observer`](https://docs.rs/libafl/latest/libafl/observers/trait.Observer.html) trait.
 
 In addition to holding the volatile data connected with the last execution of the target, the structures implementing this trait can define some execution hooks that are executed before and after each fuzz case. In these hooks, the observer can modify the fuzzer's state.
 

docs/src/core_concepts/stage.md

@@ -1,9 +1,9 @@
 # Stage
 
-A Stage is an entity that operates on a single Input got from the Corpus.
+A Stage is an entity that operates on a single Input received from the Corpus.
 
-For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more time. How many times this has to be done can be scheduled, AFL for instance uses a performance score of the input to choose how many times the havoc mutator should be invoked. This can depend also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or be a fixed value.
+For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more times. How many times this has to be done can be scheduled, AFL for instance uses a performance score of the input to choose how many times the havoc mutator should be invoked. This can depend also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or a fixed value.
 
 A stage can also be an analysis stage, for instance, the Colorization stage of Redqueen that aims to introduce more entropy in a testcase or the Trimming stage of AFL that aims to reduce the size of a testcase.
 
-There are several stages in the LibAFL codebase implementing the [`Stage`](https://docs.rs/libafl/*/libafl/stages/trait.Stage.html) trait.
+There are several stages in the LibAFL codebase implementing the [`Stage`](https://docs.rs/libafl/latest/libafl/stages/trait.Stage.html) trait.

docs/src/design/architecture.md

@@ -8,8 +8,8 @@ The LibAFL code reuse mechanism is based on components, rather than sub-classes,
 
 Thinking about similar fuzzers, you can observe that most of the time the data structures that are modified are the ones related to testcases and the fuzzer global state.
 
-Beside the entities previously described, we introduce the [`Testcase`](https://docs.rs/libafl/0.6/libafl/corpus/testcase/struct.Testcase.html) and [`State`](https://docs.rs/libafl/0.6/libafl/state/struct.StdState.html) entities. The Testcase is a container for an Input stored in the Corpus and its metadata (so, in the implementation, the Corpus stores Testcases) and the State contains all the metadata that are evolved while running the fuzzer, Corpus included.
+Beside the entities previously described, we introduce the [`Testcase`](https://docs.rs/libafl/latest/libafl/corpus/testcase/struct.Testcase.html) and [`State`](https://docs.rs/libafl/latest/libafl/state/struct.StdState.html) entities. The Testcase is a container for an Input stored in the Corpus and its metadata (so, in the implementation, the Corpus stores Testcases) and the State contains all the metadata that are evolved while running the fuzzer, Corpus included.
 
-The State, in the implementation, contains only owned objects that are serializable, and it is serializable itself. Some fuzzers may want to serialize its state when pausing or just, when doing in-process fuzzing, serialize on crash and deserialize in the new process to continue to fuzz with all the metadata preserved.
+The State, in the implementation, contains only owned objects that are serializable, and it is serializable itself. Some fuzzers may want to serialize their state when pausing or just, when doing in-process fuzzing, serialize on crash and deserialize in the new process to continue to fuzz with all the metadata preserved.
 
-Additionally, we group the entities that are "actions", like the `CorpusScheduler` and the `Feedbacks`, in a common place, the [`Fuzzer'](https://docs.rs/libafl/*/libafl/fuzzer/struct.StdFuzzer.html).
+Additionally, we group the entities that are "actions", like the `CorpusScheduler` and the `Feedbacks`, in a common place, the [`Fuzzer`](https://docs.rs/libafl/latest/libafl/fuzzer/struct.StdFuzzer.html).

docs/src/design/metadata.md

@@ -5,10 +5,10 @@ A metadata in LibAFL is a self-contained structure that holds associated data to
 In terms of code, a metadata can be defined as a Rust struct registered in the SerdeAny register.
 
 ```rust
-extern crate libafl;
-extern crate serde;
+# extern crate libafl_bolts;
+# extern crate serde;
 
-use libafl::SerdeAny;
+use libafl_bolts::SerdeAny;
 use serde::{Serialize, Deserialize};
 
 #[derive(Debug, Serialize, Deserialize, SerdeAny)]
@@ -19,15 +19,15 @@ pub struct MyMetadata {
 
 The struct must be static, so it cannot hold references to borrowed objects.
 
-As an alternative to `derive(SerdeAny)` that is a proc-macro in `libafl_derive` the user can use `libafl::impl_serdeany!(MyMetadata);`.
+As an alternative to `derive(SerdeAny)` which is a proc-macro in `libafl_derive` the user can use `libafl_bolts::impl_serdeany!(MyMetadata);`.
 
 ## Usage
 
-Metadata objects are primarly intended to be used inside [`SerdeAnyMap`](https://docs.rs/libafl/0.5.0/libafl/bolts/serdeany/serdeany_registry/struct.SerdeAnyMap.html) and [`NamedSerdeAnyMap`](https://docs.rs/libafl/0.5.0/libafl/bolts/serdeany/serdeany_registry/struct.NamedSerdeAnyMap.html).
+Metadata objects are primarly intended to be used inside [`SerdeAnyMap`](https://docs.rs/libafl_bolts/latest/libafl_bolts/serdeany/serdeany_registry/struct.SerdeAnyMap.html) and [`NamedSerdeAnyMap`](https://docs.rs/libafl_bolts/latest/libafl_bolts/serdeany/serdeany_registry/struct.NamedSerdeAnyMap.html).
 
 With these maps, the user can retrieve instances by type (and name). Internally, the instances are stored as SerdeAny trait objects.
 
-Structs that want to have a set of metadata must implement the [`HasMetadata`](https://docs.rs/libafl/0.5.0/libafl/state/trait.HasMetadata.html) trait.
+Structs that want to have a set of metadata must implement the [`HasMetadata`](https://docs.rs/libafl/latest/libafl/common/trait.HasMetadata.html) trait.
 
 By default, Testcase and State implement it and hold a SerdeAnyMap testcase.
 

docs/src/design/migration-0.11.md

@@ -0,0 +1,27 @@
+# Migrating from LibAFL <0.11 to 0.11
+
+We moved the old `libafl::bolts` module to its own crate called `libafl_bolts`.
+For this, imports for types in LibAFL bolts have changed in version 0.11, everything else should remain the same.
+
+## Reasons for This Change
+
+With the change we can now use a lot of low-level features of LibAFL for projects that are unrelated to fuzzing, or just completely different to LibAFL.
+Some cross-platform things in bolts include
+
+* SerdeAnyMap: a map that stores and retrieves elements by type and is serializable and deserializable
+* ShMem: A cross-platform (Windows, Linux, Android, MacOS) shared memory implementation
+* LLMP: A fast, lock-free IPC mechanism via SharedMap
+* Core_affinity: A maintained version of `core_affinity` that can be used to get core information and bind processes to cores
+* Rands: Fast random number generators for fuzzing (like [RomuRand](https://www.romu-random.org/))
+* MiniBSOD: get and print information about the current process state including important registers.
+* Tuples: Haskel-like compile-time tuple lists
+* Os: OS specific stuff like signal handling, windows exception handling, pipes, and helpers for `fork`
+
+## What changed
+
+You will need to move all `libafl::bolts::` imports to `libafl_bolts:::` and add the crate dependency in your Cargo.toml (and specify feature flags there).
+As only exception, the `libafl::bolts::launcher::Launcher` has moved to `libafl::events::launcher::Launcher` since it has fuzzer and `EventManager` specific code.
+If you are using `prelude`, you may need to also ad `libafl_bolts::prelude`.
+
+That's it.
+Enjoy using `libafl_bolts` in other projects.

docs/src/design/migration-0.12.md

@@ -0,0 +1,9 @@
+# Migrating from <0.12 to 0.12
+
+We deleted `TimeoutExecutor` and `TimeoutForkserverExecutor` and make it mandatory for `InProcessExecutor` and `ForkserverExecutor` to have the timeout. Now `InProcessExecutor` and `ForkserverExecutor` have the default timeout of 5 seconds.
+
+## Reason for This Change.
+In 99% of the case, it is advised to have the timeout for the fuzzer. This is because we do not want the fuzzer to stop forever just because the target has hit a path that resulted in a infinite-loop.
+
+## What changed
+You do not have to wrap the executor with `TimeoutExecutor` anymore. You can just use `InProcessExecutor::new()` to instantiate the executor with the default timeout or use `InProcessExecutor::timeout(duration)` to start the executor with the customized duration of timeout.

docs/src/design/migration-0.9.md

@@ -75,7 +75,7 @@ where
 ```
 
 The executor is constrained to `EM` and `Z`, with each of their respective states being constrained to `E`'s state. It
-is no longer necessary to explicitly defined a generic for the input type, the state type, or the generic type, as these
+is no longer necessary to explicitly define a generic for the input type, the state type, or the generic type, as these
 are all present as associated types for `E`. Additionally, we don't even need to specify any details about the observers
 (`OT` in the previous version) as the type does not need to be constrained and is not shared by other types.
 
@@ -101,7 +101,7 @@ See `fuzzers/` for examples of these changes.
 If you implemented a Mutator, Executor, State, or another kind of component, you must update your implementation. The
 main changes to the API are in the use of "Uses*" for associated types.
 
-In many scenarios, Input, Observers, and State generics have been moved into traits with associated types (namely,
+In many scenarios, Input, Observer, and State generics have been moved into traits with associated types (namely,
 "UsesInput", "UsesObservers", and "UsesState". These traits are required for many existing traits now and are very
 straightforward to implement. In a majority of cases, you will have generics on your custom implementation or a fixed
 type to implement this with. Thankfully, Rust will let you know when you need to implement this type.
@@ -127,7 +127,7 @@ where
 }
 ```
 
-After 0.9, all `Corpus` implementations are required to implement `UsesInput` and `Corpus` no longer has a generic for
+After 0.9, all `Corpus` implementations are required to implement `UsesInput`. Also `Corpus` no longer has a generic for
 the input type (as it is now provided by the UsesInput impl). The migrated implementation is shown below:
 
 ```rust,ignore
@@ -160,3 +160,26 @@ Now, `Corpus` cannot be accidentally implemented for another type other than tha
 is fixed to the associated type for `UsesInput`.
 
 A more complex example of migration can be found in the "Reasons for this change" section of this document.
+
+## Observer Changes
+
+Additionally, we changed the Observer API, as the API in 0.8 led to undefined behavior.
+At the same time, we used the change to simplify the common case: creating an `StdMapObserver`
+from libafl_target's `EDGES_MAP`.
+In the future, instead of using:
+
+```rust,ignore
+let edges = unsafe { &mut EDGES_MAP[0..EDGES_MAP_DEFAULT_SIZE] };
+let edges_observer = StdMapObserver::new("edges", edges);
+```
+
+creating the edges observer is as simple as using the new `std_edges_map_observer` function.
+
+```rust,ignore
+let edges_observer = unsafe { std_edges_map_observer("edges") };
+```
+
+Alternatively, `StdMapObserver::new` will still work, but now the whole method is marked as `unsafe`.
+The reason is that the caller has to make sure `EDGES_MAP` (or other maps) are not moved or freed in memory,
+for the lifetime of the `MapObserver`.
+This means that the buffer should either be `static` or `Pin`.

docs/src/getting_started/build.md

@@ -6,7 +6,7 @@ LibAFL, as most of the Rust projects, can be built using `cargo` from the root d
 $ cargo build --release
 ```
 
-Note that the `--release` flag is optional for development, but you needed to add it to fuzzing at a decent speed.
+Note that the `--release` flag is optional for development, but you need to add it to do fuzzing at a decent speed.
 Slowdowns of 10x or more are not uncommon for Debug builds.
 
 The LibAFL repository is composed of multiple crates.

docs/src/getting_started/crates.md

@@ -10,7 +10,7 @@ libafl = { version = "*" }
 
 ## Crate List
 
-For LibAFL, each crate has its self-contained purpose, and the user may not need to use all of them in its project.
+For LibAFL, each crate has its self-contained purpose, and the user may not need to use all of them in their project.
 Following the naming convention of the folders in the project's root, they are:
 
 ### [`libafl`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl)
@@ -31,20 +31,35 @@ You can choose the features by using `features = ["feature1", "feature2", ...]`
 Out of this list, by default, `std`, `derive`, and `rand_trait` are already set.
 You can choose to disable them by setting `default-features = false` in your `Cargo.toml`.
 
-### libafl_sugar
+### [`libafl_bolts`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_bolts)
+
+The `libafl_bolts` crate is a minimal tool shed filled with useful low-level rust features, not necessarily related to fuzzers.
+In it, you'll find highlights like:
+
+- `core_affinity` to bind the current process to cores
+- `SerdeAnyMap` a map that can store typed values in a serializable fashion
+- `minibsod` to dump the current process state
+- `LLMP`, "low level message passing", a lock-free IPC mechanism
+- `Rand`, different fast (non-cryptographically secure) RNG implementations like RomuRand
+- `ShMem`, a platform independent shard memory implementation
+- `Tuples`, a compiletime tuple implementation
+
+... and much more.
+
+### [`libafl_sugar`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_sugar)
 
 The sugar crate abstracts away most of the complexity of LibAFL's API.
 Instead of high flexibility, it aims to be high-level and easy-to-use.
 It is not as flexible as stitching your fuzzer together from each individual component, but allows you to build a fuzzer with minimal lines of code.
-To see it in action, take a look at the [`libfuzzer_stb_image_sugar` example fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/libfuzzer_stb_image_sugar).
+To see it in action, take a look at the [`libfuzzer_stb_image_sugar` example fuzzer](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/inprocess/libfuzzer_stb_image_sugar).
 
-### libafl_derive
+### [`libafl_derive`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_derive)
 
 This a proc-macro crate paired with the `libafl` crate.
 
 At the moment, it just exposes the `derive(SerdeAny)` macro that can be used to define Metadata structs, see the section about [Metadata](../design/metadata.md) for details.
 
-### libafl_targets
+### [`libafl_targets`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_targets)
 
 This crate exposes code to interact with, and to instrument, targets.
 To enable and disable features at compile-time, the features are enabled and disabled using feature flags.
@@ -52,36 +67,36 @@ To enable and disable features at compile-time, the features are enabled and dis
 Currently, the supported flags are:
 
 - `pcguard_edges` defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges in a map.
-- `pcguard_hitcounts defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges with the hitcounts (like AFL) in a map.
+- `pcguard_hitcounts` defines the SanitizerCoverage trace-pc-guard hooks to track the executed edges with the hitcounts (like AFL) in a map.
 - `libfuzzer` exposes a compatibility layer with libFuzzer style harnesses.
 - `value_profile` defines the SanitizerCoverage trace-cmp hooks to track the matching bits of each comparison in a map.
 
-### libafl_cc
+### [`libafl_cc`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_cc)
 
-This is a library that provides utils wrap compilers and create source-level fuzzers.
+This is a library that provides utils to wrap compilers and create source-level fuzzers.
 
 At the moment, only the Clang compiler is supported.
 To understand it deeper, look through the tutorials and examples.
 
-### libafl_frida
+### [`libafl_frida`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_frida)
 
 This library bridges LibAFL with Frida as instrumentation backend.
 With this crate, you can instrument targets on Linux/macOS/Windows/Android for coverage collection.
 Additionally, it supports CmpLog, and AddressSanitizer instrumentation and runtimes for aarch64.
 See further information, as well as usage instructions, [later in the book](../advanced_features/frida.md).
 
-### libafl_qemu
+### [`libafl_qemu`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_qemu)
 
 This library bridges LibAFL with QEMU user-mode to fuzz ELF cross-platform binaries.
 
 It works on Linux and can collect edge coverage without collisions!
 It also supports a wide range of hooks and instrumentation options.
 
-### libafl_nyx
+### [`libafl_nyx`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_nyx)
 
 [Nyx](https://nyx-fuzz.com/) is a KVM-based snapshot fuzzer. `libafl_nyx` adds these capabilities to LibAFL. There is a specific section explaining usage of libafl_nyx [later in the book](../advanced_features/nyx.md).
 
-### libafl_concolic
+### [`libafl_concolic`](https://github.com/AFLplusplus/LibAFL/tree/main/libafl_concolic)
 
 Concolic fuzzing is the combination of fuzzing and a symbolic execution engine.
 This can reach greater depth than normal fuzzing, and is exposed in this crate.

docs/src/getting_started/setup.md

@@ -11,27 +11,27 @@ The first step is to download LibAFL and all dependencies that are not automatic
 > previous command. Additionally, PowerShell-specific examples will use `>`
 > rather than `$`.
 
-While you technically do not need to install LibAFL, but can use the version from crates.io directly, we do recommend to download or clone the GitHub version.
+While technically you do not need to install LibAFL, but can use the version from crates.io directly, we do recommend to download or clone the GitHub version.
 This gets you the example fuzzers, additional utilities, and latest patches.
 The easiest way to do this is to use `git`.
 
 ```sh
-$ git clone git@github.com:AFLplusplus/LibAFL.git
+$ git clone https://github.com/AFLplusplus/LibAFL.git
 ```
 
-You can alternatively, on a UNIX-like machine, download a compressed archive and extract it with:
+Alternatively, on a UNIX-like machine, you can download a compressed archive and extract it with:
 
 ```sh
-wget https://github.com/AFLplusplus/LibAFL/archive/main.tar.gz
-$ tar xvf LibAFL-main.tar.gz
-$ rm LibAFL-main.tar.gz
+$ wget https://github.com/AFLplusplus/LibAFL/archive/main.tar.gz
+$ tar xvf main.tar.gz
+$ rm main.tar.gz
 $ ls LibAFL-main # this is the extracted folder
 ```
 
 ## Clang installation
 
 One of the external dependencies of LibAFL is the Clang C/C++ compiler.
-While most of the code is in pure Rust, we still need a C compiler because stable Rust still does not support features that some parts of LibAFL may need, such as weak linking, and LLVM builtins linking.
+While most of the code is written in pure Rust, we still need a C compiler because stable Rust still does not support features that some parts of LibAFL may need, such as weak linking, and LLVM builtins linking.
 For these parts, we use C to expose the missing functionalities to our Rust codebase.
 
 In addition, if you want to perform source-level fuzz testing of C/C++ applications,
@@ -54,6 +54,6 @@ explained [here](https://clang.llvm.org/get_started.html).
 
 If you do not have Rust installed, you can easily follow the steps described [here](https://www.rust-lang.org/tools/install)
 to install it on any supported system.
-Be aware that Rust versions shipped with Linux distributions may be outdated, LibAFL always targets the latest `stable` version available via `rustup upgrade`.
+Be aware that Rust versions shipped with Linux distributions may be outdated, LibAFL always targets the latest `stable` version available via `rustup update`.
 
 We suggest installing Clang and LLVM first.

docs/src/introduction.md

@@ -4,10 +4,10 @@ Fuzzers are important tools for security researchers and developers alike.
 A wide range of state-of-the-art tools like [AFL++](https://github.com/AFLplusplus/AFLplusplus), [libFuzzer](https://llvm.org/docs/LibFuzzer.html) or [honggfuzz](https://github.com/google/honggfuzz) are available to users. They do their job in a very effective way, finding thousands of bugs.
 
 From the perspective of a power user, however, these tools are limited.
-Their design does not treat extensibility as a first-class citizen.
+Their designs do not treat extensibility as a first-class citizen.
 Usually, a fuzzer developer can choose to either fork one of these existing tools, or to create a new fuzzer from scratch.
 In any case, researchers end up with tons of fuzzers, all of which are incompatible with each other.
-Their outstanding features can not just be combined for new projects.
+Their outstanding features cannot just be combined for new projects.
 By reinventing the wheel over and over, we may completely miss out on features that are complex to reimplement.
 
 To tackle this issue, we created LibAFL, a library that is _not just another fuzzer_, but a collection of reusable pieces for individual fuzzers.
@@ -24,11 +24,11 @@ Some highlight features currently include:
 This means it does not require a specific OS-dependent runtime to function.
 Define an allocator and a way to map pages, and you are good to inject LibAFL in obscure targets like embedded devices, hypervisors, or maybe even WebAssembly?
 - `adaptable`: Given years of experience fine-tuning *AFLplusplus* and our academic fuzzing background, we could incorporate recent fuzzing trends into LibAFL's design and make it future-proof.
-To give an example, as opposed to old-skool fuzzers, a `BytesInput` is just one of the potential forms of inputs:
+To give an example, as opposed to old-school fuzzers, a `BytesInput` is just one of the potential forms of inputs:
 feel free to use and mutate an Abstract Syntax Tree instead, for structured fuzzing.
 - `scalable`: As part of LibAFL, we developed `Low Level Message Passing`, `LLMP` for short, which allows LibAFL to scale almost linearly over cores. That is, if you chose to use this feature - it is your fuzzer, after all.
 Scaling to multiple machines over TCP is also possible, using LLMP's `broker2broker` feature.
 - `fast`: We do everything we can at compile time so that the runtime overhead is as minimal as it can get.
-- `bring your own target`: We support binary-only modes, like QEMU-Mode and Frida-Mode with ASAN and CmpLog, as well as multiple compilation passes for sourced-based instrumentation.
+- `bring your own target`: We support binary-only modes, like (full-system) QEMU-Mode and Frida-Mode with ASan and CmpLog, as well as multiple compilation passes for sourced-based instrumentation.
 Of course, we also support custom instrumentation, as you can see in the Python example based on Google's Atheris.
 - `usable`: This one is on you to decide. Dig right in!

docs/src/libafl.md

@@ -1,11 +1,11 @@
 # The LibAFL Fuzzing Library
 
- <img align="right" src="https://github.com/AFLplusplus/Website/raw/master/static/logo_256x256.png" alt="AFL++ Logo">
+ <img align="right" src="https://raw.githubusercontent.com/AFLplusplus/Website/main/static/libafl_logo.svg" alt="LibAFL Logo" style="width: 256px; height: auto">
 
 *by Andrea Fioraldi and Dominik Maier*
 
 Welcome to LibAFL, the Advanced Fuzzing Library.
-This book shall be a gentle introduction into the library.
+This book shall be a gentle introduction to the library.
 
 This version of the LibAFL book is coupled with the release 1.0 beta of the library.
 

docs/src/message_passing/configurations.md

@@ -3,7 +3,7 @@
 Configurations for individual fuzzer nodes are relevant for multi node fuzzing.
 The chapter describes how to run nodes with different configurations
 in one fuzzing cluster.
-This allows, for example, a node compiled with ASAN, to know that it needs to rerun new testcases for a node without ASAN, while the same binary/configuration does not.
+This allows, for example, a node compiled with ASan, to know that it needs to rerun new testcases for a node without ASan, while the same binary/configuration does not.
 
 Fuzzers with the same configuration can exchange Observers for new testcases and reuse them without rerunning the input.
 A different configuration indicates, that only the raw input can be exchanged, it must be rerun on the other node to capture relevant observations.

docs/src/message_passing/message_passing.md

@@ -1,8 +1,8 @@
 # Message Passing
 
-LibAFL offers a standard mechanism for message passing over processes and machines with a low overhead.
+LibAFL offers a standard mechanism for message passing between processes and machines with a low overhead.
 We use message passing to inform the other connected clients/fuzzers/nodes about new testcases, metadata, and statistics about the current run.
-Depending on individual needs, LibAFL can also write testcase contents to disk, while still using events to notify other fuzzers, using an `OnDiskCorpus`.
+Depending on individual needs, LibAFL can also write testcase contents to disk, while still using events to notify other fuzzers, using the `CachedOnDiskCorpus` or similar.
 
 In our tests, message passing scales very well to share new testcases and metadata between multiple running fuzzer instances for multi-core fuzzing.
 Specifically, it scales _a lot_ better than using memory locks on a shared corpus, and _a lot_ better than sharing the testcases via the filesystem, as AFL traditionally does.
@@ -12,7 +12,7 @@ The `EventManager` interface is used to send Events over the wire using `Low Lev
 
 ## Low Level Message Passing (LLMP)
 
-LibAFL comes with a reasonably lock-free message passing mechanism that scales well across cores and, using its *broker2broker* mechanism, even to connected machines via TCP.
+LibAFL comes with a reasonably lock-free message passing mechanism that scales well across cores and, using its _broker2broker_ mechanism, even to connected machines via TCP.
 Most example fuzzers use this mechanism, and it is the best `EventManager` if you want to fuzz on more than a single core.
 In the following, we will describe the inner workings of `LLMP`.
 
@@ -28,12 +28,12 @@ Shared maps, called shared memory for the sake of not colliding with Rust's `map
 Each client, usually a fuzzer trying to share stats and new testcases, maps an outgoing `ShMem` map.
 With very few exceptions, only this client writes to this map, therefore, we do not run in race conditions and can live without locks.
 The broker reads from all client's `ShMem` maps.
-It checks all incoming client maps periodically and then forwards new messages to its outgoing broadcast-`ShMem`, mapped by all connected clients.
+It periodically checks all incoming client maps and then forwards new messages to its outgoing broadcast-`ShMem`, mapped by all connected clients.
 
 To send new messages, a client places a new message at the end of their shared memory and then updates a static field to notify the broker.
 Once the outgoing map is full, the sender allocates a new `ShMem` using the respective `ShMemProvider`.
 It then sends the information needed to map the newly-allocated page in connected processes to the old page, using an end of page (`EOP`) message.
-Once the receiver maps the new page, flags it as safe for unmapping from the sending process (to avoid race conditions if we have more than a single EOP in a short time), and then continues to read from the new `ShMem`.
+Once the receiver maps the new page, it flags it as safe for unmapping by the sending process (to avoid race conditions if we have more than a single EOP in a short time), and then continues to read from the new `ShMem`.
 
 The schema for client's maps to the broker is as follows:
 
@@ -54,10 +54,10 @@ After the broker received a new message from clientN, (`clientN_out->current_id
 
 The clients periodically, for example after finishing `n` mutations, check for new incoming messages by checking if (`current_broadcast_map->current_id != last_message->message_id`).
 While the broker uses the same EOP mechanism to map new `ShMem`s for its outgoing map, it never unmaps old pages.
-This additional memory overhead serves a good purpose: by keeping all broadcast pages around, we make sure that new clients can join in on a fuzzing campaign at a later point in time
+This additional memory resources serve a good purpose: by keeping all broadcast pages around, we make sure that new clients can join in on a fuzzing campaign at a later point in time.
 They just need to re-read all broadcasted messages from start to finish.
 
-So the outgoing messages flow like this over the outgoing broadcast `Shmem`:
+So the outgoing messages flow is like this over the outgoing broadcast `Shmem`:
 
 ```text
 [broker]
@@ -72,13 +72,13 @@ So the outgoing messages flow like this over the outgoing broadcast `Shmem`:
 [client0]        [client1]    ...    [clientN]
 ```
 
-To use `LLMP` in LibAFL, you usually want to use an `LlmpEventManager` or its restarting variant.
+To use `LLMP` in LibAFL, you usually want to use an `LlmpRestartingEventManager` or its restarting variant.
 They are the default if using LibAFL's `Launcher`.
 
-If you should want to use `LLMP` in its raw form, without any `LibAFL` abstractions, take a look at the `llmp_test` example in [./libafl/examples](https://github.com/AFLplusplus/LibAFL/blob/main/libafl/examples/llmp_test/main.rs).
+If you should want to use `LLMP` in its raw form, without any `LibAFL` abstractions, take a look at the `llmp_test` example in [./libafl/examples](https://github.com/AFLplusplus/LibAFL/blob/main/libafl_bolts/examples/llmp_test/main.rs).
 You can run the example using `cargo run --example llmp_test` with the appropriate modes, as indicated by its help output.
 First, you will have to create a broker using `LlmpBroker::new()`.
-Then, create some `LlmpClient``s` in other threads and register them with the main thread using `LlmpBroker::register_client`.
+Then, create some `LlmpClient`s in other threads and register them with the main thread using `LlmpBroker::register_client`.
 Finally, call `LlmpBroker::loop_forever()`.
 
 ### B2B: Connecting Fuzzers via TCP

docs/src/message_passing/spawn_instances.md

@@ -4,18 +4,18 @@ Multiple fuzzer instances can be spawned using different ways.
 
 ## Manually, via a TCP port
 
-The straightforward way to do Multi-Threading is to use the `LlmpRestartingEventManager`, specifically to use `setup_restarting_mgr_std`.
-It abstracts away all the pesky details about restarts on crash handling (for in-memory fuzzers) and multi-threading.
+The straightforward way to do Multi-Threading is to use the [`LlmpRestartingEventManager`](https://docs.rs/libafl/latest/libafl/events/llmp/restarting/struct.LlmpRestartingEventManager.html), specifically to use [`setup_restarting_mgr_std`](https://docs.rs/libafl/latest/libafl/events/llmp/restarting/fn.setup_restarting_mgr_std.html).
+It abstracts away all the pesky details about restarts on crash handling (for in-process fuzzers) and multi-threading.
 With it, every instance you launch manually tries to connect to a TCP port on the local machine.
 
-If the port is not yet bound, this instance becomes the broker, itself binding to the port to await new clients.
+If the port is not yet bound, this instance becomes the broker, binding itself to the port to await new clients.
 
 If the port is already bound, the EventManager will try to connect to it.
 The instance becomes a client and can now communicate with all other nodes.
 
-Launching nodes manually has the benefit that you can have multiple nodes with different configurations, such as clients fuzzing with and without ASAN.
+Launching nodes manually has the benefit that you can have multiple nodes with different configurations, such as clients fuzzing with and without `ASan`.
 
-While it's called "restarting" manager, it uses `fork` on Unix operating systems as optimization and only actually restarts from scratch on Windows.
+While it's called "restarting" manager, it uses `fork` on Unix-like operating systems as optimization and only actually restarts from scratch on Windows.
 
 
 ## Automated, with Launcher
@@ -23,7 +23,7 @@ While it's called "restarting" manager, it uses `fork` on Unix operating systems
 The Launcher is the lazy way to do multiprocessing.
 You can use the Launcher builder to create a fuzzer that spawns multiple nodes with one click, all using restarting event managers and the same configuration.
 
-To use launcher, first you need to write an anonymous function `let mut run_client = |state: Option<_>, mut mgr, _core_id|{}`, which uses three parameters to create individual fuzzer. Then you can specify the `shmem_provider`,`broker_port`,`monitor`,`cores` and other stuff through `Launcher::builder()`:
+To use launcher, first you need to write an anonymous function `let mut run_client = |state: Option<_>, mut mgr, _core_id|{}`, which uses three parameters to create an individual fuzzer. Then you can specify the `shmem_provider`,`broker_port`,`monitor`,`cores` and other stuff through `Launcher::builder()`:
 
 ```rust,ignore
     Launcher::builder()
@@ -42,18 +42,22 @@ To use launcher, first you need to write an anonymous function `let mut run_clie
 This first starts a broker, then spawns `n` clients, according to the value passed to `cores`.
 The value is a string indicating the cores to bind to, for example, `0,2,5` or `0-3`.
 For each client, `run_client` will be called.
-On Windows, the Launcher will restart each client, while on Unix, it will use `fork`.
+If the launcher uses `fork`, it will hide child output, unless the settings indicate otherwise, or the `LIBAFL_DEBUG_OUTPUT` env variable is set.
+On Windows, the Launcher will restart each client, while on Unix-alikes, it will use `fork`.
 
 Advanced use-cases:
 
 1. To connect multiple nodes together via TCP, you can use the `remote_broker_addr`. this requires the `llmp_bind_public` compile-time feature for `LibAFL`.
-2. To use multiple launchers for individual configurations, you can set `spawn_broker` to `false` on all but one.
+2. To use multiple launchers for individual configurations, you can set `spawn_broker` to `false` on all instances but one.
 3. Launcher will not select the cores automatically, so you need to specify the `cores` that you want.
+4. On `Unix`, you can chose between a forking and non-forking version of Launcher by setting the `fork` feature in LibAFL. Some targets may not like forking, but it is faster than restarting processes from scratch. Windows will never fork.
+5. For simple debugging, first set the `LIBAFL_DEBUG_OUTPUT` env variable to see if a child process printed anything.
+6. For further debugging of fuzzer failures, it may make sense to replace `Launcher` temporarily with a [`SimpleEventManager`](https://docs.rs/libafl/latest/libafl/events/simple/struct.SimpleEventManager.html#method.new) and call your harness fn (`run_client(None, mgr, 0);`) directly, so that fuzzing runs in the same thread and is easier to debug, before moving back to `Launcher` after the bugfix.
 
 For more examples, you can check out `qemu_launcher` and `libfuzzer_libpng_launcher` in [`./fuzzers/`](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers).
 
 ## Other ways
 
-The `LlmpEventManager` family is the easiest way to spawn instances, but for obscure targets, you may need to come up with other solutions.
+The `LlmpRestartEventManager` is the easiest way to spawn instances, but for obscure targets, you may need to come up with other solutions.
 LLMP is even, in theory, `no_std` compatible, and even completely different EventManagers can be used for message passing.
 If you are in this situation, please either read through the current implementations and/or reach out to us.

docs/src/tutorial/intro.md

@@ -5,4 +5,4 @@
 > This section is under construction.
 > Please check back later (or open a PR)
 >
-> In the meantime, find the final Lain-based fuzzer in [the fuzzers folder](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/tutorial)
+> In the meantime, find the final Lain-based fuzzer in [the fuzzers folder](https://github.com/AFLplusplus/LibAFL/tree/main/fuzzers/baby/tutorial)

docs/src/tutorial/tutorial.md

@@ -2,4 +2,4 @@
 
 In this chapter, we will build a custom fuzzer using the [Lain](https://github.com/microsoft/lain) mutator in Rust.
 
-This tutorial will introduce you in writing extensions to LibAFL like Feedbacks and Testcase's metadata.
+This tutorial will introduce you to writing extensions to LibAFL like Feedbacks and Testcase's metadata.

fuzzers/FRET/.gitignore

@@ -0,0 +1,4 @@
+*.qcow2
+corpus
+*.axf
+demo

fuzzers/FRET/Cargo.toml

@@ -0,0 +1,83 @@
+[package]
+name = "fret"
+version = "0.8.2"
+authors = ["Alwin Berger <alwin.berger@tu-dortmund.de>"]
+edition = "2021"
+
+[features]
+default = ["std", "snapshot_fast", "restarting", "do_hash_notify_state", "do_hash_notify_value", "config_stg", "fuzz_int", "shortcut", "trace_job_response_times", "observe_systemstate_unordered" ]
+std = []
+# Exec environemnt basics
+snapshot_restore = []
+snapshot_fast = [ "snapshot_restore" ]
+singlecore = []
+restarting = ['singlecore']
+run_until_saturation = []
+fuzz_int = []
+shortcut = []
+# information capture
+observe_edges = [] # observe cfg edges
+observe_hitcounts = [ "observe_edges" ] # reduces edge granularity
+observe_systemstate = []
+observe_systemstate_unordered = []
+do_hash_notify_state = []
+do_hash_notify_value = []
+trace_job_response_times = [ "trace_stg" ]
+trace_stg = [ "observe_systemstate" ]
+trace_reads = [ "trace_stg", "trace_job_response_times" ]
+# feedbacks
+feed_stg = [ "trace_stg", "observe_systemstate" ]
+feed_stg_edge = [ "feed_stg"]
+feed_stg_abb_woet = [ "feed_stg"]
+feed_stg_pathhash = [ "feed_stg"]
+feed_stg_abbhash = [ "feed_stg"]
+feed_stg_aggregatehash = [ "feed_stg"]
+feed_job_woet = [ "trace_job_response_times"]
+feed_job_wort = [ "trace_job_response_times"]
+mutate_stg = [ "observe_systemstate", "trace_reads" ]
+feed_longest = [ ]
+feed_afl = [ "observe_edges" ]
+feed_genetic = []
+gensize_1 = [ ]
+gensize_10 = [ ]
+gensize_100 = [ ]
+gensize_1000 = [ ]
+# schedulers
+sched_genetic = []
+sched_afl = []
+sched_stg = []
+sched_stg_edge = ['sched_stg'] # every edge in the stg
+sched_stg_pathhash = ['sched_stg'] # every path in the stg
+sched_stg_abbhash = ['sched_stg'] # every path of abbs
+sched_stg_aggregatehash = ['sched_stg'] # every aggregated path (order independent)
+# overall_configs
+config_genetic = ["feed_genetic","sched_genetic","trace_stg"]
+config_afl = ["feed_afl","sched_afl","trace_stg"]
+config_frafl = ["feed_afl","sched_afl","feed_longest","trace_stg"]
+config_stg = ["feed_stg_aggregatehash","sched_stg_aggregatehash","mutate_stg","feed_job_wort"]
+config_stg_woet = ["feed_stg_aggregatehash","sched_stg_aggregatehash","mutate_stg","feed_job_wort","feed_job_woet","feed_stg_abb_woet"]
+# config_stg_aggregate = ["feed_stg_aggregatehash","sched_stg_aggregatehash","mutate_stg"]
+config_stg_abbpath = ["feed_stg_abbhash","sched_stg_abbhash","mutate_stg"]
+config_stg_edge = ["feed_stg_edge","sched_stg_edge","mutate_stg"]
+
+[profile.release]
+lto = true
+codegen-units = 1
+debug = true
+
+[dependencies]
+libafl = { path = "../../libafl/", features = ["multipart_inputs", "prelude"] }
+libafl_bolts = { path = "../../libafl_bolts/" }
+libafl_targets = { path = "../../libafl_targets/" }
+libafl_qemu = { path = "../../libafl_qemu/", features = ["arm", "systemmode"], default-features = false }
+serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
+serde_json = { version = "1.0", default-features = false, features = ["alloc"] }
+hashbrown =  { version = "0.14.0", features = ["serde"] } # A faster hashmap, nostd compatible
+petgraph = { version="0.6.5", features = ["serde-1"] }
+ron = "0.7" # write serialized data - including hashmaps
+rand = "0.5"
+clap = { version = "4.4.11", features = ["derive"] }
+csv = "1.3.0"
+log = "0.4"
+simple_moving_average = "1.0.2"
+itertools = "0.13.0"

fuzzers/FRET/benchmark/.gitignore

@@ -0,0 +1,16 @@
+*dump
+timedump*
+corpora
+build
+mnt
+.R*
+*.png
+*.pdf
+bins
+.snakemake
+*.zip
+*.tar.*
+*.sqlite
+eval*
+test_*
+bench_*

fuzzers/FRET/benchmark/Makefile

@@ -0,0 +1,57 @@
+TIME=7200
+
+corpora/%/seed:
+	mkdir -p $$(dirname $@)
+	LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
+	export \
+	KERNEL=benchmark/build/$*.elf \
+	FUZZ_MAIN=$$(echo $$LINE | cut -d, -f2) \
+	FUZZ_INPUT=$$(echo $$LINE | cut -d, -f3) \
+	FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
+	BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
+	SEED_DIR=benchmark/corpora/$* \
+	DUMP_SEED=seed; \
+	../fuzzer.sh
+
+timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed
+	mkdir -p $$(dirname $@)
+	LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
+	export \
+	KERNEL=benchmark/build/$*.elf \
+	FUZZ_MAIN=$$(echo $$LINE | cut -d, -f2) \
+	FUZZ_INPUT=$$(echo $$LINE | cut -d, -f3) \
+	FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
+	BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
+	SEED_RANDOM=1 \
+	TIME_DUMP=benchmark/$@ \
+	CASE_DUMP=benchmark/$@; \
+	../fuzzer.sh + + + + + $(TIME) + + + > $@_log
+	#SEED_DIR=benchmark/corpora/$*
+
+all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijkstra$(FUZZ_RANDOM) timedump/sequential/epic$(FUZZ_RANDOM) \
+	timedump/sequential/g723_enc$(FUZZ_RANDOM) timedump/sequential/audiobeam$(FUZZ_RANDOM) \
+	timedump/sequential/gsm_enc$(FUZZ_RANDOM)
+
+all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM)
+
+all_app: timedump/app/lift$(FUZZ_RANDOM)
+
+all_system: timedump/lift$(FUZZ_RANDOM)$(SUFFIX)
+
+all_period: timedump/waters$(FUZZ_RANDOM)$(SUFFIX)
+
+tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM)
+
+graphics:
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential audiobeam
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential dijkstra
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential epic
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential g723_enc
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential gsm_enc
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential huff_dec
+	Rscript --vanilla plot_comparison.r mnt/timedump/sequential mpeg2
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_dec
+	# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_enc
+
+clean:
+	rm -rf corpora timedump

fuzzers/FRET/benchmark/Snakefile

@@ -0,0 +1,309 @@
+import csv
+import os
+envvars:
+    "BENCHDIR"
+def_flags="--release --no-default-features --features std,snapshot_fast,restarting,do_hash_notify_state,do_hash_notify_value,fuzz_int,trace_job_response_times,observe_systemstate_unordered"
+benchdir=os.environ["BENCHDIR"]
+RUNTIME=(3600*24)
+
+rule copy_kernel:
+    input:
+        "build/{target}.elf"
+    output:
+        "{benchdir}/build/{target}.elf"
+    shell:
+        "mkdir -p {benchdir}/build && cp {input} {output}"
+
+rule rebuild_qemu:
+    shell:
+        "unset CUSTOM_QEMU_NO_BUILD CUSTOM_QEMU_NO_CONFIGURE && cargo build"
+
+rule build_default:
+    input:
+        "../Cargo.toml",
+        "../src"
+    output:
+        directory("{benchdir}/bins/target_default")
+    shell:
+        "cargo build --target-dir {output} {def_flags}"
+
+rule build_showmap:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_showmap")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_stg"
+
+rule build_random:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_random")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},feed_longest"
+
+rule build_frafl:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_frafl")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_frafl,feed_longest"
+
+rule build_afl:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_afl")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_afl"
+
+rule build_stg:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_stg")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_stg"
+
+rule build_stgwoet:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_stgwoet")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_stg_woet"
+
+rule build_stg_abbpath:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_stg_abbpath")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_stg_abbpath"
+
+rule build_stg_edge:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_stg_edge")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_stg_edge"
+
+rule build_feedgeneration1:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_feedgeneration1")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},feed_genetic,gensize_1"
+
+rule build_feedgeneration10:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_feedgeneration10")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},feed_genetic,gensize_10"
+
+rule build_feedgeneration100:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_feedgeneration100")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_genetic,gensize_100"
+
+rule build_genetic100:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_genetic100")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_genetic,mutate_stg,gensize_100"
+
+rule build_feedgeneration1000:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_feedgeneration1000")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_genetic,gensize_1000"
+
+rule build_genetic1000:
+    input:
+        "{benchdir}/bins/target_default"
+    output:
+        directory("{benchdir}/bins/target_genetic1000")
+    shell:
+        "cp -r -a --reflink=auto {input} {output} && cargo build --target-dir {output} {def_flags},config_genetic,mutate_stg,gensize_1000"
+
+rule run_bench:
+    input:
+        "{benchdir}/build/{target}.elf",
+        "{benchdir}/bins/target_{fuzzer}"
+    output:
+        multiext("{benchdir}/timedump/{fuzzer}/{target}#{num}", ".time", ".log") # , ".case"
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['\ufeffkernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['\ufeffkernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            select_task=line['select_task']
+            if wildcards.fuzzer.find('random') >= 0:
+                script="""
+                    export RUST_BACKTRACE=1
+                    mkdir -p $(dirname {output[0]})
+                    set +e
+                    echo $(pwd)/{input[1]}/release/fret -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv fuzz --random -t {RUNTIME} -s {wildcards.num}
+                    $(pwd)/{input[1]}/release/fret -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv fuzz --random -t {RUNTIME} -s {wildcards.num} > {output[1]} 2>&1
+                    exit 0
+                    """
+            else:
+                script="""
+                    export RUST_BACKTRACE=1
+                    mkdir -p $(dirname {output[0]})
+                    set +e
+                    echo $(pwd)/{input[1]}/release/fret -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv fuzz -t {RUNTIME} -s {wildcards.num}
+                    $(pwd)/{input[1]}/release/fret -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num} -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv fuzz -t {RUNTIME} -s {wildcards.num} > {output[1]} 2>&1
+                    exit 0
+                    """
+            shell(script)
+
+rule run_showmap:
+    input:
+        "{benchdir}/build/{target}.elf",
+        "{benchdir}/bins/target_showmap",
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}.case"
+    output:
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.trace.ron",
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.time",
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['\ufeffkernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['\ufeffkernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            select_task=line['select_task']
+            script="""
+                export FUZZER=$(pwd)/{input[1]}/release/fret
+                mkdir -p $(dirname {output})
+                set +e
+                echo $FUZZER -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[2]}
+                $FUZZER -n $(pwd)/{benchdir}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[2]}
+                exit 0
+                """
+            if wildcards.fuzzer.find('random') >= 0:
+                script="export FUZZ_RANDOM=1\n"+script
+            shell(script)
+
+rule transform_trace:
+    input:
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.trace.ron",
+    output:
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.jobs.csv",
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.resp.csv",
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.abbs.csv"
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['\ufeffkernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['\ufeffkernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            select_task=line['select_task']
+            script="""
+                echo $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -p {output[2]} -t {select_task}
+                $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -p {output[2]} -t {select_task}
+                """
+            shell(script)
+
+rule trace2gantt:
+    input:
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.jobs.csv",
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.resp.csv"
+    output:
+        "{benchdir}/timedump/{fuzzer}/{target}#{num}_case.jobs.html",
+    shell:
+        "Rscript $(pwd)/../../../../state2gantt/plot_response.r {input[0]} {input[1]} html"
+
+rule quicktest:
+    params:
+        benchdir=benchdir
+    input:
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stg', 'random'], target=['polycopter'], variant=['_seq_dataflow_full'], num=range(0,int( 1 ))),
+
+# main scenarios
+# main competitors: 10
+# frafl: 10
+# random: 5
+
+# low prio scenarios
+# main competitors: 8
+# frafl: 8
+# random: 5
+
+rule set128:
+    params:
+        benchdir=benchdir
+    input:
+        # waters full
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stgwoet'], target=['waters'], variant=['_seq_full', '_seq_unsync_full'], num=range(0,int( 10 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['frafl'], target=['waters'], variant=['_seq_full', '_seq_unsync_full'], num=range(0,int( 10 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['random'], target=['waters'], variant=['_seq_full', '_seq_unsync_full'], num=range(0,int( 5 ))),
+        # release full
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stgwoet'], target=['release'], variant=['_seq_full'], num=range(0,int( 10 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['frafl'], target=['release'], variant=['_seq_full'], num=range(0,int( 10 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['random'], target=['release'], variant=['_seq_full'], num=range(0,int( 5 ))),
+        # release int (low prio)
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stgwoet'], target=['release'], variant=['_seq_int'], num=range(0,int( 5 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['random', 'frafl'], target=['release'], variant=['_seq_int'], num=range(0,int( 5 ))),
+
+rule set48:
+    params:
+        benchdir=benchdir
+    input:
+        # polycopter full
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stgwoet'], target=['polycopter'], variant=['_seq_dataflow_full'], num=range(0,int( 12 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['frafl'], target=['polycopter'], variant=['_seq_dataflow_full'], num=range(0,int( 12 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['random'], target=['polycopter'], variant=['_seq_dataflow_full'], num=range(0,int( 10 ))),
+
+
+rule set64:
+    params:
+        benchdir=benchdir
+    input:
+        # waters int+bytes (low prio)
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['feedgeneration100', 'stgwoet', 'frafl'], target=['waters'], variant=['_seq_int', '_seq_bytes'], num=range(0,int( 8 ))),
+        expand("{benchdir}/timedump/{fuzzer}/{target}{variant}#{num}.time", benchdir=benchdir, fuzzer=['random'], target=['waters'], variant=['_seq_int', '_seq_bytes'], num=range(0,int( 5 ))),
+
+
+rule all_bins:
+    params:
+        benchdir=benchdir
+    input:
+        expand("{benchdir}/bins/target_{target}", benchdir=benchdir, target=['random','frafl','stg','stgwoet','feedgeneration100','genetic100'])
+
+rule clean:
+    shell:
+        "rm -rf {benchdir}/timedump"
+
+rule full_clean:
+    shell:
+        "rm -rf {benchdir}/bins & rm -rf {benchdir}/timedump"

fuzzers/FRET/benchmark/bench_rename.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+export TOPLEVEL="remote/timedump"
+[ -d "$TOPLEVEL/feedgeneration100" ] && mv $TOPLEVEL/feedgeneration100 $TOPLEVEL/evolutionary
+[ -d "$TOPLEVEL/stg" ] && mv $TOPLEVEL/stg $TOPLEVEL/fret
+[ -d "$TOPLEVEL/frafl" ] && mv $TOPLEVEL/frafl $TOPLEVEL/coverage

fuzzers/FRET/benchmark/build_all_bins.sh

@@ -0,0 +1,15 @@
+def_flags="--no-default-features --features std,snapshot_fast,restarting,do_hash_notify_state,trace_job_response_times,fuzz_int"
+set -e
+cargo build --target-dir ./bins/target_showmap ${def_flags},config_stg
+cargo build --target-dir ./bins/target_random ${def_flags},feed_longest
+cargo build --target-dir ./bins/target_frafl ${def_flags},config_frafl,feed_longest
+cargo build --target-dir ./bins/target_afl ${def_flags},config_afl,observe_hitcounts
+cargo build --target-dir ./bins/target_stg ${def_flags},config_stg
+cargo build --target-dir ./bins/target_stgpath ${def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg
+cargo build --target-dir ./bins/target_feedgeneration1 ${def_flags},feed_genetic,gensize_1
+cargo build --target-dir ./bins/target_feedgeneration10 ${def_flags},feed_genetic,gensize_10
+cargo build --target-dir ./bins/target_feedgeneration100 ${def_flags},feed_genetic,gensize_100
+cargo build --target-dir ./bins/target_feedgeneration1000 ${def_flags},feed_genetic,gensize_1000
+cargo build --target-dir ./bins/target_genetic100 ${def_flags},feed_genetic,mutate_stg,gensize_100
+cargo build --target-dir ./bins/target_genetic1000 ${def_flags},feed_genetic,mutate_stg,gensize_1000
+

fuzzers/FRET/benchmark/build_all_demos.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+export INSERT_WC=${2:-0}
+export BUILD_DIR=${1:-build}
+mkdir -p $BUILD_DIR
+
+build () {
+    make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC clean && make -C ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC $1=1 IGNORE_INTERRUPTS=$IGNORE_INTERRUPTS IGNORE_BYTES=$IGNORE_BYTES IGNORE_INTERNAL_STATE=$IGNORE_INTERNAL_STATE INSERT_WC=$INSERT_WC $EXTRA_MAKE_ARGS
+    cp ../../../../FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC/build/RTOSDemo.axf $BUILD_DIR/$(echo $1 | cut -d_ -f1 | tr '[:upper:]' '[:lower:]')$EXTRA_NAME_SUFFIX$2.elf
+}
+
+mkdir -p build
+
+# Sequential inputs!
+export PARTITION_INPUT=0
+unset SPECIAL_CFLAGS
+
+# Baseline
+## Don't keep rng states
+export IGNORE_INTERNAL_STATE=1
+### Only bytes
+export IGNORE_INTERRUPTS=1 IGNORE_BYTES=0 SUFFIX="_seq_bytes"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+### Only interrupts
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=1 SUFFIX="_seq_int"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+### Full
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_seq_full"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+build POLYCOPTER_DEMO $SUFFIX
+
+# Stateful -> presumably bad for us
+## keep rng states
+export IGNORE_INTERNAL_STATE=0
+### Full
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_seq_stateful_full"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+
+# Paritioned inputs
+export PARTITION_INPUT=1
+
+# Alternative input scheme
+## Don't keep rng states
+export IGNORE_INTERNAL_STATE=1
+### Only bytes
+export IGNORE_INTERRUPTS=1 IGNORE_BYTES=0 SUFFIX="_par_bytes"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+### Only interrupts
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=1 SUFFIX="_par_int"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+### Full
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_par_full"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+build POLYCOPTER_DEMO $SUFFIX
+
+# Stateful -> presumably bad for us
+## keep rng states
+export IGNORE_INTERNAL_STATE=0
+### Full
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_par_stateful_full"
+build WATERS_DEMO $SUFFIX
+build RELEASE_DEMO $SUFFIX
+build COPTER_DEMO $SUFFIX
+
+# Stateful -> presumably bad for us
+## keep rng states
+export IGNORE_INTERNAL_STATE=0
+export PARTITION_INPUT=0
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_seq_stateful_full"
+build POLYCOPTER_DEMO $SUFFIX
+
+# stateless + dataflow
+export PARTITION_INPUT=0
+export IGNORE_INTERNAL_STATE=1
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_seq_dataflow_full"
+export SPECIAL_CFLAGS="-DCOPTER_DATAFLOW=1"
+build POLYCOPTER_DEMO $SUFFIX
+unset SPECIAL_CFLAGS
+
+export PARTITION_INPUT=0
+export IGNORE_INTERNAL_STATE=1
+export IGNORE_INTERRUPTS=1 IGNORE_BYTES=0 SUFFIX="_seq_dataflow_bytes"
+export SPECIAL_CFLAGS="-DCOPTER_DATAFLOW=1"
+build POLYCOPTER_DEMO $SUFFIX
+unset SPECIAL_CFLAGS
+
+# stateless + dataflow
+export PARTITION_INPUT=1
+export IGNORE_INTERNAL_STATE=1
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_par_dataflow_full"
+export SPECIAL_CFLAGS="-DCOPTER_DATAFLOW=1"
+build POLYCOPTER_DEMO $SUFFIX
+unset SPECIAL_CFLAGS
+
+
+# special waters with no synchronization
+export PARTITION_INPUT=0
+export IGNORE_INTERNAL_STATE=1
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_seq_unsync_full"
+export SPECIAL_CFLAGS="-DWATERS_UNSYNCHRONIZED=1"
+build WATERS_DEMO $SUFFIX
+unset SPECIAL_CFLAGS
+
+# special generated waters 2015
+export PARTITION_INPUT=0
+export IGNORE_INTERNAL_STATE=1
+export IGNORE_INTERRUPTS=0 IGNORE_BYTES=0 SUFFIX="_par_bytes"
+export EXTRA_MAKE_ARGS="SEED=1"
+export EXTRA_NAME_SUFFIX="1"
+build WATERSGEN_DEMO $SUFFIX
+unset EXTRA_MAKE_ARGS
+unset EXTRA_NAME_SUFFIX

fuzzers/FRET/benchmark/logtail.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+find $1 -type 'f' -iname "${2}#*.log" | while IFS="" read -r p || [ -n "$p" ]
+do
+    LINE=$(tail -n 100 $p | grep -io "run time: .* corpus: [0-9]*" | tail -n 1)
+    echo $p: $LINE
+    LINE=$(grep -i "interesting corpus elements" $p | tail -n 1)
+    echo $p: $LINE
+done

fuzzers/FRET/benchmark/number_cruncher/.gitignore

@@ -0,0 +1 @@
+*.sqlite

fuzzers/FRET/benchmark/number_cruncher/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "number_cruncher"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+clap = { version = "4.5.28", features = ["derive"] }
+itertools = "0.14.0"
+rayon = "1.10.0"
+regex = "1.11.1"
+rusqlite = "0.33.0"

fuzzers/FRET/benchmark/number_cruncher/src/main.rs

@@ -0,0 +1,295 @@
+use clap::parser::ValueSource;
+use clap::Parser;
+use itertools::Group;
+use itertools::Itertools;
+use rayon::iter::ParallelBridge;
+use rayon::prelude::*;
+use rayon::result;
+use std::fs;
+use std::fs::File;
+use std::io::Write;
+use std::io::{self, BufRead, BufReader};
+use std::path::Path;
+use std::path::PathBuf;
+use rusqlite::{params, Connection, Result};
+use std::collections::HashMap;
+
+#[derive(clap::ValueEnum, Clone, PartialEq)]
+enum Endpoint {
+    AllMin,
+    ToolMin,
+    ToolMax,
+    Max
+}
+
+#[derive(Parser)]
+struct Config {
+    /// Input
+    #[arg(short, long, value_name = "DIR")]
+    input: PathBuf,
+
+    /// Output
+    #[arg(short, long, value_name = "FILE", default_value = "out.sqlite")]
+    output: PathBuf,
+
+    /// End each group after the first termination
+    #[arg(short, long, default_value = "max")]
+    end_early: Endpoint,
+}
+fn visit_dirs(
+    dir: &Path,
+    results: &mut Vec<(PathBuf, String, String, String)>,
+) -> std::io::Result<()> {
+    if dir.is_dir() {
+        for entry in fs::read_dir(dir)? {
+            let entry = entry?;
+            let path = entry.path();
+            if path.is_dir() {
+                visit_dirs(&path, results)?;
+            } else if path.extension().and_then(|s| s.to_str()) == Some("time") {
+                if let Some(file_name) = path.file_name().and_then(|s| s.to_str()) {
+                    let re = regex::Regex::new(r".*#[0-9]+\.time$").unwrap();
+                    if re.is_match(file_name) {
+                        if let Some(dir_name) = path
+                            .parent()
+                            .and_then(|p| p.file_name())
+                            .and_then(|s| s.to_str())
+                        {
+                            {
+                                let mut file_stem =
+                                    path.file_stem().unwrap().to_str().unwrap().split("#");
+                                let case_name = file_stem.next().unwrap();
+                                let case_number = file_stem.next().unwrap();
+                                results.push((
+                                    path.clone(),
+                                    dir_name.to_string(),
+                                    case_name.to_string(),
+                                    case_number.to_string(),
+                                ));
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    Ok(())
+}
+
+fn maxpoints_of_file(file_path: &Path) -> io::Result<Vec<(usize, usize)>> {
+    let file = File::open(file_path)?;
+    let reader = BufReader::new(file);
+
+    let mut results = Vec::new();
+    let mut watermark = 0;
+    let mut last_timestamp = 0;
+
+    for line in reader.lines() {
+        let line = line?;
+        let mut parts = line.split(',');
+
+        if let (Some(first_str), Some(second_str)) = (parts.next(), parts.next()) {
+            let first: usize = first_str.trim().parse().unwrap();
+            let second: usize = second_str.trim().parse().unwrap();
+
+            if first > watermark {
+                results.push((first, second));
+                watermark = first;
+            }
+            last_timestamp = second;
+        }
+    }
+    if results.len() > 1 {
+        results[0].1 = 0;
+        results.push((results[results.len() - 1].0, last_timestamp));
+    }
+    if results.len() == 0 {
+        results.push((0, 0));
+        results.push((0, last_timestamp));
+    }
+
+    Ok(results)
+}
+
+fn sample_maxpoints(points: &Vec<(usize, usize)>, samples: &Vec<usize>) -> Vec<(usize, usize)> {
+    let mut todo = samples.iter().peekable();
+    let mut ret = Vec::new();
+    for i in 0..points.len() {
+        if todo.peek().is_none() {
+            // Done
+            break;
+        }
+        while let Some(&&peek) = todo.peek() {
+            if peek >= points[i].1 && (i+1 >= points.len() || peek < points[i+1].1) {
+                // End or inside the interval
+                ret.push((points[i].0, peek));
+                todo.next();
+            } else if peek < points[i].1 {
+                if i == 0 {
+                    // Before the first interval, just take the first
+                    ret.push((points[i].0, peek));
+                    todo.next();
+                } else {
+                    // Already passed
+                    eprintln!("WARNING Skipped: {}", todo.next().unwrap());
+                }
+            } else {
+                // Not yet
+                break;
+            }
+        }
+    }
+    ret
+}
+
+// https://rust-lang-nursery.github.io/rust-cookbook/science/mathematics/statistics.html
+fn mean(data: &[usize]) -> Option<f64> {
+    let sum = data.iter().sum::<usize>() as f64;
+    let count = data.len();
+
+    match count {
+        positive if positive > 0 => Some(sum / count as f64),
+        _ => None,
+    }
+}
+
+fn median(data: &[usize]) -> Option<f64> {
+    let mut data = data.to_vec();
+    data.sort();
+    let size = data.len();
+    if size == 0 {
+        return None;
+    }
+
+    match size {
+        even if even % 2 == 0 => {
+            let fst_med = data[(even / 2) - 1];
+            let snd_med = data[even / 2];
+
+            fst_med.checked_add(snd_med).map(|x| x as f64 / 2.0)
+        },
+        odd => data.get(odd / 2).map(|x| *x as f64)
+    }
+}
+
+// https://rust-lang-nursery.github.io/rust-cookbook/science/mathematics/statistics.html
+fn std_deviation(data: &[usize]) -> Option<f64> {
+    match (mean(data), data.len()) {
+        (Some(data_mean), count) if count > 0 => {
+            let variance = data
+                .iter()
+                .map(|value| {
+                    let diff = data_mean - (*value as f64);
+
+                    diff * diff
+                })
+                .sum::<f64>()
+                / count as f64;
+
+            Some(variance.sqrt())
+        }
+        _ => None,
+    }
+}
+
+fn main() {
+    let conf = Config::parse();
+
+    let mut results = Vec::new();
+
+    if let Err(e) = visit_dirs(&conf.input, &mut results) {
+        eprintln!("Error reading directories: {}", e);
+    }
+
+    println!("Files: {:?}", results);
+    let mut connection = Connection::open(conf.output).unwrap();
+    connection.execute("DROP TABLE IF EXISTS combos", ()).unwrap();
+    connection.execute("CREATE TABLE IF NOT EXISTS combos (casename TEXT, toolname TEXT, fullname TEXT PRIMARY KEY)", ()).unwrap();
+
+    let mut points: Vec<_> = results
+        .par_iter()
+        .map(|(path, fuzzer, case, n)| {
+            (
+                case,
+                fuzzer,
+                n.parse::<usize>().unwrap(),
+                maxpoints_of_file(path).unwrap(),
+            )
+        })
+        .collect();
+    let mut last_common_point = points.iter().map(|x| x.3.last().expect(&format!("Missing maxpoint for {}", x.0)).1).min().unwrap();
+    points.sort_by_key(|x| x.0); // by case for grouping
+    for (case, casegroup) in &points.into_iter().chunk_by(|x| x.0) {
+        let casegroup = casegroup.collect::<Vec<_>>();
+        let last_case_point = casegroup.iter().map(|x| x.3.last().unwrap().1).min().unwrap();
+        println!("Processing case {}: {}", case, casegroup.len());
+        let mut timestamps = Vec::new();
+        for (_, _, _, points) in &casegroup {
+            timestamps.extend(points.iter().map(|(_, t)| *t));
+        }
+        timestamps.sort();
+        if matches!(conf.end_early, Endpoint::AllMin) {
+            // Dont' sample anything after the shortest run
+            timestamps = timestamps.into_iter().filter(|x| x<=&last_common_point).collect();
+        }
+        let least_runtime_per_tool = casegroup.iter().map(|g| (g.1, g.2, g.3.last().unwrap().1)).sorted_by_key(|x| x.0).chunk_by(|x| x.0).into_iter().map(|(tool, toolgroup)| (tool, toolgroup.min_by_key(|y| y.2))).collect::<HashMap<_,_>>();
+        let longest_runtime_per_tool = casegroup.iter().map(|g| (g.1, g.2, g.3.last().unwrap().1)).sorted_by_key(|x| x.0).chunk_by(|x| x.0).into_iter().map(|(tool, toolgroup)| (tool, toolgroup.max_by_key(|y| y.2))).collect::<HashMap<_,_>>();
+        timestamps.dedup();
+        let mut maxpoints_per_tool = casegroup
+            .par_iter()
+            .map(|g| (g.0, g.1, g.2, sample_maxpoints(&g.3, &timestamps)))
+            .collect::<Vec<_>>();
+        maxpoints_per_tool.sort_by_key(|x| x.1); // by tool
+        for (tool, toolgroup) in &maxpoints_per_tool.into_iter().chunk_by(|x| x.1) {
+            let toolgroup = toolgroup.collect::<Vec<_>>();
+            println!("Processing tool {}: {}", tool, toolgroup.len());
+            let mut lowest_common_length = toolgroup
+                .iter()
+                .map(|(_, _, _, points)| points.len())
+                .min()
+                .unwrap();
+            if conf.end_early == Endpoint::ToolMin {
+                lowest_common_length = timestamps.binary_search(&least_runtime_per_tool[tool].unwrap().2).unwrap();
+            }
+            if conf.end_early == Endpoint::ToolMax {
+                lowest_common_length = std::cmp::min(lowest_common_length, timestamps.binary_search(&longest_runtime_per_tool[tool].unwrap().2).unwrap());
+            }
+            let time_min_max_med_mean_sdiv : Vec<(usize,usize,usize,f64,f64,f64)> = (0..lowest_common_length)
+                .into_par_iter()
+                .map(|i| {
+                    let slice = toolgroup.iter().map(|(_, _, _, p)| p[i].0).collect::<Vec<_>>();
+                    assert_eq!(slice.len(), toolgroup.len());
+                    (
+                        toolgroup[0].3[i].1,
+                        *slice.iter().min().unwrap_or(&0),
+                        *slice.iter().max().unwrap_or(&0),
+                        median(&slice).unwrap_or(0.0),
+                        mean(&slice).unwrap_or(0.0),
+                        std_deviation(&slice).unwrap_or(0.0),
+                    )
+                })
+                .collect::<Vec<_>>();
+
+            // Save to db
+            connection.execute("INSERT INTO combos (casename, toolname, fullname) VALUES (?, ?, ?)", (case, tool, format!("{}${}",case, tool))).unwrap();
+            connection.execute(&format!("DROP TABLE IF EXISTS {}${}", case, tool), ()).unwrap();
+            connection.execute(&format!("CREATE TABLE IF NOT EXISTS {}${} (timestamp INTEGER PRIMARY KEY, min INTEGER, max INTEGER, median REAL, mean REAL, sdiv REAL)", case, tool), ()).unwrap();
+
+            // Start a transaction
+            let transaction = connection.transaction().unwrap();
+
+            let mut stmt = transaction.prepare(&format!(
+                "INSERT INTO {}${} (timestamp , min , max , median , mean , sdiv ) VALUES (?, ?, ?, ?, ?, ?)",
+                case, tool
+            )).unwrap();
+
+            for (timestamp, min, max, median, mean, sdiv) in time_min_max_med_mean_sdiv {
+                stmt.execute([(timestamp as i64).to_string(), (min as i64).to_string(), (max as i64).to_string(), median.to_string(), mean.to_string(), sdiv.to_string()]).unwrap();
+            }
+            drop(stmt);
+
+            // Commit the transaction
+            transaction.commit().unwrap();
+        }
+    }
+}

fuzzers/FRET/benchmark/old_plot_all_benchmarks.sh

@@ -0,0 +1,35 @@
+BDIR=remote
+plot () {
+    [ ! -f ../benchmark/$BDIR/${1}${2}_all.png ] && Rscript plot_multi.r $BDIR/timedump ${1}${2} ../benchmark/$BDIR
+}
+
+# Only bytes
+
+export SUFFIX="_seq_bytes"
+
+plot waters $SUFFIX
+#plot release $SUFFIX
+plot copter $SUFFIX
+#plot interact $SUFFIX
+
+# Only interrupts
+
+export SUFFIX="_seq_int"
+
+plot waters $SUFFIX
+plot release $SUFFIX
+plot copter $SUFFIX
+#plot interact $SUFFIX
+
+# Full
+
+export SUFFIX="_seq_full"
+
+plot waters $SUFFIX
+#plot release $SUFFIX
+plot copter $SUFFIX
+#plot interact $SUFFIX
+
+plot copter "_seq_stateless_full"
+
+plot copter "_par_full"

fuzzers/FRET/benchmark/plot_all_benchmarks.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+if [[ -n "$1" ]]; then
+  TARGET="$1"
+else
+  TARGET=$BENCHDIR
+fi
+
+# Check if bench.sqlite needs to be updated
+if [[ ! -f $TARGET/bench.sqlite || $(find $TARGET/timedump -name '.*[0-9]+\.time' -newer $TARGET/bench.sqlite | wc -l) -gt 0 ]]; then
+  number_cruncher/target/debug/number_cruncher -i $TARGET/timedump -o $TARGET/bench.sqlite
+fi
+
+Rscript plot_sqlite.r $TARGET/bench.sqlite $TARGET

fuzzers/FRET/benchmark/plot_all_icounttrace.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+./sem.sh /tmp/plot reset 20
+declare -a PLOTS
+COUNT=0
+while IFS="" read -r p || [ -n "$p" ];
+do
+    if [[ -z "$p" ]]; then
+        continue
+    fi
+    PLOTS[$COUNT]="$p"
+    COUNT=$((COUNT+1))
+    ../../../../state2gantt/driver_sem.sh $p &
+done < <(find $BENCHDIR/timedump -maxdepth 2 -type 'f' -iregex '.*icounttrace.ron$')

fuzzers/FRET/benchmark/plot_all_stgsizes.sh

@@ -0,0 +1,33 @@
+get_max_nodecount () {
+    rm -f sizecomp && for sizefile in $BENCHDIR/timedump/**/$1*.stgsize;do echo "$(tail -n 1 $sizefile),${sizefile}" >> sizecomp; done; sort -n sizecomp | tail -n 1
+}
+
+get_largest_files () {
+    T=$(get_max_nodecount $1)
+    echo $T | cut -d',' -f6
+}
+
+perform () {
+    T=$(get_max_nodecount $1)
+    echo $T | cut -d',' -f6
+    echo $T | cut -d',' -f6 | xargs -I {} ./plot_stgsize.r {}
+    mv "$(echo $T | cut -d',' -f6 | xargs -I {} basename -s .stgsize {})_nodes.png" $1_nodes.png
+}
+
+# perform copter
+# perform release
+# perform waters
+A=$(get_largest_files polycopter_seq_dataflow_full) 
+B=$(get_largest_files release_seq_full) 
+C=$(get_largest_files waters_seq_full) 
+# A_="$(echo $A | sed 's/polycopter_seq_dataflow_full/UAV w. hid. com./')"
+# B_="$(echo $B | sed 's/release_seq_full/Async. rel./')"
+# C_="$(echo $C | sed 's/waters_seq_full/Waters ind. ch./')"
+A_="UAV"
+B_="Async. rel."
+C_="Waters ind. ch."
+echo $A_ $B_ $C_
+cp $A "$A_"
+cp $B "$B_"
+cp $C "$C_"
+./plot_stgsize_multi.r "$A_" "$B_" "$C_"