Diffstat (limited to 'sapi')
151 files changed, 1209 insertions, 47 deletions
diff --git a/sapi/apache2handler/config.m4 b/sapi/apache2handler/config.m4 index 55c16179b8..67c6d9beea 100644 --- a/sapi/apache2handler/config.m4 +++ b/sapi/apache2handler/config.m4 @@ -67,20 +67,20 @@ if test "$PHP_APXS2" != "no"; then if test -z `$APXS -q SYSCONFDIR`; then INSTALL_IT="\$(mkinstalldirs) '$APXS_LIBEXECDIR' && \ $APXS -S LIBEXECDIR='$APXS_LIBEXECDIR' \ - -i -n php7" + -i -n php" else APXS_SYSCONFDIR='$(INSTALL_ROOT)'`$APXS -q SYSCONFDIR` INSTALL_IT="\$(mkinstalldirs) '$APXS_LIBEXECDIR' && \ \$(mkinstalldirs) '$APXS_SYSCONFDIR' && \ $APXS -S LIBEXECDIR='$APXS_LIBEXECDIR' \ -S SYSCONFDIR='$APXS_SYSCONFDIR' \ - -i -a -n php7" + -i -a -n php" fi case $host_alias in *aix*) EXTRA_LDFLAGS="$EXTRA_LDFLAGS -Wl,-brtl -Wl,-bI:$APXS_LIBEXECDIR/httpd.exp" - PHP_SELECT_SAPI(apache2handler, shared, mod_php7.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) + PHP_SELECT_SAPI(apache2handler, shared, mod_php.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) INSTALL_IT="$INSTALL_IT $SAPI_LIBTOOL" ;; *darwin*) @@ -95,12 +95,12 @@ if test "$PHP_APXS2" != "no"; then fi MH_BUNDLE_FLAGS="-bundle -bundle_loader $APXS_HTTPD $MH_BUNDLE_FLAGS" PHP_SUBST(MH_BUNDLE_FLAGS) - PHP_SELECT_SAPI(apache2handler, bundle, mod_php7.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) - SAPI_SHARED=libs/libphp7.so + PHP_SELECT_SAPI(apache2handler, bundle, mod_php.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) + SAPI_SHARED=libs/libphp.so INSTALL_IT="$INSTALL_IT $SAPI_SHARED" ;; *) - PHP_SELECT_SAPI(apache2handler, shared, mod_php7.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) + PHP_SELECT_SAPI(apache2handler, shared, mod_php.c sapi_apache2.c apache_config.c php_functions.c, $APACHE_CFLAGS) INSTALL_IT="$INSTALL_IT $SAPI_LIBTOOL" ;; esac diff --git a/sapi/apache2handler/config.w32 b/sapi/apache2handler/config.w32 index 45d6353d28..12dd50332a 100644 --- a/sapi/apache2handler/config.w32 
+++ b/sapi/apache2handler/config.w32 @@ -10,7 +10,7 @@ if (PHP_APACHE2HANDLER != "no") { CHECK_LIB("libapr.lib", "apache2handler", PHP_PHP_BUILD + "\\lib\\apache2") && CHECK_LIB("libaprutil.lib", "apache2handler", PHP_PHP_BUILD + "\\lib\\apache2") ) { - SAPI('apache2handler', 'mod_php7.c sapi_apache2.c apache_config.c php_functions.c', + SAPI('apache2handler', 'mod_php.c sapi_apache2.c apache_config.c php_functions.c', 'php' + PHP_VERSION + 'apache2.dll', '/D PHP_APACHE2_EXPORTS /I win32 /DZEND_ENABLE_STATIC_TSRMLS_CACHE=1'); } else { @@ -28,7 +28,7 @@ if (PHP_APACHE2_2HANDLER != "no") { CHECK_LIB("libapr-1.lib", "apache2_2handler", PHP_PHP_BUILD + "\\lib\\apache2_2") && CHECK_LIB("libaprutil-1.lib", "apache2_2handler", PHP_PHP_BUILD + "\\lib\\apache2_2") ) { - SAPI('apache2_2handler', 'mod_php7.c sapi_apache2.c apache_config.c php_functions.c', + SAPI('apache2_2handler', 'mod_php.c sapi_apache2.c apache_config.c php_functions.c', 'php' + PHP_VERSION + 'apache2_2.dll', '/D PHP_APACHE2_EXPORTS /I win32 /DZEND_ENABLE_STATIC_TSRMLS_CACHE=1', 'sapi\\apache2_2handler'); @@ -46,7 +46,7 @@ if (PHP_APACHE2_4HANDLER != "no") { CHECK_LIB("libapr-1.lib", "apache2_4handler", PHP_PHP_BUILD + "\\lib\\apache2_4") && CHECK_LIB("libaprutil-1.lib", "apache2_4handler", PHP_PHP_BUILD + "\\lib\\apache2_4") ) { - SAPI('apache2_4handler', 'mod_php7.c sapi_apache2.c apache_config.c php_functions.c', + SAPI('apache2_4handler', 'mod_php.c sapi_apache2.c apache_config.c php_functions.c', 'php' + PHP_VERSION + 'apache2_4.dll', '/D PHP_APACHE2_EXPORTS /I win32 /DZEND_ENABLE_STATIC_TSRMLS_CACHE=1', 'sapi\\apache2handler'); diff --git a/sapi/apache2handler/mod_php7.c b/sapi/apache2handler/mod_php.c index 6c44dbaa2c..a740271e94 100644 --- a/sapi/apache2handler/mod_php7.c +++ b/sapi/apache2handler/mod_php.c 
@@ -23,7 +23,7 @@ #include "php.h" #include "php_apache.h" -AP_MODULE_DECLARE_DATA module php7_module = { +AP_MODULE_DECLARE_DATA module php_module = { STANDARD20_MODULE_STUFF, create_php_config, /* create per-directory config structure */ merge_php_config, /* merge per-directory config structures */ diff --git a/sapi/apache2handler/php.sym b/sapi/apache2handler/php.sym index 1469b0314d..571f27e01c 100644 --- a/sapi/apache2handler/php.sym +++ b/sapi/apache2handler/php.sym @@ -1 +1 @@ -php7_module +php_module diff --git a/sapi/apache2handler/php_apache.h b/sapi/apache2handler/php_apache.h index 423ada1f9b..c80e124ea0 100644 --- a/sapi/apache2handler/php_apache.h +++ b/sapi/apache2handler/php_apache.h @@ -29,11 +29,11 @@ /* Enable per-module logging in Apache 2.4+ */ #ifdef APLOG_USE_MODULE -APLOG_USE_MODULE(php7); +APLOG_USE_MODULE(php); #endif /* Declare this so we can get to it from outside the sapi_apache2.c file */ -extern module AP_MODULE_DECLARE_DATA php7_module; +extern module AP_MODULE_DECLARE_DATA php_module; /* A way to specify the location of the php.ini dir in an apache directive */ extern char *apache2_php_ini_path_override; diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c index 1cc5670eaa..af2826b911 100644 --- a/sapi/apache2handler/sapi_apache2.c +++ b/sapi/apache2handler/sapi_apache2.c @@ -55,7 +55,7 @@ #define PHP_MAGIC_TYPE "application/x-httpd-php" #define PHP_SOURCE_MAGIC_TYPE "application/x-httpd-php-source" -#define PHP_SCRIPT "php7-script" +#define PHP_SCRIPT "php-script" /* A way to specify the location of the php.ini dir in an apache directive */ char *apache2_php_ini_path_override = NULL; 
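Review bot: The `#define PHP_SCRIPT "php-script"` change in the sapi_apache2.c hunk, together with `php_module` in mod_php.c/php.sym and `APLOG_USE_MODULE(php)` in php_apache.h, renames strings that live in users' httpd.conf, so a deployed `LoadModule php7_module ...` or `SetHandler php7-script` stops working after the upgrade. Nothing in this sapi diff records that; presumably an UPGRADING entry exists outside the diffstat, but if not, one naming both the module symbol and the handler string is needed. A comment next to the define would also stop the next rename from being done casually, e.g. `/* Handler name used by SetHandler/AddHandler in httpd.conf; was "php7-script" before PHP 8 */`.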
@@ -551,7 +551,7 @@ typedef struct { HashTable config; } php_conf_rec; zend_string *str; - php_conf_rec *c = ap_get_module_config(r->per_dir_config, &php7_module); + php_conf_rec *c = ap_get_module_config(r->per_dir_config, &php_module); ZEND_HASH_FOREACH_STR_KEY(&c->config, str) { zend_restore_ini_entry(str, ZEND_INI_STAGE_SHUTDOWN); @@ -582,7 +582,7 @@ static int php_handler(request_rec *r) #define PHPAP_INI_OFF php_apache_ini_dtor(r, parent_req); - conf = ap_get_module_config(r->per_dir_config, &php7_module); + conf = ap_get_module_config(r->per_dir_config, &php_module); /* apply_config() needs r in some cases, so allocate server_context early */ ctx = SG(server_context); diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c index a305c36ade..a426220ed6 100644 --- a/sapi/cli/php_cli.c +++ b/sapi/cli/php_cli.c @@ -1073,7 +1073,7 @@ static int do_cli(int argc, char **argv) /* {{{ */ memset(&execute_data, 0, sizeof(zend_execute_data)); EG(current_execute_data) = &execute_data; - zend_call_method_with_1_params(&ref, pce, &pce->constructor, "__construct", NULL, &arg); + zend_call_method_with_1_params(Z_OBJ(ref), pce, &pce->constructor, "__construct", NULL, &arg); if (EG(exception)) { zval tmp, *msg, rv; diff --git a/sapi/cli/tests/006.phpt b/sapi/cli/tests/006.phpt index 54d1a96a88..4311d9b259 100644 --- a/sapi/cli/tests/006.phpt +++ b/sapi/cli/tests/006.phpt 
@@ -68,21 +68,21 @@ string(%d) "Extension [ <persistent> extension #%d pcre version %s ] { Function [ <internal:pcre> function preg_match ] { - Parameters [5] { - Parameter #0 [ <required> $pattern ] - Parameter #1 [ <required> $subject ] + Parameter #0 [ <required> string $pattern ] + Parameter #1 [ <required> string $subject ] Parameter #2 [ <optional> &$subpatterns ] - Parameter #3 [ <optional> $flags ] - Parameter #4 [ <optional> $offset ] + Parameter #3 [ <optional> int $flags ] + Parameter #4 [ <optional> int $offset ] } } Function [ <internal:pcre> function preg_match_all ] { - Parameters [5] { - Parameter #0 [ <required> $pattern ] - Parameter #1 [ <required> $subject ] + Parameter #0 [ <required> string $pattern ] + Parameter #1 [ <required> string $subject ] Parameter #2 [ <optional> &$subpatterns ] - Parameter #3 [ <optional> $flags ] - Parameter #4 [ <optional> $offset ] + Parameter #3 [ <optional> int $flags ] + Parameter #4 [ <optional> int $offset ] } } Function [ <internal:pcre> function preg_replace ] { @@ -91,7 +91,7 @@ string(%d) "Extension [ <persistent> extension #%d pcre version %s ] { Parameter #0 [ <required> $regex ] Parameter #1 [ <required> $replace ] Parameter #2 [ <required> $subject ] - Parameter #3 [ <optional> $limit ] + Parameter #3 [ <optional> int $limit ] Parameter #4 [ <optional> &$count ] } } 
@@ -101,19 +101,19 @@ string(%d) "Extension [ <persistent> extension #%d pcre version %s ] { Parameter #0 [ <required> $regex ] Parameter #1 [ <required> $callback ] Parameter #2 [ <required> $subject ] - Parameter #3 [ <optional> $limit ] + Parameter #3 [ <optional> int $limit ] Parameter #4 [ <optional> &$count ] - Parameter #5 [ <optional> $flags ] + Parameter #5 [ <optional> int $flags ] } } Function [ <internal:pcre> function preg_replace_callback_array ] { - Parameters [5] { - Parameter #0 [ <required> $pattern ] + Parameter #0 [ <required> array $pattern ] Parameter #1 [ <required> $subject ] - Parameter #2 [ <optional> $limit ] + Parameter #2 [ <optional> int $limit ] Parameter #3 [ <optional> &$count ] - Parameter #4 [ <optional> $flags ] + Parameter #4 [ <optional> int $flags ] } } Function [ <internal:pcre> function preg_filter ] { 
@@ -122,38 +122,40 @@ string(%d) "Extension [ <persistent> extension #%d pcre version %s ] { Parameter #0 [ <required> $regex ] Parameter #1 [ <required> $replace ] Parameter #2 [ <required> $subject ] - Parameter #3 [ <optional> $limit ] + Parameter #3 [ <optional> int $limit ] Parameter #4 [ <optional> &$count ] } } Function [ <internal:pcre> function preg_split ] { - Parameters [4] { - Parameter #0 [ <required> $pattern ] - Parameter #1 [ <required> $subject ] - Parameter #2 [ <optional> $limit ] - Parameter #3 [ <optional> $flags ] + Parameter #0 [ <required> string $pattern ] + Parameter #1 [ <required> string $subject ] + Parameter #2 [ <optional> int $limit ] + Parameter #3 [ <optional> int $flags ] } } Function [ <internal:pcre> function preg_quote ] { - Parameters [2] { - Parameter #0 [ <required> $str ] - Parameter #1 [ <optional> $delim_char ] + Parameter #0 [ <required> string $str ] + Parameter #1 [ <optional> ?string $delim_char ] } + - Return [ string ] } Function [ <internal:pcre> function preg_grep ] { - Parameters [3] { - Parameter #0 [ <required> $regex ] - Parameter #1 [ <required> $input ] - Parameter #2 [ <optional> $flags ] + Parameter #0 [ <required> string $regex ] + Parameter #1 [ <required> array $input ] + Parameter #2 [ <optional> int $flags ] } } Function [ <internal:pcre> function preg_last_error ] { - Parameters [0] { } + - Return [ int ] } } } diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 9916b8bf7c..2d18b8f41c 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -244,7 +244,7 @@ static inline size_t sapi_cgibin_single_write(const char *str, uint32_t str_leng { ssize_t ret; - /* sapi has started which means everyhting must be send through fcgi */ + /* sapi has started which means everything must be send through fcgi */ if (fpm_is_running) { fcgi_request *request = (fcgi_request*) SG(server_context); ret = fcgi_write(request, FCGI_STDOUT, str, str_length); 
diff --git a/sapi/fpm/tests/response.inc b/sapi/fpm/tests/response.inc index 54f85bcfb6..d6ee6c7afb 100644 --- a/sapi/fpm/tests/response.inc +++ b/sapi/fpm/tests/response.inc @@ -174,7 +174,7 @@ class Response { // check default headers return ( - $this->checkHeader('X-Powered-By', '|^PHP/7|', true) && + $this->checkHeader('X-Powered-By', '|^PHP/8|', true) && $this->checkHeader('Content-type', '|^' . $contentType . '(;\s?charset=\w+)?|', true) ); } diff --git a/sapi/fpm/www.conf.in b/sapi/fpm/www.conf.in index a6b6b8ec41..02b1d6e530 100644 --- a/sapi/fpm/www.conf.in +++ b/sapi/fpm/www.conf.in @@ -366,7 +366,7 @@ pm.max_spare_servers = 3 ; Redirect worker stdout and stderr into main error log. If not set, stdout and ; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page +; Note: on highloaded environment, this can cause some delay in the page ; process time (several ms). ; Default Value: no ;catch_workers_output = yes diff --git a/sapi/fuzzer/Makefile.frag b/sapi/fuzzer/Makefile.frag new file mode 100644 index 0000000000..57952a8ff4 --- /dev/null +++ b/sapi/fuzzer/Makefile.frag 
@@ -0,0 +1,18 @@
+fuzzer: $(PHP_FUZZER_BINARIES)
+
+FUZZER_BUILD = $(LIBTOOL) --mode=link $(FUZZING_CC) -export-dynamic $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS_PROGRAM) $(LDFLAGS) $(PHP_RPATHS) $(PHP_GLOBAL_OBJS) $(PHP_BINARY_OBJS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(FUZZING_LIB) -rpath /ORIGIN/lib
+
+$(SAPI_FUZZER_PATH)/php-fuzz-parser: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_PARSER_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_PARSER_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-unserialize: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_UNSERIALIZE_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_UNSERIALIZE_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-json: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_JSON_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_JSON_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-exif: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_EXIF_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_EXIF_OBJS) -o $@
+
+$(SAPI_FUZZER_PATH)/php-fuzz-mbstring: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS) $(PHP_FUZZER_MBSTRING_OBJS)
+	$(FUZZER_BUILD) $(PHP_FUZZER_MBSTRING_OBJS) -o $@
diff --git a/sapi/fuzzer/README.md b/sapi/fuzzer/README.md
new file mode 100644
index 0000000000..c753c23c30
--- /dev/null
+++ b/sapi/fuzzer/README.md
@@ -0,0 +1,66 @@
+Fuzzing SAPI for PHP
+--------------------
+
+The following `./configure` options can be used to enable the fuzzing SAPI, as well as all availablefuzzers. If you don't build the exif/json/mbstring extensions, fuzzers for these extensions will not be built.
+
+```sh
+./configure \
+    --enable-fuzzer \
+    --with-pic \
+    --enable-debug-assertions \
+    --enable-exif \
+    --enable-json \
+    --enable-mbstring
+```
+
+The `--with-pic` option is required to avoid a linking failure. The `--enable-debug-assertions` option can be used to enable debug assertions despite the use of a release build.
+
+You will need a recent version of clang that supports the `-fsanitize=fuzzer-no-link` option.
+
+When running `make` it creates these binaries in `sapi/fuzzer/`:
+
+* `php-fuzz-parser`: Fuzzing language parser and compiler
+* `php-fuzz-unserialize`: Fuzzing unserialize() function
+* `php-fuzz-json`: Fuzzing JSON parser (requires --enable-json)
+* `php-fuzz-exif`: Fuzzing `exif_read_data()` function (requires --enable-exif)
+* `php-fuzz-mbstring`: fuzzing `mb_ereg[i]()` (requires --enable-mbstring)
+
+Some fuzzers have a seed corpus in `sapi/fuzzer/corpus`. You can use it as follows:
+
+```sh
+cp -r sapi/fuzzer/corpus/exif ./my-exif-corpus
+sapi/fuzzer/php-fuzz-exif ./my-exif-corpus
+```
+
+For the unserialize fuzzer, a dictionary of internal classes should be generated first:
+
+```sh
+sapi/cli/php sapi/fuzzer/generate_unserialize_dict.php
+cp -r sapi/fuzzer/corpus/unserialize ./my-unserialize-corpus
+sapi/fuzzer/php-fuzz-unserialize -dict=$PWD/sapi/fuzzer/dict/unserialize ./my-unserialize-corpus
+```
+
+For the parser fuzzer, a corpus may be generated from Zend test files:
+
+```sh
+sapi/cli/php sapi/fuzzer/generate_parser_corpus.php
+mkdir ./my-parser-corpus
+sapi/fuzzer/php-fuzz-parser -merge=1 ./my-parser-corpus sapi/fuzzer/corpus/parser
+sapi/fuzzer/php-fuzz-parser -only_ascii=1 ./my-parser-corpus
+```
+
+For the mbstring fuzzer, you may want to build the libonig dependency with instrumentation. At this time, libonig is not clean under ubsan, so only the fuzzer and address sanitizers may be used.
+
+```sh
+git clone https://github.com/kkos/oniguruma.git
+pushd oniguruma
+autoreconf -vfi
+./configure CC=clang CFLAGS="-fsanitize=fuzzer-no-link,address -O2 -g"
+make
+popd
+
+export ONIG_CFLAGS="-I$PWD/oniguruma/src"
+export ONIG_LIBS="-L$PWD/oniguruma/src/.libs -l:libonig.a"
+```
+
+This will link an instrumented libonig statically into the PHP binary.
diff --git a/sapi/fuzzer/config.m4 b/sapi/fuzzer/config.m4
new file mode 100644
index 0000000000..bf08123bfb
--- /dev/null
+++ b/sapi/fuzzer/config.m4
@@ -0,0 +1,76 @@
+AC_MSG_CHECKING(for clang fuzzer SAPI)
+
+PHP_ARG_ENABLE([fuzzer],,
+  [AS_HELP_STRING([--enable-fuzzer],
+    [Build PHP as clang fuzzing test module (for developers)])],
+  [no])
+
+dnl For newer clang versions see https://llvm.org/docs/LibFuzzer.html#fuzzer-usage
+dnl for relevant flags.
+
+dnl Macro to define fuzzing target
+dnl PHP_FUZZER_TARGET(name, target-var)
+dnl
+AC_DEFUN([PHP_FUZZER_TARGET], [
+  PHP_FUZZER_BINARIES="$PHP_FUZZER_BINARIES $SAPI_FUZZER_PATH/php-fuzz-$1"
+  PHP_SUBST($2)
+  PHP_ADD_SOURCES_X([sapi/fuzzer],[fuzzer-$1.c],[],$2)
+  $2="[$]$2 $FUZZER_COMMON_OBJS"
+])
+
+if test "$PHP_FUZZER" != "no"; then
+  AC_MSG_RESULT([yes])
+  PHP_REQUIRE_CXX()
+  PHP_ADD_MAKEFILE_FRAGMENT($abs_srcdir/sapi/fuzzer/Makefile.frag)
+  SAPI_FUZZER_PATH=sapi/fuzzer
+  PHP_SUBST(SAPI_FUZZER_PATH)
+  if test -z "$LIB_FUZZING_ENGINE"; then
+    FUZZING_LIB="-fsanitize=fuzzer"
+    FUZZING_CC="$CC"
+    dnl Don't include -fundefined in CXXFLAGS, because that would also require linking
+    dnl with a C++ compiler.
+    AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer-no-link], [
+      CFLAGS="$CFLAGS -fsanitize=fuzzer-no-link,address"
+      dnl Disable object-size sanitizer, because it is incompatible with our zend_function
+      dnl union, and this can't be easily fixed.
+      dnl We need to specify -fno-sanitize-recover=undefined here, otherwise ubsan warnings
+      dnl will not be considered failures by the fuzzer.
+      CFLAGS="$CFLAGS -fsanitize=undefined -fno-sanitize=object-size -fno-sanitize-recover=undefined"
+      CXXFLAGS="$CXXFLAGS -fsanitize=fuzzer-no-link,address"
+    ],[
+      AC_MSG_ERROR(Compiler doesn't support -fsanitize=fuzzer-no-link)
+    ])
+  else
+    FUZZING_LIB="-lFuzzingEngine"
+    FUZZING_CC="$CXX -stdlib=libc++"
+  fi
+  PHP_SUBST(FUZZING_LIB)
+  PHP_SUBST(FUZZING_CC)
+
+  dnl PHP_SELECT_SAPI(fuzzer-parser, program, $FUZZER_SOURCES, , '$(SAPI_FUZZER_PATH)')
+
+  PHP_ADD_BUILD_DIR([sapi/fuzzer])
+  PHP_FUZZER_BINARIES=""
+  PHP_BINARIES="$PHP_BINARIES fuzzer"
+  PHP_INSTALLED_SAPIS="$PHP_INSTALLED_SAPIS fuzzer"
+
+  PHP_ADD_SOURCES_X([sapi/fuzzer], [fuzzer-sapi.c], [], FUZZER_COMMON_OBJS)
+
+  PHP_FUZZER_TARGET([parser], PHP_FUZZER_PARSER_OBJS)
+  PHP_FUZZER_TARGET([unserialize], PHP_FUZZER_UNSERIALIZE_OBJS)
+
+  dnl json extension is enabled by default
+  if (test -n "$enable_json" && test "$enable_json" != "no") || test -z "$PHP_ENABLE_ALL"; then
+    PHP_FUZZER_TARGET([json], PHP_FUZZER_JSON_OBJS)
+  fi
+  if test -n "$enable_exif" && test "$enable_exif" != "no"; then
+    PHP_FUZZER_TARGET([exif], PHP_FUZZER_EXIF_OBJS)
+  fi
+  if test -n "$enable_mbstring" && test "$enable_mbstring" != "no"; then
+    PHP_FUZZER_TARGET([mbstring], PHP_FUZZER_MBSTRING_OBJS)
+  fi
+
+  PHP_SUBST(PHP_FUZZER_BINARIES)
+fi
+
+AC_MSG_RESULT($PHP_FUZZER)
diff --git a/sapi/fuzzer/corpus/exif/bug34704.jpg b/sapi/fuzzer/corpus/exif/bug34704.jpg
Binary files differ
new file mode 100644
index 0000000000..42b14c1908
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug34704.jpg
diff --git a/sapi/fuzzer/corpus/exif/bug34704_2.jpg b/sapi/fuzzer/corpus/exif/bug34704_2.jpg
Binary files differ
new file mode 100644
index 0000000000..42b14c1908
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug34704_2.jpg
diff --git a/sapi/fuzzer/corpus/exif/bug48378.jpeg b/sapi/fuzzer/corpus/exif/bug48378.jpeg
Binary files differ
new file mode 100644
index 0000000000..759d805709
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug48378.jpeg
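Review bot: The json condition `if (test -n "$enable_json" && test "$enable_json" != "no") || test -z "$PHP_ENABLE_ALL"; then` registers the json fuzzer target even when the user passed `--disable-json`, because `test -z "$PHP_ENABLE_ALL"` is true whenever `--enable-all` is absent, regardless of `$enable_json`, and the target would then be linked against an extension that is not built. If the comment above it is right that json is enabled by default, `if test "$enable_json" != "no"; then` covers both the default and the explicit-disable case; I have not verified how PHP_ENABLE_ALL interacts with `enable_json` in the rest of configure, so that should be checked before simplifying. Separately, the comment `dnl Don't include -fundefined in CXXFLAGS` names a flag that appears nowhere in the file; the flag that is actually left out of CXXFLAGS a few lines down is `-fsanitize=undefined`, so the comment should name that one.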
diff --git a/sapi/fuzzer/corpus/exif/bug54002_1.jpeg b/sapi/fuzzer/corpus/exif/bug54002_1.jpeg
Binary files differ
new file mode 100644
index 0000000000..a622d6d213
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug54002_1.jpeg
diff --git a/sapi/fuzzer/corpus/exif/bug54002_2.jpeg b/sapi/fuzzer/corpus/exif/bug54002_2.jpeg
Binary files differ
new file mode 100644
index 0000000000..a622d6d213
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug54002_2.jpeg
diff --git a/sapi/fuzzer/corpus/exif/bug62523_1.jpg b/sapi/fuzzer/corpus/exif/bug62523_1.jpg
new file mode 100644
index 0000000000..9a63d1e84d
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug62523_1.jpg
@@ -0,0 +1,9 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>301 Moved Permanently</title>
+</head><body>
+<h1>Moved Permanently</h1>
+<p>The document has moved <a href="http://www.getid3.org/temp/62523.jpg">here</a>.</p>
+<hr>
+<address>Apache Server at getid3.org Port 80</address>
+</body></html>
diff --git a/sapi/fuzzer/corpus/exif/bug62523_3.jpg b/sapi/fuzzer/corpus/exif/bug62523_3.jpg
new file mode 100644
index 0000000000..3ee91368ce
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/bug62523_3.jpg
@@ -0,0 +1,12 @@
+<html>
+ <head><title>Found</title></head>
+ <body>
+ <h1>Found</h1>
+ <p>The resource was found at <a href="http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg">http://dl.dropboxusercontent.com/u/7562584/Bugs/Php/bad_exif.jpeg</a>;
+you should be redirected automatically.
+
+<!-- --></p>
+ <hr noshade>
+ <div align="right">WSGI Server</div>
+ </body>
+</html>
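Review bot: bug62523_1.jpg and bug62523_3.jpg are not JPEG data: both hunks add the HTML body of an HTTP redirect page (a 301 from getid3.org in the first, a "Found" page pointing at a Dropbox URL in this one), which looks like what a download of the original bug attachments returned instead of the image. As exif seeds they only exercise the not-an-image path and bring two third-party URLs into the tree; either drop them or replace them with the real images from the bug report if those can still be obtained. The remaining seed files in this section are binary and cannot be checked from the diff.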
diff --git a/sapi/fuzzer/corpus/exif/bug68113.jpg b/sapi/fuzzer/corpus/exif/bug68113.jpg Binary files differnew file mode 100644 index 0000000000..3ce7a620fb --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug68113.jpg diff --git a/sapi/fuzzer/corpus/exif/bug68113_2.jpg b/sapi/fuzzer/corpus/exif/bug68113_2.jpg Binary files differnew file mode 100644 index 0000000000..3ce7a620fb --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug68113_2.jpg diff --git a/sapi/fuzzer/corpus/exif/bug68799.jpg b/sapi/fuzzer/corpus/exif/bug68799.jpg Binary files differnew file mode 100644 index 0000000000..acc326dbbf --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug68799.jpg diff --git a/sapi/fuzzer/corpus/exif/bug72094_1.jpg b/sapi/fuzzer/corpus/exif/bug72094_1.jpg Binary files differnew file mode 100644 index 0000000000..d21382b44b --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72094_1.jpg diff --git a/sapi/fuzzer/corpus/exif/bug72094_2.jpg b/sapi/fuzzer/corpus/exif/bug72094_2.jpg Binary files differnew file mode 100644 index 0000000000..ec414ce02b --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72094_2.jpg diff --git a/sapi/fuzzer/corpus/exif/bug72094_3.jpg b/sapi/fuzzer/corpus/exif/bug72094_3.jpg Binary files differnew file mode 100644 index 0000000000..8b05314b67 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72094_3.jpg diff --git a/sapi/fuzzer/corpus/exif/bug72094_4.jpg b/sapi/fuzzer/corpus/exif/bug72094_4.jpg Binary files differnew file mode 100644 index 0000000000..ca6d453c2c --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72094_4.jpg diff --git a/sapi/fuzzer/corpus/exif/bug72603.jpeg b/sapi/fuzzer/corpus/exif/bug72603.jpeg Binary files differnew file mode 100644 index 0000000000..1764c805fb --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72603.jpeg diff --git a/sapi/fuzzer/corpus/exif/bug72618.jpg b/sapi/fuzzer/corpus/exif/bug72618.jpg Binary files differnew file mode 100644 index 0000000000..0a61ae2e02 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72618.jpg 
diff --git a/sapi/fuzzer/corpus/exif/bug72627.tiff b/sapi/fuzzer/corpus/exif/bug72627.tiff Binary files differnew file mode 100644 index 0000000000..229190a604 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug72627.tiff diff --git a/sapi/fuzzer/corpus/exif/bug73737.tiff b/sapi/fuzzer/corpus/exif/bug73737.tiff Binary files differnew file mode 100644 index 0000000000..2cb036fc47 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug73737.tiff diff --git a/sapi/fuzzer/corpus/exif/bug76130_1.jpg b/sapi/fuzzer/corpus/exif/bug76130_1.jpg Binary files differnew file mode 100644 index 0000000000..e063e46d22 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug76130_1.jpg diff --git a/sapi/fuzzer/corpus/exif/bug76130_2.jpg b/sapi/fuzzer/corpus/exif/bug76130_2.jpg Binary files differnew file mode 100644 index 0000000000..a9e79dca5c --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug76130_2.jpg diff --git a/sapi/fuzzer/corpus/exif/bug76423.jpg b/sapi/fuzzer/corpus/exif/bug76423.jpg Binary files differnew file mode 100644 index 0000000000..08fe2bbc57 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug76423.jpg diff --git a/sapi/fuzzer/corpus/exif/bug76557.jpg b/sapi/fuzzer/corpus/exif/bug76557.jpg Binary files differnew file mode 100644 index 0000000000..d678f07c0f --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug76557.jpg diff --git a/sapi/fuzzer/corpus/exif/bug77540.jpg b/sapi/fuzzer/corpus/exif/bug77540.jpg Binary files differnew file mode 100644 index 0000000000..559022db0e --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77540.jpg diff --git a/sapi/fuzzer/corpus/exif/bug77563.jpg b/sapi/fuzzer/corpus/exif/bug77563.jpg Binary files differnew file mode 100644 index 0000000000..d6280151f0 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77563.jpg diff --git a/sapi/fuzzer/corpus/exif/bug77753.tiff b/sapi/fuzzer/corpus/exif/bug77753.tiff Binary files differnew file mode 100644 index 0000000000..b237f39e2b --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77753.tiff 
diff --git a/sapi/fuzzer/corpus/exif/bug77831.tiff b/sapi/fuzzer/corpus/exif/bug77831.tiff Binary files differnew file mode 100644 index 0000000000..c7e9f4472b --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77831.tiff diff --git a/sapi/fuzzer/corpus/exif/bug77950.tiff b/sapi/fuzzer/corpus/exif/bug77950.tiff Binary files differnew file mode 100644 index 0000000000..5c8250ab04 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77950.tiff diff --git a/sapi/fuzzer/corpus/exif/bug77988.jpg b/sapi/fuzzer/corpus/exif/bug77988.jpg Binary files differnew file mode 100644 index 0000000000..120ff8565a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/bug77988.jpg diff --git a/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg b/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg Binary files differnew file mode 100644 index 0000000000..55138abe55 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/exif_encoding_crash.jpg diff --git a/sapi/fuzzer/corpus/exif/image007.jpg b/sapi/fuzzer/corpus/exif/image007.jpg Binary files differnew file mode 100644 index 0000000000..852654075a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image007.jpg diff --git a/sapi/fuzzer/corpus/exif/image008.jpg b/sapi/fuzzer/corpus/exif/image008.jpg Binary files differnew file mode 100644 index 0000000000..3e8bfe4512 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image008.jpg diff --git a/sapi/fuzzer/corpus/exif/image009.jpg b/sapi/fuzzer/corpus/exif/image009.jpg Binary files differnew file mode 100644 index 0000000000..8803ddccd4 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image009.jpg diff --git a/sapi/fuzzer/corpus/exif/image010.jpg b/sapi/fuzzer/corpus/exif/image010.jpg Binary files differnew file mode 100644 index 0000000000..31ed6d678d --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image010.jpg diff --git a/sapi/fuzzer/corpus/exif/image011.jpg b/sapi/fuzzer/corpus/exif/image011.jpg Binary files differnew file mode 100644 index 0000000000..fcd5783ec7 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image011.jpg 
diff --git a/sapi/fuzzer/corpus/exif/image012.jpg b/sapi/fuzzer/corpus/exif/image012.jpg Binary files differnew file mode 100644 index 0000000000..dd25e06181 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image012.jpg diff --git a/sapi/fuzzer/corpus/exif/image013.jpg b/sapi/fuzzer/corpus/exif/image013.jpg Binary files differnew file mode 100644 index 0000000000..93ded26667 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image013.jpg diff --git a/sapi/fuzzer/corpus/exif/image014.jpg b/sapi/fuzzer/corpus/exif/image014.jpg Binary files differnew file mode 100644 index 0000000000..7657a0a4c7 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image014.jpg diff --git a/sapi/fuzzer/corpus/exif/image015.jpg b/sapi/fuzzer/corpus/exif/image015.jpg Binary files differnew file mode 100644 index 0000000000..6f52dec4d7 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image015.jpg diff --git a/sapi/fuzzer/corpus/exif/image016.tiff b/sapi/fuzzer/corpus/exif/image016.tiff Binary files differnew file mode 100644 index 0000000000..1712113933 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image016.tiff diff --git a/sapi/fuzzer/corpus/exif/image017.tiff b/sapi/fuzzer/corpus/exif/image017.tiff Binary files differnew file mode 100644 index 0000000000..89800d8796 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image017.tiff diff --git a/sapi/fuzzer/corpus/exif/image018.tiff b/sapi/fuzzer/corpus/exif/image018.tiff Binary files differnew file mode 100644 index 0000000000..6b4492f7cd --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image018.tiff diff --git a/sapi/fuzzer/corpus/exif/image020.tiff b/sapi/fuzzer/corpus/exif/image020.tiff Binary files differnew file mode 100644 index 0000000000..87f187821a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image020.tiff diff --git a/sapi/fuzzer/corpus/exif/image021.tiff b/sapi/fuzzer/corpus/exif/image021.tiff Binary files differnew file mode 100644 index 0000000000..190f30b93a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image021.tiff 
diff --git a/sapi/fuzzer/corpus/exif/image022.tiff b/sapi/fuzzer/corpus/exif/image022.tiff Binary files differnew file mode 100644 index 0000000000..88f4373341 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image022.tiff diff --git a/sapi/fuzzer/corpus/exif/image023.tiff b/sapi/fuzzer/corpus/exif/image023.tiff Binary files differnew file mode 100644 index 0000000000..dc33f6ed90 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image023.tiff diff --git a/sapi/fuzzer/corpus/exif/image024.jpg b/sapi/fuzzer/corpus/exif/image024.jpg Binary files differnew file mode 100644 index 0000000000..0b5a42e894 --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image024.jpg diff --git a/sapi/fuzzer/corpus/exif/image025.jpg b/sapi/fuzzer/corpus/exif/image025.jpg Binary files differnew file mode 100644 index 0000000000..a5c0e17c7a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image025.jpg diff --git a/sapi/fuzzer/corpus/exif/image026.tiff b/sapi/fuzzer/corpus/exif/image026.tiff Binary files differnew file mode 100644 index 0000000000..8fdafc738f --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image026.tiff diff --git a/sapi/fuzzer/corpus/exif/image027.tiff b/sapi/fuzzer/corpus/exif/image027.tiff Binary files differnew file mode 100644 index 0000000000..7c3a37a90a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/image027.tiff diff --git a/sapi/fuzzer/corpus/exif/test1.jpg b/sapi/fuzzer/corpus/exif/test1.jpg Binary files differnew file mode 100644 index 0000000000..121decb65a --- /dev/null +++ b/sapi/fuzzer/corpus/exif/test1.jpg diff --git a/sapi/fuzzer/corpus/exif/test2.jpg b/sapi/fuzzer/corpus/exif/test2.jpg Binary files differnew file mode 100644 index 0000000000..f60ecded6f --- /dev/null +++ b/sapi/fuzzer/corpus/exif/test2.jpg diff --git a/sapi/fuzzer/corpus/exif/test22.jpg b/sapi/fuzzer/corpus/exif/test22.jpg Binary files differnew file mode 100644 index 0000000000..f60ecded6f --- /dev/null +++ b/sapi/fuzzer/corpus/exif/test22.jpg 
diff --git a/sapi/fuzzer/corpus/exif/test3.jpg b/sapi/fuzzer/corpus/exif/test3.jpg
Binary files differ
new file mode 100644
index 0000000000..7547a16630
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/test3.jpg
diff --git a/sapi/fuzzer/corpus/exif/test4.jpg b/sapi/fuzzer/corpus/exif/test4.jpg
Binary files differ
new file mode 100644
index 0000000000..8a23a7b658
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/test4.jpg
diff --git a/sapi/fuzzer/corpus/exif/test5.jpg b/sapi/fuzzer/corpus/exif/test5.jpg
Binary files differ
new file mode 100644
index 0000000000..d03cac18a3
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/test5.jpg
diff --git a/sapi/fuzzer/corpus/exif/test6.jpg b/sapi/fuzzer/corpus/exif/test6.jpg
Binary files differ
new file mode 100644
index 0000000000..073cefdfe0
--- /dev/null
+++ b/sapi/fuzzer/corpus/exif/test6.jpg
diff --git a/sapi/fuzzer/corpus/json/1.json b/sapi/fuzzer/corpus/json/1.json
new file mode 100644
index 0000000000..8161287aab
--- /dev/null
+++ b/sapi/fuzzer/corpus/json/1.json
@@ -0,0 +1 @@
+{"prop":{"prop":null}}
diff --git a/sapi/fuzzer/corpus/json/10.json b/sapi/fuzzer/corpus/json/10.json
new file mode 100644
index 0000000000..59483c2539
--- /dev/null
+++ b/sapi/fuzzer/corpus/json/10.json
@@ -0,0 +1 @@
+{"a":100.1,"b":"foo"}
diff --git a/sapi/fuzzer/corpus/json/11.json b/sapi/fuzzer/corpus/json/11.json
new file mode 100644
index 0000000000..e3907a414c
--- /dev/null
+++ b/sapi/fuzzer/corpus/json/11.json
@@ -0,0 +1 @@
+[100.1,"bar"]
diff --git a/sapi/fuzzer/corpus/json/12.json b/sapi/fuzzer/corpus/json/12.json
new file mode 100644
index 0000000000..222a6678f9
--- /dev/null
+++ b/sapi/fuzzer/corpus/json/12.json
@@ -0,0 +1,2 @@
+{"0":0,"\u0000ab":1,"1":"\u0000null-prefixed value"}
+
diff --git a/sapi/fuzzer/corpus/json/13.json b/sapi/fuzzer/corpus/json/13.json
new file mode 100644
index 0000000000..b9c504cdbe
--- /dev/null
+++ b/sapi/fuzzer/corpus/json/13.json
@@ -0,0 +1 @@
+{ "test": { "foo": "bar" } }
diff --git a/sapi/fuzzer/corpus/json/14.json b/sapi/fuzzer/corpus/json/14.json new file mode 100644 index 0000000000..0014681471 --- /dev/null +++ b/sapi/fuzzer/corpus/json/14.json @@ -0,0 +1,2 @@ +"aa\udbff\udffdzz" + diff --git a/sapi/fuzzer/corpus/json/15.json b/sapi/fuzzer/corpus/json/15.json new file mode 100644 index 0000000000..92591f81a3 --- /dev/null +++ b/sapi/fuzzer/corpus/json/15.json @@ -0,0 +1 @@ +"latin 1234 -\/ russian мама мыла раму specialchars \u0002 \b \n U+1D11E >𝄞<" diff --git a/sapi/fuzzer/corpus/json/16.json b/sapi/fuzzer/corpus/json/16.json new file mode 100644 index 0000000000..2129292029 --- /dev/null +++ b/sapi/fuzzer/corpus/json/16.json @@ -0,0 +1 @@ +{"test":"123343e871700"} diff --git a/sapi/fuzzer/corpus/json/17.json b/sapi/fuzzer/corpus/json/17.json new file mode 100644 index 0000000000..4e4676b299 --- /dev/null +++ b/sapi/fuzzer/corpus/json/17.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]] 
diff --git a/sapi/fuzzer/corpus/json/18.json b/sapi/fuzzer/corpus/json/18.json new file mode 100644 index 0000000000..81873afdec --- /dev/null +++ b/sapi/fuzzer/corpus/json/18.json @@ -0,0 +1 @@ +{"myInt":99,"myFloat":123.45,"myNull":null,"myBool":true,"myString":"Hello World"} diff --git a/sapi/fuzzer/corpus/json/19.json b/sapi/fuzzer/corpus/json/19.json new file mode 100644 index 0000000000..cc33c95a71 --- /dev/null +++ b/sapi/fuzzer/corpus/json/19.json @@ -0,0 +1 @@ +"\u65e5\u672c\u8a9e\u30c6\u30ad\u30b9\u30c8\u3067\u3059\u300201234\uff15\uff16\uff17\uff18\uff19\u3002" diff --git a/sapi/fuzzer/corpus/json/2.json b/sapi/fuzzer/corpus/json/2.json new file mode 100644 index 0000000000..3a9a9722e2 --- /dev/null +++ b/sapi/fuzzer/corpus/json/2.json @@ -0,0 +1 @@ +{"largenum":123456789012345678901234567890} diff --git a/sapi/fuzzer/corpus/json/3.json b/sapi/fuzzer/corpus/json/3.json new file mode 100644 index 0000000000..b004f2079d --- /dev/null +++ b/sapi/fuzzer/corpus/json/3.json @@ -0,0 +1 @@ +["<foo>","'bar'","\"baz\"","&blong&"] diff --git a/sapi/fuzzer/corpus/json/4.json b/sapi/fuzzer/corpus/json/4.json new file mode 100644 index 0000000000..8e73a26dab --- /dev/null +++ b/sapi/fuzzer/corpus/json/4.json @@ -0,0 +1 @@ +["\u003Cfoo\u003E","\u0027bar\u0027","\u0022baz\u0022","\u0026blong\u0026"] diff --git a/sapi/fuzzer/corpus/json/5.json b/sapi/fuzzer/corpus/json/5.json new file mode 100644 index 0000000000..5c7912450d --- /dev/null +++ b/sapi/fuzzer/corpus/json/5.json @@ -0,0 +1,5 @@ +[ +{"":"value"}, +{"":"value", "key":"value"}, +{"key":"value", "":"value"} +] diff --git a/sapi/fuzzer/corpus/json/6.json b/sapi/fuzzer/corpus/json/6.json new file mode 100644 index 0000000000..2d852843f1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/6.json @@ -0,0 +1 @@ +[123,13452345,123.13452345] diff --git a/sapi/fuzzer/corpus/json/7.json b/sapi/fuzzer/corpus/json/7.json new file mode 100644 index 0000000000..6e74debaf0 --- /dev/null +++ b/sapi/fuzzer/corpus/json/7.json 
@@ -0,0 +1,2 @@ +["\ud834\udd00"] + diff --git a/sapi/fuzzer/corpus/json/8.json b/sapi/fuzzer/corpus/json/8.json new file mode 100644 index 0000000000..7ea60c3af9 --- /dev/null +++ b/sapi/fuzzer/corpus/json/8.json @@ -0,0 +1 @@ +{"zero": 0e0} diff --git a/sapi/fuzzer/corpus/json/9.json b/sapi/fuzzer/corpus/json/9.json new file mode 100644 index 0000000000..49e7327986 --- /dev/null +++ b/sapi/fuzzer/corpus/json/9.json @@ -0,0 +1 @@ +[null,null,"abc"] diff --git a/sapi/fuzzer/corpus/json/fail1.json b/sapi/fuzzer/corpus/json/fail1.json new file mode 100644 index 0000000000..6216b865f1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail1.json @@ -0,0 +1 @@ +"A JSON payload should be an object or array, not a string."
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail10.json b/sapi/fuzzer/corpus/json/fail10.json new file mode 100644 index 0000000000..5d8c0047bd --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail10.json @@ -0,0 +1 @@ +{"Extra value after close": true} "misplaced quoted value"
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail11.json b/sapi/fuzzer/corpus/json/fail11.json new file mode 100644 index 0000000000..76eb95b458 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail11.json @@ -0,0 +1 @@ +{"Illegal expression": 1 + 2}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail12.json b/sapi/fuzzer/corpus/json/fail12.json new file mode 100644 index 0000000000..77580a4522 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail12.json @@ -0,0 +1 @@ +{"Illegal invocation": alert()}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail13.json b/sapi/fuzzer/corpus/json/fail13.json new file mode 100644 index 0000000000..379406b59b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail13.json @@ -0,0 +1 @@ +{"Numbers cannot have leading zeroes": 013}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail14.json b/sapi/fuzzer/corpus/json/fail14.json new file mode 100644 index 0000000000..0ed366b38a --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail14.json @@ -0,0 +1 @@ +{"Numbers cannot be hex": 0x14}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail15.json b/sapi/fuzzer/corpus/json/fail15.json new file mode 100644 index 0000000000..fc8376b605 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail15.json @@ -0,0 +1 @@ +["Illegal backslash escape: \x15"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail16.json b/sapi/fuzzer/corpus/json/fail16.json new file mode 100644 index 0000000000..3fe21d4b53 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail16.json @@ -0,0 +1 @@ +[\naked]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail17.json b/sapi/fuzzer/corpus/json/fail17.json new file mode 100644 index 0000000000..62b9214aed --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail17.json @@ -0,0 +1 @@ +["Illegal backslash escape: \017"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail18.json b/sapi/fuzzer/corpus/json/fail18.json new file mode 100644 index 0000000000..edac92716f --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail18.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[[["Too deep"]]]]]]]]]]]]]]]]]]]]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail19.json b/sapi/fuzzer/corpus/json/fail19.json new file mode 100644 index 0000000000..3b9c46fa9a --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail19.json @@ -0,0 +1 @@ +{"Missing colon" null}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail2.json b/sapi/fuzzer/corpus/json/fail2.json new file mode 100644 index 0000000000..6b7c11e5a5 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail2.json @@ -0,0 +1 @@ +["Unclosed array"
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail20.json b/sapi/fuzzer/corpus/json/fail20.json new file mode 100644 index 0000000000..27c1af3e72 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail20.json @@ -0,0 +1 @@ +{"Double colon":: null}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail21.json b/sapi/fuzzer/corpus/json/fail21.json new file mode 100644 index 0000000000..62474573b2 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail21.json @@ -0,0 +1 @@ +{"Comma instead of colon", null}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail22.json b/sapi/fuzzer/corpus/json/fail22.json new file mode 100644 index 0000000000..a7752581bc --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail22.json @@ -0,0 +1 @@ +["Colon instead of comma": false]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail23.json b/sapi/fuzzer/corpus/json/fail23.json new file mode 100644 index 0000000000..494add1ca1 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail23.json @@ -0,0 +1 @@ +["Bad value", truth]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail24.json b/sapi/fuzzer/corpus/json/fail24.json new file mode 100644 index 0000000000..caff239bfc --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail24.json @@ -0,0 +1 @@ +['single quote']
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail25.json b/sapi/fuzzer/corpus/json/fail25.json new file mode 100644 index 0000000000..8b7ad23e01 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail25.json @@ -0,0 +1 @@ +[" tab character in string "]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail26.json b/sapi/fuzzer/corpus/json/fail26.json new file mode 100644 index 0000000000..845d26a6a5 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail26.json @@ -0,0 +1 @@ +["tab\ character\ in\ string\ "]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail27.json b/sapi/fuzzer/corpus/json/fail27.json new file mode 100644 index 0000000000..6b01a2ca4a --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail27.json @@ -0,0 +1,2 @@ +["line +break"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail28.json b/sapi/fuzzer/corpus/json/fail28.json new file mode 100644 index 0000000000..621a0101c6 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail28.json @@ -0,0 +1,2 @@ +["line\ +break"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail29.json b/sapi/fuzzer/corpus/json/fail29.json new file mode 100644 index 0000000000..47ec421bb6 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail29.json @@ -0,0 +1 @@ +[0e]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail3.json b/sapi/fuzzer/corpus/json/fail3.json new file mode 100644 index 0000000000..168c81eb78 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail3.json @@ -0,0 +1 @@ +{unquoted_key: "keys must be quoted"}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail30.json b/sapi/fuzzer/corpus/json/fail30.json new file mode 100644 index 0000000000..8ab0bc4b8b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail30.json @@ -0,0 +1 @@ +[0e+]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail31.json b/sapi/fuzzer/corpus/json/fail31.json new file mode 100644 index 0000000000..1cce602b51 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail31.json @@ -0,0 +1 @@ +[0e+-1]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail32.json b/sapi/fuzzer/corpus/json/fail32.json new file mode 100644 index 0000000000..45cba7396f --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail32.json @@ -0,0 +1 @@ +{"Comma instead if closing brace": true,
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail33.json b/sapi/fuzzer/corpus/json/fail33.json new file mode 100644 index 0000000000..ca5eb19dc9 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail33.json @@ -0,0 +1 @@ +["mismatch"}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail4.json b/sapi/fuzzer/corpus/json/fail4.json new file mode 100644 index 0000000000..9de168bf34 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail4.json @@ -0,0 +1 @@ +["extra comma",]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail5.json b/sapi/fuzzer/corpus/json/fail5.json new file mode 100644 index 0000000000..ddf3ce3d24 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail5.json @@ -0,0 +1 @@ +["double extra comma",,]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail6.json b/sapi/fuzzer/corpus/json/fail6.json new file mode 100644 index 0000000000..ed91580e1b --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail6.json @@ -0,0 +1 @@ +[ , "<-- missing value"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail7.json b/sapi/fuzzer/corpus/json/fail7.json new file mode 100644 index 0000000000..8a96af3e4e --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail7.json @@ -0,0 +1 @@ +["Comma after the close"],
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail8.json b/sapi/fuzzer/corpus/json/fail8.json new file mode 100644 index 0000000000..b28479c6ec --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail8.json @@ -0,0 +1 @@ +["Extra close"]]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/fail9.json b/sapi/fuzzer/corpus/json/fail9.json new file mode 100644 index 0000000000..5815574f36 --- /dev/null +++ b/sapi/fuzzer/corpus/json/fail9.json @@ -0,0 +1 @@ +{"Extra comma": true,}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass1.json b/sapi/fuzzer/corpus/json/pass1.json new file mode 100644 index 0000000000..70e2685436 --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass1.json @@ -0,0 +1,58 @@ +[ + "JSON Test Pattern pass1", + {"object with 1 member":["array with 1 element"]}, + {}, + [], + -42, + true, + false, + null, + { + "integer": 1234567890, + "real": -9876.543210, + "e": 0.123456789e-12, + "E": 1.234567890E+34, + "": 23456789012E66, + "zero": 0, + "one": 1, + "space": " ", + "quote": "\"", + "backslash": "\\", + "controls": "\b\f\n\r\t", + "slash": "/ & \/", + "alpha": "abcdefghijklmnopqrstuvwyz", + "ALPHA": "ABCDEFGHIJKLMNOPQRSTUVWYZ", + "digit": "0123456789", + "0123456789": "digit", + "special": "`1~!@#$%^&*()_+-={':[,]}|;.</>?", + "hex": "\u0123\u4567\u89AB\uCDEF\uabcd\uef4A", + "true": true, + "false": false, + "null": null, + "array":[ ], + "object":{ }, + "address": "50 St. James Street", + "url": "http://www.JSON.org/", + "comment": "// /* <!-- --", + "# -- --> */": " ", + " s p a c e d " :[1,2 , 3 + +, + +4 , 5 , 6 ,7 ],"compact":[1,2,3,4,5,6,7], + "jsontext": "{\"object with 1 member\":[\"array with 1 element\"]}", + "quotes": "" \u0022 %22 0x22 034 "", + "\/\\\"\uCAFE\uBABE\uAB98\uFCDE\ubcda\uef4A\b\f\n\r\t`1~!@#$%^&*()_+-=[]{}|;:',./<>?" +: "A key can be any string" + }, + 0.5 ,98.6 +, +99.44 +, + +1066, +1e1, +0.1e1, +1e-1, +1e00,2e+00,2e-00 +,"rosebud"]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass2.json b/sapi/fuzzer/corpus/json/pass2.json new file mode 100644 index 0000000000..d3c63c7ad8 --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass2.json @@ -0,0 +1 @@ +[[[[[[[[[[[[[[[[[[["Not too deep"]]]]]]]]]]]]]]]]]]]
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/json/pass3.json b/sapi/fuzzer/corpus/json/pass3.json new file mode 100644 index 0000000000..4528d51f1a --- /dev/null +++ b/sapi/fuzzer/corpus/json/pass3.json @@ -0,0 +1,6 @@ +{ + "JSON Test Pattern pass3": { + "The outermost value": "must be an object or array.", + "In this test": "It is an object." + } +} diff --git a/sapi/fuzzer/corpus/unserialize/__serialize_007 b/sapi/fuzzer/corpus/unserialize/__serialize_007 new file mode 100644 index 0000000000..6709aca303 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/__serialize_007 @@ -0,0 +1 @@ +O:13:"ArrayIterator":2:{i:0;i:0;s:1:"x";R:2;} diff --git a/sapi/fuzzer/corpus/unserialize/bug7131 b/sapi/fuzzer/corpus/unserialize/bug7131 new file mode 100644 index 0000000000..1ba49d8da1 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug7131 @@ -0,0 +1 @@ +C:11:"ArrayObject":11:{x:i:0;r:3;X}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/unserialize/bug71313 b/sapi/fuzzer/corpus/unserialize/bug71313 new file mode 100644 index 0000000000..4163b0350a --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug71313 @@ -0,0 +1 @@ +C:16:"SplObjectStorage":113:{x:i:2;O:8:"stdClass":0:{},a:2:{s:4:"prev";i:2;s:4:"next";O:8:"stdClass":0:{}};r:7;,R:2;s:4:"next";;r:3;};m:a:0:{}}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/unserialize/bug73144_1 b/sapi/fuzzer/corpus/unserialize/bug73144_1 new file mode 100644 index 0000000000..0d6d600520 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug73144_1 @@ -0,0 +1 @@ +a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:{x:i:0;r} diff --git a/sapi/fuzzer/corpus/unserialize/bug73144_2 b/sapi/fuzzer/corpus/unserialize/bug73144_2 new file mode 100644 index 0000000000..d1145066c5 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug73144_2 @@ -0,0 +1 @@ +C:11:"ArrayObject":34:{x:i:1;O:8:"stdClass":1:{};m:a:0:{}}
\ No newline at end of file diff --git a/sapi/fuzzer/corpus/unserialize/bug73825 b/sapi/fuzzer/corpus/unserialize/bug73825 new file mode 100644 index 0000000000..dc9b0e4334 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug73825 @@ -0,0 +1 @@ +O:8:"00000000": diff --git a/sapi/fuzzer/corpus/unserialize/bug74101 b/sapi/fuzzer/corpus/unserialize/bug74101 new file mode 100644 index 0000000000..b8d2fd2308 --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug74101 @@ -0,0 +1 @@ +O:9:"Exception":799999999999999999999999999997:0i:0;a:0:{}i:2;i:0;i:0;R:2; diff --git a/sapi/fuzzer/corpus/unserialize/bug74103 b/sapi/fuzzer/corpus/unserialize/bug74103 new file mode 100644 index 0000000000..ab2f70239c --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug74103 @@ -0,0 +1 @@ +a:7:{i:0;i:04;s:1:"a";i:2;i:9617006;i:4;s:1:"a";i:4;s:1:"a";R:5;s:1:"7";R:3;s:1:"a";R:5;;s:18;}} diff --git a/sapi/fuzzer/corpus/unserialize/bug74111 b/sapi/fuzzer/corpus/unserialize/bug74111 new file mode 100644 index 0000000000..c1196ee7de --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug74111 @@ -0,0 +1 @@ +O:8:"stdClass":00000000 diff --git a/sapi/fuzzer/corpus/unserialize/bug74614 b/sapi/fuzzer/corpus/unserialize/bug74614 new file mode 100644 index 0000000000..c7174893fe --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug74614 @@ -0,0 +1 @@ +a:3020000000000000000000000000000001:{i:0;a:0:{}i:1;i:2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;i:8;i:8;R:2;} diff --git a/sapi/fuzzer/corpus/unserialize/bug75054 b/sapi/fuzzer/corpus/unserialize/bug75054 new file mode 100644 index 0000000000..866e5b8fca --- /dev/null +++ b/sapi/fuzzer/corpus/unserialize/bug75054 @@ -0,0 +1 @@ +a:9:{i:0;s:4:"0000";i:0;s:4:"0000";i:0;R:2;s:4:"5003";R:2;s:4:"0000";R:2;s:4:"0000";R:2;s:4:"000";R:2;s:4:"0000";d:0;s:4:"0000";a:9:{s:4:"0000";
\ No newline at end of file diff --git a/sapi/fuzzer/dict/parser b/sapi/fuzzer/dict/parser new file mode 100644 index 0000000000..8b382afac9 --- /dev/null +++ b/sapi/fuzzer/dict/parser @@ -0,0 +1,85 @@ +"exit" +"die" +"fn" +"function" +"const" +"return" +"yield" +"yield from" +"try" +"catch" +"finally" +"throw" +"if" +"elseif" +"endif" +"else" +"while" +"endwhile" +"do" +"for" +"endfor" +"foreach" +"endforeach" +"declare" +"enddeclare" +"instanceof" +"as" +"switch" +"endswitch" +"case" +"default" +"break" +"continue" +"goto" +"echo" +"print" +"class" +"interface" +"trait" +"extends" +"implements" +"new" +"clone" +"var" +"int" +"integer" +"float" +"double" +"real" +"string" +"binary" +"array" +"object" +"bool" +"boolean" +"unset" +"eval" +"include" +"include_once" +"require" +"require_once" +"namespace" +"use" +"insteadof" +"global" +"isset" +"empty" +"__halt_compiler" +"static" +"abstract" +"final" +"private" +"protected" +"public" +"unset" +"list" +"callable" +"__class__" +"__trait__" +"__function__" +"__method__" +"__line__" +"__file__" +"__dir__" +"__namespace__" diff --git a/sapi/fuzzer/fuzzer-exif.c b/sapi/fuzzer/fuzzer-exif.c new file mode 100644 index 0000000000..5217ebf14d --- /dev/null +++ b/sapi/fuzzer/fuzzer-exif.c 
@@ -0,0 +1,69 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+#include "ext/standard/php_var.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "fuzzer-sapi.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#if HAVE_EXIF
+ char *filename;
+ int filedes;
+
+ if (fuzzer_request_startup() == FAILURE) {
+ return 0;
+ }
+
+ /* put the data in a file */
+ filename = tmpnam(NULL);
+ filedes = open(filename, O_CREAT|O_RDWR);
+ write(filedes, Data, Size);
+ close(filedes);
+
+ fuzzer_call_php_func("exif_read_data", 1, &filename);
+
+ /* cleanup */
+ unlink(filename);
+ php_request_shutdown(NULL);
+
+ return 0;
+#else
+ fprintf(stderr, "\n\nERROR:\nPHP built without EXIF, recompile with --enable-exif to use this fuzzer\n");
+ exit(1);
+#endif
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
+
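Review bot: The temporary file in LLVMFuzzerTestOneInput is created with `tmpnam(NULL)` followed by `open(filename, O_CREAT|O_RDWR)`, which races on a predictable name and omits the mode argument that `O_CREAT` requires, so the new file's permission bits are whatever garbage is in the variadic slot. The `write()` result is never checked either, so a short or failed write silently hands `exif_read_data` a truncated file, and `write`/`close`/`unlink` are called without `<unistd.h>` in the include list. Replacing the sequence with `mkstemp()` on a local template (passing a pointer variable to `fuzzer_call_php_func`, since `&filename` of an array has the wrong type), looping the write, and skipping the PHP call when the write did not complete fixes all of this; `#include <unistd.h>` belongs next to `<fcntl.h>`. The `#if HAVE_EXIF` guard also differs from the `#ifdef HAVE_JSON` / `#ifdef HAVE_MBREGEX` form used in the sibling fuzzers and is worth aligning.
```c
	/* put the data in a file (template path is illustrative) */
	char filename[] = "/tmp/php-fuzzer-exif-XXXXXX";
	char *filename_ptr = filename;
	int filedes = mkstemp(filename);
	if (filedes < 0) {
		php_request_shutdown(NULL);
		return 0;
	}
	/* write() may be short; keep going until every byte is on disk */
	size_t written = 0;
	while (written < Size) {
		ssize_t n = write(filedes, Data + written, Size - written);
		if (n < 0) {
			break;
		}
		written += (size_t)n;
	}
	close(filedes);

	if (written == Size) {
		fuzzer_call_php_func("exif_read_data", 1, &filename_ptr);
	}

	/* cleanup */
	unlink(filename);
	/* … unchanged: php_request_shutdown(NULL); return 0; … */
```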
diff --git a/sapi/fuzzer/fuzzer-json.c b/sapi/fuzzer/fuzzer-json.c new file mode 100644 index 0000000000..4ebc931727 --- /dev/null +++ b/sapi/fuzzer/fuzzer-json.c 
@@ -0,0 +1,72 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ | Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "fuzzer-sapi.h"
+
+#ifdef HAVE_JSON
+#include "ext/json/php_json_parser.h"
+#endif
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef HAVE_JSON
+ char *data = malloc(Size+1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
+ if (fuzzer_request_startup() == FAILURE) {
+ return 0;
+ }
+
+ for (int option = 0; option <=1; ++option) {
+ zval result;
+ php_json_parser parser;
+ php_json_parser_init(&parser, &result, data, Size, option, 10);
+ if (php_json_yyparse(&parser) == SUCCESS) {
+ zval_ptr_dtor(&result);
+ }
+ }
+
+ php_request_shutdown(NULL);
+
+ free(data);
+#else
+ fprintf(stderr, "\n\nERROR:\nPHP built without JSON, recompile with --enable-json to use this fuzzer\n");
+ exit(1);
+#endif
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer-mbstring.c b/sapi/fuzzer/fuzzer-mbstring.c
new file mode 100644
index 0000000000..9837d34205
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-mbstring.c
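Review bot: `data` leaks in LLVMFuzzerTestOneInput when `fuzzer_request_startup()` fails, because the early `return 0` inside the `FAILURE` check bypasses the `free(data)` at the bottom of the `#ifdef HAVE_JSON` branch; either allocate after the startup check or write `if (fuzzer_request_startup() == FAILURE) { free(data); return 0; }`. The `malloc(Size+1)` result is also dereferenced unchecked by the following `memcpy`, and `memcpy` is used without `<string.h>` in the include list (unless one of the PHP headers pulls it in — worth confirming). fuzzer-mbstring.c has the same leak-on-failure and unchecked allocation, and fuzzer-parser.c the same unchecked allocation; the fix is identical in each.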
@@ -0,0 +1,74 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "fuzzer-sapi.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef HAVE_MBREGEX
+ char *args[2];
+ char *data = malloc(Size+1);
+ memcpy(data, Data, Size);
+ data[Size] = '\0';
+
+ if (fuzzer_request_startup() == FAILURE) {
+ return 0;
+ }
+
+ args[0] = data;
+ args[1] = "test123";
+ fuzzer_call_php_func("mb_ereg", 2, args);
+
+ args[0] = data;
+ args[1] = "test123";
+ fuzzer_call_php_func("mb_eregi", 2, args);
+
+ args[0] = data;
+ args[1] = data;
+ fuzzer_call_php_func("mb_ereg", 2, args);
+
+ args[0] = data;
+ args[1] = data;
+ fuzzer_call_php_func("mb_eregi", 2, args);
+
+ php_request_shutdown(NULL);
+
+ free(data);
+#else
+ fprintf(stderr, "\n\nERROR:\nPHP built without mbstring, recompile with --enable-mbstring to use this fuzzer\n");
+ exit(1);
+#endif
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer-parser.c b/sapi/fuzzer/fuzzer-parser.c
new file mode 100644
index 0000000000..ac2a1a8f2b
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-parser.c
@@ -0,0 +1,50 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ | Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+#include <main/php.h>
+#include <main/php_main.h>
+#include <main/SAPI.h>
+#include <ext/standard/info.h>
+#include <ext/standard/php_var.h>
+#include <main/php_variables.h>
+
+#include "fuzzer.h"
+#include "fuzzer-sapi.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ char *s = malloc(Size+1);
+ memcpy(s, Data, Size);
+ s[Size] = '\0';
+
+ fuzzer_do_request_from_buffer("fuzzer.php", s, Size);
+
+ /* Do not free s: fuzzer_do_request_from_buffer() takes ownership of the allocation. */
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ /* Compilation will often trigger fatal errors.
+ * Use tracked allocation mode to avoid leaks in that case. */
+ putenv("USE_TRACKED_ALLOC=1");
+
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer-sapi.c b/sapi/fuzzer/fuzzer-sapi.c
new file mode 100644
index 0000000000..da1df37943
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-sapi.c
@@ -0,0 +1,273 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ | Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+#include <main/php.h>
+#include <main/php_main.h>
+#include <main/SAPI.h>
+#include <ext/standard/info.h>
+#include <ext/standard/php_var.h>
+#include <main/php_variables.h>
+
+#ifdef __SANITIZE_ADDRESS__
+# include "sanitizer/lsan_interface.h"
+#endif
+
+#include "fuzzer.h"
+#include "fuzzer-sapi.h"
+
+const char HARDCODED_INI[] =
+ "html_errors=0\n"
+ "implicit_flush=1\n"
+ "max_execution_time=20\n"
+ "output_buffering=0\n"
+ "error_reporting=0";
+
+static int startup(sapi_module_struct *sapi_module)
+{
+ if (php_module_startup(sapi_module, NULL, 0)==FAILURE) {
+ return FAILURE;
+ }
+ return SUCCESS;
+}
+
+static size_t ub_write(const char *str, size_t str_length)
+{
+ /* quiet */
+ return str_length;
+}
+
+static void fuzzer_flush(void *server_context)
+{
+ /* quiet */
+}
+
+static void send_header(sapi_header_struct *sapi_header, void *server_context)
+{
+}
+
+static char* read_cookies()
+{
+ /* TODO: fuzz these!
*/
+ return NULL;
+}
+
+static void register_variables(zval *track_vars_array)
+{
+ php_import_environment_variables(track_vars_array);
+}
+
+static void log_message(char *message, int level)
+{
+}
+
+
+static sapi_module_struct fuzzer_module = {
+ "fuzzer", /* name */
+ "clang fuzzer", /* pretty name */
+
+ startup, /* startup */
+ php_module_shutdown_wrapper, /* shutdown */
+
+ NULL, /* activate */
+ NULL, /* deactivate */
+
+ ub_write, /* unbuffered write */
+ fuzzer_flush, /* flush */
+ NULL, /* get uid */
+ NULL, /* getenv */
+
+ php_error, /* error handler */
+
+ NULL, /* header handler */
+ NULL, /* send headers handler */
+ send_header, /* send header handler */
+
+ NULL, /* read POST data */
+ read_cookies, /* read Cookies */
+
+ register_variables, /* register server variables */
+ log_message, /* Log message */
+ NULL, /* Get request time */
+ NULL, /* Child terminate */
+
+ STANDARD_SAPI_MODULE_PROPERTIES
+};
+
+int fuzzer_init_php()
+{
+#ifdef __SANITIZE_ADDRESS__
+ /* We're going to leak all the memory allocated during startup,
+ * so disable lsan temporarily. */
+ __lsan_disable();
+#endif
+
+ sapi_startup(&fuzzer_module);
+ fuzzer_module.phpinfo_as_text = 1;
+
+ fuzzer_module.ini_entries = malloc(sizeof(HARDCODED_INI));
+ memcpy(fuzzer_module.ini_entries, HARDCODED_INI, sizeof(HARDCODED_INI));
+
+ /*
+ * TODO: we might want to test both Zend and malloc MM, but testing with malloc
+ * is more likely to find bugs, so use that for now.
+ */
+ putenv("USE_ZEND_ALLOC=0");
+
+ if (fuzzer_module.startup(&fuzzer_module)==FAILURE) {
+ return FAILURE;
+ }
+
+#ifdef __SANITIZE_ADDRESS__
+ __lsan_enable();
+#endif
+
+ return SUCCESS;
+}
+
+int fuzzer_request_startup()
+{
+ if (php_request_startup() == FAILURE) {
+ php_module_shutdown();
+ return FAILURE;
+ }
+
+#ifdef ZEND_SIGNALS
+ /* Some signal handlers will be overriden,
+ * don't complain about them during shutdown.
*/
+ SIGG(check) = 0;
+#endif
+
+ return SUCCESS;
+}
+
+void fuzzer_set_ini_file(const char *file)
+{
+ if (fuzzer_module.php_ini_path_override) {
+ free(fuzzer_module.php_ini_path_override);
+ }
+ fuzzer_module.php_ini_path_override = strdup(file);
+}
+
+
+int fuzzer_shutdown_php()
+{
+ php_module_shutdown();
+ sapi_shutdown();
+
+ free(fuzzer_module.ini_entries);
+ return SUCCESS;
+}
+
+int fuzzer_do_request(zend_file_handle *file_handle, char *filename)
+{
+ int retval = FAILURE; /* failure by default */
+
+ SG(options) |= SAPI_OPTION_NO_CHDIR;
+ SG(request_info).argc=0;
+ SG(request_info).argv=NULL;
+
+ if (fuzzer_request_startup() == FAILURE) {
+ return FAILURE;
+ }
+
+ SG(headers_sent) = 1;
+ SG(request_info).no_headers = 1;
+ php_register_variable("PHP_SELF", filename, NULL);
+
+ zend_first_try {
+ zend_op_array *op_array = zend_compile_file(file_handle, ZEND_REQUIRE);
+ if (op_array) {
+ destroy_op_array(op_array);
+ efree(op_array);
+ }
+ if (EG(exception)) {
+ zend_object_release(EG(exception));
+ EG(exception) = NULL;
+ }
+ /*retval = php_execute_script(file_handle);*/
+ } zend_end_try();
+
+ php_request_shutdown((void *) 0);
+
+ return (retval == SUCCESS) ?
SUCCESS : FAILURE;
+}
+
+
+int fuzzer_do_request_f(char *filename)
+{
+ zend_file_handle file_handle;
+ file_handle.type = ZEND_HANDLE_FILENAME;
+ file_handle.filename = filename;
+ file_handle.handle.fp = NULL;
+ file_handle.opened_path = NULL;
+
+ return fuzzer_do_request(&file_handle, filename);
+}
+
+int fuzzer_do_request_from_buffer(char *filename, char *data, size_t data_len)
+{
+ zend_file_handle file_handle;
+ file_handle.filename = filename;
+ file_handle.free_filename = 0;
+ file_handle.opened_path = NULL;
+ file_handle.handle.stream.handle = NULL;
+ file_handle.handle.stream.reader = (zend_stream_reader_t)_php_stream_read;
+ file_handle.handle.stream.fsizer = NULL;
+ file_handle.handle.stream.isatty = 0;
+ file_handle.handle.stream.closer = NULL;
+ file_handle.buf = data;
+ file_handle.len = data_len;
+ file_handle.type = ZEND_HANDLE_STREAM;
+
+ return fuzzer_do_request(&file_handle, filename);
+}
+
+// Call named PHP function with N zval arguments
+void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args) {
+ zval retval, func;
+
+ ZVAL_STRING(&func, func_name);
+ ZVAL_UNDEF(&retval);
+ call_user_function(CG(function_table), NULL, &func, &retval, nargs, args);
+
+ // TODO: check result?
+ /* to ensure retval is not broken */
+ php_var_dump(&retval, 0);
+
+ /* cleanup */
+ zval_ptr_dtor(&retval);
+ zval_ptr_dtor(&func);
+}
+
+// Call named PHP function with N string arguments
+void fuzzer_call_php_func(const char *func_name, int nargs, char **params) {
+ zval args[nargs];
+ int i;
+
+ for(i=0;i<nargs;i++) {
+ ZVAL_STRING(&args[i], params[i]);
+ }
+
+ fuzzer_call_php_func_zval(func_name, nargs, args);
+
+ for(i=0;i<nargs;i++) {
+ zval_ptr_dtor(&args[i]);
+ ZVAL_UNDEF(&args[i]);
+ }
+}
diff --git a/sapi/fuzzer/fuzzer-sapi.h b/sapi/fuzzer/fuzzer-sapi.h
new file mode 100644
index 0000000000..cce8080b2c
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-sapi.h
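Review bot: In fuzzer_init_php the early `return FAILURE;` after the startup check skips the `__lsan_enable()` that follows it, so under ASan a failed module startup leaves leak detection switched off for the rest of the process; capture the result first, `int ret = fuzzer_module.startup(&fuzzer_module);`, re-enable LSan unconditionally, then `return ret;`. `malloc(sizeof(HARDCODED_INI))` in the same function and `strdup(file)` in fuzzer_set_ini_file are unchecked, so an allocation failure becomes a NULL write in memcpy or a NULL ini path override rather than a reported error. In fuzzer_do_request, `retval` is initialised to FAILURE and never assigned because the php_execute_script line is commented out, so the function reports FAILURE even when compilation succeeded; either set `retval = SUCCESS;` after zend_compile_file or document that the return value currently carries no information. fuzzer_call_php_func declares `zval args[nargs]` with a caller-supplied int, which is undefined for nargs of zero or less; a guard on nargs, or a fixed upper bound, would be safer than relying on callers.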
@@ -0,0 +1,24 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ | Stanislav Malyshev <stas@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+int fuzzer_init_php();
+int fuzzer_request_startup();
+void fuzzer_call_php_func(const char *func_name, int nargs, char **params);
+void fuzzer_call_php_func_zval(const char *func_name, int nargs, zval *args);
+int fuzzer_do_request_from_buffer(char *filename, char *data, size_t data_len);
diff --git a/sapi/fuzzer/fuzzer-unserialize.c b/sapi/fuzzer/fuzzer-unserialize.c
new file mode 100644
index 0000000000..9cf040944a
--- /dev/null
+++ b/sapi/fuzzer/fuzzer-unserialize.c
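Review bot: fuzzer-sapi.h has no include guard and uses `zval` and `size_t` without including anything, so it only compiles when main/php.h has already been included by the translation unit; a guard plus an include of main/php.h (or a forward declaration of zval) would make it self-contained. The declarations `int fuzzer_init_php();` and `int fuzzer_request_startup();` use empty parentheses, which in C leave the parameter list unspecified; `int fuzzer_init_php(void);` and `int fuzzer_request_startup(void);` are the intended form, and the definitions in fuzzer-sapi.c should match. fuzzer_set_ini_file, fuzzer_shutdown_php, fuzzer_do_request and fuzzer_do_request_f are defined with external linkage in fuzzer-sapi.c but have no prototype here, so the commented-out `fuzzer_shutdown_php();` calls in the harnesses would become implicit declarations if re-enabled.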
@@ -0,0 +1,92 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+
+#include "fuzzer.h"
+
+#include "Zend/zend.h"
+#include "main/php_config.h"
+#include "main/php_main.h"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "fuzzer-sapi.h"
+
+#include "ext/standard/php_var.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ unsigned char *orig_data = malloc(Size+1);
+ zend_execute_data execute_data;
+ zend_function func;
+
+ memcpy(orig_data, Data, Size);
+ orig_data[Size] = '\0';
+
+ if (fuzzer_request_startup()==FAILURE) {
+ return 0;
+ }
+
+ /* Set up a dummy stack frame so that exceptions may be thrown.
*/
+ {
+ memset(&execute_data, 0, sizeof(zend_execute_data));
+ memset(&func, 0, sizeof(zend_function));
+
+ func.type = ZEND_INTERNAL_FUNCTION;
+ func.common.function_name = ZSTR_EMPTY_ALLOC();
+ execute_data.func = &func;
+ EG(current_execute_data) = &execute_data;
+ }
+
+ {
+ const unsigned char *data = orig_data;
+ zval result;
+ ZVAL_UNDEF(&result);
+
+ php_unserialize_data_t var_hash;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ php_var_unserialize(&result, (const unsigned char **) &data, data + Size, &var_hash);
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+
+ zval_ptr_dtor(&result);
+
+ /* Destroy any thrown exception. */
+ if (EG(exception)) {
+ zend_object_release(EG(exception));
+ EG(exception) = NULL;
+ }
+ }
+
+ /* Unserialize may create circular structure. Make sure we free them.
+ * Two calls are performed to handle objects with destructors. */
+ zend_gc_collect_cycles();
+ zend_gc_collect_cycles();
+ php_request_shutdown(NULL);
+
+ free(orig_data);
+
+ return 0;
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+ fuzzer_init_php();
+
+ /* fuzzer_shutdown_php(); */
+ return 0;
+}
diff --git a/sapi/fuzzer/fuzzer.h b/sapi/fuzzer/fuzzer.h
new file mode 100644
index 0000000000..b0bae1c7bc
--- /dev/null
+++ b/sapi/fuzzer/fuzzer.h
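Review bot: In LLVMFuzzerTestOneInput, `orig_data` is allocated before the `fuzzer_request_startup()==FAILURE` early return, which returns without freeing it; moving the malloc below that check, or adding `free(orig_data);` on that path, closes a leak that LSan would otherwise attribute to the harness rather than to the code under test. `EG(current_execute_data)` is left pointing at the local `execute_data` through the `php_request_shutdown(NULL)` call; the frame is still live at that point, but any shutdown-time destructor would see a synthetic internal frame with an empty function name, so `EG(current_execute_data) = NULL;` after the unserialize block looks safer unless request shutdown is known to reset it itself. The unchecked malloc and the ignored fuzzer_init_php() result are the same issues as in fuzzer-parser.c.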
@@ -0,0 +1,20 @@
+/*
+ +----------------------------------------------------------------------+
+ | PHP Version 7 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) The PHP Group |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+ | available through the world-wide-web at the following url: |
+ | http://www.php.net/license/3_01.txt |
+ | If you did not receive a copy of the PHP license and are unable to |
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+ | Authors: Johannes Schlüter <johanes@php.net> |
+ +----------------------------------------------------------------------+
+ */
+
+#include "php_version.h"
+#define FUZZER_VERSION PHP_VERSION
diff --git a/sapi/fuzzer/generate_parser_corpus.php b/sapi/fuzzer/generate_parser_corpus.php
new file mode 100644
index 0000000000..e8d27e189b
--- /dev/null
+++ b/sapi/fuzzer/generate_parser_corpus.php
@@ -0,0 +1,22 @@
+<?php
+
+$testsDir = __DIR__ . '/../../Zend/tests/';
+$it = new RecursiveIteratorIterator(
+ new RecursiveDirectoryIterator($testsDir),
+ RecursiveIteratorIterator::LEAVES_ONLY
+);
+
+$corpusDir = __DIR__ . '/corpus/parser';
+@mkdir($corpusDir);
+
+foreach ($it as $file) {
+ if (!preg_match('/\.phpt$/', $file)) continue;
+ $code = file_get_contents($file);
+ if (!preg_match('/--FILE--(.*)--EXPECT/s', $code, $matches)) continue;
+ $code = $matches[1];
+
+ $outFile = str_replace($testsDir, '', $file);
+ $outFile = str_replace('/', '_', $outFile);
+ $outFile = $corpusDir . '/' . $outFile;
+ file_put_contents($outFile, $code);
+}
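Review bot: `@mkdir($corpusDir);` suppresses the failure when the corpus directory cannot be created, and the result of `file_put_contents($outFile, $code)` is never checked, so a permission or path problem yields an empty corpus with no message and a fuzzing run that silently starts from nothing; `if (!is_dir($corpusDir) && !mkdir($corpusDir)) { fwrite(STDERR, "cannot create $corpusDir\n"); exit(1); }` plus a check on the write result would surface it. generate_unserialize_dict.php has the same unchecked `file_put_contents`, and unlike this script it does not create its output directory `dict/` at all, so it depends on that directory already being present in the tree.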
diff --git a/sapi/fuzzer/generate_unserialize_dict.php b/sapi/fuzzer/generate_unserialize_dict.php
new file mode 100644
index 0000000000..cf270788d3
--- /dev/null
+++ b/sapi/fuzzer/generate_unserialize_dict.php
@@ -0,0 +1,9 @@
+<?php
+
+$dict = "";
+foreach (get_declared_classes() as $class) {
+ $len = strlen($class);
+ $dict .= "\"$len:\\\"$class\\\"\"\n";
+}
+
+file_put_contents(__DIR__ . "/dict/unserialize", $dict);
diff --git a/sapi/fuzzer/json.dict b/sapi/fuzzer/json.dict
new file mode 100644
index 0000000000..e08245a219
--- /dev/null
+++ b/sapi/fuzzer/json.dict
@@ -0,0 +1,52 @@
+#
+# AFL dictionary for JSON
+# -----------------------
+#
+# Just the very basics.
+#
+# Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
+#
+
+"0"
+",0"
+":0"
+"0:"
+"-1.2e+3"
+
+"true"
+"false"
+"null"
+
+"\"\""
+",\"\""
+":\"\""
+"\"\":"
+
+"{}"
+",{}"
+":{}"
+"{\"\":0}"
+"{{}}"
+
+"[]"
+",[]"
+":[]"
+"[0]"
+"[[]]"
+
+"''"
+"\\"
+"\\b"
+"\\f"
+"\\n"
+"\\r"
+"\\t"
+"\\u0000"
+"\\x00"
+"\\0"
+"\\uD800\\uDC00"
+"\\uDBFF\\uDFFF"
+
+"\"\":0"
+"//"
+"/**/"
diff --git a/sapi/phpdbg/phpdbg.h b/sapi/phpdbg/phpdbg.h
index d0e316c78b..d9a66b44bd 100644
--- a/sapi/phpdbg/phpdbg.h
+++ b/sapi/phpdbg/phpdbg.h
@@ -277,7 +277,7 @@ ZEND_BEGIN_MODULE_GLOBALS(phpdbg) zend_op_array *(*compile_file)(zend_file_handle *file_handle, int type); zend_op_array *(*init_compile_file)(zend_file_handle *file_handle, int type); - zend_op_array *(*compile_string)(zval *source_string, char *filename); + zend_op_array *(*compile_string)(zval *source_string, const char *filename); HashTable file_sources; FILE *oplog; /* opline log */
diff --git a/sapi/phpdbg/phpdbg_list.c b/sapi/phpdbg/phpdbg_list.c
index 03b4c3526e..901fd0bb1c 100644
--- a/sapi/phpdbg/phpdbg_list.c
+++ b/sapi/phpdbg/phpdbg_list.c
@@ -319,7 +319,7 @@ zend_op_array *phpdbg_init_compile_file(zend_file_handle *file, int type) { return op_array; } -zend_op_array *phpdbg_compile_string(zval *source_string, char *filename) { +zend_op_array *phpdbg_compile_string(zval *source_string, const char *filename) { zend_string *fake_name; zend_op_array *op_array; phpdbg_file_source *dataptr; diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c index 24155a7860..a291801174 100644 --- a/sapi/phpdbg/phpdbg_prompt.c +++ b/sapi/phpdbg/phpdbg_prompt.c @@ -728,7 +728,7 @@ static inline void phpdbg_handle_exception(void) /* {{{ */ EG(exception) = NULL; ZVAL_OBJ(&zv, ex); - zend_call_method_with_0_params(&zv, ex->ce, &ex->ce->__tostring, "__tostring", &tmp); + zend_call_method_with_0_params(ex, ex->ce, &ex->ce->__tostring, "__tostring", &tmp); file = zval_get_string(zend_read_property(zend_get_exception_base(&zv), &zv, ZEND_STRL("file"), 1, &rv)); line = zval_get_long(zend_read_property(zend_get_exception_base(&zv), &zv, ZEND_STRL("line"), 1, &rv)); |
