diff --git a/.gitignore b/.gitignore
index 73b176e72d..6e81bd76db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ vendor
 .cur_input
 .cur_input_*
+cur_input
 .venv
 crashes
@@ -60,3 +61,8 @@ libafl_nyx/QEMU-Nyx
 libafl_nyx/packer
 .z3-trace
+
+# No gdb history
+.gdb_history
+# No llvm IR
+*.ll
diff --git a/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml b/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml
index d1c77d1ef3..64218aeb10 100644
--- a/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml
+++ b/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml
@@ -51,6 +51,9 @@ clear = true
 script='''
 cd fuzzer
 cargo clean
-cd ../runtime
+cd ..
+cd ./runtime
 cargo clean
-'''
\ No newline at end of file
+cd ..
+cargo clean
+'''
diff --git a/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs b/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs
index faa6b74014..840278baf6 100644
--- a/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs
+++ b/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs
@@ -60,13 +60,14 @@ struct Opt {
 concolic: bool,
 }
+use std::fs;
 pub fn main() {
 // Registry the metadata types used in this fuzzer
 // Needed only on no_std
 // unsafe { RegistryBuilder::register::(); }
 let opt = Opt::parse();
-
+ let _ = fs::remove_file("cur_input");
 println!(
 "Workdir: {:?}",
 env::current_dir().unwrap().to_string_lossy().to_string()
diff --git a/libafl/src/observers/concolic/mod.rs b/libafl/src/observers/concolic/mod.rs
index a3a4bbc42e..1f2eea9396 100644
--- a/libafl/src/observers/concolic/mod.rs
+++ b/libafl/src/observers/concolic/mod.rs
@@ -252,7 +252,9 @@ pub enum SymExpr {
 a: SymExprRef,
 b: SymExprRef,
 },
-
+ FloatNeg {
+ op: SymExprRef,
+ },
 FloatAbs {
 op: SymExprRef,
 },
@@ -277,6 +279,11 @@ pub enum SymExpr {
 b: SymExprRef,
 },
+ Ite {
+ cond: SymExprRef,
+ a: SymExprRef,
+ b: SymExprRef,
+ },
 Sext {
 op: SymExprRef,
 bits: u8,
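Review bot: `let _ = fs::remove_file("cur_input");` discards every error, so a leftover file that cannot be removed (permission denied, or a directory of that name) goes unnoticed and whatever is in it presumably reaches the next run; only NotFound is the benign case here. Suggest `if let Err(e) = fs::remove_file("cur_input") { if e.kind() != std::io::ErrorKind::NotFound { eprintln!("could not remove cur_input: {e}"); } }`. The path is relative to the working directory printed on the following line, so the removal only does its job when the fuzzer is started from the intended directory. Also, `use std::fs;` is placed between `struct Opt` and `main` instead of with the other `use` items at the top of the file (the `env` used just below is evidently imported there); move it up. `main`'s body continues outside the hunk.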
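Review bot: `FloatNeg` and `Ite` are inserted in the middle of `SymExpr` rather than appended, which shifts the index of every later variant (`FloatAbs`, `Sext`, …); if the trace format used by `MessageFileWriter`/`MessageFileReader` identifies variants by index, as bincode-style serde formats do, traces written before this change decode to the wrong variants instead of failing cleanly. Consider appending the new variants at the end of the enum, or adding a format version marker so old traces are rejected explicitly. Any exhaustive `match` on `SymExpr` outside the files in this diff will also need the two new arms, and a `_ =>` fallback would silently drop them. The enum definition continues outside the hunk.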
diff --git a/libafl/src/observers/concolic/serialization_format.rs b/libafl/src/observers/concolic/serialization_format.rs
index f980baae24..e30ab5f5cd 100644
--- a/libafl/src/observers/concolic/serialization_format.rs
+++ b/libafl/src/observers/concolic/serialization_format.rs
@@ -110,6 +110,7 @@ impl MessageFileReader {
 /// This transforms the given message from it's serialized form into its in-memory form, making relative references
 /// absolute and counting the `SymExprRef`s.
+ #[allow(clippy::too_many_lines)]
 fn transform_message(&mut self, message: &mut SymExpr) -> SymExprRef {
 let ret = self.current_id;
 match message {
@@ -125,6 +126,7 @@ impl MessageFileReader {
 }
 SymExpr::Neg { op }
 | SymExpr::FloatAbs { op }
+ | SymExpr::FloatNeg { op }
 | SymExpr::Not { op }
 | SymExpr::Sext { op, .. }
 | SymExpr::Zext { op, .. }
@@ -204,6 +206,12 @@ impl MessageFileReader {
 }
 }
 SymExpr::Call { .. } | SymExpr::Return { .. } | SymExpr::BasicBlock { .. } => {}
+ SymExpr::Ite { cond, a, b } => {
+ *cond = self.make_absolute(*cond);
+ *a = self.make_absolute(*a);
+ *b = self.make_absolute(*b);
+ self.current_id += 1;
+ }
 }
 SymExprRef::new(ret).unwrap()
 }
@@ -291,6 +299,7 @@ impl MessageFileWriter {
 }
 SymExpr::Neg { op }
 | SymExpr::FloatAbs { op }
+ | SymExpr::FloatNeg { op }
 | SymExpr::Not { op }
 | SymExpr::Sext { op, .. }
 | SymExpr::Zext { op, .. }
@@ -370,6 +379,11 @@ impl MessageFileWriter {
 }
 }
 SymExpr::Call { .. } | SymExpr::Return { .. } | SymExpr::BasicBlock { .. } => {}
+ SymExpr::Ite { cond, a, b } => {
+ *cond = self.make_relative(*cond);
+ *a = self.make_relative(*a);
+ *b = self.make_relative(*b);
+ }
 }
 self.serialization_options
 .serialize_into(&mut self.writer, &message)?;
diff --git a/libafl_concolic/symcc_libafl/src/lib.rs b/libafl_concolic/symcc_libafl/src/lib.rs
index 2e2288ae7c..c4f0c8bcba 100644
--- a/libafl_concolic/symcc_libafl/src/lib.rs
+++ b/libafl_concolic/symcc_libafl/src/lib.rs
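Review bot: `#[allow(clippy::too_many_lines)]` on `transform_message` is added without a reason, which invites the suppression to be copied to other functions; a one-line comment stating why the function is deliberately one large `match` keeps it contained, e.g. `// one arm per SymExpr variant, kept in a single match so it mirrors the writer's arms`. `transform_message` continues past the hunk.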
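Review bot: The new `Ite` arm passes three references read from the trace file through `make_absolute`, but nothing in the arm checks that the relative references are in range; the trace is written by the instrumented target and should be treated as untrusted input, so if `make_absolute` does not itself reject an offset that reaches past `current_id` (its body is not visible here), a corrupt or truncated trace yields a dangling `SymExprRef`. If that check is not already inside `make_absolute`, add it there once rather than in each arm. The reader arm also bumps `self.current_id` while the writer's `Ite` arm in the later hunk does not; worth confirming this pairs up the same way as the other expression arms of the two functions, whose bodies lie outside the hunks. `transform_message` starts before the hunk.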
@@ -5,7 +5,7 @@
 /// The URL of the `LibAFL` `SymCC` fork.
 pub const SYMCC_REPO_URL: &str = "https://github.com/AFLplusplus/symcc.git";
 /// The commit of the `LibAFL` `SymCC` fork.
-pub const SYMCC_REPO_COMMIT: &str = "2a3229da6101596af220f20fef5085e59537abcb";
+pub const SYMCC_REPO_COMMIT: &str = "6909c3f2b98c6e14a25bee0fc6eb29c598250e35";
 #[cfg(feature = "clone")]
 mod clone {
diff --git a/libafl_concolic/symcc_runtime/src/filter.rs b/libafl_concolic/symcc_runtime/src/filter.rs
index 74740d3ff9..067ae8e9b1 100644
--- a/libafl_concolic/symcc_runtime/src/filter.rs
+++ b/libafl_concolic/symcc_runtime/src/filter.rs
@@ -240,4 +240,7 @@ impl Filter for NoFloat {
 fn build_fp_rem(&mut self, _a: RSymExpr, _b: RSymExpr) -> bool {
 false
 }
+ fn build_fp_neg(&mut self, _a: RSymExpr) -> bool {
+ false
+ }
 }
diff --git a/libafl_concolic/symcc_runtime/src/tracing.rs b/libafl_concolic/symcc_runtime/src/tracing.rs
index 51186e903b..58676d4753 100644
--- a/libafl_concolic/symcc_runtime/src/tracing.rs
+++ b/libafl_concolic/symcc_runtime/src/tracing.rs
@@ -127,6 +127,7 @@ impl Runtime for TracingRuntime {
 binary_expression_builder!(build_fp_rem, FloatRem);
 unary_expression_builder!(build_fp_abs, FloatAbs);
+ unary_expression_builder!(build_fp_neg, FloatNeg);
 unary_expression_builder!(build_not, Not);
 binary_expression_builder!(build_equal, Equal);
@@ -135,6 +136,7 @@ impl Runtime for TracingRuntime {
 binary_expression_builder!(build_bool_or, BoolOr);
 binary_expression_builder!(build_bool_xor, BoolXor);
+ expression_builder!(build_ite(cond: RSymExpr, a: RSymExpr, b: RSymExpr) => Ite);
 expression_builder!(build_sext(op: RSymExpr, bits: u8) => Sext);
 expression_builder!(build_zext(op: RSymExpr, bits: u8) => Zext);
 expression_builder!(build_trunc(op: RSymExpr, bits: u8) => Trunc);