├── .gitmodules ├── Baselines ├── __init__.py ├── pure_random.py ├── __VERIFIER.c ├── fuzz_random.py ├── DFS.py └── SymbolicExecution.py ├── Results ├── __init__.py ├── statistics.py ├── statisticQS.py ├── Comparison.py ├── plotter.py └── pie_maker.py ├── ProgramUnderTest ├── sv-instrumented │ ├── zero_sum1.seed │ ├── sanfoundry_24-1.seed │ ├── zero_sum1.instr │ └── sanfoundry_24-1.instr ├── SourceCode │ ├── empty_main.c │ ├── simple_while.c │ ├── test_while.c │ ├── test_strict.c │ ├── test_half.c │ ├── test_2bytes.c │ ├── test_wide.c │ ├── test_bise.c │ ├── test_half.s │ └── replace.c ├── Orignal │ ├── empty_main │ ├── test_half │ └── test_while ├── Instrumented │ ├── test_bise.instr │ ├── test_half.instr │ ├── test_wide.instr │ ├── empty_main.instr │ ├── simple_while.instr │ ├── test_2bytes.instr │ ├── test_strict.instr │ └── test_while.instr ├── TraceJump │ ├── Makefile │ ├── setup.py │ ├── __trace_jump.s │ ├── README.md │ ├── test_instrumentation.py │ ├── tracejump.py │ ├── fuzz.py │ └── test_bise.instr.s └── Assembly │ ├── simple_while.s │ ├── TraceJump.trace │ ├── empty_main.instr.s │ ├── QEMU.trace │ ├── Simgr.trace │ ├── test_half.s │ └── test_while.instr.s ├── legion-sv ├── __VERIFIER_assume.c ├── validate ├── Testing ├── TraceJumpTests │ ├── test_dowhile.c │ ├── test_if.c │ ├── test_for.c │ ├── test_N.c │ ├── test_while.c │ └── test_switch.c ├── ANGRTests │ ├── test_N.c │ └── fauxware.c └── run_tests.py ├── benchmark ├── Dockerfile.sv ├── Dockerfile ├── __trace_jump.s ├── __trace_buffered.c ├── LICENSE ├── trace-cc ├── table ├── Makefile ├── __VERIFIER32.c ├── __VERIFIER.c ├── legion.xml ├── README.md ├── TestComp2020-ASE2020.xml ├── tbf.xml.template ├── .gitignore ├── tracejump.py └── trace-as /.gitmodules: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Baselines/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Results/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ProgramUnderTest/sv-instrumented/zero_sum1.seed: -------------------------------------------------------------------------------- 1 | 3 2 | 3 3 | 2 4 | 1 5 | 6 | -------------------------------------------------------------------------------- /legion-sv: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export PYTHONPATH=lib 4 | python3 ./Legion.py $@ 5 | -------------------------------------------------------------------------------- /ProgramUnderTest/sv-instrumented/sanfoundry_24-1.seed: -------------------------------------------------------------------------------- 1 | 3 2 | 9999 3 | 99999 4 | 999999 5 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/empty_main.c: -------------------------------------------------------------------------------- 1 | int main(int argc, char * argv[]) { 2 | return 0; 3 | } 4 | -------------------------------------------------------------------------------- /ProgramUnderTest/Orignal/empty_main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Orignal/empty_main -------------------------------------------------------------------------------- /ProgramUnderTest/Orignal/test_half: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Orignal/test_half -------------------------------------------------------------------------------- /ProgramUnderTest/Orignal/test_while: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Orignal/test_while -------------------------------------------------------------------------------- /__VERIFIER_assume.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void __VERIFIER_assume(int b) { 4 | if (!b) 5 | exit(1); 6 | } 7 | -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_bise.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_bise.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_half.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_half.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_wide.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_wide.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/empty_main.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/empty_main.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/simple_while.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/simple_while.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_2bytes.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_2bytes.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_strict.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_strict.instr -------------------------------------------------------------------------------- /ProgramUnderTest/Instrumented/test_while.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/Instrumented/test_while.instr -------------------------------------------------------------------------------- /ProgramUnderTest/sv-instrumented/zero_sum1.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/sv-instrumented/zero_sum1.instr -------------------------------------------------------------------------------- /ProgramUnderTest/sv-instrumented/sanfoundry_24-1.instr: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DonggeLiu/Legion/HEAD/ProgramUnderTest/sv-instrumented/sanfoundry_24-1.instr -------------------------------------------------------------------------------- /validate: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # make zips 4 | sed "s/RUNDATE/$1/g" tbf.xml.template > tbf.xml 5 | /home/ernst/workspace/cpachecker/scripts/benchmark.py --cloudPriority URGENT --read-only-dir / --cloud --cloudMaster localhost --cloudClientHeap 8000 tbf.xml 6 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/Makefile: -------------------------------------------------------------------------------- 1 | 2 | %.s: ../SourceCode/%.c 3 | $(CC) -S -o $@ ../SourceCode/$^ 4 | 5 | %.instr.s: %.s 6 | python3 tracejump.py $^ $@ 7 | 8 | %.instr: %.instr.o __trace_jump.o __VERIFIER.o 9 | $(CC) -o ../Instrumented/$@ $^ -no-pie 10 | objdump -d ../Instrumented/$@ > ../Assembly/$@.s 11 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_dowhile.c: -------------------------------------------------------------------------------- 1 | extern int __VERIFIER_nondet_int(void); 2 | 3 | 4 | unsigned int test(int x) { 5 | do { 6 | x--; 7 | } while (x > 0 && x < 8); 8 | 9 | return 0; 10 | } 11 | 12 | 13 | int main(int argc, char * argv[]) { 14 | int x = __VERIFIER_nondet_int(); 15 | test(x); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /benchmark: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # rm test/results -r 4 | # /home/ernst/workspace/cpachecker/scripts/benchmark.py --read-only-dir / -t ReachSafety-Arrays --cloud --cloudMaster localhost legion.xml 5 | /home/ernst/workspace/cpachecker/scripts/benchmark.py --cloudClientHeap 8000 --read-only-dir / --no-container --cloud --cloudMaster localhost "$1" 6 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_if.c: -------------------------------------------------------------------------------- 1 | extern int __VERIFIER_nondet_int(void); 2 | 3 | 4 | unsigned int test(int x) { 5 | if (x == 5) { 6 | x = 0; 7 | } 8 | else{ 9 | x = 1; 10 | } 11 | return x; 12 | } 13 | 14 | 15 | int main(int argc, char * argv[]) { 16 | int x = __VERIFIER_nondet_int(); 17 | x = test(x); 18 | return x; 19 | } 20 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_for.c: -------------------------------------------------------------------------------- 1 | extern int __VERIFIER_nondet_int(void); 2 | 3 | 4 | unsigned int test(int x) { 5 | int i; 6 | for (i=0; i < x; i++){ 7 | continue; 8 | } 9 | return 0; 10 | } 11 | 12 | 13 | int main(int argc, char * argv[]) { 14 | int x = __VERIFIER_nondet_int(); 15 | 16 | if (x < 5) { 17 | test(x); 18 | } 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /Testing/ANGRTests/test_N.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int test(unsigned int n) { 5 | if(n == (unsigned) 5) 6 | return 1; 7 | return 0; 8 | } 9 | 10 | 11 | int main () 12 | { 13 | unsigned int n; 14 | read(0, &n, sizeof(n)); 15 | assert(n < (unsigned) 2000); // n < 4906 16 | int x[n]; 17 | int y = test(n); 18 | return y; 19 | } 20 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/setup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from distutils.core import setup 4 | 5 | setup(name='tracejump', 6 | version='0.1', 7 | description='Assembly instrumentation of tracing jump targets', 8 | author='Gidon Ernst', 9 | author_email='gidonernst@gmail.com', 10 | url='https://github.com/gernst/tracejump', 11 | packages=['tracejump'], 12 | ) 13 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_N.c: -------------------------------------------------------------------------------- 1 | extern int __VERIFIER_nondet_int(void); 2 | 3 | int N; 4 | 5 | int test(int x) { 6 | int y = 0; 7 | if (x < 0) { 8 | y = 2; 9 | } else if (x == 0) { 10 | y = 0; 11 | } else if (x > 0) { 12 | y = 1; 13 | } 14 | return y; 15 | } 16 | 17 | 18 | int main () 19 | { 20 | int y; 21 | N = __VERIFIER_nondet_int(); 22 | int x[N]; 23 | y = test(N); 24 | return y; 25 | } 26 | -------------------------------------------------------------------------------- /Dockerfile.sv: -------------------------------------------------------------------------------- 1 | FROM ubuntu:bionic 2 | 3 | RUN apt-get -y update 4 | RUN apt-get -y upgrade 5 | 6 | RUN apt-get -y install git 7 | RUN apt-get -y install wget 8 | RUN apt-get -y install build-essential 9 | 10 | RUN apt-get -y install python3 python3-setuptools python3-pip 11 | 12 | WORKDIR /root 13 | RUN git clone https://github.com/Alan32Liu/claripy.git 14 | RUN git clone https://github.com/Alan32Liu/angr.git 15 | 16 | RUN pip3 install --target lib ./claripy ./angr 17 | 18 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_while.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | extern int __VERIFIER_nondet_uint(void); 4 | 5 | 6 | unsigned int test(int x) { 7 | while (x) 8 | { 9 | x --; 10 | // fwrite(&x, 8, 1, stderr); 11 | } 12 | return 0; 13 | } 14 | 15 | 16 | int main(int argc, char * argv[]) { 17 | // printf("%d", BUFSIZ); 18 | // char buf[BUFSIZ]; 19 | // setbuf(stderr, buf); 20 | unsigned int x = __VERIFIER_nondet_uint(); 21 | test(x); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /Testing/TraceJumpTests/test_switch.c: -------------------------------------------------------------------------------- 1 | extern int __VERIFIER_nondet_int(void); 2 | 3 | unsigned int test(int x) { 4 | switch (x){ 5 | case 2: 6 | x++; 7 | break; 8 | case 1: 9 | x--; 10 | break; 11 | case 3: 12 | x=x; 13 | break; 14 | default: 15 | x = x; 16 | } 17 | 18 | return 0; 19 | } 20 | 21 | 22 | int main(int argc, char * argv[]) { 23 | int x = __VERIFIER_nondet_int(); 24 | test(x); 25 | return 0; 26 | } 27 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/__trace_jump.s: -------------------------------------------------------------------------------- 1 | .global __trace_jump 2 | 3 | __trace_jump: 4 | push %rbp 5 | mov %rsp,%rbp 6 | mov 0x8(%rbp),%rax # get return address 7 | sub $0x13,%rax # rewind back over call 8 | mov %rax,-0x8(%rbp) # store on stack 9 | 10 | mov $0x1,%rax # system call number 1 = write 11 | mov $0x2,%rdi # file handle 2 = stderr 12 | mov %rbp,%rsi # 13 | sub $0x8,%rsi 14 | mov $0x8,%rdx 15 | syscall 16 | 17 | pop %rbp 18 | ret 19 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/simple_while.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int region1(unsigned int n) { 5 | while (n>32 && n < 40) 6 | n--; 7 | return n; 8 | } 9 | 10 | int region2(unsigned int n) { 11 | while (n > 100 && n < 108) 12 | n--; 13 | return n; 14 | } 15 | 16 | int main(int argc, char * argv[]) { 17 | 18 | unsigned char buff[2]; 19 | int bytes = read(0, buff, sizeof buff); 20 | if (buff[0] == 25 && ((buff[0] + buff[1])<65)) { 21 | region1(buff[1]); 22 | } 23 | region2(buff[0]); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_while.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | unsigned int test(unsigned int x) { 6 | int i = 256; 7 | while (x < i) { 8 | if (x > (i / 2)) { 9 | return i; 10 | } 11 | i -= 8; 12 | } 13 | return i; 14 | } 15 | 16 | 17 | int main(int argc, char * argv[]) { 18 | unsigned char x,y; 19 | 20 | // int n; 21 | // n = read(0, &x, 1); 22 | // printf("read %d bytes, x = %c\n", n, x); 23 | read(0, &x, 1); 24 | read(0, &y, 1); 25 | if (y > 240) 26 | test(x); 27 | else { 28 | 29 | } 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:20.04 2 | 3 | WORKDIR /root 4 | COPY Legion.py Makefile tracejump.py __trace_jump.s __VERIFIER.c __VERIFIER_assume.c __trace_buffered.c /root/ 5 | 6 | RUN apt-get update \ 7 | && apt-get install git -y \ 8 | && apt-get install python3 -y \ 9 | && apt-get install python3-pip -y \ 10 | && git clone https://github.com/Alan32Liu/claripy.git \ 11 | && git clone https://github.com/Alan32Liu/angr.git \ 12 | && pip3 install -e /root/claripy \ 13 | && pip3 install -e /root/angr 14 | 15 | # RUN mkdir -p /root/sv-benchmarks/c 16 | # COPY sv-benchmarks/c /root/sv-benchmarks/c 17 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_strict.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned int test(unsigned int x) { 5 | if (x > 255) { 6 | return 0; 7 | } 8 | if (x == 147) { 9 | return 1; 10 | } 11 | if (x == 111) { 12 | return 2; 13 | } 14 | if (x == 37) { 15 | return 3; 16 | } 17 | if (x == 23) { 18 | return 4; 19 | } 20 | if (x == 13) { 21 | return 5; 22 | } 23 | if (x == 6) { 24 | return 6; 25 | } 26 | if (x == 3) { 27 | return 7; 28 | } 29 | if (x == 1) { 30 | return 8; 31 | } 32 | return 9; 33 | } 34 | 35 | 36 | int main(int argc, char * argv[]) { 37 | unsigned char x; 38 | read(0, &x, 1); 39 | unsigned int r = test(x); 40 | return r; 41 | } 42 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_half.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned int test(unsigned int x) { 5 | if (x > 255) { 6 | return 9; 7 | } 8 | if (x > 128) { 9 | return 8; 10 | } 11 | if (x > 64) { 12 | return 7; 13 | } 14 | if (x > 32) { 15 | return 6; 16 | } 17 | if (x > 16) { 18 | return 5; 19 | } 20 | if (x > 8) { 21 | return 4; 22 | } 23 | if (x > 4) { 24 | return 3; 25 | } 26 | if (x > 2) { 27 | return 2; 28 | } 29 | if (x > 1) { 30 | return 1; 31 | } 32 | return 0; 33 | } 34 | 35 | 36 | int main(int argc, char * argv[]) { 37 | unsigned char x; 38 | // int n; 39 | // n = read(0, &x, 1); 40 | // printf("read %d bytes, x = %c\n", n, x); 41 | read(0, &x, 1); 42 | unsigned int r = test(x); 43 | return r; 44 | } 45 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_2bytes.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned int test(unsigned char *buff) { 5 | if (buff[0] > 100) { 6 | return 9; 7 | } 8 | if (buff[1] > 128) { 9 | return 8; 10 | } 11 | if (buff[1] > 64) { 12 | return 7; 13 | } 14 | 15 | if (buff[1] > 32) { 16 | return 6; 17 | } 18 | // 19 | if (buff[1] > 16) { 20 | return 5; 21 | } 22 | 23 | if (buff[1] > 8) { 24 | return 4; 25 | } 26 | if (buff[1] > 4) { 27 | return 3; 28 | } 29 | if (buff[1] > 2) { 30 | return 2; 31 | } 32 | if (buff[1] > 1) { 33 | return 1; 34 | } 35 | return 0; 36 | } 37 | 38 | 39 | int main(int argc, char * argv[]) { 40 | unsigned char buff[2]; 41 | int bytes = read(0, buff, sizeof buff); 42 | unsigned int r = test(buff); 43 | return r; 44 | } 45 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_wide.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned int test(unsigned int x) { 5 | if (x > 10) { 6 | return 0; 7 | } 8 | else { 9 | if (x < 5) { 10 | switch (x) { 11 | case 1: 12 | return 1; 13 | break; 14 | case 2: 15 | return 2; 16 | break; 17 | default: 18 | return 3; 19 | } 20 | } 21 | else { 22 | switch (x) { 23 | case 5: 24 | return 4; 25 | break; 26 | case 6: 27 | return 5; 28 | break; 29 | default: 30 | return 6; 31 | } 32 | } 33 | } 34 | 35 | 36 | } 37 | 38 | 39 | int main(int argc, char * argv[]) { 40 | unsigned char x; 41 | // int n; 42 | // n = read(0, &x, 1); 43 | // printf("read %d bytes, x = %c\n", n, x); 44 | read(0, &x, 1); 45 | unsigned int r = test(x); 46 | return r; 47 | } 48 | -------------------------------------------------------------------------------- /__trace_jump.s: -------------------------------------------------------------------------------- 1 | .global __trace_jump 2 | .global __trace_jump_set 3 | 4 | __trace_jump_set: 5 | mov _state@GOTPCREL(%rip), %rax # rax = &state 6 | movl $0, (%rax) # *rax = 0 7 | retq 8 | 9 | __trace_jump: 10 | push %rbp 11 | mov %rsp,%rbp 12 | 13 | movq _state@GOTPCREL(%rip), %rax # rax = &state 14 | cmpl $1, (%rax) # *rax == 0, assume rax == 0 before trace_jump_set 15 | je LBB2_2 # skip tracing 16 | 17 | mov 0x8(%rbp),%edi # get the address in caller to return to 18 | sub $0x13,%edi 19 | mov $0, %eax 20 | call save_to_errbuf@PLT 21 | 22 | movq _state@GOTPCREL(%rip), %rax # clear @state 23 | movl $1, (%rax) # *rax = 1 24 | 25 | LBB2_2: 26 | pop %rbp 27 | ret 28 | 29 | .comm _state,4,2 ## @state 30 | -------------------------------------------------------------------------------- /Testing/run_tests.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import os 4 | import pdb 5 | import subprocess as sp 6 | 7 | 8 | expectations = { 9 | 'test_for.c': 6, 10 | 'test_if.c': 2, 11 | 'test_dowhile.c': 9, 12 | 'test_while.c': 9, 13 | 'test_switch.c': 4, 14 | 'test_N.c': 3, 15 | } 16 | 17 | 18 | for test in os.listdir("./TraceJumpTests/"): 19 | if test[-2:] != ".c": 20 | continue 21 | print("Testing {}:".format(test), end=" ") 22 | output = sp.run( 23 | args=["./Legion.py", "./Testing/TraceJumpTests/{}".format(test)], 24 | cwd="../", 25 | stdout=sp.PIPE 26 | ).stdout 27 | paths = output.decode("utf-8").split("\n")[-2] 28 | try: 29 | assert int(paths) == expectations[test] 30 | except AssertionError: 31 | print("Failed, expected {}, found {} ".format(expectations[test], paths)) 32 | else: 33 | print("Succeeded.") 34 | -------------------------------------------------------------------------------- /__trace_buffered.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | void register_atexit( void ) __attribute__ ((constructor)); 6 | 7 | 8 | #ifndef MAX_TRACE_LEN 9 | #define MAX_TRACE_LEN 42 10 | #endif 11 | 12 | #ifndef VERBOSE 13 | #define VERBOSE 0 14 | #endif 15 | 16 | void* trace[MAX_TRACE_LEN]; 17 | int trace_index = 0; 18 | 19 | 20 | void save_to_errbuf(void* address) { 21 | if (MAX_TRACE_LEN && trace_index>= MAX_TRACE_LEN){ 22 | if (VERBOSE) printf("Max trace length %d reached\n", (int) MAX_TRACE_LEN); 23 | exit(0); 24 | } 25 | if (VERBOSE) printf("Saving %p to array\n", address); 26 | trace[trace_index] = address; 27 | trace_index++; 28 | } 29 | 30 | 31 | void print_errbuff(void) { 32 | fwrite(trace, sizeof(trace[0]), trace_index, stderr); 33 | for(int j=0; j 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | char *sneaky = "SOSNEAKY"; 8 | 9 | int authenticate(char *username, char *password) 10 | { 11 | char stored_pw[9]; 12 | stored_pw[8] = 0; 13 | int pwfile; 14 | 15 | // evil back d00r 16 | if (strcmp(password, sneaky) == 0) return 1; 17 | 18 | pwfile = open(username, O_RDONLY); 19 | read(pwfile, stored_pw, 8); 20 | 21 | if (strcmp(password, stored_pw) == 0) return 1; 22 | return 0; 23 | 24 | } 25 | 26 | int accepted() 27 | { 28 | printf("Welcome to the admin console, trusted user!\n"); 29 | } 30 | 31 | int rejected() 32 | { 33 | printf("Go away!"); 34 | exit(1); 35 | } 36 | 37 | int main(int argc, char **argv) 38 | { 39 | int n; 40 | read(0, &n, sizeof(int)); 41 | char username[n]; 42 | char password[n]; 43 | int authed; 44 | 45 | //username[8] = 0; 46 | //password[8] = 0; 47 | 48 | printf("Username: \n"); 49 | read(0, username, n); 50 | read(0, &authed, 1); 51 | printf("Password: \n"); 52 | read(0, password, n); 53 | read(0, &authed, 1); 54 | 55 | authed = authenticate(username, password); 56 | if (authed) accepted(); 57 | else rejected(); 58 | } 59 | 60 | -------------------------------------------------------------------------------- /trace-cc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import sys 4 | import os 5 | import subprocess 6 | 7 | if __name__ == "__main__": 8 | args = sys.argv 9 | env = os.environ 10 | use64 = True 11 | 12 | path = os.path.realpath(args[0]) 13 | path = os.path.dirname(path) 14 | path = path+'/trace' 15 | if not os.path.isfile(path+'/as'): 16 | print('assembler not found') 17 | print('path: '+path+'/as') 18 | sys.exit(1) 19 | 20 | if 'TRACE_CC' in env: 21 | cc_bin = env['TRACE_CC'] 22 | else: 23 | cc_bin = 'cc' 24 | 25 | skip = False 26 | cmd = list() 27 | cmd.append(cc_bin) 28 | 29 | for arg in args[1:]: 30 | if arg == '-B': 31 | skip = True 32 | if arg == '-integrated-as': 33 | pass 34 | if arg == '-pipe': 35 | pass 36 | if arg == '-m32': 37 | use64 = False 38 | if not skip: 39 | cmd.append(arg) 40 | skip = False 41 | 42 | # -B adds a directory to the compiler's $PATH 43 | cmd.append('-B') 44 | cmd.append(path) 45 | 46 | cmd.append('-L') 47 | cmd.append(path) 48 | 49 | cmd.append('-legion') 50 | 51 | code = subprocess.call(cmd) 52 | sys.exit(code) 53 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_bise.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned int test(unsigned int x) { 5 | if (x <= 255) { 6 | if (x <= 128) { 7 | if (x <= 64) { 8 | if (x <= 32) { 9 | if (x <= 16) { 10 | if (x <= 8) { 11 | if (x <= 4) { 12 | if (x <= 2) { 13 | if (x <= 1) { 14 | return 1; 15 | } 16 | return 2; 17 | } 18 | return 3; 19 | } 20 | return 4; 21 | } 22 | return 5; 23 | } 24 | return 6; 25 | } 26 | return 7; 27 | } 28 | return 8; 29 | } 30 | return 9; 31 | } 32 | return 0; 33 | } 34 | 35 | 36 | int main(int argc, char * argv[]) { 37 | unsigned char x; 38 | // int n; 39 | // n = read(0, &x, 1); 40 | // printf("read %d bytes, x = %c\n", n, x); 41 | read(0, &x, 1); 42 | unsigned int r = test(x); 43 | return r; 44 | } 45 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/README.md: -------------------------------------------------------------------------------- 1 | # tracejump 2 | 3 | Instrument assembly code with tracing of jump targets 4 | 5 | To instrument a single assembly file `test.s` (e.g. for the empty program in `test.c`) 6 | 7 | python tracejump.py test.s test.instr.s 8 | 9 | The `Makefile` contains some rules to produce instrumented assembly files `test.instr.s`, object files `test.instr.o`, and (single source) binaries `test.instr` from a source `test.c`. 10 | For the latter, `__trace_jump.o` will be built and linked in automatically. 11 | 12 | make test.instr.s 13 | make test.instr.o 14 | make test.instr 15 | 16 | 17 | Instrumentation algorithm taken from AFL `afl-as.c`. 18 | See for further details. 19 | 20 | Calls to `__trace_jump` are inserted textually 21 | 22 | - after conditional jumps (not-taken branch) 23 | - after labels 24 | 25 | Assumes ATT syntax (as output by gcc). Here is an example: 26 | 27 | main: 28 | .LFB0: 29 | .cfi_startproc 30 | ... 31 | call __trace_jump 32 | ... 33 | 34 | The supplied `__trace_jump.s` writes the addresses of jump targets to stdout (64bit little endian) 35 | 36 | PoC `fuzz.py` 37 | 38 | make test.instr 39 | echo -n ' ' | python fuzz.py ./test.instr 40 | 41 | Wishlist 42 | 43 | - `as`, `cc`, `ld` wrappers (can instrument arbitrary builds easily as AFL does) 44 | - make the tracing function configurable 45 | -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/simple_while.s: -------------------------------------------------------------------------------- 1 | .file "simple_while.c" 2 | .text 3 | .globl test 4 | .type test, @function 5 | test: 6 | .LFB0: 7 | .cfi_startproc 8 | pushq %rbp 9 | .cfi_def_cfa_offset 16 10 | .cfi_offset 6, -16 11 | movq %rsp, %rbp 12 | .cfi_def_cfa_register 6 13 | movl %edi, -4(%rbp) 14 | jmp .L2 15 | .L3: 16 | subl $1, -4(%rbp) 17 | .L2: 18 | cmpl $110, -4(%rbp) 19 | ja .L3 20 | movl -4(%rbp), %eax 21 | popq %rbp 22 | .cfi_def_cfa 7, 8 23 | ret 24 | .cfi_endproc 25 | .LFE0: 26 | .size test, .-test 27 | .globl main 28 | .type main, @function 29 | main: 30 | .LFB1: 31 | .cfi_startproc 32 | pushq %rbp 33 | .cfi_def_cfa_offset 16 34 | .cfi_offset 6, -16 35 | movq %rsp, %rbp 36 | .cfi_def_cfa_register 6 37 | subq $32, %rsp 38 | movl %edi, -20(%rbp) 39 | movq %rsi, -32(%rbp) 40 | movq %fs:40, %rax 41 | movq %rax, -8(%rbp) 42 | xorl %eax, %eax 43 | leaq -13(%rbp), %rax 44 | movl $1, %edx 45 | movq %rax, %rsi 46 | movl $0, %edi 47 | call read@PLT 48 | movzbl -13(%rbp), %eax 49 | movzbl %al, %eax 50 | movl %eax, %edi 51 | call test 52 | movl %eax, -12(%rbp) 53 | movzbl -13(%rbp), %eax 54 | movzbl %al, %eax 55 | movq -8(%rbp), %rcx 56 | xorq %fs:40, %rcx 57 | je .L7 58 | call __stack_chk_fail@PLT 59 | .L7: 60 | leave 61 | .cfi_def_cfa 7, 8 62 | ret 63 | .cfi_endproc 64 | .LFE1: 65 | .size main, .-main 66 | .ident "GCC: (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0" 67 | .section .note.GNU-stack,"",@progbits 68 | -------------------------------------------------------------------------------- /table: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ~/tools/benchexec/bin/table-generator \ 4 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Arrays.xml.bz2" \ 5 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-BitVectors.xml.bz2" \ 6 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-ControlFlow.xml.bz2" \ 7 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-ECA.xml.bz2" \ 8 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Floats.xml.bz2" \ 9 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Heap.xml.bz2" \ 10 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Loops.xml.bz2" \ 11 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Recursive.xml.bz2" \ 12 | "test/results/tbf.$1.results.test-comp19_prop-coverage-branches.ReachSafety-Sequentialized.xml.bz2" \ 13 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Arrays.xml.bz2" \ 14 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-BitVectors.xml.bz2" \ 15 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-ControlFlow.xml.bz2" \ 16 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-ECA.xml.bz2" \ 17 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Floats.xml.bz2" \ 18 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Heap.xml.bz2" \ 19 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Loops.xml.bz2" \ 20 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Recursive.xml.bz2" \ 21 | "test/results/tbf.$1.results.test-comp19_prop-coverage-error-call.ReachSafety-Sequentialized.xml.bz2" 22 | -------------------------------------------------------------------------------- /Results/statistics.py: -------------------------------------------------------------------------------- 1 | import subprocess as sp 2 | # import tkinter 3 | 4 | import csv 5 | import time 6 | import traceback 7 | import sys 8 | import time 9 | from matplotlib.pyplot import plot 10 | from fuzz_qs import run as qs_run 11 | from fuzz_legion import run as lg_run 12 | from pure_random import run as rd_run 13 | 14 | 15 | REPETITION = 1 # trials 16 | PUT = 'PUT/SourceCode/test_half' 17 | SEED = 's' 18 | QS_TIME = 0. 19 | RD_TIME = 0. 20 | 21 | def average(nums): 22 | return sum(nums)/len(nums) 23 | 24 | def variance(nums): 25 | avg = average(nums) 26 | return sum([(num-avg)**2 for num in nums]) 27 | 28 | def print_statics(nums): 29 | print(nums, average(nums), variance(nums)) 30 | 31 | def compute_historgram(runner): 32 | histogram = [] 33 | for _ in range(REPETITION): 34 | start = time.time() 35 | history = runner(PUT, SEED) 36 | end = time.time() 37 | cost = int(history[-1][0]) 38 | histogram.append([cost, (end-start)]) 39 | return histogram 40 | 41 | histogram1, histogram3 = [], [] 42 | 43 | 44 | # try: 45 | # histogram1 = compute_historgram(qs_run) 46 | # print_statics([num[0] for num in histogram1]) 47 | # print_statics([num[1] for num in histogram1]) 48 | # except: 49 | # traceback.print_exc(file=sys.stdout) 50 | 51 | # try: 52 | # histogram2 = compute_historgram(lg_run) 53 | # print_statics(histogram2) 54 | # except: 55 | # traceback.print_exc(file=sys.stdout) 56 | 57 | try: 58 | histogram3 = compute_historgram(rd_run) 59 | print_statics([num[0] for num in histogram3]) 60 | print_statics([num[1] for num in histogram3]) 61 | except: 62 | traceback.print_exc(file=sys.stdout) 63 | 64 | 65 | with open( 66 | 'tie_breaking_QS_test_half_50_{}.csv'.format(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())), 67 | 'wb') as histogram_file: 68 | histo_writer = csv.writer(histogram_file, delimiter = ',', 69 | quotechar="|", quoting=csv.QUOTE_MINIMAL) 70 | histo_writer.writerow(['', 'QS Iter', 'RD Iter', 'QS Time', 'RD Time' ]) 71 | for i in range(REPETITION): 72 | histo_writer.writerow([i, histogram1[i][0], histogram3[i][0], histogram1[i][1], histogram3[i][1]]) 73 | 74 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/test_half.s: -------------------------------------------------------------------------------- 1 | .file "test_half.c" 2 | .text 3 | .globl test 4 | .type test, @function 5 | test: 6 | .LFB0: 7 | .cfi_startproc 8 | pushq %rbp 9 | .cfi_def_cfa_offset 16 10 | .cfi_offset 6, -16 11 | movq %rsp, %rbp 12 | .cfi_def_cfa_register 6 13 | movl %edi, -4(%rbp) 14 | cmpl $255, -4(%rbp) 15 | jbe .L2 16 | movl $9, %eax 17 | jmp .L3 18 | .L2: 19 | cmpl $128, -4(%rbp) 20 | jbe .L4 21 | movl $8, %eax 22 | jmp .L3 23 | .L4: 24 | cmpl $64, -4(%rbp) 25 | jbe .L5 26 | movl $7, %eax 27 | jmp .L3 28 | .L5: 29 | cmpl $32, -4(%rbp) 30 | jbe .L6 31 | movl $6, %eax 32 | jmp .L3 33 | .L6: 34 | cmpl $16, -4(%rbp) 35 | jbe .L7 36 | movl $5, %eax 37 | jmp .L3 38 | .L7: 39 | cmpl $8, -4(%rbp) 40 | jbe .L8 41 | movl $4, %eax 42 | jmp .L3 43 | .L8: 44 | cmpl $4, -4(%rbp) 45 | jbe .L9 46 | movl $3, %eax 47 | jmp .L3 48 | .L9: 49 | cmpl $2, -4(%rbp) 50 | jbe .L10 51 | movl $2, %eax 52 | jmp .L3 53 | .L10: 54 | cmpl $1, -4(%rbp) 55 | jbe .L11 56 | movl $1, %eax 57 | jmp .L3 58 | .L11: 59 | movl $0, %eax 60 | .L3: 61 | popq %rbp 62 | .cfi_def_cfa 7, 8 63 | ret 64 | .cfi_endproc 65 | .LFE0: 66 | .size test, .-test 67 | .globl main 68 | .type main, @function 69 | main: 70 | .LFB1: 71 | .cfi_startproc 72 | pushq %rbp 73 | .cfi_def_cfa_offset 16 74 | .cfi_offset 6, -16 75 | movq %rsp, %rbp 76 | .cfi_def_cfa_register 6 77 | subq $32, %rsp 78 | movl %edi, -20(%rbp) 79 | movq %rsi, -32(%rbp) 80 | movq %fs:40, %rax 81 | movq %rax, -8(%rbp) 82 | xorl %eax, %eax 83 | leaq -13(%rbp), %rax 84 | movl $1, %edx 85 | movq %rax, %rsi 86 | movl $0, %edi 87 | call read@PLT 88 | movzbl -13(%rbp), %eax 89 | movzbl %al, %eax 90 | movl %eax, %edi 91 | call test 92 | movl %eax, -12(%rbp) 93 | movl -12(%rbp), %eax 94 | movq -8(%rbp), %rcx 95 | xorq %fs:40, %rcx 96 | je .L14 97 | call __stack_chk_fail@PLT 98 | .L14: 99 | leave 100 | .cfi_def_cfa 7, 8 101 | ret 102 | .cfi_endproc 103 | .LFE1: 104 | .size main, .-main 105 | .ident "GCC: (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0" 106 | .section .note.GNU-stack,"",@progbits 107 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean all install 2 | 3 | PREFIX = /usr/local 4 | 5 | # keep temporary files 6 | # .SECONDARY: 7 | 8 | SO = libegion.so 9 | A = libegion.a 10 | 11 | # optimisation 12 | OFLAG ?= -O0 13 | 14 | # Tracing 15 | MAX_TRACE_LEN ?= 42 16 | VERBOSE ?= 0 17 | 18 | # compiled without -fPIC 19 | O = __VERIFIER.o __trace_jump.o 20 | 21 | # compiled with -fPIC 22 | LO = $(O:.o=.lo) 23 | 24 | # for angr 25 | CFLAGS += -no-pie 26 | 27 | all: $(SO) $(A) trace/as 28 | 29 | clean: 30 | rm -f $(SO) $(A) $(O) $(LO) 31 | rm -rf trace/ 32 | 33 | %.s: %.i 34 | $(CC) -S -g $(OFLAG) -o $@ $^ 35 | 36 | %.s: %.c 37 | $(CC) -S -g $(OFLAG) -o $@ $^ 38 | 39 | %.instr.s: %.s 40 | python3 tracejump.py $^ $@ 41 | 42 | %.instr: %.instr.o __trace_jump.o __VERIFIER.c __VERIFIER_assume.instr.s __trace_buffered.c 43 | $(CC) -g -o $@ $^ -no-pie -DMAX_TRACE_LEN=$(MAX_TRACE_LEN) -DVERBOSE=$(VERBOSE) 44 | 45 | %.instr.obj: %.instr 46 | objdump -d $^ > $@ 47 | 48 | $(SO): CFLAGS += -fPIC 49 | $(SO): LDFLAGS += -shared 50 | 51 | %.lo: %.c 52 | $(CC) $(CFLAGS) -c -o $@ $< 53 | 54 | %.lo: %.s 55 | $(CC) $(CFLAGS) -c -o $@ $< 56 | 57 | $(SO): $(LO) 58 | $(LD) $(LDFLAGS) -o $@ $^ 59 | 60 | $(A): $(O) 61 | $(AR) $(ARFLAGS) $@ $^ 62 | 63 | trace: 64 | mkdir $@ 65 | 66 | trace/as: trace 67 | ln trace-as trace/as 68 | 69 | install: $(SO) $(A) trace-as trace-cc 70 | install -m755 -t $(PREFIX)/bin trace-as 71 | install -m755 -t $(PREFIX)/bin trace-cc 72 | install -m755 -t $(PREFIX)/lib $(SO) 73 | install -m644 -t $(PREFIX)/lib $(A) 74 | mkdir -p $(PREFIX)/bin/trace 75 | ln -sf $(PREFIX)/bin/trace-as $(PREFIX)/bin/trace/as 76 | 77 | uninstall: 78 | rm $(PREFIX)/bin/trace-as 79 | rm $(PREFIX)/bin/trace-cc 80 | rm $(PREFIX)/lib/$(SO) 81 | rm $(PREFIX)/lib/$(A) 82 | rm $(PREFIX)/bin/trace/as 83 | rmdir $(PREFIX)/bin/trace 84 | 85 | LOGS = $(wildcard test/results/legion.*.files/*) 86 | ZIPS = $(addsuffix /test-suite.zip,$(LOGS)) 87 | 88 | .PHONY: zips 89 | 90 | %/test-suite.zip: %/Legion 91 | zip $@ $^ -r 92 | 93 | zips: $(ZIPS) 94 | echo $(ZIPS) 95 | 96 | package.zip: legion-sv Legion.py __VERIFIER.c __trace_jump.s tracejump.py benchmark validate legion.xml 97 | zip -r $@ $^ lib 98 | -------------------------------------------------------------------------------- /Results/statisticQS.py: -------------------------------------------------------------------------------- 1 | import csv 2 | import subprocess as sp 3 | import sys 4 | import time 5 | import traceback 6 | 7 | repetition = 100 # trials 8 | SEED = ''.join(sys.argv[1:]) 9 | 10 | 11 | def average(nums): 12 | return sum(nums)/len(nums) 13 | 14 | 15 | def variance(nums): 16 | avg = average(nums) 17 | return sum([(num-avg)**2 for num in nums]) 18 | 19 | 20 | def print_statics(nums): 21 | iter_count = [] 22 | time_count = [] 23 | for num in nums: 24 | iter_count.append(num[0]) 25 | time_count.append(num[1]) 26 | print( 27 | nums, average(iter_count), variance(iter_count), average(time_count), variance(time_count)) 28 | 29 | 30 | def compute_histogram(command): 31 | c_list = command.split() 32 | print(command) 33 | histogram = [] 34 | for _ in range(repetition): 35 | ts = time.time() 36 | history = sp.check_output(c_list) 37 | te = time.time() 38 | cost = int(history.splitlines()[-1].split(b',')[0]) 39 | histogram.append((cost, te - ts)) 40 | return histogram 41 | 42 | 43 | # try: 44 | # qs_command = \ 45 | # "python3 fuzz_qs.py ProgramUnderTest/Instrumented/test_half.instr " + SEED[0] 46 | # histogram1 = compute_histogram(qs_command) 47 | # print_statics(histogram1) 48 | # except KeyboardInterrupt: 49 | # traceback.print_exc(file=sys.stdout) 50 | # histogram1 = [0] * repetition 51 | 52 | try: 53 | pc_command = \ 54 | "python3 principes.py ProgramUnderTest/Instrumented/simple_while.instr " + SEED 55 | histogram2 = compute_histogram(pc_command) 56 | print_statics(histogram2) 57 | except KeyboardInterrupt: 58 | traceback.print_exc(file=sys.stdout) 59 | histogram2 = [0] * repetition 60 | 61 | try: 62 | rd_command = \ 63 | "python3 Benchmarks/pure_random.py ProgramUnderTest/Instrumented/simple_while.instr " + SEED 64 | histogram3 = compute_histogram(rd_command) 65 | print_statics(histogram3) 66 | except KeyboardInterrupt: 67 | traceback.print_exc(file=sys.stdout) 68 | histogram3 = [0] * repetition 69 | 70 | 71 | with open( 72 | 'QS_simple_while_100_{}.csv'.format(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())), 'wb') \ 73 | as histogram_file: 74 | histo_writer = csv.writer( 75 | histogram_file, delimiter=',') 76 | histo_writer.writerow(['', 'Current', '', 'Random']) 77 | for i in range(repetition): 78 | histo_writer.writerow( 79 | [i, 80 | # histogram1[i][0], histogram1[i][1], 81 | histogram2[i][0], histogram2[i][1], 82 | histogram3[i][0], histogram3[i][1]]) 83 | -------------------------------------------------------------------------------- /Results/Comparison.py: -------------------------------------------------------------------------------- 1 | import csv 2 | import subprocess as sp 3 | 4 | cut_off = 500 # only for csv plotting 5 | repitition = 50 # trials 6 | max_path = 7 7 | 8 | command = "python fuzz_new_alternative.py ./test_wide.instr" 9 | c_list = command.split() 10 | 11 | sum_data = [0] * cut_off 12 | for _ in range(repitition): 13 | histogram = sp.check_output(c_list + [' ']) 14 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 15 | data += [max_path] * (len(sum_data) - len(data)) 16 | for i in range(len(sum_data)): 17 | sum_data[i] += float(data[i]) 18 | 19 | 20 | average_data1 = [] 21 | for i in sum_data: 22 | average_data1.append(i / repitition) 23 | 24 | # print(average_data) 25 | # plot(average_data) 26 | 27 | command = "python fuzz_new.py ./test_wide.instr" 28 | c_list = command.split() 29 | c_list.append(' ') 30 | # print(c_list) 31 | # print(sp.check_output(c_list + [' '])) 32 | 33 | sum_data = [0] * cut_off 34 | for _ in range(repitition): 35 | histogram = sp.check_output(c_list) 36 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 37 | data += [max_path] * (len(sum_data) - len(data)) 38 | for i in range(len(sum_data)): 39 | sum_data[i] += float(data[i]) 40 | 41 | 42 | average_data2 = [] 43 | for i in sum_data: 44 | average_data2.append(i / repitition) 45 | 46 | # print(average_data2) 47 | # plot(average_data) 48 | # 49 | # average_data = [] 50 | # for i in sum_data: 51 | # average_data.append(i/10) 52 | 53 | # print(average_data) 54 | # # plot(average_data) 55 | 56 | command = "python fuzz_random.py ./test_wide.instr" 57 | c_list = command.split() 58 | c_list.append(' ') 59 | # print(c_list) 60 | # print(sp.check_output(c_list + [' '])) 61 | 62 | sum_data = [0] * cut_off 63 | for _ in range(repitition): 64 | histogram = sp.check_output(c_list) 65 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 66 | data += [max_path] * (len(sum_data) - len(data)) 67 | for i in range(len(sum_data)): 68 | sum_data[i] += float(data[i]) 69 | 70 | 71 | average_data3 = [] 72 | for i in sum_data: 73 | average_data3.append(i / repitition) 74 | 75 | # print(average_data) 76 | # plot(average_data) 77 | 78 | 79 | with open('results.csv', 'wb') as csvfile: 80 | result_writer = csv.writer( 81 | csvfile, delimiter=',', quotechar="|", quoting=csv.QUOTE_MINIMAL) 82 | result_writer.writerow(['Iteration', 'Equal', 'Different', 'Random']) 83 | for i in range(len(average_data1)): 84 | result_writer.writerow( 85 | [i + 1, average_data1[i], average_data2[i], average_data3[i]]) 86 | -------------------------------------------------------------------------------- /Baselines/pure_random.py: -------------------------------------------------------------------------------- 1 | import logging 2 | import random 3 | import struct 4 | import subprocess 5 | import sys 6 | import time 7 | 8 | MAX_PATHS = 18 9 | NUM_SAMPLES = 1 10 | DSC_PATHS = set() 11 | PST_INSTRS = set() 12 | MAX_ROUNDS = float('inf') 13 | CUR_ROUND = 0 14 | SIMUL_TIME = 0. 15 | TIME_LOG = {} 16 | 17 | BINARY = sys.argv[1] 18 | SEED = ''.join(sys.argv[2:]) 19 | print(SEED) 20 | LOGGER = logging.getLogger('rd') 21 | LOGGER.setLevel(logging.ERROR) 22 | LOGGER.addHandler(logging.StreamHandler(sys.stdout)) 23 | 24 | 25 | def timer(method): 26 | global TIME_LOG 27 | 28 | def timeit(*args, **kw): 29 | ts = time.time() 30 | result = method(*args, **kw) 31 | te = time.time() 32 | if method.__name__ in TIME_LOG: 33 | TIME_LOG[method.__name__] += te - ts 34 | else: 35 | TIME_LOG[method.__name__] = te - ts 36 | return result 37 | 38 | return timeit 39 | 40 | 41 | def generate_random(seed): 42 | 43 | new_bytes = bytes([random.randint(0, 255) for _ in seed]) 44 | return new_bytes 45 | 46 | 47 | def program(in_str): 48 | return tuple(traced_with_input(in_str)) 49 | 50 | 51 | def unpack(output): 52 | assert(len(output) % 8 == 0) 53 | 54 | addrs = [] 55 | for i in range(int(len(output) / 8)): 56 | addr = struct.unpack_from('q', output, i * 8) 57 | addrs.append(addr[0]) 58 | return addrs 59 | 60 | 61 | def traced_with_input(in_str): 62 | p = subprocess.Popen(BINARY, stdin=subprocess.PIPE, stderr=subprocess.PIPE) 63 | (output, error) = p.communicate(in_str) 64 | addrs = unpack(error) 65 | 66 | return addrs 67 | 68 | 69 | def cannot_terminate(): 70 | # LOGGER.debug("=== Iter:{} === len(DSC_PATHS):{}".format(CUR_ROUND, len(DSC_PATHS))) 71 | print('{},{}'.format(CUR_ROUND, len(DSC_PATHS))) 72 | return len(DSC_PATHS) < MAX_PATHS and CUR_ROUND < MAX_ROUNDS 73 | 74 | 75 | @timer 76 | def run(): 77 | global CUR_ROUND, SIMUL_TIME 78 | 79 | history = [] 80 | 81 | while cannot_terminate(): 82 | CUR_ROUND += 1 83 | new_in = generate_random(SEED) 84 | # while new_in in PST_INSTRS: 85 | # new_in = generate_random(SEED) 86 | simul_start = time.time() 87 | path = program(new_in) 88 | PST_INSTRS.add(new_in) 89 | simul_end = time.time() 90 | SIMUL_TIME += simul_end - simul_start 91 | DSC_PATHS.add(path) 92 | history.append([CUR_ROUND, len(DSC_PATHS)]) 93 | if CUR_ROUND >= MAX_ROUNDS: 94 | break 95 | return history 96 | 97 | 98 | if __name__ == "__main__" and len(sys.argv) > 1: 99 | 100 | results = run() 101 | print(TIME_LOG) 102 | print(SIMUL_TIME) 103 | print(CUR_ROUND) 104 | -------------------------------------------------------------------------------- /Baselines/__VERIFIER.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void __VERIFIER_error() { 7 | exit(100); 8 | } 9 | 10 | _Bool __VERIFIER_nondet_bool() { 11 | _Bool x = 0; 12 | read(0, &x, sizeof(x)); 13 | printf(" %d\n", x); 14 | return x; 15 | } 16 | 17 | char __VERIFIER_nondet_char() { 18 | char x = 0; 19 | read(0, &x, sizeof(x)); 20 | printf(" %d\n", x); 21 | return x; 22 | } 23 | 24 | unsigned char __VERIFIER_nondet_uchar() { 25 | unsigned char x = 0; 26 | read(0, &x, sizeof(x)); 27 | printf(" %d\n", x); 28 | return x; 29 | } 30 | 31 | short __VERIFIER_nondet_short() { 32 | short x = 0; 33 | read(0, &x, sizeof(x)); 34 | printf(" %d\n", x); 35 | return x; 36 | } 37 | 38 | unsigned short __VERIFIER_nondet_ushort() { 39 | unsigned short x = 0; 40 | read(0, &x, sizeof(x)); 41 | printf(" %d\n", x); 42 | return x; 43 | } 44 | 45 | unsigned long __VERIFIER_nondet_unsigned_long() { 46 | unsigned long x = 0; 47 | read(0, &x, sizeof(x)); 48 | printf(" %lu\n", x); 49 | return x; 50 | } 51 | 52 | long __VERIFIER_nondet_long() { 53 | long x = 0; 54 | read(0, &x, sizeof(x)); 55 | printf(" %ld\n", x); 56 | return x; 57 | } 58 | 59 | unsigned int __VERIFIER_nondet_uint() { 60 | unsigned int x = 0; 61 | read(0, &x, sizeof(x)); 62 | printf(" %d\n", x); 63 | return x; 64 | } 65 | 66 | int __VERIFIER_nondet_int() { 67 | int x = 0; 68 | read(0, &x, sizeof(x)); 69 | printf(" %d\n", x); 70 | return x; 71 | } 72 | 73 | unsigned __VERIFIER_nondet_unsigned() { 74 | unsigned x = 0; 75 | read(0, &x, sizeof(x)); 76 | printf(" %d\n", x); 77 | return x; 78 | } 79 | 80 | unsigned long __VERIFIER_nondet_ulong() { 81 | unsigned long x = 0; 82 | read(0, &x, sizeof(x)); 83 | printf(" %lu\n", x); 84 | return x; 85 | } 86 | 87 | float __VERIFIER_nondet_float() { 88 | float x = 0.0; 89 | read(0, &x, sizeof(x)); 90 | printf(" %f\n", x); 91 | return x; 92 | } 93 | 94 | float __VERIFIER_nondet_double() { 95 | double x = 0.0; 96 | read(0, &x, sizeof(x)); 97 | printf(" %f\n", x); 98 | return x; 99 | } 100 | 101 | int __VERIFIER_assume(int b) { 102 | return b; 103 | } 104 | 105 | // int __VERIFIER_nondet_const_char_pointer() { 106 | 107 | // } 108 | 109 | //int __VERIFIER_nondet_S8() { 110 | // How many bytes in S8? 111 | // return __my_read_int(8); 112 | //} 113 | -------------------------------------------------------------------------------- /Results/plotter.py: -------------------------------------------------------------------------------- 1 | import subprocess as sp 2 | # import tkinter 3 | from matplotlib.pyplot import plot 4 | import csv 5 | 6 | 7 | cut_off = 500 # only for csv plotting 8 | repitition = 50 # trials 9 | max_path = 7 10 | 11 | command = "python fuzz_new_alternative.py ./test_wide.instr" 12 | c_list = command.split() 13 | # print(c_list) 14 | 15 | sum_data = [0] * cut_off 16 | for _ in range(repitition): 17 | histogram = sp.check_output(c_list + [' ']) 18 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 19 | data += [max_path] * (len(sum_data) - len(data)) 20 | for i in range(len(sum_data)): 21 | sum_data[i] += float(data[i]) 22 | # print(data) 23 | # print(sum_data) 24 | 25 | 26 | average_data1 = [] 27 | for i in sum_data: 28 | average_data1.append(i/repitition) 29 | 30 | # print(average_data) 31 | # plot(average_data) 32 | 33 | command = "python fuzz_new.py ./test_wide.instr" 34 | c_list = command.split() 35 | c_list.append(' ') 36 | # print(c_list) 37 | # print(sp.check_output(c_list + [' '])) 38 | 39 | sum_data = [0] * cut_off 40 | for _ in range(repitition): 41 | # print(c_list) 42 | histogram = sp.check_output(c_list) 43 | # print(histogram) 44 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 45 | data += [max_path] * (len(sum_data) - len(data)) 46 | for i in range(len(sum_data)): 47 | sum_data[i] += float(data[i]) 48 | # print(data) 49 | # print(sum_data) 50 | 51 | 52 | average_data2 = [] 53 | for i in sum_data: 54 | average_data2.append(i/repitition) 55 | 56 | # print(average_data2) 57 | # plot(average_data) 58 | # 59 | # average_data = [] 60 | # for i in sum_data: 61 | # average_data.append(i/10) 62 | 63 | # print(average_data) 64 | # # plot(average_data) 65 | 66 | command = "python fuzz_random.py ./test_wide.instr" 67 | c_list = command.split() 68 | c_list.append(' ') 69 | # print(c_list) 70 | # print(sp.check_output(c_list + [' '])) 71 | 72 | sum_data = [0] * cut_off 73 | for _ in range(repitition): 74 | # print(c_list) 75 | histogram = sp.check_output(c_list) 76 | # print(histogram) 77 | data = [line.split(b',')[1] for line in histogram.splitlines() if line] 78 | data += [max_path] * (len(sum_data) - len(data)) 79 | for i in range(len(sum_data)): 80 | sum_data[i] += float(data[i]) 81 | # print(data) 82 | # print(sum_data) 83 | 84 | 85 | average_data3 = [] 86 | for i in sum_data: 87 | average_data3.append(i/repitition) 88 | 89 | # print(average_data) 90 | # plot(average_data) 91 | 92 | 93 | with open('results.csv', 'wb') as csvfile: 94 | result_writer = csv.writer(csvfile, delimiter = ',', 95 | quotechar="|", quoting=csv.QUOTE_MINIMAL) 96 | result_writer.writerow(['Iteration', 'Equal', 'Different', 'Random']) 97 | for i in range(len(average_data1)): 98 | result_writer.writerow( 99 | [i+1, average_data1[i], average_data2[i], average_data3[i]]) 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | -------------------------------------------------------------------------------- /__VERIFIER32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void __VERIFIER_error() { 7 | exit(100); 8 | } 9 | 10 | _Bool __VERIFIER_nondet_bool() { 11 | _Bool x = 0; 12 | read(0, &x, sizeof(x)); 13 | printf(" %d\n", x); 14 | return x; 15 | } 16 | 17 | char __VERIFIER_nondet_char() { 18 | char x = 0; 19 | read(0, &x, 1); 20 | printf(" %d\n", x); 21 | return x; 22 | } 23 | 24 | unsigned char __VERIFIER_nondet_uchar() { 25 | unsigned char x = 0; 26 | read(0, &x, 1); 27 | printf(" %u\n", x); 28 | return x; 29 | } 30 | 31 | short __VERIFIER_nondet_short() { 32 | short x = 0; 33 | read(0, &x, 2); 34 | printf(" %hi\n", x); 35 | return x; 36 | } 37 | 38 | unsigned short __VERIFIER_nondet_ushort() { 39 | unsigned short x = 0; 40 | read(0, &x, 2); 41 | printf(" %hu\n", x); 42 | return x; 43 | } 44 | 45 | unsigned long __VERIFIER_nondet_unsigned_long() { 46 | unsigned long x = 0; 47 | read(0, &x, 8); 48 | printf(" %lu\n", x); 49 | return x; 50 | } 51 | 52 | void * __VERIFIER_nondet_pointer() { 53 | unsigned long x = 0; 54 | read(0, &x, 4); 55 | printf(" %lu\n", x); 56 | return (void *) x; 57 | } 58 | 59 | long __VERIFIER_nondet_long() { 60 | long x = 0; 61 | read(0, &x, 8); 62 | printf(" %li\n", x); 63 | return x; 64 | } 65 | 66 | unsigned int __VERIFIER_nondet_uint() { 67 | unsigned int x = 0; 68 | read(0, &x, 4); 69 | printf(" %u\n", x); 70 | return x; 71 | } 72 | 73 | int __VERIFIER_nondet_int() { 74 | int x = 0; 75 | read(0, &x, 4); 76 | printf(" %d\n", x); 77 | return x; 78 | } 79 | 80 | unsigned __VERIFIER_nondet_unsigned() { 81 | unsigned x = 0; 82 | read(0, &x, 4); 83 | printf(" %d\n", x); 84 | return x; 85 | } 86 | 87 | unsigned long __VERIFIER_nondet_ulong() { 88 | unsigned long x = 0; 89 | read(0, &x, 8); 90 | printf(" %lu\n", x); 91 | return x; 92 | } 93 | 94 | float __VERIFIER_nondet_float() { 95 | float x = 0.0; 96 | read(0, &x, 4); 97 | printf(" %f\n", x); 98 | return x; 99 | } 100 | 101 | double __VERIFIER_nondet_double() { 102 | double x = 0.0; 103 | read(0, &x, 8); 104 | printf(" %lf\n", x); 105 | return x; 106 | } 107 | 108 | 109 | // int __VERIFIER_nondet_const_char_pointer() { 110 | 111 | // } 112 | 113 | //int __VERIFIER_nondet_S8() { 114 | // How many bytes in S8? 115 | // return __my_read_int(8); 116 | //} 117 | -------------------------------------------------------------------------------- /__VERIFIER.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void __VERIFIER_error() { 7 | exit(100); 8 | } 9 | 10 | _Bool __VERIFIER_nondet_bool() { 11 | _Bool x = 0; 12 | read(0, &x, sizeof(x)); 13 | printf(" %d\n", x); 14 | return x; 15 | } 16 | 17 | char __VERIFIER_nondet_char() { 18 | char x = 0; 19 | read(0, &x, sizeof(x)); 20 | printf(" %d\n", x); 21 | return x; 22 | } 23 | 24 | unsigned char __VERIFIER_nondet_uchar() { 25 | unsigned char x = 0; 26 | read(0, &x, sizeof(x)); 27 | printf(" %u\n", x); 28 | return x; 29 | } 30 | 31 | short __VERIFIER_nondet_short() { 32 | short x = 0; 33 | read(0, &x, sizeof(x)); 34 | printf(" %hi\n", x); 35 | return x; 36 | } 37 | 38 | unsigned short __VERIFIER_nondet_ushort() { 39 | unsigned short x = 0; 40 | read(0, &x, sizeof(x)); 41 | printf(" %hu\n", x); 42 | return x; 43 | } 44 | 45 | unsigned long __VERIFIER_nondet_unsigned_long() { 46 | unsigned long x = 0; 47 | read(0, &x, sizeof(x)); 48 | printf(" %lu\n", x); 49 | return x; 50 | } 51 | 52 | void * __VERIFIER_nondet_pointer() { 53 | unsigned long x = 0; 54 | read(0, &x, sizeof(x)); 55 | printf(" %lu\n", x); 56 | return (void *) x; 57 | } 58 | 59 | long __VERIFIER_nondet_long() { 60 | long x = 0; 61 | read(0, &x, sizeof(x)); 62 | printf(" %li\n", x); 63 | return x; 64 | } 65 | 66 | unsigned int __VERIFIER_nondet_uint() { 67 | unsigned int x = 0; 68 | read(0, &x, sizeof(x)); 69 | printf(" %u\n", x); 70 | return x; 71 | } 72 | 73 | int __VERIFIER_nondet_int() { 74 | int x = 0; 75 | read(0, &x, sizeof(x)); 76 | printf(" %d\n", x); 77 | return x; 78 | } 79 | 80 | unsigned __VERIFIER_nondet_unsigned() { 81 | unsigned x = 0; 82 | read(0, &x, sizeof(x)); 83 | printf(" %d\n", x); 84 | return x; 85 | } 86 | 87 | unsigned long __VERIFIER_nondet_ulong() { 88 | unsigned long x = 0; 89 | read(0, &x, sizeof(x)); 90 | printf(" %lu\n", x); 91 | return x; 92 | } 93 | 94 | float __VERIFIER_nondet_float() { 95 | float x = 0.0; 96 | read(0, &x, sizeof(x)); 97 | printf(" %f\n", x); 98 | return x; 99 | } 100 | 101 | double __VERIFIER_nondet_double() { 102 | double x = 0.0; 103 | read(0, &x, sizeof(x)); 104 | printf(" %lf\n", x); 105 | return x; 106 | } 107 | 108 | 109 | // int __VERIFIER_nondet_const_char_pointer() { 110 | 111 | // } 112 | 113 | //int __VERIFIER_nondet_S8() { 114 | // How many bytes in S8? 115 | // return __my_read_int(8); 116 | //} 117 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/test_instrumentation.py: -------------------------------------------------------------------------------- 1 | import pdb 2 | import struct 3 | import subprocess 4 | import sys 5 | 6 | import angr 7 | 8 | INSTR_BINARY = sys.argv[1] 9 | ORIGN_BINARY = sys.argv[2] 10 | INPUT_STR = str.encode(''.join(sys.argv[3:])) 11 | 12 | 13 | # TraceJump 14 | def program(in_str): 15 | return tuple(traced_with_input(in_str)) 16 | 17 | 18 | def unpack(output): 19 | assert (len(output) % 8 == 0) 20 | 21 | addrs = [] 22 | for i in range(int(len(output) / 8)): 23 | addr = struct.unpack_from('q', output, i * 8) # returns a tuple 24 | addrs.append(addr[0]) 25 | return addrs 26 | 27 | 28 | def traced_with_input(in_str): 29 | p = subprocess.Popen(INSTR_BINARY, stdin=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) 30 | if type(in_str) is not bytes: 31 | pdb.set_trace() 32 | (output, error) = p.communicate(in_str) 33 | addrs = unpack(error) 34 | 35 | return addrs 36 | 37 | 38 | # Angr 39 | def angr_addr(binary): 40 | proj = angr.Project(binary) 41 | entry = proj.factory.entry_state() 42 | entry.preconstrainer.preconstrain_file(INPUT_STR, entry.posix.stdin, True) 43 | simgr = proj.factory.simulation_manager(entry, save_unsat=True) 44 | addrs = [] 45 | while simgr.active: 46 | addrs.append(simgr.active[0].addr) 47 | simgr.step() 48 | return addrs 49 | 50 | 51 | def test_angr(binary, traces): 52 | proj = angr.Project(binary) 53 | entry = proj.factory.entry_state() 54 | simgr = proj.factory.simulation_manager(entry, save_unsat=True) 55 | addrs = [traces[0]] 56 | 57 | while simgr.active: 58 | keep = [state for state in simgr.active if state.addr in traces] 59 | keep.sort(key=lambda state: traces.index(state.addr)) 60 | if keep: 61 | state = keep[0] 62 | pos = traces.index(state.addr) 63 | if len(simgr.active) > 1: 64 | addrs.append(state.addr) 65 | simgr.drop(lambda s: s != state) 66 | traces = traces[pos + 1:] 67 | 68 | assert len(simgr.active) == 1 69 | simgr.step() 70 | 71 | return addrs 72 | 73 | 74 | if __name__ == '__main__': 75 | tj_addrs = program(INPUT_STR) 76 | print("TCJP", [hex(addr) for addr in tj_addrs]) 77 | ar_addrs = angr_addr(INSTR_BINARY) 78 | print("Angr", [hex(addr) for addr in ar_addrs]) 79 | assert (all([addr in ar_addrs for addr in tj_addrs])) 80 | # print("Angr", [hex(addr) for addr in angr_addr(ORIGN_BINARY)]) 81 | print("Both", [hex(addr) for addr in test_angr(INSTR_BINARY, tj_addrs)]) 82 | 83 | # TCJP ['0x400889', '0x400557', '0x4005b3', '0x400608', '0x40062f', '0x400866', '0x400927'] 84 | # Angr ['0x400470', '0x1021ab0', '0x400980', '0x400428', '0x40043a', '0x4009b1', '0x4009b6', '0x400550', '0x4004e0', '0x400518', '0x4009cd', '0x4009d6', '0x4000040', 85 | # '0x400889', '0x40094a', '0x5000147', '0x400978', '0x40089c', '0x400460', '0x1110070', '0x4008de', 86 | # '0x400557', '0x40094a', '0x5000147', '0x400978', '0x40056a', 87 | # '0x4005b3', '0x40094a', '0x5000147', '0x400978', '0x4005c6', 88 | # '0x400608', '0x40094a', '0x5000147', '0x400978', '0x40061b', 89 | # '0x40062f', '0x40094a', '0x5000147', '0x400978', '0x400642', 90 | # '0x400866', '0x40094a', '0x5000147', '0x400978', '0x400879', '0x4008ec', 91 | # '0x400927', '0x40094a', '0x5000147', '0x400978', '0x40093a', '0x4000048', '0x4000048'] 92 | -------------------------------------------------------------------------------- /legion.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | **.xml 17 | 18 | 19 | ../sv-benchmarks/c/properties/coverage-error-call.prp 20 | 21 | 22 | 23 | ../sv-benchmarks/c/properties/coverage-branches.prp 24 | 26 | 27 | 28 | ../sv-benchmarks/c/ReachSafety-Arrays.set 29 | 31 | 32 | ../sv-benchmarks/c/ReachSafety-BitVectors.set 33 | 35 | 36 | ../sv-benchmarks/c/ReachSafety-ControlFlow.set 37 | 39 | 40 | ../sv-benchmarks/c/ReachSafety-ECA.set 41 | 43 | 44 | ../sv-benchmarks/c/ReachSafety-Floats.set 45 | 47 | 48 | ../sv-benchmarks/c/ReachSafety-Heap.set 49 | 51 | 52 | ../sv-benchmarks/c/ReachSafety-Loops.set 53 | 55 | 56 | ../sv-benchmarks/c/ReachSafety-Recursive.set 57 | 59 | 60 | ../sv-benchmarks/c/ReachSafety-Sequentialized.set 61 | 63 | 64 | 65 | ../sv-benchmarks/c/SoftwareSystems-BusyBox-MemSafety.set 66 | 68 | 69 | ../sv-benchmarks/c/SoftwareSystems-DeviceDriversLinux64-ReachSafety.set 70 | 72 | 73 | ../sv-benchmarks/c/SoftwareSystems-SQLite-MemSafety.set 74 | 76 | 77 | ../sv-benchmarks/c/Termination-MainHeap.set 78 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/TraceJump.trace: -------------------------------------------------------------------------------- 1 | '0x400be9', '0x400b4d', '0x400b9c', 2 | '0x400b77', '0x400b9c', 3 | '0x400b77', '0x400b9c', 4 | '0x400b77', '0x400b9c', 5 | '0x400b77', '0x400b9c', 6 | '0x400b77', '0x400b9c', 7 | '0x400b77', '0x400b9c', 8 | '0x400b77', '0x400b9c', 9 | '0x400b77', '0x400b9c', 10 | '0x400b77', '0x400b9c', 11 | '0x400b77', '0x400b9c', 12 | '0x400b77', '0x400b9c', 13 | '0x400b77', '0x400b9c', 14 | '0x400b77', '0x400b9c', 15 | '0x400b77', '0x400b9c', 16 | '0x400b77', '0x400b9c', 17 | '0x400b77', '0x400b9c', 18 | '0x400b77', '0x400b9c', 19 | '0x400b77', '0x400b9c', 20 | '0x400b77', '0x400b9c', 21 | '0x400b77', '0x400b9c', 22 | '0x400b77', '0x400b9c', 23 | '0x400b77', '0x400b9c', 24 | '0x400b77', '0x400b9c', 25 | '0x400b77', '0x400b9c', 26 | '0x400b77', '0x400b9c', 27 | '0x400b77', '0x400b9c', 28 | '0x400b77', '0x400b9c', 29 | '0x400b77', '0x400b9c', 30 | '0x400b77', '0x400b9c', 31 | '0x400b77', '0x400b9c', 32 | '0x400b77', '0x400b9c', 33 | '0x400b77', '0x400b9c', 34 | '0x400b77', '0x400b9c', 35 | '0x400b77', '0x400b9c', 36 | '0x400b77', '0x400b9c', 37 | '0x400b77', '0x400b9c', 38 | '0x400b77', '0x400b9c', 39 | '0x400b77', '0x400b9c', 40 | '0x400b77', '0x400b9c', 41 | '0x400b77', '0x400b9c', 42 | '0x400b77', '0x400b9c', 43 | '0x400b77', '0x400b9c', 44 | '0x400b77', '0x400b9c', 45 | '0x400b77', '0x400b9c', 46 | '0x400b77', '0x400b9c', 47 | '0x400b77', '0x400b9c', 48 | '0x400b77', '0x400b9c', 49 | '0x400b77', '0x400b9c', 50 | '0x400b77', '0x400b9c', 51 | '0x400b77', '0x400b9c', 52 | '0x400b77', '0x400b9c', 53 | '0x400b77', '0x400b9c', 54 | '0x400b77', '0x400b9c', 55 | '0x400b77', '0x400b9c', 56 | '0x400b77', '0x400b9c', 57 | '0x400b77', '0x400b9c', 58 | '0x400b77', '0x400b9c', 59 | '0x400b77', '0x400b9c', 60 | '0x400b77', '0x400b9c', 61 | '0x400b77', '0x400b9c', 62 | '0x400b77', '0x400b9c', 63 | '0x400b77', '0x400b9c', 64 | '0x400b77', '0x400b9c', 65 | '0x400b77', '0x400b9c', 66 | '0x400b77', '0x400b9c', 67 | '0x400b77', '0x400b9c', 68 | '0x400b77', '0x400b9c', 69 | '0x400b77', '0x400b9c', 70 | '0x400b77', '0x400b9c', 71 | '0x400b77', '0x400b9c', 72 | '0x400b77', '0x400b9c', 73 | '0x400b77', '0x400b9c', 74 | '0x400b77', '0x400b9c', 75 | '0x400b77', '0x400b9c', 76 | '0x400b77', '0x400b9c', 77 | '0x400b77', '0x400b9c', 78 | '0x400b77', '0x400b9c', 79 | '0x400b77', '0x400b9c', 80 | '0x400b77', '0x400b9c', 81 | '0x400b77', '0x400b9c', 82 | '0x400b77', '0x400b9c', 83 | '0x400b77', '0x400b9c', 84 | '0x400b77', '0x400b9c', 85 | '0x400b77', '0x400b9c', 86 | '0x400b77', '0x400b9c', 87 | '0x400b77', '0x400b9c', 88 | '0x400b77', '0x400b9c', 89 | '0x400b77', '0x400b9c', 90 | '0x400b77', '0x400b9c', 91 | '0x400b77', '0x400b9c', 92 | '0x400b77', '0x400b9c', 93 | '0x400b77', '0x400b9c', 94 | '0x400b77', '0x400b9c', 95 | '0x400b77', '0x400b9c', 96 | '0x400b77', '0x400b9c', 97 | '0x400b77', '0x400b9c', 98 | '0x400b77', '0x400b9c', 99 | '0x400b77', '0x400b9c', 100 | '0x400b77', '0x400b9c', 101 | '0x400b77', '0x400b9c', 102 | '0x400b77', '0x400b9c', 103 | '0x400b77', '0x400b9c', 104 | '0x400b77', '0x400b9c', 105 | '0x400b77', '0x400b9c', 106 | '0x400b77', '0x400b9c', 107 | '0x400b77', '0x400b9c', 108 | '0x400b77', '0x400b9c', 109 | '0x400b77', '0x400b9c', 110 | '0x400b77', '0x400b9c', 111 | '0x400b77', '0x400b9c', 112 | '0x400b77', '0x400b9c', 113 | '0x400b77', '0x400b9c', 114 | '0x400b77', '0x400b9c', 115 | '0x400b77', '0x400b9c', 116 | '0x400b77', '0x400b9c', '0x400bc3', '0x400c87' 117 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Legion 2 | 3 | A concolic (concrete-symbolic) execution tool assisted by the Monte Carlo tree search algorithm. 4 | 5 | Concolic (concrete-symbolic) testing is a natural combination to balance the complementary nature of fuzzing and symbolic execution and aim for the best of both worlds: 6 | * Fuzzing generates concrete inputs at a low cost, but cannot guarantee the coverage of deep execution paths; 7 | * Conversely, symbolic execution can compute inputs for all paths, despite being expensive and unscalable due to the path explosion problem. 8 | 9 | ## Challenge to solve 10 | During the recent years, a main open challenge that have ben studied in coverage-based concolic execution is an efficient program exploration strategy to determine when and where to apply which technique. 11 | 12 | ## Contribution 13 | ### Main contribution 14 | *Legion* formulates this challenge as a problem of sequential decision-making under uncertainty for the first time. It generalises conconlic execution strategies to the exploration-exploitation problem in machine learning and leverages the *Monte Carlo tree search (MCTS)* - a popular framework from AI literature to solve such problem by marrying search \& planning and statistical estimation. Specifically, through iterations of decision sequences, Legion resolves the trade-off between fuzzing and symbolic execution by balancing the considerations of program structure estimation and program exploration planning. This best-first strategy of MCTS provides a principled approach to determine which constraints to flip in pre-existing concolic testing systems. 15 | 16 | ### Second contribution 17 | Also, it proposes an *approximate path preserving fuzzing (APPFuzzing)* technique as an alternative to the widely used *American Fuzzing Lop (AFL)* to estimate program structure. 18 | 19 | ### Third contribution 20 | Moreover, while most existing fuzzing frameworks are designed for specific metrics, Legion adopts a modularised score function to avoid suffering from degraded performance on other metrics of interests. 21 | 22 | ## How to run 23 | 24 | ### Dependencies 25 | 26 | Legion relies on Approximate-path-preserving fuzzing, which is implemented within the following two `pip3` pacakges: 27 | 28 | [Our fork of claripy](https://github.com/Alan32Liu/claripy) 29 | 30 | [Our fork of angr](https://github.com/Alan32Liu/angr) 31 | 32 | Note that `claripy` should be installed before `angr` to avoid conflicts. 33 | 34 | 35 | ### Command 36 | 37 | ```shell 38 | python3 Legion.py 39 | ```` 40 | 41 | #### Hyper-parameters & Optional flags 42 | 43 | 1. Tree depth, e.g. `--tree-depth-limit 100`; 44 | 2. Exploration factor (rho), e.g. `--rho 0.0025`; 45 | 3. Number of cores, e.g. `--core 1`; 46 | 4. Symbolic execution timeout (in seconds, 0 means no limitation), e.g. `--symex-timeout 0`; 47 | 5. Concrete execution timeout (in seconds, 0 means no limitation), e.g. `--conex-timeout 0`; 48 | 6. Minimum number of simulations in each iteration, e.g. `--min-samples`; 49 | 6. Keep running after finding bugs, `--coverage-only`; 50 | 7. Keep running after the tree is fully explored (in case of symbolic execution error, such as eager concretisation), e.g. `--persistent`; 51 | 8. Score function, e.g. `--score=uct` 52 | 53 | 54 | ## Collaborators 55 | 56 | ### Designers & Developers 57 | 58 | [Dongge Liu](https://github.com/Alan32Liu) 59 | 60 | [Gidon Ernst](https://github.com/gernst) 61 | 62 | [Toby Murray](https://github.com/tobycmurray) 63 | 64 | [Benjamin Rubinstein](https://github.com/brubinstein) 65 | 66 | -------------------------------------------------------------------------------- /TestComp2020-ASE2020.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 16 | 17 | 18 | 19 | 20 | **/**.xml 21 | 22 | 23 | ../sv-benchmarks/c/properties/coverage-error-call.prp 24 | 25 | 26 | 27 | ../sv-benchmarks/c/properties/coverage-branches.prp 28 | 30 | 31 | 32 | ../sv-benchmarks/c/ReachSafety-Arrays.set 33 | 35 | 36 | ../sv-benchmarks/c/ReachSafety-BitVectors.set 37 | 39 | 40 | ../sv-benchmarks/c/ReachSafety-ControlFlow.set 41 | 43 | 44 | ../sv-benchmarks/c/ReachSafety-ECA.set 45 | 47 | 48 | ../sv-benchmarks/c/ReachSafety-Floats.set 49 | 51 | 52 | ../sv-benchmarks/c/ReachSafety-Heap.set 53 | 55 | 56 | ../sv-benchmarks/c/ReachSafety-Loops.set 57 | 59 | 60 | ../sv-benchmarks/c/ReachSafety-Recursive.set 61 | 63 | 64 | ../sv-benchmarks/c/ReachSafety-Sequentialized.set 65 | 67 | 68 | 69 | ../sv-benchmarks/c/SoftwareSystems-BusyBox-MemSafety.set 70 | 72 | 73 | 74 | ../sv-benchmarks/c/SoftwareSystems-DeviceDriversLinux64-ReachSafety.set 75 | 77 | 78 | 79 | ../sv-benchmarks/c/SoftwareSystems-SQLite-MemSafety.set 80 | 82 | 83 | 84 | ../sv-benchmarks/c/Termination-MainHeap.set 85 | 87 | 88 | 89 | 90 | -------------------------------------------------------------------------------- /tbf.xml.template: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | **output/** 8 | 9 | 12 | 13 | 14 | 15 | test/results/legion.RUNDATE.files/${rundefinition_name}.${taskdef_name}/test-suite.zip 16 | 17 | ../sv-benchmarks/c/properties/coverage-error-call.prp 18 | 19 | 20 | 21 | test/results/legion.RUNDATE.files/${rundefinition_name}.${taskdef_name}/test-suite.zip 22 | 23 | ../sv-benchmarks/c/properties/coverage-branches.prp 24 | 25 | 26 | 27 | 28 | ../sv-benchmarks/c/ReachSafety-Arrays.set 29 | 30 | 31 | ../sv-benchmarks/c/ReachSafety-BitVectors.set 32 | 33 | 34 | ../sv-benchmarks/c/ReachSafety-ControlFlow.set 35 | 36 | 37 | ../sv-benchmarks/c/ReachSafety-ECA.set 38 | 39 | 40 | ../sv-benchmarks/c/ReachSafety-Floats.set 41 | 42 | 43 | ../sv-benchmarks/c/ReachSafety-Heap.set 44 | 45 | 46 | ../sv-benchmarks/c/ReachSafety-Loops.set 47 | 48 | 49 | ../sv-benchmarks/c/ReachSafety-Recursive.set 50 | 51 | 52 | ../sv-benchmarks/c/ReachSafety-Sequentialized.set 53 | 54 | 55 | 73 | 74 | 75 | 76 | .INFO:root:Accumulated coverage: 77 | Number of goals 78 | 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/tracejump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # See AFL: afl-as.c 4 | # http://lcamtuf.coredump.cx/afl/technical_details.txt 5 | 6 | import sys 7 | 8 | code_sections = [ 9 | '\t.text\n', 10 | '\t.section\t.text', 11 | '\t.section\t__TEXT,__text', 12 | '\t.section __TEXT,__text' 13 | ] 14 | 15 | data_sections = [ 16 | '\t.section', 17 | '\t.', 18 | '\t.', 19 | '\t.' 20 | ] 21 | 22 | is64 = True 23 | 24 | # registers used by __trace_jump 25 | # rax, rdi, rsi, rdx 26 | 27 | # registers used by write 28 | # rcx, r11 29 | 30 | 31 | def trace_jump(output): 32 | assert is64 33 | 34 | # output.write('.align 4\n') 35 | output.write('\tsub $128,%rsp\n') 36 | output.write('\tpush %rax\n') 37 | output.write('\tpush %rdi\n') 38 | output.write('\tpush %rsi\n') 39 | output.write('\tpush %rdx\n') 40 | output.write('\tpush %rcx\n') 41 | output.write('\tpush %r11\n') 42 | output.write('\tcall\t__trace_jump\n') 43 | output.write('\tpop %r11\n') 44 | output.write('\tpop %rcx\n') 45 | output.write('\tpop %rdx\n') 46 | output.write('\tpop %rsi\n') 47 | output.write('\tpop %rdi\n') 48 | output.write('\tpop %rax\n') 49 | output.write('\tadd $128,%rsp\n') 50 | 51 | 52 | # see afl-as.c add_instrumentation 53 | def instrument(): 54 | global data_sections, is64 55 | 56 | ins_lines = 0 57 | instr_ok = False 58 | skip_csect = False 59 | skip_next_label = False 60 | skip_intel = False 61 | skip_app = False 62 | instrument_next = False 63 | 64 | for line in asm_file: 65 | if not skip_intel and not skip_app and not skip_csect and instr_ok and instrument_next and line[0] == '\t' and str.isalpha(line[1]): 66 | trace_jump(ins_file) 67 | ins_lines += 1 68 | instrument_next = False 69 | 70 | ins_file.write(line) 71 | 72 | if line[0] == '\t' and line[1] == '.': 73 | if line == '\t.text\n' or line.startswith('\t.section\t.text') or line.startswith('\t.section\t__TEXT,__text') or line.startswith('\t.section __TEXT,__text'): 74 | instr_ok = True 75 | continue 76 | 77 | if line == '\t.bss\n' or line == '\t.data\n' or line.startswith('\t.section\t') or line.startswith('\t.section '): 78 | instr_ok = False 79 | continue 80 | 81 | if '.code' in line: 82 | if '.code32' in line: 83 | is64 = False 84 | if '.code64' in line: 85 | is64 = True 86 | 87 | if '.intel_syntax' in line: 88 | skip_intel = True 89 | if '.att_syntax' in line: 90 | skip_intel = False 91 | 92 | if line.startswith('##'): 93 | if '#APP' in line: 94 | skip_app = True 95 | if '#NO_APP' in line: 96 | skip_app = False 97 | 98 | if skip_intel or skip_app or skip_csect or not instr_ok or line[0] == '#' or line[0] == ' ': 99 | continue 100 | 101 | if line[0] == '\t': 102 | if line[1] == 'j' and line[2] != 'm': 103 | trace_jump(ins_file) 104 | ins_lines += 1 105 | continue 106 | 107 | if line[0] == '.' and ':' in line: 108 | if str.isdigit(line[2]): 109 | if not skip_next_label: 110 | instrument_next = True 111 | else: 112 | skip_next_label = False 113 | else: 114 | instrument_next = True 115 | 116 | return ins_lines 117 | 118 | 119 | if __name__ == "__main__" and len(sys.argv) > 2: 120 | asm_file = open(sys.argv[1], 'r') 121 | ins_file = open(sys.argv[2], 'w') 122 | print('instrumented {} lines'.format(instrument())) 123 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # VSCode 2 | **/.vscode 3 | 4 | # results 5 | **/*.xlsx 6 | **/*.csv 7 | 8 | # Byte-compiled / optimized / DLL files 9 | __pycache__/ 10 | *.py[cod] 11 | *$py.class 12 | 13 | # C extensions 14 | *.so 15 | *.o 16 | 17 | # Distribution / packaging 18 | .Python 19 | build/ 20 | develop-eggs/ 21 | dist/ 22 | downloads/ 23 | eggs/ 24 | .eggs/ 25 | lib/ 26 | lib64/ 27 | parts/ 28 | sdist/ 29 | var/ 30 | wheels/ 31 | *.egg-info/ 32 | .installed.cfg 33 | *.egg 34 | MANIFEST 35 | 36 | # PyInstaller 37 | # Usually these files are written by a python script from a template 38 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 39 | *.manifest 40 | *.spec 41 | 42 | # Installer logs 43 | pip-log.txt 44 | pip-delete-this-directory.txt 45 | 46 | # Unit test / coverage reports 47 | htmlcov/ 48 | .tox/ 49 | .coverage 50 | .coverage.* 51 | .cache 52 | nosetests.xml 53 | coverage.xml 54 | *.cover 55 | .hypothesis/ 56 | .pytest_cache/ 57 | 58 | # Translations 59 | *.mo 60 | *.pot 61 | 62 | # Django stuff: 63 | *.log 64 | local_settings.py 65 | db.sqlite3 66 | 67 | # Flask stuff: 68 | instance/ 69 | .webassets-cache 70 | 71 | # Scrapy stuff: 72 | .scrapy 73 | 74 | # Sphinx documentation 75 | docs/_build/ 76 | 77 | # PyBuilder 78 | target/ 79 | 80 | # Jupyter Notebook 81 | .ipynb_checkpoints 82 | 83 | # pyenv 84 | .python-version 85 | 86 | # celery beat schedule file 87 | celerybeat-schedule 88 | 89 | # SageMath parsed files 90 | *.sage.py 91 | 92 | # Environments 93 | .env 94 | .venv 95 | env/ 96 | **/venv/ 97 | ENV/ 98 | env.bak/ 99 | venv.bak/ 100 | 101 | # Spyder project settings 102 | .spyderproject 103 | .spyproject 104 | 105 | # Rope project settings 106 | .ropeproject 107 | 108 | # mkdocs documentation 109 | /site 110 | 111 | # mypy 112 | .mypy_cache/ 113 | 114 | # pyc 115 | **/*.pyc 116 | /venv/ 117 | **/*.idea 118 | 119 | 120 | # Ignore input files 121 | **/inputs/ 122 | 123 | # Ignore test cases 124 | **/tests/ 125 | 126 | # Ignore instrumented binaries 127 | **/instrs/ 128 | 129 | # Proof of error 130 | PoE/ 131 | 132 | # Ignore environment 133 | venv/ 134 | 135 | # helpers 136 | coverage_plotter.py 137 | ProgramUnderTest 138 | Results 139 | trace 140 | #Baselines 141 | 142 | # temps 143 | **/*.swp 144 | 145 | # Tests 146 | Testing/**/*[!c] 147 | # !*/ANGRTests/test_2.c 148 | # !*/Testing/ANGTesting/*.c 149 | 150 | ## MacOS 151 | **/.DS_Store 152 | 153 | # Experiments 154 | Legion-status.py 155 | Legion-exp.py 156 | 157 | #Testings 158 | Testing/ANGRTests/test_2 159 | Testing/ANGRTests/test_2.c 160 | Testing/ANGRTests/test_2.instr 161 | Testing/ANGRTests/test_2.instr.s 162 | Testing/ANGRTests/test_2.s 163 | Testing/ANGRTests/test_2NM 164 | Testing/ANGRTests/test_2NM.c 165 | Testing/ANGRTests/test_N 166 | Testing/ANGRTests/test_N.instr 167 | Testing/ANGRTests/test_N.instr.s 168 | Testing/ANGRTests/test_N.s 169 | Testing/ANGRTests/test_NI 170 | Testing/ANGRTests/test_NI.c 171 | Testing/ANGRTests/test_NI.instr 172 | Testing/ANGRTests/test_NI.instr.s 173 | Testing/ANGRTests/test_NI.s 174 | Testing/ANGRTests/test_NM 175 | Testing/ANGRTests/test_NM.c 176 | Testing/ANGRTests/test_NMO 177 | Testing/ANGRTests/test_NMO.c 178 | Testing/ANGRTests/test_NMO.instr 179 | Testing/ANGRTests/test_NMO.instr.s 180 | Testing/ANGRTests/test_NMO.s 181 | Testing/ANGRTests/test_assume_trap.c 182 | Testing/ANGRTests/test_assume_trap.instr 183 | Testing/ANGRTests/test_assume_typeerror.c 184 | Testing/TraceJumpTests/test_2.c 185 | Testing/TraceJumpTests/test_2.instr 186 | Testing/TraceJumpTests/test_2.instr.s 187 | Testing/TraceJumpTests/test_2.s 188 | Testing/TraceJumpTests/test_N 189 | Testing/TraceJumpTests/test_N.instr 190 | Testing/TraceJumpTests/test_N.instr.s 191 | Testing/TraceJumpTests/test_N.s 192 | Testing/TraceJumpTests/test_assume.c 193 | Testing/TraceJumpTests/test_assume.instr 194 | Testing/TraceJumpTests/test_goto.c 195 | Testing/TraceJumpTests/test_goto.instr 196 | Testing/TraceJumpTests/test_if.instr 197 | Testing/TraceJumpTests/test_if.instr.s 198 | Testing/TraceJumpTests/test_if.s 199 | Testing/TraceJumpTests/test_while.instr 200 | Testing/TraceJumpTests/test_while.instr.s 201 | Testing/TraceJumpTests/test_while.s 202 | 203 | # Intermediate files 204 | __VERIFIER.s 205 | __VERIFIER_assume.s 206 | binary 207 | binary.instr.s 208 | binary.s 209 | __VERIFIER_assume.instr.s 210 | binary.instr 211 | binary.instr.instr.s 212 | 213 | # Results 214 | past-scoes.ods 215 | statistics/ 216 | test/results 217 | -------------------------------------------------------------------------------- /tracejump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | # See AFL: afl-as.c 4 | # http://lcamtuf.coredump.cx/afl/technical_details.txt 5 | 6 | import sys 7 | 8 | # import pdb 9 | 10 | 11 | # registers used by __trace_jump 12 | # rax, rdi, rsi, rdx 13 | 14 | # registers used by write 15 | # rcx, r11 16 | 17 | 18 | NUM_SET = 0 19 | NUM_TRACED = 0 20 | JUMP_TARGETS = set() 21 | 22 | 23 | def set_jump(output): 24 | global NUM_SET 25 | NUM_SET += 1 26 | 27 | output.append('\tsub $128,%rsp\n') 28 | output.append('\tpush %rax\n') 29 | output.append('\tcall\t__trace_jump_set\n') 30 | output.append('\tpop %rax\n') 31 | output.append('\tadd $128,%rsp\n') 32 | 33 | 34 | def trace_jump(output): 35 | global NUM_TRACED 36 | NUM_TRACED += 1 37 | 38 | output.append('\tsub $128,%rsp\n') 39 | output.append('\tpush %rax\n') 40 | output.append('\tpush %rdi\n') 41 | output.append('\tpush %rsi\n') 42 | output.append('\tpush %rdx\n') 43 | output.append('\tpush %rcx\n') 44 | output.append('\tpush %r11\n') 45 | output.append('\tcall\t__trace_jump\n') 46 | output.append('\tpop %r11\n') 47 | output.append('\tpop %rcx\n') 48 | output.append('\tpop %rdx\n') 49 | output.append('\tpop %rsi\n') 50 | output.append('\tpop %rdi\n') 51 | output.append('\tpop %rax\n') 52 | output.append('\tadd $128,%rsp\n') 53 | 54 | 55 | def collect_jump_targets(asm_file): 56 | 57 | # def prepare_for_jump(inst): 58 | # # TODO: An alternative way to solve the other TODO 59 | # if instruction[0] != "\t": 60 | # return False 61 | # if inst[1:4] == "cmp": 62 | # return True 63 | # if inst[1:5] == "test": 64 | # return True 65 | # if inst[1:4] == "xor": 66 | # return True 67 | # return False 68 | 69 | entry_label = False 70 | compare_set = False 71 | file = [] 72 | 73 | lines = asm_file.readlines() 74 | 75 | for i in range(len(lines)): 76 | line = lines[i] 77 | instruction = line[:-1] 78 | if entry_label: 79 | # Case 0: TraceJump the beginning of Main() 80 | JUMP_TARGETS.add(instruction[:-1]) 81 | entry_label = False 82 | 83 | # The Entry 84 | if instruction == "main:": 85 | # instrument the beginning of Main() 86 | entry_label = True 87 | 88 | # If the next instruction is a conditional jump 89 | # TraceJumpSet before the current one: 90 | # TODO: Here it assumes the flag users (je, js, etc.) will always be 91 | # adjacent to the flag setters (cmp, test, etc.) 92 | # This is invalid under some optimisations (e.g. -O0, -O2, -O3) 93 | # But happen to work under -O1 for unknown reasons 94 | if (i + 1) < len(lines): 95 | next_instruction = lines[i + 1] 96 | if next_instruction.startswith("\t"): 97 | if (next_instruction[1] == "j") and ( 98 | next_instruction[2] != "m"): 99 | set_jump(file) 100 | compare_set = True 101 | 102 | file.append(line) 103 | 104 | # Check each instructions: 105 | if instruction.startswith("\t"): 106 | 107 | if (instruction[1] == "j") and (instruction[2] != "m"): 108 | assert compare_set 109 | compare_set = False 110 | # Case 1: TraceJump after a label of conditional jump 111 | JUMP_TARGETS.add(instruction.split("\t")[2]) 112 | # Case 2: TraceJump after conditional jump 113 | trace_jump(file) 114 | return file 115 | 116 | 117 | def instrument_jump_targets(intermediate): 118 | file = [] 119 | for line in intermediate: 120 | file.append(line) 121 | instruction = line[:-2] 122 | if instruction in JUMP_TARGETS: 123 | trace_jump(file) 124 | 125 | return file 126 | 127 | 128 | def instrument(): 129 | asm_file = open(asm, 'rt') 130 | ins_file = open(ins, 'wt') 131 | inter = collect_jump_targets(asm_file) 132 | final = instrument_jump_targets(intermediate=inter) 133 | ins_file.writelines(final) 134 | 135 | 136 | if __name__ == "__main__" and len(sys.argv) > 2: 137 | asm = sys.argv[1] 138 | ins = sys.argv[2] 139 | instrument() 140 | print('SetJump {} lines'.format(NUM_SET)) 141 | print('TraceJump {} lines'.format(NUM_TRACED)) 142 | -------------------------------------------------------------------------------- /trace-as: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import sys 4 | import os 5 | import subprocess 6 | 7 | JUMP_TARGETS = set() 8 | 9 | 10 | def set_jump(output): 11 | output.append('\tsub $128,%rsp\n') 12 | output.append('\tpush %rax\n') 13 | output.append('\tcall\t__trace_jump_set\n') 14 | output.append('\tpop %rax\n') 15 | output.append('\tadd $128,%rsp\n') 16 | 17 | 18 | def trace_jump(output): 19 | output.append('\tsub $128,%rsp\n') 20 | output.append('\tpush %rax\n') 21 | output.append('\tpush %rdi\n') 22 | output.append('\tpush %rsi\n') 23 | output.append('\tpush %rdx\n') 24 | output.append('\tpush %rcx\n') 25 | output.append('\tpush %r11\n') 26 | output.append('\tcall\t__trace_jump\n') 27 | output.append('\tpop %r11\n') 28 | output.append('\tpop %rcx\n') 29 | output.append('\tpop %rdx\n') 30 | output.append('\tpop %rsi\n') 31 | output.append('\tpop %rdi\n') 32 | output.append('\tpop %rax\n') 33 | output.append('\tadd $128,%rsp\n') 34 | 35 | 36 | def collect_jump_targets(asm_file): 37 | entry_label = False 38 | compare_set = False 39 | file = [] 40 | 41 | lines = asm_file.readlines() 42 | 43 | for i in range(len(lines)): 44 | line = lines[i] 45 | instruction = line[:-1] 46 | if entry_label: 47 | # Case 0: TraceJump the beginning of Main() 48 | JUMP_TARGETS.add(instruction[:-1]) 49 | entry_label = False 50 | 51 | # The Entry 52 | if instruction == "main:": 53 | # instrument the beginning of Main() 54 | entry_label = True 55 | 56 | # If the next instruction is a conditional jump 57 | # TraceJumpSet before the current one: 58 | if (i + 1) < len(lines): 59 | next_instruction = lines[i + 1] 60 | if next_instruction.startswith("\t"): 61 | if (next_instruction[1] == "j") and ( 62 | next_instruction[2] != "m"): 63 | set_jump(file) 64 | compare_set = True 65 | 66 | file.append(line) 67 | 68 | # Check each instructions: 69 | if instruction.startswith("\t"): 70 | 71 | if (instruction[1] == "j") and (instruction[2] != "m"): 72 | assert compare_set 73 | compare_set = False 74 | # Case 1: TraceJump after a label of conditional jump 75 | JUMP_TARGETS.add(instruction.split("\t")[2]) 76 | # Case 2: TraceJump after conditional jump 77 | trace_jump(file) 78 | return file 79 | 80 | 81 | def instrument_jump_targets(intermediate): 82 | file = [] 83 | for line in intermediate: 84 | file.append(line) 85 | instruction = line[:-2] 86 | if instruction in JUMP_TARGETS: 87 | trace_jump(file) 88 | 89 | return file 90 | 91 | 92 | def instrument(asm, ins): 93 | asm_file = open(asm, 'rt') 94 | ins_file = open(ins, 'wt') 95 | inter = collect_jump_targets(asm_file) 96 | final = instrument_jump_targets(intermediate=inter) 97 | ins_file.writelines(final) 98 | 99 | 100 | if __name__ == "__main__": 101 | args = sys.argv 102 | env = os.environ 103 | use64 = True 104 | doit = False 105 | 106 | # determine location for temporary files 107 | if 'TMPDIR' in env: 108 | tmp = env['TMPDIR'] 109 | elif 'TEMP' in env: 110 | tmp = env['TEMP'] 111 | elif 'TMP' in env: 112 | tmp = env['TMP'] 113 | else: 114 | tmp = '/tmp' 115 | 116 | # determine which assembler to use next 117 | if 'TRACE_AS' in env: 118 | as_bin = env['TRACE_AS'] 119 | else: 120 | as_bin = 'as' 121 | 122 | cmd = list() 123 | cmd.append(as_bin) 124 | 125 | # loop through all arguments, except last one (file name) 126 | for arg in args[1:-1]: 127 | if arg == '--64': 128 | use64 = True 129 | elif arg == '--32': 130 | use64 = False 131 | cmd.append(arg) 132 | 133 | obj = args[-1] 134 | instr = None 135 | if obj == '-version': 136 | cmd.append(obj) 137 | elif len(args) > 1: 138 | instr = "{}/traced-{}".format(tmp, os.path.basename(obj)) 139 | cmd.append(instr) 140 | doit = True 141 | 142 | # instrument the assembly file 143 | if doit: 144 | assert instr 145 | instrument(obj, instr) 146 | 147 | # run the actual assembler program 148 | assert use64 149 | code = subprocess.call(cmd) 150 | 151 | # cleanup 152 | os.remove(instr) 153 | sys.exit(code) 154 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/fuzz.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import random 3 | from math import sqrt, log 4 | 5 | import subprocess32, struct 6 | 7 | U = 0.5 8 | C = sqrt(2) 9 | 10 | samples = 10 11 | max_rounds = 100 12 | 13 | total = 0 14 | max_iterations = 10 15 | 16 | 17 | class Node(): 18 | 19 | def __init__(self, path): 20 | assert(path) 21 | 22 | self.addr = path[-1] 23 | self.path = path 24 | self.children = {} 25 | self.distinct = 1 26 | self.visited = 1 27 | 28 | def update(self, distinct, visited): 29 | self.distinct += distinct 30 | self.visited += visited 31 | 32 | def insert(self, suffix): 33 | if suffix: 34 | pos = suffix[0] 35 | rest = suffix[1:] 36 | 37 | if not pos in self.children: 38 | path = self.path + (pos,) 39 | child = Node(path) 40 | self.children[pos] = child 41 | else: 42 | child = self.children[pos] 43 | 44 | child.insert(rest) 45 | 46 | def pp(self, indent=0): 47 | i = " " * indent 48 | 49 | s = i 50 | s += hex(self.addr) 51 | s += " " 52 | 53 | s += "(" + str(self.distinct) + "/" + str(self.visited) + ")" 54 | s += " " 55 | 56 | s += "uct = " + str(uct(self)) 57 | s += " " 58 | 59 | print(s) 60 | 61 | if len(self.children) > 1: 62 | indent += 1 63 | 64 | for child in self.children.values(): 65 | child.pp(indent) 66 | 67 | 68 | def generate_random(seed): 69 | bytes = [ random.randint(0, 255) for x in seed ] # WTF Python: range is inclusive 70 | input = "".join(map(chr, bytes)) 71 | return input 72 | 73 | 74 | def mutate(prefix, program, seed, samples): 75 | global max_rounds 76 | result = [] 77 | rounds = 0 78 | print('generating inputs for prefix ' + str(map(hex, prefix))) 79 | while len(result) < samples and rounds < max_rounds: 80 | rounds += 1 81 | input = generate_random(seed) 82 | path = program(input) 83 | n = len(prefix) 84 | if path[:n] == prefix: 85 | print('using input "' + input + '" with path ' + str(map(hex, path))) 86 | result.append(path) 87 | else: 88 | print('discarding input with path ' + str(map(hex, path))) 89 | return result 90 | 91 | 92 | def uct(node): 93 | global total 94 | assert(total > 0) 95 | assert(node.visited > 0) 96 | exploit = node.distinct / node.visited 97 | explore = sqrt(log(total) / node.visited) 98 | return exploit + C * explore 99 | 100 | 101 | def dice(): 102 | return random.random() 103 | 104 | 105 | def sample(node, program, seed): 106 | global total, samples 107 | if not node.children or dice() < U: 108 | suffixes = playout(node, program, seed, samples) 109 | node.distinct += len(suffixes) 110 | node.visited += samples 111 | total += samples 112 | for suffix in suffixes: 113 | node.insert(suffix) 114 | else: 115 | child = max(node.children.values(), key=uct) 116 | return sample(child, program, seed) 117 | 118 | 119 | def playout(node, program, seed, samples): 120 | prefix = node.path 121 | n = len(prefix) 122 | 123 | paths = mutate(prefix, program, seed, samples) 124 | suffixes = { p[n:] for p in paths } 125 | return suffixes 126 | 127 | 128 | def traced(binary): # curry the input argument + convert result to immutable tuple 129 | 130 | def with_input(input): 131 | return tuple(traced_with_input(binary, input)) 132 | 133 | return with_input 134 | 135 | 136 | def unpack(output): 137 | assert(len(output) % 8 == 0) 138 | addrs = [] 139 | for i in xrange(len(output) / 8): 140 | addr = struct.unpack_from('q', output, i * 8) # returns a tuple 141 | addrs.append(addr[0]) 142 | return addrs 143 | 144 | 145 | def traced_with_input(binary, input): 146 | p = subprocess32.Popen(binary, stdin=subprocess32.PIPE, stderr=subprocess32.PIPE) 147 | (output, error) = p.communicate(input) 148 | addrs = unpack(error) 149 | return addrs 150 | 151 | 152 | def run(binary, seed): 153 | global max_iterations 154 | 155 | program = traced(binary) 156 | 157 | # obtain address of main function for the root node by sampling the seed 158 | path = program(seed) 159 | path = path[0:1] 160 | root = Node(path) 161 | 162 | for i in xrange(max_iterations): 163 | sample(root, program, seed) 164 | print('') 165 | root.pp() 166 | print('') 167 | print('') 168 | 169 | 170 | if __name__ == "__main__" and len(sys.argv) > 1: 171 | binary = sys.argv[1] 172 | args = sys.argv[2:] 173 | seed = ''.join(sys.stdin.readlines()) 174 | print('seed') 175 | print(seed) 176 | run(binary, seed) 177 | -------------------------------------------------------------------------------- /Results/pie_maker.py: -------------------------------------------------------------------------------- 1 | ####################################################################### 2 | # 3 | # An example of creating Excel Pie charts with Python and XlsxWriter. 4 | # 5 | # The demo also shows how to set segment colors. It is possible to 6 | # define chart colors for most types of XlsxWriter charts 7 | # via the add_series() method. However, Pie/Doughnut charts are a special 8 | # case since each segment is represented as a point so it is necessary to 9 | # assign formatting to each point in the series. 10 | # 11 | # Copyright 2013-2018, John McNamara, jmcnamara@cpan.org 12 | # 13 | import time 14 | 15 | import xlsxwriter 16 | 17 | 18 | def make_pie(categories, values, units, averages): 19 | workbook = xlsxwriter.Workbook('chart_pie{}.xlsx'.format( 20 | time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()))) 21 | 22 | worksheet = workbook.add_worksheet() 23 | bold = workbook.add_format({'bold': 1}) 24 | 25 | # Add the worksheet data that the charts will refer to. 26 | headings = ['Category', 'Value', 'unit', 'Average'] 27 | worksheet.write_row('A1', headings, bold) 28 | worksheet.write_column('A2', categories) 29 | worksheet.write_column('B2', values) 30 | worksheet.write_column('C2', units) 31 | worksheet.write_column('D2', averages) 32 | 33 | ####################################################################### 34 | # 35 | # Create a new chart object. 36 | # 37 | chart1 = workbook.add_chart({'type': 'pie'}) 38 | 39 | # Configure the series. Note the use of the list syntax to define ranges: 40 | chart1.add_series({ 41 | 'name': 'Time Consumption', 42 | 'categories': ['Sheet1', 4, 0, len(categories), 0], 43 | 'values': ['Sheet1', 4, 1, len(categories), 1], 44 | }) 45 | 46 | # Add a title. 47 | chart1.set_title({'name': 'Time Consumption'}) 48 | 49 | # Set an Excel chart style. Colors with white outline and shadow. 50 | chart1.set_style(10) 51 | 52 | # Insert the chart into the worksheet (with an offset). 53 | worksheet.insert_chart('E1', chart1, {'x_offset': 25, 'y_offset': 10}) 54 | # worksheet.insert_chart('D1', chart1) 55 | 56 | chart2 = workbook.add_chart({'type': 'pie'}) 57 | 58 | # Configure the series. Note the use of the list syntax to define ranges: 59 | chart2.add_series({ 60 | 'name': 'Average Time Consumption', 61 | 'categories': ['Sheet1', 4, 0, len(categories), 0], 62 | 'values': ['Sheet1', 4, 3, len(categories), 3], 63 | }) 64 | 65 | # Add a title. 66 | chart2.set_title({'name': 'Average Time Consumption'}) 67 | 68 | # Set an Excel chart style. Colors with white outline and shadow. 69 | chart2.set_style(10) 70 | 71 | # Insert the chart into the worksheet (with an offset). 72 | # worksheet.insert_chart('D16') 73 | worksheet.insert_chart('E16', chart2, {'x_offset': 25, 'y_offset': 10}) 74 | # ####################################################################### 75 | # # 76 | # # Create a Pie chart with user defined segment colors. 77 | # # 78 | 79 | # # Create an example Pie chart like above. 80 | # chart2 = workbook.add_chart({'type': 'pie'}) 81 | 82 | # # Configure the series and add user defined segment colors. 83 | # chart2.add_series({ 84 | # 'name': 'Pie sales data', 85 | # 'categories': '=Sheet1!$A$2:$A$4', 86 | # 'values': '=Sheet1!$B$2:$B$4', 87 | # 'points': [ 88 | # {'fill': {'color': '#5ABA10'}}, 89 | # {'fill': {'color': '#FE110E'}}, 90 | # {'fill': {'color': '#CA5C05'}}, 91 | # ], 92 | # }) 93 | 94 | # # Add a title. 95 | # chart2.set_title({'name': 'Pie Chart with user defined colors'}) 96 | 97 | # # Insert the chart into the worksheet (with an offset). 98 | # worksheet.insert_chart('C18', chart2, {'x_offset': 25, 'y_offset': 10}) 99 | 100 | # ####################################################################### 101 | # # 102 | # # Create a Pie chart with rotation of the segments. 103 | # # 104 | 105 | # # Create an example Pie chart like above. 106 | # chart3 = workbook.add_chart({'type': 'pie'}) 107 | 108 | # # Configure the series. 109 | # chart3.add_series({ 110 | # 'name': 'Pie sales data', 111 | # 'categories': '=Sheet1!$A$2:$A$4', 112 | # 'values': '=Sheet1!$B$2:$B$4', 113 | # }) 114 | 115 | # # Add a title. 116 | # chart3.set_title({'name': 'Pie Chart with segment rotation'}) 117 | 118 | # # Change the angle/rotation of the first segment. 119 | # chart3.set_rotation(90) 120 | 121 | # # Insert the chart into the worksheet (with an offset). 122 | # worksheet.insert_chart('C34', chart3, {'x_offset': 25, 'y_offset': 10}) 123 | 124 | workbook.close() 125 | 126 | # make_pie( 127 | # categories=['Iteration', 'Total', 'Angr', 'QEMU', 128 | # 'Tracer', 'QuickSampler', 'RandomFuzzing', 129 | # 'TreePolicy', 'TreeExpansion'], 130 | # values=[iter_count, end-start, ANGR_TIME, SIMLTR_TIME, 131 | # TRACER_TIME, FUZZER_TIME, RAN_FUZZER_TIME, 132 | # TREE_POLICY_TIME, EXPANSION_TIME], 133 | # averages=['/', (end-start)/iter_count, ANGR_TIME/iter_count, SIMLTR_TIME/iter_count, 134 | # TRACER_TIME/iter_count, FUZZER_TIME/FUZZER_COUNT, RAN_FUZZER_TIME/RAN_FUZZER_COUNT, 135 | # TREE_POLICY_TIME/iter_count, EXPANSION_TIME/iter_count] 136 | # ) 137 | 138 | -------------------------------------------------------------------------------- /ProgramUnderTest/TraceJump/test_bise.instr.s: -------------------------------------------------------------------------------- 1 | .file "test_bise.c" 2 | .text 3 | .globl test 4 | .type test, @function 5 | test: 6 | .LFB0: 7 | .cfi_startproc 8 | pushq %rbp 9 | .cfi_def_cfa_offset 16 10 | .cfi_offset 6, -16 11 | movq %rsp, %rbp 12 | .cfi_def_cfa_register 6 13 | movl %edi, -4(%rbp) 14 | cmpl $255, -4(%rbp) 15 | ja .L2 16 | sub $128,%rsp 17 | push %rax 18 | push %rdi 19 | push %rsi 20 | push %rdx 21 | push %rcx 22 | push %r11 23 | call __trace_jump 24 | pop %r11 25 | pop %rcx 26 | pop %rdx 27 | pop %rsi 28 | pop %rdi 29 | pop %rax 30 | add $128,%rsp 31 | cmpl $128, -4(%rbp) 32 | ja .L3 33 | sub $128,%rsp 34 | push %rax 35 | push %rdi 36 | push %rsi 37 | push %rdx 38 | push %rcx 39 | push %r11 40 | call __trace_jump 41 | pop %r11 42 | pop %rcx 43 | pop %rdx 44 | pop %rsi 45 | pop %rdi 46 | pop %rax 47 | add $128,%rsp 48 | cmpl $64, -4(%rbp) 49 | ja .L4 50 | sub $128,%rsp 51 | push %rax 52 | push %rdi 53 | push %rsi 54 | push %rdx 55 | push %rcx 56 | push %r11 57 | call __trace_jump 58 | pop %r11 59 | pop %rcx 60 | pop %rdx 61 | pop %rsi 62 | pop %rdi 63 | pop %rax 64 | add $128,%rsp 65 | cmpl $32, -4(%rbp) 66 | ja .L5 67 | sub $128,%rsp 68 | push %rax 69 | push %rdi 70 | push %rsi 71 | push %rdx 72 | push %rcx 73 | push %r11 74 | call __trace_jump 75 | pop %r11 76 | pop %rcx 77 | pop %rdx 78 | pop %rsi 79 | pop %rdi 80 | pop %rax 81 | add $128,%rsp 82 | cmpl $16, -4(%rbp) 83 | ja .L6 84 | sub $128,%rsp 85 | push %rax 86 | push %rdi 87 | push %rsi 88 | push %rdx 89 | push %rcx 90 | push %r11 91 | call __trace_jump 92 | pop %r11 93 | pop %rcx 94 | pop %rdx 95 | pop %rsi 96 | pop %rdi 97 | pop %rax 98 | add $128,%rsp 99 | cmpl $8, -4(%rbp) 100 | ja .L7 101 | sub $128,%rsp 102 | push %rax 103 | push %rdi 104 | push %rsi 105 | push %rdx 106 | push %rcx 107 | push %r11 108 | call __trace_jump 109 | pop %r11 110 | pop %rcx 111 | pop %rdx 112 | pop %rsi 113 | pop %rdi 114 | pop %rax 115 | add $128,%rsp 116 | cmpl $4, -4(%rbp) 117 | ja .L8 118 | sub $128,%rsp 119 | push %rax 120 | push %rdi 121 | push %rsi 122 | push %rdx 123 | push %rcx 124 | push %r11 125 | call __trace_jump 126 | pop %r11 127 | pop %rcx 128 | pop %rdx 129 | pop %rsi 130 | pop %rdi 131 | pop %rax 132 | add $128,%rsp 133 | cmpl $2, -4(%rbp) 134 | ja .L9 135 | sub $128,%rsp 136 | push %rax 137 | push %rdi 138 | push %rsi 139 | push %rdx 140 | push %rcx 141 | push %r11 142 | call __trace_jump 143 | pop %r11 144 | pop %rcx 145 | pop %rdx 146 | pop %rsi 147 | pop %rdi 148 | pop %rax 149 | add $128,%rsp 150 | cmpl $1, -4(%rbp) 151 | ja .L10 152 | sub $128,%rsp 153 | push %rax 154 | push %rdi 155 | push %rsi 156 | push %rdx 157 | push %rcx 158 | push %r11 159 | call __trace_jump 160 | pop %r11 161 | pop %rcx 162 | pop %rdx 163 | pop %rsi 164 | pop %rdi 165 | pop %rax 166 | add $128,%rsp 167 | movl $1, %eax 168 | jmp .L11 169 | .L10: 170 | sub $128,%rsp 171 | push %rax 172 | push %rdi 173 | push %rsi 174 | push %rdx 175 | push %rcx 176 | push %r11 177 | call __trace_jump 178 | pop %r11 179 | pop %rcx 180 | pop %rdx 181 | pop %rsi 182 | pop %rdi 183 | pop %rax 184 | add $128,%rsp 185 | movl $2, %eax 186 | jmp .L11 187 | .L9: 188 | sub $128,%rsp 189 | push %rax 190 | push %rdi 191 | push %rsi 192 | push %rdx 193 | push %rcx 194 | push %r11 195 | call __trace_jump 196 | pop %r11 197 | pop %rcx 198 | pop %rdx 199 | pop %rsi 200 | pop %rdi 201 | pop %rax 202 | add $128,%rsp 203 | movl $3, %eax 204 | jmp .L11 205 | .L8: 206 | sub $128,%rsp 207 | push %rax 208 | push %rdi 209 | push %rsi 210 | push %rdx 211 | push %rcx 212 | push %r11 213 | call __trace_jump 214 | pop %r11 215 | pop %rcx 216 | pop %rdx 217 | pop %rsi 218 | pop %rdi 219 | pop %rax 220 | add $128,%rsp 221 | movl $4, %eax 222 | jmp .L11 223 | .L7: 224 | sub $128,%rsp 225 | push %rax 226 | push %rdi 227 | push %rsi 228 | push %rdx 229 | push %rcx 230 | push %r11 231 | call __trace_jump 232 | pop %r11 233 | pop %rcx 234 | pop %rdx 235 | pop %rsi 236 | pop %rdi 237 | pop %rax 238 | add $128,%rsp 239 | movl $5, %eax 240 | jmp .L11 241 | .L6: 242 | sub $128,%rsp 243 | push %rax 244 | push %rdi 245 | push %rsi 246 | push %rdx 247 | push %rcx 248 | push %r11 249 | call __trace_jump 250 | pop %r11 251 | pop %rcx 252 | pop %rdx 253 | pop %rsi 254 | pop %rdi 255 | pop %rax 256 | add $128,%rsp 257 | movl $6, %eax 258 | jmp .L11 259 | .L5: 260 | sub $128,%rsp 261 | push %rax 262 | push %rdi 263 | push %rsi 264 | push %rdx 265 | push %rcx 266 | push %r11 267 | call __trace_jump 268 | pop %r11 269 | pop %rcx 270 | pop %rdx 271 | pop %rsi 272 | pop %rdi 273 | pop %rax 274 | add $128,%rsp 275 | movl $7, %eax 276 | jmp .L11 277 | .L4: 278 | sub $128,%rsp 279 | push %rax 280 | push %rdi 281 | push %rsi 282 | push %rdx 283 | push %rcx 284 | push %r11 285 | call __trace_jump 286 | pop %r11 287 | pop %rcx 288 | pop %rdx 289 | pop %rsi 290 | pop %rdi 291 | pop %rax 292 | add $128,%rsp 293 | movl $8, %eax 294 | jmp .L11 295 | .L3: 296 | sub $128,%rsp 297 | push %rax 298 | push %rdi 299 | push %rsi 300 | push %rdx 301 | push %rcx 302 | push %r11 303 | call __trace_jump 304 | pop %r11 305 | pop %rcx 306 | pop %rdx 307 | pop %rsi 308 | pop %rdi 309 | pop %rax 310 | add $128,%rsp 311 | movl $9, %eax 312 | jmp .L11 313 | .L2: 314 | sub $128,%rsp 315 | push %rax 316 | push %rdi 317 | push %rsi 318 | push %rdx 319 | push %rcx 320 | push %r11 321 | call __trace_jump 322 | pop %r11 323 | pop %rcx 324 | pop %rdx 325 | pop %rsi 326 | pop %rdi 327 | pop %rax 328 | add $128,%rsp 329 | movl $0, %eax 330 | .L11: 331 | sub $128,%rsp 332 | push %rax 333 | push %rdi 334 | push %rsi 335 | push %rdx 336 | push %rcx 337 | push %r11 338 | call __trace_jump 339 | pop %r11 340 | pop %rcx 341 | pop %rdx 342 | pop %rsi 343 | pop %rdi 344 | pop %rax 345 | add $128,%rsp 346 | popq %rbp 347 | .cfi_def_cfa 7, 8 348 | ret 349 | .cfi_endproc 350 | .LFE0: 351 | .size test, .-test 352 | .globl main 353 | .type main, @function 354 | main: 355 | .LFB1: 356 | .cfi_startproc 357 | pushq %rbp 358 | .cfi_def_cfa_offset 16 359 | .cfi_offset 6, -16 360 | movq %rsp, %rbp 361 | .cfi_def_cfa_register 6 362 | subq $32, %rsp 363 | movl %edi, -20(%rbp) 364 | movq %rsi, -32(%rbp) 365 | movq %fs:40, %rax 366 | movq %rax, -8(%rbp) 367 | xorl %eax, %eax 368 | leaq -13(%rbp), %rax 369 | movl $1, %edx 370 | movq %rax, %rsi 371 | movl $0, %edi 372 | call read@PLT 373 | movzbl -13(%rbp), %eax 374 | movzbl %al, %eax 375 | movl %eax, %edi 376 | call test 377 | movl %eax, -12(%rbp) 378 | movl -12(%rbp), %eax 379 | movq -8(%rbp), %rcx 380 | xorq %fs:40, %rcx 381 | je .L14 382 | sub $128,%rsp 383 | push %rax 384 | push %rdi 385 | push %rsi 386 | push %rdx 387 | push %rcx 388 | push %r11 389 | call __trace_jump 390 | pop %r11 391 | pop %rcx 392 | pop %rdx 393 | pop %rsi 394 | pop %rdi 395 | pop %rax 396 | add $128,%rsp 397 | call __stack_chk_fail@PLT 398 | .L14: 399 | sub $128,%rsp 400 | push %rax 401 | push %rdi 402 | push %rsi 403 | push %rdx 404 | push %rcx 405 | push %r11 406 | call __trace_jump 407 | pop %r11 408 | pop %rcx 409 | pop %rdx 410 | pop %rsi 411 | pop %rdi 412 | pop %rax 413 | add $128,%rsp 414 | leave 415 | .cfi_def_cfa 7, 8 416 | ret 417 | .cfi_endproc 418 | .LFE1: 419 | .size main, .-main 420 | .ident "GCC: (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0" 421 | .section .note.GNU-stack,"",@progbits 422 | -------------------------------------------------------------------------------- /Baselines/fuzz_random.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import tracer 3 | import random 4 | from math import sqrt, log 5 | 6 | import subprocess32, struct 7 | 8 | # C = sqrt(2) 9 | C = 1/sqrt(2) 10 | 11 | samples = 1 12 | max_rounds = 100 13 | 14 | total = 30 15 | max_iterations = float('inf') 16 | max_path = 9 17 | 18 | iter_count = 0 19 | 20 | class Node(): 21 | 22 | def __init__(self, path, dummy=False): 23 | assert(path) 24 | 25 | self.path = path 26 | self.children = {} # {addr: Node(tuple(path up to addr))}? 27 | if not dummy: 28 | self.children['Simulation'] = Node(path, dummy=True) 29 | self.distinct = 0. 30 | self.visited = 0. 31 | 32 | def is_path_node(self): 33 | return 'Simulation' in self.children 34 | 35 | def update(self, distinct, visited): 36 | self.distinct += distinct 37 | self.visited += visited 38 | 39 | def insert(self, path): 40 | """ 41 | path represents the full path from root to leaf 42 | """ 43 | self.visited += 1 44 | starts_new_path = False 45 | 46 | if not path: 47 | return starts_new_path 48 | 49 | child_addr = path[0] 50 | 51 | if child_addr not in self.children.keys(): # new child 52 | self.children[child_addr] = Node(self.path + (child_addr,)) 53 | self.children['Simulation'].distinct += 1 54 | starts_new_path = True 55 | 56 | starts_new_path = self.children[child_addr].insert(path[1:]) or starts_new_path 57 | self.distinct += starts_new_path 58 | return starts_new_path 59 | 60 | def info(self): 61 | return '{NodeType}: {NodePath}'.format( 62 | NodeType='PathNode' if self.is_path_node() else 'SimulationChild', 63 | NodePath=[hex(addr) if addr else 'Root' for addr in self.path]) 64 | 65 | def pp(self, indent=0): 66 | i = " " * indent 67 | 68 | s = i 69 | 70 | s += 'Path node: ' if self.is_path_node() else 'Simulation Child: ' 71 | s += hex(self.path[-1]) if self.path[-1] else 'Root' 72 | s += " " 73 | 74 | s += "(" + str(self.distinct) + "/" + str(self.visited) + ")" 75 | s += " " 76 | 77 | s += "score = " + str(uct(self)) 78 | s += " " 79 | 80 | print(s) 81 | 82 | if self.children: 83 | indent += 1 84 | 85 | for addr,child in self.children.items(): 86 | child.pp(indent) 87 | 88 | 89 | def generate_random(seed): 90 | bytes = [ random.randint(0, 255) for x in seed ] # WTF Python: range is inclusive 91 | input = "".join(map(chr, bytes)) 92 | return input 93 | 94 | 95 | def mutate(prefix, program, seed, samples): 96 | global max_rounds 97 | result = [] 98 | rounds = 0 99 | 100 | # print('generating inputs for prefix ' + str(map(hex, prefix))) 101 | while len(result) < samples and rounds < max_rounds: 102 | rounds += 1 103 | input = generate_random(seed) 104 | path = program(input) 105 | n = len(prefix) 106 | if path[:n] == prefix: 107 | # print('using input "' + input + '" with path ' + str(map(hex, path))) 108 | result.append(path) 109 | else: 110 | pass 111 | # print('discarding input with path ' + str(map(hex, path))) 112 | return result 113 | 114 | 115 | def uct(node): 116 | global total 117 | assert(total > 0) 118 | assert(node.visited >= 0) 119 | if not node.visited: 120 | return float('inf') 121 | exploit = (node.distinct / node.visited) 122 | explore = (sqrt(log(total) / node.visited)) 123 | # return exploit + C * explore 124 | # print(node.info()) 125 | if node.is_path_node(): 126 | return max(exploit + C * explore, uct(node.children['Simulation'])) 127 | return exploit + C * explore 128 | 129 | def playout_full(node, program, seed): 130 | prefix = node.path[1:] 131 | n = len(prefix) 132 | paths = mutate(prefix, program, seed, samples) 133 | 134 | return [path for path in paths if path] # paths starts from node.child 135 | 136 | 137 | def traced(binary): # curry the input argument + convert result to immutable tuple 138 | 139 | def with_input(input): 140 | return tuple(traced_with_input(binary, input)) 141 | 142 | return with_input 143 | 144 | 145 | def unpack(output): 146 | assert(len(output) % 8 == 0) 147 | addrs = [] 148 | for i in xrange(len(output) / 8): 149 | addr = struct.unpack_from('q', output, i * 8) # returns a tuple 150 | addrs.append(addr[0]) 151 | return addrs 152 | 153 | 154 | def traced_with_input(binary, input): 155 | runner = tracer.qemu_runner.QEMURunner(binary, input) 156 | addrs = runner.trace 157 | return addrs 158 | 159 | 160 | def run(binary, seed): 161 | global max_iterations 162 | program = traced(binary) 163 | 164 | root = Node((None,)) 165 | iter_count = 0 166 | # while max_iterations: 167 | # mcts(root, program, seed) 168 | # max_iterations -= 1 169 | # root.pp() 170 | pre = 0 171 | while root.distinct < max_path: 172 | mcts(root, program, seed) 173 | iter_count += 1 174 | if root.distinct != pre: 175 | print("{},{}".format(iter_count, root.distinct)) 176 | pre == root.distinct 177 | if iter_count >= max_iterations: 178 | break 179 | # iter_count += 1 180 | # print("{}, {}".format(iter_count, root.distinct)) 181 | # mcts(root, program, seed) 182 | # root.pp() 183 | # print(iter_count) 184 | # def mcts_rec(node, program, seed): 185 | # # child = None if the node is a 'Simulation' node, which has no children. 186 | # child = max(node.children.values(), key=uct) if node.children else None 187 | # # Recursion always stops at a simulation node, 188 | # # no matter its parent is an intermediate node, or a leaf node 189 | # num_win, num_sim = mcts(child) if child else simulate(node, program, seed) 190 | 191 | # node.distinct += num_win 192 | # node.visited += num_sim 193 | 194 | # return num_sim, num_win 195 | 196 | def mcts(root, program, seed): 197 | 198 | node = root 199 | # while node.children: 200 | # node = best_child(node) # will always be a sim_node 201 | 202 | # print('Tree policy gives node = {}'.format(node.info())) 203 | paths = playout_full(root, program, seed) # Full path 204 | num_win, num_sim = 0, len(paths) 205 | for path in paths: 206 | num_win += root.insert(path) 207 | 208 | node.visited += num_sim 209 | # print(node.info()) 210 | 211 | def best_child(node): 212 | uct_tie = [] 213 | max_score = None 214 | for child in node.children.values(): 215 | if not max_score: 216 | max_score = uct(child) 217 | uct_tie.append(child) 218 | continue 219 | 220 | cur_score = uct(child) 221 | if max_score == cur_score: 222 | uct_tie.append(child) 223 | continue 224 | 225 | if cur_score > max_score: 226 | max_score = cur_score 227 | uct_tie = [child] 228 | 229 | assert(uct_tie) 230 | 231 | if len(uct_tie) == 1: 232 | return uct_tie.pop() 233 | 234 | 235 | win_tie = [] 236 | max_win= None 237 | for child in uct_tie: 238 | if not max_win: 239 | max_win = child.distinct 240 | win_tie.append(child) 241 | continue 242 | if max_win == child.distinct: 243 | win_tie.append(child) 244 | continue 245 | if child.distinct > max_win: 246 | win_tie = [child] 247 | 248 | assert(win_tie) 249 | if len(win_tie) == 1: 250 | return win_tie.pop() 251 | 252 | assert(win_tie) 253 | vis_tie = [] 254 | min_vis = None 255 | for child in win_tie: 256 | if not min_vis: 257 | min_vis = child.visited 258 | vis_tie.append(child) 259 | continue 260 | if min_vis == child.visited: 261 | vis_tie.append(child) 262 | continue 263 | if child.visited < vis_tie: 264 | vis_tie = [child] 265 | 266 | 267 | assert(vis_tie) 268 | if len(vis_tie) == 1: 269 | return vis_tie.pop() 270 | 271 | for child in vis_tie: 272 | if not child.is_path_node(): 273 | return child 274 | return vis_tie.pop() 275 | 276 | 277 | def simulate(node, program, seed): 278 | suffixes = playout(node, program, seed) # suffix starts from node.child 279 | 280 | num_win = sum([node.parent.insert(suffix) for suffix in suffixes]) 281 | num_sim = len(suffixes) 282 | 283 | return num_win, num_sim 284 | 285 | 286 | 287 | if __name__ == "__main__" and len(sys.argv) > 1: 288 | binary = sys.argv[1] 289 | args = sys.argv[2:] 290 | seed = ''.join(args) 291 | # print('seed') 292 | # print(seed) 293 | run(binary, seed) 294 | 295 | -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/empty_main.instr.s: -------------------------------------------------------------------------------- 1 | 2 | ../Instrumented/empty_main.instr: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000400390 <_init>: 8 | 400390: 48 83 ec 08 sub $0x8,%rsp 9 | 400394: 48 8b 05 5d 0c 20 00 mov 0x200c5d(%rip),%rax # 600ff8 <__gmon_start__> 10 | 40039b: 48 85 c0 test %rax,%rax 11 | 40039e: 74 02 je 4003a2 <_init+0x12> 12 | 4003a0: ff d0 callq *%rax 13 | 4003a2: 48 83 c4 08 add $0x8,%rsp 14 | 4003a6: c3 retq 15 | 16 | Disassembly of section .text: 17 | 18 | 00000000004003b0 <_start>: 19 | 4003b0: 31 ed xor %ebp,%ebp 20 | 4003b2: 49 89 d1 mov %rdx,%r9 21 | 4003b5: 5e pop %rsi 22 | 4003b6: 48 89 e2 mov %rsp,%rdx 23 | 4003b9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 24 | 4003bd: 50 push %rax 25 | 4003be: 54 push %rsp 26 | 4003bf: 49 c7 c0 70 05 40 00 mov $0x400570,%r8 27 | 4003c6: 48 c7 c1 00 05 40 00 mov $0x400500,%rcx 28 | 4003cd: 48 c7 c7 97 04 40 00 mov $0x400497,%rdi 29 | 4003d4: ff 15 16 0c 20 00 callq *0x200c16(%rip) # 600ff0 <__libc_start_main@GLIBC_2.2.5> 30 | 4003da: f4 hlt 31 | 4003db: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 32 | 33 | 00000000004003e0 <_dl_relocate_static_pie>: 34 | 4003e0: f3 c3 repz retq 35 | 4003e2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 36 | 4003e9: 00 00 00 37 | 4003ec: 0f 1f 40 00 nopl 0x0(%rax) 38 | 39 | 00000000004003f0 : 40 | 4003f0: 55 push %rbp 41 | 4003f1: b8 28 10 60 00 mov $0x601028,%eax 42 | 4003f6: 48 3d 28 10 60 00 cmp $0x601028,%rax 43 | 4003fc: 48 89 e5 mov %rsp,%rbp 44 | 4003ff: 74 17 je 400418 45 | 400401: b8 00 00 00 00 mov $0x0,%eax 46 | 400406: 48 85 c0 test %rax,%rax 47 | 400409: 74 0d je 400418 48 | 40040b: 5d pop %rbp 49 | 40040c: bf 28 10 60 00 mov $0x601028,%edi 50 | 400411: ff e0 jmpq *%rax 51 | 400413: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 52 | 400418: 5d pop %rbp 53 | 400419: c3 retq 54 | 40041a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 55 | 56 | 0000000000400420 : 57 | 400420: be 28 10 60 00 mov $0x601028,%esi 58 | 400425: 55 push %rbp 59 | 400426: 48 81 ee 28 10 60 00 sub $0x601028,%rsi 60 | 40042d: 48 89 e5 mov %rsp,%rbp 61 | 400430: 48 c1 fe 03 sar $0x3,%rsi 62 | 400434: 48 89 f0 mov %rsi,%rax 63 | 400437: 48 c1 e8 3f shr $0x3f,%rax 64 | 40043b: 48 01 c6 add %rax,%rsi 65 | 40043e: 48 d1 fe sar %rsi 66 | 400441: 74 15 je 400458 67 | 400443: b8 00 00 00 00 mov $0x0,%eax 68 | 400448: 48 85 c0 test %rax,%rax 69 | 40044b: 74 0b je 400458 70 | 40044d: 5d pop %rbp 71 | 40044e: bf 28 10 60 00 mov $0x601028,%edi 72 | 400453: ff e0 jmpq *%rax 73 | 400455: 0f 1f 00 nopl (%rax) 74 | 400458: 5d pop %rbp 75 | 400459: c3 retq 76 | 40045a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 77 | 78 | 0000000000400460 <__do_global_dtors_aux>: 79 | 400460: 80 3d c1 0b 20 00 00 cmpb $0x0,0x200bc1(%rip) # 601028 <__TMC_END__> 80 | 400467: 75 17 jne 400480 <__do_global_dtors_aux+0x20> 81 | 400469: 55 push %rbp 82 | 40046a: 48 89 e5 mov %rsp,%rbp 83 | 40046d: e8 7e ff ff ff callq 4003f0 84 | 400472: c6 05 af 0b 20 00 01 movb $0x1,0x200baf(%rip) # 601028 <__TMC_END__> 85 | 400479: 5d pop %rbp 86 | 40047a: c3 retq 87 | 40047b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 88 | 400480: f3 c3 repz retq 89 | 400482: 0f 1f 40 00 nopl 0x0(%rax) 90 | 400486: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 91 | 40048d: 00 00 00 92 | 93 | 0000000000400490 : 94 | 400490: 55 push %rbp 95 | 400491: 48 89 e5 mov %rsp,%rbp 96 | 400494: 5d pop %rbp 97 | 400495: eb 89 jmp 400420 98 | 99 | 0000000000400497
: 100 | 400497: 48 81 ec 80 00 00 00 sub $0x80,%rsp 101 | 40049e: 50 push %rax 102 | 40049f: 57 push %rdi 103 | 4004a0: 56 push %rsi 104 | 4004a1: 52 push %rdx 105 | 4004a2: 51 push %rcx 106 | 4004a3: 41 53 push %r11 107 | 4004a5: e8 20 00 00 00 callq 4004ca <__trace_jump> 108 | 4004aa: 41 5b pop %r11 109 | 4004ac: 59 pop %rcx 110 | 4004ad: 5a pop %rdx 111 | 4004ae: 5e pop %rsi 112 | 4004af: 5f pop %rdi 113 | 4004b0: 58 pop %rax 114 | 4004b1: 48 81 c4 80 00 00 00 add $0x80,%rsp 115 | 4004b8: 55 push %rbp 116 | 4004b9: 48 89 e5 mov %rsp,%rbp 117 | 4004bc: 89 7d fc mov %edi,-0x4(%rbp) 118 | 4004bf: 48 89 75 f0 mov %rsi,-0x10(%rbp) 119 | 4004c3: b8 00 00 00 00 mov $0x0,%eax 120 | 4004c8: 5d pop %rbp 121 | 4004c9: c3 retq 122 | 123 | 00000000004004ca <__trace_jump>: 124 | 4004ca: 55 push %rbp 125 | 4004cb: 48 89 e5 mov %rsp,%rbp 126 | 4004ce: 48 8b 45 08 mov 0x8(%rbp),%rax 127 | 4004d2: 48 83 e8 13 sub $0x13,%rax 128 | 4004d6: 48 89 45 f8 mov %rax,-0x8(%rbp) 129 | 4004da: 48 c7 c0 01 00 00 00 mov $0x1,%rax 130 | 4004e1: 48 c7 c7 02 00 00 00 mov $0x2,%rdi 131 | 4004e8: 48 89 ee mov %rbp,%rsi 132 | 4004eb: 48 83 ee 08 sub $0x8,%rsi 133 | 4004ef: 48 c7 c2 08 00 00 00 mov $0x8,%rdx 134 | 4004f6: 0f 05 syscall 135 | 4004f8: 5d pop %rbp 136 | 4004f9: c3 retq 137 | 4004fa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 138 | 139 | 0000000000400500 <__libc_csu_init>: 140 | 400500: 41 57 push %r15 141 | 400502: 41 56 push %r14 142 | 400504: 49 89 d7 mov %rdx,%r15 143 | 400507: 41 55 push %r13 144 | 400509: 41 54 push %r12 145 | 40050b: 4c 8d 25 3e 09 20 00 lea 0x20093e(%rip),%r12 # 600e50 <__frame_dummy_init_array_entry> 146 | 400512: 55 push %rbp 147 | 400513: 48 8d 2d 3e 09 20 00 lea 0x20093e(%rip),%rbp # 600e58 <__init_array_end> 148 | 40051a: 53 push %rbx 149 | 40051b: 41 89 fd mov %edi,%r13d 150 | 40051e: 49 89 f6 mov %rsi,%r14 151 | 400521: 4c 29 e5 sub %r12,%rbp 152 | 400524: 48 83 ec 08 sub $0x8,%rsp 153 | 400528: 48 c1 fd 03 sar $0x3,%rbp 154 | 40052c: e8 5f fe ff ff callq 400390 <_init> 155 | 400531: 48 85 ed test %rbp,%rbp 156 | 400534: 74 20 je 400556 <__libc_csu_init+0x56> 157 | 400536: 31 db xor %ebx,%ebx 158 | 400538: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 159 | 40053f: 00 160 | 400540: 4c 89 fa mov %r15,%rdx 161 | 400543: 4c 89 f6 mov %r14,%rsi 162 | 400546: 44 89 ef mov %r13d,%edi 163 | 400549: 41 ff 14 dc callq *(%r12,%rbx,8) 164 | 40054d: 48 83 c3 01 add $0x1,%rbx 165 | 400551: 48 39 dd cmp %rbx,%rbp 166 | 400554: 75 ea jne 400540 <__libc_csu_init+0x40> 167 | 400556: 48 83 c4 08 add $0x8,%rsp 168 | 40055a: 5b pop %rbx 169 | 40055b: 5d pop %rbp 170 | 40055c: 41 5c pop %r12 171 | 40055e: 41 5d pop %r13 172 | 400560: 41 5e pop %r14 173 | 400562: 41 5f pop %r15 174 | 400564: c3 retq 175 | 400565: 90 nop 176 | 400566: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 177 | 40056d: 00 00 00 178 | 179 | 0000000000400570 <__libc_csu_fini>: 180 | 400570: f3 c3 repz retq 181 | 182 | Disassembly of section .fini: 183 | 184 | 0000000000400574 <_fini>: 185 | 400574: 48 83 ec 08 sub $0x8,%rsp 186 | 400578: 48 83 c4 08 add $0x8,%rsp 187 | 40057c: c3 retq 188 | -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/QEMU.trace: -------------------------------------------------------------------------------- 1 | '0x400be9', 2 | '0x400caa', '0x400cd8', '0x400bfc', '0x4493f0', '0x4493fa', '0x4493fe', '0x449406', '0x400c3e', '0x400b4d', 3 | '0x400caa', '0x400cd8', '0x400b60', '0x400b9c', 4 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77', '0x400caa', '0x400cd8', '0x400b8a', 5 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77', '0x400caa', '0x400cd8', '0x400b8a', 6 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 7 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 8 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 9 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 10 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 11 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 12 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 13 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 14 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 15 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 16 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 17 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 18 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 19 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 20 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 21 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 22 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 23 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 24 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 25 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 26 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 27 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 28 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 29 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 30 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 31 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 32 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 33 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 34 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 35 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 36 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 37 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 38 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 39 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 40 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 41 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 42 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 43 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 44 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 45 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 46 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 47 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 48 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 49 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 50 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 51 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 52 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 53 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 54 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 55 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 56 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 57 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 58 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 59 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 60 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 61 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 62 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 63 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 64 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 65 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 66 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 67 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 68 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 69 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 70 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 71 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 72 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 73 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 74 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 75 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 76 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 77 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 78 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 79 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 80 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 81 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 82 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 83 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 84 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 85 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 86 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 87 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 88 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 89 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 90 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 91 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 92 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 93 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 94 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 95 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 96 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 97 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 98 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 99 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 100 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 101 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 102 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 103 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 104 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 105 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 106 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 107 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 108 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 109 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 110 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 111 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 112 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 113 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 114 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 115 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 116 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 117 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 118 | '0x400caa', '0x400cd8', '0x400baf', '0x400b77','0x400caa', '0x400cd8', '0x400b8a', 119 | '0x400caa', '0x400cd8', '0x400baf', '0x400bc3', '0x400caa', '0x400cd8', '0x400bd6', '0x400c4c', '0x400c87' -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/Simgr.trace: -------------------------------------------------------------------------------- 1 | 0x400be9, 2 | 0x400caa, 0x3000147, 0x400cd8, 0x400bfc, 0x4493f0, 0x4493fa, 0x3000146, 0x4493fe, 0x449406, 0x400c3e, 0x400b4d, 3 | 0x400caa, 0x3000147, 0x400cd8, 0x400b60, 0x400b9c, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 4 | 5 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 6 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 7 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 8 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 9 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 10 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 11 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 12 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 13 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 14 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 15 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 16 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 17 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 18 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 19 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 20 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 21 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 22 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 23 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 24 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 25 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 26 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 27 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 28 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 29 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 30 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 31 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 32 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 33 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 34 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 35 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 36 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 37 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 38 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 39 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 40 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 41 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 42 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 43 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 44 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 45 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 46 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 47 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 48 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 49 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 50 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 51 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 52 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 53 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 54 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 55 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 56 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 57 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 58 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 59 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 60 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 61 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 62 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 63 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 64 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 65 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 66 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 67 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 68 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 69 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 70 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 71 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 72 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 73 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 74 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 75 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 76 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 77 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 78 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 79 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 80 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 81 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 82 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 83 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 84 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 85 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 86 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 87 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 88 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 89 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 90 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 91 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 92 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 93 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 94 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 95 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 96 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 97 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 98 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 99 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 100 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 101 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 102 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 103 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 104 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 105 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 106 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 107 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 108 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 109 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 110 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 111 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 112 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 113 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 114 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 115 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 116 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 117 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 118 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 119 | 0x400b77, 0x400caa, 0x3000147, 0x400cd8, 0x400b8a, 120 | 0x400caa, 0x3000147, 0x400cd8, 0x400baf, 0x400bc3, 121 | 0x400caa, 0x3000147, 0x400cd8, 0x400bd6, 0x400c4c, 0x400c87, 122 | 0x400caa, 0x3000147, 0x400cd8, 0x400c9a, 0x0 -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/test_half.s: -------------------------------------------------------------------------------- 1 | 2 | ../Orignal/test_half: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000000548 <_init>: 8 | 548: 48 83 ec 08 sub $0x8,%rsp 9 | 54c: 48 8b 05 95 0a 20 00 mov 0x200a95(%rip),%rax # 200fe8 <__gmon_start__> 10 | 553: 48 85 c0 test %rax,%rax 11 | 556: 74 02 je 55a <_init+0x12> 12 | 558: ff d0 callq *%rax 13 | 55a: 48 83 c4 08 add $0x8,%rsp 14 | 55e: c3 retq 15 | 16 | Disassembly of section .plt: 17 | 18 | 0000000000000560 <.plt>: 19 | 560: ff 35 52 0a 20 00 pushq 0x200a52(%rip) # 200fb8 <_GLOBAL_OFFSET_TABLE_+0x8> 20 | 566: ff 25 54 0a 20 00 jmpq *0x200a54(%rip) # 200fc0 <_GLOBAL_OFFSET_TABLE_+0x10> 21 | 56c: 0f 1f 40 00 nopl 0x0(%rax) 22 | 23 | 0000000000000570 <__stack_chk_fail@plt>: 24 | 570: ff 25 52 0a 20 00 jmpq *0x200a52(%rip) # 200fc8 <__stack_chk_fail@GLIBC_2.4> 25 | 576: 68 00 00 00 00 pushq $0x0 26 | 57b: e9 e0 ff ff ff jmpq 560 <.plt> 27 | 28 | 0000000000000580 : 29 | 580: ff 25 4a 0a 20 00 jmpq *0x200a4a(%rip) # 200fd0 30 | 586: 68 01 00 00 00 pushq $0x1 31 | 58b: e9 d0 ff ff ff jmpq 560 <.plt> 32 | 33 | Disassembly of section .plt.got: 34 | 35 | 0000000000000590 <__cxa_finalize@plt>: 36 | 590: ff 25 62 0a 20 00 jmpq *0x200a62(%rip) # 200ff8 <__cxa_finalize@GLIBC_2.2.5> 37 | 596: 66 90 xchg %ax,%ax 38 | 39 | Disassembly of section .text: 40 | 41 | 00000000000005a0 <_start>: 42 | 5a0: 31 ed xor %ebp,%ebp 43 | 5a2: 49 89 d1 mov %rdx,%r9 44 | 5a5: 5e pop %rsi 45 | 5a6: 48 89 e2 mov %rsp,%rdx 46 | 5a9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 47 | 5ad: 50 push %rax 48 | 5ae: 54 push %rsp 49 | 5af: 4c 8d 05 5a 02 00 00 lea 0x25a(%rip),%r8 # 810 <__libc_csu_fini> 50 | 5b6: 48 8d 0d e3 01 00 00 lea 0x1e3(%rip),%rcx # 7a0 <__libc_csu_init> 51 | 5bd: 48 8d 3d 6f 01 00 00 lea 0x16f(%rip),%rdi # 733
52 | 5c4: ff 15 16 0a 20 00 callq *0x200a16(%rip) # 200fe0 <__libc_start_main@GLIBC_2.2.5> 53 | 5ca: f4 hlt 54 | 5cb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 55 | 56 | 00000000000005d0 : 57 | 5d0: 48 8d 3d 39 0a 20 00 lea 0x200a39(%rip),%rdi # 201010 <__TMC_END__> 58 | 5d7: 55 push %rbp 59 | 5d8: 48 8d 05 31 0a 20 00 lea 0x200a31(%rip),%rax # 201010 <__TMC_END__> 60 | 5df: 48 39 f8 cmp %rdi,%rax 61 | 5e2: 48 89 e5 mov %rsp,%rbp 62 | 5e5: 74 19 je 600 63 | 5e7: 48 8b 05 ea 09 20 00 mov 0x2009ea(%rip),%rax # 200fd8 <_ITM_deregisterTMCloneTable> 64 | 5ee: 48 85 c0 test %rax,%rax 65 | 5f1: 74 0d je 600 66 | 5f3: 5d pop %rbp 67 | 5f4: ff e0 jmpq *%rax 68 | 5f6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 69 | 5fd: 00 00 00 70 | 600: 5d pop %rbp 71 | 601: c3 retq 72 | 602: 0f 1f 40 00 nopl 0x0(%rax) 73 | 606: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 74 | 60d: 00 00 00 75 | 76 | 0000000000000610 : 77 | 610: 48 8d 3d f9 09 20 00 lea 0x2009f9(%rip),%rdi # 201010 <__TMC_END__> 78 | 617: 48 8d 35 f2 09 20 00 lea 0x2009f2(%rip),%rsi # 201010 <__TMC_END__> 79 | 61e: 55 push %rbp 80 | 61f: 48 29 fe sub %rdi,%rsi 81 | 622: 48 89 e5 mov %rsp,%rbp 82 | 625: 48 c1 fe 03 sar $0x3,%rsi 83 | 629: 48 89 f0 mov %rsi,%rax 84 | 62c: 48 c1 e8 3f shr $0x3f,%rax 85 | 630: 48 01 c6 add %rax,%rsi 86 | 633: 48 d1 fe sar %rsi 87 | 636: 74 18 je 650 88 | 638: 48 8b 05 b1 09 20 00 mov 0x2009b1(%rip),%rax # 200ff0 <_ITM_registerTMCloneTable> 89 | 63f: 48 85 c0 test %rax,%rax 90 | 642: 74 0c je 650 91 | 644: 5d pop %rbp 92 | 645: ff e0 jmpq *%rax 93 | 647: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 94 | 64e: 00 00 95 | 650: 5d pop %rbp 96 | 651: c3 retq 97 | 652: 0f 1f 40 00 nopl 0x0(%rax) 98 | 656: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 99 | 65d: 00 00 00 100 | 101 | 0000000000000660 <__do_global_dtors_aux>: 102 | 660: 80 3d a9 09 20 00 00 cmpb $0x0,0x2009a9(%rip) # 201010 <__TMC_END__> 103 | 667: 75 2f jne 698 <__do_global_dtors_aux+0x38> 104 | 669: 48 83 3d 87 09 20 00 cmpq $0x0,0x200987(%rip) # 200ff8 <__cxa_finalize@GLIBC_2.2.5> 105 | 670: 00 106 | 671: 55 push %rbp 107 | 672: 48 89 e5 mov %rsp,%rbp 108 | 675: 74 0c je 683 <__do_global_dtors_aux+0x23> 109 | 677: 48 8b 3d 8a 09 20 00 mov 0x20098a(%rip),%rdi # 201008 <__dso_handle> 110 | 67e: e8 0d ff ff ff callq 590 <__cxa_finalize@plt> 111 | 683: e8 48 ff ff ff callq 5d0 112 | 688: c6 05 81 09 20 00 01 movb $0x1,0x200981(%rip) # 201010 <__TMC_END__> 113 | 68f: 5d pop %rbp 114 | 690: c3 retq 115 | 691: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 116 | 698: f3 c3 repz retq 117 | 69a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 118 | 119 | 00000000000006a0 : 120 | 6a0: 55 push %rbp 121 | 6a1: 48 89 e5 mov %rsp,%rbp 122 | 6a4: 5d pop %rbp 123 | 6a5: e9 66 ff ff ff jmpq 610 124 | 125 | 00000000000006aa : 126 | 6aa: 55 push %rbp 127 | 6ab: 48 89 e5 mov %rsp,%rbp 128 | 6ae: 89 7d fc mov %edi,-0x4(%rbp) 129 | 6b1: 81 7d fc ff 00 00 00 cmpl $0xff,-0x4(%rbp) 130 | 6b8: 76 07 jbe 6c1 131 | 6ba: b8 09 00 00 00 mov $0x9,%eax 132 | 6bf: eb 70 jmp 731 133 | 6c1: 81 7d fc 80 00 00 00 cmpl $0x80,-0x4(%rbp) 134 | 6c8: 76 07 jbe 6d1 135 | 6ca: b8 08 00 00 00 mov $0x8,%eax 136 | 6cf: eb 60 jmp 731 137 | 6d1: 83 7d fc 40 cmpl $0x40,-0x4(%rbp) 138 | 6d5: 76 07 jbe 6de 139 | 6d7: b8 07 00 00 00 mov $0x7,%eax 140 | 6dc: eb 53 jmp 731 141 | 6de: 83 7d fc 20 cmpl $0x20,-0x4(%rbp) 142 | 6e2: 76 07 jbe 6eb 143 | 6e4: b8 06 00 00 00 mov $0x6,%eax 144 | 6e9: eb 46 jmp 731 145 | 6eb: 83 7d fc 10 cmpl $0x10,-0x4(%rbp) 146 | 6ef: 76 07 jbe 6f8 147 | 6f1: b8 05 00 00 00 mov $0x5,%eax 148 | 6f6: eb 39 jmp 731 149 | 6f8: 83 7d fc 08 cmpl $0x8,-0x4(%rbp) 150 | 6fc: 76 07 jbe 705 151 | 6fe: b8 04 00 00 00 mov $0x4,%eax 152 | 703: eb 2c jmp 731 153 | 705: 83 7d fc 04 cmpl $0x4,-0x4(%rbp) 154 | 709: 76 07 jbe 712 155 | 70b: b8 03 00 00 00 mov $0x3,%eax 156 | 710: eb 1f jmp 731 157 | 712: 83 7d fc 02 cmpl $0x2,-0x4(%rbp) 158 | 716: 76 07 jbe 71f 159 | 718: b8 02 00 00 00 mov $0x2,%eax 160 | 71d: eb 12 jmp 731 161 | 71f: 83 7d fc 01 cmpl $0x1,-0x4(%rbp) 162 | 723: 76 07 jbe 72c 163 | 725: b8 01 00 00 00 mov $0x1,%eax 164 | 72a: eb 05 jmp 731 165 | 72c: b8 00 00 00 00 mov $0x0,%eax 166 | 731: 5d pop %rbp 167 | 732: c3 retq 168 | 169 | 0000000000000733
: 170 | 733: 55 push %rbp 171 | 734: 48 89 e5 mov %rsp,%rbp 172 | 737: 48 83 ec 20 sub $0x20,%rsp 173 | 73b: 89 7d ec mov %edi,-0x14(%rbp) 174 | 73e: 48 89 75 e0 mov %rsi,-0x20(%rbp) 175 | 742: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 176 | 749: 00 00 177 | 74b: 48 89 45 f8 mov %rax,-0x8(%rbp) 178 | 74f: 31 c0 xor %eax,%eax 179 | 751: 48 8d 45 f3 lea -0xd(%rbp),%rax 180 | 755: ba 01 00 00 00 mov $0x1,%edx 181 | 75a: 48 89 c6 mov %rax,%rsi 182 | 75d: bf 00 00 00 00 mov $0x0,%edi 183 | 762: e8 19 fe ff ff callq 580 184 | 767: 0f b6 45 f3 movzbl -0xd(%rbp),%eax 185 | 76b: 0f b6 c0 movzbl %al,%eax 186 | 76e: 89 c7 mov %eax,%edi 187 | 770: e8 35 ff ff ff callq 6aa 188 | 775: 89 45 f4 mov %eax,-0xc(%rbp) 189 | 778: 8b 45 f4 mov -0xc(%rbp),%eax 190 | 77b: 48 8b 4d f8 mov -0x8(%rbp),%rcx 191 | 77f: 64 48 33 0c 25 28 00 xor %fs:0x28,%rcx 192 | 786: 00 00 193 | 788: 74 05 je 78f 194 | 78a: e8 e1 fd ff ff callq 570 <__stack_chk_fail@plt> 195 | 78f: c9 leaveq 196 | 790: c3 retq 197 | 791: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 198 | 798: 00 00 00 199 | 79b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 200 | 201 | 00000000000007a0 <__libc_csu_init>: 202 | 7a0: 41 57 push %r15 203 | 7a2: 41 56 push %r14 204 | 7a4: 49 89 d7 mov %rdx,%r15 205 | 7a7: 41 55 push %r13 206 | 7a9: 41 54 push %r12 207 | 7ab: 4c 8d 25 fe 05 20 00 lea 0x2005fe(%rip),%r12 # 200db0 <__frame_dummy_init_array_entry> 208 | 7b2: 55 push %rbp 209 | 7b3: 48 8d 2d fe 05 20 00 lea 0x2005fe(%rip),%rbp # 200db8 <__init_array_end> 210 | 7ba: 53 push %rbx 211 | 7bb: 41 89 fd mov %edi,%r13d 212 | 7be: 49 89 f6 mov %rsi,%r14 213 | 7c1: 4c 29 e5 sub %r12,%rbp 214 | 7c4: 48 83 ec 08 sub $0x8,%rsp 215 | 7c8: 48 c1 fd 03 sar $0x3,%rbp 216 | 7cc: e8 77 fd ff ff callq 548 <_init> 217 | 7d1: 48 85 ed test %rbp,%rbp 218 | 7d4: 74 20 je 7f6 <__libc_csu_init+0x56> 219 | 7d6: 31 db xor %ebx,%ebx 220 | 7d8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 221 | 7df: 00 222 | 7e0: 4c 89 fa mov %r15,%rdx 223 | 7e3: 4c 89 f6 mov %r14,%rsi 224 | 7e6: 44 89 ef mov %r13d,%edi 225 | 7e9: 41 ff 14 dc callq *(%r12,%rbx,8) 226 | 7ed: 48 83 c3 01 add $0x1,%rbx 227 | 7f1: 48 39 dd cmp %rbx,%rbp 228 | 7f4: 75 ea jne 7e0 <__libc_csu_init+0x40> 229 | 7f6: 48 83 c4 08 add $0x8,%rsp 230 | 7fa: 5b pop %rbx 231 | 7fb: 5d pop %rbp 232 | 7fc: 41 5c pop %r12 233 | 7fe: 41 5d pop %r13 234 | 800: 41 5e pop %r14 235 | 802: 41 5f pop %r15 236 | 804: c3 retq 237 | 805: 90 nop 238 | 806: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 239 | 80d: 00 00 00 240 | 241 | 0000000000000810 <__libc_csu_fini>: 242 | 810: f3 c3 repz retq 243 | 244 | Disassembly of section .fini: 245 | 246 | 0000000000000814 <_fini>: 247 | 814: 48 83 ec 08 sub $0x8,%rsp 248 | 818: 48 83 c4 08 add $0x8,%rsp 249 | 81c: c3 retq 250 | -------------------------------------------------------------------------------- /ProgramUnderTest/SourceCode/replace.c: -------------------------------------------------------------------------------- 1 | /* -*- Last-Edit: Mon Dec 7 10:31:51 1992 by Tarak S. Goradia; -*- */ 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | void Caseerror(); 9 | 10 | typedef char bool; 11 | # define false 0 12 | # define true 1 13 | 14 | # define MYMAX 10 15 | # define MYLINEMAX 20 16 | 17 | # define MAXSTR 100 18 | # define MAXPAT MAXSTR 19 | 20 | # define ENDSTR '\0' 21 | # define ESCAPE '@' 22 | # define CLOSURE '*' 23 | # define BOL '%' 24 | # define EOL '$' 25 | # define ANY '?' 26 | # define CCL '[' 27 | # define CCLEND ']' 28 | # define NEGATE '^' 29 | # define NCCL '!' 30 | # define LITCHAR 'c' 31 | # define DITTO -1 32 | # define DASH '-' 33 | 34 | # define TAB 9 35 | # define NEWLINE 10 36 | 37 | # define CLOSIZE 1 38 | 39 | typedef char character; 40 | typedef char string[MAXSTR]; 41 | 42 | bool 43 | getline2(s, maxsize) 44 | char *s; 45 | int maxsize; 46 | { 47 | int i; 48 | for (i = 0; i < MYLINEMAX-1; i++) { 49 | // CREST_char(s[i]); 50 | s[i] = __VERIFIER_nondet_char(); 51 | } 52 | s[i] = '\0'; 53 | return true; 54 | } 55 | 56 | int 57 | addstr(c, outset, j, maxset) 58 | char c; 59 | char *outset; 60 | int *j; 61 | int maxset; 62 | { 63 | bool result; 64 | if (*j >= maxset) 65 | result = false; 66 | else { 67 | outset[*j] = c; 68 | *j = *j + 1; 69 | result = true; 70 | } 71 | return result; 72 | } 73 | 74 | char 75 | esc(s, i) 76 | char *s; 77 | int *i; 78 | { 79 | char result; 80 | if (s[*i] != ESCAPE) 81 | result = s[*i]; 82 | else 83 | if (s[*i + 1] == ENDSTR) 84 | result = ESCAPE; 85 | else 86 | { 87 | *i = *i + 1; 88 | if (s[*i] == 'n') 89 | result = NEWLINE; 90 | else 91 | if (s[*i] == 't') 92 | result = TAB; 93 | else 94 | result = s[*i]; 95 | } 96 | return result; 97 | } 98 | 99 | void change(); 100 | 101 | void 102 | dodash(delim, src, i, dest, j, maxset) 103 | char delim; 104 | char *src; 105 | int *i; 106 | char *dest; 107 | int *j; 108 | int maxset; 109 | { 110 | int k; 111 | bool junk; 112 | char escjunk; 113 | 114 | while ((src[*i] != delim) && (src[*i] != ENDSTR)) 115 | { 116 | if (src[*i - 1] == ESCAPE) { 117 | escjunk = esc(src, i); 118 | junk = addstr(escjunk, dest, j, maxset); 119 | } else 120 | if (src[*i] != DASH) 121 | junk = addstr(src[*i], dest, j, maxset); 122 | else if (*j <= 1 || src[*i + 1] == ENDSTR) 123 | junk = addstr(DASH, dest, j, maxset); 124 | else if ((isalnum(src[*i - 1])) && (isalnum(src[*i + 1])) 125 | && (src[*i - 1] <= src[*i + 1])) 126 | { 127 | for (k = src[*i-1]+1; k<=src[*i+1]; k++) 128 | { 129 | junk = addstr(k, dest, j, maxset); 130 | } 131 | *i = *i + 1; 132 | } 133 | else 134 | junk = addstr(DASH, dest, j, maxset); 135 | (*i) = (*i) + 1; 136 | } 137 | } 138 | 139 | bool 140 | getccl(arg, i, pat, j) 141 | char *arg; 142 | int *i; 143 | char *pat; 144 | int *j; 145 | { 146 | int jstart; 147 | bool junk; 148 | 149 | *i = *i + 1; 150 | if (arg[*i] == NEGATE) { 151 | junk = addstr(NCCL, pat, j, MAXPAT); 152 | *i = *i + 1; 153 | } else 154 | junk = addstr(CCL, pat, j, MAXPAT); 155 | jstart = *j; 156 | junk = addstr(0, pat, j, MAXPAT); 157 | dodash(CCLEND, arg, i, pat, j, MAXPAT); 158 | pat[jstart] = *j - jstart - 1; 159 | return (arg[*i] == CCLEND); 160 | } 161 | 162 | void 163 | stclose(pat, j, lastj) 164 | char *pat; 165 | int *j; 166 | int lastj; 167 | { 168 | int jt; 169 | int jp; 170 | bool junk; 171 | 172 | 173 | for (jp = *j - 1; jp >= lastj ; jp--) 174 | { 175 | jt = jp + CLOSIZE; 176 | junk = addstr(pat[jp], pat, &jt, MAXPAT); 177 | } 178 | *j = *j + CLOSIZE; 179 | pat[lastj] = CLOSURE; 180 | } 181 | 182 | bool in_set_2(c) 183 | char c; 184 | { 185 | return (c == BOL || c == EOL || c == CLOSURE); 186 | } 187 | 188 | bool in_pat_set(c) 189 | char c; 190 | { 191 | return ( c == LITCHAR || c == BOL || c == EOL || c == ANY 192 | || c == CCL || c == NCCL || c == CLOSURE); 193 | } 194 | 195 | int 196 | makepat(arg, start, delim, pat) 197 | char *arg; 198 | int start; 199 | char delim; 200 | char *pat; 201 | { 202 | int result; 203 | int i, j, lastj, lj; 204 | bool done, junk; 205 | bool getres; 206 | char escjunk; 207 | 208 | j = 0; 209 | i = start; 210 | lastj = 0; 211 | done = false; 212 | while ((!done) && (arg[i] != delim) && (arg[i] != ENDSTR)) { 213 | lj = j; 214 | if ((arg[i] == ANY)) 215 | junk = addstr(ANY, pat, &j, MAXPAT); 216 | else if ((arg[i] == BOL) && (i == start)) 217 | junk = addstr(BOL, pat, &j, MAXPAT); 218 | else if ((arg[i] == EOL) && (arg[i+1] == delim)) 219 | junk = addstr(EOL, pat, &j, MAXPAT); 220 | else if ((arg[i] == CCL)) 221 | { 222 | getres = getccl(arg, &i, pat, &j); 223 | done = (bool)(getres == false); 224 | } 225 | else if ((arg[i] == CLOSURE) && (i > start)) 226 | { 227 | lj = lastj; 228 | if (in_set_2(pat[lj])) 229 | done = true; 230 | else 231 | stclose(pat, &j, lastj); 232 | } 233 | else 234 | { 235 | junk = addstr(LITCHAR, pat, &j, MAXPAT); 236 | escjunk = esc(arg, &i); 237 | junk = addstr(escjunk, pat, &j, MAXPAT); 238 | } 239 | lastj = lj; 240 | if ((!done)) 241 | i = i + 1; 242 | } 243 | junk = addstr(ENDSTR, pat, &j, MAXPAT); 244 | if ((done) || (arg[i] != delim)) 245 | result = 0; 246 | else 247 | if ((!junk)) 248 | result = 0; 249 | else 250 | result = i; 251 | return result; 252 | } 253 | 254 | int 255 | getpat(arg, pat) 256 | char* arg; 257 | char* pat; 258 | { 259 | int makeres; 260 | 261 | makeres = makepat(arg, 0, ENDSTR, pat); 262 | return (makeres > 0); 263 | } 264 | 265 | int 266 | makesub(arg, from, delim, sub) 267 | char* arg; 268 | int from; 269 | character delim; 270 | char* sub; 271 | { 272 | int result; 273 | int i, j; 274 | bool junk; 275 | character escjunk; 276 | 277 | j = 0; 278 | i = from; 279 | while ((arg[i] != delim) && (arg[i] != ENDSTR)) { 280 | if ((arg[i] == (unsigned)('&'))) 281 | junk = addstr(DITTO, sub, &j, MAXPAT); 282 | else { 283 | escjunk = esc(arg, &i); 284 | junk = addstr(escjunk, sub, &j, MAXPAT); 285 | } 286 | i = i + 1; 287 | } 288 | if (arg[i] != delim) 289 | result = 0; 290 | else { 291 | junk = addstr(ENDSTR, &(*sub), &j, MAXPAT); 292 | if ((!junk)) 293 | result = 0; 294 | else 295 | result = i; 296 | } 297 | return result; 298 | } 299 | 300 | bool 301 | getsub(arg, sub) 302 | char* arg; 303 | char* sub; 304 | { 305 | int makeres; 306 | 307 | makeres = makesub(arg, 0, ENDSTR, sub); 308 | return (makeres > 0); 309 | } 310 | 311 | void subline(); 312 | 313 | bool 314 | locate(c, pat, offset) 315 | character c; 316 | char * pat; 317 | int offset; 318 | { 319 | int i; 320 | bool flag; 321 | 322 | flag = false; 323 | i = offset + pat[offset]; 324 | while ((i > offset)) 325 | { 326 | if (c == pat[i]) { 327 | flag = true; 328 | i = offset; 329 | } else 330 | i = i - 1; 331 | } 332 | return flag; 333 | } 334 | 335 | bool 336 | omatch(lin, i, pat, j) 337 | char* lin; 338 | int *i; 339 | char* pat; 340 | int j; 341 | { 342 | char advance; 343 | bool result; 344 | 345 | advance = -1; 346 | if ((lin[*i] == ENDSTR)) 347 | result = false; 348 | else 349 | { 350 | if (!in_pat_set(pat[j])) 351 | { 352 | (void)fprintf(stdout, "in omatch: can't happen\n"); 353 | abort(); 354 | } else 355 | { 356 | switch (pat[j]) 357 | { 358 | case LITCHAR: 359 | if (lin[*i] == pat[j + 1]) 360 | advance = 1; 361 | break ; 362 | case BOL: 363 | if (*i == 0) 364 | advance = 0; 365 | break ; 366 | case ANY: 367 | if (lin[*i] != NEWLINE) 368 | advance = 1; 369 | break ; 370 | case EOL: 371 | if (lin[*i] == NEWLINE) 372 | advance = 0; 373 | break ; 374 | case CCL: 375 | if (locate(lin[*i], pat, j + 1)) 376 | advance = 1; 377 | break ; 378 | case NCCL: 379 | if ((lin[*i] != NEWLINE) && (!locate(lin[*i], pat, j+1))) 380 | advance = 1; 381 | break ; 382 | default: 383 | Caseerror(pat[j]); 384 | }; 385 | } 386 | } 387 | if ((advance >= 0)) 388 | { 389 | *i = *i + advance; 390 | result = true; 391 | } else 392 | result = false; 393 | return result; 394 | } 395 | 396 | int 397 | patsize(pat, n) 398 | char* pat; 399 | int n; 400 | { 401 | int size; 402 | if (!in_pat_set(pat[n])) { 403 | (void)fprintf(stdout, "in patsize: can't happen\n"); 404 | abort(); 405 | } else 406 | switch (pat[n]) 407 | { 408 | case LITCHAR: size = 2; break; 409 | 410 | case BOL: case EOL: case ANY: 411 | size = 1; 412 | break; 413 | case CCL: case NCCL: 414 | size = pat[n + 1] + 2; 415 | break ; 416 | case CLOSURE: 417 | size = CLOSIZE; 418 | break ; 419 | default: 420 | Caseerror(pat[n]); 421 | } 422 | return size; 423 | } 424 | 425 | int 426 | amatch(lin, offset, pat, j) 427 | char* lin; 428 | int offset; 429 | char* pat; 430 | int j; 431 | { 432 | int i, k; 433 | bool result, done; 434 | 435 | done = false; 436 | while ((!done) && (pat[j] != ENDSTR)) 437 | if ((pat[j] == CLOSURE)) { 438 | j = j + patsize(pat, j); 439 | i = offset; 440 | while ((!done) && (lin[i] != ENDSTR)) { 441 | result = omatch(lin, &i, pat, j); 442 | if (!result) 443 | done = true; 444 | } 445 | done = false; 446 | while ((!done) && (i >= offset)) { 447 | k = amatch(lin, i, pat, j + patsize(pat, j)); 448 | if ((k >= 0)) 449 | done = true; 450 | else 451 | i = i - 1; 452 | } 453 | offset = k; 454 | done = true; 455 | } else { 456 | result = omatch(lin, &offset, pat, j); 457 | if ((!result)) { 458 | offset = -1; 459 | done = true; 460 | } else 461 | j = j + patsize(pat, j); 462 | } 463 | return offset; 464 | } 465 | 466 | void 467 | putsub(lin, s1, s2, sub) 468 | char * lin; 469 | int s1, s2; 470 | char * sub; 471 | { 472 | int i; 473 | int j; 474 | 475 | i = 0; 476 | while ((sub[i] != ENDSTR)) { 477 | if ((sub[i] == DITTO)) 478 | for (j = s1; j < s2; j++) 479 | { 480 | fputc(lin[j],stdout); 481 | } 482 | else 483 | { 484 | fputc(sub[i],stdout); 485 | } 486 | i = i + 1; 487 | } 488 | } 489 | 490 | void 491 | subline(lin, pat, sub) 492 | char *lin; 493 | char *pat; 494 | char *sub; 495 | { 496 | int i, lastm, m; 497 | 498 | lastm = -1; 499 | i = 0; 500 | while ((lin[i] != ENDSTR)) 501 | { 502 | m = amatch(lin, i, pat, 0); 503 | if ((m >= 0) && (lastm != m)) { 504 | putsub(lin, i, m, sub); 505 | lastm = m; 506 | } 507 | if ((m == -1) || (m == i)) { 508 | fputc(lin[i],stdout); 509 | i = i + 1; 510 | } else 511 | i = m; 512 | } 513 | } 514 | 515 | void 516 | change(pat, sub) 517 | char *pat, *sub; 518 | { 519 | string line; 520 | bool result; 521 | 522 | result = getline2(line, MAXSTR); 523 | if (result) { 524 | subline(line, pat, sub); 525 | } 526 | } 527 | 528 | int 529 | main() 530 | { 531 | string pat, sub; 532 | bool result; 533 | 534 | string input1; 535 | string input2; 536 | 537 | int i; 538 | for (i = 0; i < MYMAX-1; i++) { 539 | // CREST_char(input1[i]); 540 | input1[i] = __VERIFIER_nondet_char(); 541 | } 542 | input1[i] = 0; 543 | 544 | result = getpat(input1, pat); 545 | if (!result) 546 | { 547 | (void)fprintf(stdout, "change: illegal \"from\" pattern\n"); 548 | exit(2); 549 | } 550 | 551 | for (i = 0; i < MYMAX-1; i++) { 552 | // CREST_char(input2[i]); 553 | input2[i] = __VERIFIER_nondet_char(); 554 | } 555 | input2[i] = 0; 556 | 557 | result = getsub(input2, sub); 558 | if (!result) 559 | { 560 | (void)fprintf(stdout, "change: illegal \"to\" string\n"); 561 | exit(3); 562 | } 563 | 564 | change(pat, sub); 565 | return 0; 566 | } 567 | 568 | void 569 | Caseerror(n) 570 | int n; 571 | { 572 | (void)fprintf(stdout, "Missing case limb: line %d\n", n); 573 | exit(4); 574 | } 575 | -------------------------------------------------------------------------------- /Baselines/DFS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import datetime 5 | import logging 6 | import os 7 | import signal 8 | import struct 9 | import subprocess as sp 10 | import sys 11 | import time 12 | import random 13 | import pdb 14 | from typing import List 15 | 16 | from multiprocessing import Pool, cpu_count 17 | from angr import Project 18 | from angr.errors import SimProcedureError, SimMemoryAddressError, SimUnsatError 19 | from angr.storage.file import SimFileStream 20 | 21 | BINARY = None 22 | SAVE_TESTCASES = False 23 | SAVE_TESTINPUTS = False 24 | TIME_START = time.time() 25 | MAX_TIME = 0 26 | SYMEX_TIMEOUT = 0 # in secs 27 | CONEX_TIMEOUT = None # in secs 28 | # PATH_COUNT = 0 29 | SIMPOOL = None 30 | RAN_SEED = 0 31 | 32 | # Logging 33 | LOGGER = logging.getLogger("Legion") 34 | LOGGER.setLevel(logging.ERROR) 35 | sthl = logging.StreamHandler() 36 | sthl.setFormatter(fmt=logging.Formatter('%(message)s')) 37 | LOGGER.addHandler(sthl) 38 | logging.getLogger('angr').setLevel('ERROR') 39 | 40 | 41 | def explore(): 42 | project = Project( 43 | thing=UNINSTR_BIN, 44 | ignore_functions=['printf', '__trace_jump', '__trace_jump_set']) 45 | entry = project.factory.entry_state(stdin=SimFileStream) 46 | symex_paths_gen = my_symex_rec(entry, [entry]) 47 | symex_paths = [symex_path for symex_path in symex_paths_gen] 48 | global SIMPOOL 49 | SIMPOOL = Pool(processes=CORE) if (CORE > 1 and not SIMPOOL) else None 50 | 51 | if SIMPOOL: 52 | conex_paths = SIMPOOL.map(enumerate_path, symex_paths) 53 | else: 54 | conex_paths = [enumerate_path(symex_path) for symex_path in symex_paths] 55 | return len(conex_paths) 56 | 57 | 58 | def enumerate_path(symex_path): 59 | LOGGER.info("Starting to enumerate a path...") 60 | value = solve_inputs(symex_path[-1]) 61 | conex_result = my_conex(value) 62 | conex_path, return_code = conex_result 63 | 64 | LOGGER.info("INPUT value: {}; INPUT bytes: {}; RETURN code: {}" 65 | .format(int.from_bytes(value, 'big', signed=True), 66 | value, 67 | return_code)) 68 | LOGGER.info("{} {} {}".format("SymEx".rjust(9), "ConEx".ljust(9), 69 | "Constraints")) 70 | for node in symex_path: 71 | constraints = node.solver.constraints 72 | if conex_path and hex(node.addr) == conex_path[0]: 73 | LOGGER.info(hex(node.addr).rjust(9), 74 | conex_path[0].ljust(9), 75 | constraints) 76 | conex_path.pop(0) 77 | else: 78 | LOGGER.info("{} {} {}".format( 79 | hex(node.addr).rjust(9), ''.rjust(9), constraints)) 80 | for addr in conex_path: 81 | LOGGER.info("ConEx addr not in SymEx:", addr) 82 | LOGGER.info("\n") 83 | return conex_path 84 | 85 | 86 | def symex_step(node): 87 | try: 88 | successors = node.step().successors 89 | except (SimProcedureError, SimMemoryAddressError, SimUnsatError): 90 | successors = [] 91 | return successors 92 | 93 | 94 | def my_symex_rec(root, prefix): 95 | children = symex_step(root) 96 | if children: 97 | for child in children: 98 | for path in my_symex_rec(child, prefix + [child]): 99 | yield path 100 | else: 101 | yield prefix 102 | 103 | 104 | def solve_inputs(leaf): 105 | target = leaf.posix.stdin.load(0, leaf.posix.stdin.size) 106 | value = leaf.solver.eval(target, cast_to=bytes) 107 | return value 108 | 109 | 110 | def my_conex(value): 111 | conex_path = concrete_execute(value) 112 | return conex_path 113 | 114 | 115 | def concrete_execute(input_bytes: bytes) -> (List[str], int): 116 | """ 117 | Execute the binary with an input in bytes 118 | :param input_bytes: the input to feed the binary 119 | :return: the execution trace in a list 120 | """ 121 | 122 | def unpack(output): 123 | return [addr for i in range(int(len(output) / 8)) 124 | for addr in struct.unpack_from('q', output, i * 8)] 125 | 126 | def execute(): 127 | program = sp.Popen(UNINSTR_BIN, stdin=sp.PIPE, stdout=sp.PIPE, 128 | stderr=sp.PIPE, close_fds=True) 129 | try: 130 | msg = program.communicate(input_bytes, timeout=CONEX_TIMEOUT) 131 | ret = program.returncode 132 | 133 | program.kill() 134 | del program 135 | return msg, ret 136 | except sp.TimeoutExpired: 137 | LOGGER.error("Binary execution time out") 138 | exit(2) 139 | 140 | report = execute() 141 | report_msg, return_code = report 142 | error_msg = report_msg[1] 143 | trace = unpack(error_msg) 144 | 145 | if SAVE_TESTCASES or SAVE_TESTINPUTS: 146 | time_stamp = time.clock() 147 | if SAVE_TESTCASES: 148 | output_msg = report_msg[0].decode('utf-8') 149 | save_tests_to_file(time_stamp, output_msg) 150 | if SAVE_TESTINPUTS: 151 | save_input_to_file(input_bytes, time_stamp) 152 | 153 | return [hex(addr) for addr in trace], return_code 154 | 155 | 156 | def save_input_to_file(time_stamp, input_bytes): 157 | os.system("mkdir -p inputs/{}".format(DIR_NAME)) 158 | with open('inputs/{}/{}'.format(DIR_NAME, time_stamp), 'wb+') as input_file: 159 | input_file.write(input_bytes) 160 | 161 | 162 | def save_tests_to_file(time_stamp, data): 163 | with open('tests/{}/{}.xml'.format( 164 | DIR_NAME, time_stamp), 'wt+') as input_file: 165 | input_file.write( 166 | '\n') 167 | input_file.write( 168 | '\n') 169 | input_file.write('\n') 170 | input_file.write(data) 171 | input_file.write('\n') 172 | 173 | 174 | def run_with_timeout() -> int: 175 | """ 176 | A wrapper for run(), break run() when MAX_TIME is reached 177 | """ 178 | 179 | def raise_timeout(signum, frame): 180 | LOGGER.debug("Signum: {};\nFrame: {};".format(signum, frame)) 181 | LOGGER.info("{} seconds time out!".format(MAX_TIME)) 182 | raise TimeoutError 183 | 184 | assert MAX_TIME 185 | # Register a function to raise a TimeoutError on the signal 186 | signal.signal(signal.SIGALRM, raise_timeout) 187 | # Schedule the signal to be sent after MAX_TIME 188 | signal.alarm(MAX_TIME) 189 | try: 190 | return explore() 191 | except TimeoutError: 192 | pass 193 | 194 | 195 | def main() -> int: 196 | """ 197 | MAX_TIME == 0: Unlimited time budget 198 | MAX_TIME > 0: Time budget is MAX_TIME 199 | """ 200 | if MAX_TIME: 201 | return run_with_timeout() 202 | else: 203 | return explore() 204 | 205 | 206 | if __name__ == '__main__': 207 | sys.setrecursionlimit(1000000) 208 | parser = argparse.ArgumentParser(description='DFS') 209 | # parser.add_argument('--sv-comp', action="store_true", 210 | # help='Link __VERIFIER_*() functions, *.i files implies --source') 211 | parser.add_argument('--save-inputs', action='store_true', 212 | help='Save inputs as binary files') 213 | parser.add_argument('--save-tests', action='store_true', 214 | help='Save inputs as TEST-COMP xml files') 215 | parser.add_argument('-v', '--verbose', action="store_true", 216 | help='Increase output verbosity') 217 | parser.add_argument("file", 218 | help='Binary or source file') 219 | parser.add_argument("--random-seed", type=int, default=RAN_SEED, 220 | help='The seed for randomness') 221 | parser.add_argument("--core", type=int, default=cpu_count()-1, 222 | help='Number of cores available') 223 | parser.add_argument("--symex-timeout", type=int, default=SYMEX_TIMEOUT, 224 | help='The time limit for symbolic execution') 225 | parser.add_argument("--conex-timeout", type=int, default=CONEX_TIMEOUT, 226 | help='The time limit for concrete binary execution') 227 | parser.add_argument("-o", default=None, 228 | help='Binary file output location when input is a C source') 229 | parser.add_argument("--compile", default="make", 230 | help='How to compile C input files') 231 | parser.add_argument("-64", dest="m64", action="store_true", 232 | help='Compile with -m64 (override platform default)') 233 | parser.add_argument("-32", dest="m32", action="store_true", 234 | help='Compile with -m32 (override platform default)') 235 | parser.add_argument("--cc", default="cc", 236 | help='C compiler to use together with --compile svcomp') 237 | args = parser.parse_args() 238 | 239 | SAVE_TESTINPUTS = args.save_inputs 240 | SAVE_TESTCASES = args.save_tests 241 | CORE = args.core 242 | SYMEX_TIMEOUT = args.symex_timeout 243 | CONEX_TIMEOUT = args.conex_timeout 244 | RAN_SEED = args.random_seed 245 | LOGGER.setLevel(logging.DEBUG if args.verbose else logging.ERROR) 246 | 247 | if RAN_SEED is not None: 248 | random.seed(RAN_SEED) 249 | 250 | if args.verbose: 251 | LOGGER.setLevel(logging.DEBUG) 252 | 253 | is_source = args.file[-2:] in ['.c', '.i'] 254 | if is_source: 255 | source = args.file 256 | stem = source[:-2] 257 | 258 | if args.m32 and args.m64: 259 | LOGGER.error("-32 is incompatible with -64") 260 | sys.exit(2) 261 | 262 | if args.m32: 263 | verifier_c = "./__VERIFIER32.c" 264 | else: 265 | verifier_c = "./__VERIFIER.c" 266 | 267 | # if args.compile == "make": 268 | # if args.o: 269 | # LOGGER.warning("--compile make overrides -o INSTR_BIN") 270 | # UNINSTR_BIN = stem 271 | # LOGGER.info('Making {}'.format(UNINSTR_BIN)) 272 | # sp.run(["make", "-B", UNINSTR_BIN]) 273 | # elif args.compile == "svcomp": 274 | # if not args.o: 275 | # LOGGER.error("--compile svcomp requires -o UNINSTR_BIN") 276 | # sys.exit(2) 277 | # UNINSTR_BIN = args.o 278 | # asm = UNINSTR_BIN + ".s" 279 | # sp.run([args.cc, "-no-pie", "-o", asm, "-S", source]) 280 | # sp.run([args.cc, "-no-pie", "-O0", "-o", UNINSTR_BIN, verifier_c, 281 | # "./__VERIFIER_assume.s", 282 | # "./__trace_jump.s", 283 | # "./__trace_buffered.c", 284 | # asm]) 285 | # elif args.compile == "trace-cc": 286 | # if args.o: 287 | # UNINSTR_BIN = args.o 288 | # else: 289 | # UNINSTR_BIN = stem 290 | # LOGGER.info('Compiling {} with trace-cc'.format(UNINSTR_BIN)) 291 | # sp.run(["./trace-cc", "-static", "-L.", "-legion", "-o", UNINSTR_BIN, source]) 292 | # else: 293 | # LOGGER.error("Invalid compilation mode: {}".format(args.compile)) 294 | # sys.exit(2) 295 | # 296 | # sp.run(["file", UNINSTR_BIN]) 297 | 298 | UNINSTR_BIN = args.o 299 | sp.run([args.cc, "-no-pie", "-O0", "-o", UNINSTR_BIN, 300 | verifier_c, "./__VERIFIER_assume.c", source]) 301 | sp.run(["file", UNINSTR_BIN]) 302 | else: 303 | UNINSTR_BIN = args.file 304 | sp.run(["file", UNINSTR_BIN]) 305 | 306 | binary_name = UNINSTR_BIN.split("/")[-1] 307 | DIR_NAME = "{}_{}".format(binary_name, TIME_START) 308 | PROGRAM_NAME = args.file.split("/")[-1] 309 | 310 | if is_source and SAVE_TESTCASES: 311 | os.system("mkdir -p tests/{}".format(DIR_NAME)) 312 | with open("tests/{}/metadata.xml".format(DIR_NAME), "wt+") as md: 313 | md.write('\n') 314 | md.write( 315 | '\n') 316 | md.write('\n') 317 | md.write('C\n') 318 | md.write('Legion\n') 319 | md.write( 320 | 'CHECK( LTL(G ! call(__VERIFIER_error())) )\n') 321 | md.write('{}\n'.format(args.file)) 322 | res = sp.run(["sha256sum", args.file], stdout=sp.PIPE) 323 | out = res.stdout.decode('utf-8') 324 | sha256sum = out[:64] 325 | md.write('{}\n'.format(sha256sum)) 326 | md.write('main\n') 327 | md.write('32bit\n') 328 | md.write('{}\n'.format( 329 | datetime.datetime.now())) 330 | md.write('\n') 331 | 332 | print(main()) 333 | -------------------------------------------------------------------------------- /Baselines/SymbolicExecution.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import argparse 4 | import datetime 5 | import logging 6 | import os 7 | import signal 8 | import struct 9 | import subprocess as sp 10 | import sys 11 | import time 12 | import random 13 | import pdb 14 | from typing import List 15 | 16 | from multiprocessing import Pool, cpu_count 17 | from angr import Project 18 | from angr.exploration_techniques import DFS 19 | from angr.errors import SimProcedureError, SimMemoryAddressError, SimUnsatError 20 | from angr.storage.file import SimFileStream 21 | 22 | BINARY = None 23 | SAVE_TESTCASES = False 24 | SAVE_TESTINPUTS = False 25 | TIME_START = time.time() 26 | MAX_TIME = 0 27 | SYMEX_TIMEOUT = 0 # in secs 28 | CONEX_TIMEOUT = None # in secs 29 | # PATH_COUNT = 0 30 | SIMPOOL = None 31 | RAN_SEED = 0 32 | 33 | # Logging 34 | LOGGER = logging.getLogger("Legion") 35 | LOGGER.setLevel(logging.ERROR) 36 | sthl = logging.StreamHandler() 37 | sthl.setFormatter(fmt=logging.Formatter('%(message)s')) 38 | LOGGER.addHandler(sthl) 39 | logging.getLogger('angr').setLevel('ERROR') 40 | 41 | 42 | def main() -> int: 43 | """ 44 | MAX_TIME == 0: Unlimited time budget 45 | MAX_TIME > 0: Time budget is MAX_TIME 46 | """ 47 | simgr = init_project() 48 | path = concrete_execute(b'\x00'*10)[0] 49 | print(path) 50 | # while simgr.active: 51 | # print(simgr.active) 52 | # simgr.step() 53 | 54 | for addr in path: 55 | # while simgr.active and addr not in [node.addr for node in simgr.active]: 56 | # print([(node.addr, addr, node.addr == addr) for node in simgr.active]) 57 | # simgr.step() 58 | simgr.step(until=lambda sm: len(sm.acitve) > 1) 59 | print(simgr.active) 60 | for node in simgr.active: 61 | if node.addr != addr: 62 | node.solve() 63 | pdb.set_trace() 64 | 65 | return 0 66 | # if MAX_TIME: 67 | # return run_with_timeout() 68 | # else: 69 | # return explore() 70 | 71 | 72 | def init_project(): 73 | project = Project( 74 | thing=INSTR_BIN, 75 | ignore_functions=['printf', '__trace_jump', '__trace_jump_set']) 76 | entry = project.factory.entry_state(stdin=SimFileStream) 77 | simgr = project.factory.simulation_manager(entry) 78 | simgr.use_technique(DFS()) 79 | return simgr 80 | 81 | # symex_paths_gen = my_symex_rec(entry, [entry]) 82 | # symex_paths = [symex_path for symex_path in symex_paths_gen] 83 | # global SIMPOOL 84 | # SIMPOOL = Pool(processes=CORE) if (CORE > 1 and not SIMPOOL) else None 85 | # 86 | # if SIMPOOL: 87 | # conex_paths = SIMPOOL.map(enumerate_path, symex_paths) 88 | # else: 89 | # conex_paths = [enumerate_path(symex_path) for symex_path in symex_paths] 90 | # return len(conex_paths) 91 | 92 | 93 | def enumerate_path(symex_path): 94 | LOGGER.info("Starting to enumerate a path...") 95 | value = solve_inputs(symex_path[-1]) 96 | conex_result = my_conex(value) 97 | conex_path, return_code = conex_result 98 | 99 | LOGGER.info("INPUT value: {}; INPUT bytes: {}; RETURN code: {}" 100 | .format(int.from_bytes(value, 'big', signed=True), 101 | value, 102 | return_code)) 103 | LOGGER.info("{} {} {}".format("SymEx".rjust(9), "ConEx".ljust(9), 104 | "Constraints")) 105 | for node in symex_path: 106 | constraints = node.solver.constraints 107 | if conex_path and hex(node.addr) == conex_path[0]: 108 | LOGGER.info(hex(node.addr).rjust(9), 109 | conex_path[0].ljust(9), 110 | constraints) 111 | conex_path.pop(0) 112 | else: 113 | LOGGER.info("{} {} {}".format( 114 | hex(node.addr).rjust(9), ''.rjust(9), constraints)) 115 | for addr in conex_path: 116 | LOGGER.info("ConEx addr not in SymEx:", addr) 117 | LOGGER.info("\n") 118 | return conex_path 119 | 120 | 121 | def symex_step(node): 122 | try: 123 | successors = node.step().successors 124 | except (SimProcedureError, SimMemoryAddressError, SimUnsatError): 125 | successors = [] 126 | return successors 127 | 128 | 129 | def my_symex_rec(root, prefix): 130 | children = symex_step(root) 131 | if children: 132 | for child in children: 133 | for path in my_symex_rec(child, prefix + [child]): 134 | yield path 135 | else: 136 | yield prefix 137 | 138 | 139 | def solve_inputs(leaf): 140 | target = leaf.posix.stdin.load(0, leaf.posix.stdin.size) 141 | value = leaf.solver.eval(target, cast_to=bytes) 142 | return value 143 | 144 | 145 | def my_conex(value): 146 | conex_path = concrete_execute(value) 147 | return conex_path 148 | 149 | 150 | def concrete_execute(input_bytes: bytes) -> (List[str], int): 151 | """ 152 | Execute the binary with an input in bytes 153 | :param input_bytes: the input to feed the binary 154 | :return: the execution trace in a list 155 | """ 156 | 157 | def unpack(output): 158 | return [addr for i in range(int(len(output) / 8)) 159 | for addr in struct.unpack_from('q', output, i * 8)] 160 | 161 | def execute(): 162 | program = sp.Popen(INSTR_BIN, stdin=sp.PIPE, stdout=sp.PIPE, 163 | stderr=sp.PIPE, close_fds=True) 164 | try: 165 | msg = program.communicate(input_bytes, timeout=CONEX_TIMEOUT) 166 | ret = program.returncode 167 | 168 | program.kill() 169 | del program 170 | return msg, ret 171 | except sp.TimeoutExpired: 172 | LOGGER.error("Binary execution time out") 173 | exit(2) 174 | 175 | report = execute() 176 | report_msg, return_code = report 177 | error_msg = report_msg[1] 178 | trace = unpack(error_msg) 179 | 180 | if SAVE_TESTCASES or SAVE_TESTINPUTS: 181 | time_stamp = time.clock() 182 | if SAVE_TESTCASES: 183 | output_msg = report_msg[0].decode('utf-8') 184 | save_tests_to_file(time_stamp, output_msg) 185 | if SAVE_TESTINPUTS: 186 | save_input_to_file(input_bytes, time_stamp) 187 | 188 | return trace, return_code 189 | 190 | 191 | def save_input_to_file(time_stamp, input_bytes): 192 | os.system("mkdir -p inputs/{}".format(DIR_NAME)) 193 | with open('inputs/{}/{}'.format(DIR_NAME, time_stamp), 'wb+') as input_file: 194 | input_file.write(input_bytes) 195 | 196 | 197 | def save_tests_to_file(time_stamp, data): 198 | with open('tests/{}/{}.xml'.format( 199 | DIR_NAME, time_stamp), 'wt+') as input_file: 200 | input_file.write( 201 | '\n') 202 | input_file.write( 203 | '\n') 204 | input_file.write('\n') 205 | input_file.write(data) 206 | input_file.write('\n') 207 | 208 | 209 | # def run_with_timeout() -> int: 210 | # """ 211 | # A wrapper for run(), break run() when MAX_TIME is reached 212 | # """ 213 | # 214 | # def raise_timeout(signum, frame): 215 | # LOGGER.debug("Signum: {};\nFrame: {};".format(signum, frame)) 216 | # LOGGER.info("{} seconds time out!".format(MAX_TIME)) 217 | # raise TimeoutError 218 | # 219 | # assert MAX_TIME 220 | # # Register a function to raise a TimeoutError on the signal 221 | # signal.signal(signal.SIGALRM, raise_timeout) 222 | # # Schedule the signal to be sent after MAX_TIME 223 | # signal.alarm(MAX_TIME) 224 | # try: 225 | # return explore() 226 | # except TimeoutError: 227 | # pass 228 | 229 | 230 | if __name__ == '__main__': 231 | sys.setrecursionlimit(1000000) 232 | parser = argparse.ArgumentParser(description='DFS') 233 | # parser.add_argument('--sv-comp', action="store_true", 234 | # help='Link __VERIFIER_*() functions, *.i files implies --source') 235 | parser.add_argument('--save-inputs', action='store_true', 236 | help='Save inputs as binary files') 237 | parser.add_argument('--save-tests', action='store_true', 238 | help='Save inputs as TEST-COMP xml files') 239 | parser.add_argument('-v', '--verbose', action="store_true", 240 | help='Increase output verbosity') 241 | parser.add_argument("file", 242 | help='Binary or source file') 243 | parser.add_argument("--random-seed", type=int, default=RAN_SEED, 244 | help='The seed for randomness') 245 | parser.add_argument("--core", type=int, default=1, 246 | help='Number of cores available') 247 | parser.add_argument("--symex-timeout", type=int, default=SYMEX_TIMEOUT, 248 | help='The time limit for symbolic execution') 249 | parser.add_argument("--conex-timeout", type=int, default=CONEX_TIMEOUT, 250 | help='The time limit for concrete binary execution') 251 | parser.add_argument("-o", default=None, 252 | help='Binary file output location when input is a C source') 253 | parser.add_argument("--compile", default="make", 254 | help='How to compile C input files') 255 | parser.add_argument("-64", dest="m64", action="store_true", 256 | help='Compile with -m64 (override platform default)') 257 | parser.add_argument("-32", dest="m32", action="store_true", 258 | help='Compile with -m32 (override platform default)') 259 | parser.add_argument("--cc", default="cc", 260 | help='C compiler to use together with --compile svcomp') 261 | args = parser.parse_args() 262 | 263 | SAVE_TESTINPUTS = args.save_inputs 264 | SAVE_TESTCASES = args.save_tests 265 | CORE = args.core 266 | SYMEX_TIMEOUT = args.symex_timeout 267 | CONEX_TIMEOUT = args.conex_timeout 268 | RAN_SEED = args.random_seed 269 | LOGGER.setLevel(logging.DEBUG if args.verbose else logging.ERROR) 270 | 271 | if RAN_SEED is not None: 272 | random.seed(RAN_SEED) 273 | 274 | if args.verbose: 275 | LOGGER.setLevel(logging.DEBUG) 276 | 277 | is_c = args.file[-2:] == '.c' 278 | is_i = args.file[-2:] == '.i' 279 | is_source = is_c or is_i 280 | 281 | if is_source: 282 | source = args.file 283 | stem = source[:-2] 284 | 285 | if args.m32 and args.m64: 286 | LOGGER.error("-32 is incompatible with -64") 287 | sys.exit(2) 288 | 289 | if args.m32: 290 | verifier_c = "__VERIFIER32.c" 291 | else: 292 | verifier_c = "__VERIFIER.c" 293 | 294 | if args.compile == "make": 295 | if args.o: 296 | LOGGER.warning("--compile make overrides -o INSTR_BIN") 297 | INSTR_BIN = stem + ".instr" 298 | LOGGER.info('Making {}'.format(INSTR_BIN)) 299 | sp.run(["make", "-B", INSTR_BIN]) 300 | elif args.compile == "svcomp": 301 | if not args.o: 302 | LOGGER.error("--compile svcomp requires -o INSTR_BIN") 303 | sys.exit(2) 304 | INSTR_BIN = args.o 305 | asm = INSTR_BIN + ".s" 306 | ins = INSTR_BIN + ".instr.s" 307 | sp.run([args.cc, "-no-pie", "-o", asm, "-S", source]) 308 | sp.run(["./tracejump.py", asm, ins]) 309 | sp.run([args.cc, "-no-pie", "-O0", "-o", INSTR_BIN, verifier_c, 310 | "__VERIFIER_assume.instr.s", 311 | "__trace_jump.s", 312 | "__trace_buffered.c", 313 | ins]) 314 | elif args.compile == "trace-cc": 315 | if args.o: 316 | INSTR_BIN = args.o 317 | else: 318 | INSTR_BIN = stem 319 | LOGGER.info('Compiling {} with trace-cc'.format(INSTR_BIN)) 320 | sp.run(["./trace-cc", "-static", "-L.", "-legion", "-o", INSTR_BIN, source]) 321 | else: 322 | LOGGER.error("Invalid compilation mode: {}".format(args.compile)) 323 | sys.exit(2) 324 | 325 | sp.run(["file", INSTR_BIN]) 326 | 327 | UNINSTR_BIN = ".".join(INSTR_BIN.split(".")[:-1]) 328 | sp.run(["file", INSTR_BIN]) 329 | sp.run([args.cc, "-no-pie", "-O0", "-o", UNINSTR_BIN, 330 | verifier_c, "__VERIFIER_assume.c", source]) 331 | else: 332 | INSTR_BIN = args.file 333 | 334 | binary_name = INSTR_BIN.split("/")[-1] 335 | DIR_NAME = "{}_{}_{}_{}".format(binary_name, 1, 0, TIME_START) 336 | PROGRAM_NAME = args.file.split("/")[-1] 337 | # 338 | # if is_source and SAVE_TESTCASES: 339 | # os.system("mkdir -p tests/{}".format(DIR_NAME)) 340 | # with open("tests/{}/metadata.xml".format(DIR_NAME), "wt+") as md: 341 | # md.write('\n') 342 | # md.write( 343 | # '\n') 344 | # md.write('\n') 345 | # md.write('C\n') 346 | # md.write('Legion\n') 347 | # md.write( 348 | # 'CHECK( LTL(G ! call(__VERIFIER_error())) )\n') 349 | # md.write('{}\n'.format(args.file)) 350 | # res = sp.run(["sha256sum", args.file], stdout=sp.PIPE) 351 | # out = res.stdout.decode('utf-8') 352 | # sha256sum = out[:64] 353 | # md.write('{}\n'.format(sha256sum)) 354 | # md.write('main\n') 355 | # md.write('32bit\n') 356 | # md.write('{}\n'.format( 357 | # datetime.datetime.now())) 358 | # md.write('\n') 359 | 360 | print(main()) 361 | -------------------------------------------------------------------------------- /ProgramUnderTest/Assembly/test_while.instr.s: -------------------------------------------------------------------------------- 1 | 2 | ../Instrumented/test_while.instr: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000400428 <_init>: 8 | 400428: 48 83 ec 08 sub $0x8,%rsp 9 | 40042c: 48 8b 05 c5 0b 20 00 mov 0x200bc5(%rip),%rax # 600ff8 <__gmon_start__> 10 | 400433: 48 85 c0 test %rax,%rax 11 | 400436: 74 02 je 40043a <_init+0x12> 12 | 400438: ff d0 callq *%rax 13 | 40043a: 48 83 c4 08 add $0x8,%rsp 14 | 40043e: c3 retq 15 | 16 | Disassembly of section .plt: 17 | 18 | 0000000000400440 <.plt>: 19 | 400440: ff 35 c2 0b 20 00 pushq 0x200bc2(%rip) # 601008 <_GLOBAL_OFFSET_TABLE_+0x8> 20 | 400446: ff 25 c4 0b 20 00 jmpq *0x200bc4(%rip) # 601010 <_GLOBAL_OFFSET_TABLE_+0x10> 21 | 40044c: 0f 1f 40 00 nopl 0x0(%rax) 22 | 23 | 0000000000400450 <__stack_chk_fail@plt>: 24 | 400450: ff 25 c2 0b 20 00 jmpq *0x200bc2(%rip) # 601018 <__stack_chk_fail@GLIBC_2.4> 25 | 400456: 68 00 00 00 00 pushq $0x0 26 | 40045b: e9 e0 ff ff ff jmpq 400440 <.plt> 27 | 28 | 0000000000400460 : 29 | 400460: ff 25 ba 0b 20 00 jmpq *0x200bba(%rip) # 601020 30 | 400466: 68 01 00 00 00 pushq $0x1 31 | 40046b: e9 d0 ff ff ff jmpq 400440 <.plt> 32 | 33 | Disassembly of section .text: 34 | 35 | 0000000000400470 <_start>: 36 | 400470: 31 ed xor %ebp,%ebp 37 | 400472: 49 89 d1 mov %rdx,%r9 38 | 400475: 5e pop %rsi 39 | 400476: 48 89 e2 mov %rsp,%rdx 40 | 400479: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 41 | 40047d: 50 push %rax 42 | 40047e: 54 push %rsp 43 | 40047f: 49 c7 c0 40 08 40 00 mov $0x400840,%r8 44 | 400486: 48 c7 c1 d0 07 40 00 mov $0x4007d0,%rcx 45 | 40048d: 48 c7 c7 79 06 40 00 mov $0x400679,%rdi 46 | 400494: ff 15 56 0b 20 00 callq *0x200b56(%rip) # 600ff0 <__libc_start_main@GLIBC_2.2.5> 47 | 40049a: f4 hlt 48 | 40049b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 49 | 50 | 00000000004004a0 <_dl_relocate_static_pie>: 51 | 4004a0: f3 c3 repz retq 52 | 4004a2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 53 | 4004a9: 00 00 00 54 | 4004ac: 0f 1f 40 00 nopl 0x0(%rax) 55 | 56 | 00000000004004b0 : 57 | 4004b0: 55 push %rbp 58 | 4004b1: b8 38 10 60 00 mov $0x601038,%eax 59 | 4004b6: 48 3d 38 10 60 00 cmp $0x601038,%rax 60 | 4004bc: 48 89 e5 mov %rsp,%rbp 61 | 4004bf: 74 17 je 4004d8 62 | 4004c1: b8 00 00 00 00 mov $0x0,%eax 63 | 4004c6: 48 85 c0 test %rax,%rax 64 | 4004c9: 74 0d je 4004d8 65 | 4004cb: 5d pop %rbp 66 | 4004cc: bf 38 10 60 00 mov $0x601038,%edi 67 | 4004d1: ff e0 jmpq *%rax 68 | 4004d3: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 69 | 4004d8: 5d pop %rbp 70 | 4004d9: c3 retq 71 | 4004da: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 72 | 73 | 00000000004004e0 : 74 | 4004e0: be 38 10 60 00 mov $0x601038,%esi 75 | 4004e5: 55 push %rbp 76 | 4004e6: 48 81 ee 38 10 60 00 sub $0x601038,%rsi 77 | 4004ed: 48 89 e5 mov %rsp,%rbp 78 | 4004f0: 48 c1 fe 03 sar $0x3,%rsi 79 | 4004f4: 48 89 f0 mov %rsi,%rax 80 | 4004f7: 48 c1 e8 3f shr $0x3f,%rax 81 | 4004fb: 48 01 c6 add %rax,%rsi 82 | 4004fe: 48 d1 fe sar %rsi 83 | 400501: 74 15 je 400518 84 | 400503: b8 00 00 00 00 mov $0x0,%eax 85 | 400508: 48 85 c0 test %rax,%rax 86 | 40050b: 74 0b je 400518 87 | 40050d: 5d pop %rbp 88 | 40050e: bf 38 10 60 00 mov $0x601038,%edi 89 | 400513: ff e0 jmpq *%rax 90 | 400515: 0f 1f 00 nopl (%rax) 91 | 400518: 5d pop %rbp 92 | 400519: c3 retq 93 | 40051a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 94 | 95 | 0000000000400520 <__do_global_dtors_aux>: 96 | 400520: 80 3d 11 0b 20 00 00 cmpb $0x0,0x200b11(%rip) # 601038 <__TMC_END__> 97 | 400527: 75 17 jne 400540 <__do_global_dtors_aux+0x20> 98 | 400529: 55 push %rbp 99 | 40052a: 48 89 e5 mov %rsp,%rbp 100 | 40052d: e8 7e ff ff ff callq 4004b0 101 | 400532: c6 05 ff 0a 20 00 01 movb $0x1,0x200aff(%rip) # 601038 <__TMC_END__> 102 | 400539: 5d pop %rbp 103 | 40053a: c3 retq 104 | 40053b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 105 | 400540: f3 c3 repz retq 106 | 400542: 0f 1f 40 00 nopl 0x0(%rax) 107 | 400546: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 108 | 40054d: 00 00 00 109 | 110 | 0000000000400550 : 111 | 400550: 55 push %rbp 112 | 400551: 48 89 e5 mov %rsp,%rbp 113 | 400554: 5d pop %rbp 114 | 400555: eb 89 jmp 4004e0 115 | 116 | 0000000000400557 : 117 | 400557: 48 81 ec 80 00 00 00 sub $0x80,%rsp 118 | 40055e: 50 push %rax 119 | 40055f: 57 push %rdi 120 | 400560: 56 push %rsi 121 | 400561: 52 push %rdx 122 | 400562: 51 push %rcx 123 | 400563: 41 53 push %r11 124 | 400565: e8 2f 02 00 00 callq 400799 <__trace_jump> 125 | 40056a: 41 5b pop %r11 126 | 40056c: 59 pop %rcx 127 | 40056d: 5a pop %rdx 128 | 40056e: 5e pop %rsi 129 | 40056f: 5f pop %rdi 130 | 400570: 58 pop %rax 131 | 400571: 48 81 c4 80 00 00 00 add $0x80,%rsp 132 | 400578: 55 push %rbp 133 | 400579: 48 89 e5 mov %rsp,%rbp 134 | 40057c: 89 7d ec mov %edi,-0x14(%rbp) 135 | 40057f: c7 45 fc 00 01 00 00 movl $0x100,-0x4(%rbp) 136 | 400586: eb 7d jmp 400605 137 | 400588: 48 81 ec 80 00 00 00 sub $0x80,%rsp 138 | 40058f: 50 push %rax 139 | 400590: 57 push %rdi 140 | 400591: 56 push %rsi 141 | 400592: 52 push %rdx 142 | 400593: 51 push %rcx 143 | 400594: 41 53 push %r11 144 | 400596: e8 fe 01 00 00 callq 400799 <__trace_jump> 145 | 40059b: 41 5b pop %r11 146 | 40059d: 59 pop %rcx 147 | 40059e: 5a pop %rdx 148 | 40059f: 5e pop %rsi 149 | 4005a0: 5f pop %rdi 150 | 4005a1: 58 pop %rax 151 | 4005a2: 48 81 c4 80 00 00 00 add $0x80,%rsp 152 | 4005a9: 8b 45 fc mov -0x4(%rbp),%eax 153 | 4005ac: 89 c2 mov %eax,%edx 154 | 4005ae: c1 ea 1f shr $0x1f,%edx 155 | 4005b1: 01 d0 add %edx,%eax 156 | 4005b3: d1 f8 sar %eax 157 | 4005b5: 39 45 ec cmp %eax,-0x14(%rbp) 158 | 4005b8: 76 26 jbe 4005e0 159 | 4005ba: 48 81 ec 80 00 00 00 sub $0x80,%rsp 160 | 4005c1: 50 push %rax 161 | 4005c2: 57 push %rdi 162 | 4005c3: 56 push %rsi 163 | 4005c4: 52 push %rdx 164 | 4005c5: 51 push %rcx 165 | 4005c6: 41 53 push %r11 166 | 4005c8: e8 cc 01 00 00 callq 400799 <__trace_jump> 167 | 4005cd: 41 5b pop %r11 168 | 4005cf: 59 pop %rcx 169 | 4005d0: 5a pop %rdx 170 | 4005d1: 5e pop %rsi 171 | 4005d2: 5f pop %rdi 172 | 4005d3: 58 pop %rax 173 | 4005d4: 48 81 c4 80 00 00 00 add $0x80,%rsp 174 | 4005db: 8b 45 fc mov -0x4(%rbp),%eax 175 | 4005de: eb 76 jmp 400656 176 | 4005e0: 48 81 ec 80 00 00 00 sub $0x80,%rsp 177 | 4005e7: 50 push %rax 178 | 4005e8: 57 push %rdi 179 | 4005e9: 56 push %rsi 180 | 4005ea: 52 push %rdx 181 | 4005eb: 51 push %rcx 182 | 4005ec: 41 53 push %r11 183 | 4005ee: e8 a6 01 00 00 callq 400799 <__trace_jump> 184 | 4005f3: 41 5b pop %r11 185 | 4005f5: 59 pop %rcx 186 | 4005f6: 5a pop %rdx 187 | 4005f7: 5e pop %rsi 188 | 4005f8: 5f pop %rdi 189 | 4005f9: 58 pop %rax 190 | 4005fa: 48 81 c4 80 00 00 00 add $0x80,%rsp 191 | 400601: 83 6d fc 08 subl $0x8,-0x4(%rbp) 192 | 400605: 48 81 ec 80 00 00 00 sub $0x80,%rsp 193 | 40060c: 50 push %rax 194 | 40060d: 57 push %rdi 195 | 40060e: 56 push %rsi 196 | 40060f: 52 push %rdx 197 | 400610: 51 push %rcx 198 | 400611: 41 53 push %r11 199 | 400613: e8 81 01 00 00 callq 400799 <__trace_jump> 200 | 400618: 41 5b pop %r11 201 | 40061a: 59 pop %rcx 202 | 40061b: 5a pop %rdx 203 | 40061c: 5e pop %rsi 204 | 40061d: 5f pop %rdi 205 | 40061e: 58 pop %rax 206 | 40061f: 48 81 c4 80 00 00 00 add $0x80,%rsp 207 | 400626: 8b 45 fc mov -0x4(%rbp),%eax 208 | 400629: 39 45 ec cmp %eax,-0x14(%rbp) 209 | 40062c: 0f 82 56 ff ff ff jb 400588 210 | 400632: 48 81 ec 80 00 00 00 sub $0x80,%rsp 211 | 400639: 50 push %rax 212 | 40063a: 57 push %rdi 213 | 40063b: 56 push %rsi 214 | 40063c: 52 push %rdx 215 | 40063d: 51 push %rcx 216 | 40063e: 41 53 push %r11 217 | 400640: e8 54 01 00 00 callq 400799 <__trace_jump> 218 | 400645: 41 5b pop %r11 219 | 400647: 59 pop %rcx 220 | 400648: 5a pop %rdx 221 | 400649: 5e pop %rsi 222 | 40064a: 5f pop %rdi 223 | 40064b: 58 pop %rax 224 | 40064c: 48 81 c4 80 00 00 00 add $0x80,%rsp 225 | 400653: 8b 45 fc mov -0x4(%rbp),%eax 226 | 400656: 48 81 ec 80 00 00 00 sub $0x80,%rsp 227 | 40065d: 50 push %rax 228 | 40065e: 57 push %rdi 229 | 40065f: 56 push %rsi 230 | 400660: 52 push %rdx 231 | 400661: 51 push %rcx 232 | 400662: 41 53 push %r11 233 | 400664: e8 30 01 00 00 callq 400799 <__trace_jump> 234 | 400669: 41 5b pop %r11 235 | 40066b: 59 pop %rcx 236 | 40066c: 5a pop %rdx 237 | 40066d: 5e pop %rsi 238 | 40066e: 5f pop %rdi 239 | 40066f: 58 pop %rax 240 | 400670: 48 81 c4 80 00 00 00 add $0x80,%rsp 241 | 400677: 5d pop %rbp 242 | 400678: c3 retq 243 | 244 | 0000000000400679
: 245 | 400679: 48 81 ec 80 00 00 00 sub $0x80,%rsp 246 | 400680: 50 push %rax 247 | 400681: 57 push %rdi 248 | 400682: 56 push %rsi 249 | 400683: 52 push %rdx 250 | 400684: 51 push %rcx 251 | 400685: 41 53 push %r11 252 | 400687: e8 0d 01 00 00 callq 400799 <__trace_jump> 253 | 40068c: 41 5b pop %r11 254 | 40068e: 59 pop %rcx 255 | 40068f: 5a pop %rdx 256 | 400690: 5e pop %rsi 257 | 400691: 5f pop %rdi 258 | 400692: 58 pop %rax 259 | 400693: 48 81 c4 80 00 00 00 add $0x80,%rsp 260 | 40069a: 55 push %rbp 261 | 40069b: 48 89 e5 mov %rsp,%rbp 262 | 40069e: 48 83 ec 20 sub $0x20,%rsp 263 | 4006a2: 89 7d ec mov %edi,-0x14(%rbp) 264 | 4006a5: 48 89 75 e0 mov %rsi,-0x20(%rbp) 265 | 4006a9: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 266 | 4006b0: 00 00 267 | 4006b2: 48 89 45 f8 mov %rax,-0x8(%rbp) 268 | 4006b6: 31 c0 xor %eax,%eax 269 | 4006b8: 48 8d 45 f6 lea -0xa(%rbp),%rax 270 | 4006bc: ba 01 00 00 00 mov $0x1,%edx 271 | 4006c1: 48 89 c6 mov %rax,%rsi 272 | 4006c4: bf 00 00 00 00 mov $0x0,%edi 273 | 4006c9: e8 92 fd ff ff callq 400460 274 | 4006ce: 48 8d 45 f7 lea -0x9(%rbp),%rax 275 | 4006d2: ba 01 00 00 00 mov $0x1,%edx 276 | 4006d7: 48 89 c6 mov %rax,%rsi 277 | 4006da: bf 00 00 00 00 mov $0x0,%edi 278 | 4006df: e8 7c fd ff ff callq 400460 279 | 4006e4: 0f b6 45 f7 movzbl -0x9(%rbp),%eax 280 | 4006e8: 3c f0 cmp $0xf0,%al 281 | 4006ea: 76 2f jbe 40071b 282 | 4006ec: 48 81 ec 80 00 00 00 sub $0x80,%rsp 283 | 4006f3: 50 push %rax 284 | 4006f4: 57 push %rdi 285 | 4006f5: 56 push %rsi 286 | 4006f6: 52 push %rdx 287 | 4006f7: 51 push %rcx 288 | 4006f8: 41 53 push %r11 289 | 4006fa: e8 9a 00 00 00 callq 400799 <__trace_jump> 290 | 4006ff: 41 5b pop %r11 291 | 400701: 59 pop %rcx 292 | 400702: 5a pop %rdx 293 | 400703: 5e pop %rsi 294 | 400704: 5f pop %rdi 295 | 400705: 58 pop %rax 296 | 400706: 48 81 c4 80 00 00 00 add $0x80,%rsp 297 | 40070d: 0f b6 45 f6 movzbl -0xa(%rbp),%eax 298 | 400711: 0f b6 c0 movzbl %al,%eax 299 | 400714: 89 c7 mov %eax,%edi 300 | 400716: e8 3c fe ff ff callq 400557 301 | 40071b: 48 81 ec 80 00 00 00 sub $0x80,%rsp 302 | 400722: 50 push %rax 303 | 400723: 57 push %rdi 304 | 400724: 56 push %rsi 305 | 400725: 52 push %rdx 306 | 400726: 51 push %rcx 307 | 400727: 41 53 push %r11 308 | 400729: e8 6b 00 00 00 callq 400799 <__trace_jump> 309 | 40072e: 41 5b pop %r11 310 | 400730: 59 pop %rcx 311 | 400731: 5a pop %rdx 312 | 400732: 5e pop %rsi 313 | 400733: 5f pop %rdi 314 | 400734: 58 pop %rax 315 | 400735: 48 81 c4 80 00 00 00 add $0x80,%rsp 316 | 40073c: b8 00 00 00 00 mov $0x0,%eax 317 | 400741: 48 8b 4d f8 mov -0x8(%rbp),%rcx 318 | 400745: 64 48 33 0c 25 28 00 xor %fs:0x28,%rcx 319 | 40074c: 00 00 320 | 40074e: 74 26 je 400776 321 | 400750: 48 81 ec 80 00 00 00 sub $0x80,%rsp 322 | 400757: 50 push %rax 323 | 400758: 57 push %rdi 324 | 400759: 56 push %rsi 325 | 40075a: 52 push %rdx 326 | 40075b: 51 push %rcx 327 | 40075c: 41 53 push %r11 328 | 40075e: e8 36 00 00 00 callq 400799 <__trace_jump> 329 | 400763: 41 5b pop %r11 330 | 400765: 59 pop %rcx 331 | 400766: 5a pop %rdx 332 | 400767: 5e pop %rsi 333 | 400768: 5f pop %rdi 334 | 400769: 58 pop %rax 335 | 40076a: 48 81 c4 80 00 00 00 add $0x80,%rsp 336 | 400771: e8 da fc ff ff callq 400450 <__stack_chk_fail@plt> 337 | 400776: 48 81 ec 80 00 00 00 sub $0x80,%rsp 338 | 40077d: 50 push %rax 339 | 40077e: 57 push %rdi 340 | 40077f: 56 push %rsi 341 | 400780: 52 push %rdx 342 | 400781: 51 push %rcx 343 | 400782: 41 53 push %r11 344 | 400784: e8 10 00 00 00 callq 400799 <__trace_jump> 345 | 400789: 41 5b pop %r11 346 | 40078b: 59 pop %rcx 347 | 40078c: 5a pop %rdx 348 | 40078d: 5e pop %rsi 349 | 40078e: 5f pop %rdi 350 | 40078f: 58 pop %rax 351 | 400790: 48 81 c4 80 00 00 00 add $0x80,%rsp 352 | 400797: c9 leaveq 353 | 400798: c3 retq 354 | 355 | 0000000000400799 <__trace_jump>: 356 | 400799: 55 push %rbp 357 | 40079a: 48 89 e5 mov %rsp,%rbp 358 | 40079d: 48 8b 45 08 mov 0x8(%rbp),%rax 359 | 4007a1: 48 83 e8 13 sub $0x13,%rax 360 | 4007a5: 48 89 45 f8 mov %rax,-0x8(%rbp) 361 | 4007a9: 48 c7 c0 01 00 00 00 mov $0x1,%rax 362 | 4007b0: 48 c7 c7 02 00 00 00 mov $0x2,%rdi 363 | 4007b7: 48 89 ee mov %rbp,%rsi 364 | 4007ba: 48 83 ee 08 sub $0x8,%rsi 365 | 4007be: 48 c7 c2 08 00 00 00 mov $0x8,%rdx 366 | 4007c5: 0f 05 syscall 367 | 4007c7: 5d pop %rbp 368 | 4007c8: c3 retq 369 | 4007c9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 370 | 371 | 00000000004007d0 <__libc_csu_init>: 372 | 4007d0: 41 57 push %r15 373 | 4007d2: 41 56 push %r14 374 | 4007d4: 49 89 d7 mov %rdx,%r15 375 | 4007d7: 41 55 push %r13 376 | 4007d9: 41 54 push %r12 377 | 4007db: 4c 8d 25 2e 06 20 00 lea 0x20062e(%rip),%r12 # 600e10 <__frame_dummy_init_array_entry> 378 | 4007e2: 55 push %rbp 379 | 4007e3: 48 8d 2d 2e 06 20 00 lea 0x20062e(%rip),%rbp # 600e18 <__init_array_end> 380 | 4007ea: 53 push %rbx 381 | 4007eb: 41 89 fd mov %edi,%r13d 382 | 4007ee: 49 89 f6 mov %rsi,%r14 383 | 4007f1: 4c 29 e5 sub %r12,%rbp 384 | 4007f4: 48 83 ec 08 sub $0x8,%rsp 385 | 4007f8: 48 c1 fd 03 sar $0x3,%rbp 386 | 4007fc: e8 27 fc ff ff callq 400428 <_init> 387 | 400801: 48 85 ed test %rbp,%rbp 388 | 400804: 74 20 je 400826 <__libc_csu_init+0x56> 389 | 400806: 31 db xor %ebx,%ebx 390 | 400808: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 391 | 40080f: 00 392 | 400810: 4c 89 fa mov %r15,%rdx 393 | 400813: 4c 89 f6 mov %r14,%rsi 394 | 400816: 44 89 ef mov %r13d,%edi 395 | 400819: 41 ff 14 dc callq *(%r12,%rbx,8) 396 | 40081d: 48 83 c3 01 add $0x1,%rbx 397 | 400821: 48 39 dd cmp %rbx,%rbp 398 | 400824: 75 ea jne 400810 <__libc_csu_init+0x40> 399 | 400826: 48 83 c4 08 add $0x8,%rsp 400 | 40082a: 5b pop %rbx 401 | 40082b: 5d pop %rbp 402 | 40082c: 41 5c pop %r12 403 | 40082e: 41 5d pop %r13 404 | 400830: 41 5e pop %r14 405 | 400832: 41 5f pop %r15 406 | 400834: c3 retq 407 | 400835: 90 nop 408 | 400836: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 409 | 40083d: 00 00 00 410 | 411 | 0000000000400840 <__libc_csu_fini>: 412 | 400840: f3 c3 repz retq 413 | 414 | Disassembly of section .fini: 415 | 416 | 0000000000400844 <_fini>: 417 | 400844: 48 83 ec 08 sub $0x8,%rsp 418 | 400848: 48 83 c4 08 add $0x8,%rsp 419 | 40084c: c3 retq 420 | --------------------------------------------------------------------------------