├── .gitmodules ├── README.md ├── docs ├── install.md ├── todo.md └── usage.md ├── fuzzer ├── afl-2.51b-bbcheck │ ├── .gitignore │ ├── Makefile │ ├── QuickStartGuide.txt │ ├── README │ ├── README.hh │ ├── afl-analyze.c │ ├── afl-as.c │ ├── afl-as.h │ ├── afl-cmin │ ├── afl-cmin-bak │ ├── afl-fuzz.c │ ├── afl-gcc.c │ ├── afl-gotcpu.c │ ├── afl-plot │ ├── afl-showmap.c │ ├── afl-tmin.c │ ├── afl-whatsup │ ├── alloc-inl.h │ ├── config.h │ ├── debug.h │ ├── dictionaries │ │ ├── README.dictionaries │ │ ├── gif.dict │ │ ├── html_tags.dict │ │ ├── jpeg.dict │ │ ├── js.dict │ │ ├── json.dict │ │ ├── pdf.dict │ │ ├── png.dict │ │ ├── sql.dict │ │ ├── tiff.dict │ │ ├── webp.dict │ │ └── xml.dict │ ├── docs │ │ ├── COPYING │ │ ├── ChangeLog │ │ ├── INSTALL │ │ ├── QuickStartGuide.txt │ │ ├── README │ │ ├── env_variables.txt │ │ ├── historical_notes.txt │ │ ├── life_pro_tips.txt │ │ ├── notes_for_asan.txt │ │ ├── parallel_fuzzing.txt │ │ ├── perf_tips.txt │ │ ├── sister_projects.txt │ │ ├── status_screen.txt │ │ ├── technical_details.txt │ │ ├── visualization │ │ │ └── afl_gzip.png │ │ └── vuln_samples │ │ │ ├── bash-cmd-exec.var │ │ │ ├── bash-uninit-mem.var │ │ │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ │ │ ├── ffmpeg-h264-bad-read.mp4 │ │ │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ │ │ ├── firefox-bmp-leak.bmp │ │ │ ├── firefox-chrome-leak.jpg │ │ │ ├── firefox-gif-leak.gif │ │ │ ├── firefox-gif-leak2.gif │ │ │ ├── jxrlib-crash.jxr │ │ │ ├── jxrlib-crash2.jxr │ │ │ ├── jxrlib-crash3.jxr │ │ │ ├── jxrlib-crash4.jxr │ │ │ ├── lesspipe-cpio-bad-write.cpio │ │ │ ├── libjpeg-sos-leak.jpg │ │ │ ├── libjpeg-turbo-dht-leak.jpg │ │ │ ├── libtiff-bad-write.tif │ │ │ ├── libtiff-uninit-mem.tif │ │ │ ├── libtiff-uninit-mem2.tif │ │ │ ├── libtiff-uninit-mem3.tif │ │ │ ├── libtiff-uninit-mem4.tif │ │ │ ├── libxml2-bad-read.xml │ │ │ ├── msie-dht-leak.jpg │ │ │ ├── msie-jxr-mem-leak.jxr │ │ │ ├── msie-png-mem-leak.png │ │ │ ├── msie-tiff-mem-leak.tif │ │ │ ├── msie-zlib-dos.png │ │ │ ├── 
openssl-null-ptr.der │ │ │ ├── openssl-null-ptr2.der │ │ │ ├── photoshop-mem-leak.jpg │ │ │ ├── sqlite-bad-free.sql │ │ │ ├── sqlite-bad-ptr.sql │ │ │ ├── sqlite-bad-ptr2.sql │ │ │ ├── sqlite-bad-ptr3.sql │ │ │ ├── sqlite-heap-overflow.sql │ │ │ ├── sqlite-heap-overwrite.sql │ │ │ ├── sqlite-negative-memset.sql │ │ │ ├── sqlite-null-ptr1.sql │ │ │ ├── sqlite-null-ptr10.sql │ │ │ ├── sqlite-null-ptr11.sql │ │ │ ├── sqlite-null-ptr12.sql │ │ │ ├── sqlite-null-ptr13.sql │ │ │ ├── sqlite-null-ptr14.sql │ │ │ ├── sqlite-null-ptr15.sql │ │ │ ├── sqlite-null-ptr2.sql │ │ │ ├── sqlite-null-ptr3.sql │ │ │ ├── sqlite-null-ptr4.sql │ │ │ ├── sqlite-null-ptr5.sql │ │ │ ├── sqlite-null-ptr6.sql │ │ │ ├── sqlite-null-ptr7.sql │ │ │ ├── sqlite-null-ptr8.sql │ │ │ ├── sqlite-null-ptr9.sql │ │ │ ├── sqlite-oob-read.sql │ │ │ ├── sqlite-oob-write.sql │ │ │ ├── sqlite-stack-buf-overflow.sql │ │ │ ├── sqlite-stack-exhaustion.sql │ │ │ ├── sqlite-unint-mem.sql │ │ │ ├── sqlite-use-after-free.sql │ │ │ ├── strings-stack-overflow │ │ │ ├── tcpdump-arp-crash.pcap │ │ │ ├── tcpdump-ppp-crash.pcap │ │ │ ├── unrtf-arbitrary-read.rtf │ │ │ └── unzip-t-mem-corruption.zip │ ├── experimental │ │ ├── README.experiments │ │ ├── argv_fuzzing │ │ │ └── argv-fuzz-inl.h │ │ ├── asan_cgroups │ │ │ └── limit_memory.sh │ │ ├── bash_shellshock │ │ │ └── shellshock-fuzz.diff │ │ ├── canvas_harness │ │ │ └── canvas_harness.html │ │ ├── crash_triage │ │ │ └── triage_crashes.sh │ │ ├── distributed_fuzzing │ │ │ └── sync_script.sh │ │ ├── libpng_no_checksum │ │ │ └── libpng-nocrc.patch │ │ └── persistent_demo │ │ │ └── persistent_demo.c │ ├── hash.h │ ├── libdislocator │ │ ├── Makefile │ │ └── README.dislocator │ ├── libtokencap │ │ ├── Makefile │ │ └── README.tokencap │ ├── llvm_mode │ │ ├── Makefile │ │ ├── README.llvm │ │ ├── afl-clang-fast.c │ │ ├── afl-llvm-pass.so.cc │ │ └── afl-llvm-rt.o.c │ ├── qemu_mode │ │ ├── README.qemu │ │ ├── build_qemu_support.sh │ │ └── patches │ │ │ ├── afl-qemu-cpu-inl.h │ │ 
│ ├── cpu-exec.diff │ │ │ ├── elfload.diff │ │ │ ├── syscall.diff │ │ │ └── translate-all.diff │ ├── test-instr.c │ ├── test.c │ └── types.h └── afl-2.51b-normal │ ├── Makefile │ ├── QuickStartGuide.txt │ ├── README │ ├── afl-analyze.c │ ├── afl-as.c │ ├── afl-as.h │ ├── afl-cmin │ ├── afl-fuzz.c │ ├── afl-gcc.c │ ├── afl-gotcpu.c │ ├── afl-plot │ ├── afl-showmap.c │ ├── afl-tmin.c │ ├── afl-whatsup │ ├── alloc-inl.h │ ├── config.h │ ├── debug.h │ ├── dictionaries │ ├── README.dictionaries │ ├── gif.dict │ ├── html_tags.dict │ ├── jpeg.dict │ ├── js.dict │ ├── json.dict │ ├── pdf.dict │ ├── png.dict │ ├── sql.dict │ ├── tiff.dict │ ├── webp.dict │ └── xml.dict │ ├── docs │ ├── COPYING │ ├── ChangeLog │ ├── INSTALL │ ├── QuickStartGuide.txt │ ├── README │ ├── env_variables.txt │ ├── historical_notes.txt │ ├── life_pro_tips.txt │ ├── notes_for_asan.txt │ ├── parallel_fuzzing.txt │ ├── perf_tips.txt │ ├── sister_projects.txt │ ├── status_screen.txt │ ├── technical_details.txt │ ├── visualization │ │ └── afl_gzip.png │ └── vuln_samples │ │ ├── bash-cmd-exec.var │ │ ├── bash-uninit-mem.var │ │ ├── ffmpeg-h264-bad-ptr-800m.mp4 │ │ ├── ffmpeg-h264-bad-read.mp4 │ │ ├── ffmpeg-h264-call-stack-overflow.mp4 │ │ ├── file-fpu-exception.elf │ │ ├── firefox-bmp-leak.bmp │ │ ├── firefox-chrome-leak.jpg │ │ ├── firefox-gif-leak.gif │ │ ├── firefox-gif-leak2.gif │ │ ├── jxrlib-crash.jxr │ │ ├── jxrlib-crash2.jxr │ │ ├── jxrlib-crash3.jxr │ │ ├── jxrlib-crash4.jxr │ │ ├── lesspipe-cpio-bad-write.cpio │ │ ├── libjpeg-sos-leak.jpg │ │ ├── libjpeg-turbo-dht-leak.jpg │ │ ├── libtiff-bad-write.tif │ │ ├── libtiff-uninit-mem.tif │ │ ├── libtiff-uninit-mem2.tif │ │ ├── libtiff-uninit-mem3.tif │ │ ├── libtiff-uninit-mem4.tif │ │ ├── libxml2-bad-read.xml │ │ ├── msie-dht-leak.jpg │ │ ├── msie-jxr-mem-leak.jxr │ │ ├── msie-png-mem-leak.png │ │ ├── msie-tiff-mem-leak.tif │ │ ├── msie-zlib-dos.png │ │ ├── openssl-null-ptr.der │ │ ├── openssl-null-ptr2.der │ │ ├── photoshop-mem-leak.jpg │ │ ├── 
sqlite-bad-free.sql │ │ ├── sqlite-bad-ptr.sql │ │ ├── sqlite-bad-ptr2.sql │ │ ├── sqlite-bad-ptr3.sql │ │ ├── sqlite-heap-overflow.sql │ │ ├── sqlite-heap-overwrite.sql │ │ ├── sqlite-negative-memset.sql │ │ ├── sqlite-null-ptr1.sql │ │ ├── sqlite-null-ptr10.sql │ │ ├── sqlite-null-ptr11.sql │ │ ├── sqlite-null-ptr12.sql │ │ ├── sqlite-null-ptr13.sql │ │ ├── sqlite-null-ptr14.sql │ │ ├── sqlite-null-ptr15.sql │ │ ├── sqlite-null-ptr2.sql │ │ ├── sqlite-null-ptr3.sql │ │ ├── sqlite-null-ptr4.sql │ │ ├── sqlite-null-ptr5.sql │ │ ├── sqlite-null-ptr6.sql │ │ ├── sqlite-null-ptr7.sql │ │ ├── sqlite-null-ptr8.sql │ │ ├── sqlite-null-ptr9.sql │ │ ├── sqlite-oob-read.sql │ │ ├── sqlite-oob-write.sql │ │ ├── sqlite-stack-buf-overflow.sql │ │ ├── sqlite-stack-exhaustion.sql │ │ ├── sqlite-unint-mem.sql │ │ ├── sqlite-use-after-free.sql │ │ ├── strings-bfd-badptr.elf │ │ ├── strings-bfd-badptr2.elf │ │ ├── strings-stack-overflow │ │ ├── strings-unchecked-ctr.elf │ │ ├── tcpdump-arp-crash.pcap │ │ ├── tcpdump-ppp-crash.pcap │ │ ├── unrtf-arbitrary-read.rtf │ │ └── unzip-t-mem-corruption.zip │ ├── experimental │ ├── README.experiments │ ├── argv_fuzzing │ │ └── argv-fuzz-inl.h │ ├── asan_cgroups │ │ └── limit_memory.sh │ ├── bash_shellshock │ │ └── shellshock-fuzz.diff │ ├── canvas_harness │ │ └── canvas_harness.html │ ├── clang_asm_normalize │ │ └── as │ ├── crash_triage │ │ └── triage_crashes.sh │ ├── distributed_fuzzing │ │ └── sync_script.sh │ ├── libpng_no_checksum │ │ └── libpng-nocrc.patch │ ├── persistent_demo │ │ └── persistent_demo.c │ └── post_library │ │ ├── post_library.so.c │ │ └── post_library_png.so.c │ ├── hash.h │ ├── libdislocator │ ├── Makefile │ ├── README.dislocator │ └── libdislocator.so.c │ ├── libtokencap │ ├── Makefile │ ├── README.tokencap │ └── libtokencap.so.c │ ├── llvm_mode │ ├── Makefile │ ├── README.llvm │ ├── afl-clang-fast.c │ ├── afl-llvm-pass.so.cc │ └── afl-llvm-rt.o.c │ ├── qemu_mode │ ├── README.qemu │ ├── build_qemu_support.sh │ └── 
patches │ │ ├── afl-qemu-cpu-inl.h │ │ ├── cpu-exec.diff │ │ ├── elfload.diff │ │ ├── syscall.diff │ │ └── translate-all.diff │ ├── test-instr.c │ ├── testcases │ ├── README.testcases │ ├── archives │ │ ├── common │ │ │ ├── ar │ │ │ │ └── small_archive.a │ │ │ ├── bzip2 │ │ │ │ └── small_archive.bz2 │ │ │ ├── cab │ │ │ │ └── small_archive.cab │ │ │ ├── compress │ │ │ │ └── small_archive.Z │ │ │ ├── cpio │ │ │ │ └── small_archive.cpio │ │ │ ├── gzip │ │ │ │ └── small_archive.gz │ │ │ ├── lzo │ │ │ │ └── small_archive.lzo │ │ │ ├── rar │ │ │ │ └── small_archive.rar │ │ │ ├── tar │ │ │ │ └── small_archive.tar │ │ │ ├── xz │ │ │ │ └── small_archive.xz │ │ │ └── zip │ │ │ │ └── small_archive.zip │ │ └── exotic │ │ │ ├── arj │ │ │ └── small_archive.arj │ │ │ ├── lha │ │ │ └── small_archive.lha │ │ │ ├── lrzip │ │ │ └── small_archive.lrz │ │ │ ├── lzip │ │ │ └── small_archive.lz │ │ │ ├── lzma │ │ │ └── small_archive.lzma │ │ │ ├── rzip │ │ │ └── small_archive.rz │ │ │ └── zoo │ │ │ └── small_archive.zoo │ ├── images │ │ ├── bmp │ │ │ └── not_kitty.bmp │ │ ├── gif │ │ │ └── not_kitty.gif │ │ ├── ico │ │ │ └── not_kitty.ico │ │ ├── jp2 │ │ │ └── not_kitty.jp2 │ │ ├── jpeg │ │ │ └── not_kitty.jpg │ │ ├── jxr │ │ │ └── not_kitty.jxr │ │ ├── png │ │ │ ├── not_kitty.png │ │ │ ├── not_kitty_alpha.png │ │ │ ├── not_kitty_gamma.png │ │ │ └── not_kitty_icc.png │ │ ├── tiff │ │ │ └── not_kitty.tiff │ │ └── webp │ │ │ └── not_kitty.webp │ ├── multimedia │ │ └── h264 │ │ │ └── small_movie.mp4 │ └── others │ │ ├── elf │ │ └── small_exec.elf │ │ ├── js │ │ └── small_script.js │ │ ├── pcap │ │ └── small_capture.pcap │ │ ├── pdf │ │ └── small.pdf │ │ ├── rtf │ │ └── small_document.rtf │ │ ├── sql │ │ └── simple_queries.sql │ │ ├── text │ │ └── hello_world.txt │ │ └── xml │ │ └── small_document.xml │ └── types.h ├── lib └── csmith │ ├── CMakeLists.txt │ ├── Makefile │ ├── Makefile.am │ ├── Makefile.in │ ├── command │ ├── csmith │ ├── csmith.h │ ├── csmith_minimal.h │ ├── custom_limits.h │ 
├── custom_stdint_x86.h │ ├── libcsmith.a │ ├── libcsmith.la │ ├── libcsmith_la-volatile_runtime.lo │ ├── platform.info │ ├── platform_avr.h │ ├── platform_generic.h │ ├── platform_msp430.h │ ├── probability │ ├── random_inc.h │ ├── safe_abbrev.h │ ├── safe_math.h │ ├── safe_math.m4 │ ├── safe_math_macros.h │ ├── safe_math_macros.m4 │ ├── safe_math_macros_notmp.h │ ├── safe_math_macros_notmp.m4 │ ├── src │ ├── AbsExtension.cpp │ ├── AbsExtension.h │ ├── AbsProgramGenerator.cpp │ ├── AbsProgramGenerator.h │ ├── AbsRndNumGenerator.cpp │ ├── AbsRndNumGenerator.h │ ├── ArrayVariable.cpp │ ├── ArrayVariable.h │ ├── Block.cpp │ ├── Block.h │ ├── Bookkeeper.cpp │ ├── Bookkeeper.h │ ├── CFGEdge.cpp │ ├── CFGEdge.h │ ├── CGContext.cpp │ ├── CGContext.h │ ├── CGOptions.cpp │ ├── CGOptions.h │ ├── CVQualifiers.cpp │ ├── CVQualifiers.h │ ├── Common.h │ ├── CommonMacros.h │ ├── CompatibleChecker.cpp │ ├── CompatibleChecker.h │ ├── Constant.cpp │ ├── Constant.h │ ├── CoverageTestExtension.cpp │ ├── CoverageTestExtension.h │ ├── CrestExtension.cpp │ ├── CrestExtension.h │ ├── DFSOutputMgr.cpp │ ├── DFSOutputMgr.h │ ├── DFSProgramGenerator.cpp │ ├── DFSProgramGenerator.h │ ├── DFSRndNumGenerator.cpp │ ├── DFSRndNumGenerator.h │ ├── DefaultOutputMgr.cpp │ ├── DefaultOutputMgr.h │ ├── DefaultProgramGenerator.cpp │ ├── DefaultProgramGenerator.h │ ├── DefaultRndNumGenerator.cpp │ ├── DefaultRndNumGenerator.h │ ├── DeltaMonitor.cpp │ ├── DeltaMonitor.h │ ├── DepthSpec.cpp │ ├── DepthSpec.h │ ├── Effect.cpp │ ├── Effect.h │ ├── Enumerator.h │ ├── Error.cpp │ ├── Error.h │ ├── Expression.cpp │ ├── Expression.h │ ├── ExpressionAssign.cpp │ ├── ExpressionAssign.h │ ├── ExpressionComma.cpp │ ├── ExpressionComma.h │ ├── ExpressionFuncall.cpp │ ├── ExpressionFuncall.h │ ├── ExpressionVariable.cpp │ ├── ExpressionVariable.h │ ├── ExtensionMgr.cpp │ ├── ExtensionMgr.h │ ├── ExtensionValue.cpp │ ├── ExtensionValue.h │ ├── Fact.cpp │ ├── Fact.h │ ├── FactMgr.cpp │ ├── FactMgr.h │ ├── 
FactPointTo.cpp │ ├── FactPointTo.h │ ├── FactUnion.cpp │ ├── FactUnion.h │ ├── Filter.cpp │ ├── Filter.h │ ├── Finalization.cpp │ ├── Finalization.h │ ├── Function.cpp │ ├── Function.h │ ├── FunctionInvocation.cpp │ ├── FunctionInvocation.h │ ├── FunctionInvocationBinary.cpp │ ├── FunctionInvocationBinary.h │ ├── FunctionInvocationUnary.cpp │ ├── FunctionInvocationUnary.h │ ├── FunctionInvocationUser.cpp │ ├── FunctionInvocationUser.h │ ├── KleeExtension.cpp │ ├── KleeExtension.h │ ├── Lhs.cpp │ ├── Lhs.h │ ├── LinearSequence.cpp │ ├── LinearSequence.h │ ├── MspFilters.cpp │ ├── MspFilters.h │ ├── OutputMgr.cpp │ ├── OutputMgr.h │ ├── PartialExpander.cpp │ ├── PartialExpander.h │ ├── Probabilities.cpp │ ├── Probabilities.h │ ├── ProbabilityTable.h │ ├── RandomNumber.cpp │ ├── RandomNumber.h │ ├── RandomProgramGenerator.cpp │ ├── Reducer.cpp │ ├── Reducer.h │ ├── ReducerOutputMgr.cpp │ ├── ReducerOutputMgr.h │ ├── SafeOpFlags.cpp │ ├── SafeOpFlags.h │ ├── Sequence.cpp │ ├── Sequence.h │ ├── SequenceFactory.cpp │ ├── SequenceFactory.h │ ├── SequenceLineParser.h │ ├── SimpleDeltaRndNumGenerator.cpp │ ├── SimpleDeltaRndNumGenerator.h │ ├── SimpleDeltaSequence.cpp │ ├── SimpleDeltaSequence.h │ ├── SplatExtension.cpp │ ├── SplatExtension.h │ ├── Statement.cpp │ ├── Statement.h │ ├── StatementArrayOp.cpp │ ├── StatementArrayOp.h │ ├── StatementAssign.cpp │ ├── StatementAssign.h │ ├── StatementBreak.cpp │ ├── StatementBreak.h │ ├── StatementContinue.cpp │ ├── StatementContinue.h │ ├── StatementExpr.cpp │ ├── StatementExpr.h │ ├── StatementFor.cpp │ ├── StatementFor.h │ ├── StatementGoto.cpp │ ├── StatementGoto.h │ ├── StatementIf.cpp │ ├── StatementIf.h │ ├── StatementReturn.cpp │ ├── StatementReturn.h │ ├── StringUtils.cpp │ ├── StringUtils.h │ ├── Type.cpp │ ├── Type.h │ ├── Variable.cpp │ ├── Variable.h │ ├── VariableSelector.cpp │ ├── VariableSelector.h │ ├── VectorFilter.cpp │ ├── VectorFilter.h │ ├── git_version.cpp │ ├── git_version.h │ ├── platform.cpp │ ├── 
platform.h │ ├── random.cpp │ ├── random.h │ ├── util.cpp │ └── util.h │ ├── stdint_avr.h │ ├── stdint_ia32.h │ ├── stdint_ia64.h │ ├── stdint_msp430.h │ ├── test.c │ ├── test.o │ ├── volatile_runtime.c │ └── volatile_runtime.h └── src ├── .gitignore ├── antifuzz_all.py ├── code_injector ├── anti-taint.py ├── jtable_inject.py └── simple_injector.py ├── compile_pass.sh ├── conf.py ├── csmith ├── factory ├── make_all.sh ├── make_anti.sh ├── make_bump.sh ├── make_coverage.sh └── make_rop.sh ├── llvm_pass ├── .gitignore ├── anti │ ├── CMakeLists.txt │ ├── antilib.c │ ├── antilib_dummy.c │ └── skeleton │ │ ├── CMakeLists.txt │ │ ├── Skeleton.cpp │ │ ├── modify.cpp │ │ └── modify.h ├── antitaint │ ├── .gitignore │ └── anti-taint.py ├── bump │ ├── CMakeLists.txt │ ├── delaysrc │ │ ├── delay_1.c │ │ ├── delay_10.c │ │ ├── delay_100.c │ │ ├── delay_2.c │ │ ├── delay_20.c │ │ ├── delay_200.c │ │ ├── delay_3.c │ │ ├── delay_30.c │ │ ├── delay_300.c │ │ ├── delay_4.c │ │ ├── delay_40.c │ │ ├── delay_5.c │ │ ├── delay_50.c │ │ ├── delay_6.c │ │ ├── delay_60.c │ │ ├── delay_7.c │ │ ├── delay_70.c │ │ ├── delay_8.c │ │ ├── delay_80.c │ │ ├── delay_9.c │ │ └── delay_90.c │ └── skeleton │ │ ├── CMakeLists.txt │ │ └── Skeleton.cpp ├── pandora │ ├── CMakeLists.txt │ └── skeleton │ │ ├── CMakeLists.txt │ │ └── Skeleton.cpp └── trap │ ├── CMakeLists.txt │ ├── csmith.h │ ├── csmith_minimal.h │ ├── custom_limits.h │ ├── custom_stdint_x86.h │ ├── delay_slp1.c │ ├── delay_slp2.c │ ├── delay_slp3.c │ ├── delay_slp4.c │ ├── delay_slp5.c │ ├── delay_slp6.c │ ├── huge.c │ ├── huge_dummy.c │ ├── huge_injector.py │ ├── jtable_inject.py │ ├── patch.py │ ├── platform_avr.h │ ├── platform_generic.h │ ├── platform_msp430.h │ ├── random_inc.h │ ├── rop_dummy.c │ ├── safe_abbrev.h │ ├── safe_math.h │ ├── safe_math_macros.h │ ├── safe_math_macros_notmp.h │ ├── script │ ├── first.sh │ ├── genrop.sh │ ├── make.sh │ ├── readelf.sh │ ├── run.sh │ ├── second.sh │ └── toy.sh │ ├── simple_injector.py │ ├── 
skeleton │ ├── .gitignore │ ├── CMakeLists.txt │ ├── Skeleton.bak │ ├── Skeleton.cpp │ └── X86GenInstrInfo.inc │ ├── stdint_avr.h │ ├── stdint_ia32.h │ ├── stdint_ia64.h │ ├── stdint_msp430.h │ └── volatile_runtime.h ├── randomcode.py └── util ├── benchmark_eval.py ├── measure.py ├── measure_bb.py ├── normalbb.py └── prob /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "antifuzz-tutorial"] 2 | path = antifuzz-tutorial 3 | url = https://github.com/jinhojun/antifuzz-tutorial.git 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # About Fuzzification 2 | 3 | **Fuzzification** helps developers protect released, binary-only software from attackers who are capable of applying state-of-the-art fuzzing techniques. Given a performance budget, this approach aims to hinder an adversary's fuzzing process as much as possible. 4 | 5 | 6 | # Existing Fuzzification components 7 | 8 | * **SpeedBump**: Amplifies the slowdown by hundreds of times in fuzzed executions compared to normal executions. 9 | * **BranchTrap**: Interferes with feedback logic by hiding paths and polluting coverage maps. 10 | * **AntiHybrid**: Hinders taint analysis and symbolic execution. 
11 | 12 | # Environment 13 | 14 | Tested on Ubuntu 16.04 64-bit and LLVM 5.0 (with gold plugin) 15 | 16 | # Quick start 17 | 18 | * [Install instructions](docs/install.md) 19 | * [Usage instructions](docs/usage.md) 20 | 21 | # Authors 22 | 23 | * **Jinho Jung (Point of Contact)** 24 | * Hong Hu 25 | * David Solodukhin 26 | * Daniel Pagan 27 | * Kyu Hyung Lee 28 | * Taesoo Kim 29 | 30 | # Publications 31 | 32 | ``` 33 | @inproceedings{jung2019fuzzification, 34 | title={FUZZIFICATION: Anti-Fuzzing Techniques}, 35 | author={Jung, Jinho and Hu, Hong and Solodukhin, David and Pagan, Daniel and Lee, Kyu Hyung and Kim, Taesoo}, 36 | booktitle={28th USENIX Security Symposium (USENIX Security 19)}, 37 | pages={1913--1930}, 38 | year={2019} 39 | } 40 | ``` -------------------------------------------------------------------------------- /docs/todo.md: -------------------------------------------------------------------------------- 1 | 2 | - [ ] Different delay primitives on error-handling and cold paths 3 | - [ ] Remove AFL-LLVM-PASS from the final binary 4 | - [ ] Recover the original workflow 5 | - [ ] check overhead per component 6 | - [ ] ROP-based BranchTrap 7 | - [ ] optimize the number of injected functions 8 | - [ ] scramble existing code snippet (epilogue) for better protection 9 | 10 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/.gitignore: -------------------------------------------------------------------------------- 1 | afl-analyze 2 | afl-clang-fast 3 | afl-clang-fast++ 4 | afl-as 5 | afl-clang 6 | afl-clang++ 7 | afl-fuzz 8 | afl-g++ 9 | afl-gcc 10 | afl-gotcpu 11 | afl-showmap 12 | afl-tmin 13 | afl-llvm-pass.so 14 | afl-llvm-rt-32.o 15 | afl-llvm-rt-64.o 16 | afl-llvm-rt.o 17 | as 18 | .gdb_history 19 | *.ll 20 | *.bc 21 | *llvm-COV-hash 22 | *.dwo 23 | tmp_log 24 | .test-instr0.2 25 | .test-instr1.2 26 | afl-qemu-trace 27 | qemu_mode/qemu-2.3.0/ 28 | qemu_mode/qemu-2.3.0.tar.bz2 29 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.txt -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/README: -------------------------------------------------------------------------------- 1 | docs/README -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/README.hh: -------------------------------------------------------------------------------- 1 | Modified AFL that inserts an extra map into the instrumented binary, alongside the standard coverage map, to record the hit count of each basic block. 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/README.dictionaries: -------------------------------------------------------------------------------- 1 | ================ 2 | AFL dictionaries 3 | ================ 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | This subdirectory contains a set of dictionaries that can be used in 8 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 9 | grammar of some of the more verbose data formats or languages. The basic 10 | principle behind the operation of fuzzer dictionaries is outlined in section 9 11 | of the "main" README for the project. 12 | 13 | Custom dictionaries can be added at will. They should consist of a 14 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 15 | to clobber together in various ways. Snippets between 2 and 16 bytes are usually 16 | the sweet spot. 17 | 18 | Custom dictionaries can be created in two ways: 19 | 20 | - By creating a new directory and placing each token in a separate file, in 21 | which case, there is no need to escape or otherwise format the data. 
22 | 23 | - By creating a flat text file where tokens are listed one per line in the 24 | format of name="value". The alphanumeric name is ignored and can be omitted, 25 | although it is a convenient way to document the meaning of a particular 26 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 27 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 28 | shorthands are recognized, too). 29 | 30 | The fuzzer auto-selects the appropriate mode depending on whether the -x 31 | parameter is a file or a directory. 32 | 33 | In the file mode, every name field can be optionally followed by @, e.g.: 34 | 35 | keyword_foo@1 = "foo" 36 | 37 | Such entries will be loaded only if the requested dictionary level is equal or 38 | higher than this number. The default level is zero; a higher value can be set 39 | by appending @ to the dictionary file name, like so: 40 | 41 | -x path/to/dictionary.dct@2 42 | 43 | Good examples of dictionaries can be found in xml.dict and png.dict. 
44 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 
6 | # 7 | # Inspired by a dictionary by Jakub Wilk 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just 
the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/dictionaries/xml.dict: 
-------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | ===================== 2 | AFL quick start guide 3 | 
===================== 4 | 5 | You should read docs/README. It's pretty short. If you really can't, here's 6 | how to hit the ground running: 7 | 8 | 1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips. 9 | 10 | 2) Find or write a reasonably fast and simple program that takes data from 11 | a file or stdin, processes it in a test-worthy way, then exits cleanly. 12 | If testing a network service, modify it to run in the foreground and read 13 | from stdin. When fuzzing a format that uses checksums, comment out the 14 | checksum verification code, too (in a fuzzing-only build: never ship or deploy a binary with its integrity checks disabled). 15 | 16 | The program must crash properly when a fault is encountered. Watch out for 17 | custom SIGSEGV or SIGABRT handlers and background processes. For tips on 18 | detecting non-crashing flaws, see section 11 in docs/README. 19 | 20 | 3) Compile the program / library to be fuzzed using afl-gcc. A common way to 21 | do this would be: 22 | 23 | CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared 24 | make clean all 25 | 26 | If program build fails, contact the AFL maintainers. 27 | 28 | 4) Get a small but valid input file that makes sense to the program. When 29 | fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in 30 | dictionaries/README.dictionaries, too. 31 | 32 | 5) If the program reads from stdin, run 'afl-fuzz' like so: 33 | 34 | ./afl-fuzz -i testcase_dir -o findings_dir -- \ 35 | /path/to/tested/program [...program's cmdline...] 36 | 37 | If the program takes input from a file, you can put @@ in the program's 38 | command line; AFL will put an auto-generated file name in there for you. 39 | 40 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting 41 | docs/status_screen.txt. 42 | 43 | That's it. 
Sit back, relax, and - time permitting - try to skim through the 44 | following files: 45 | 46 | - docs/README - A general introduction to AFL, 47 | - docs/perf_tips.txt - Simple tips on how to fuzz more quickly, 48 | - docs/status_screen.txt - An explanation of the tidbits shown in the UI, 49 | - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores. 50 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/visualization/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/visualization/afl_gzip.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-bad-ptr.sql: -------------------------------------------------------------------------------- 1 | SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE""""""""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='00000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr1.sql: -------------------------------------------------------------------------------- 1 | create table t0(t);insert into t0 2 | select strftime(); 3 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr10.sql: -------------------------------------------------------------------------------- 1 | SELECT fts3_tokenizer(@0()); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr11.sql: -------------------------------------------------------------------------------- 1 | select''like''like''like#0; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr12.sql: -------------------------------------------------------------------------------- 1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr13.sql: -------------------------------------------------------------------------------- 1 | WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 
VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr2.sql: -------------------------------------------------------------------------------- 1 | DETACH(select group_concat(q)); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr3.sql: -------------------------------------------------------------------------------- 1 | select(select strftime()); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr5.sql: -------------------------------------------------------------------------------- 1 | select e.*,0 from(s,(L))e; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr7.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t USING fts4(tokenize=); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr8.sql: 
-------------------------------------------------------------------------------- 1 | CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-null-ptr9.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-stack-exhaustion.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(content=t0); 2 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-unint-mem.sql: -------------------------------------------------------------------------------- 1 | REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/strings-stack-overflow -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/tcpdump-ppp-crash.pcap 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-bbcheck/docs/vuln_samples/unzip-t-mem-corruption.zip -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/experimental/README.experiments: -------------------------------------------------------------------------------- 1 | Here's a quick overview of the stuff you can find in this directory: 2 | 3 | - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed 4 | (e.g., to test setuid programs). 5 | 6 | - asan_cgroups - a contributed script to simplify fuzzing ASAN 7 | binaries with robust memory limits on Linux. 8 | 9 | - bash_shellshock - a simple hack used to find a bunch of 10 | post-Shellshock bugs in bash. 11 | 12 | - canvas_harness - a test harness used to find browser bugs with a 13 | corpus generated using simple image parsing 14 | binaries & afl-fuzz. 15 | 16 | - clang_asm_normalize - a script that makes it easy to instrument 17 | hand-written assembly, provided that you have clang. 18 | 19 | - crash_triage - a very rudimentary example of how to annotate crashes 20 | with additional gdb metadata. 21 | 22 | - distributed_fuzzing - a sample script for synchronizing fuzzer instances 23 | across multiple machines (see parallel_fuzzing.txt). 
24 | 25 | - libpng_no_checksum - a sample patch for removing CRC checks in libpng. 26 | 27 | - persistent_demo - an example of how to use the LLVM persistent process 28 | mode to speed up certain fuzzing jobs. 29 | 30 | - post_library - an example of how to build postprocessors for AFL. 31 | 32 | Note that the minimize_corpus.sh tool has graduated from the experimental/ 33 | directory and is now available as ../afl-cmin. The LLVM mode has likewise 34 | graduated to ../llvm_mode/*. 35 | 36 | Most of the tools in this directory are meant chiefly as examples that need to 37 | be tweaked for your specific needs. They come with some basic documentation, 38 | but are not necessarily production-grade. 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/experimental/argv_fuzzing/argv-fuzz-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - sample argv fuzzing wrapper 3 | ------------------------------------------------ 4 | 5 | Written by Michal Zalewski 6 | 7 | Copyright 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | This file shows a simple way to fuzz command-line parameters with stock 16 | afl-fuzz. To use, add: 17 | 18 | #include "/path/to/argv-fuzz-inl.h" 19 | 20 | ...to the file containing main(), ideally placing it after all the 21 | standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of 22 | main(). 23 | 24 | This will cause the program to read NUL-delimited input from stdin and 25 | put it in argv[]. Two subsequent NULs terminate the array. Empty 26 | params are encoded as a lone 0x02. Lone 0x02 can't be generated, but 27 | that shouldn't matter in real life. 
28 | 29 | If you would like to always preserve argv[0], use this instead: 30 | AFL_INIT_SET0("prog_name"); 31 | 32 | */ 33 | 34 | #ifndef _HAVE_ARGV_FUZZ_INL 35 | #define _HAVE_ARGV_FUZZ_INL 36 | 37 | #include 38 | 39 | #define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0) 40 | 41 | #define AFL_INIT_SET0(_p) do { \ 42 | argv = afl_init_argv(&argc); \ 43 | argv[0] = (_p); \ 44 | if (!argc) argc = 1; \ 45 | } while (0) 46 | 47 | #define MAX_CMDLINE_LEN 100000 48 | #define MAX_CMDLINE_PAR 1000 49 | 50 | static char** afl_init_argv(int* argc) { 51 | 52 | static char in_buf[MAX_CMDLINE_LEN]; 53 | static char* ret[MAX_CMDLINE_PAR]; 54 | 55 | char* ptr = in_buf; 56 | int rc = 0; 57 | 58 | if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0); 59 | 60 | while (*ptr) { 61 | 62 | ret[rc] = ptr; 63 | if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; 64 | rc++; 65 | 66 | while (*ptr) ptr++; 67 | ptr++; 68 | 69 | } 70 | 71 | *argc = rc; 72 | 73 | return ret; 74 | 75 | } 76 | 77 | #undef MAX_CMDLINE_LEN 78 | #undef MAX_CMDLINE_PAR 79 | 80 | #endif /* !_HAVE_ARGV_FUZZ_INL */ 81 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/experimental/bash_shellshock/shellshock-fuzz.diff: -------------------------------------------------------------------------------- 1 | This patch shows a very simple way to find post-Shellshock bugs in bash, as 2 | discussed here: 3 | 4 | http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html 5 | 6 | In essence, it shows a way to fuzz environmental variables. Instructions: 7 | 8 | 1) Download bash 4.3, apply this patch, compile with: 9 | 10 | CC=/path/to/afl-gcc ./configure 11 | make clean all 12 | 13 | Note that the harness puts the fuzzed output in $TEST_VARIABLE. With 14 | Florian's Shellshock patch (bash43-028), this is no longer passed down 15 | to the parser. 
16 | 17 | 2) Create and cd to an empty directory, put the compiled bash binary in 18 | there, and run these commands: 19 | 20 | mkdir in_dir 21 | echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt 22 | 23 | 3) Run the fuzzer with: 24 | 25 | /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c : 26 | 27 | The -d parameter is advisable only if the tested shell is fairly slow 28 | or if you are in a hurry; will cover more ground faster, but 29 | less systematically. 30 | 31 | 4) Watch for crashes in out_dir/crashes/. Also watch for any new files 32 | created in cwd if you're interested in non-crash RCEs (files will be 33 | created whenever the shell executes "foo>bar" or something like 34 | that). You can correlate their creation date with new entries in 35 | out_dir/queue/. 36 | 37 | You can also modify the bash binary to directly check for more subtle 38 | fault conditions, or use the synthesized entries in out_dir/queue/ 39 | as a seed for other, possibly slower or more involved testing regimes. 40 | 41 | Expect several hours to get decent coverage. 42 | 43 | --- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100 44 | +++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200 45 | @@ -371,6 +371,14 @@ 46 | env = environ; 47 | #endif /* __OPENNT */ 48 | 49 | + { 50 | + 51 | + static char val[1024 * 16]; 52 | + read(0, val, sizeof(val) - 1); 53 | + setenv("TEST_VARIABLE", val, 1); 54 | + 55 | + } 56 | + 57 | USE_VAR(argc); 58 | USE_VAR(argv); 59 | USE_VAR(env); 60 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/experimental/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | 
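Review bot: The return value of `read(0, val, sizeof(val) - 1);` is discarded, so a failed or short read leaves val holding whatever was there before, and the only reason setenv() still receives a NUL-terminated string is that val is static and therefore zero-filled. That reliance is invisible at the call site; either comment the declaration, `static char val[1024 * 16]; /* static: zero-filled, so always NUL-terminated for setenv() */`, or make the failure path explicit with `if (read(0, val, sizeof(val) - 1) < 0) val[0] = 0;`. The enclosing function of shell.c begins and ends outside the hunk.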
@@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libdislocator.so 25 | 26 | libdislocator.so: libdislocator.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libdislocator.so 34 | 35 | install: all 36 | install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/libtokencap/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libtokencap 3 | # -------------------------------- 4 | # 5 | # Written by Michal 
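Review bot: `return ((int)(1 != 1));` is an obscure way of writing `return 0;`, and a reader has to work out that the CRC check now unconditionally reports success after the mismatch was only logged. Suggest `return 0; /* fuzzing build: CRC mismatches are logged above but never rejected */` so the intent is stated at the return rather than hidden in a constant expression. The enclosing function's start and end lie outside the hunk.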
Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libtokencap.so 25 | 26 | libtokencap.so: libtokencap.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libtokencap.so 34 | 35 | install: all 36 | install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/qemu_mode/patches/cpu-exec.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/cpu-exec.c.orig 2014-12-09 14:45:40.000000000 +0000 2 | +++ qemu-2.3.0/cpu-exec.c 2015-02-20 22:07:02.966000000 +0000 3 | @@ -28,6 +28,8 @@ 4 | #include "exec/memory-internal.h" 5 | #include "qemu/rcu.h" 6 | 7 | +#include "../patches/afl-qemu-cpu-inl.h" 8 | + 9 | /* -icount align implementation. */ 10 | 11 | typedef struct SyncClocks { 12 | @@ -296,8 +298,11 @@ 13 | } 14 | not_found: 15 | /* if no translated code available, then translate it now */ 16 | + 17 | tb = tb_gen_code(cpu, pc, cs_base, flags, 0); 18 | 19 | + AFL_QEMU_CPU_SNIPPET1; 20 | + 21 | found: 22 | /* Move the last found TB to the head of the list */ 23 | if (likely(*ptb1)) { 24 | 
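Review bot: `AFL_QEMU_CPU_SNIPPET1;` placed after `tb_gen_code(...)`, and `AFL_QEMU_CPU_SNIPPET2;` in the following hunk, give a reader of cpu-exec.c no indication of what is being hooked at those points; a one-line comment at each, e.g. `/* AFL instrumentation hook, defined in afl-qemu-cpu-inl.h */`, would make the instrumentation sites findable without opening the header. That the first hook concerns a newly translated block is my inference from its position right after tb_gen_code; confirm against the header before wording the comment that way. The `#include "../patches/afl-qemu-cpu-inl.h"` in the first hunk also hard-codes a path relative to the QEMU source tree, so the patched tree only builds in the layout the build script produces, which is worth saying in a comment next to the include. The enclosing functions start and end outside the hunks.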
@@ -492,6 +497,9 @@ 25 | next_tb = 0; 26 | tcg_ctx.tb_ctx.tb_invalidated_flag = 0; 27 | } 28 | + 29 | + AFL_QEMU_CPU_SNIPPET2; 30 | + 31 | if (qemu_loglevel_mask(CPU_LOG_EXEC)) { 32 | qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n", 33 | tb->tc_ptr, tb->pc, lookup_symbol(tb->pc)); 34 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/qemu_mode/patches/elfload.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/linux-user/elfload.c.orig 2014-12-09 14:45:42.000000000 +0000 2 | +++ qemu-2.3.0/linux-user/elfload.c 2015-01-28 02:51:23.719000000 +0000 3 | @@ -28,6 +28,8 @@ 4 | 5 | #define ELF_OSABI ELFOSABI_SYSV 6 | 7 | +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code; 8 | + 9 | /* from personality.h */ 10 | 11 | /* 12 | @@ -1889,6 +1891,8 @@ 13 | info->brk = 0; 14 | info->elf_flags = ehdr->e_flags; 15 | 16 | + if (!afl_entry_point) afl_entry_point = info->entry; 17 | + 18 | for (i = 0; i < ehdr->e_phnum; i++) { 19 | struct elf_phdr *eppnt = phdr + i; 20 | if (eppnt->p_type == PT_LOAD) { 21 | @@ -1922,9 +1926,11 @@ 22 | if (elf_prot & PROT_EXEC) { 23 | if (vaddr < info->start_code) { 24 | info->start_code = vaddr; 25 | + if (!afl_start_code) afl_start_code = vaddr; 26 | } 27 | if (vaddr_ef > info->end_code) { 28 | info->end_code = vaddr_ef; 29 | + if (!afl_end_code) afl_end_code = vaddr_ef; 30 | } 31 | } 32 | if (elf_prot & PROT_WRITE) { 33 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/qemu_mode/patches/syscall.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/linux-user/syscall.c.orig 2014-12-09 14:45:43.000000000 +0000 2 | +++ qemu-2.3.0/linux-user/syscall.c 2015-03-27 06:33:00.736000000 +0000 3 | 
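Review bot: In the third elfload.c hunk, `if (!afl_start_code) afl_start_code = vaddr;` records only the first executable segment that lowers info->start_code, whereas the adjacent `info->start_code = vaddr;` keeps tracking the minimum across all PT_LOAD segments; `afl_end_code` has the same first-wins asymmetry. If the zero guard exists only to preserve a value pre-set elsewhere (the externs in the first hunk suggest that), the intent deserves a comment; if the AFL bounds are meant to mirror info->start_code/end_code, use `if (!afl_start_code || vaddr < afl_start_code) afl_start_code = vaddr;` and `if (!afl_end_code || vaddr_ef > afl_end_code) afl_end_code = vaddr_ef;`. The enclosing function begins and ends outside the hunks.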
@@ -227,7 +227,21 @@ 4 | _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo) 5 | _syscall3(int,sys_syslog,int,type,char*,bufp,int,len) 6 | #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill) 7 | -_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig) 8 | + 9 | +extern unsigned int afl_forksrv_pid; 10 | + 11 | +static int sys_tgkill(int tgid, int pid, int sig) { 12 | + 13 | + /* Workaround for -lpthread to make abort() work properly, without 14 | + killing the forkserver due to a prematurely cached PID. */ 15 | + 16 | + if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) 17 | + pid = tgid = getpid(); 18 | + 19 | + return syscall(__NR_sys_tgkill, pid, tgid, sig); 20 | + 21 | +} 22 | + 23 | #endif 24 | #if defined(TARGET_NR_tkill) && defined(__NR_tkill) 25 | _syscall2(int,sys_tkill,int,tid,int,sig) 26 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/qemu_mode/patches/translate-all.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/translate-all.c.orig 2014-12-09 14:45:46.000000000 +0000 2 | +++ qemu-2.3.0/translate-all.c 2015-01-28 22:37:42.383000000 +0000 3 | 
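Review bot: The replacement `sys_tgkill` forwards its arguments to the kernel in a different order from the `_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig)` declaration it removes: that macro forwarded (tgid, pid, sig), while the new line is `return syscall(__NR_sys_tgkill, pid, tgid, sig);`. For the single-threaded forkserver case the two values coincide, so nothing breaks, but for a multi-threaded target the thread id would be sent as the thread-group id. Unless the swap is deliberate, `return syscall(__NR_sys_tgkill, tgid, pid, sig);` preserves the original semantics; the `afl_forksrv_pid == pid` comparison also mixes unsigned and int and would read better with an explicit cast. The new function is complete within the hunk.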
@@ -393,8 +393,13 @@ 4 | /* We can't use g_malloc because it may recurse into a locked mutex. */ 5 | # define ALLOC(P, SIZE) \ 6 | do { \ 7 | - P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 8 | - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 9 | + void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 10 | + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 11 | + if (_tmp == (void*)-1) { \ 12 | + qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \ 13 | + exit(1); \ 14 | + } \ 15 | + (P) = _tmp; \ 16 | } while (0) 17 | #else 18 | # define ALLOC(P, SIZE) \ 19 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - a trivial program to test the build 3 | -------------------------------------------------------- 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2014 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | int main(int argc, char** argv) { 22 | 23 | char buf[8]; 24 | 25 | if (read(0, buf, 8) < 1) { 26 | printf("Hum?\n"); 27 | exit(1); 28 | } 29 | 30 | if (buf[0] == '0') 31 | printf("Looks like a zero to me!\n"); 32 | else 33 | printf("A non-zero value? 
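Review bot: `if (_tmp == (void*)-1)` spells the mmap() failure value by hand; `if (_tmp == MAP_FAILED)` is the portable form and is what readers of mmap() code look for. The name `_tmp` also begins with an underscore, and since the macro can be expanded at file scope that risks colliding with implementation-reserved identifiers; a name such as `alloc_tmp` avoids it. The macro is complete within the hunk.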
How quaint!\n"); 34 | 35 | exit(0); 36 | 37 | } 38 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-bbcheck/test.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - a trivial program to test the build 3 | -------------------------------------------------------- 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2014 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | int main(int argc, char** argv) { 22 | 23 | char buf[8]; 24 | 25 | if (read(0, buf, 8) < 1) { 26 | printf("Hum?\n"); 27 | exit(1); 28 | } 29 | 30 | if (buf[0] == '0') 31 | printf("Looks like a zero to me!\n"); 32 | else 33 | printf("A non-zero value? 
How quaint!\n"); 34 | 35 | if (buf[0] == '1'){ 36 | printf("1\n"); 37 | } 38 | 39 | if (buf[0] == '2'){ 40 | printf("2\n"); 41 | } 42 | 43 | if (buf[0] == '3'){ 44 | printf("3\n"); 45 | } 46 | 47 | if (buf[0] == '4'){ 48 | printf("4\n"); 49 | } 50 | 51 | exit(0); 52 | 53 | } 54 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | docs/QuickStartGuide.txt -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/README: -------------------------------------------------------------------------------- 1 | docs/README -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/README.dictionaries: -------------------------------------------------------------------------------- 1 | ================ 2 | AFL dictionaries 3 | ================ 4 | 5 | (See ../docs/README for the general instruction manual.) 6 | 7 | This subdirectory contains a set of dictionaries that can be used in 8 | conjunction with the -x option to allow the fuzzer to effortlessly explore the 9 | grammar of some of the more verbose data formats or languages. The basic 10 | principle behind the operation of fuzzer dictionaries is outlined in section 9 11 | of the "main" README for the project. 12 | 13 | Custom dictionaries can be added at will. They should consist of a 14 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try 15 | to clobber together in various ways. Snippets between 2 and 16 bytes are usually 16 | the sweet spot. 17 | 18 | Custom dictionaries can be created in two ways: 19 | 20 | - By creating a new directory and placing each token in a separate file, in 21 | which case, there is no need to escape or otherwise format the data. 
22 | 23 | - By creating a flat text file where tokens are listed one per line in the 24 | format of name="value". The alphanumeric name is ignored and can be omitted, 25 | although it is a convenient way to document the meaning of a particular 26 | token. The value must appear in quotes, with hex escaping (\xNN) applied to 27 | all non-printable, high-bit, or otherwise problematic characters (\\ and \" 28 | shorthands are recognized, too). 29 | 30 | The fuzzer auto-selects the appropriate mode depending on whether the -x 31 | parameter is a file or a directory. 32 | 33 | In the file mode, every name field can optionally be followed by @ and a level number, e.g.: 34 | 35 | keyword_foo@1 = "foo" 36 | 37 | Such entries will be loaded only if the requested dictionary level is equal to or 38 | higher than this number. The default level is zero; a higher value can be set 39 | by appending @ and the level number to the dictionary file name, like so: 40 | 41 | -x path/to/dictionary.dct@2 42 | 43 | Good examples of dictionaries can be found in xml.dict and png.dict. 
44 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/gif.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for GIF images 3 | # ----------------------------- 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_87a="87a" 9 | header_89a="89a" 10 | header_gif="GIF" 11 | 12 | marker_2c="," 13 | marker_3b=";" 14 | 15 | section_2101="!\x01\x12" 16 | section_21f9="!\xf9\x04" 17 | section_21fe="!\xfe" 18 | section_21ff="!\xff\x11" 19 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/json.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JSON 3 | # ----------------------- 4 | # 5 | # Just the very basics. 
6 | # 7 | # Inspired by a dictionary by Jakub Wilk 8 | # 9 | 10 | "0" 11 | ",0" 12 | ":0" 13 | "0:" 14 | "-1.2e+3" 15 | 16 | "true" 17 | "false" 18 | "null" 19 | 20 | "\"\"" 21 | ",\"\"" 22 | ":\"\"" 23 | "\"\":" 24 | 25 | "{}" 26 | ",{}" 27 | ":{}" 28 | "{\"\":0}" 29 | "{{}}" 30 | 31 | "[]" 32 | ",[]" 33 | ":[]" 34 | "[0]" 35 | "[[]]" 36 | 37 | "''" 38 | "\\" 39 | "\\b" 40 | "\\f" 41 | "\\n" 42 | "\\r" 43 | "\\t" 44 | "\\u0000" 45 | "\\x00" 46 | "\\0" 47 | "\\uD800\\uDC00" 48 | "\\uDBFF\\uDFFF" 49 | 50 | "\"\":0" 51 | "//" 52 | "/**/" 53 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/png.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for PNG images 3 | # ----------------------------- 4 | # 5 | # Just the basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_png="\x89PNG\x0d\x0a\x1a\x0a" 12 | 13 | section_IDAT="IDAT" 14 | section_IEND="IEND" 15 | section_IHDR="IHDR" 16 | section_PLTE="PLTE" 17 | section_bKGD="bKGD" 18 | section_cHRM="cHRM" 19 | section_fRAc="fRAc" 20 | section_gAMA="gAMA" 21 | section_gIFg="gIFg" 22 | section_gIFt="gIFt" 23 | section_gIFx="gIFx" 24 | section_hIST="hIST" 25 | section_iCCP="iCCP" 26 | section_iTXt="iTXt" 27 | section_oFFs="oFFs" 28 | section_pCAL="pCAL" 29 | section_pHYs="pHYs" 30 | section_sBIT="sBIT" 31 | section_sCAL="sCAL" 32 | section_sPLT="sPLT" 33 | section_sRGB="sRGB" 34 | section_sTER="sTER" 35 | section_tEXt="tEXt" 36 | section_tIME="tIME" 37 | section_tRNS="tRNS" 38 | section_zTXt="zTXt" 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/tiff.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for TIFF images 3 | # ------------------------------ 4 | # 5 | # Just the 
basic, standard-originating sections; does not include vendor 6 | # extensions. 7 | # 8 | # Created by Michal Zalewski 9 | # 10 | 11 | header_ii="II*\x00" 12 | header_mm="MM\x00*" 13 | 14 | section_100="\x00\x01" 15 | section_101="\x01\x01" 16 | section_102="\x02\x01" 17 | section_103="\x03\x01" 18 | section_106="\x06\x01" 19 | section_107="\x07\x01" 20 | section_10D="\x0d\x01" 21 | section_10E="\x0e\x01" 22 | section_10F="\x0f\x01" 23 | section_110="\x10\x01" 24 | section_111="\x11\x01" 25 | section_112="\x12\x01" 26 | section_115="\x15\x01" 27 | section_116="\x16\x01" 28 | section_117="\x17\x01" 29 | section_11A="\x1a\x01" 30 | section_11B="\x1b\x01" 31 | section_11C="\x1c\x01" 32 | section_11D="\x1d\x01" 33 | section_11E="\x1e\x01" 34 | section_11F="\x1f\x01" 35 | section_122="\"\x01" 36 | section_123="#\x01" 37 | section_124="$\x01" 38 | section_125="%\x01" 39 | section_128="(\x01" 40 | section_129=")\x01" 41 | section_12D="-\x01" 42 | section_131="1\x01" 43 | section_132="2\x01" 44 | section_13B=";\x01" 45 | section_13C="<\x01" 46 | section_13D="=\x01" 47 | section_13E=">\x01" 48 | section_13F="?\x01" 49 | section_140="@\x01" 50 | section_FE="\xfe\x00" 51 | section_FF="\xff\x00" 52 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/webp.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for WebP images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_RIFF="RIFF" 9 | header_WEBP="WEBP" 10 | 11 | section_ALPH="ALPH" 12 | section_ANIM="ANIM" 13 | section_ANMF="ANMF" 14 | section_EXIF="EXIF" 15 | section_FRGM="FRGM" 16 | section_ICCP="ICCP" 17 | section_VP8="VP8 " 18 | section_VP8L="VP8L" 19 | section_VP8X="VP8X" 20 | section_XMP="XMP " 21 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/dictionaries/xml.dict: 
-------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for XML 3 | # ---------------------- 4 | # 5 | # Several basic syntax elements and attributes, modeled on libxml2. 6 | # 7 | # Created by Michal Zalewski 8 | # 9 | 10 | attr_encoding=" encoding=\"1\"" 11 | attr_generic=" a=\"1\"" 12 | attr_href=" href=\"1\"" 13 | attr_standalone=" standalone=\"no\"" 14 | attr_version=" version=\"1\"" 15 | attr_xml_base=" xml:base=\"1\"" 16 | attr_xml_id=" xml:id=\"1\"" 17 | attr_xml_lang=" xml:lang=\"1\"" 18 | attr_xml_space=" xml:space=\"1\"" 19 | attr_xmlns=" xmlns=\"1\"" 20 | 21 | entity_builtin="<" 22 | entity_decimal="" 23 | entity_external="&a;" 24 | entity_hex="" 25 | 26 | string_any="ANY" 27 | string_brackets="[]" 28 | string_cdata="CDATA" 29 | string_col_fallback=":fallback" 30 | string_col_generic=":a" 31 | string_col_include=":include" 32 | string_dashes="--" 33 | string_empty="EMPTY" 34 | string_empty_dblquotes="\"\"" 35 | string_empty_quotes="''" 36 | string_entities="ENTITIES" 37 | string_entity="ENTITY" 38 | string_fixed="#FIXED" 39 | string_id="ID" 40 | string_idref="IDREF" 41 | string_idrefs="IDREFS" 42 | string_implied="#IMPLIED" 43 | string_nmtoken="NMTOKEN" 44 | string_nmtokens="NMTOKENS" 45 | string_notation="NOTATION" 46 | string_parentheses="()" 47 | string_pcdata="#PCDATA" 48 | string_percent="%a" 49 | string_public="PUBLIC" 50 | string_required="#REQUIRED" 51 | string_schema=":schema" 52 | string_system="SYSTEM" 53 | string_ucs4="UCS-4" 54 | string_utf16="UTF-16" 55 | string_utf8="UTF-8" 56 | string_xmlns="xmlns:" 57 | 58 | tag_attlist="" 61 | tag_doctype="" 68 | tag_open_close="" 69 | tag_open_exclamation="" 72 | tag_xml_q="" 73 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/QuickStartGuide.txt: -------------------------------------------------------------------------------- 1 | ===================== 2 | AFL quick start guide 3 | 
===================== 4 | 5 | You should read docs/README. It's pretty short. If you really can't, here's 6 | how to hit the ground running: 7 | 8 | 1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips. 9 | 10 | 2) Find or write a reasonably fast and simple program that takes data from 11 | a file or stdin, processes it in a test-worthy way, then exits cleanly. 12 | If testing a network service, modify it to run in the foreground and read 13 | from stdin. When fuzzing a format that uses checksums, comment out the 14 | checksum verification code, too. 15 | 16 | The program must crash properly when a fault is encountered. Watch out for 17 | custom SIGSEGV or SIGABRT handlers and background processes. For tips on 18 | detecting non-crashing flaws, see section 11 in docs/README. 19 | 20 | 3) Compile the program / library to be fuzzed using afl-gcc. A common way to 21 | do this would be: 22 | 23 | CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared 24 | make clean all 25 | 26 | If program build fails, ping . 27 | 28 | 4) Get a small but valid input file that makes sense to the program. When 29 | fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in 30 | dictionaries/README.dictionaries, too. 31 | 32 | 5) If the program reads from stdin, run 'afl-fuzz' like so: 33 | 34 | ./afl-fuzz -i testcase_dir -o findings_dir -- \ 35 | /path/to/tested/program [...program's cmdline...] 36 | 37 | If the program takes input from a file, you can put @@ in the program's 38 | command line; AFL will put an auto-generated file name in there for you. 39 | 40 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting 41 | docs/status_screen.txt. 42 | 43 | That's it. 
Sit back, relax, and - time permitting - try to skim through the 44 | following files: 45 | 46 | - docs/README - A general introduction to AFL, 47 | - docs/perf_tips.txt - Simple tips on how to fuzz more quickly, 48 | - docs/status_screen.txt - An explanation of the tidbits shown in the UI, 49 | - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores. 50 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/visualization/afl_gzip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/visualization/afl_gzip.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/bash-cmd-exec.var: -------------------------------------------------------------------------------- 1 | () { _; } >_[$($())] { id; } -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/bash-uninit-mem.var: -------------------------------------------------------------------------------- 1 | () { x() { _; }; x() { _; } <O));insert into t0 2 | select randomblob(0)-trim(0); 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-bad-ptr.sql: -------------------------------------------------------------------------------- 1 | SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE""""""""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-bad-ptr2.sql: -------------------------------------------------------------------------------- 1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0); 2 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-bad-ptr3.sql: -------------------------------------------------------------------------------- 1 | create table t(l);PRAGMA writable_schema=ON; 2 | UPDATE sqlite_master SET sql='00000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM; 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-heap-overflow.sql: -------------------------------------------------------------------------------- 1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0 2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x; 3 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-negative-memset.sql: -------------------------------------------------------------------------------- 1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr1.sql: -------------------------------------------------------------------------------- 1 | create table t0(t);insert into t0 2 | select strftime(); 3 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr10.sql: -------------------------------------------------------------------------------- 1 | SELECT fts3_tokenizer(@0()); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr11.sql: -------------------------------------------------------------------------------- 1 | select''like''like''like#0; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr12.sql: -------------------------------------------------------------------------------- 1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr13.sql: -------------------------------------------------------------------------------- 1 | WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr14.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr15.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO 
t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check'); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr2.sql: -------------------------------------------------------------------------------- 1 | DETACH(select group_concat(q)); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr3.sql: -------------------------------------------------------------------------------- 1 | select(select strftime()); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr4.sql: -------------------------------------------------------------------------------- 1 | select n()AND+#00; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr5.sql: -------------------------------------------------------------------------------- 1 | select e.*,0 from(s,(L))e; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr6.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr6.sql -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr7.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t USING fts4(tokenize=); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr8.sql: 
-------------------------------------------------------------------------------- 1 | CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-null-ptr9.sql: -------------------------------------------------------------------------------- 1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-oob-read.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-oob-read.sql -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-oob-write.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC); 2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o'); 3 | INSERT INTO t0 VALUES(''); 4 | INSERT INTO t0 VALUES(''); 5 | INSeRT INTO t0 VALUES('o'); 6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"'; 7 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-stack-buf-overflow.sql: -------------------------------------------------------------------------------- 1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">""; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-stack-exhaustion.sql: -------------------------------------------------------------------------------- 1 | CREATE VIRTUAL TABLE t0 USING fts4(content=t0); 2 | 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-unint-mem.sql: -------------------------------------------------------------------------------- 1 | REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0); 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/sqlite-use-after-free.sql: -------------------------------------------------------------------------------- 1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t; 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-bfd-badptr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-bfd-badptr.elf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-bfd-badptr2.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-bfd-badptr2.elf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-stack-overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-stack-overflow 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-unchecked-ctr.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/strings-unchecked-ctr.elf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/tcpdump-arp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/tcpdump-arp-crash.pcap -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/tcpdump-ppp-crash.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/tcpdump-ppp-crash.pcap -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/unrtf-arbitrary-read.rtf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/unrtf-arbitrary-read.rtf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/docs/vuln_samples/unzip-t-mem-corruption.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/docs/vuln_samples/unzip-t-mem-corruption.zip 
-------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/experimental/README.experiments: -------------------------------------------------------------------------------- 1 | Here's a quick overview of the stuff you can find in this directory: 2 | 3 | - argv_fuzzing - a simple wrapper to allow cmdline to be fuzzed 4 | (e.g., to test setuid programs). 5 | 6 | - asan_cgroups - a contributed script to simplify fuzzing ASAN 7 | binaries with robust memory limits on Linux. 8 | 9 | - bash_shellshock - a simple hack used to find a bunch of 10 | post-Shellshock bugs in bash. 11 | 12 | - canvas_harness - a test harness used to find browser bugs with a 13 | corpus generated using simple image parsing 14 | binaries & afl-fuzz. 15 | 16 | - clang_asm_normalize - a script that makes it easy to instrument 17 | hand-written assembly, provided that you have clang. 18 | 19 | - crash_triage - a very rudimentary example of how to annotate crashes 20 | with additional gdb metadata. 21 | 22 | - distributed_fuzzing - a sample script for synchronizing fuzzer instances 23 | across multiple machines (see parallel_fuzzing.txt). 24 | 25 | - libpng_no_checksum - a sample patch for removing CRC checks in libpng. 26 | 27 | - persistent_demo - an example of how to use the LLVM persistent process 28 | mode to speed up certain fuzzing jobs. 29 | 30 | - post_library - an example of how to build postprocessors for AFL. 31 | 32 | Note that the minimize_corpus.sh tool has graduated from the experimental/ 33 | directory and is now available as ../afl-cmin. The LLVM mode has likewise 34 | graduated to ../llvm_mode/*. 35 | 36 | Most of the tools in this directory are meant chiefly as examples that need to 37 | be tweaked for your specific needs. They come with some basic documentation, 38 | but are not necessarily production-grade. 
39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/experimental/argv_fuzzing/argv-fuzz-inl.h: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - sample argv fuzzing wrapper 3 | ------------------------------------------------ 4 | 5 | Written by Michal Zalewski 6 | 7 | Copyright 2015 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | This file shows a simple way to fuzz command-line parameters with stock 16 | afl-fuzz. To use, add: 17 | 18 | #include "/path/to/argv-fuzz-inl.h" 19 | 20 | ...to the file containing main(), ideally placing it after all the 21 | standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of 22 | main(). 23 | 24 | This will cause the program to read NUL-delimited input from stdin and 25 | put it in argv[]. Two subsequent NULs terminate the array. Empty 26 | params are encoded as a lone 0x02. Lone 0x02 can't be generated, but 27 | that shouldn't matter in real life. 
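28 | 29 | If you would like to always preserve argv[0], use this instead: 30 | AFL_INIT_SET0("prog_name"); 31 | 32 | */ 33 | 34 | #ifndef _HAVE_ARGV_FUZZ_INL 35 | #define _HAVE_ARGV_FUZZ_INL 36 | 37 | #include 38 | 39 | #define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0) 40 | 41 | #define AFL_INIT_SET0(_p) do { \ 42 | argv = afl_init_argv(&argc); \ 43 | argv[0] = (_p); \ 44 | if (!argc) argc = 1; \ 45 | } while (0) 46 | 47 | #define MAX_CMDLINE_LEN 100000 48 | #define MAX_CMDLINE_PAR 1000 49 | 50 | /* Reads NUL-delimited parameters from stdin (fd 0) into a static argv[]-style array, stores the parameter count in *argc and returns the array. A parameter consisting of a lone 0x02 byte is turned into an empty string. The array is static, so unused slots stay NULL and the returned argv is NULL-terminated. */ static char** afl_init_argv(int* argc) { 51 | 52 | static char in_buf[MAX_CMDLINE_LEN]; 53 | static char* ret[MAX_CMDLINE_PAR]; 54 | 55 | char* ptr = in_buf; 56 | int rc = 0; 57 | 58 | /* Empty body on purpose (silences warn_unused_result). in_buf is static, hence zero-filled, and at most MAX_CMDLINE_LEN - 2 bytes are read, so the scan below always reaches two trailing NULs. */ if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0); 59 | 60 | /* Stop one slot early: without the bound, more than MAX_CMDLINE_PAR parameters would write past ret[]; keeping the last slot free also leaves ret[*argc] NULL. */ while (*ptr && rc < MAX_CMDLINE_PAR - 1) { 61 | 62 | ret[rc] = ptr; 63 | /* A lone 0x02 encodes an empty parameter: advance to its NUL. */ if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++; 64 | rc++; 65 | 66 | /* Skip to the NUL that ends this parameter, then past it. */ while (*ptr) ptr++; 67 | ptr++; 68 | 69 | } 70 | 71 | *argc = rc; 72 | 73 | return ret; 74 | 75 | } 76 | 77 | #undef MAX_CMDLINE_LEN 78 | #undef MAX_CMDLINE_PAR 79 | 80 | #endif /* !_HAVE_ARGV_FUZZ_INL */ 81 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/experimental/bash_shellshock/shellshock-fuzz.diff: -------------------------------------------------------------------------------- 1 | This patch shows a very simple way to find post-Shellshock bugs in bash, as 2 | discussed here: 3 | 4 | http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html 5 | 6 | In essence, it shows a way to fuzz environmental variables. Instructions: 7 | 8 | 1) Download bash 4.3, apply this patch, compile with: 9 | 10 | CC=/path/to/afl-gcc ./configure 11 | make clean all 12 | 13 | Note that the harness puts the fuzzed output in $TEST_VARIABLE. With 14 | Florian's Shellshock patch (bash43-028), this is no longer passed down 15 | to the parser.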
16 | 17 | 2) Create and cd to an empty directory, put the compiled bash binary in 18 | there, and run these commands: 19 | 20 | mkdir in_dir 21 | echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt 22 | 23 | 3) Run the fuzzer with: 24 | 25 | /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c : 26 | 27 | The -d parameter is advisable only if the tested shell is fairly slow 28 | or if you are in a hurry; will cover more ground faster, but 29 | less systematically. 30 | 31 | 4) Watch for crashes in out_dir/crashes/. Also watch for any new files 32 | created in cwd if you're interested in non-crash RCEs (files will be 33 | created whenever the shell executes "foo>bar" or something like 34 | that). You can correlate their creation date with new entries in 35 | out_dir/queue/. 36 | 37 | You can also modify the bash binary to directly check for more subtle 38 | fault conditions, or use the synthesized entries in out_dir/queue/ 39 | as a seed for other, possibly slower or more involved testing regimes. 40 | 41 | Expect several hours to get decent coverage. 42 | 43 | --- bash-4.3/shell.c.orig 2014-01-14 14:04:32.000000000 +0100 44 | +++ bash-4.3/shell.c 2015-04-30 05:56:46.000000000 +0200 45 | 
@@ -371,6 +371,14 @@ 46 | env = environ; 47 | #endif /* __OPENNT */ 48 | 49 | + { 50 | + 51 | + static char val[1024 * 16]; 52 | + read(0, val, sizeof(val) - 1); 53 | + setenv("TEST_VARIABLE", val, 1); 54 | + 55 | + } 56 | + 57 | USE_VAR(argc); 58 | USE_VAR(argv); 59 | USE_VAR(env); 60 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/experimental/clang_asm_normalize/as: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # american fuzzy lop - clang assembly normalizer 4 | # ---------------------------------------------- 5 | # 6 | # Written and maintained by Michal Zalewski 7 | # The idea for this wrapper comes from Ryan Govostes. 8 | # 9 | # Copyright 2013, 2014 Google Inc. All rights reserved. 10 | # 11 | # Licensed under the Apache License, Version 2.0 (the "License"); 12 | # you may not use this file except in compliance with the License. 13 | # You may obtain a copy of the License at: 14 | # 15 | # http://www.apache.org/licenses/LICENSE-2.0 16 | # 17 | # This 'as' wrapper should allow you to instrument unruly, hand-written 18 | # assembly with afl-as. 19 | # 20 | # Usage: 21 | # 22 | # export AFL_REAL_PATH=/path/to/directory/with/afl-as/ 23 | # AFL_PATH=/path/to/this/directory/ make clean all 24 | 25 | if [ "$#" -lt "2" ]; then 26 | echo "[-] Error: this utility can't be called directly." 1>&2 27 | exit 1 28 | fi 29 | 30 | if [ "$AFL_REAL_PATH" = "" ]; then 31 | echo "[-] Error: AFL_REAL_PATH not set!" 1>&2 32 | exit 1 33 | fi 34 | 35 | if [ ! -x "$AFL_REAL_PATH/afl-as" ]; then 36 | echo "[-] Error: AFL_REAL_PATH does not contain the 'afl-as' binary." 1>&2 37 | exit 1 38 | fi 39 | 40 | unset __AFL_AS_CMDLINE __AFL_FNAME 41 | 42 | while [ ! 
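Review bot: The result of `read(0, val, sizeof(val) - 1);` is discarded, so a failed or empty read silently leaves TEST_VARIABLE empty and the shell is then exercised with nothing fuzzed; the reason this is still memory-safe is not visible either. A comment next to the read would cover both: `/* val is static (zero-filled), so a short or failed read still leaves a NUL-terminated string */`. Note also that setenv() stops at the first NUL byte, so any input bytes after an embedded NUL never reach the parser, which is worth stating in the instructions above the patch. The enclosing function starts and ends outside the hunk.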
"$#" = "0" ]; do 43 | 44 | if [ "$#" = "1" ]; then 45 | __AFL_FNAME="$1" 46 | else 47 | __AFL_AS_CMDLINE="${__AFL_AS_CMDLINE} $1" 48 | fi 49 | 50 | shift 51 | 52 | done 53 | 54 | test "$TMPDIR" = "" && TMPDIR=/tmp 55 | 56 | TMPFILE=`mktemp $TMPDIR/.afl-XXXXXXXXXX.s` 57 | 58 | test "$TMPFILE" = "" && exit 1 59 | 60 | clang -cc1as -filetype asm -output-asm-variant 0 "${__AFL_FNAME}" >"$TMPFILE" 61 | 62 | ERR="$?" 63 | 64 | if [ ! "$ERR" = "0" ]; then 65 | rm -f "$TMPFILE" 66 | exit $ERR 67 | fi 68 | 69 | "$AFL_REAL_PATH/afl-as" ${__AFL_AS_CMDLINE} "$TMPFILE" 70 | 71 | ERR="$?" 72 | 73 | rm -f "$TMPFILE" 74 | 75 | exit "$ERR" 76 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/experimental/libpng_no_checksum/libpng-nocrc.patch: -------------------------------------------------------------------------------- 1 | --- pngrutil.c.orig 2014-06-12 03:35:16.000000000 +0200 2 | +++ pngrutil.c 2014-07-01 05:08:31.000000000 +0200 3 | 
@@ -268,7 +268,11 @@ 4 | if (need_crc != 0) 5 | { 6 | crc = png_get_uint_32(crc_bytes); 7 | - return ((int)(crc != png_ptr->crc)); 8 | + 9 | + if (crc != png_ptr->crc) 10 | + fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc); 11 | + 12 | + return ((int)(1 != 1)); 13 | } 14 | 15 | else 16 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/libdislocator/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libdislocator 3 | # ---------------------------------- 4 | # 5 | # Written by Michal Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libdislocator.so 25 | 26 | libdislocator.so: libdislocator.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libdislocator.so 34 | 35 | install: all 36 | install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/libtokencap/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # american fuzzy lop - libtokencap 3 | # -------------------------------- 4 | # 5 | # Written by Michal 
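Review bot: `return ((int)(1 != 1));` on the new side is an obscure spelling of `return 0;` and reads as if a comparison were still being made; `return 0; /* fuzzing build: a CRC mismatch is reported above but never rejected */` states what the patch actually does. The `fprintf` also fires for every mismatching chunk, which is useful when fixing up a single file by hand but noisy if stderr is kept during a fuzzing run; gating it on an environment variable would keep both uses. The enclosing function starts and ends outside the hunk.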
Zalewski 6 | # 7 | # Copyright 2016 Google Inc. All rights reserved. 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at: 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | 16 | PREFIX ?= /usr/local 17 | HELPER_PATH = $(PREFIX)/lib/afl 18 | 19 | VERSION = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2) 20 | 21 | CFLAGS ?= -O3 -funroll-loops 22 | CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign 23 | 24 | all: libtokencap.so 25 | 26 | libtokencap.so: libtokencap.so.c ../config.h 27 | $(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS) 28 | 29 | .NOTPARALLEL: clean 30 | 31 | clean: 32 | rm -f *.o *.so *~ a.out core core.[1-9][0-9]* 33 | rm -f libtokencap.so 34 | 35 | install: all 36 | install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH) 37 | install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH) 38 | 39 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/qemu_mode/patches/cpu-exec.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/cpu-exec.c.orig 2014-12-09 14:45:40.000000000 +0000 2 | +++ qemu-2.3.0/cpu-exec.c 2015-02-20 22:07:02.966000000 +0000 3 | @@ -28,6 +28,8 @@ 4 | #include "exec/memory-internal.h" 5 | #include "qemu/rcu.h" 6 | 7 | +#include "../patches/afl-qemu-cpu-inl.h" 8 | + 9 | /* -icount align implementation. */ 10 | 11 | typedef struct SyncClocks { 12 | @@ -296,8 +298,11 @@ 13 | } 14 | not_found: 15 | /* if no translated code available, then translate it now */ 16 | + 17 | tb = tb_gen_code(cpu, pc, cs_base, flags, 0); 18 | 19 | + AFL_QEMU_CPU_SNIPPET1; 20 | + 21 | found: 22 | /* Move the last found TB to the head of the list */ 23 | if (likely(*ptb1)) { 24 | 
@@ -492,6 +497,9 @@ 25 | next_tb = 0; 26 | tcg_ctx.tb_ctx.tb_invalidated_flag = 0; 27 | } 28 | + 29 | + AFL_QEMU_CPU_SNIPPET2; 30 | + 31 | if (qemu_loglevel_mask(CPU_LOG_EXEC)) { 32 | qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n", 33 | tb->tc_ptr, tb->pc, lookup_symbol(tb->pc)); 34 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/qemu_mode/patches/elfload.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/linux-user/elfload.c.orig 2014-12-09 14:45:42.000000000 +0000 2 | +++ qemu-2.3.0/linux-user/elfload.c 2015-01-28 02:51:23.719000000 +0000 3 | @@ -28,6 +28,8 @@ 4 | 5 | #define ELF_OSABI ELFOSABI_SYSV 6 | 7 | +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code; 8 | + 9 | /* from personality.h */ 10 | 11 | /* 12 | @@ -1889,6 +1891,8 @@ 13 | info->brk = 0; 14 | info->elf_flags = ehdr->e_flags; 15 | 16 | + if (!afl_entry_point) afl_entry_point = info->entry; 17 | + 18 | for (i = 0; i < ehdr->e_phnum; i++) { 19 | struct elf_phdr *eppnt = phdr + i; 20 | if (eppnt->p_type == PT_LOAD) { 21 | @@ -1922,9 +1926,11 @@ 22 | if (elf_prot & PROT_EXEC) { 23 | if (vaddr < info->start_code) { 24 | info->start_code = vaddr; 25 | + if (!afl_start_code) afl_start_code = vaddr; 26 | } 27 | if (vaddr_ef > info->end_code) { 28 | info->end_code = vaddr_ef; 29 | + if (!afl_end_code) afl_end_code = vaddr_ef; 30 | } 31 | } 32 | if (elf_prot & PROT_WRITE) { 33 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/qemu_mode/patches/syscall.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/linux-user/syscall.c.orig 2014-12-09 14:45:43.000000000 +0000 2 | +++ qemu-2.3.0/linux-user/syscall.c 2015-03-27 06:33:00.736000000 +0000 3 | 
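Review bot: In the `@@ -1922,9 +1926,11 @@` hunk of elfload.diff, `afl_start_code` and `afl_end_code` are latched from the first executable PT_LOAD segment only, while `info->start_code` and `info->end_code` on the adjacent context lines keep being widened by later segments of the same loop; a binary with more than one executable PT_LOAD would leave part of its code outside the afl range. Whether that matters depends on how the range is consumed in afl-qemu-cpu-inl.h, which this patch does not show. A bounded fix is to drop the per-segment latches and copy `info->start_code`/`info->end_code` into the afl variables once after the segment loop, guarded by a once-only flag so a later image loaded through the same function does not overwrite them; that loop ends outside the hunk. The `!afl_start_code` test also cannot distinguish "unset" from a segment genuinely mapped at address 0, though that is unlikely for an ELF text segment.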
@@ -227,7 +227,21 @@ 4 | _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo) 5 | _syscall3(int,sys_syslog,int,type,char*,bufp,int,len) 6 | #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill) 7 | -_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig) 8 | + 9 | +extern unsigned int afl_forksrv_pid; 10 | + 11 | +static int sys_tgkill(int tgid, int pid, int sig) { 12 | + 13 | + /* Workaround for -lpthread to make abort() work properly, without 14 | + killing the forkserver due to a prematurely cached PID. */ 15 | + 16 | + if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT) 17 | + pid = tgid = getpid(); 18 | + 19 | + return syscall(__NR_sys_tgkill, pid, tgid, sig); 20 | + 21 | +} 22 | + 23 | #endif 24 | #if defined(TARGET_NR_tkill) && defined(__NR_tkill) 25 | _syscall2(int,sys_tkill,int,tid,int,sig) 26 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/qemu_mode/patches/translate-all.diff: -------------------------------------------------------------------------------- 1 | --- qemu-2.3.0/translate-all.c.orig 2014-12-09 14:45:46.000000000 +0000 2 | +++ qemu-2.3.0/translate-all.c 2015-01-28 22:37:42.383000000 +0000 3 | 
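Review bot: The replacement `sys_tgkill` hands its arguments to the raw syscall as `(pid, tgid, sig)`, the reverse of the `(tgid, pid, sig)` order of the `_syscall3` declaration it removes; if `__NR_sys_tgkill` resolves to tgkill(2), whose first argument is the thread-group id, the call should read `return syscall(__NR_sys_tgkill, tgid, pid, sig);`. The swap is invisible on the SIGABRT workaround path, where both values become `getpid()`, and in single-threaded targets where tgid equals pid, but a multi-threaded target signalling a non-leader thread would get ESRCH or reach the wrong thread. `afl_forksrv_pid` is declared `unsigned int` while `pid` is `int`, so `afl_forksrv_pid == pid` is a mixed-signedness compare; `(int)afl_forksrv_pid == pid` keeps -Wsign-compare quiet without changing behaviour for positive pids.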
@@ -393,8 +393,13 @@ 4 | /* We can't use g_malloc because it may recurse into a locked mutex. */ 5 | # define ALLOC(P, SIZE) \ 6 | do { \ 7 | - P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 8 | - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 9 | + void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \ 10 | + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \ 11 | + if (_tmp == (void*)-1) { \ 12 | + qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \ 13 | + exit(1); \ 14 | + } \ 15 | + (P) = _tmp; \ 16 | } while (0) 17 | #else 18 | # define ALLOC(P, SIZE) \ 19 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/test-instr.c: -------------------------------------------------------------------------------- 1 | /* 2 | american fuzzy lop - a trivial program to test the build 3 | -------------------------------------------------------- 4 | 5 | Written and maintained by Michal Zalewski 6 | 7 | Copyright 2014 Google Inc. All rights reserved. 8 | 9 | Licensed under the Apache License, Version 2.0 (the "License"); 10 | you may not use this file except in compliance with the License. 11 | You may obtain a copy of the License at: 12 | 13 | http://www.apache.org/licenses/LICENSE-2.0 14 | 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | int main(int argc, char** argv) { 22 | 23 | char buf[8]; 24 | 25 | if (read(0, buf, 8) < 1) { 26 | printf("Hum?\n"); 27 | exit(1); 28 | } 29 | 30 | if (buf[0] == '0') 31 | printf("Looks like a zero to me!\n"); 32 | else 33 | printf("A non-zero value? How quaint!\n"); 34 | 35 | exit(0); 36 | 37 | } 38 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/README.testcases: -------------------------------------------------------------------------------- 1 | ======================= 2 | AFL starting test cases 3 | ======================= 4 | 5 | (See ../docs/README for the general instruction manual.) 
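Review bot: The failure test `if (_tmp == (void*)-1)` in the rewritten ALLOC macro spells out the sentinel by hand; use `if (_tmp == MAP_FAILED)`, the constant sys/mman.h defines for exactly this and which the file already needs for `mmap`. The diagnostic "Out of memory for stack" is printed for every caller of ALLOC, so it is worth confirming the macro is only used for that allocation, or wording it generically. The context comment says this path exists because an allocator could recurse into a locked mutex; `exit(1)` runs atexit handlers in that same state, so `_exit(1)` or `abort()` is the safer way to bail out here.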
6 | 7 | The archives/, images/, multimedia/, and others/ subdirectories contain small, 8 | standalone files that can be used to seed afl-fuzz when testing parsers for a 9 | variety of common data formats. 10 | 11 | There is probably not much to be said about these files, except that they were 12 | optimized for size and stripped of any non-essential fluff. Some directories 13 | contain several examples that exercise various features of the underlying format. 14 | For example, there is a PNG file with and without a color profile. 15 | 16 | Additional test cases are always welcome. 17 | 18 | In addition to well-chosen starting files, many fuzzing jobs benefit from a 19 | small and concise dictionary. See ../dictionaries/README.dictionaries for more. 20 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/ar/small_archive.a: -------------------------------------------------------------------------------- 1 | ! 2 | limerick/ 1415337776 500 500 100640 191 ` 3 | There was a young man from Japan 4 | Whose limericks never would scan. 5 | When asked why that was, 6 | He replied "It's because 7 | I always try to cram as many words into the last line as I possibly can." 
8 | 9 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/bzip2/small_archive.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/bzip2/small_archive.bz2 -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/cab/small_archive.cab: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/cab/small_archive.cab -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/compress/small_archive.Z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/compress/small_archive.Z -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/cpio/small_archive.cpio: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/cpio/small_archive.cpio -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/gzip/small_archive.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/gzip/small_archive.gz -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/lzo/small_archive.lzo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/lzo/small_archive.lzo -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/rar/small_archive.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/rar/small_archive.rar -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/tar/small_archive.tar: -------------------------------------------------------------------------------- 1 | limerick0000640000076400007640000000027712427053460012465 0ustar lcamtuflcamtufThere was a young man from Japan 2 | Whose limericks never would scan. 3 | When asked why that was, 4 | He replied "It's because 5 | I always try to cram as many words into the last line as I possibly can." 
6 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/xz/small_archive.xz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/xz/small_archive.xz -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/common/zip/small_archive.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/common/zip/small_archive.zip -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/arj/small_archive.arj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/arj/small_archive.arj -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/lha/small_archive.lha: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/lha/small_archive.lha -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/lrzip/small_archive.lrz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/lrzip/small_archive.lrz -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/lzip/small_archive.lz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/lzip/small_archive.lz -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/lzma/small_archive.lzma: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/lzma/small_archive.lzma -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/rzip/small_archive.rz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/rzip/small_archive.rz -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/archives/exotic/zoo/small_archive.zoo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/archives/exotic/zoo/small_archive.zoo -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/bmp/not_kitty.bmp: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/bmp/not_kitty.bmp -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/gif/not_kitty.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/gif/not_kitty.gif -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/ico/not_kitty.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/ico/not_kitty.ico -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/jp2/not_kitty.jp2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/jp2/not_kitty.jp2 -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/jpeg/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/jpeg/not_kitty.jpg -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/jxr/not_kitty.jxr: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/jxr/not_kitty.jxr -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_alpha.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_alpha.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_gamma.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_gamma.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_icc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/png/not_kitty_icc.png -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/tiff/not_kitty.tiff: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/tiff/not_kitty.tiff -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/images/webp/not_kitty.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/images/webp/not_kitty.webp -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/multimedia/h264/small_movie.mp4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/multimedia/h264/small_movie.mp4 -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/elf/small_exec.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/others/elf/small_exec.elf -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/js/small_script.js: -------------------------------------------------------------------------------- 1 | if (1==1) eval('1'); -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/pcap/small_capture.pcap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/fuzzer/afl-2.51b-normal/testcases/others/pcap/small_capture.pcap -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/pdf/small.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.0 2 | 1 0 obj<>endobj 2 0 obj<>endobj 3 0 obj<>endobj trailer<> -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/rtf/small_document.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\pard Test\par} -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/sql/simple_queries.sql: -------------------------------------------------------------------------------- 1 | create table t1(one smallint); 2 | insert into t1 values(1); 3 | select * from t1; 4 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/text/hello_world.txt: -------------------------------------------------------------------------------- 1 | hello 2 | -------------------------------------------------------------------------------- /fuzzer/afl-2.51b-normal/testcases/others/xml/small_document.xml: -------------------------------------------------------------------------------- 1 | d 2 | -------------------------------------------------------------------------------- /lib/csmith/command: -------------------------------------------------------------------------------- 1 | ./csmith --concise --max-funcs 400 --no-builtins --no-checksum --no-arrays --no-compound-assignment --no-embedded-assigns --no-const-pointers --no-global-variables --no-longlong --no-pointers --max-array-dim 1 --max-array-len-per-dim 2 --max-expr-complexity 2 --max-pointer-depth 1 
--max-struct-fields 2 --max-union-fields 2 --no-bitfields --no-comma-operators --no-compound-assignment --no-inline-function --no-structs --no-unions --probability-configuration ./probability > /tmp/out 2 | -------------------------------------------------------------------------------- /lib/csmith/csmith: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/lib/csmith/csmith -------------------------------------------------------------------------------- /lib/csmith/custom_limits.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: C -*- 2 | * 3 | * Copyright (c) 2014 The University of Utah 4 | */ 5 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 6 | This file is part of the GNU C Library. 7 | 8 | The GNU C Library is free software; you can redistribute it and/or 9 | modify it under the terms of the GNU Lesser General Public 10 | License as published by the Free Software Foundation; either 11 | version 2.1 of the License, or (at your option) any later version. 12 | 13 | The GNU C Library is distributed in the hope that it will be useful, 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 | Lesser General Public License for more details. 17 | 18 | You should have received a copy of the GNU Lesser General Public 19 | License along with the GNU C Library; if not, write to the Free 20 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 21 | 02110-1301 USA. */ 22 | 23 | /* 24 | * ISO C99: 7.18 Integer types 25 | */ 26 | 27 | /* 28 | * Our custom limits.h based on the system header file. 29 | */ 30 | 31 | #ifndef _CUSTOM_LIMITS_H 32 | #define _CUSTOM_LIMITS_H 1 33 | 34 | /* Limits of integral types. */ 35 | 36 | /* Minimum of signed integral types. 
*/ 37 | # define INT8_MIN (-128) 38 | # define INT16_MIN (-32767-1) 39 | # define INT32_MIN (-2147483647-1) 40 | #ifndef NO_LONGLONG 41 | # define INT64_MIN (-(9223372036854775807LL)-1) 42 | #endif 43 | /* Maximum of signed integral types. */ 44 | # define INT8_MAX (127) 45 | # define INT16_MAX (32767) 46 | # define INT32_MAX (2147483647) 47 | #ifndef NO_LONGLONG 48 | # define INT64_MAX (9223372036854775807LL) 49 | #endif 50 | 51 | /* Maximum of unsigned integral types. */ 52 | # define UINT8_MAX (255) 53 | # define UINT16_MAX (65535) 54 | # define UINT32_MAX (4294967295U) 55 | #ifndef NO_LONGLONG 56 | # define UINT64_MAX (18446744073709551615ULL) 57 | #endif 58 | 59 | # define CHAR_BIT 8 60 | 61 | /* Limits of FP types. */ 62 | 63 | #define FLT_MAX 3.40282347e+38F 64 | #define DBL_MAX 1.7976931348623158e+308 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /lib/csmith/custom_stdint_x86.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: C -*- 2 | * 3 | * Copyright (c) 2011, 2016 The University of Utah 4 | * All rights reserved. 5 | * 6 | * This file is part of `csmith', a random generator of C programs. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 11 | * * Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 14 | * * Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 
17 | * 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | * POSSIBILITY OF SUCH DAMAGE. 29 | */ 30 | 31 | #define int8_t signed char 32 | #define uint8_t unsigned char 33 | 34 | #define int16_t short 35 | #define uint16_t unsigned short 36 | 37 | #define int32_t int 38 | #define uint32_t unsigned 39 | 40 | #define int64_t long long 41 | #define uint64_t unsigned long long 42 | -------------------------------------------------------------------------------- /lib/csmith/libcsmith.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/lib/csmith/libcsmith.a -------------------------------------------------------------------------------- /lib/csmith/libcsmith.la: -------------------------------------------------------------------------------- 1 | # libcsmith.la - a libtool library file 2 | # Generated by libtool (GNU libtool) 2.4.6 3 | # 4 | # Please DO NOT delete this file! 5 | # It is necessary for linking the library. 6 | 7 | # The name that we can dlopen(3). 8 | dlname='libcsmith.so.0' 9 | 10 | # Names of this library. 
11 | library_names='libcsmith.so.0.0.0 libcsmith.so.0 libcsmith.so' 12 | 13 | # The name of the static archive. 14 | old_library='libcsmith.a' 15 | 16 | # Linker flags that cannot go in dependency_libs. 17 | inherited_linker_flags='' 18 | 19 | # Libraries that this one depends upon. 20 | dependency_libs='' 21 | 22 | # Names of additional weak libraries provided by this library 23 | weak_library_names='' 24 | 25 | # Version information for libcsmith. 26 | current=0 27 | age=0 28 | revision=0 29 | 30 | # Is this an already installed library? 31 | installed=no 32 | 33 | # Should we warn about portability when linking against -modules? 34 | shouldnotlink=no 35 | 36 | # Files to dlopen/dlpreopen 37 | dlopen='' 38 | dlpreopen='' 39 | 40 | # Directory that this library needs to be installed in: 41 | libdir='/usr/local/lib' 42 | -------------------------------------------------------------------------------- /lib/csmith/libcsmith_la-volatile_runtime.lo: -------------------------------------------------------------------------------- 1 | # libcsmith_la-volatile_runtime.lo - a libtool object file 2 | # Generated by libtool (GNU libtool) 2.4.6 3 | # 4 | # Please DO NOT delete this file! 5 | # It is necessary for linking the library. 6 | 7 | # Name of the PIC object. 
8 | pic_object='.libs/libcsmith_la-volatile_runtime.o' 9 | 10 | # Name of the non-PIC object 11 | non_pic_object='libcsmith_la-volatile_runtime.o' 12 | 13 | -------------------------------------------------------------------------------- /lib/csmith/platform.info: -------------------------------------------------------------------------------- 1 | integer size = 4 2 | pointer size = 8 3 | -------------------------------------------------------------------------------- /lib/csmith/probability: -------------------------------------------------------------------------------- 1 | more_struct_union_type_prob=50 2 | 3 | bitfields_creation_prob=50 4 | 5 | bitfields_signed_prob=50 6 | 7 | bitfield_in_normal_struct_prob=10 8 | 9 | scalar_field_in_full_bitfields_struct_prob=10 10 | 11 | exhaustive_bitfield_prob=10 12 | 13 | safe_ops_signed_prob=50 14 | 15 | select_deref_pointer_prob=80 16 | 17 | regular_volatile_prob=50 18 | 19 | regular_const_prob=10 20 | 21 | stricter_const_prob=50 22 | 23 | looser_const_prob=50 24 | 25 | field_volatile_prob=30 26 | 27 | field_const_prob=20 28 | 29 | std_unary_func_prob=5 30 | 31 | shift_by_non_constant_prob=50 32 | 33 | pointer_as_ltype_prob=50 34 | 35 | struct_as_ltype_prob=30 36 | 37 | union_as_ltype_prob=25 38 | 39 | float_as_ltype_prob=0 40 | 41 | new_array_var_prob=1 42 | 43 | access_once_var_prob=20 44 | 45 | inline_function_prob=50 46 | 47 | builtin_function_prob=50 48 | 49 | [statement_prob,statement_assign_prob=1,statement_block_prob=10,statement_for_prob=11,statement_ifelse_prob=100,statement_return_prob=35,statement_continue_prob=40,statement_break_prob=45,statement_goto_prob=50,statement_arrayop_prob=2] 50 | 51 | (assign_unary_ops_prob,unary_plus_prob=1,unary_minus_prob=1,unary_not_prob=1,unary_bit_not_prob=1) 52 | 53 | 
(assign_binary_ops_prob,binary_add_prob=1,binary_sub_prob=1,binary_mul_prob=1,binary_div_prob=1,binary_mod_prob=1,binary_gt_prob=1,binary_lt_prob=1,binary_ge_prob=1,binary_le_prob=1,binary_eq_prob=1,binary_ne_prob=1,binary_and_prob=1,binary_or_prob=1,binary_bit_xor_prob=1,binary_bit_and_prob=1,binary_bit_or_prob=1,binary_bit_rshift_prob=1,binary_bit_lshift_prob=1) 54 | 55 | (simple_types_prob,void_prob=0,char_prob=1,int_prob=1,short_prob=1,long_prob=1,long_long_prob=1,uchar_prob=1,uint_prob=1,ushort_prob=1,ulong_prob=1,ulong_long_prob=1,float_prob=0) 56 | 57 | (safe_ops_size_prob,safe_ops_size_int8=1,safe_ops_size_int16=1,safe_ops_size_int32=1,safe_ops_size_int64=1) 58 | 59 | -------------------------------------------------------------------------------- /lib/csmith/src/AbsProgramGenerator.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef ABS_PROGRAM_GENERATOR_H 31 | #define ABS_PROGRAM_GENERATOR_H 32 | 33 | #include 34 | 35 | class OutputMgr; 36 | 37 | class AbsProgramGenerator { 38 | public: 39 | static AbsProgramGenerator* CreateInstance(int argc, char *argv[], unsigned long seed); 40 | 41 | static AbsProgramGenerator* GetInstance(); 42 | 43 | AbsProgramGenerator(); 44 | 45 | virtual ~AbsProgramGenerator(); 46 | 47 | static OutputMgr* GetOutputMgr(); 48 | 49 | virtual void goGenerator() = 0; 50 | 51 | virtual OutputMgr* getOutputMgr() = 0; 52 | 53 | virtual std::string get_count_prefix(const std::string &name) = 0; 54 | 55 | protected: 56 | virtual void initialize() = 0; 57 | 58 | private: 59 | static AbsProgramGenerator *current_generator_; 60 | 61 | static OutputMgr *getmgr(AbsProgramGenerator *gen); 62 | }; 63 | 64 | #endif 65 | -------------------------------------------------------------------------------- /lib/csmith/src/CFGEdge.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2015 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 
7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef CFG_EDGE_H 31 | #define CFG_EDGE_H 32 | 33 | #include 34 | #include 35 | using namespace std; 36 | 37 | /////////////////////////////////////////////////////////////////////////////// 38 | class Statement; 39 | class Block; 40 | 41 | /* 42 | * 43 | */ 44 | class CFGEdge 45 | { 46 | public: 47 | CFGEdge(const Statement* src, const Statement* dest, bool post_dest, bool back_link); 48 | CFGEdge(const CFGEdge &edge); 49 | virtual ~CFGEdge(void); 50 | 51 | // void Output(std::ostream &out) const; 52 | 53 | const Statement* src; 54 | const Statement* dest; 55 | bool post_dest; 56 | bool back_link; 57 | }; 58 | 59 | /////////////////////////////////////////////////////////////////////////////// 60 | 61 | #endif // CFG_EDGE_H 62 | 63 | // Local Variables: 64 | // c-basic-offset: 4 65 | // tab-width: 4 66 | // End: 67 | 68 | // End of file. 69 | -------------------------------------------------------------------------------- /lib/csmith/src/CommonMacros.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef COMMON_MACROS_H 31 | #define COMMON_MACROS_H 32 | 33 | // Macro for disallowing copy and assign constructors 34 | #define DISALLOW_COPY_AND_ASSIGN(ClassName) \ 35 | ClassName(const ClassName&); \ 36 | void operator=(const ClassName&) 37 | 38 | #endif // COMMON_MACROS_H 39 | -------------------------------------------------------------------------------- /lib/csmith/src/CompatibleChecker.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 
13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef COMPATIBLE_CHECKER_H 31 | #define COMPATIBLE_CHECKER_H 32 | 33 | class Variable; 34 | class Expression; 35 | 36 | class CompatibleChecker { 37 | public: 38 | // return true if two args are identical 39 | static bool compatible_check(const Variable *v, const Expression *exp); 40 | 41 | static bool compatible_check(const Expression *exp1, const Expression *exp2); 42 | 43 | static void enable_compatible_check(); 44 | 45 | private: 46 | static bool compatible_check_; 47 | }; 48 | 49 | #endif // COMPATIBLE_CHECKER_H 50 | -------------------------------------------------------------------------------- /lib/csmith/src/DFSOutputMgr.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2015 The University of Utah 4 | // All rights reserved. 
5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef DFS_OUTPUT_MGR_H 31 | #define DFS_OUTPUT_MGR_H 32 | 33 | #include "OutputMgr.h" 34 | 35 | #define DEFAULT_STRUCT_OUTPUT "csmith_structs.h" 36 | 37 | class DFSOutputMgr : public OutputMgr { 38 | public: 39 | static DFSOutputMgr *CreateInstance(); 40 | 41 | virtual ~DFSOutputMgr(); 42 | 43 | virtual void OutputHeader(int argc, char *argv[], unsigned long seed); 44 | 45 | virtual void OutputStructUnions(ostream& /*out*/); 46 | 47 | virtual void Output(); 48 | 49 | virtual void outputln(ostream &out); 50 | 51 | virtual void output_comment_line(ostream &out, const std::string &comment); 52 | 53 | virtual void output_tab(ostream &out, int indent); 54 | 55 | private: 56 | DFSOutputMgr(); 57 | 58 | virtual std::ostream &get_main_out(); 59 | 60 | static DFSOutputMgr *instance_; 61 | 62 | std::string struct_output_; 63 | }; 64 | 65 | #endif // DFS_OUTPUT_MGR_H 66 | -------------------------------------------------------------------------------- /lib/csmith/src/DFSProgramGenerator.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef DFS_PROGRAM_GENERATOR_H 31 | #define DFS_PROGRAM_GENERATOR_H 32 | 33 | #include "AbsProgramGenerator.h" 34 | #include "Common.h" 35 | 36 | class OutputMgr; 37 | 38 | class DFSProgramGenerator : public AbsProgramGenerator { 39 | public: 40 | DFSProgramGenerator(int argc, char *argv[], unsigned long seed); 41 | 42 | virtual ~DFSProgramGenerator(); 43 | 44 | virtual OutputMgr* getOutputMgr() { return output_mgr_; } 45 | 46 | virtual void goGenerator(); 47 | 48 | virtual void initialize(); 49 | 50 | virtual std::string get_count_prefix(const std::string &name); 51 | 52 | private: 53 | int argc_; 54 | 55 | char **argv_; 56 | 57 | unsigned long seed_; 58 | 59 | INT64 good_count_; 60 | 61 | OutputMgr *output_mgr_; 62 | }; 63 | 64 | #endif 65 | -------------------------------------------------------------------------------- /lib/csmith/src/DefaultProgramGenerator.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 
5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef DEFAULT_PROGRAM_GENERATOR_H 31 | #define DEFAULT_PROGRAM_GENERATOR_H 32 | 33 | #include "AbsProgramGenerator.h" 34 | 35 | class OutputMgr; 36 | 37 | class DefaultProgramGenerator : public AbsProgramGenerator { 38 | public: 39 | DefaultProgramGenerator(int argc, char *argv[], unsigned long seed); 40 | 41 | virtual ~DefaultProgramGenerator(); 42 | 43 | virtual OutputMgr* getOutputMgr() { return output_mgr_; } 44 | 45 | virtual void goGenerator(); 46 | 47 | virtual void initialize(); 48 | 49 | virtual std::string get_count_prefix(const std::string &name); 50 | 51 | private: 52 | int argc_; 53 | 54 | char **argv_; 55 | 56 | unsigned long seed_; 57 | 58 | OutputMgr *output_mgr_; 59 | }; 60 | 61 | #endif 62 | -------------------------------------------------------------------------------- /lib/csmith/src/Error.cpp: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #if HAVE_CONFIG_H 31 | # include 32 | #endif 33 | 34 | #include "Error.h" 35 | 36 | int Error::r_error_ = SUCCESS; 37 | 38 | Error::Error() 39 | { 40 | 41 | } 42 | 43 | Error::~Error() 44 | { 45 | 46 | } 47 | -------------------------------------------------------------------------------- /lib/csmith/src/ExtensionValue.cpp: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2008, 2009, 2010, 2011, 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #if HAVE_CONFIG_H 31 | # include 32 | #endif 33 | 34 | #include "ExtensionValue.h" 35 | #include 36 | #include "Type.h" 37 | #include "Constant.h" 38 | 39 | ExtensionValue::ExtensionValue(const Type *type, string name) 40 | : type_(type), 41 | value_(NULL), 42 | name_(name) 43 | { 44 | vector isConsts; 45 | vector isVolatiles; 46 | isConsts.push_back(false); 47 | isVolatiles.push_back(false); 48 | qfer_ = CVQualifiers(isConsts, isVolatiles); 49 | } 50 | 51 | ExtensionValue::~ExtensionValue() 52 | { 53 | delete value_; 54 | } 55 | 56 | -------------------------------------------------------------------------------- /lib/csmith/src/ExtensionValue.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 
7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef EXTENSION_VALUE_H 31 | #define EXTENSION_VALUE_H 32 | 33 | #include 34 | #include "CVQualifiers.h" 35 | 36 | class Type; 37 | class Constant; 38 | 39 | class ExtensionValue { 40 | public: 41 | ExtensionValue(const Type *type, std::string name); 42 | 43 | ~ExtensionValue(); 44 | 45 | const Type *get_type(void) { return type_; } 46 | 47 | Constant *get_value(void) { return value_; } 48 | 49 | const std::string &get_name(void) { return name_; } 50 | 51 | CVQualifiers get_qfer() { return qfer_; } 52 | 53 | void set_value(Constant *value) { value_ = value; } 54 | 55 | private: 56 | const Type *type_; 57 | 58 | Constant *value_; 59 | 60 | const std::string name_; 61 | 62 | CVQualifiers qfer_; 63 | }; 64 | 65 | #endif // EXTENSION_VALUE_H 66 | -------------------------------------------------------------------------------- /lib/csmith/src/Filter.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2015 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef FILTER_H 31 | #define FILTER_H 32 | 33 | #include 34 | 35 | enum FilterKind { 36 | fDefault, 37 | fDFS, 38 | }; 39 | 40 | #define MAX_FILTER_KIND_SIZE ((FilterKind) (fDFS + 1)) 41 | 42 | // Filter base class 43 | class Filter 44 | { 45 | public: 46 | Filter(); 47 | virtual ~Filter(void); 48 | 49 | virtual bool filter(int v) const = 0; 50 | 51 | void enable(FilterKind kind); 52 | 53 | void disable(FilterKind kind); 54 | 55 | protected: 56 | bool valid_filter() const; 57 | 58 | // What kind of mode this filter can apply to 59 | // By default, it can work for all modes. 60 | std::bitset kinds_; 61 | 62 | private: 63 | FilterKind current_kind() const; 64 | }; 65 | 66 | #endif // FILTER_H 67 | -------------------------------------------------------------------------------- /lib/csmith/src/Finalization.cpp: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 
7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #if HAVE_CONFIG_H 31 | # include 32 | #endif 33 | 34 | #include "Finalization.h" 35 | 36 | #include "Function.h" 37 | #include "RandomNumber.h" 38 | #include "VariableSelector.h" 39 | #include "Type.h" 40 | #include "FunctionInvocationUser.h" 41 | #include "Bookkeeper.h" 42 | #include "Probabilities.h" 43 | #include "StatementGoto.h" 44 | #include "ExtensionMgr.h" 45 | 46 | void 47 | Finalization::doFinalization() 48 | { 49 | Function::doFinalization(); 50 | VariableSelector::doFinalization(); 51 | Variable::doFinalization(); 52 | Type::doFinalization(); 53 | RandomNumber::doFinalization(); 54 | FunctionInvocationUser::doFinalization(); 55 | Probabilities::DestroyInstance(); 56 | StatementGoto::doFinalization(); 57 | ExtensionMgr::DestroyExtension(); 58 | } 59 | 60 | -------------------------------------------------------------------------------- /lib/csmith/src/Finalization.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef FINALIZATION_H 31 | #define FINALIZATION_H 32 | 33 | class Finalization { 34 | public: 35 | static void doFinalization(); 36 | private: 37 | Finalization(); 38 | ~Finalization(); 39 | }; 40 | 41 | #endif // FINALIZATION_H 42 | -------------------------------------------------------------------------------- /lib/csmith/src/LinearSequence.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 
13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef LINEAR_SEQUENCE_H 31 | #define LINEAR_SEQUENCE_H 32 | 33 | #include 34 | #include 35 | 36 | #include "Sequence.h" 37 | 38 | class LinearSequence : public Sequence { 39 | public: 40 | explicit LinearSequence(const char sep_char); 41 | 42 | virtual ~LinearSequence(); 43 | 44 | virtual void init_sequence(); 45 | 46 | virtual unsigned INT64 sequence_length(); 47 | 48 | virtual void add_number(int v, int bound, int k); 49 | 50 | virtual int get_number(int bound); 51 | 52 | virtual int get_number_by_pos(int pos); 53 | 54 | virtual void clear(); 55 | 56 | virtual void get_sequence(std::ostream &); 57 | 58 | virtual char get_sep_char() const { return sep_char_; } 59 | 60 | static const char default_sep_char; 61 | 62 | private: 63 | std::map seq_map_; 64 | 65 | const char sep_char_; 66 | }; 67 | 68 | #endif // LINEAR_SEQUENCE_H 69 | -------------------------------------------------------------------------------- /lib/csmith/src/MspFilters.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2015 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef MSP_FILTERS_H 31 | #define MSP_FILTERS_H 32 | 33 | #include "Filter.h" 34 | #include "FunctionInvocation.h" 35 | 36 | class MspBinaryFilter : public Filter 37 | { 38 | public: 39 | MspBinaryFilter(); 40 | 41 | virtual ~MspBinaryFilter(); 42 | 43 | virtual bool filter(int v) const; 44 | }; 45 | 46 | class MspSafeOpSizeFilter : public Filter 47 | { 48 | public: 49 | MspSafeOpSizeFilter(eBinaryOps op); 50 | 51 | virtual ~MspSafeOpSizeFilter(); 52 | 53 | virtual bool filter(int v) const; 54 | private: 55 | eBinaryOps bin_op_; 56 | }; 57 | 58 | #endif //MSP_FILTERS_H 59 | -------------------------------------------------------------------------------- /lib/csmith/src/Sequence.cpp: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 
7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #if HAVE_CONFIG_H 31 | # include 32 | #endif 33 | 34 | #include "Sequence.h" 35 | // Out-of-line constructor and destructor of the abstract Sequence base declared in Sequence.h. 36 | Sequence::Sequence() 37 | { 38 | // Intentionally empty: Sequence.h declares no data members, so there is nothing to initialise; all behaviour lives in the pure-virtual interface that subclasses implement. 39 | } 40 | 41 | Sequence::~Sequence() 42 | { 43 | // Declared virtual in Sequence.h so that deleting a subclass object through a Sequence* runs the subclass destructor; the base itself owns nothing to release. 44 | } 45 | 46 | -------------------------------------------------------------------------------- /lib/csmith/src/Sequence.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 
5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 
29 | 30 | #ifndef SEQUENCE_H 31 | #define SEQUENCE_H 32 | 33 | #include 34 | #include 35 | #include 36 | #include "Common.h" 37 | // Abstract interface over a sequence of numbers. Every operation is pure virtual, so only a subclass (LinearSequence in this tree) can be instantiated; instances travel by Sequence* (see make_sequence), which is why the destructor is virtual. INT64 is presumably supplied by Common.h -- TODO confirm. 38 | class Sequence { 39 | public: 40 | Sequence(); 41 | 42 | virtual ~Sequence(); 43 | // Factory entry point. SequenceFactory.h declares a make_sequence() of its own, so this one is presumably a forwarder to it -- verify against the implementation. 44 | static Sequence *make_sequence(); 45 | 46 | virtual void init_sequence() = 0; 47 | 48 | virtual unsigned INT64 sequence_length() = 0; 49 | 50 | virtual void add_number(int v, int bound, int k) = 0; 51 | 52 | virtual int get_number(int bound) = 0; 53 | 54 | virtual int get_number_by_pos(int pos) = 0; 55 | 56 | virtual void clear() = 0; 57 | // Writes the sequence to `out`; presumably separated by get_sep_char() -- confirm against the concrete implementation. 58 | virtual void get_sequence(std::ostream &out) = 0; 59 | 60 | virtual char get_sep_char() const = 0; 61 | }; 62 | 63 | #endif // SEQUENCE_H 64 | -------------------------------------------------------------------------------- /lib/csmith/src/SequenceFactory.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef SEQUENCE_FACTORY_H 31 | #define SEQUENCE_FACTORY_H 32 | 33 | #include 34 | 35 | class Sequence; 36 | 37 | class SequenceFactory { 38 | public: 39 | static Sequence *make_sequence(); 40 | 41 | static void destroy_sequences(); 42 | 43 | static char current_sep_char() { return current_sep_char_; } 44 | 45 | private: 46 | static std::set seqs_; 47 | 48 | static char current_sep_char_; 49 | }; 50 | 51 | #endif // SEQUENCE_FACTORY_H 52 | -------------------------------------------------------------------------------- /lib/csmith/src/VectorFilter.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2009, 2010, 2011, 2015 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef VECTOR_FILTER_H 31 | #define VECTOR_FILTER_H 32 | 33 | #include 34 | #include "Filter.h" 35 | 36 | class DistributionTable; 37 | 38 | // Filter out the elements held in the vector, i.e., the elements in the vector 39 | // are the invalid values. 
40 | #define FILTER_OUT 0 41 | // Elements in the vector are valid 42 | #define NOT_FILTER_OUT 1 43 | 44 | class VectorFilter : public Filter 45 | { 46 | public: 47 | VectorFilter(void); 48 | VectorFilter(DistributionTable *table); 49 | explicit VectorFilter(std::vector &vs, int flag = FILTER_OUT); 50 | 51 | VectorFilter& add(unsigned int item); 52 | 53 | int get_max_prob(void) const; 54 | 55 | int lookup(int v) const; 56 | 57 | virtual ~VectorFilter(void); 58 | 59 | virtual bool filter(int v) const; 60 | private: 61 | std::vector vs_; 62 | 63 | DistributionTable *ptable; 64 | 65 | int flag_; 66 | }; 67 | 68 | #endif // VECTOR_FILTER_H 69 | -------------------------------------------------------------------------------- /lib/csmith/src/git_version.cpp: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #if HAVE_CONFIG_H 31 | # include 32 | #endif 33 | 34 | #include "git_version.h" 35 | 36 | /////////////////////////////////////////////////////////////////////////////// 37 | 38 | const char git_version[] = "30dccd7"; 39 | 40 | /////////////////////////////////////////////////////////////////////////////// 41 | 42 | // Local Variables: 43 | // c-basic-offset: 4 44 | // tab-width: 4 45 | // End: 46 | 47 | // End of file. 48 | -------------------------------------------------------------------------------- /lib/csmith/src/git_version.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2017 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef GIT_VERSION_H 31 | #define GIT_VERSION_H 32 | 33 | /////////////////////////////////////////////////////////////////////////////// 34 | 35 | extern const char git_version[]; 36 | 37 | /////////////////////////////////////////////////////////////////////////////// 38 | 39 | #endif // GIT_VERSION_H 40 | 41 | // Local Variables: 42 | // c-basic-offset: 4 43 | // tab-width: 4 44 | // End: 45 | 46 | // End of file. 47 | -------------------------------------------------------------------------------- /lib/csmith/src/platform.h: -------------------------------------------------------------------------------- 1 | // -*- mode: C++ -*- 2 | // 3 | // Copyright (c) 2007, 2008, 2010, 2011 The University of Utah 4 | // All rights reserved. 5 | // 6 | // This file is part of `csmith', a random generator of C programs. 7 | // 8 | // Redistribution and use in source and binary forms, with or without 9 | // modification, are permitted provided that the following conditions are met: 10 | // 11 | // * Redistributions of source code must retain the above copyright notice, 12 | // this list of conditions and the following disclaimer. 
13 | // 14 | // * Redistributions in binary form must reproduce the above copyright 15 | // notice, this list of conditions and the following disclaimer in the 16 | // documentation and/or other materials provided with the distribution. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28 | // POSSIBILITY OF SUCH DAMAGE. 29 | 30 | #ifndef PLATFORM_H 31 | #define PLATFORM_H 32 | 33 | /////////////////////////////////////////////////////////////////////////////// 34 | 35 | unsigned long platform_gen_seed(); 36 | 37 | bool create_dir(const char* dir); 38 | 39 | /////////////////////////////////////////////////////////////////////////////// 40 | 41 | #endif // PLATFORM_H 42 | 43 | // Local Variables: 44 | // c-basic-offset: 4 45 | // tab-width: 4 46 | // End: 47 | 48 | // End of file. 49 | -------------------------------------------------------------------------------- /lib/csmith/stdint_avr.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 
3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for avr 26 | */ 27 | #ifndef _STDINT_AVR_H 28 | #define _STDINT_AVR_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | typedef signed char int8_t; 37 | typedef int int16_t; 38 | typedef long int int32_t; 39 | typedef long long int int64_t; 40 | 41 | /* Unsigned. */ 42 | typedef unsigned char uint8_t; 43 | typedef unsigned int uint16_t; 44 | typedef unsigned long int uint32_t; 45 | typedef unsigned long long int uint64_t; 46 | 47 | #endif /* stdint_avr.h */ 48 | -------------------------------------------------------------------------------- /lib/csmith/stdint_ia32.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 
3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for ia32 26 | */ 27 | #ifndef _STDINT_IA32_H 28 | #define _STDINT_IA32_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef short int int16_t; 39 | typedef int int32_t; 40 | #ifndef NO_LONGLONG 41 | typedef long long int int64_t; 42 | #endif 43 | 44 | /* Unsigned. */ 45 | typedef unsigned char uint8_t; 46 | typedef unsigned short int uint16_t; 47 | typedef unsigned int uint32_t; 48 | #ifndef NO_LONGLONG 49 | typedef unsigned long long int uint64_t; 50 | #endif 51 | 52 | #endif /* stdint_ia32.h */ 53 | -------------------------------------------------------------------------------- /lib/csmith/stdint_ia64.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 
3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for ia64 26 | */ 27 | #ifndef _STDINT_IA64_H 28 | #define _STDINT_IA64_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef short int int16_t; 39 | typedef int int32_t; 40 | typedef long int int64_t; 41 | 42 | /* Unsigned. */ 43 | typedef unsigned char uint8_t; 44 | typedef unsigned short int uint16_t; 45 | typedef unsigned int uint32_t; 46 | typedef unsigned long int uint64_t; 47 | 48 | #endif /* stdint_ia64.h */ 49 | -------------------------------------------------------------------------------- /lib/csmith/stdint_msp430.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 
3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for msp430 26 | */ 27 | #ifndef _STDINT_MSP430_H 28 | #define _STDINT_MSP430_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef int int16_t; 39 | typedef long int int32_t; 40 | __extension__ typedef long long int int64_t; 41 | 42 | /* Unsigned. 
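*/
typedef unsigned char uint8_t;
typedef unsigned int uint16_t;
typedef unsigned long int uint32_t;
__extension__ typedef unsigned long long int uint64_t;

#endif /* stdint_msp430.h */
--------------------------------------------------------------------------------
/lib/csmith/test.c:
--------------------------------------------------------------------------------
/*
 * Timing harness for one delay primitive:
 *   gcc -c test.c
 *   gcc -o out test.o delay_1.o
 * Prints the process CPU time consumed by a single slp(0) call, in microseconds.
 */
#include <stdio.h>   /* printf */
#include <time.h>    /* clock_gettime, struct timespec, CLOCK_PROCESS_CPUTIME_ID */
/* NOTE(review): a third #include was lost in extraction; the commented-out
 * usleep() below would need <unistd.h> if it is ever revived. */
#include "csmith.h"

int global1;
int global2;

/* slp() is linked in from delay_1.o (see the build line above); its prototype
 * is assumed to come from csmith.h -- TODO confirm. */

int main(void)
{
    struct timespec start, stop;

    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &start);
    slp(0);
    //usleep(1000);
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &stop);

    /* Elapsed CPU time in microseconds.  The seconds term is scaled by 1e6
     * (the previous version divided it by 1000 in integer arithmetic, which is
     * 0 for any interval shorter than 1000 s) and the nanoseconds term by 1e3,
     * so both terms are now in the unit the comment promised. */
    double result = (double)(stop.tv_sec - start.tv_sec) * 1e6
                  + (double)(stop.tv_nsec - start.tv_nsec) / 1e3; /* in microseconds */

    printf("%f\n", result);
    return 0;
}
--------------------------------------------------------------------------------
/lib/csmith/test.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sslab-gatech/fuzzification/085c23b6c02d59cf33195955320ca8ce5705957b/lib/csmith/test.o
--------------------------------------------------------------------------------
/src/.gitignore:
--------------------------------------------------------------------------------
.work3
*.o
*.so
platform.info
.csmith
*.pyc
--------------------------------------------------------------------------------
/src/code_injector/jtable_inject.py:
--------------------------------------------------------------------------------
"""Prepend a jump-table stub to a C source file and hook it from a chosen line.

Usage: jtable_inject.py <file.c> <line-index>

INJECT1 (the table and a dummy target function) is inserted at the top of the
file; INJECT2 (the statement that fills the table) is inserted at list index
<line-index>, counted on the file's original line numbering.  The injection is
skipped when the first line already mentions "addr", so re-running the script
does not duplicate the stub.
"""
import os, sys

INJECT1 = """struct addrarry{
 void *jt[1000];
} jtable = {0xeeeeeeeeeeeeeeee, 0xdddddddddddddddd};

void func1(void){
 int a=0;
}
"""

INJECT2 = """ jtable.jt[0] = &func1;
"""

if len(sys.argv) != 3:
    sys.exit("usage: %s <file.c> <line-index>" % sys.argv[0])

filename = sys.argv[1]
inject2 = int(sys.argv[2])

with open(filename, "r") as f:
    contents = f.readlines()

# Guard: an empty file has no contents[0]; treat it as "not yet injected"
# instead of raising IndexError.
already_injected = bool(contents) and "addr" in contents[0]
if not already_injected:
    # Order matters: INJECT2's index refers to the original numbering, so it
    # goes in before INJECT1 shifts every line down by one.
    contents.insert(inject2, INJECT2)
    contents.insert(0, INJECT1)

with open(filename, "w") as f:
    f.write("".join(contents))
--------------------------------------------------------------------------------
/src/code_injector/simple_injector.py:
--------------------------------------------------------------------------------
"""Insert a call to huge_raw_input() into a C source file at a chosen line.

Usage: simple_injector.py <file.c> <line-index> <argv-index>

The inserted statement reads program argument number <argv-index>.  The {0}
placeholder in HUGE2 is replaced textually, so whatever is passed as
<argv-index> is spliced into the C source as-is.
"""
import os, sys

HUGE2 = """

huge_raw_input(argv[{0}]);
"""

if len(sys.argv) != 4:
    sys.exit("usage: %s <file.c> <line-index> <argv-index>" % sys.argv[0])

filename = sys.argv[1]
huge2 = int(sys.argv[2])
argv_num = sys.argv[3]

HUGE2 = HUGE2.replace("{0}", argv_num)

with open(filename, "r") as f:
    contents = f.readlines()

contents.insert(huge2, HUGE2)

with open(filename, "w") as f:
    f.write("".join(contents))
--------------------------------------------------------------------------------
/src/compile_pass.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Build every LLVM pass plugin and helper object used by the pipeline.
# Run from src/: plugins are collected in ./factory, objects stay next to
# their sources.
set -u

ROOT="$(pwd)"
FACTORY="$ROOT/factory"
mkdir -p "$FACTORY"

# build_pass <pass-dir> <plugin-name>
# Configure and build one pass in a fresh build/ directory under <pass-dir>
# and copy the resulting plugin into factory/ as <plugin-name>.
# Runs in a subshell with every cd guarded, so a missing directory can no
# longer leave the script running "rm -rf build" in whatever directory it
# happened to be in, and a failed cmake/make no longer copies a stale .so.
build_pass() {
    local dir="$1" name="$2"
    (
        cd "$ROOT/$dir" || exit 1
        rm -rf build
        mkdir build && cd build || exit 1
        cmake .. && make || exit 1
        cp skeleton/libSkeletonPass.so "$FACTORY/$name"
    ) || { echo "compile_pass.sh: building $dir failed" >&2; exit 1; }
}

echo "Compile SpeedBump"
build_pass llvm_pass/bump libSkeletonPass_bump.so

echo "Compile Anti-symbolic execution"
build_pass llvm_pass/anti libSkeletonPass_antisym.so

echo "Compile delay-primitives"
(
    cd "$ROOT/llvm_pass/bump/delaysrc" || exit 1
    cp "$ROOT/../lib/csmith/"*.h .
    clang -c *.c
    rm -f *.h    # the copied csmith headers are needed only for this build step
) || exit 1

echo "Compile ROP-based trap's dummy file"
(
    cd "$ROOT/llvm_pass/trap" || exit 1
    clang -c rop_dummy.c
) || exit 1
build_pass llvm_pass/trap libSkeletonPass_rop.so

echo "Compile pandora-pass file"
build_pass llvm_pass/pandora libSkeletonPass_coverage.so

echo "compile huge.o"
(
    cd "$ROOT/llvm_pass/trap" || exit 1
    clang -c huge.c
    clang -c huge_dummy.c
    # Output deliberately silenced, as before; a failure here is not fatal.
    clang -c delay_slp* > /dev/null 2> /dev/null
) || exit 1

echo "compile anti-analysis library - anti-symbolic execution"
(
    cd "$ROOT/llvm_pass/anti" || exit 1
    clang -c antilib.c
    clang -c antilib_dummy.c
) || exit 1

echo "Done"
--------------------------------------------------------------------------------
/src/conf.py:
--------------------------------------------------------------------------------
"""Pipeline configuration: target program, fuzzer build and working paths.

Relative paths are resolved from src/, the directory the pipeline is run
from.  Edit the "customize target" section to switch the program under test.
"""
import os
import sys

# working directory
COMPILE_ROOT = "../antifuzz-tutorial/temp"
#COMP_DIR = os.path.join(COMPILE_ROOT, "binutils")

# sample directory
# NOTE(review): fixed names under /tmp are shared with every local user of the
# machine; a per-user or per-run directory would avoid clashes between runs.
TMP_DIR = "/tmp"
EVAL_REPO = "../antifuzz-tutorial"
EVAL_REPO_TEST = "samples"
EVAL_REPO_SAMPLE = "binaries"
EVAL_REPO_PATCH = "patches"
INFO_DIR = os.path.join(TMP_DIR, "antifuzz")


##### customize target
# Exactly one SAMPLE / ARGS / COMP_DIR triple is active; the commented ones
# are ready-made alternatives.
SAMPLE = "readelf"
ARGS = " -a "
COMP_DIR = os.path.join(COMPILE_ROOT, "binutils")

#SAMPLE = "objdump"
#ARGS = " -d "
#COMP_DIR = os.path.join(COMPILE_ROOT, "binutils")

#SAMPLE = "nm-new"
#ARGS = " "
#COMP_DIR = os.path.join(COMPILE_ROOT, "binutils")

#SAMPLE = "objcopy"
#ARGS = " -S "
#COMP_DIR = os.path.join(COMPILE_ROOT, "binutils")

MID_ARGS = False
DEFAULT_ARG = " test"
if MID_ARGS:
    ARGS = " "

##### customize fuzzer
MOD_AFL = "../fuzzer/afl-2.51b-bbcheck"
SHOWMAP = os.path.join(MOD_AFL, "afl-showmap")
AFL_FUZ = os.path.join(MOD_AFL, "afl-fuzz")

##### setup working directory
CSMITH_DIR = "../lib/csmith"
CORRECT_FUZ_INPUT = "cor_fuzz"

SAMPLE_DIR = os.path.join(EVAL_REPO, "test", EVAL_REPO_SAMPLE)
PATCH_DIR = os.path.join(EVAL_REPO, "test", EVAL_REPO_PATCH)
CORRECT_INPUT = os.path.join(EVAL_REPO, "test", EVAL_REPO_TEST, SAMPLE, "cor")
INCORRECT_INPUT = os.path.join(EVAL_REPO, "test", EVAL_REPO_TEST, SAMPLE, "incor")
OUTPUT_DIR = os.path.join(EVAL_REPO, "test", "output")
CORRECT_BB_DIR = os.path.join(INFO_DIR, "corbb")
INCORRECT_BB_DIR = os.path.join(INFO_DIR, "incorbb")

BB_NAME = "BB_count"
BB_EXTENTION = ".bb"
INST_TARGET = "INST_BB"
TOTAL_BB = "/tmp/makeout"
TOTAL_BB_DIR = TOTAL_BB

DELAYPASS = "bump"
DELAY_COLLISION = os.path.join(".", "llvm_pass", "trap")
DELAY_USLP = os.path.join(".", "llvm_pass", "bump", "delaysrc")
DEFENSE = os.path.join(".", "llvm_pass", "trap")
SCRIPTPASS = "factory"
WORKING_DIR = "./.work3"
TARGET_FILES = "/tmp/target_files"

FUZZ_INPUT_DIR = "/tmp/fuzzinput"
FUZZ_OUTPUT_DIR = "/tmp/fuzzoutput"
TOTAL_FUZZ_TIMEOUT = 120 # seconds
FUZZ_TIMEOUT = "2000" #ms

# relative reference
COMPILER = " ../fuzzer/afl-2.51b-bbcheck/afl-clang-fast"
# COMPILE_ROOT is defined once, at the top of this file (a duplicate
# assignment with the same value used to sit here).
DELAYOBJ = "huge.o" # default name
--------------------------------------------------------------------------------
/src/csmith:
--------------------------------------------------------------------------------
../lib/csmith/csmith
--------------------------------------------------------------------------------
/src/factory/make_all.sh:
--------------------------------------------------------------------------------
#!/bin/bash
opt -load ./libSkeletonPass_coverage.so -SkeletonPass <$1_bump.o> $1.o2
cp bb_cov INST_BB
opt -always-inline -load ./libSkeletonPass_rop.so -SkeletonPass <$1.o2> $1.o3
cp bb_anti INST_BB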
6 | opt -load ./libSkeletonPass_antisym.so -symb <$1.o3> $1_all.o 7 | 8 | 9 | -------------------------------------------------------------------------------- /src/factory/make_anti.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | opt -load ./libSkeletonPass_antisym.so -symb <$1.o> $1_anti.o 3 | 4 | -------------------------------------------------------------------------------- /src/factory/make_bump.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | opt -load ./libSkeletonPass_bump.so -SkeletonPass <$1.o> $1_bump.o 3 | 4 | -------------------------------------------------------------------------------- /src/factory/make_coverage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | opt -load ./libSkeletonPass_coverage.so -SkeletonPass <$1.o> $1.o2 3 | 4 | -------------------------------------------------------------------------------- /src/factory/make_rop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | opt -always-inline -load ./libSkeletonPass_rop.so -SkeletonPass <$1.o2> $1_coverage.o 3 | -------------------------------------------------------------------------------- /src/llvm_pass/.gitignore: -------------------------------------------------------------------------------- 1 | Makefile 2 | CMakeLists.txt.user 3 | CMakeCache.txt 4 | CMakeFiles 5 | CMakeScripts 6 | Testing 7 | cmake_install.cmake 8 | install_manifest.txt 9 | compile_commands.json 10 | CTestTestfile.cmake 11 | _deps 12 | -------------------------------------------------------------------------------- /src/llvm_pass/anti/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.1) 2 | 3 | find_package(LLVM REQUIRED CONFIG) 4 | add_definitions(${LLVM_DEFINITIONS}) 5 | include_directories(${LLVM_INCLUDE_DIRS}) 
6 | link_directories(${LLVM_LIBRARY_DIRS}) 7 | 8 | add_subdirectory(skeleton) # Use your pass name here. 9 | -------------------------------------------------------------------------------- /src/llvm_pass/anti/antilib.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | unsigned reverse(unsigned x) { 5 | x = ((x & 0x55555555) << 1) | ((x >> 1) & 0x55555555); 6 | x = ((x & 0x33333333) << 2) | ((x >> 2) & 0x33333333); 7 | x = ((x & 0x0F0F0F0F) << 4) | ((x >> 4) & 0x0F0F0F0F); 8 | x = (x << 24) | ((x & 0xFF00) << 8) | 9 | ((x >> 8) & 0xFF00) | (x >> 24); 10 | return x; 11 | } 12 | 13 | unsigned int crc32(unsigned char *message) { 14 | int i, j; 15 | unsigned int byte, crc; 16 | 17 | i = 0; 18 | crc = 0xFFFFFFFF; 19 | while (message[i] != 0) { 20 | byte = message[i]; // Get next byte. 21 | byte = reverse(byte); // 32-bit reversal. 22 | for (j = 0; j <= 7; j++) { // Do eight times. 23 | if ((int)(crc ^ byte) < 0) 24 | crc = (crc << 1) ^ 0x04C11DB7; 25 | else crc = crc << 1; 26 | byte = byte << 1; // Ready next msg bit. 
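    }                       /* end of the eight-bit loop; crc32() continues from the previous line */
    i = i + 1;
  }
  return reverse(~crc);
}

/*
 * Identity wrappers used by the anti-symbolic-execution pass.
 *
 * Each wrapper prints its argument into a text buffer, runs the bit-serial
 * crc32() above over that text and then cancels the CRC out again
 * (crc - (crc - in) == in).  The value that comes back is the one that went
 * in, but the data flow now passes through a CRC that a symbolic executor
 * has to model bit by bit.
 *
 * Integer versions: the cancellation is done in unsigned arithmetic so the
 * intermediate (crc - in) cannot overflow a signed int (undefined
 * behaviour in C); the unsigned wrap-around makes the result exactly `in`.
 * The "+ 100000" is also done in long long so it cannot overflow for
 * values near INT_MAX -- the text only feeds the CRC, which cancels out.
 *
 * Floating-point versions are NOT exact and never were: crc is up to 2^32,
 * so `crc - in` loses the low-order bits of a small or fractional `in`
 * (for float the (float) cast of crc already rounds to 24 bits, and an `in`
 * below half an ulp of crc vanishes completely).  modifyDouble/modifyFloat
 * therefore return a value close to, not bit-identical to, `in`; callers
 * must not rely on exact floating-point round-trips.  Left unchanged here
 * because the pass that inserts these calls is not in this file.
 *
 * sprintf() -> snprintf(): "%lf" of a large double (e.g. near DBL_MAX)
 * prints more than 300 characters, which overflowed the 200-byte stack
 * buffer.  Truncation only changes which bytes feed the CRC.
 */
int modifyInt(int in) { //no overloading in C
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%lld", (long long)in + 100000LL);
  unsigned int crc = crc32((unsigned char *)buffer);
  unsigned int diff = crc - (unsigned int)in;   /* wraps, never UB */
  return (int)(crc - diff);                     /* == in (mod 2^32) */
}
double modifyDouble(double in) {
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%lf", in + 100000.0);
  double crc = (double)crc32((unsigned char *)buffer);
  double diff = crc - in;
  return crc - diff;                            /* ~= in, see precision note */
}

float modifyFloat(float in) {
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%f", in + 100000.0);
  float crc = (float)crc32((unsigned char *)buffer);
  float diff = crc - in;
  return crc - diff;                            /* ~= in, see precision note */
}

/*
char modifyBool(char a) { //for c++ bools since they are represented as i8 ints in IR
printf("anti-symb bool function here - operand: %d \n",a);
return a | 0;
}
*/

// for now, we are just using the same wrapper function above
/* retWrap* duplicate the modify* bodies under separate symbols; presumably
 * the pass instruments operands and return values through different
 * names -- the pass source is not in this file, so they are kept separate
 * rather than delegating to modify*. */
int retWrapInt(int in){
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%lld", (long long)in + 100000LL);
  unsigned int crc = crc32((unsigned char *)buffer);
  unsigned int diff = crc - (unsigned int)in;   /* wraps, never UB */
  return (int)(crc - diff);                     /* == in (mod 2^32) */
}
double retWrapDouble(double in){
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%lf", in + 100000.0);
  double crc = (double)crc32((unsigned char *)buffer);
  double diff = crc - in;
  return crc - diff;                            /* ~= in, see precision note */
}
float retWrapFloat(float in){
  char buffer[200];
  snprintf(buffer, sizeof buffer, "%f", in + 100000.0);
  float crc = (float)crc32((unsigned char *)buffer);
  float diff = crc - in;
  return crc - diff;                            /* ~= in, see precision note */
}

--------------------------------------------------------------------------------
/src/llvm_pass/anti/antilib_dummy.c:
--------------------------------------------------------------------------------
#include   /* header name lost in rendering; usleep() is declared in <unistd.h> */

/*
 * Drop-in replacement for antilib.c with the CRC trick removed: every
 * wrapper sleeps 20 ms and returns its argument unchanged.  Linking this
 * object instead of antilib.o keeps the same call sites in the target;
 * the purpose (timing baseline vs. delay-only variant) is not documented
 * here -- TODO confirm with the build scripts that select it.
 */
int modifyInt(int in) { //no overloading in C
  usleep(20000);
  return in;
}
double modifyDouble(double in) {
  usleep(20000);
  return in;
}

float modifyFloat(float in) {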
usleep(20000); 14 | return in; 15 | } 16 | 17 | // for now, we are just using the same wrapper function above 18 | int retWrapInt(int in){ 19 | usleep(20000); 20 | return in; 21 | } 22 | double retWrapDouble(double in){ 23 | usleep(20000); 24 | return in; 25 | } 26 | float retWrapFloat(float in){ 27 | usleep(20000); 28 | return in; 29 | } 30 | -------------------------------------------------------------------------------- /src/llvm_pass/anti/skeleton/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_library(SkeletonPass MODULE 2 | # List your source files here. 3 | Skeleton.cpp 4 | modify.cpp 5 | modify.h 6 | ) 7 | 8 | # Use C++11 to compile our pass (i.e., supply -std=c++11). 9 | target_compile_features(SkeletonPass PRIVATE cxx_range_for cxx_auto_type) 10 | 11 | # LLVM is (typically) built with no C++ RTTI. We need to match that; 12 | # otherwise, we'll get linker errors about missing RTTI data. 13 | set_target_properties(SkeletonPass PROPERTIES 14 | COMPILE_FLAGS "-fno-rtti" 15 | ) 16 | 17 | # Get proper shared-library behavior (where symbols are not necessarily 18 | # resolved when the shared library is linked) on OS X. 
19 | if(APPLE) 20 | set_target_properties(SkeletonPass PROPERTIES 21 | LINK_FLAGS "-undefined dynamic_lookup" 22 | ) 23 | endif(APPLE) 24 | -------------------------------------------------------------------------------- /src/llvm_pass/anti/skeleton/modify.cpp: -------------------------------------------------------------------------------- 1 | #include "modify.h" 2 | 3 | int modify(int a) { 4 | return a + 1; 5 | } -------------------------------------------------------------------------------- /src/llvm_pass/anti/skeleton/modify.h: -------------------------------------------------------------------------------- 1 | int modify(int a); -------------------------------------------------------------------------------- /src/llvm_pass/antitaint/.gitignore: -------------------------------------------------------------------------------- 1 | a.out 2 | -------------------------------------------------------------------------------- /src/llvm_pass/bump/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.1) 2 | 3 | find_package(LLVM REQUIRED CONFIG) 4 | add_definitions(${LLVM_DEFINITIONS}) 5 | include_directories(${LLVM_INCLUDE_DIRS}) 6 | link_directories(${LLVM_LIBRARY_DIRS}) 7 | 8 | add_subdirectory(skeleton) # Use your pass name here. 9 | 10 | -------------------------------------------------------------------------------- /src/llvm_pass/bump/skeleton/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_library(SkeletonPass MODULE 2 | # List your source files here. 3 | Skeleton.cpp 4 | ) 5 | 6 | # Use C++11 to compile our pass (i.e., supply -std=c++11). 7 | target_compile_features(SkeletonPass PRIVATE cxx_range_for cxx_auto_type) 8 | 9 | # LLVM is (typically) built with no C++ RTTI. We need to match that. 
10 | set_target_properties(SkeletonPass PROPERTIES 11 | COMPILE_FLAGS "-fno-rtti" 12 | ) 13 | 14 | # Get proper shared-library behavior (where symbols are not necessarily 15 | # resolved when the shared library is linked) on OS X. 16 | if(APPLE) 17 | set_target_properties(SkeletonPass PROPERTIES 18 | LINK_FLAGS "-undefined dynamic_lookup" 19 | ) 20 | endif(APPLE) 21 | -------------------------------------------------------------------------------- /src/llvm_pass/pandora/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.1) 2 | 3 | find_package(LLVM REQUIRED CONFIG) 4 | add_definitions(${LLVM_DEFINITIONS}) 5 | include_directories(${LLVM_INCLUDE_DIRS}) 6 | link_directories(${LLVM_LIBRARY_DIRS}) 7 | 8 | add_subdirectory(skeleton) # Use your pass name here. 9 | -------------------------------------------------------------------------------- /src/llvm_pass/pandora/skeleton/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | add_library(SkeletonPass MODULE 2 | # List your source files here. 3 | Skeleton.cpp 4 | ) 5 | 6 | # Use C++11 to compile our pass (i.e., supply -std=c++11). 7 | target_compile_features(SkeletonPass PRIVATE cxx_range_for cxx_auto_type) 8 | 9 | # LLVM is (typically) built with no C++ RTTI. We need to match that. 10 | set_target_properties(SkeletonPass PROPERTIES 11 | COMPILE_FLAGS "-fno-rtti" 12 | ) 13 | 14 | # Get proper shared-library behavior (where symbols are not necessarily 15 | # resolved when the shared library is linked) on OS X. 
16 | if(APPLE) 17 | set_target_properties(SkeletonPass PROPERTIES 18 | LINK_FLAGS "-undefined dynamic_lookup" 19 | ) 20 | endif(APPLE) 21 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.1) 2 | 3 | find_package(LLVM REQUIRED CONFIG) 4 | add_definitions(${LLVM_DEFINITIONS}) 5 | include_directories(${LLVM_INCLUDE_DIRS}) 6 | link_directories(${LLVM_LIBRARY_DIRS}) 7 | 8 | add_subdirectory(skeleton) # Use your pass name here. 9 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/custom_limits.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: C -*- 2 | * 3 | * Copyright (c) 2014 The University of Utah 4 | */ 5 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 6 | This file is part of the GNU C Library. 7 | 8 | The GNU C Library is free software; you can redistribute it and/or 9 | modify it under the terms of the GNU Lesser General Public 10 | License as published by the Free Software Foundation; either 11 | version 2.1 of the License, or (at your option) any later version. 12 | 13 | The GNU C Library is distributed in the hope that it will be useful, 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 | Lesser General Public License for more details. 17 | 18 | You should have received a copy of the GNU Lesser General Public 19 | License along with the GNU C Library; if not, write to the Free 20 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 21 | 02110-1301 USA. */ 22 | 23 | /* 24 | * ISO C99: 7.18 Integer types 25 | */ 26 | 27 | /* 28 | * Our custom limits.h based on the system header file. 
29 | */ 30 | 31 | #ifndef _CUSTOM_LIMITS_H 32 | #define _CUSTOM_LIMITS_H 1 33 | 34 | /* Limits of integral types. */ 35 | 36 | /* Minimum of signed integral types. */ 37 | # define INT8_MIN (-128) 38 | # define INT16_MIN (-32767-1) 39 | # define INT32_MIN (-2147483647-1) 40 | #ifndef NO_LONGLONG 41 | # define INT64_MIN (-(9223372036854775807LL)-1) 42 | #endif 43 | /* Maximum of signed integral types. */ 44 | # define INT8_MAX (127) 45 | # define INT16_MAX (32767) 46 | # define INT32_MAX (2147483647) 47 | #ifndef NO_LONGLONG 48 | # define INT64_MAX (9223372036854775807LL) 49 | #endif 50 | 51 | /* Maximum of unsigned integral types. */ 52 | # define UINT8_MAX (255) 53 | # define UINT16_MAX (65535) 54 | # define UINT32_MAX (4294967295U) 55 | #ifndef NO_LONGLONG 56 | # define UINT64_MAX (18446744073709551615ULL) 57 | #endif 58 | 59 | # define CHAR_BIT 8 60 | 61 | /* Limits of FP types. */ 62 | 63 | #define FLT_MAX 3.40282347e+38F 64 | #define DBL_MAX 1.7976931348623158e+308 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/custom_stdint_x86.h: -------------------------------------------------------------------------------- 1 | /* -*- mode: C -*- 2 | * 3 | * Copyright (c) 2011, 2016 The University of Utah 4 | * All rights reserved. 5 | * 6 | * This file is part of `csmith', a random generator of C programs. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions are met: 10 | * 11 | * * Redistributions of source code must retain the above copyright notice, 12 | * this list of conditions and the following disclaimer. 13 | * 14 | * * Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 
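 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#define int8_t signed char
#define uint8_t unsigned char

#define int16_t short
#define uint16_t unsigned short

#define int32_t int
#define uint32_t unsigned

#define int64_t long long
#define uint64_t unsigned long long

--------------------------------------------------------------------------------
/src/llvm_pass/trap/huge_dummy.c:
--------------------------------------------------------------------------------
/* No-op stand-in for huge.c's huge_raw_input(): ignores the file name and
 * returns 0, so a target can be linked with or without the real object
 * while keeping the same call site. */
int huge_raw_input(char* file_name){
  return 0;
}

--------------------------------------------------------------------------------
/src/llvm_pass/trap/jtable_inject.py:
--------------------------------------------------------------------------------
"""Inject a static pointer table into a C source file, in place.

Usage: jtable_inject.py FILE LINE

INJECT1 (a 1000-slot ``void *`` table plus a dummy function) is prepended to
FILE and INJECT2 (a store of ``&func1`` into slot 0) is inserted before the
0-based line LINE.  Both inserts are skipped when the first line of FILE
already contains ``addr`` (the marker left by INJECT1), so re-running the
script on an already-patched file is harmless.

The original's indentation was lost in rendering; both inserts are treated as
guarded by the marker check, which is the only reading under which the check
serves a purpose.
"""
INJECT1 = """struct addrarry{
void *jt[1000];
} jtable = {0xeeeeeeeeeeeeeeee, 0xdddddddddddddddd};

void func1(void){
int a=0;
}
"""

INJECT2 = """ jtable.jt[0] = &func1;
"""

import os, sys


def _inject(filename, inject2):
    """Patch FILENAME; INJECT2 is the 0-based line index for the store.

    Returns True when the file was modified and False when it already
    carried the marker.  An empty file has nothing to test the marker
    against and is patched (the original raised IndexError on it).
    """
    with open(filename, "r") as f:
        contents = f.readlines()

    if contents and "addr" in contents[0]:
        return False

    # The store goes in first: its index refers to the *original* line
    # numbering, which prepending INJECT1 would shift by one.  list.insert
    # past the end simply appends.
    contents.insert(inject2, INJECT2)
    contents.insert(0, INJECT1)

    with open(filename, "w") as f:
        f.write("".join(contents))
    return True


if __name__ == "__main__":
    _inject(sys.argv[1], int(sys.argv[2]))

--------------------------------------------------------------------------------
/src/llvm_pass/trap/rop_dummy.c:
--------------------------------------------------------------------------------
#include
#include
#include
#include

//#define DEBUG
#define MAX 256


#include
#include
#include
#include

/* Stub helpers the trap pass links against.  The header names of the bare
 * #include lines above were lost in rendering. */

/* Reduce retval into [0, group).  retval is reinterpreted as unsigned before
 * the modulo, so negative values map to large positive residues instead of
 * negative remainders; group is converted to unsigned by the usual
 * arithmetic conversions.  group == 0 is a division by zero -- the call is
 * inserted by the pass (not visible here), which must guarantee group > 0.
 * The "ren" text is debugging output (presumably meant to read "rem"). */
int rem(int retval, int group){
  printf("ren\n");
  return (unsigned int)retval % group;
}

/* Presumably a marker the pass searches for; the argument is unused. */
int markfunc(int a){
  return 0;
}

int dummy2(int a){
  return 0;
}

/* Body of three nops; the four arguments are unused.  Presumably keeps the
 * function from being folded away -- confirm against the pass. */
void dummy(int a, int b, int c, int d){
  __asm__ (
    "nop\n"
    "nop\n"
    "nop"
  );
}


--------------------------------------------------------------------------------
/src/llvm_pass/trap/script/first.sh:
--------------------------------------------------------------------------------
#!/bin/bash
$CC -DHAVE_CONFIG_H -I. -I. -I.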
-I../bfd -I./../bfd -I./../include -DLOCALEDIR="\"/usr/local/share/locale\"" -Dbin_dummy_emulation=bin_vanilla_emulation -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -flto -std=gnu99 -MT readelf.o -MD -MP -MF .deps/readelf.Tpo -c -o readelf.o readelf.c 3 | 4 | $CC -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -flto -std=gnu99 -flto -fuse-ld=gold -o readelf readelf.o version.o unwind-ia64.o dwarf.o elfcomm.o ../libiberty/libiberty.a -lz -ldl 5 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/genrop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ROPgadget --only "pop|ret" --nojop --nosys --all --binary $1 |grep " : " |grep -v "ret\ " > ropgadget_temp 3 | #ROPgadget --depth=2 --only "ret" --all --binary $1 |grep " : " |grep -v "ret\ " > ropgadget 4 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/make.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cd skeleton;make 3 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/readelf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cp /data/fuzz/sample/binutils-2.25/binutils/readelf.o . 
3 | opt -always-inline -load skeleton/libSkeletonPass.so -SkeletonPass readelf2.o 4 | cp ./readelf2.o /data/fuzz/sample/binutils-2.25/binutils/readelf2.o 5 | cp ./dummy.o /data/fuzz/sample/binutils-2.25/binutils/dummy.o 6 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | (cd /data/fuzz/sample/binutils-2.25/binutils;sh ./first.sh) 4 | sh ./readelf.sh 5 | (cd /data/fuzz/sample/binutils-2.25/binutils;sh ./second.sh) 6 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/second.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | $CC -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -flto -std=gnu99 -flto -fuse-ld=gold -o readelf readelf2.o version.o unwind-ia64.o dwarf.o elfcomm.o dummy.o ../libiberty/libiberty.a -lz -ldl 4 | 5 | cp ./readelf /data/sslab/anti-fuzz/src/defense/ 6 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/script/toy.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/bin/bash 3 | cd skeleton 4 | make clean 5 | make 6 | cd .. 7 | cp skeleton/libSkeletonPass.so ./toytest/ 8 | cd toytest 9 | make clean 10 | make 11 | cd .. 12 | cp toytest/toy . 13 | cp toytest/dummy.o . 
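
--------------------------------------------------------------------------------
/src/llvm_pass/trap/simple_injector.py:
--------------------------------------------------------------------------------
"""Insert a ``huge_raw_input()`` call into a C source file, in place.

Usage: simple_injector.py FILE LINE ARGV_INDEX

The snippet ``huge_raw_input(argv[ARGV_INDEX]);`` is inserted before the
0-based line LINE of FILE.  ARGV_INDEX is pasted into the snippet verbatim
(no validation), so it should be the index of the command-line argument that
names the input file in the patched program.
"""
HUGE2 = """

huge_raw_input(argv[{0}]);
"""

import os, sys


def _inject(filename, huge2, argv_num):
    """Rewrite FILENAME with the call inserted at line index HUGE2.

    The template HUGE2 is left untouched; the substituted copy is local.
    list.insert past the end of the file simply appends.
    """
    snippet = HUGE2.replace("{0}", argv_num)

    with open(filename, "r") as f:
        contents = f.readlines()

    contents.insert(huge2, snippet)

    with open(filename, "w") as f:
        f.write("".join(contents))


if __name__ == "__main__":
    _inject(sys.argv[1], int(sys.argv[2]), sys.argv[3])

--------------------------------------------------------------------------------
/src/llvm_pass/trap/skeleton/.gitignore:
--------------------------------------------------------------------------------
CMakeFiles/
--------------------------------------------------------------------------------
/src/llvm_pass/trap/skeleton/CMakeLists.txt:
--------------------------------------------------------------------------------
add_library(SkeletonPass MODULE
# List your source files here.
Skeleton.cpp
)

# Use C++11 to compile our pass (i.e., supply -std=c++11).
target_compile_features(SkeletonPass PRIVATE cxx_range_for cxx_auto_type)

# LLVM is (typically) built with no C++ RTTI. We need to match that.
set_target_properties(SkeletonPass PROPERTIES
COMPILE_FLAGS "-fno-rtti"
)

# Get proper shared-library behavior (where symbols are not necessarily
# resolved when the shared library is linked) on OS X.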
16 | if(APPLE) 17 | set_target_properties(SkeletonPass PROPERTIES 18 | LINK_FLAGS "-undefined dynamic_lookup" 19 | ) 20 | endif(APPLE) 21 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/stdint_avr.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for avr 26 | */ 27 | #ifndef _STDINT_AVR_H 28 | #define _STDINT_AVR_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | typedef signed char int8_t; 37 | typedef int int16_t; 38 | typedef long int int32_t; 39 | typedef long long int int64_t; 40 | 41 | /* Unsigned. 
*/ 42 | typedef unsigned char uint8_t; 43 | typedef unsigned int uint16_t; 44 | typedef unsigned long int uint32_t; 45 | typedef unsigned long long int uint64_t; 46 | 47 | #endif /* stdint_avr.h */ 48 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/stdint_ia32.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for ia32 26 | */ 27 | #ifndef _STDINT_IA32_H 28 | #define _STDINT_IA32_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef short int int16_t; 39 | typedef int int32_t; 40 | #ifndef NO_LONGLONG 41 | typedef long long int int64_t; 42 | #endif 43 | 44 | /* Unsigned. 
*/ 45 | typedef unsigned char uint8_t; 46 | typedef unsigned short int uint16_t; 47 | typedef unsigned int uint32_t; 48 | #ifndef NO_LONGLONG 49 | typedef unsigned long long int uint64_t; 50 | #endif 51 | 52 | #endif /* stdint_ia32.h */ 53 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/stdint_ia64.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for ia64 26 | */ 27 | #ifndef _STDINT_IA64_H 28 | #define _STDINT_IA64_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef short int int16_t; 39 | typedef int int32_t; 40 | typedef long int int64_t; 41 | 42 | /* Unsigned. 
*/ 43 | typedef unsigned char uint8_t; 44 | typedef unsigned short int uint16_t; 45 | typedef unsigned int uint32_t; 46 | typedef unsigned long int uint64_t; 47 | 48 | #endif /* stdint_ia64.h */ 49 | -------------------------------------------------------------------------------- /src/llvm_pass/trap/stdint_msp430.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 1997,1998,1999,2000,2001,2006 Free Software Foundation, Inc. 2 | This file is part of the GNU C Library. 3 | 4 | The GNU C Library is free software; you can redistribute it and/or 5 | modify it under the terms of the GNU Lesser General Public 6 | License as published by the Free Software Foundation; either 7 | version 2.1 of the License, or (at your option) any later version. 8 | 9 | The GNU C Library is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 12 | Lesser General Public License for more details. 13 | 14 | You should have received a copy of the GNU Lesser General Public 15 | License along with the GNU C Library; if not, write to the Free 16 | Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 17 | 02110-1301 USA. */ 18 | 19 | /* 20 | * ISO C99: 7.18 Integer types 21 | */ 22 | 23 | /* 24 | * ISSUE: 25 | * This file is based on the system stdint.h for msp430 26 | */ 27 | #ifndef _STDINT_MSP430_H 28 | #define _STDINT_MSP430_H 1 29 | 30 | #include "custom_limits.h" 31 | 32 | /* Exact integral types. */ 33 | 34 | /* Signed. */ 35 | 36 | /* There is some amount of overlap with as known by inet code */ 37 | typedef signed char int8_t; 38 | typedef int int16_t; 39 | typedef long int int32_t; 40 | __extension__ typedef long long int int64_t; 41 | 42 | /* Unsigned. 
*/ 43 | typedef unsigned char uint8_t; 44 | typedef unsigned int uint16_t; 45 | typedef unsigned long int uint32_t; 46 | __extension__ typedef unsigned long long int uint64_t; 47 | 48 | #endif /* stdint_msp430.h */ 49 | -------------------------------------------------------------------------------- /src/util/prob: -------------------------------------------------------------------------------- 1 | more_struct_union_type_prob=50 2 | 3 | bitfields_creation_prob=50 4 | 5 | bitfields_signed_prob=50 6 | 7 | bitfield_in_normal_struct_prob=10 8 | 9 | scalar_field_in_full_bitfields_struct_prob=10 10 | 11 | exhaustive_bitfield_prob=10 12 | 13 | safe_ops_signed_prob=50 14 | 15 | select_deref_pointer_prob=80 16 | 17 | regular_volatile_prob=50 18 | 19 | regular_const_prob=10 20 | 21 | stricter_const_prob=50 22 | 23 | looser_const_prob=50 24 | 25 | field_volatile_prob=30 26 | 27 | field_const_prob=20 28 | 29 | std_unary_func_prob=5 30 | 31 | shift_by_non_constant_prob=50 32 | 33 | pointer_as_ltype_prob=50 34 | 35 | struct_as_ltype_prob=30 36 | 37 | union_as_ltype_prob=25 38 | 39 | float_as_ltype_prob=0 40 | 41 | new_array_var_prob=20 42 | 43 | access_once_var_prob=20 44 | 45 | inline_function_prob=50 46 | 47 | builtin_function_prob=50 48 | 49 | [statement_prob,statement_assign_prob=100,statement_block_prob=0,statement_for_prob=30,statement_ifelse_prob=15,statement_return_prob=35,statement_continue_prob=40,statement_break_prob=45,statement_goto_prob=50,statement_arrayop_prob=60] 50 | 51 | (assign_unary_ops_prob,unary_plus_prob=1,unary_minus_prob=1,unary_not_prob=1,unary_bit_not_prob=1) 52 | 53 | (assign_binary_ops_prob,binary_add_prob=1,binary_sub_prob=1,binary_mul_prob=1,binary_div_prob=1,binary_mod_prob=1,binary_gt_prob=1,binary_lt_prob=1,binary_ge_prob=1,binary_le_prob=1,binary_eq_prob=1,binary_ne_prob=1,binary_and_prob=1,binary_or_prob=1,binary_bit_xor_prob=1,binary_bit_and_prob=1,binary_bit_or_prob=1,binary_bit_rshift_prob=1,binary_bit_lshift_prob=1) 54 | 55 | 
(simple_types_prob,void_prob=0,char_prob=1,int_prob=1,short_prob=1,long_prob=1,long_long_prob=1,uchar_prob=1,uint_prob=1,ushort_prob=1,ulong_prob=1,ulong_long_prob=1,float_prob=0) 56 | 57 | (safe_ops_size_prob,safe_ops_size_int8=1,safe_ops_size_int16=1,safe_ops_size_int32=1,safe_ops_size_int64=1) 58 | 59 | --------------------------------------------------------------------------------