Update LibAFL concolic (#1634)

tokatoka · web-flow · commit 02cd260af0ca · 2023-10-22T13:44:01.000+02:00
* concolic upd

* more

* working

* clippy

* rev

* fix

* remove cur_input

* rev

* gitignore
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ vendor
 
 .cur_input
 .cur_input_*
+cur_input
 .venv
 
 crashes
@@ -60,3 +61,8 @@ libafl_nyx/QEMU-Nyx
 libafl_nyx/packer
 
 .z3-trace
+
+# No gdb history
+.gdb_history
+# No llvm IR
+*.ll
diff --git a/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml b/fuzzers/libfuzzer_stb_image_concolic/Makefile.toml
@@ -51,6 +51,9 @@ clear = true
 script='''
 cd fuzzer 
 cargo clean
-cd ../runtime
+cd ..
+cd ./runtime
 cargo clean
-'''
+cd ..
+cargo clean
+'''
diff --git a/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs b/fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs
@@ -60,13 +60,14 @@ struct Opt {
     concolic: bool,
 }
 
+use std::fs;
 pub fn main() {
     // Registry the metadata types used in this fuzzer
     // Needed only on no_std
     // unsafe { RegistryBuilder::register::<Tokens>(); }
 
     let opt = Opt::parse();
-
+    let _ = fs::remove_file("cur_input");
     println!(
         "Workdir: {:?}",
         env::current_dir().unwrap().to_string_lossy().to_string()
diff --git a/libafl/src/observers/concolic/mod.rs b/libafl/src/observers/concolic/mod.rs
@@ -252,7 +252,9 @@ pub enum SymExpr {
         a: SymExprRef,
         b: SymExprRef,
     },
-
+    FloatNeg {
+        op: SymExprRef,
+    },
     FloatAbs {
         op: SymExprRef,
     },
@@ -277,6 +279,11 @@ pub enum SymExpr {
         b: SymExprRef,
     },
 
+    Ite {
+        cond: SymExprRef,
+        a: SymExprRef,
+        b: SymExprRef,
+    },
     Sext {
         op: SymExprRef,
         bits: u8,
diff --git a/libafl/src/observers/concolic/serialization_format.rs b/libafl/src/observers/concolic/serialization_format.rs
@@ -110,6 +110,7 @@ impl<R: Read> MessageFileReader<R> {
 
     /// This transforms the given message from it's serialized form into its in-memory form, making relative references
     /// absolute and counting the `SymExprRef`s.
+    #[allow(clippy::too_many_lines)]
     fn transform_message(&mut self, message: &mut SymExpr) -> SymExprRef {
         let ret = self.current_id;
         match message {
@@ -125,6 +126,7 @@ impl<R: Read> MessageFileReader<R> {
             }
             SymExpr::Neg { op }
             | SymExpr::FloatAbs { op }
+            | SymExpr::FloatNeg { op }
             | SymExpr::Not { op }
             | SymExpr::Sext { op, .. }
             | SymExpr::Zext { op, .. }
@@ -204,6 +206,12 @@ impl<R: Read> MessageFileReader<R> {
                 }
             }
             SymExpr::Call { .. } | SymExpr::Return { .. } | SymExpr::BasicBlock { .. } => {}
+            SymExpr::Ite { cond, a, b } => {
+                *cond = self.make_absolute(*cond);
+                *a = self.make_absolute(*a);
+                *b = self.make_absolute(*b);
+                self.current_id += 1;
+            }
         }
         SymExprRef::new(ret).unwrap()
     }
@@ -291,6 +299,7 @@ impl<W: Write + Seek> MessageFileWriter<W> {
             }
             SymExpr::Neg { op }
             | SymExpr::FloatAbs { op }
+            | SymExpr::FloatNeg { op }
             | SymExpr::Not { op }
             | SymExpr::Sext { op, .. }
             | SymExpr::Zext { op, .. }
@@ -370,6 +379,11 @@ impl<W: Write + Seek> MessageFileWriter<W> {
                 }
             }
             SymExpr::Call { .. } | SymExpr::Return { .. } | SymExpr::BasicBlock { .. } => {}
+            SymExpr::Ite { cond, a, b } => {
+                *cond = self.make_relative(*cond);
+                *a = self.make_relative(*a);
+                *b = self.make_relative(*b);
+            }
         }
         self.serialization_options
             .serialize_into(&mut self.writer, &message)?;
diff --git a/libafl_concolic/symcc_libafl/src/lib.rs b/libafl_concolic/symcc_libafl/src/lib.rs
@@ -5,7 +5,7 @@
 /// The URL of the `LibAFL` `SymCC` fork.
 pub const SYMCC_REPO_URL: &str = "https://github.com/AFLplusplus/symcc.git";
 /// The commit of the `LibAFL` `SymCC` fork.
-pub const SYMCC_REPO_COMMIT: &str = "2a3229da6101596af220f20fef5085e59537abcb";
+pub const SYMCC_REPO_COMMIT: &str = "6909c3f2b98c6e14a25bee0fc6eb29c598250e35";
 
 #[cfg(feature = "clone")]
 mod clone {
diff --git a/libafl_concolic/symcc_runtime/src/filter.rs b/libafl_concolic/symcc_runtime/src/filter.rs
@@ -240,4 +240,7 @@ impl Filter for NoFloat {
     fn build_fp_rem(&mut self, _a: RSymExpr, _b: RSymExpr) -> bool {
         false
     }
+    fn build_fp_neg(&mut self, _a: RSymExpr) -> bool {
+        false
+    }
 }
diff --git a/libafl_concolic/symcc_runtime/src/tracing.rs b/libafl_concolic/symcc_runtime/src/tracing.rs
@@ -127,6 +127,7 @@ impl Runtime for TracingRuntime {
     binary_expression_builder!(build_fp_rem, FloatRem);
 
     unary_expression_builder!(build_fp_abs, FloatAbs);
+    unary_expression_builder!(build_fp_neg, FloatNeg);
 
     unary_expression_builder!(build_not, Not);
     binary_expression_builder!(build_equal, Equal);
@@ -135,6 +136,7 @@ impl Runtime for TracingRuntime {
     binary_expression_builder!(build_bool_or, BoolOr);
     binary_expression_builder!(build_bool_xor, BoolXor);
 
+    expression_builder!(build_ite(cond: RSymExpr, a: RSymExpr, b: RSymExpr) => Ite);
     expression_builder!(build_sext(op: RSymExpr, bits: u8) => Sext);
     expression_builder!(build_zext(op: RSymExpr, bits: u8) => Zext);
     expression_builder!(build_trunc(op: RSymExpr, bits: u8) => Trunc);

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ impl<R: Read> MessageFileReader<R> {`
`110`	`110`
`111`	`111`	`/// This transforms the given message from it's serialized form into its in-memory form, making relative references`
`112`	`112`	/// absolute and counting the `SymExprRef`s.
	`113`	`+ #[allow(clippy::too_many_lines)]`
`113`	`114`	`fn transform_message(&mut self, message: &mut SymExpr) -> SymExprRef {`
`114`	`115`	`let ret = self.current_id;`
`115`	`116`	`match message {`
`@@ -125,6 +126,7 @@ impl<R: Read> MessageFileReader<R> {`
`125`	`126`	`}`
`126`	`127`	`SymExpr::Neg { op }`
`127`	`128`	`\| SymExpr::FloatAbs { op }`
	`129`	`+ \| SymExpr::FloatNeg { op }`
`128`	`130`	`\| SymExpr::Not { op }`
`129`	`131`	`\| SymExpr::Sext { op, .. }`
`130`	`132`	`\| SymExpr::Zext { op, .. }`
`@@ -204,6 +206,12 @@ impl<R: Read> MessageFileReader<R> {`
`204`	`206`	`}`
`205`	`207`	`}`
`206`	`208`	`SymExpr::Call { .. } \| SymExpr::Return { .. } \| SymExpr::BasicBlock { .. } => {}`
	`209`	`+ SymExpr::Ite { cond, a, b } => {`
	`210`	`+ cond = self.make_absolute(cond);`
	`211`	`+ a = self.make_absolute(a);`
	`212`	`+ b = self.make_absolute(b);`
	`213`	`+ self.current_id += 1;`
	`214`	`+ }`
`207`	`215`	`}`
`208`	`216`	`SymExprRef::new(ret).unwrap()`
`209`	`217`	`}`
`@@ -291,6 +299,7 @@ impl<W: Write + Seek> MessageFileWriter<W> {`
`291`	`299`	`}`
`292`	`300`	`SymExpr::Neg { op }`
`293`	`301`	`\| SymExpr::FloatAbs { op }`
	`302`	`+ \| SymExpr::FloatNeg { op }`
`294`	`303`	`\| SymExpr::Not { op }`
`295`	`304`	`\| SymExpr::Sext { op, .. }`
`296`	`305`	`\| SymExpr::Zext { op, .. }`
`@@ -370,6 +379,11 @@ impl<W: Write + Seek> MessageFileWriter<W> {`
`370`	`379`	`}`
`371`	`380`	`}`
`372`	`381`	`SymExpr::Call { .. } \| SymExpr::Return { .. } \| SymExpr::BasicBlock { .. } => {}`
	`382`	`+ SymExpr::Ite { cond, a, b } => {`
	`383`	`+ cond = self.make_relative(cond);`
	`384`	`+ a = self.make_relative(a);`
	`385`	`+ b = self.make_relative(b);`
	`386`	`+ }`
`373`	`387`	`}`
`374`	`388`	`self.serialization_options`
`375`	`389`	`.serialize_into(&mut self.writer, &message)?;`
Original file line number	Diff line number	Diff line change
`@@ -240,4 +240,7 @@ impl Filter for NoFloat {`
`240`	`240`	`fn build_fp_rem(&mut self, _a: RSymExpr, _b: RSymExpr) -> bool {`
`241`	`241`	`false`
`242`	`242`	`}`
	`243`	`+ fn build_fp_neg(&mut self, _a: RSymExpr) -> bool {`
	`244`	`+ false`
	`245`	`+ }`
`243`	`246`	`}`