This is an archive of the discontinued LLVM Phabricator instance.

[libFuzzer] add a symbolic execution puzzle (difficult for today's libFuzzer).
ClosedPublic

Authored by Dor1s on May 15 2018, 7:33 PM.

Details

Summary

This can be solved just in seconds with KLEE. Current libFuzzer
is able to satistfy 101 constraints out of 410 constraints presented during
the first hour of running with -use_value_profile=1 and -max_len=20.
During the next 3 hours, libFuzzer is able to generate ~50 NEW inputs,
bot none of those solve any new constraint.
During the next 20 hours, it didn't find any NEW inputs.

This test might be interesting for experimenting with the data flow tracing
approach started in https://reviews.llvm.org/D46666.

For the solution with KLEE and other information, see
https://github.com/Dor1s/codegate2017-quals-angrybird

Diff Detail

Event Timeline

Dor1s created this revision.May 15 2018, 7:33 PM
Herald added subscribers: Restricted Project, llvm-commits, delcypher. · View Herald TranscriptMay 15 2018, 7:33 PM
Dor1s edited the summary of this revision. (Show Details)May 15 2018, 7:36 PM
Dor1s edited the summary of this revision. (Show Details)May 16 2018, 10:22 AM

Neat. Was this generated programmatically?

test/fuzzer/MultipleConstraintsOnSmallInputTest.c
7

You don't need this include. You don't seem to be using assert() anywhere.

delcypher added inline comments.May 16 2018, 10:42 AM
test/fuzzer/MultipleConstraintsOnSmallInputTest.c
14

Why don't you want these functions inlined? A comment explaining your reasoning would be nice.

Dor1s updated this revision to Diff 147132.May 16 2018, 10:57 AM
Dor1s marked 2 inline comments as done.

Address review comments: remove unused header + add a comment regarding "noinline"

Neat. Was this generated programmatically?

Yes, there is a generator script and some extra info at https://github.com/Dor1s/codegate2017-quals-angrybird

Dor1s edited the summary of this revision. (Show Details)May 16 2018, 10:58 AM
kcc accepted this revision.May 16 2018, 11:03 AM

LGTM++

Looking forward to trying to attack it.
But indeed, for examples like this, KLEE (or other symexec) is clearly more powerful... today.

btw, thanks for supplying the reproducer in the top comment.

This revision is now accepted and ready to land.May 16 2018, 11:03 AM
This revision was automatically updated to reflect the committed changes.