eurecom-s3 / symcc

SymCC: efficient compiler-based symbolic execution
http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html
GNU General Public License v3.0

Fuzzing with AFL and Symcc does not work #152

Open jiliguluss opened 1 year ago

jiliguluss commented 1 year ago

The source code file is int_check.c. I build the AFL target and the SymCC target with the following commands:

afl-clang -O0 int_check.c -o afl-target
symcc -O0 int_check.c -o symcc-target

First I run the AFL process, and then I run the SymCC process:

afl-fuzz -S fuzz2 -i corpus/ -o out -m none -- ./afl-target @@
~/.cargo/bin/symcc_fuzzing_helper -o out -a fuzz2 -n symcc -- ./symcc-target @@

However, symcc can't generate any test cases: [screenshots: Snipaste_2023-11-30_13-48-22, Snipaste_2023-11-30_13-49-49]

iamsh4shank commented 10 months ago

Hey @jiliguluss, could you tell me how you built SymCC? Did you get any error related to Z3?

sebastianpoeplau commented 10 months ago

In addition to what @iamsh4shank said, it would also be good to see the output of symcc-target outside the afl run, i.e., just ./symcc-target some-dummy-input.
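A pre-flight script for the setup described in the first post and the standalone check suggested above, added here as an illustration (it is not SymCC's own tooling or anything posted in this thread). It assumes the AFL sync layout `<out>/<instance>/queue`, that `symcc_fuzzing_helper -a fuzz2` reads that AFL queue and writes its own results under `<out>/<-n name>/queue`, and that a SymCC-built binary honours the `SYMCC_INPUT_FILE` and `SYMCC_OUTPUT_DIR` environment variables; the `fuzz2`, `symcc` and `symcc-target` names are taken from the thread, everything else is constructed.

```shell
#!/usr/bin/env bash
# Pre-flight checks for an AFL + SymCC fuzzing setup (added example, not part
# of SymCC). Assumptions, labelled: AFL keeps each instance's corpus under
# <out>/<instance>/queue; symcc_fuzzing_helper -a <instance> consumes that
# queue and writes to <out>/<-n name>/queue; a SymCC-built binary reads
# SYMCC_INPUT_FILE to know which file is symbolic and SYMCC_OUTPUT_DIR for
# where to drop generated test cases.

# Count regular files directly inside a directory; 0 if it does not exist.
count_files() {
    local dir="$1"
    if [ -d "$dir" ]; then
        find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Return 0 when AFL instance <name> under <out> has a populated queue, i.e.
# the helper has something to work on. The name must match afl-fuzz -S;
# a typo in -a leaves the helper idle with nothing to translate.
check_afl_queue() {
    local out="$1" name="$2" n
    n=$(count_files "$out/$name/queue")
    if [ "$n" -gt 0 ]; then
        echo "afl instance '$name': $n queue entries"
        return 0
    fi
    echo "afl instance '$name': no queue entries under $out/$name/queue" >&2
    return 1
}

# Run the SymCC-built target once outside AFL and report how many test
# cases it wrote. Returns 2 if the binary is missing, 1 if it produced
# nothing (the symptom in this issue), 0 if it generated at least one case.
run_standalone() {
    local target="$1" input="$2" outdir="$3" n
    [ -x "$target" ] || { echo "missing target binary: $target" >&2; return 2; }
    mkdir -p "$outdir"
    # The target's own exit status is irrelevant here; we only inspect output.
    SYMCC_INPUT_FILE="$input" SYMCC_OUTPUT_DIR="$outdir" "$target" "$input" || true
    n=$(count_files "$outdir")
    echo "standalone run wrote $n test case(s) to $outdir"
    [ "$n" -gt 0 ]
}

# Usage: preflight.sh <out> <afl-instance> <symcc-target> <dummy-input>
# Only runs when invoked with arguments, so sourcing the file is side-effect free.
if [ "$#" -ge 4 ]; then
    check_afl_queue "$1" "$2"
    run_standalone "$3" "$4" "$1/symcc-standalone"
    echo "helper output so far: $(count_files "$1/symcc/queue") case(s) in $1/symcc/queue"
fi
```

If `check_afl_queue` fails, the helper had no seeds to work from; if `run_standalone` returns 1, the instrumented binary itself is not producing cases, which points at the build (the Z3 question above) rather than at the AFL integration.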