evanmak / savior-source

source code for savior fuzzer
Apache License 2.0

How to run a simple fuzzing job with SAVIOR #8

Open cryptomadco opened 4 years ago

cryptomadco commented 4 years ago

Hey! I successfully compiled savior and followed along with the readme of savior.

But finally I don't know how to run the fuzzing job in order to run fuzzing with savior.

Would you please give a sample here so I can run savior for a fuzzing job? The fuzzing command to run fuzzing with savior is enough.

Thanks.

evanmak commented 4 years ago

Hi,

Please refer to the test folder for examples. Specifically, you will need to prepare a config file similar to this and then run the coordinator by providing the required parameters.

cryptomadco commented 4 years ago

Hey, thanks! Got that and ran it with the following command:

root@cryoto-Standard-PC-i440FX-PIIX-1996:~/work/savior/tests/jpeg-9c/obj-savior# python ~/work/savior/coordinator/moriarty.py -t /root/work/savior/tests/jpeg-9c/obj-savior -c /root/work/savior/tests/jpeg-9c/obj-savior/fuzz.cfg

But it seems it has a problem:


Initialize concolic explorer
Using default free mode value
Using default optimisitc mode
['rm', '-rf', '/root/work/savior/tests/jpeg-9c/obj-savior/klee_new_input']
[KleeConc-Info]  Concolic Explorer using searcher[AFLUnCovSearcherSANGuidedSearcher]
[Coordinator-Info]  Number of explorers: 1, each batch run 20 inputs
[Coordinator-Info]  Will not save explored inputs
Fuzzer run  59  secs
SE run  8200  secs
[Switch-Oracle-Info] Using oracle pool: (Switch Oracle: Random)
[Edge-Oracle-Info] Using oracle pool: (san-guided)
[Coordinator-Info]  Using Switch_Oracle[Switch Oracle: Random], Edge_Oracle[san-guided]
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-1] child process calling self.run()
[INFO/Process-1] process shutting down
[INFO/Process-1] process exiting with exitcode 0
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-2] child process calling self.run()
[INFO/Process-2] process shutting down
[INFO/Process-2] process exiting with exitcode 0
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-3] child process calling self.run()
[INFO/Process-3] process shutting down
[INFO/Process-3] process exiting with exitcode 0
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-4] child process calling self.run()
[INFO/Process-4] process shutting down
[INFO/Process-4] process exiting with exitcode 0
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-5] child process calling self.run()
[INFO/Process-5] process shutting down
[INFO/Process-5] process exiting with exitcode 0
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-6] child process calling self.run()
[INFO/Process-6] process shutting down
[INFO/Process-6] process exiting with exitcode 0
^C[KleeConc-Info]  packing klee error cases into [/root/work/savior/tests/jpeg-9c/obj-savior/klee_errors]
[Coordinator-Info]  Professor Moriarty terminated, have a nice day : )

Seems it's not going to do the job correctly.

Would you please help in this case?

I am sure that I am doing all steps correctly.

These are the files I have in my /jpeg-9c/obj-savior directory:

djpeg.bc      
djpeg.reach.bug   
locmap.csv        
savior-djpeg.bc
djpeg.dma     
djpeg.reach.cov                       
savior-djpeg.dma
djpeg.dma.bc  
paired_edges.csv  
savior-djpeg.dma.bc
djpeg.edge    
fuzz.cfg          
labelmap.csv    
savior-djpeg

cryptomadco commented 4 years ago

I spotted the problem: before running the fuzzing job I should do this:

echo core >/proc/sys/kernel/core_pattern

Now I can run the job, but a new problem is encountered:

root@cryoto-Standard-PC-i440FX-PIIX-1996:~/work/savior/tests/jpeg-9c/obj-savior# python /root/work/savior/coordinator/moriarty.py -t /root/work/savior/tests/jpeg-9c/obj-savior/ -c /root/work/savior/tests/jpeg-9c/obj-savior/fuzz.cfg 
Initialize concolic explorer
Using default free mode value
Using default optimisitc mode
['rm', '-rf', '/root/work/savior/tests/jpeg-9c/obj-savior/klee_new_input']
[KleeConc-Info]  Concolic Explorer using searcher[AFLUnCovSearcherSANGuidedSearcher]
[Coordinator-Info]  Number of explorers: 1, each batch run 20 inputs
[Coordinator-Info]  Will not save explored inputs
Fuzzer run  50  secs
SE run  8300  secs
[Switch-Oracle-Info] Using oracle pool: (Switch Oracle: Random)
[Edge-Oracle-Info] Using oracle pool: (san-guided)
[Coordinator-Info]  Using Switch_Oracle[Switch Oracle: Random], Edge_Oracle[san-guided]
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-1] child process calling self.run()
/root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -Mmaster /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
starting Fuzzer: /root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -S slave_000001 /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[INFO/Process-2] child process calling self.run()
/root/work/savior/AFL/afl-fuzz -t 100+ -m none -i/root/work/savior/tests/jpeg-9c/obj-savior/in -o/root/work/savior/tests/jpeg-9c/obj-savior/out -S slave_000001 /root/work/savior/tests/jpeg-9c/obj-savior/savior-djpeg
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] 34.0 secs away from activating se
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] 24.0 secs away from activating se
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] 14.0 secs away from activating se
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] 4.0 secs away from activating se
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] -6.0 secs away from activating se
err:  /root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination not exists
['/root/work/savior/tests/jpeg-9c/obj-savior/out/.tmp_se_0.cov']
[ERROR] can not apend new merge coverage files/root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination
[Coordinator-Info]  can't append the merged se cov files, using the old one
[Edge-Oracle-Info] /root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination is not available yet
[Edge-Oracle-Info] Using oracle san-guided, only counting se cov #0
[Coordinator-Info]  No meaningful seeds found......
explored seeds:
[]
[Coordinator-Info]  Switching to [san-guided] heuristic
[Oracle-Info] collecting se stats
[Oracle-Info] 8300.0 secs away from terminating se
[Oracle-Info] Next time SE will run 10000 secs
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer deactivated
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] -9.0 secs away from activating se
err:  /root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination not exists
['/root/work/savior/tests/jpeg-9c/obj-savior/out/.tmp_se_0.cov']
[ERROR] can not apend new merge coverage files/root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination
[Coordinator-Info]  can't append the merged se cov files, using the old one
[Edge-Oracle-Info] /root/work/savior/tests/jpeg-9c/obj-savior/.afl_coverage_combination is not available yet
[Edge-Oracle-Info] Using oracle san-guided, only counting se cov #0
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input list : ['/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000324', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000185', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000186', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000187', '/root/work/savior/tests/jpeg-9c/obj-savior/out/slave_000001/queue/id_000327', '/root/work/savior/tests/jpeg-9c/obj-savior/out/slave_000001/queue/id_000224', '/root/work/savior/tests/jpeg-9c/obj-savior/out/slave_000001/queue/id_000328', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000189', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000207', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000066', '/root/work/savior/tests/jpeg-9c/obj-savior/out/slave_000001/queue/id_000402', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000204', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000203', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000085', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000068', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000243', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000006', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000001', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000260', '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000263']
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input score : [1003160806830170644, 8449795294797039355, 6600314349421502373, 8988051847817974566, 4905723253220023229, 2508383510811918307, 648375870906193041, 5464048705851743217, 8503276538590357037, 5197138386662837316, 8977462229361223347, 7946088903867822024, 5774093282788214458, 5540177817593332504, 9165950550237866860, 9196081054152298174, 8904459672079476913, 8554855792993199235, 7861902455125429804, 7405655917300089610]
Traceback (most recent call last):
  File "/root/work/savior/coordinator/moriarty.py", line 276, in <module>
    init(args.target, args.config);
  File "/root/work/savior/coordinator/moriarty.py", line 266, in init
    moriarty.start()
  File "/root/work/savior/coordinator/moriarty.py", line 239, in start
    utils.loop_every(self.epoch, self.poke_switch_oracle)
  File "/root/work/savior/coordinator/utils/utils.py", line 226, in loop_every
    func();
  File "/root/work/savior/coordinator/moriarty.py", line 156, in poke_switch_oracle
    self.se_factory.run(deduplicated_list, self.explorer_cov_file_list, self.batch_run_seed_num)
  File "/root/work/savior/coordinator/SEs/klee_explorer.py", line 63, in run
    _.run(input_list[input_base : input_base + batch_run_input_num], cov_file_list[explorer_base : explorer_base + self.se_num][i])
  File "/root/work/savior/coordinator/SEs/klee_conc_explorer.py", line 152, in run
    if max_input_size < os.path.getsize(afl_input):
  File "/usr/lib/python2.7/genericpath.py", line 57, in getsize
    return os.stat(filename).st_size
OSError: [Errno 2] No such file or directory: '/root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue/id_000324'

Seems there is a small problem with the script, so it cannot find a specific path.

I think it's looking for "id:000324,src:000000,op:arith8,pos:291,val:+20,+cov", but in this case it cannot find it and it throws an error for id_000324.

So how to solve this problem?

Thanks!

evanmak commented 4 years ago

Hmmm, thanks for reporting. Can you please take a look at /root/work/savior/tests/jpeg-9c/obj-savior/out/master/queue and check what the format for the inputs is? If it is like id:000324,src:000000,op:arith8,pos:291,val:+20,+cov, afl-fuzz is not compiled with the right flag.

To fix that, please revert this commit: https://github.com/evanmak/savior-source/commit/e2c18d9bf9613487a58b6cd12ed2e127085baefe and check if it still repros.

Thanks
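A pre-flight check for the two setup problems reported in this thread (the `core_pattern` setting and the queue file naming), as an added example written for Python 3; it is not code from the SAVIOR repository. The directory tree, the sample `core_pattern` value and the `klee_instance` prefix rule are constructed or assumed for the illustration.

```python
import os
import re
import tempfile

# Queue entry names seen in this thread.
#   id_000324                                  short form the coordinator asks for
#   id:000324,src:000000,op:arith8,...,+cov    descriptive form found on disk
SHORT = re.compile(r"^id_(\d{6})$")
COLON = re.compile(r"^id:(\d{6})(?:,|$)")


def classify_entry(name):
    """Return (style, numeric id); style is 'short', 'colon' or None."""
    for style, rx in (("short", SHORT), ("colon", COLON)):
        m = rx.match(name)
        if m:
            return style, int(m.group(1))
    return None, None


def scan_sync_dir(sync_dir):
    """Count naming styles in <sync_dir>/<instance>/queue for every instance."""
    report = {}
    for inst in sorted(os.listdir(sync_dir)):
        queue = os.path.join(sync_dir, inst, "queue")
        if not os.path.isdir(queue):
            continue
        counts = {"short": 0, "colon": 0, "other": 0}
        for name in os.listdir(queue):
            if name.startswith("."):        # AFL keeps bookkeeping in queue/.state
                continue
            style, _ = classify_entry(name)
            counts[style or "other"] += 1
        report[inst] = counts
    return report


def resolve_expected(path):
    """For a path the coordinator wants to stat, return (exists, name_on_disk).

    name_on_disk is the queue entry carrying the same numeric id, or None.
    """
    queue, expected = os.path.split(path)
    if os.path.exists(path):
        return True, expected
    _, wanted = classify_entry(expected)
    if wanted is None or not os.path.isdir(queue):
        return False, None
    for name in sorted(os.listdir(queue)):
        if classify_entry(name)[1] == wanted:
            return False, name
    return False, None


def core_pattern_blocks_afl(pattern):
    """afl-fuzz aborts at startup when core dumps are piped to a helper."""
    return pattern.startswith("|")


def diagnose(sync_dir, core_pattern):
    """Return human-readable findings for the two setup problems."""
    findings = []
    if core_pattern_blocks_afl(core_pattern):
        findings.append("core_pattern starts with '|': afl-fuzz exits immediately")
    for inst, counts in scan_sync_dir(sync_dir).items():
        # Assumption: directories named klee_instance* belong to the concolic
        # explorer (as in the thread's log) and are not AFL instances.
        if inst.startswith("klee_instance"):
            continue
        if counts["colon"] and not counts["short"]:
            findings.append("%s: queue holds id:NNNNNN,... names, id_NNNNNN "
                            "paths will not exist" % inst)
    return findings


def make_constructed_tree(root):
    """Build a constructed sync directory that mimics the layout in the thread."""
    layout = {
        "master": ["id:000000,orig:seed.jpg",
                   "id:000324,src:000000,op:arith8,pos:291,val:+20,+cov"],
        "slave_000001": ["id:000327,src:000001,op:havoc,rep:2"],
        "klee_instance_conc_000001": ["id:000940"],
    }
    for inst, names in layout.items():
        queue = os.path.join(root, inst, "queue")
        os.makedirs(os.path.join(queue, ".state"))
        for name in names:
            with open(os.path.join(queue, name), "wb") as fh:
                fh.write(b"\xff\xd8constructed")
    return root


if __name__ == "__main__":
    out = make_constructed_tree(tempfile.mkdtemp())
    # Constructed core_pattern value of the piped kind.
    for line in diagnose(out, "|/usr/share/apport/apport %p %s %c"):
        print("[!]", line)
    print(resolve_expected(os.path.join(out, "master", "queue", "id_000324")))
```

On a real run, pass the configured `sync_dir` and the contents of `/proc/sys/kernel/core_pattern` to `diagnose`. In stock AFL the short `id_NNNNNN` naming is selected by the `SIMPLE_FILES` compile-time define.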

cryptomadco commented 4 years ago

Thanks for the reply.

I checked the Makefile and it's already correct. This is my AFL/Makefile 👍

#
# american fuzzy lop - makefile
# -----------------------------
#
# Written and maintained by Michal Zalewski <lcamtuf@google.com>
# 
# Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
# 
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
# 
#   http://www.apache.org/licenses/LICENSE-2.0
#

PROGNAME    = afl
VERSION     = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)

PREFIX     ?= /usr/local
BIN_PATH    = $(PREFIX)/bin
HELPER_PATH = $(PREFIX)/lib/afl
DOC_PATH    = $(PREFIX)/share/doc/afl
MISC_PATH   = $(PREFIX)/share/afl

# PROGS intentionally omit afl-as, which gets installed elsewhere.

PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
SH_PROGS    = afl-plot afl-cmin afl-whatsup

CFLAGS     ?= -O3 -funroll-loops
CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
              -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
              -DBIN_PATH=\"$(BIN_PATH)\"

ifneq "$(filter Linux GNU%,$(shell uname))" ""
  LDFLAGS  += -ldl
endif

ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
  TEST_CC   = afl-gcc
else
  TEST_CC   = afl-clang
endif

COMM_HDR    = alloc-inl.h config.h debug.h types.h

all: test_x86 $(PROGS) afl-as test_build all_done

ifndef AFL_NO_X86

test_x86:
        @echo "[*] Checking for the ability to compile x86 code..."
        @echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
        @rm -f .test
        @echo "[+] Everything seems to be working, ready to compile."

else

test_x86:
        @echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."

endif

afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
        set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done

afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
        ln -sf afl-as as

afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)

afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)

afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)

afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)

afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
        $(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)

ifndef AFL_NO_X86

test_build: afl-gcc afl-as afl-showmap
        @echo "[*] Testing the CC wrapper and instrumentation output..."
        unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
        echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
        echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
        @rm -f test-instr
        @cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
        @echo "[+] All right, the instrumentation seems to be working!"

else

test_build: afl-gcc afl-as afl-showmap
        @echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."

endif

all_done: test_build
        @if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
        @echo "[+] All done! Be sure to review README - it's pretty short and useful."
        @if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
        @! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null

.NOTPARALLEL: clean

clean:
        rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
        rm -rf out_dir qemu_mode/qemu-2.3.0
        $(MAKE) -C llvm_mode clean
        $(MAKE) -C libdislocator clean
        $(MAKE) -C libtokencap clean

install: all
        mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
        rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
        install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
        rm -f $${DESTDIR}$(BIN_PATH)/afl-as
        if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
ifndef AFL_TRACE_PC
        if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
else
        if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
endif
        if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
        if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
        set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
        install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
        ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
        install -m 644 docs/README docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
        cp -r testcases/ $${DESTDIR}$(MISC_PATH)
        cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)

publish: clean
        test "`basename $$PWD`" = "afl" || exit 1
        test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
        cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
          tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
        chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
        ( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
        cat docs/README >~/www/afl/README.txt
        cat docs/status_screen.txt >~/www/afl/status_screen.txt
        cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
        cat docs/technical_details.txt >~/www/afl/technical_details.txt
        cat docs/ChangeLog >~/www/afl/ChangeLog.txt
        cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
        echo -n "$(VERSION)" >~/www/afl/version.txt

Seems line 73 is as what you already said for the commit.

And yes, I checked the format of the input and it's like this: id:000324,src:000000,op:arith8,pos:291,val:+20,+cov

Any other fix for that?

Seems the main problem is exactly from the input format.

Looking for a solution to this.

cryptomadco commented 4 years ago

OK, now I got it. I should revert this commit.

I reverted this and it seems it's running without problem.

But 3 questions here:

  1. How many bugs are expected to be discovered in the test sample jpeg by savior?

  2. What's the point of this patch, and why did you apply this when it's not working? Is there maybe another version of savior which is more complete?

  3. Does Savior scale to large applications for hybrid fuzzing?

Thanks!

cryptomadco commented 4 years ago

@evanmak It seems that there is no problem running savior now, but I guess it's not functioning as expected.

This is the output for a very simple program in which I expect at least one crash in minutes:

explored seeds:
[]
[Coordinator-Info]  Switching to [avg-bug-potential] heuristic
[Oracle-Info] collecting se stats
[Oracle-Info] 9050.0 secs away from terminating se
[Oracle-Info] Next time SE will run 11150 secs
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer deactivated
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] -8.0 secs away from activating se
err:  /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination not exists
['/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/out/.tmp_se_0.cov']
[ERROR] can not apend new merge coverage files/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination
[Coordinator-Info]  can't append the merged se cov files, using the old one
[Edge-Oracle-Info] /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination is not available yet
[Edge-Oracle-Info] Using oracle avg-bug-potential, only counting se cov #0
[Edge-Oracle-Info] read 1 seeds
[Coordinator-Info]  No meaningful seeds found......
explored seeds:
[]
[Coordinator-Info]  Switching to [avg-bug-potential] heuristic
[Oracle-Info] collecting se stats
[Oracle-Info] 11150.0 secs away from terminating se
[Oracle-Info] Next time SE will run 10050 secs
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer deactivated
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] -8.0 secs away from activating se
err:  /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination not exists
['/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/out/.tmp_se_0.cov']
[ERROR] can not apend new merge coverage files/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination
[Coordinator-Info]  can't append the merged se cov files, using the old one
[Edge-Oracle-Info] /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination is not available yet
[Edge-Oracle-Info] Using oracle avg-bug-potential, only counting se cov #0
[Edge-Oracle-Info] read 1 seeds
[Coordinator-Info]  No meaningful seeds found......
explored seeds:
[]
[Coordinator-Info]  Switching to [avg-bug-potential] heuristic
[Oracle-Info] collecting se stats
[Oracle-Info] 10050.0 secs away from terminating se
[Oracle-Info] Next time SE will run 9700 secs
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer deactivated
[Oracle-Info] collecting fuzzer stats
[Oracle-Info] -8.0 secs away from activating se
err:  /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination not exists
['/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/out/.tmp_se_0.cov']
[ERROR] can not apend new merge coverage files/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination
[Coordinator-Info]  can't append the merged se cov files, using the old one
[Edge-Oracle-Info] /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/.afl_coverage_combination is not available yet
[Edge-Oracle-Info] Using oracle avg-bug-potential, only counting se cov #0
[Edge-Oracle-Info] read 1 seeds
[Coordinator-Info]  No meaningful seeds found......
explored seeds:
[]
[Coordinator-Info]  Switching to [avg-bug-potential] heuristic
[Oracle-Info] collecting se stats
[Oracle-Info] 9700.0 secs away from terminating se
[Oracle-Info] Next time SE will run 11550 secs
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer deactivated
^C[KleeConc-Info]  packing klee error cases into [/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/klee_errors]
[KleeConc-Info]  packing klee error cases into [/root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/mytest2/klee_errors]
[Coordinator-Info]  Professor Moriarty terminated, have a nice day : )

I went to the crashes folders of both master and slave_000001 but there is nothing found!

The simple program is as follows (which I basically got from the QSYM repo):

#include <stdio.h>
#include <stdlib.h>

void ck_fread(void* ptr, size_t size, size_t nitems, FILE *stream) {
  if (fread(ptr, size, nitems, stream) != nitems) {
    printf("[-] Failed to read\n");
    exit(-1);
  }
}

int main(int argc, char** argv) {
  if (argc < 2) {
    printf("Usage: %s [input]\n", argv[0]);
    exit(-1);
  }

  FILE* fp = fopen(argv[1], "rb");

  if (fp == NULL) {
    printf("[-] Failed to open\n");
    exit(-1);
  }

  int x, y;
  char buf[32];

  ck_fread(&x, sizeof(x), 1, fp);
  ck_fread(buf, 1, sizeof(buf), fp);
  ck_fread(&y, sizeof(y), 1, fp);

  // Challenge for fuzzing
  if (x == 0xdeadbeef) {
    printf("Step 1 passed\n");

    // Challenge for symbolic execution
    int count = 0;
    for (int i = 0; i < 32; i++) {
      if (buf[i] >= 'a')
        count++;
    }

    if (count >= 8) {
      printf("Step 2 passed\n");

      // Challenge for fuzzing, again
      if ((x ^ y) == 0xbadf00d) {
        printf("Step 3 passed\n");
        ((void(*)())0)();
      }
    }
  }
}

evanmak commented 4 years ago

[Edge-Oracle-Info] read 1 seeds

it seems there's no input to choose from for symex, can you verify AFL is running correctly?

evanmak commented 4 years ago

for your questions,

How many bugs are expected to be discovered in the test sample jpeg by savior?

Most of the bugs found are UBSAN bugs, please refer to our paper for the number.

What's the point of this patch, and why did you apply this when it's not working? Is there maybe another version of savior which is more complete?

Yes, there's another version used in Baidu, Inc. internally, which is more well maintained. But unfortunately I do not have access to it.

Does Savior scale to large applications for hybrid fuzzing?

It scales fine, I tested it on several modules in https://github.com/ApolloAuto/apollo, it was able to run tens of millions of instructions in like 15 minutes.

cryptomadco commented 4 years ago

[Edge-Oracle-Info] read 1 seeds

it seems there's no input to choose from for symex, can you verify AFL is running correctly?

Let me check it and reply back to you. But before that, this is the output of running Savior on the Jpeg sample:

wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000940
KLEE: State 1601 finishes/terminates
terminate selected generated state #: 1601
KLEE: solved generated state branch id:110865012, priority:2
wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000941
KLEE: State 1605 finishes/terminates
terminate selected generated state #: 1605
KLEE: solved generated state branch id:110321066, priority:2
wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000942
KLEE: State 1609 finishes/terminates
terminate selected generated state #: 1609
[Oracle-Info] collecting se stats
[Oracle-Info] 11019.0 secs away from terminating se
conc_explorer pid: 31693 is alive
KLEE: solved generated state branch id:79052, priority:2
wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000943
KLEE: State 1642 finishes/terminates
terminate selected generated state #: 1642
KLEE: solved generated state branch id:177216, priority:2
wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000944
KLEE: State 1641 finishes/terminates
terminate selected generated state #: 1641
KLEE: solved generated state branch id:177216, priority:2
wrote 413 bytes to /root/work/savior/tests/jpeg-9c/obj-savior/out//klee_instance_conc_000001/queue/id:000945

Does this output prove that Savior is running and working correctly?

cryptomadco commented 4 years ago

[Edge-Oracle-Info] read 1 seeds

it seems there's no input to choose from for symex, can you verify AFL is running correctly?

@evanmak

This is my fuzz.cfg file:


[moriarty]
;if INPUTTYPE is symfile, insert INPUT_FILE at proper location
target_bin=@target/savior-ex
target_bc=@target/savior-ex.dma.bc
sync_dir=/root/work/savior/tests/mytest2/out/
bitmodel=64
;inputtype can be [stdin|symfile]
inputtype=symfile
;moriarty will inovke each explorer $(max_instance) times
max_explorer_instance=1
;how many seed each explorer will run in a batch
batch_run_input_num=20

[afl]
root=/root/work/savior/AFL/
in_dir=@target/in
slave_num=1
; use_dict=@target/png.dict
use_ui=0

[klee conc_explorer]
bin=/root/work/savior/KLEE/klee-build/bin/klee
;klee searcher could be [AFLUnCovSearcher|SANGuidedSearcher] 
;use ':' to separate the heuristics, klee will apply both searchers 
search_heuristic=AFLUnCovSearcher:SANGuidedSearcher
klee_seed_dir=@target/klee_new_input
converter=/root/work/savior/KLEE/klee-build/bin/converter
max_interesting_output=65536
;location of klee errors will be stored 
error_dir=@target/klee_errors
;how many seconds we allow each seed to run.
max_time_per_seed=150

;c++ options
;klee_ctor_stub = 1
;klee_uclibcxx = 1

[switch oracle]
;fuzzing switching heuristic can be [random|saturate|driller_saturate]
strategy=random

[edge oracle]
;seed selecting heurisitic could be [sequential|random|san-guided|bug-potential|avg-bug-potential] 
;use ':' to separate the heuristics, edge oracle will use them in round-robin 
heuristics=san-guided
bug_potential_weight=10
code_potential_weight=50

[auxiliary info]
code_reach_map=@target/ex.reach.cov
bug_reach_map=@target/ex.reach.bug

And this is actually what's going on my current directory (files in the target directory):

ex     
ex.c     
ex.reach.bug  
fuzz2.cfg  in            
locmap.csv        
savior-ex     
savior-ex.dma
ex.bc  
ex.edge  
ex.reach.cov  
fuzz.cfg   
labelmap.csv  
paired_edges.csv  
savior-ex.bc  
savior-ex.dma.bc

Basically, as you can see from the source code of the sample program (originally taken from QSYM), the program gets a file as:

./savior-ex [ input file ]

So I chose this in my config file:

inputtype=symfile

Is it correct?

Basically, when I run this normally with afl as:

/root/work/savior/AFL/afl-fuzz -i in -o out -- ./savior-ex

It's not going to be correct and it outputs: │ last new path : none yet **(odd, check syntax!)** │ total paths : 1 │

But when I run it as it should be (with @@):

/root/work/savior/AFL/afl-fuzz -i in -o out -- ./savior-ex @@

It's running well.

I don't know if it's running correctly with Savior or not in the aforementioned config, but I would like to know: how is it possible to make the input type more customizable? For example, for testing Savior against LAVA-M, I should pass base64 as:

./base64 -d [file]

How to pass this correctly to Savior?

Also, I'd like to know how it is possible to run a fuzzing job separately from moriarty.py, directly with afl and the savior concolic executor, to test if it's working or not. If you can paste the commands here I'd appreciate it.

Thanks!

cryptomadco commented 4 years ago

@evanmak Looking forward to a reply.

At the moment, it's important to me to know how to pass parameters and different switches (like the one in base64 -d) of a program to Savior, so that Savior and afl know how to fuzz the program and parameters in the right way.

Thanks!

evanmak commented 4 years ago

Hi,

For how to configure SAVIOR to take input from a command-line argument, see the tcpdump example: https://github.com/evanmak/savior-source/blob/master/tests/config_samples/fuzz_tcpdump.cfg

For how to run the jobs separately, you may try to look at the command line constructed by moriarty.py, which is just a wrapper for starting AFL and KLEE; you can check the printed log to find the command lines for testing separately.
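As an added example (not part of the reply above and not code from the SAVIOR project), this is one way to pull the AFL command line and the concolic executor's progress out of the printed coordinator log, so each half can be checked on its own. The sample log is constructed in the shape of the lines quoted in this thread, its paths are placeholders, and the option table assumes stock AFL 2.x flags.

```python
import re
import shlex
from collections import Counter

# Constructed sample shaped like the coordinator/KLEE output quoted in this
# thread. Paths under /work/demo are placeholders, not paths from the thread.
SAMPLE_LOG = """\
[Coordinator-Info]  Number of explorers: 1, each batch run 20 inputs
starting Fuzzer: /work/demo/AFL/afl-fuzz -t 100+ -m none -i/work/demo/in -o/work/demo/out -Mmaster /work/demo/savior-ex @@
The current seed is /work/demo/klee_new_input/klee_instance_conc_1/000011.ktest
KLEE: solved generated state branch id:1086836088, priority:2
wrote 1243 bytes to /work/demo/out/klee_instance_conc_000001/queue/id:000621
KLEE: State 0 finishes/terminates
remove unwanted state#: 3420
remove unwanted state#: 3428
KLEE: solved generated state branch id:1086836088, priority:2
wrote 1243 bytes to /work/demo/out/klee_instance_conc_000001/queue/id:000622
The current seed is /work/demo/klee_new_input/klee_instance_conc_1/000012.ktest
remove unwanted state#: 3470
"""

FUZZER_RE = re.compile(r"^starting Fuzzer:\s*(.+)$")
SEED_RE = re.compile(r"^The current seed is\s+(\S+)")
SOLVED_RE = re.compile(r"^KLEE: solved generated state branch id:(\d+), priority:(\d+)")
WROTE_RE = re.compile(r"^wrote (\d+) bytes to (\S+)")
PRUNED_RE = re.compile(r"^remove unwanted state#:\s*(\d+)")

# Assumption: stock AFL 2.x options that consume a value (-i, -o, -f, -m, -t,
# -T, -B, -S, -M, -x). SAVIOR's bundled AFL may accept more.
AFL_OPTS_WITH_ARG = set("iofmtTBSMx")


def split_afl_command(cmdline):
    """Split an afl-fuzz command line into its options and the target argv."""
    argv = shlex.split(cmdline)
    opts, i = {}, 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                      # explicit end of AFL options
            i += 1
            break
        if not arg.startswith("-") or len(arg) < 2:
            break                            # first non-option word is the target
        flag, attached = arg[1], arg[2:]
        if flag in AFL_OPTS_WITH_ARG:
            if attached:                     # "-i/path" form, as in the log
                opts[flag] = attached
            else:                            # "-i /path" form
                opts[flag] = argv[i + 1] if i + 1 < len(argv) else ""
                i += 1
        else:
            opts[flag] = True
        i += 1
    target = argv[i:]
    # Without "@@" (or -f) AFL feeds each test case to the target on stdin.
    mode = "file" if ("@@" in target or "f" in opts) else "stdin"
    return {"afl": argv[0] if argv else "", "options": opts,
            "target": target, "input_mode": mode}


def summarize_log(text):
    """Collect fuzzer command lines and per-seed concolic progress."""
    fuzzers, branches, per_seed = [], set(), {}
    current = "<before first seed line>"
    for raw in text.splitlines():
        line = raw.strip()
        m = FUZZER_RE.match(line)
        if m:
            fuzzers.append(split_afl_command(m.group(1)))
            continue
        m = SEED_RE.match(line)
        if m:
            current = m.group(1)
            per_seed.setdefault(current, Counter())
            continue
        m = SOLVED_RE.match(line)
        if m:
            branches.add(m.group(1))
            per_seed.setdefault(current, Counter())["solved"] += 1
            continue
        if WROTE_RE.match(line):             # a new input handed to the fuzzer queue
            per_seed.setdefault(current, Counter())["new_inputs"] += 1
            continue
        if PRUNED_RE.match(line):
            per_seed.setdefault(current, Counter())["pruned"] += 1
    return {
        "fuzzers": fuzzers,
        "per_seed": per_seed,
        "unique_branches": len(branches),
        "new_inputs": sum(c["new_inputs"] for c in per_seed.values()),
        "pruned_states": sum(c["pruned"] for c in per_seed.values()),
    }


if __name__ == "__main__":
    report = summarize_log(SAMPLE_LOG)
    for f in report["fuzzers"]:
        print("target:", " ".join(f["target"]), "| input via", f["input_mode"])
    for seed, c in report["per_seed"].items():
        print(seed, dict(c))
    print("unique branch ids solved:", report["unique_branches"])
```

A seed that shows many pruned states but no new inputs written to the queue is a sign the concolic side is spending time without feeding the fuzzer.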

cryptomadco commented 4 years ago

@evanmak Thanks for this!

I have two instances of Savior, applying everything you said, and they are running against base64 (LAVA-M) and the tcpdump sample. (I just checked every step to be sure that everything is going to be fine.)

Up to now, base64 has been running for about 24 hours and unfortunately I haven't seen any sign of even one crash!

The same goes for tcpdump: it has been running for about 1 hour and I haven't received any sign of crashes (I manually checked the master and slave_* folders and the crashes folders inside them).

This is the summarized output of Savior running against tcpdump up to now:


...
...
...
remove unwanted state#: 3398
KLEE: solved generated state branch id:127605027, priority:2
wrote 1224 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000617
KLEE: State 3405 finishes/terminates
terminate selected generated state #: 3405
KLEE: solved generated state branch id:127605027, priority:2
wrote 1224 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000618
KLEE: State 3407 finishes/terminates
terminate selected generated state #: 3407
KLEE: solved generated state branch id:2056086739, priority:2
wrote 1224 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000619
KLEE: State 3401 finishes/terminates
terminate selected generated state #: 3401
remove unwanted state#: 3402
remove unwanted state#: 3404
remove unwanted state#: 3406
remove unwanted state#: 3408
remove unwanted state#: 3410
savior-tcpdump.dma.bc: pcap_loop: invalid packet capture length 
wrote 1224 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000620
KLEE: State 3411 finishes/terminates
The current seed is /root/work/savior/tests/tcpdump/obj-savior/klee_new_input/klee_instance_conc_1/000011.ktest
KLEE: KLEE: using 1 seeds

KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING: setgid: silently ignoring (returning 0)
KLEE: WARNING: setuid: silently ignoring (returning 0)
KLEE: solved generated state branch id:1086836088, priority:2
wrote 1243 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000621
KLEE: State 0 finishes/terminates
terminate selected generated state #: 0
KLEE: solved generated state branch id:1793080214, priority:2
wrote 1243 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000622
KLEE: State 3412 finishes/terminates
terminate selected generated state #: 3412
KLEE: solved generated state branch id:348087, priority:2
wrote 1243 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000623
KLEE: State 3462 finishes/terminates
terminate selected generated state #: 3462
reading from file A, link-type JUNIPER_ATM2 (Juniper ATM2 PIC), snapshot length 262144
KLEE: WARNING ONCE: Alignment of memory from call "realloc" is not modelled. Using alignment of 8.
remove unwanted state#: 4493
remove unwanted state#: 4494
remove unwanted state#: 4495
remove unwanted state#: 4496
remove unwanted state#: 4497
remove unwanted state#: 4498
remove unwanted state#: 4499
remove unwanted state#: 4500
remove unwanted state#: 4501
remove unwanted state#: 4502
remove unwanted state#: 4503
remove unwanted state#: 4504
remove unwanted state#: 4505
remove unwanted state#: 4506
remove unwanted state#: 4507
remove unwanted state#: 4508
remove unwanted state#: 4509
remove unwanted state#: 4510
remove unwanted state#: 4511
remove unwanted state#: 4512
remove unwanted state#: 4513
remove unwanted state#: 4514
remove unwanted state#: 4515
remove unwanted state#: 4516
remove unwanted state#: 4517
remove unwanted state#: 4518
remove unwanted state#: 4519
remove unwanted state#: 4520
remove unwanted state#: 4521
remove unwanted state#: 4522
remove unwanted state#: 4523
remove unwanted state#: 4524
remove unwanted state#: 4525
remove unwanted state#: 4526
remove unwanted state#: 4527
remove unwanted state#: 4528
remove unwanted state#: 4529
remove unwanted state#: 4530
remove unwanted state#: 4531
remove unwanted state#: 4532
remove unwanted state#: 4533
remove unwanted state#: 4534
remove unwanted state#: 4535
remove unwanted state#: 4536
remove unwanted state#: 4537
remove unwanted state#: 4538
remove unwanted state#: 4539
remove unwanted state#: 4540
remove unwanted state#: 4541
remove unwanted state#: 4542
remove unwanted state#: 4543
remove unwanted state#: 4544
remove unwanted state#: 4545
remove unwanted state#: 4546
remove unwanted state#: 4547
remove unwanted state#: 4548
remove unwanted state#: 4549
remove unwanted state#: 4550
remove unwanted state#: 4551
remove unwanted state#: 4552
remove unwanted state#: 4553
remove unwanted state#: 4554
remove unwanted state#: 4555
remove unwanted state#: 4556
remove unwanted state#: 4557
remove unwanted state#: 4558
remove unwanted state#: 4559
remove unwanted state#: 4560
remove unwanted state#: 4561
remove unwanted state#: 4562
remove unwanted state#: 4563
remove unwanted state#: 4564
remove unwanted state#: 4565
remove unwanted state#: 4566
remove unwanted state#: 4567
remove unwanted state#: 4568
remove unwanted state#: 4569
remove unwanted state#: 4570
remove unwanted state#: 4571
remove unwanted state#: 4572
remove unwanted state#: 4573
remove unwanted state#: 4574
remove unwanted state#: 4575
remove unwanted state#: 4576
remove unwanted state#: 4577
remove unwanted state#: 4578
remove unwanted state#: 4579
remove unwanted state#: 4580
remove unwanted state#: 4581
remove unwanted state#: 4582
remove unwanted state#: 4583
remove unwanted state#: 4584
remove unwanted state#: 4585
remove unwanted state#: 4586
remove unwanted state#: 4587
remove unwanted state#: 4588
remove unwanted state#: 4589
remove unwanted state#: 4590
remove unwanted state#: 4591
remove unwanted state#: 4592
remove unwanted state#: 4593
remove unwanted state#: 4594
remove unwanted state#: 4595
remove unwanted state#: 4596
remove unwanted state#: 4597
remove unwanted state#: 4598
remove unwanted state#: 4599
remove unwanted state#: 4600
remove unwanted state#: 4601
remove unwanted state#: 4602
remove unwanted state#: 4603
remove unwanted state#: 4604
remove unwanted state#: 4605
remove unwanted state#: 4606
remove unwanted state#: 4607
remove unwanted state#: 4608
remove unwanted state#: 4609
remove unwanted state#: 4610
remove unwanted state#: 4611
remove unwanted state#: 4612
remove unwanted state#: 4613
remove unwanted state#: 4614
remove unwanted state#: 4615
remove unwanted state#: 4616
remove unwanted state#: 4617
remove unwanted state#: 4618
remove unwanted state#: 4619
remove unwanted state#: 4620
remove unwanted state#: 4621
remove unwanted state#: 4622
remove unwanted state#: 4623
remove unwanted state#: 4624
remove unwanted state#: 4625
remove unwanted state#: 4626
remove unwanted state#: 4627
remove unwanted state#: 4628
remove unwanted state#: 4629
remove unwanted state#: 4630
remove unwanted state#: 4631
remove unwanted state#: 4632
remove unwanted state#: 4633
remove unwanted state#: 4634
remove unwanted state#: 4635
remove unwanted state#: 4636
remove unwanted state#: 4637
remove unwanted state#: 4638
remove unwanted state#: 4639
remove unwanted state#: 4640
remove unwanted state#: 4641
remove unwanted state#: 4642
remove unwanted state#: 4643
remove unwanted state#: 4644
remove unwanted state#: 4645
remove unwanted state#: 4646
remove unwanted state#: 4647
remove unwanted state#: 4648
remove unwanted state#: 4649
remove unwanted state#: 4650
remove unwanted state#: 4651
remove unwanted state#: 4652
remove unwanted state#: 4653
remove unwanted state#: 4654
remove unwanted state#: 4655
remove unwanted state#: 4656
remove unwanted state#: 4657
remove unwanted state#: 4658
remove unwanted state#: 4659
remove unwanted state#: 4660
remove unwanted state#: 4661
remove unwanted state#: 4662
remove unwanted state#: 4663
remove unwanted state#: 4664
remove unwanted state#: 4665
remove unwanted state#: 4666
remove unwanted state#: 4667
remove unwanted state#: 4668
remove unwanted state#: 4669
remove unwanted state#: 4670
remove unwanted state#: 4671
remove unwanted state#: 4672
remove unwanted state#: 4673
remove unwanted state#: 4676
KLEE: solved generated state branch id:2056086739, priority:2
wrote 1243 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000624
KLEE: State 4678 finishes/terminates
terminate selected generated state #: 4678
savior-tcpdump.dma.bc: pcap_loop: truncated dump file; tried to read 
wrote 1243 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000625
KLEE: State 4689 finishes/terminates
The current seed is /root/work/savior/tests/tcpdump/obj-savior/klee_new_input/klee_instance_conc_1/000008.ktest
KLEE: KLEE: using 1 seeds

[Oracle-Info] collecting se stats
[Oracle-Info] 7520.0 secs away from terminating se
conc_explorer pid: 9114 is alive
KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING: setgid: silently ignoring (returning 0)
KLEE: WARNING: setuid: silently ignoring (returning 0)
KLEE: solved generated state branch id:1086836088, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000626
KLEE: State 0 finishes/terminates
terminate selected generated state #: 0
KLEE: solved generated state branch id:1793080214, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000627
KLEE: State 4690 finishes/terminates
terminate selected generated state #: 4690
reading from file A, link-type ATM_RFC1483 (RFC 1483 LLC-encapsulated ATM), snapshot length 0
remove unwanted state#: 4720
KLEE: solved generated state branch id:376242466, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000628
KLEE: State 4722 finishes/terminates
terminate selected generated state #: 4722
KLEE: solved generated state branch id:405811, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000629
KLEE: State 4876 finishes/terminates
terminate selected generated state #: 4876
KLEE: solved generated state branch id:1025300, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000630
KLEE: State 4878 finishes/terminates
terminate selected generated state #: 4878
KLEE: solved generated state branch id:325977, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000631
KLEE: State 4879 finishes/terminates
terminate selected generated state #: 4879
KLEE: solved generated state branch id:1180892285, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000632
KLEE: State 4887 finishes/terminates
terminate selected generated state #: 4887
[Oracle-Info] collecting se stats
[Oracle-Info] 7510.0 secs away from terminating se
conc_explorer pid: 9114 is alive
KLEE: solved generated state branch id:1765004676, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000633
KLEE: State 4891 finishes/terminates
terminate selected generated state #: 4891
KLEE: solved generated state branch id:1826346229, priority:2
wrote 1338 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000634
KLEE: State 4892 finishes/terminates
terminate selected generated state #: 4892
[Oracle-Info] collecting se stats
[Oracle-Info] 7500.0 secs away from terminating se
conc_explorer pid: 9114 is alive
KLEE: WARNING: The current seed has used up its time limit, terminating now.
KLEE: halting execution, dumping remaining states
KLEE: WARNING: unable to get symbolic solution, losing test case
KLEE: WARNING: main.cpp: got 0 object ktest solution, discarding, out size:0
KLEE: State 4920 finishes/terminates
The current seed is /root/work/savior/tests/tcpdump/obj-savior/klee_new_input/klee_instance_conc_1/000003.ktest
KLEE: KLEE: using 1 seeds

KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING: setgid: silently ignoring (returning 0)
KLEE: WARNING: setuid: silently ignoring (returning 0)
KLEE: solved generated state branch id:1086836088, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000636
KLEE: State 0 finishes/terminates
terminate selected generated state #: 0
KLEE: solved generated state branch id:1793080214, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000637
KLEE: State 4923 finishes/terminates
terminate selected generated state #: 4923
remove unwanted state#: 4931
KLEE: solved generated state branch id:894645, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000638
KLEE: State 4933 finishes/terminates
terminate selected generated state #: 4933
reading from file A, link-type EN10MB (Ethernet), snapshot length 0
remove unwanted state#: 4942
KLEE: solved generated state branch id:376242466, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000639
KLEE: State 4944 finishes/terminates
terminate selected generated state #: 4944
KLEE: solved generated state branch id:405811, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000640
KLEE: State 5098 finishes/terminates
terminate selected generated state #: 5098
KLEE: solved generated state branch id:1025300, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000641
KLEE: State 5100 finishes/terminates
terminate selected generated state #: 5100
KLEE: solved generated state branch id:325977, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000642
KLEE: State 5101 finishes/terminates
terminate selected generated state #: 5101
KLEE: solved generated state branch id:1180892285, priority:2
wrote 1358 bytes to /root/work/savior/tests/tcpdump/obj-savior/out/klee_instance_conc_000001/queue/id:000643
KLEE: State 5109 finishes/terminates
terminate selected generated state #: 5109
[Oracle-Info] collecting se stats
[Oracle-Info] 7360.0 secs away from terminating se
conc_explorer pid: 9114 is alive
KLEE: solved gener

Any idea whether Savior is running well, or whether there's possibly a problem there?

I'd appreciate all your replies but I'm confused about why it is not finding any crashes :-(

Thanks!

evanmak commented 4 years ago

The tcpdump output looks correct; KLEE is contributing seeds.

As for crashes, note that SAVIOR instruments the programs with UBSAN, and if the tested program is instrumented with UBSAN, by default UBSAN does not crash the program; instead it will just print a log message and resume the program execution. If you want to change the UBSAN behavior, you can use the flag -fno-sanitize-recover=, which shall inform the fuzzer about a triggered UBSAN violation.

As for the LAVA program, please read our paper https://yaohway.github.io/savior.pdf section V.A; its instrumentation is a bit different. Long story short, the UBSAN labels are not able to guide SAVIOR to solve LAVA's instrumented branch, so SAVIOR does not know it should solve the branch constraint for these (artificial) bugs. You will have to rebuild a different version of SAVIOR; specifically, enable this branch of the code: https://github.com/evanmak/savior-source/blob/master/AFL/llvm_mode/afl-llvm-pass.so.cc#L314-L323

One last suggestion: if you would like to evaluate fuzzer effectiveness, LAVA-M is now considered deprecated; I recommend checking out Google's new fuzzbench project.
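
An added example, not part of the comment above or of the SAVIOR code base: since a recoverable UBSAN report only reaches stderr, one way to see violations the fuzzer never saved as crashes is to replay queue inputs and scan stderr for UBSan's `runtime error:` lines. The replay records, source file name and input ids below are constructed; the only assumptions are UBSan's standard diagnostic line format and that AFL records a crash only when the target dies from a signal.

```python
import re
from collections import namedtuple

# UBSan diagnostic line: "<file>:<line>:<col>: runtime error: <message>"
UBSAN_RE = re.compile(
    r"^(?P<file>[^\s:][^:\n]*):(?P<line>\d+):(?P<col>\d+): "
    r"runtime error: (?P<msg>.+)$",
    re.MULTILINE,
)

# One replayed queue entry: returncode follows the subprocess convention,
# where a negative value -N means the process was killed by signal N.
Replay = namedtuple("Replay", "input_name returncode stderr")


def parse_ubsan_reports(stderr_text):
    """Return (file, line, col, message) for every UBSan report in stderr."""
    return [
        (m.group("file"), int(m.group("line")), int(m.group("col")),
         m.group("msg").strip())
        for m in UBSAN_RE.finditer(stderr_text)
    ]


def triage(replays):
    """Group reports by source site (file, line, col).

    For each site, record which inputs triggered it and which of those
    exited normally, i.e. without the signal a fuzzer treats as a crash.
    """
    sites = {}
    for r in replays:
        signaled = r.returncode < 0
        for path, line, col, msg in parse_ubsan_reports(r.stderr):
            site = sites.setdefault(
                (path, line, col),
                {"message": msg, "inputs": [], "silent_inputs": []},
            )
            if r.input_name in site["inputs"]:
                continue  # same site reported twice by one input
            site["inputs"].append(r.input_name)
            if not signaled:
                site["silent_inputs"].append(r.input_name)
    return sites


def unseen_by_fuzzer(sites):
    """Sites where no triggering input died from a signal."""
    return [key for key, s in sites.items()
            if s["inputs"] == s["silent_inputs"]]


# Constructed sample data (not output from SAVIOR, tcpdump or base64).
SAMPLE_REPLAYS = [
    Replay("id:000001", 0,
           "example_parser.c:42:17: runtime error: signed integer overflow: "
           "2147483647 + 1 cannot be represented in type 'int'\n"
           "SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior "
           "example_parser.c:42:17 in \n"),
    Replay("id:000002", 0, "reading header\n"),
    Replay("id:000003", 0,
           "example_parser.c:42:17: runtime error: signed integer overflow: "
           "2147483000 + 4096 cannot be represented in type 'int'\n"
           "example_parser.c:88:9: runtime error: index 12 out of bounds "
           "for type 'int [10]'\n"),
    # A run that died from a signal (6 = SIGABRT on Linux).
    Replay("id:000004", -6,
           "example_parser.c:88:9: runtime error: index 40 out of bounds "
           "for type 'int [10]'\n"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_REPLAYS)
    for (path, line, col), info in found.items():
        print("%s:%d:%d  inputs=%s  silent=%s" % (
            path, line, col, info["inputs"], info["silent_inputs"]))
    print("never visible as a crash:", unseen_by_fuzzer(found))
```
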

cryptomadco commented 4 years ago

Hello @evanmak and thanks for your reply.

I activated that branch of the code in the llvm pass and ran it again against base64 lava, and this is the output:

eue/id_000034', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000132', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000133', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000039', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000922']
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input score : [155.0, 155.0, 103.0, 144.0, 103.0, 103.0, 103.0, 144.0, 103.0, 103.0, 103.0, 155.0, 103.0, 144.0, 103.0, 103.0, 103.0, 103.0, 103.0, 144.0]
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_19 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_19 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_19 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_19 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue']
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input list : ['/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000136', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000137', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000134', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000135', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000673', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000179', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000459', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000245', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000761', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000409', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000917', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000458', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000685', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000021', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000565', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000564', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000567', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000566', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000561', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000560']
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input score : [103.0, 103.0, 118.0, 155.0, 103.0, 103.0, 144.0, 118.0, 103.0, 144.0, 103.0, 144.0, 103.0, 103.0, 155.0, 103.0, 155.0, 155.0, 155.0, 155.0]
[INFO/Process-382] child process calling self.run()
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 31872
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_1.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue']
[KleeConc-Info]  WTF the process 19 is already started
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input list : ['/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000563', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000562', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000401', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000569', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000568', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000767', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000766', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000765', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000764', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000763', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000762', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000408', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000760', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000406', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000407', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000404', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000405', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000402', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000403', '/root/work/savior/tests/mybase64/test2/out/slave_000001/queue/id_000400']
[KleeConc-Info]  SE Engine: KLEE Symbolic Explorer activated. input score : [103.0, 155.0, 144.0, 144.0, 144.0, 144.0, 155.0, 103.0, 155.0, 103.0, 155.0, 144.0, 155.0, 144.0, 144.0, 103.0, 144.0, 144.0, 103.0, 144.0]
[INFO/Process-402] child process calling self.run()
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_2.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_21 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000021/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 31872
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000021/queue']
/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=500 --afl-covered-branchid-file=/root/work/savior/tests/mybase64/test2/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/savior/tests/mybase64/test2//out/.tmp_se_2.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_21 --sync-dir=/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000021/queue /root/work/savior/tests/mybase64/test2//savior-base64-4.dma.bc -d A --sym-files 1 43056
['rm', '-rf', '/root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000021/queue']
[KleeConc-Info]  WTF the process 19 is already started
[KleeConc-Info]  WTF the process 20 is already started
[Oracle-Info] collecting se stats
[Oracle-Info] 12399.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[INFO/Process-422] child process calling self.run()
KLEE: NOTE: Using klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: NOTE: Using klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/root/work/savior/tests/mybase64/test2/klee-out-18"
KLEE: Using Z3 solver backend
KLEE: start concolic execution 

KLEE: NOTE: Using klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bca
KLEE: NOTE: Using model: /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/libkleeRuntimePOSIX.bca
KLEE: output directory is "/root/work/savior/tests/mybase64/test2/klee-out-19"
KLEE: Using Z3 solver backend
KLEE: start concolic execution 

KLEE: output directory is "/root/work/savior/tests/mybase64/test2/klee-out-20"
KLEE: Using Z3 solver backend
KLEE: start concolic execution 

KLEE: WARNING: undefined reference to function: bindtextdomain
KLEE: WARNING: undefined reference to function: gettext
KLEE: WARNING: undefined reference to function: posix_fadvise
KLEE: WARNING: undefined reference to function: textdomain
[KLEE Info:] Started BB ID assignment
[KLEE Info:] Finished BB ID assignment
The current seed is /root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_19/000013.ktest
KLEE: KLEE: using 1 seeds

KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: WARNING: undefined reference to function: bindtextdomain
KLEE: WARNING: undefined reference to function: gettext
KLEE: WARNING: undefined reference to function: posix_fadvise
KLEE: WARNING: undefined reference to function: textdomain
[KLEE Info:] Started BB ID assignment
[KLEE Info:] Finished BB ID assignment
The current seed is /root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20/000013.ktest
KLEE: KLEE: using 1 seeds

KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 107632544) at /root/work/savior/KLEE/runtime/POSIX/fd.c:1100
KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: Alignment of memory from call "malloc" is not modelled. Using alignment of 8.
KLEE: WARNING: undefined reference to function: bindtextdomain
KLEE: WARNING: undefined reference to function: gettext
KLEE: WARNING: undefined reference to function: posix_fadvise
KLEE: WARNING: undefined reference to function: textdomain
[KLEE Info:] Started BB ID assignment
[KLEE Info:] Finished BB ID assignment
The current seed is /root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_21/000013.ktest
KLEE: KLEE: using 1 seeds

KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING ONCE: Alignment of memory from call "calloc" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 77379360) at /root/work/savior/KLEE/runtime/POSIX/fd.c:1100KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: Alignment of memory from call "malloc" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling external: bindtextdomain(104676160, 104993600) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:258
KLEE: WARNING ONCE: Alignment of memory from call "calloc" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling external: textdomain(104676160) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:260
KLEE: WARNING ONCE: Alignment of memory from call "realloc" is not modelled. Using alignment of 8.
remove unwanted state#: 0
KLEE: WARNING ONCE: ioctl: (TCGETS) symbolic file, incomplete model
KLEE: solved generated state branch id:1826805230, priority:2
klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bcawrote 43056 bytes to /root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000019/queue/id:000001
KLEE: State 1 finishes/terminates
terminate selected generated state #: 1
KLEE: WARNING ONCE: calling external: posix_fadvise(3, 0, 0, 2) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/lib/fadvise.c:42
KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
KLEE: WARNING ONCE: calling external: syscall(16, 0, 21505, 84406992) at /root/work/savior/KLEE/runtime/POSIX/fd.c:1100KLEE: WARNING ONCE: calling __user_main with extra arguments.
KLEE: WARNING ONCE: Alignment of memory from call "malloc" is not modelled. Using alignment of 8.
KLEE: WARNING ONCE: calling external: bindtextdomain(78568256, 78885696) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:258
KLEE: WARNING ONCE: calling external: textdomain(78568256) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:260
KLEE: WARNING ONCE: Alignment of memory from call "realloc" is not modelled. Using alignment of 8.
remove unwanted state#: 0
KLEE: WARNING ONCE: ioctl: (TCGETS) symbolic file, incomplete model
KLEE: solved generated state branch id:1826805230, priority:2
klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bcawrote 43056 bytes to /root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue/id:000001
KLEE: State 1 finishes/terminates
terminate selected generated state #: 1
KLEE: WARNING ONCE: calling external: posix_fadvise(3, 0, 0, 2) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/lib/fadvise.c:42
KLEE: WARNING ONCE: Alignment of memory from call "calloc" is not modelled. Using alignment of 8.
remove unwanted state#: 2
remove unwanted state#: 3
remove unwanted state#: 4
KLEE: WARNING ONCE: calling external: gettext(78568384) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:234
invalid input
KLEE: WARNING ONCE: calling close_stdout with extra arguments.
KLEE: WARNING ONCE: calling external: bindtextdomain(87669568, 88003392) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:258
KLEE: WARNING ONCE: calling external: textdomain(87669568) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:260
KLEE: WARNING ONCE: Alignment of memory from call "realloc" is not modelled. Using alignment of 8.
remove unwanted state#: 0
KLEE: WARNING ONCE: ioctl: (TCGETS) symbolic file, incomplete model
KLEE: solved generated state branch id:1826805230, priority:2
klee-uclibc : /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bcawrote 43056 bytes to /root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000021/queue/id:000001
KLEE: State 1 finishes/terminates
terminate selected generated state #: 1
KLEE: WARNING ONCE: calling external: posix_fadvise(3, 0, 0, 2) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/lib/fadvise.c:42
wrote 43056 bytes to /root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue/id:000002
KLEE: State 5 finishes/terminates
The current seed is /root/work/savior/tests/mybase64/test2//klee_new_input/klee_instance_conc_20/000003.ktest
KLEE: KLEE: using 1 seeds

KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: using AFL-Uncovered-Edge-ID heurisitc searcher
remove unwanted state#: 0
KLEE: solved generated state branch id:1826805230, priority:2
wrote 43056 bytes to /root/work/savior/tests/mybase64/test2//out/klee_instance_conc_000020/queue/id:000003
KLEE: State 6 finishes/terminates
terminate selected generated state #: 6
[Oracle-Info] collecting se stats
[Oracle-Info] 12389.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12379.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12369.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
remove unwanted state#: 2024
remove unwanted state#: 2025
remove unwanted state#: 2026
remove unwanted state#: 2027
remove unwanted state#: 2028
KLEE: WARNING ONCE: calling external: gettext(104676288) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:234
invalid input
KLEE: WARNING ONCE: calling close_stdout with extra arguments.
remove unwanted state#: 2024
KLEE: WARNING ONCE: calling external: gettext(87669696) at /root/work/savior/tests/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/base64.c:234
invalid input
KLEE: WARNING ONCE: calling close_stdout with extra arguments.
remove unwanted state#: 2029
remove unwanted state#: 2030
remove unwanted state#: 2031
remove unwanted state#: 2032
remove unwanted state#: 2033
remove unwanted state#: 2036
remove unwanted state#: 2037
remove unwanted state#: 2038
remove unwanted state#: 2039
remove unwanted state#: 2042
remove unwanted state#: 2043
remove unwanted state#: 2044
remove unwanted state#: 2045
remove unwanted state#: 2048
remove unwanted state#: 2049
remove unwanted state#: 2050
remove unwanted state#: 2051
remove unwanted state#: 2054
remove unwanted state#: 2055
remove unwanted state#: 2056
remove unwanted state#: 2057
remove unwanted state#: 2060
remove unwanted state#: 2061
remove unwanted state#: 2062
remove unwanted state#: 2063
remove unwanted state#: 2066
remove unwanted state#: 2067
remove unwanted state#: 2068
remove unwanted state#: 2069
remove unwanted state#: 2072
remove unwanted state#: 2073
remove unwanted state#: 2074
remove unwanted state#: 2075
remove unwanted state#: 2078
remove unwanted state#: 2079
remove unwanted state#: 2080
remove unwanted state#: 2081
remove unwanted state#: 2084
remove unwanted state#: 2085
remove unwanted state#: 2086
remove unwanted state#: 2087
remove unwanted state#: 2090
remove unwanted state#: 2091
remove unwanted state#: 2092
remove unwanted state#: 2093
remove unwanted state#: 2096
remove unwanted state#: 2097
remove unwanted state#: 2098
remove unwanted state#: 2099
remove unwanted state#: 2102
remove unwanted state#: 2103
remove unwanted state#: 2104
remove unwanted state#: 2105
remove unwanted state#: 2108
remove unwanted state#: 2109
remove unwanted state#: 2110
remove unwanted state#: 2111
remove unwanted state#: 2114
remove unwanted state#: 2115
remove unwanted state#: 2116
remove unwanted state#: 2117
[Oracle-Info] collecting se stats
[Oracle-Info] 12359.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12349.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12339.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12329.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12319.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12309.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12299.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12289.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12279.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12269.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12259.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12249.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12239.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12229.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12219.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12209.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12199.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12189.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12179.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12169.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12159.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12149.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12139.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12129.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12119.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12109.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12099.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12089.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12079.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12069.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12059.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive
[Oracle-Info] collecting se stats
[Oracle-Info] 12049.0 secs away from terminating se
conc_explorer pid: 9787 is alive
conc_explorer pid: 10056 is alive
conc_explorer pid: 10333 is alive

I think this output shows that the SAVIOR fuzzer, along with the concolic execution engine, is running well and working properly (please correct me if I'm wrong).

> As for crashes, note that SAVIOR instruments the programs with UBSAN, and if the tested program is instrumented with UBSAN, by default UBSAN does not crash the program; instead it will just print a log message and resume the program execution. If you want to change the UBSAN behavior, you can use the flag -fno-sanitize-recover= that shall inform the fuzzer about a triggered UBSAN violation.

So, what is the proper way of fuzzing with SAVIOR so we can find the crash file / corpus? Do you mean that, for that type of fuzzing to have the saved crash corpus, we should disable UBSAN?

> Last piece of suggestion: if you would like to evaluate fuzzer effectiveness, LAVA-M is now considered deprecated; I recommend checking out Google's new FuzzBench project.

By this, do you mean we should port SAVIOR to Google FuzzBench and use that benchmark service instead of LAVA?

Is it possible for you to make a VM (possibly VMware / VirtualBox) of SAVIOR, or at least post here the exact configurations or files for the LAVA tests that you mentioned in the paper?

Thanks! Regards.

evanmak commented 4 years ago

> So, what is the proper way of fuzzing with SAVIOR so we can find the crash file / corpus?

There are two ways to make it work: 1) replay the inputs in the queue on the UBSAN-instrumented binary and try to parse the log printed by UBSAN (I used to have a script to automate that but can't find it anymore); 2) pass in the option to tell UBSAN to terminate the program when an error is triggered, see https://github.com/google/sanitizers/issues/1136

> By this, do you mean we should port SAVIOR to Google FuzzBench and use that benchmark service instead of LAVA?

It is going to take some work for that. If you can make it work with FuzzBench, that will be greatly appreciated, given that I don't have extra cycles to work on that these days :-/

> Is it possible for you to make a VM (possibly VMware / VirtualBox) of SAVIOR, or at least post here the exact configurations or files for the LAVA tests that you mentioned in the paper?

I no longer have the old configuration for lava unfortunately.
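
An added example (not the script mentioned in the comment above, and not part of SAVIOR): one way to do option 1, replaying AFL queue entries on the UBSAN-instrumented binary and grouping the `runtime error:` reports by source location. The `id:*` queue naming is taken from the log in this thread; the `@@`/stdin input convention, the function names and the sample stderr are assumptions constructed for illustration.

```python
import re
import subprocess
import sys
from collections import defaultdict
from pathlib import Path

# UBSAN's default report line: "<file>:<line>:<col>: runtime error: <message>"
UBSAN_RE = re.compile(
    r"^(?P<file>[^\s:][^:\n]*):(?P<line>\d+):(?P<col>\d+): "
    r"runtime error: (?P<msg>.*)$", re.MULTILINE)

# Constructed sample of UBSAN stderr (not output from the thread's run).
SAMPLE_STDERR = """\
src/base64.c:120:15: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
invalid input
lib/quote.c:88:3: runtime error: index 12 out of bounds for type 'char [8]'
"""

def parse_ubsan(stderr_text):
    """Return (location, message) for every UBSAN report in the text."""
    return [(f"{m['file']}:{m['line']}:{m['col']}", m["msg"].strip())
            for m in UBSAN_RE.finditer(stderr_text)]

def replay(target_argv, input_path, timeout=10):
    """Run the target on one input and return its UBSAN reports.
    '@@' in argv is replaced by the file path; otherwise the file goes to stdin."""
    if "@@" in target_argv:
        argv = [str(input_path) if a == "@@" else a for a in target_argv]
        io = {"stdin": subprocess.DEVNULL}
    else:
        argv = list(target_argv)
        io = {"input": Path(input_path).read_bytes()}
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=timeout, **io)
    except subprocess.TimeoutExpired:
        return []  # hangs are not triaged by this example
    return parse_ubsan(proc.stderr.decode("utf-8", errors="replace"))

def triage(target_argv, queue_dir):
    """Group queue entries by the UBSAN location they trigger."""
    findings = defaultdict(lambda: {"msg": None, "inputs": []})
    for path in sorted(Path(queue_dir).glob("id:*")):
        for loc, msg in replay(target_argv, path):
            entry = findings[loc]
            entry["msg"] = entry["msg"] or msg
            if path.name not in entry["inputs"]:
                entry["inputs"].append(path.name)
    return dict(findings)

if __name__ == "__main__":
    # usage: replay_ubsan.py <queue_dir> <target> [args..., optionally with @@]
    for loc, info in triage(sys.argv[2:], sys.argv[1]).items():
        print(f"{loc}: {info['msg']} ({len(info['inputs'])} inputs, "
              f"first: {info['inputs'][0]})")
```

Each distinct source location is reported once with the queue entries that reach it, which gives a deduplicated list of UBSAN violations even though the fuzzer itself recorded no crashes.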