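# --- environment -------------------------------------------------------------
# The rewriting toolchain's shared libraries live under $SECURITY_TRANSFORMS_HOME/lib.
# NOTE(review): the trailing "." puts the current directory on the loader search
# path, so every binary run from the session dir below also picks up any .so
# dropped there.  Left as-is because the toolchain may rely on it; the
# unguessable session name (mktemp, below) is what stops another local user
# from pre-seeding that directory.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SECURITY_TRANSFORMS_HOME/lib/:.

# AFL pre-flight checks that do not apply to this harness (as AFL's env docs
# describe them): skip the CPU-governor check, skip the "is the target
# instrumented?" check (zafl instruments existing binaries, not via afl-gcc),
# and skip the core_pattern check.
export AFL_SKIP_CPUFREQ=1
export AFL_SKIP_BIN_CHECK=1
export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1

TEST_SRC_DIR=$ZAFL_HOME/test/eightqueens
user=$(whoami)

# Scratch directory for every build and fuzz artifact.  mktemp -d creates it
# atomically, owner-only, with a random suffix.  The previous
# /tmp/tmp.$user.zafl.bc.$$ name was predictable (PIDs are easy to guess), so
# another local user could pre-create it -- "mkdir -p" would not notice --
# and, with "." on LD_LIBRARY_PATH, plant libraries the test binaries load.
# log_error is defined further down, so failure is reported inline here.
session=$(mktemp -d "/tmp/tmp.${user}.zafl.bc.XXXXXX") || {
    echo "TEST FAIL: unable to create session directory" >&2
    exit 1
}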
# --- distro detection --------------------------------------------------------
# $unamestr is the platform string these checks inspect; it must already be
# set at this point (its assignment is not in this excerpt).  Every check is
# an unanchored grep over that string.
echo "$unamestr" | grep "centos" - > /dev/null
if [ $? -eq 0 ]; then
UBUNTU16_FOUND=0
UBUNTU18_FOUND=0
echo "$unamestr" | grep "ubuntu" - > /dev/null
if [ $? -eq 0 ]; then
# NOTE(review): "16.0" is a regex, so the "." matches any character
# ("1600" would also pass); grep -F -- "16.0" would make it an exact match.
echo "$unamestr" | grep "16.0" - > /dev/null
if [ $? -eq 0 ]; then
UBUNTU16_FOUND=1
echo "Found Ubuntu16"
fi
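# Ubuntu 18 check.  ("18.0" is a regex: the "." matches any character.)
# The "neither" message used to live in the else branch of this test alone,
# so it was also printed on a machine where the Ubuntu16 check just above
# had succeeded.  It is now only printed when neither check matched;
# an unset UBUNTU16_FOUND counts as "not found".
if printf '%s\n' "$unamestr" | grep -q -- "18.0"; then
    UBUNTU18_FOUND=1
    echo "Found Ubuntu18"
elif [ "${UBUNTU16_FOUND:-0}" -ne 1 ]; then
    echo "Ubuntu found, but neither Ubuntu16 nor Ubuntu18 found."
fi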
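# -pg (gprof instrumentation) is withheld on Ubuntu 16 only.  The previous
# test was "[ $UBUNTU16_FOUND ]", which is true for any non-empty string --
# including "0" -- so GPROF_ARG was always "" and -pg was never passed on any
# platform.  Compare the value explicitly; unset is treated as "not found".
if [ "${UBUNTU16_FOUND:-0}" -eq 1 ]; then
    GPROF_ARG=""
else
    GPROF_ARG=" -pg "
fi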
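cleanup()
{
    # Remove the scratch session directory.
    # Globals: session (read) - path created near the top of the script.
    # Guarded so an unset or empty $session (e.g. log_error called before it
    # is assigned) cannot turn into a bare "rm -fr"; the guard is an if, not
    # "&&", so the function still returns 0 when there is nothing to remove.
    if [ -n "$session" ]; then
        rm -rf -- "$session"
    fi
}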
log_error()
{
    # Fatal test failure: report it, tear down the session dir, exit 1.
    # Arguments: $1 - failure description
    # Never returns.
    printf 'TEST FAIL: %s\n' "$1"
    cleanup
    exit 1
}
log_message()
{
    # Informational progress line.
    # Arguments: $1 - message text
    printf 'TEST MSG: %s\n' "$1"
}
log_success()
{
    # Report a passed step.
    # Arguments: $1 - description of what passed
    printf 'TEST PASS: %s\n' "$1"
}
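fuzz_with_zafl()
{
    # Fuzz one zafl-instrumented binary with afl-fuzz for $AFL_TIMEOUT seconds
    # and report the execs_per_sec line from AFL's fuzzer_stats.
    # Arguments: $1 - path to the instrumented executable (callers pass an
    #                 absolute path)
    # Globals:   AFL_TIMEOUT (read; assigned elsewhere in the script)
    # Exits via log_error when afl-fuzz does not run to the timeout or leaves
    # no stats file behind.
    local queens_zafl=$1
    local rc execs_per_sec

    # Seed corpus: a single trivial input.  -p because each executable is
    # fuzzed twice in the same session dir, so zafl_in usually already exists.
    mkdir -p zafl_in
    echo "1" > zafl_in/1
    # Start from a clean output dir so afl-fuzz does not see a stale run.
    if [ -d zafl_out ]; then
        rm -rf -- zafl_out
    fi

    # afl-fuzz runs until killed; timeout(1) exits 124 when its limit fires,
    # which is the expected "success" status here.  Anything else (including
    # 125 for an unusable $AFL_TIMEOUT) means AFL never ran properly.
    timeout "$AFL_TIMEOUT" afl-fuzz -i zafl_in -o zafl_out -- "$queens_zafl"
    rc=$?
    if [ "$rc" -ne 124 ]; then
        log_error "$queens_zafl: unable to run with afl"
    fi
    if [ ! -e zafl_out/fuzzer_stats ]; then
        log_error "$queens_zafl: something went wrong with afl -- no fuzzer stats file"
    fi
    cat zafl_out/fuzzer_stats
    execs_per_sec=$( grep execs_per_sec zafl_out/fuzzer_stats )
    log_success "$queens_zafl: $execs_per_sec"
}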
build_all_exes()
{
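# GCC builds of the C and C++ sources at several optimization levels.
# log_error exits the script, so "cmd || log_error" is equivalent to the
# "cmd; if [ $? -ne 0 ]; then log_error; fi" it replaces.
# -fno-stack-protector leaves stack canaries out of these binaries (the
# reason is not stated here; the clang builds below do not pass it).
gcc -m64 -fno-stack-protector -O1 -std=c99 -o eightqueens_c_O1.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for O1 optimization level"
gcc -m64 -fno-stack-protector -Og -std=c99 -o eightqueens_c_Og.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for Og optimization level"
gcc -m64 -fno-stack-protector -O3 -std=c99 -o eightqueens_c_O3.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for O3 optimization level"
g++ -m64 -fno-stack-protector -O1 -std=c++1y -o eightqueens_cpp_O1.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for O1 optimization level"
g++ -m64 -fno-stack-protector -Og -std=c++1y -o eightqueens_cpp_Og.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for Og optimization level"
g++ -m64 -fno-stack-protector -O3 -std=c++1y -o eightqueens_cpp_O3.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for O3 optimization level"
# Kitchen sink: tons of options at once.  $ALIGN_ARG is deliberately left
# unquoted: it holds zero or more extra flags (assigned elsewhere in the
# script) that must word-split into separate arguments.
g++ -m64 -fno-stack-protector -falign-functions -falign-loops -falign-jumps -falign-labels -ffast-math -fomit-frame-pointer -funroll-all-loops $ALIGN_ARG -O3 -std=c++1y -o eightqueens_cpp_ks.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for O3 kitchen sink optimization level"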
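# Clang builds at -O1/-O2/-O3 for both sources.  log_error exits the script,
# so "cmd || log_error" is equivalent to the if/fi form it replaces.
# NOTE(review): unlike the gcc builds, these keep clang's default stack
# protector setting (-fno-stack-protector is not passed); confirm whether
# that asymmetry is intended.
clang -m64 -O1 -o eightqueens_c_clang_O1.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for clang O1 optimization level"
clang -m64 -O2 -o eightqueens_c_clang_O2.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for clang O2 optimization level"
clang -m64 -O3 -o eightqueens_c_clang_O3.ncexe "$TEST_SRC_DIR/eightqueens.c" \
    || log_error "C build failure for clang O3 optimization level"
clang++ -m64 -O1 -o eightqueens_cpp_clang_O1.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for clang O1 optimization level"
clang++ -m64 -O2 -o eightqueens_cpp_clang_O2.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for clang O2 optimization level"
clang++ -m64 -O3 -o eightqueens_cpp_clang_O3.ncexe "$TEST_SRC_DIR/eightqueens.cpp" \
    || log_error "C++ build failure for clang O3 optimization level"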
# Kitchen sink: tons of options at once.  Skipped on CentOS; CENTOS_FOUND is
# presumably set alongside the "centos" grep near the top of the script (the
# assignment is not in this excerpt).  GPROF_ARG, INLINE_ARG and
# CLANG_STD_ARG are flag strings, possibly empty, that are deliberately
# unquoted so they word-split into separate arguments.
if [ "$CENTOS_FOUND" == "0" ]; then
clang++ -m64 -ffast-math -funroll-loops $GPROF_ARG $INLINE_ARG -O3 $CLANG_STD_ARG -o eightqueens_cpp_clang_ks.ncexe $TEST_SRC_DIR/eightqueens.cpp
if [ $? -ne 0 ]; then
log_error "C++ build failure for clang O3 kitchen sink optimization level"
fi
# Reached only if every build above succeeded (each failure exits via log_error).
log_success "All builds of exes succeeded."
}
test_one_exe()
{
# Exercise one freshly built executable, working in the current directory
# (the session dir): capture the original's output as a reference, sanity-
# check a zipr-only rewrite, then build, diff and fuzz a zafl-instrumented
# variant twice (lower-case -d -g -c first, then upper-case -D -G -C).
# Every failure is fatal via log_error, which exits the script.
# Arguments: $1 - executable file name, relative to the current directory
# Globals:   PSZ (read; assigned elsewhere in the script),
#            AFL_TIMEOUT (read, for the log message only)
# NOTE(review): $test_exe is used unquoted throughout; the callers at the
# bottom of the script pass fixed names without whitespace, so that is safe
# as written.
test_exe=$1
# Run original binary early so that we can confirm valid build
# happened before we invoke zafl.
./$test_exe > out.eightqueens.orig
if [ $? -ne 0 ]; then
log_error "Original run on $test_exe failed."
fi
# Test sanity with zipr-only before zafl.sh is invoked.
$PSZ ./$test_exe ./$test_exe.zipr -c rida
if [ $? -ne 0 ]; then
log_error "Zipr-only build of $test_exe failed."
fi
./$test_exe.zipr > /dev/null
if [ $? -ne 0 ]; then
log_error "Zipr-only run of $test_exe failed."
else
log_success "Zipr-only run of $test_exe succeeded."
# build with graph optimization
# -r 123 looks like a fixed seed so that runs are reproducible, and
# --tempdir keeps each variant's analysis files apart -- TODO confirm
# against zafl.sh's option help.
zafl.sh $test_exe $test_exe.stars.zafl.d.g.r.cs -d -g -c all --tempdir analysis.eightqueens.$test_exe.stars.zafl.d.g.r.cs -r 123 --enable-context-sensitivity function
if [ $? -eq 0 ]; then
log_success "build $test_exe.stars.zafl.d.g.r.cs"
else
log_error "build $test_exe.stars.zafl.d.g.r.cs"
fi
# test functionality: the instrumented binary must print exactly what the
# original printed.
./$test_exe.stars.zafl.d.g.r.cs > out.eightqueens.stars.zafl.d.g.r.cs
if [ $? -ne 0 ]; then
log_error "d.g.c run on $test_exe failed."
fi
diff out.eightqueens.orig out.eightqueens.stars.zafl.d.g.r.cs >/dev/null 2>&1
if [ $? -eq 0 ]; then
log_success "$test_exe.stars.zafl.d.g.r.cs basic functionality"
else
log_error "$test_exe.stars.zafl.d.g.r.cs basic functionality"
fi
# Fuzz with AFL; realpath hands fuzz_with_zafl an absolute path to the
# instrumented binary.
log_message "Fuzz for $AFL_TIMEOUT secs"
fuzz_with_zafl $(realpath ./$test_exe.stars.zafl.d.g.r.cs)
# Do again with -D -G -C instead of -d -g -c (same build / run / diff / fuzz
# sequence as above, on a separately named output binary).
zafl.sh $test_exe $test_exe.stars.zafl.D.G.r.cs -D -G -C all --tempdir analysis.eightqueens.$test_exe.stars.zafl.D.G.r.cs -r 123 --enable-context-sensitivity function
if [ $? -eq 0 ]; then
log_success "build $test_exe.stars.zafl.D.G.r.cs"
else
log_error "build $test_exe.stars.zafl.D.G.r.cs"
fi
# test functionality
./$test_exe.stars.zafl.D.G.r.cs > out.eightqueens.stars.zafl.D.G.r.cs
if [ $? -ne 0 ]; then
log_error "D.G.C run on $test_exe failed."
fi
diff out.eightqueens.orig out.eightqueens.stars.zafl.D.G.r.cs >/dev/null 2>&1
if [ $? -eq 0 ]; then
log_success "$test_exe.stars.zafl.D.G.r.cs basic functionality"
else
log_error "$test_exe.stars.zafl.D.G.r.cs basic functionality"
fi
# Fuzz with AFL
log_message "Fuzz for $AFL_TIMEOUT secs"
fuzz_with_zafl $(realpath ./$test_exe.stars.zafl.D.G.r.cs)
}
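# --- driver ------------------------------------------------------------------
# Build every variant inside the scratch session dir, then run the full
# zipr / zafl / AFL round-trip on each one.  Every helper exits via log_error
# on failure, so reaching cleanup at the end means all variants passed.
mkdir -p -- "$session"
# pushd is checked: silently carrying on in the caller's cwd would build,
# fuzz and write artifacts in the wrong place.
pushd "$session" || log_error "cannot change to session directory $session"
build_all_exes
# Same order as before: gcc C, gcc C++, gcc kitchen sink, clang C, clang C++.
for exe in \
    eightqueens_c_O1.ncexe eightqueens_c_Og.ncexe eightqueens_c_O3.ncexe \
    eightqueens_cpp_O1.ncexe eightqueens_cpp_Og.ncexe eightqueens_cpp_O3.ncexe \
    eightqueens_cpp_ks.ncexe \
    eightqueens_c_clang_O1.ncexe eightqueens_c_clang_O2.ncexe eightqueens_c_clang_O3.ncexe \
    eightqueens_cpp_clang_O1.ncexe eightqueens_cpp_clang_O2.ncexe eightqueens_cpp_clang_O3.ncexe
do
    test_one_exe "$exe"
done
# The clang kitchen-sink variant is only built off CentOS (see build_all_exes).
if [ "$CENTOS_FOUND" == "0" ]; then
    test_one_exe "eightqueens_cpp_clang_ks.ncexe"
fi
popd
cleanup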