Crack Concolic cannot Dump Valid Constraint #6

@chinggg

Description

I am trying to understand how CoFuzz's concolic execution works by running the readelf target.

https://github.com/Tricker-z/CoFuzz/blob/main/src/fuzz/executor.py#L130-L154
The main loop in HybridExecutor.run() keeps calling __crack_seed, but I found that this function does not work at all, because constraint_info = self.concolic.crack(seed_input, crack_addr) does not contain valid patterns for dump_constraint to parse constraints from. So constraint_dict is always empty and no seeds are generated by 'crack'.
https://github.com/Tricker-z/CoFuzz/blob/main/src/fuzz/executor.py#L101-L102

I followed the setup in run_target.md, here is the script I used to build the readelf target:

# start in top folder
cd binutils-2.37
export LLVM_CC_NAME=clang-10 LLVM_CXX_NAME=clang++-10
CC=wllvm LLVM_COMPILER=clang ./configure --disable-shared
LLVM_COMPILER=clang make -j$(nproc)

cd binutils
extract-bc readelf
cp readelf.bc ../../

# back in top folder
cd ../..
# The random seed can be set with $AFL_RAND_SEED
BB_IDENT_FILE=/tmp/bb_ident_file Trace_CC=clang-10 Trace_CXX=clang++-10 trace/build/clang-trace readelf.bc -o readelf_trace
AFL_CC=clang-10 AFL_CXX=clang++-10 fuzzer/afl-clang-fast readelf.bc -o readelf_afl
third_party/concolic/qsym/symcc readelf.bc -o readelf_cofuzz

mkdir test
cp readelf* test/

Create readelf.cfg under test/:

[put]
# Program under test
cohuzz_bin=readelf_cofuzz
trace_bin=readelf_trace
argument=-a @@

Run the two commands concurrently under test/ to execute afl and cofuzz:

../fuzzer/afl-fuzz -m none -i fuzz_in/ -o fuzz_out/ -S afl -- ./readelf_afl -a @@
python3 ../src/cofuzz.py -c ./readelf.cfg -o fuzz_out/ -a afl
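The quickest way to tell whether the problem is in dump_constraint or upstream of it is to run the concolic binary once by hand, exactly as the fuzzer would invoke it, and look at the raw output before any parsing happens. The script below is an added example for this report, not code from the CoFuzz repository: it reads the [put] section of a .cfg laid out as above, substitutes the seed path for @@ in the argument template, runs the binary once and returns its raw stdout/stderr. The key that names the concolic binary is passed in rather than hard-coded, so it works with whatever key your cfg uses. It also checks one easy-to-miss mismatch in the two command lines: the name given to afl-fuzz with -S and the name given to cofuzz.py with -a are assumed here to have to be identical for syncing to work.

```python
"""Added example: drive one CoFuzz-style concolic run by hand and inspect its raw output.

Not part of CoFuzz. Assumes the INI layout from the issue ([put] section with the
binaries and an `argument` template containing @@); key names are parameters.
"""
import configparser
import os
import shlex
import subprocess
import sys
from pathlib import Path


def load_put_section(cfg_path):
    """Return the [put] section of a CoFuzz-style .cfg as a plain dict."""
    cp = configparser.ConfigParser()
    if not cp.read(cfg_path):
        raise FileNotFoundError(cfg_path)
    if "put" not in cp:
        raise ValueError(f"{cfg_path}: no [put] section")
    return dict(cp["put"])


def build_argv(binary, argument, seed_path, cwd="."):
    """Build an argv list from the binary and the cfg `argument` template,
    replacing every @@ with the seed path (the afl-fuzz convention).
    A bare binary name is resolved against `cwd`, not $PATH, because the
    cfg in the issue names binaries relative to the test/ directory."""
    argv = [binary] + shlex.split(argument)
    if "@@" not in argv:
        raise ValueError("argument must contain @@ so the seed can be substituted")
    if not os.path.isabs(binary):
        argv[0] = os.path.join(cwd, binary)
    return [seed_path if tok == "@@" else tok for tok in argv]


def run_once(cfg_path, binary_key, seed_path, timeout=30, extra_env=None):
    """Run the binary named by `binary_key` in [put] once on `seed_path`.

    Returns the argv used, the exit status and the raw stdout/stderr as text.
    This is the material the constraint parser would be handed; if both
    streams are empty there is nothing for it to extract, whatever its patterns."""
    put = load_put_section(cfg_path)
    cfg_dir = str(Path(cfg_path).resolve().parent)
    argv = build_argv(put[binary_key], put["argument"], str(seed_path), cwd=cfg_dir)
    env = dict(os.environ, **(extra_env or {}))
    proc = subprocess.run(argv, capture_output=True, timeout=timeout, cwd=cfg_dir, env=env)
    return {
        "argv": argv,
        "returncode": proc.returncode,
        "stdout": proc.stdout.decode(errors="replace"),
        "stderr": proc.stderr.decode(errors="replace"),
    }


def produced_output(result):
    """True when the run wrote anything at all to stdout or stderr."""
    return bool(result["stdout"].strip() or result["stderr"].strip())


def flag_value(cmd, flag):
    """Return the token following `flag` (e.g. -S or -a) in a command line, or None."""
    toks = shlex.split(cmd)
    for i, tok in enumerate(toks[:-1]):
        if tok == flag:
            return toks[i + 1]
    return None


def sync_names_match(afl_cmd, cofuzz_cmd):
    """afl-fuzz names its instance with -S; cofuzz.py is pointed at an instance
    with -a. Assumption (not confirmed by the issue): the two must be equal."""
    name = flag_value(afl_cmd, "-S")
    return name is not None and name == flag_value(cofuzz_cmd, "-a")


if __name__ == "__main__":
    # usage: python3 run_once.py readelf.cfg <binary-key> fuzz_in/seed.elf
    cfg, key, seed = sys.argv[1:4]
    res = run_once(cfg, key, seed)
    print("argv:", res["argv"])
    print("exit:", res["returncode"])
    print("stdout bytes:", len(res["stdout"]), "stderr bytes:", len(res["stderr"]))
    if not produced_output(res):
        print("no output at all: the parser upstream of constraint_dict has nothing to work with")
    else:
        print(res["stdout"])
        print(res["stderr"], file=sys.stderr)
```

Run it from test/ with the same seed the fuzzer is using; if the binary prints nothing (or only an error), the empty constraint_dict is explained before dump_constraint is even involved, and the next thing to compare is the environment afl-fuzz and cofuzz.py set for the child process.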
