Thanks for the reply and for the idea. To generate index out of bounds errors through Csmith, which class in the Csmith code would you recommend I look at?
While going through the advanced options using the -hh flag, I noticed a --null-ptr-deref-prob flag. Many times, it causes csmith to crash, and when it does run, the output that is generated using the flag contains only a single function. Is this its expected behavior? From the name, I have a feeling this flag could be useful for my case. Is there any way you feel I can help improve on it?
Hi Ali, I can think of several ways to make this happen. If Xuejun is
available to help a bit, perhaps he can direct you to the correct spot
to generate a null pointer access or OOB array use.
If he isn't available, then I would recommend just finding a spot in the
Csmith source code where an array index is generated, and then 1% of the
time (or whatever), generate -1000 instead of whatever index Csmith
wanted to generate. Of course not all such programs will crash, but some
of them will.
On 12/11/20 9:27 AM, Ali Shuja Siddiqui (alissidd) wrote:
> In our team at Cisco, we are looking towards making test cases for our
> crash analysis tools. Csmith is a useful tool for generating code for
> testing compilers. We are investigating different ways of generating
> binaries that would crash and result in a core dump. Csmith offers us a
> great base for this purpose.
> I would like your feedback to get an idea and pointers on how to modify
> Csmith. Our goal is to generate C code using csmith that when compiled
> successfully and executed may result in a crash. Please also let me know
> of any known work that you may know of, already done in this regard.
> Thank you,
> Ali Shuja Siddiqui