diff --git a/fuzzer/Fuzzer.java b/fuzzer/Fuzzer.java
index 69c59a658c3568a4abae375d79bad7fe7a086689..70afc3fc834857597f7823e2b84ef318cf67e061 100644
--- a/fuzzer/Fuzzer.java
+++ b/fuzzer/Fuzzer.java
@@ -43,10 +43,6 @@ public class Fuzzer {
 private static ArrayList<String> vars = new ArrayList<>();
- // Instruction Count Array
- private static int[] counts = {0,0,0,0,0,0,0,0,0,0,0,0};
- // Instruction Added Probability Array
- private static int[] addProb = {0,0,0,0,0,0,0,0,0,0,0,0};
 // Pathway Prob Map, E.g. key = [PUSH, POP, STORE] - value = 2, this value is added to base prob
 private static HashMap<List<Instruction>, Integer> pathwayProb = new HashMap<List<Instruction>, Integer>();
 // Current stack of instructions
@@ -122,36 +118,22 @@ public class Fuzzer {
 switch (runCount){
 case 0:
 // Test with stack full
- return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, false, false);
+ return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE, true, false);
 case 1:
 // Test with stack full
- return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, false, false);
+ return generateInput(true, INSTRUCTION_MAX, MAX_STACK_SIZE - 1, true, false);
 case 3:
 // Run static tests and empty stack
- return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, false, false);
+ return getStaticTests() + generateInput(true, INSTRUCTION_MAX, 0, true, false);
 case 4:
 // Test with dynamic probability
 return generateInput(true, INSTRUCTION_MAX, 0, true, false);
 case 5:
 // Test with long var names
- return generateInput(true, INSTRUCTION_MAX, 0, false, true);
+ return generateInput(true, INSTRUCTION_MAX, 0, true, true);
 }
 // Run from random stack
- return generateInput(true, INSTRUCTION_MAX, 0, false, false);
- }
-
- /*
- * Given an instruction, adds the instruction count to the global array
- * and adds probability to the other instructions
- */
- private static void addCountProb(Instruction instruction) {
- int index = instruction.ordinal();
- for (int i = 0; i < 12; i++) {
- if (i != index) {
- counts[i] += 1;
- addProb[i] += Instruction.values()[i].getProbability();
- }
- }
+ return generateInput(true, INSTRUCTION_MAX, 0, true, false);
 }
diff --git a/fuzzer/Instruction.java b/fuzzer/Instruction.java
index ea2185779502f54df5a0f039d8e565115a47ff3b..d3d2690fab0d5bc8b09fd0c3c5b93a2994780081 100644
--- a/fuzzer/Instruction.java
+++ b/fuzzer/Instruction.java
@@ -86,7 +86,6 @@ public enum Instruction {
 Map<List<Instruction>, Integer> pathwayProb) {
 // Check if cumlative probabilities have been calculated
 checkProbability(instructionStack, pathwayProb);
- System.out.println(max);
 ArrayList<Instruction> instructions;
 ArrayList<Integer> instCumlProbs;
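Review bot: With every `generateInput` call in this switch and the fall-through return now passing `true` as the fourth argument, `case 4` returns exactly what the default path after the switch returns, so its "Test with dynamic probability" comment no longer describes anything distinctive and the case label is dead weight; either delete `case 4` and its comment, or keep one run on `false` if a base-probability comparison run is still wanted. Forcing the dynamic mode on every run also removes the base-probability configuration from the inputs the fuzzer produces, which presumably narrows the variety of instruction sequences the target sees — worth confirming that is intended. `case 2` has no label and silently takes the fall-through return; if that is deliberate, a one-line comment such as `// case 2: no dedicated test, falls through to the random-stack run` would save the next reader a search. If the fourth parameter is meant to be always on from here, removing it from `generateInput` is cleaner than passing a constant at every call site. The enclosing method's signature lies above this hunk.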
diff --git a/poc/vuln-4.poc b/poc/vuln-4.poc
index f26318d3130ada10814a524c98b0b1e9d32dab0f..e5d699dfcf22fe074a91a850e3ea810aac5c17e2 100644
--- a/poc/vuln-4.poc
+++ b/poc/vuln-4.poc
@@ -1,4 +1,4 @@
 push 10
-store x
+store 10
 push 10
-store x
+store 10
diff --git a/src/vuln-4/dc.c b/src/vuln-4/dc.c
index 68ab539490483f319cb0abf3138706c9e9933160..0a1588eff1b5cbbc93c8fe3d7d77d11427c0aab2 100644
--- a/src/vuln-4/dc.c
+++ b/src/vuln-4/dc.c
@@ -83,8 +83,9 @@ static node_t *node_new(const char *varname, const value_t value){
 /* updates a node's value in place: replaces p's value with that from q and frees q */
 static void node_edit_value(node_t * p, node_t *q){
- if (p->value == q->value) {
- free(q);
+ char *ptr;
+ if (q->value == strtol(q->varname, &ptr, 10)) {
+ free(q->value);
 }
 p->value = q->value;
 free(q->varname);