Bugchain
The Magma (https://hexhive.epfl.ch/magma/docs/preprint.pdf) benchmark shows an interesting example of bug chain. When tmp.len is zero, the divide-by-zero bug is triggered. When tmp.len > 16, the OOB bug is triggered. When tmp.len == 16, both bugs are triggered.
void libfoo_baz ( char * str ) {
2 struct {
3 char buf [16];
4 size_t len ;
5 } tmp ;
6 tmp . len = strlen ( str ) ;
7
8 // possible OOB write in strcpy ()
9 magma_log (17 , tmp . len >= sizeof ( tmp . buf ) ) ;
10 strcpy ( tmp . buf , str ) ;
11
12 // Possible div -by - zero if tmp.len == 0
13 magma_log (9 , tmp . len == 0) ;
14 int repeat = 64 / tmp . len ;
15 int padlen = 64 % tmp . len ;
16 }
Magma uses always-evaluate memory writes to avoid leaky oracles (to prevent fuzzers from overfitting: try to flip branches)
void libfoo_bar () {
2 // uint32_t a, b, c;
3 magma_log (42 , ( a == 0) | ( b == 0) ) ;
4 // possible divide -by - zero
5 uint32_t x = c / ( a * b ) ;
6 }
7 void magma_log ( int id , bool condition ) {
8 extern struct magma_bug * bugs ; // = mmap (...)
9 extern bool faulty ; // = false initially
10 bugs [ id ]. reached += 1 & ( faulty ^ 1) ;
11 bugs [ id ]. triggered += condition & ( faulty ^ 1) ;
12 faulty = faulty | condition ;
13 }