Fix CI

.gitattributes

@@ -0,0 +1 @@
+Cargo.lock linguist-generated=true

.github/workflows/build_and_test.yml

@@ -11,9 +11,10 @@ on:
   workflow_dispatch:
   merge_group:
 env:
+  AFL_PIZZA_MODE: "-1" # this is sad, I know, but it breaks on a certain spring day otherwise :(
   CARGO_TERM_COLOR: always
   CARGO_NET_GIT_FETCH_WITH_CLI: true
-  MAIN_LLVM_VERSION: 18
+  MAIN_LLVM_VERSION: 21
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -50,14 +51,11 @@ jobs:
       - name: Install LLVM
         if: runner.os == 'MacOS'
         run: brew install llvm@${{env.MAIN_LLVM_VERSION}}
-      - uses: Swatinem/rust-cache@v2
-        with: { shared-key: "ubuntu" }
-        if: runner.os == 'Linux'
-      - uses: Swatinem/rust-cache@v2
-        if: runner.os != 'Linux'
       - name: Check for binary blobs
         if: runner.os == 'Linux'
         run: just check-blobs
+      - name: Check for conflicting versions
+        run: cargo tree -d --workspace
       - name: Build libafl debug
         run: just build-libafl
       - name: Test the book (Linux)
@@ -73,6 +71,12 @@ jobs:
       - name: Doc
         if: runner.os == 'Linux'
         run: just doc
+      # DO NOT move the cache pull before this point, as it causes mdbook to fail due to duplicated deps
+      - uses: Swatinem/rust-cache@v2
+        with: { shared-key: "ubuntu" }
+        if: runner.os == 'Linux'
+      - uses: Swatinem/rust-cache@v2
+        if: runner.os != 'Linux'
       - name: Run tests (Windows)
         if: runner.os == 'Windows'
         run: just test-serial
@@ -189,20 +193,6 @@ jobs:
         # `sancov_pcguard_edges` is tested seperatelyc
         run: just check-features ${{ matrix.instance_idx }}
 
-#  idk why bindgen generates a corrupted file only on CI.
-#  ubuntu-concolic:
-#    runs-on: ubuntu-24.04
-#    needs: ubuntu
-#    steps:
-#      - uses: dtolnay/rust-toolchain@stable
-#      - uses: actions/checkout@v4
-#      - uses: Swatinem/rust-cache@v2
-#        with: { shared-key: "ubuntu" }
-#      - name: Install smoke test deps
-#        run: sudo ./crates/libafl_concolic/test/smoke_test_ubuntu_deps.sh
-#      - name: Run smoke test
-#        run: ./crates/libafl_concolic/test/smoke_test.sh
-#
   python-bindings:
     runs-on: ubuntu-24.04
     steps:
@@ -340,7 +330,6 @@ jobs:
           # - inprocess/libfuzzer_windows_asan
           - inprocess/libfuzzer_stb_image_sugar
           - inprocess/libfuzzer_stb_image
-          - structure_aware/libfuzzer_stb_image_concolic
           # - inprocess/sqlite_centralized_multi_machine
           # - inprocess/libafl_libfuzzer_windows
 

.github/workflows/ubuntu-prepare/action.yml

@@ -24,6 +24,7 @@ runs:
         sudo apt-get install -y \
           curl lsb-release wget software-properties-common gnupg shellcheck pax-utils \
           libsqlite3-dev libpixman-1-dev libc6-dev gcc g++ build-essential libglib2.0-dev
+        echo "export LLVM_CONFIG_PATH=$(which llvm-config-${{ env.MAIN_LLVM_VERSION }})" | sudo tee -a /etc/environment
 
     # ---------- toolchain selection ----------
     - name: Install Rust (stable)

Cargo.toml

@@ -11,10 +11,6 @@ members = [
   "crates/libafl_bolts",
   "crates/libafl_build",
   "crates/libafl_cc",
-  "crates/libafl_concolic/symcc_libafl",
-  "crates/libafl_concolic/symcc_runtime",
-  "crates/libafl_concolic/test/dump_constraints",
-  "crates/libafl_concolic/test/runtime_test",
   "crates/libafl_core",
   "crates/libafl_derive",
   "crates/libafl_frida",
@@ -68,8 +64,6 @@ exclude = [
   "utils/libafl_repo_tools",
   "utils/multi_machine_generator",
   "utils/noaslr",
-  # additional crates
-  "crates/libafl_concolic/test/symcc/util/symcc_fuzzing_helper",
 ]
 
 [workspace.package]
@@ -109,12 +103,6 @@ serde_anymap = { path = "./crates/serde_anymap", version = "0.16.0", default-fea
 shmem_providers = { path = "./crates/shmem_providers", version = "0.16.0", default-features = false }
 tuple_list_ex = { path = "./crates/tuple_list_ex", version = "0.16.0", default-features = false }
 
-# Concolic fuzzing crates
-dump_constraints = { path = "./crates/libafl_concolic/test/dump_constraints", version = "0.16.0", default-features = false }
-runtime_test = { path = "./crates/libafl_concolic/test/runtime_test", version = "0.16.0", default-features = false }
-symcc_libafl = { path = "./crates/libafl_concolic/symcc_libafl", version = "0.16.0", default-features = false }
-symcc_runtime = { path = "./crates/libafl_concolic/symcc_runtime", version = "0.16.0", default-features = false }
-
 # Utils
 build_and_test_fuzzers = { path = "./utils/build_and_test_fuzzers", version = "0.16.0", default-features = false }
 construct_automata = { path = "./utils/gramatron/construct_automata", version = "0.16.0", default-features = false }

Justfile

@@ -177,7 +177,7 @@ check-blobs:
 check-toml:
     taplo format --check
 
-test-fuzzers: fuzzers-preflight test-os-specific-fuzzers (nop "Baby") (test-fuzzer "./fuzzers/baby/baby_fuzzer_swap_differential") (test-fuzzer "./fuzzers/baby/tutorial") (test-fuzzer "./fuzzers/baby/baby_fuzzer") (nop "./fuzzers/baby/backtrace_baby_fuzzers") (test-fuzzer "./fuzzers/baby/baby_fuzzer_unicode") (test-fuzzer "./fuzzers/baby/baby_fuzzer_minimizing") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/command_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor") (test-fuzzer "./fuzzers/baby/baby_fuzzer_custom_executor") (nop "Binary-only") (test-fuzzer "./fuzzers/binary_only/frida_executable_libpng") (test-fuzzer "./fuzzers/binary_only/frida_libpng") (test-fuzzer "./fuzzers/binary_only/intel_pt_baby_fuzzer") (test-fuzzer "./fuzzers/binary_only/intel_pt_command_executor") (test-fuzzer "./fuzzers/binary_only/tinyinst_simple") (nop "Forkserver") (test-fuzzer "./fuzzers/forkserver/forkserver_simple") (test-fuzzer "./fuzzers/forkserver/forkserver_libafl_cc") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_cmplog") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_sand") (test-fuzzer "./fuzzers/forkserver/libafl-fuzz") (test-fuzzer "./fuzzers/forkserver/baby_fuzzer_with_forkexecutor") (nop "Full-system") (test-fuzzer "./fuzzers/full_system/nyx_launcher") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_standalone") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_parallel") (test-fuzzer "./fuzzers/full_system/unicorn") (nop "Structure-aware") (test-fuzzer "./fuzzers/structure_aware/nautilus_sync") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_grimoire") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_gramatron") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_tokens") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_multi") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_custom_input") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_nautilus") (test-fuzzer "./fuzzers/structure_aware/forkserver_simple_nautilus") (nop "In-process") (test-fuzzer "./fuzzers/fuzz_anything/cargo_fuzz") (test-fuzzer "./fuzzers/inprocess/fuzzbench") (test-fuzzer "./fuzzers/inprocess/fuzzbench_text") (test-fuzzer "./fuzzers/inprocess/fuzzbench_ctx") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libmozjpeg") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_launcher") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_accounting") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_centralized") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_cmin") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_norestart") (nop "./fuzzers/inprocess/libfuzzer_libpng_tcp_manager") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image_sugar") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image") (nop "./fuzzers/structure_aware/libfuzzer_stb_image_concolic") (nop "./fuzzers/inprocess/sqlite_centralized_multi_machine") (nop "Fuzz Anything") (test-fuzzer "./fuzzers/fuzz_anything/push_harness") (test-fuzzer "./fuzzers/fuzz_anything/push_stage_harness") (test-fuzzer "./fuzzers/fuzz_anything/libafl_atheris") (test-fuzzer "./fuzzers/fuzz_anything/baby_no_std") (test-fuzzer "./fuzzers/fuzz_anything/baby_fuzzer_wasm")
+test-fuzzers: fuzzers-preflight test-os-specific-fuzzers (nop "Baby") (test-fuzzer "./fuzzers/baby/baby_fuzzer_swap_differential") (test-fuzzer "./fuzzers/baby/tutorial") (test-fuzzer "./fuzzers/baby/baby_fuzzer") (nop "./fuzzers/baby/backtrace_baby_fuzzers") (test-fuzzer "./fuzzers/baby/baby_fuzzer_unicode") (test-fuzzer "./fuzzers/baby/baby_fuzzer_minimizing") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/command_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor") (test-fuzzer "./fuzzers/baby/baby_fuzzer_custom_executor") (nop "Binary-only") (test-fuzzer "./fuzzers/binary_only/frida_executable_libpng") (test-fuzzer "./fuzzers/binary_only/frida_libpng") (test-fuzzer "./fuzzers/binary_only/intel_pt_baby_fuzzer") (test-fuzzer "./fuzzers/binary_only/intel_pt_command_executor") (test-fuzzer "./fuzzers/binary_only/tinyinst_simple") (nop "Forkserver") (test-fuzzer "./fuzzers/forkserver/forkserver_simple") (test-fuzzer "./fuzzers/forkserver/forkserver_libafl_cc") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_cmplog") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_sand") (test-fuzzer "./fuzzers/forkserver/libafl-fuzz") (test-fuzzer "./fuzzers/forkserver/baby_fuzzer_with_forkexecutor") (nop "Full-system") (test-fuzzer "./fuzzers/full_system/nyx_launcher") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_standalone") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_parallel") (test-fuzzer "./fuzzers/full_system/unicorn") (nop "Structure-aware") (test-fuzzer "./fuzzers/structure_aware/nautilus_sync") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_grimoire") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_gramatron") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_tokens") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_multi") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_custom_input") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_nautilus") (test-fuzzer "./fuzzers/structure_aware/forkserver_simple_nautilus") (nop "In-process") (test-fuzzer "./fuzzers/fuzz_anything/cargo_fuzz") (test-fuzzer "./fuzzers/inprocess/fuzzbench") (test-fuzzer "./fuzzers/inprocess/fuzzbench_text") (test-fuzzer "./fuzzers/inprocess/fuzzbench_ctx") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libmozjpeg") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_launcher") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_accounting") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_centralized") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_cmin") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_norestart") (nop "./fuzzers/inprocess/libfuzzer_libpng_tcp_manager") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image_sugar") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image") (nop "./fuzzers/inprocess/sqlite_centralized_multi_machine") (nop "Fuzz Anything") (test-fuzzer "./fuzzers/fuzz_anything/push_harness") (test-fuzzer "./fuzzers/fuzz_anything/push_stage_harness") (test-fuzzer "./fuzzers/fuzz_anything/libafl_atheris") (test-fuzzer "./fuzzers/fuzz_anything/baby_no_std") (test-fuzzer "./fuzzers/fuzz_anything/baby_fuzzer_wasm")
 
 # Windows-specific cmplog test
 [windows]
@@ -257,18 +257,13 @@ build-ios:
 increase-mem-limits:
     {{ SCRIPTS_DIR }}/shmem_limits_macos.sh
 
-# Run Smoketest for the libafl concolic executor
-[linux]
-concolic-smoke-test:
-    {{ ROOT_DIR }}/libafl_concolic/test/smoke_test.sh
-
 [unix]
 test-repro-qemu-tmin:
     cd {{ FUZZERS_DIR }}/binary_only/qemu_tmin && ./repro
 
 # Tests everything (crates, fuzzers, docs, repro)
 [linux]
-test-all: test test-fuzzers test-docs test-repro-qemu-tmin concolic-smoke-test doc
+test-all: test test-fuzzers test-docs test-repro-qemu-tmin doc
 
 # Tests everything (crates, fuzzers, docs, repro)
 [macos]

README.md

@@ -38,7 +38,6 @@ feel free to add an AST-based input for structured fuzzing, and more.
     ```
 - **LLVM tools**
   - The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from [here](https://apt.llvm.org/)
-  - (In `libafl_concolic`, we only support LLVM version newer than 18)
 - Just:
   - We use [just](https://github.com/casey/just) to build the fuzzers in `fuzzers/` directory. You can find instructions to install it in your environment [in the Just Programmer's Manual](https://just.systems/man/en/packages.html).
 

bindings/pylibafl/pyproject.toml

@@ -22,5 +22,4 @@ repository = "https://github.com/AFLplusplus/LibAFL.git"
 [tool.maturin]
 bindings = "pyo3"
 manifest-path = "Cargo.toml"
-python-source = "src"
 all-features = true

crates/README.md

@@ -11,7 +11,6 @@ This directory contains the various crates that make up the LibAFL ecosystem. He
 
 ## Backends & Instrumentation
 
-- **[libafl_concolic](./libafl_concolic)**: Concolic execution related crates (SymCC integration).
 - **[libafl_frida](./libafl_frida)**: Frida backend library for LibAFL.
 - **[libafl_intelpt](./libafl_intelpt)**: Intel Processor Trace wrapper for libafl.
 - **[libafl_nyx](./libafl_nyx)**: libafl using nyx, only avaliable on linux.

crates/fast_rands/src/lib.rs

@@ -294,7 +294,7 @@ pub trait SubRng {
 
 impl<R> SubRng for R
 where
-    R: Rand + Sized + Clone
+    R: Rand + Sized + Clone,
 {
     /// Creates and returns a sub-RNG.
     fn sub_rng(&mut self) -> Self {

crates/libafl/Cargo.toml

@@ -121,7 +121,7 @@ intel_pt = ["std", "dep:libafl_intelpt", "dep:nix", "dep:num_enum"]
 intel_pt_export_raw = ["intel_pt", "libafl_intelpt/export_raw"]
 
 ## Enables features for corpus minimization
-cmin = ["z3"]
+cmin = ["dep:z3"]
 
 ## Enables the `PrometheusMonitor` which will monitor stats via UDP, for `Grafana` and others.
 prometheus_monitor = [
@@ -135,9 +135,6 @@ prometheus_monitor = [
 ## Enables the `StatsdMonitor`.
 statsd_monitor = ["std", "cadence"]
 
-## Include a simple concolic mutator based on z3
-concolic_mutation = ["z3"]
-
 ## Enable the fancy TuiMonitor for a termanal UI using crossterm
 tui_monitor = ["ratatui", "crossterm"]
 
@@ -291,7 +288,7 @@ wait-timeout = { version = "0.2.0", optional = true } # used by CommandExecutor
 regex = { workspace = true, optional = true }
 regex-syntax = { version = "0.8.4", optional = true } # For nautilus
 
-z3 = { workspace = true, optional = true } # for concolic mutation
+z3 = { workspace = true, optional = true } # for corpus minimization
 
 # optional-dev deps (change when target.'cfg(accessible(::std))'.test-dependencies will be stable)
 serial_test = { workspace = true, optional = true, default-features = false, features = [

crates/libafl/src/feedbacks/mod.rs

@@ -8,8 +8,6 @@ use alloc::borrow::Cow;
 use alloc::vec::Vec;
 use core::{fmt::Debug, marker::PhantomData};
 
-#[cfg(feature = "std")]
-pub use concolic::ConcolicFeedback;
 pub use differential::DiffFeedback;
 use libafl_bolts::{
     Named,
@@ -33,8 +31,6 @@ pub mod capture_feedback;
 pub mod bool;
 pub use bool::BoolValueFeedback;
 
-#[cfg(feature = "std")]
-pub mod concolic;
 #[cfg(feature = "std")]
 /// The module for `CustomFilenameToTestcaseFeedback`
 pub mod custom_filename;

crates/libafl/src/monitors/mod.rs

@@ -31,6 +31,8 @@ pub mod statsd;
 
 #[cfg(feature = "std")]
 use alloc::vec::Vec;
+#[cfg(feature = "std")]
+use core::str::FromStr;
 use core::{
     fmt,
     fmt::{Debug, Write},
@@ -51,23 +53,29 @@ pub use statsd::StatsdMonitor;
 pub(crate) fn pizza_is_served() -> bool {
     static PIZZA_IS_SERVED: OnceLock<bool> = OnceLock::new();
     *PIZZA_IS_SERVED.get_or_init(|| {
-        std::env::var("AFL_PIZZA_MODE").is_ok_and(|v| v != "0") || {
-            #[cfg(unix)]
-            // SAFETY: `localtime` and `time` are standard libc functions. `t` is initialized.
-            unsafe {
-                let mut t = 0;
-                libc::time(&raw mut t);
-                let tm = libc::localtime(&raw const t);
-                !tm.is_null() && (*tm).tm_mon == 3 && (*tm).tm_mday == 1
-            }
-            #[cfg(windows)]
-            // SAFETY: `GetLocalTime` is a standard Win32 API.
-            unsafe {
-                let lt = windows::Win32::System::SystemInformation::GetLocalTime();
-                lt.wMonth == 4 && lt.wDay == 1
+        match std::env::var("AFL_PIZZA_MODE")
+            .map(|s| i64::from_str(&s).expect("AFL_PIZZA_MODE must be set to a signed integer!"))
+        {
+            Ok(v) if v < 1 => false,
+            Ok(_) => true,
+            Err(_) => {
+                #[cfg(unix)]
+                // SAFETY: `localtime` and `time` are standard libc functions. `t` is initialized.
+                unsafe {
+                    let mut t = 0;
+                    libc::time(&raw mut t);
+                    let tm = libc::localtime(&raw const t);
+                    !tm.is_null() && (*tm).tm_mon == 3 && (*tm).tm_mday == 1
+                }
+                #[cfg(windows)]
+                // SAFETY: `GetLocalTime` is a standard Win32 API.
+                unsafe {
+                    let lt = windows::Win32::System::SystemInformation::GetLocalTime();
+                    lt.wMonth == 4 && lt.wDay == 1
+                }
+                #[cfg(not(any(unix, windows)))]
+                false
             }
-            #[cfg(not(any(unix, windows)))]
-            false
         }
     })
 }