Please try to run the following commands:
# setup the environment variables in the root directory of the tool
$ source tool/init_env.sh
# compile the program and get bit code
$ cd $ROOT_DIR/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346
$ ./cleanDIR.sh
$ clang -g -emit-llvm -c ./2017-6346.cpp -o 2017-6346.bc
# perform static analysis
$ $ROOT_DIR/tool/staticAnalysis/staticAnalysis.sh 2017-6346
# compile the instrumented program with ASAN
$ export Con_PATH=$ROOT_DIR/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/ConConfig.2017-6346
$ $ROOT_DIR/tool/staticAnalysis/DBDS-INSTRU/dbds-clang-fast++ -g -fsanitize=address ./2017-6346.cpp -o 2017-6346 -lpthread -ldl
# perform DBDS
$ $ROOT_DIR/tool/DBDS/run_PDS.py -d 3 ./2017-6346
Then you will get results like the following:
Start Testing!
test 0001
test 0002
...
The ASAN output for the use-after-free bug:
=================================================================
==97656==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001014 at pc 0x0000004c9527 bp 0x7feb159d2e80 sp 0x7feb159d2e78
WRITE of size 4 at 0x602000001014 thread T2
#0 0x4c9526 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9526)
#1 0x4c9210 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9210)
#2 0x7feb19da56b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#3 0x7feb18e2e4dc (/lib/x86_64-linux-gnu/libc.so.6+0x1074dc)
0x602000001014 is located 4 bytes inside of 8-byte region [0x602000001010,0x602000001018)
freed by thread T1 here:
#0 0x4948fd (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4948fd)
#1 0x4c9484 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9484)
previously allocated by thread T2 here:
#0 0x495292 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x495292)
#1 0x4c92b9 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c92b9)
Thread T2 created by T0 here:
#0 0x47f30a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x47f30a)
#1 0x4c974a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c974a)
#2 0x7feb18d4783f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
Thread T1 created by T0 here:
#0 0x47f30a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x47f30a)
#1 0x4c9723 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9723)
#2 0x7feb18d4783f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-use-after-free (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9526)
Shadow bytes around the buggy address:
0x0c047fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff8200: fa fa[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==97656==ABORTING
Use addr2line -e ./2017-6346 0x4c9526 and addr2line -e ./2017-6346 0x4c9210 to see the debug info:
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:374
/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/./2017-6346.cpp:134
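The addr2line step above can be automated. The following is an added example, not part of the ConcurrencyFuzzer tool: it parses an ASAN report into its labelled stack traces and emits the addr2line command for every distinct frame that lies inside the fuzzed binary, skipping libc/libpthread frames. The embedded sample is an abridged copy of the use-after-free report above, so it runs offline.

```python
import os
import re

# Constructed sample: an abridged copy of the heap-use-after-free report
# above, used only as offline input for the parser.
SAMPLE_REPORT = """\
==97656==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001014 at pc 0x0000004c9527 bp 0x7feb159d2e80 sp 0x7feb159d2e78
WRITE of size 4 at 0x602000001014 thread T2
    #0 0x4c9526 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9526)
    #1 0x4c9210 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9210)
    #2 0x7feb19da56b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
freed by thread T1 here:
    #0 0x4948fd (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4948fd)
    #1 0x4c9484 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9484)
"""

# Error kind: "heap-use-after-free on ...", "attempting double-free on ...", "SEGV on ..."
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?:attempting )?(.+?) on ")
# Frame: "#1 0x4c9210 (/path/to/2017-6346+0x4c9210)" -> index, module path, module offset
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ \((\S+?)\+(0x[0-9a-f]+)\)")


def parse_report(text):
    # Returns {"error": kind, "stacks": [(label, [(idx, module, offset), ...]), ...]};
    # the label is the non-frame line preceding each run of frames ("freed by ...").
    error, stacks, label, current = None, [], "", None
    for line in text.splitlines():
        if error is None and (m := ERROR_RE.search(line)):
            error = m.group(1)
        f = FRAME_RE.match(line)
        if f:
            if current is None:            # first frame after a label opens a new stack
                current = (label, [])
                stacks.append(current)
            current[1].append((int(f.group(1)), f.group(2), f.group(3)))
        elif line.strip():                 # any other non-empty line labels the next stack
            label, current = line.strip(), None
    return {"error": error, "stacks": stacks}


def symbolize_commands(report, binary):
    # One addr2line command (the form used on this page) per distinct frame inside
    # the fuzzed binary; frames in libc/libpthread carry no benchmark debug info.
    want, cmds = os.path.basename(binary), []
    for _label, frames in report["stacks"]:
        for _idx, module, offset in frames:
            cmd = f"addr2line -e {binary} {offset}"
            if os.path.basename(module) == want and cmd not in cmds:
                cmds.append(cmd)
    return cmds
```

Pipe a saved report through parse_report and run the returned commands from the benchmark directory to get the source lines shown above.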
The ASAN output for the null-pointer-dereference bug:
=================================================================
==98019==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000004c93e2 bp 0x000000000004 sp 0x7f2ddd1c6e90 T2)
==98019==The signal is caused by a WRITE memory access.
==98019==Hint: address points to the zero page.
#0 0x4c93e1 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c93e1)
#1 0x4c9210 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9210)
#2 0x7f2de15996b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#3 0x7f2de06224dc (/lib/x86_64-linux-gnu/libc.so.6+0x1074dc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c93e1)
Thread T2 created by T0 here:
#0 0x47f30a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x47f30a)
#1 0x4c974a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c974a)
#2 0x7f2de053b83f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
==98019==ABORTING
Use addr2line -e ./2017-6346 0x4c93e1 and addr2line -e ./2017-6346 0x4c9210 to see the debug info:
/usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/atomic_base.h:374
/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/./2017-6346.cpp:134
The ASAN output for the double-free bug:
=================================================================
==98904==ERROR: AddressSanitizer: attempting double-free on 0x602000001010 in thread T1:
#0 0x4948fd (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4948fd)
#1 0x4c9484 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9484)
#2 0x4c9210 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9210)
#3 0x7f1d3e9a86b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#4 0x7f1d3da314dc (/lib/x86_64-linux-gnu/libc.so.6+0x1074dc)
0x602000001010 is located 0 bytes inside of 8-byte region [0x602000001010,0x602000001018)
freed by thread T2 here:
#0 0x4948fd (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4948fd)
#1 0x4c9484 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9484)
previously allocated by thread T2 here:
#0 0x495292 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x495292)
#1 0x4c92b9 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c92b9)
Thread T1 created by T0 here:
#0 0x47f30a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x47f30a)
#1 0x4c9723 (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c9723)
#2 0x7f1d3d94a83f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
Thread T2 created by T0 here:
#0 0x47f30a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x47f30a)
#1 0x4c974a (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4c974a)
#2 0x7f1d3d94a83f (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: double-free (/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/2017-6346+0x4948fd)
==98904==ABORTING
Use addr2line -e ./2017-6346 0x4c9484 and addr2line -e ./2017-6346 0x4c9210 to see the debug info:
/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/./2017-6346.cpp:76
/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2017-6346/./2017-6346.cpp:134