
Comments (9)

GoogleCodeExporter commented on July 19, 2024
Sorry, misleading title.  I was originally trying this on Fedora 16 and got 
this error, but the valgrind included with 0.4 does not support the 3.x kernel 
series, so I moved to CentOS 5.8 where I could compare both versions.

Original comment by [email protected] on 9 May 2012 at 12:12

from avalanche.

GoogleCodeExporter commented on July 19, 2024
More info... even though I could get 0.6.0 to build in the manner described 
above, it failed to solve the sample file input example.  Version 0.4 worked 
correctly.

Original comment by [email protected] on 9 May 2012 at 3:30

from avalanche.

GoogleCodeExporter commented on July 19, 2024
Unfortunately, it looks like the update to PL.y for the yacc/bison compatibility 
problem slipped being committed. Replacing stp-ver-0.1-11-18-2008/parser/PL.y 
with this version should fix the make process for non-bison users.

Can you provide more info (avalanche output etc.) on sample failing?

Original comment by [email protected] on 14 May 2012 at 8:22

Attachments:

from avalanche.

GoogleCodeExporter commented on July 19, 2024
tar zxf Desktop/avalanche-0.6.tar.gz
cp Desktop/PL.y avalanche-0.6.0/stp-ver-0.1-11-18-2008/parser/PL.y
cd avalanche-0.6.0/
./configure
make
su -c "make install"

everything built cleanly... but the sample still fails...

$ od seed
0000000 000000 000000
0000004

$ avalanche -v --filename=seed ./sample2 seed
Avalanche, a dynamic analysis tool. Mon May 14 07:35:55 2012
Iteration 1. Mon May 14 07:35:55 2012
Inputs size = 1.
Selected next input with score 1346.
Unique error(s) found: 0.

Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.


If I explicitly run it with a bad file, then it works...

$ echo 'bad!' > bad
$ avalanche -v --filename=bad ./sample2 bad
Avalanche, a dynamic analysis tool. Mon May 14 07:38:03 2012

Error detected. Mon May 14 07:38:03 2012
  Process terminating with default action of signal 6 (SIGABRT)
     at 0x3E0F030285: raise (in /lib64/libc-2.5.so)
     by 0x3E0F031D2F: abort (in /lib64/libc-2.5.so)
     by 0x4005AB: main (in /home/vegs-usr/avalanche-0.4/samples/simple/sample2)
  Dumping input to file exploit_0_0.
  Command:  ./sample2 exploit_0_0

Iteration 1. Mon May 14 07:38:03 2012
Inputs size = 1.
Selected next input with score 1277.
Unique error(s) found: 1.

 Error #0: Received SIGABRT
  Inputs:   exploit_0_0; 
  Command:  ./sample2 exploit_0_0


Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.



Original comment by [email protected] on 14 May 2012 at 11:39

from avalanche.

GoogleCodeExporter commented on July 19, 2024
And with the debug flag...

$ avalanche -v --debug --filename=seed ./sample2 seed
Avalanche, a dynamic analysis tool. Mon May 14 07:55:12 2012
Running plugin Covgrind.
Executing command: /usr/local/bin/../lib/avalanche/valgrind, with args:  
/usr/local/bin/../lib/avalanche/valgrind --tool=covgrind --trace-children=no -v 
--alarm=300 --log-file=/tmp/avalanche-jfilik/execution.log 
--filename=/tmp/avalanche-jfilik/basic_blocks.log ./sample2 seed
Covgrind is finished.
First score = 1346.
Iteration 1. Mon May 14 07:55:12 2012
Inputs size = 1.
Selected next input with score 1346.
Running plugin Tracegrind.
Executing command: /usr/local/bin/../lib/avalanche/valgrind, with args:  
/usr/local/bin/../lib/avalanche/valgrind --tool=tracegrind --trace-children=no 
--startdepth=1 --temp-dir=/tmp/avalanche-jfilik/ --invertdepth=100 
--dump-prediction=yes --file=seed 
--log-file=/tmp/avalanche-jfilik/execution.log ./sample2 seed
Tracegrind exited on signal.
Failure in Tracegrind.
No QUERY's found.
Unique error(s) found: 0.

Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.

Original comment by [email protected] on 14 May 2012 at 11:56

from avalanche.
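The two runs on the same seed above make a point worth automating: the plain `-v` run reports "Unique error(s) found: 0" and looks clean, while the `--debug` run shows the zero comes from tracegrind dying before any STP query was produced. The following triage helper is an added example, not code from Avalanche or from anyone in this thread. It parses the summary lines exactly as they appear in the posted output (the regexes, field names and the "clean / tool-failure / crash" classification are my own assumptions; the embedded log texts are copied from the thread) and refuses to treat a zero-error run as clean when a plugin failure or "No QUERY's found." is present.

```python
"""Triage helper for Avalanche -v / --debug output (added example, not part
of Avalanche). Parses the summary lines visible in the thread into a
structured result and distinguishes a genuinely clean run from one where
"Unique error(s) found: 0" was caused by tracegrind failing.
Regexes and field names are assumptions based on the line shapes in the
thread's output, not on Avalanche's source."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Log texts copied from the three runs posted in the thread.
SEED_RUN_LOG = """Avalanche, a dynamic analysis tool. Mon May 14 07:35:55 2012
Iteration 1. Mon May 14 07:35:55 2012
Inputs size = 1.
Selected next input with score 1346.
Unique error(s) found: 0.

Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
"""

BAD_RUN_LOG = """Avalanche, a dynamic analysis tool. Mon May 14 07:38:03 2012

Error detected. Mon May 14 07:38:03 2012
  Process terminating with default action of signal 6 (SIGABRT)
     at 0x3E0F030285: raise (in /lib64/libc-2.5.so)
     by 0x3E0F031D2F: abort (in /lib64/libc-2.5.so)
     by 0x4005AB: main (in /home/vegs-usr/avalanche-0.4/samples/simple/sample2)
  Dumping input to file exploit_0_0.
  Command:  ./sample2 exploit_0_0

Iteration 1. Mon May 14 07:38:03 2012
Inputs size = 1.
Selected next input with score 1277.
Unique error(s) found: 1.

 Error #0: Received SIGABRT
  Inputs:   exploit_0_0; 
  Command:  ./sample2 exploit_0_0

Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
"""

DEBUG_RUN_LOG = """Avalanche, a dynamic analysis tool. Mon May 14 07:55:12 2012
Running plugin Covgrind.
Covgrind is finished.
First score = 1346.
Iteration 1. Mon May 14 07:55:12 2012
Inputs size = 1.
Selected next input with score 1346.
Running plugin Tracegrind.
Tracegrind exited on signal.
Failure in Tracegrind.
No QUERY's found.
Unique error(s) found: 0.

Time statistics: 0 sec, tracegrind: 0, covgrind: 0, stp: 0.
"""

# Line shapes taken from the output above (assumed to be stable).
ERROR_HDR = re.compile(r"^\s*Error #(\d+): (.+?)\s*$")   # " Error #0: Received SIGABRT"
INPUTS = re.compile(r"^\s*Inputs:\s*(.*?)\s*$")         # "  Inputs:   exploit_0_0; "
COMMAND = re.compile(r"^\s*Command:\s*(.*?)\s*$")       # "  Command:  ./sample2 exploit_0_0"
UNIQUE = re.compile(r"^\s*Unique error\(s\) found: (\d+)\.")
FAILURE = re.compile(r"^\s*Failure in (\w+)\.")         # "Failure in Tracegrind."


@dataclass
class AvalancheRun:
    unique_errors: Optional[int] = None          # value of "Unique error(s) found: N."
    plugin_failures: List[str] = field(default_factory=list)  # plugins reported as failed
    no_queries: bool = False                     # "No QUERY's found." seen
    errors: List[Dict] = field(default_factory=list)  # one dict per "Error #k" block


def parse_avalanche_log(text: str) -> AvalancheRun:
    """Walk the log once; "Error #k" opens a block that its Command: line closes.
    The Command: line inside "Error detected." is ignored because no block is open."""
    run = AvalancheRun()
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = ERROR_HDR.match(line)
        if m:
            current = {"id": int(m.group(1)), "signal": m.group(2),
                       "inputs": [], "command": None}
            run.errors.append(current)
            continue
        if current is not None:
            m = INPUTS.match(line)
            if m:
                current["inputs"] = [s.strip() for s in m.group(1).split(";") if s.strip()]
                continue
            m = COMMAND.match(line)
            if m:
                current["command"] = m.group(1)
                current = None
                continue
        m = UNIQUE.match(line)
        if m:
            run.unique_errors = int(m.group(1))
            continue
        m = FAILURE.match(line)
        if m:
            run.plugin_failures.append(m.group(1))
            continue
        if line.strip() == "No QUERY's found.":
            run.no_queries = True
    return run


def verdict(run: AvalancheRun) -> str:
    """'crash' if reproducers exist; 'tool-failure' if a plugin died or no STP
    queries were generated (a zero here is not evidence of a clean target);
    'clean' only when neither condition holds."""
    if run.errors:
        return "crash"
    if run.plugin_failures or run.no_queries:
        return "tool-failure"
    return "clean"


def reproducers(run: AvalancheRun) -> List[str]:
    """Commands Avalanche printed for re-running each dumped exploit input."""
    return [e["command"] for e in run.errors if e["command"]]


if __name__ == "__main__":
    for name, log in (("seed -v", SEED_RUN_LOG), ("bad -v", BAD_RUN_LOG),
                      ("seed --debug", DEBUG_RUN_LOG)):
        r = parse_avalanche_log(log)
        print(f"{name}: {verdict(r)} unique={r.unique_errors} repro={reproducers(r)}")
```

Run against the thread's own output, the plain `-v` seed run classifies as clean and the `--debug` run on the identical seed as a tool failure, because the plugin failure lines only appear with `--debug`. For unattended fuzzing that is the caveat: always run with `--debug` (or otherwise capture the plugin exit status) and treat "tool-failure" as a broken harness, never as "no bugs found".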

GoogleCodeExporter commented on July 19, 2024
It looks like tracegrind fails to produce a trace for STP. Can you run tracegrind 
explicitly? You'll need to omit the temp-dir and log-file options:
/usr/local/bin/../lib/avalanche/valgrind --tool=tracegrind --trace-children=no 
--startdepth=1 --invertdepth=100 --dump-prediction=yes --file=seed ./sample2 
seed

Original comment by [email protected] on 14 May 2012 at 1:34

from avalanche.

GoogleCodeExporter commented on July 19, 2024
==4875== Tracegrind-1.0, valgrind IR to STP declarations converter
==4875== Copyright (C) iisaev
==4875== Using Valgrind-3.7.0.SVN and LibVEX; rerun with -h for copyright info
==4875== Command: ./sample2 seed
==4875== 
==4875== 
==4875== Process terminating with default action of signal 11 (SIGSEGV)
==4875==  Access not within mapped region at address 0x1C
==4875==    at 0x3E0EC00A70: ??? (in /lib64/ld-2.5.so)
==4875==    by 0x1: ???
==4875==    by 0x7FEFFFF7E: ???
==4875==    by 0x7FEFFFF88: ???
==4875==  If you believe this happened as a result of a stack
==4875==  overflow in your program's main thread (unlikely but
==4875==  possible), you can try to increase the size of the
==4875==  main thread stack using the --main-stacksize= flag.
==4875==  The main thread stack size used in this run was 10485760.
==4875== 
==4875== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault

GDB shows:

Program received signal SIGSEGV, Segmentation fault.
createTaintedTemp (basicBlockLowerBytes=<value optimized out>, 
    basicBlockUpperBytes=<value optimized out>) at tg_main.c:3440
3440      curNode->visited++;

curNode is null...

Original comment by [email protected] on 14 May 2012 at 1:46

from avalanche.

GoogleCodeExporter commented on July 19, 2024
Could you try this patch?
cd avalanche-0.6.0
patch -p0 -i tracegrind_patch

Original comment by [email protected] on 14 May 2012 at 3:09

Attachments:

from avalanche.

GoogleCodeExporter commented on July 19, 2024
Thanks!  That seems to have fixed it on CentOS 5.8 and Fedora 16.  Great job.

Original comment by [email protected] on 14 May 2012 at 3:32

from avalanche.
