Antitaint variable names #5

Open
two-heart opened this issue May 26, 2020 · 2 comments
@two-heart

The transformation performed in anti-taint.py will create invalid C code in some cases. This is due to a missing check for the existence of variables named newvar_X.
A minimal example of where this will be a problem is:

int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
if(strcmp(str1, "hello")) {
    printf("True");
} else {
    printf("False");
}

which will be transformed to:

int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
//////////////// ANTI-TAINT-STR //////////////////
char newvar_1[strlen(str1)];
if (strlen(str1) < 30){    
    for (int i=0;i<strlen(str1);i++){
        int ch=0;
        int temp = 0;
        int temp2 = 0;
        for (int j=0; j<8;j++){
            temp = str1[i];
            temp2 = temp & (1<<j);
            if (temp2 !=0){
                ch |= 1<<j;
            }
        }
        newvar_1[i] = ch;
    }
}
else{    
    strncpy(newvar_1, str1, strlen(str1));
}
//////////////////////////////////////////////////
   if(strcmp(newvar_1, "hello")) {
      printf("True");
   } else {
      printf("False");
   }

where newvar_1 is already in use.

Further, I would like to ask you where you apply the CRC checksum replacements of the form:

// original code: if (value == 12345)
if (CRC_LOOP(value) == OUTPUT_CRC) { ... }

that you write about in your paper.

@two-heart
Author

In some rare cases fuzzification will even produce valid C code that has a different meaning:

strcpy(str1, "if(strcmp(str2,str1))");

@jinhojun
Contributor

Thanks for the report.

We confirmed the problem. We will fix shortly.
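
The two checks this thread calls for, as an added example that is not taken from anti-taint.py or from the project: pick a newvar_N that no identifier in the input already uses, and treat strcmp as a call only when it appears in code rather than inside a string literal or comment. The function names, the regex tokenizer and the sample input are assumptions made for illustration; C scoping and macro expansion are not modelled.

```python
import re

# One pass over C source. Comments and literals are matched first, so any
# identifier-like text inside them is consumed and never reported as code.
_TOKEN = re.compile(r'''
    (?P<skip>//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
  | (?P<ident>[A-Za-z_]\w*)
''', re.VERBOSE | re.DOTALL)


def code_identifiers(source):
    """Yield (name, offset) for identifiers that appear in code only."""
    for m in _TOKEN.finditer(source):
        if m.lastgroup == "ident":
            yield m.group("ident"), m.start()


def fresh_name(source, prefix="newvar_"):
    """Return the first prefix+N that no identifier in the source uses."""
    used = {name for name, _ in code_identifiers(source)}
    n = 1
    while f"{prefix}{n}" in used:
        n += 1
    return f"{prefix}{n}"


def call_sites(source, func="strcmp"):
    """Offsets of real calls to func, ignoring literals and comments."""
    return [off for name, off in code_identifiers(source)
            if name == func
            and source[off + len(name):].lstrip().startswith("(")]


# Constructed sample combining both cases reported in this issue.
SAMPLE = r'''
int newvar_1 = 1;
char str1[20];
strcpy(str1, "if(strcmp(str2,str1))");  /* newvar_2 in a comment */
if(strcmp(str1, "hello")) {
    printf("True");
}
'''

if __name__ == "__main__":
    print(fresh_name(SAMPLE))   # name that is safe to introduce
    print(call_sites(SAMPLE))   # offset of the single real strcmp call
```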
