I'm already cache-thrashing with all of my side projects, so if anyone's interested I'll leave this to them.
A few days ago, I wanted to try American Fuzzy Lop (afl), and bc(1) seemed like a good first target: it pretty much just goes from stdin to stdout, so there's no code reorganization needed. For those not familiar, bc compiles its input to dc(1)'s syntax and forks to dc.

There are many unique crash paths - 1041 before I killed afl. Most center around emit(), which emits a dc instr. Many pass NULL to fputs() in emit(). I found at least one (crashes/id:001041*) that nondeterministically passes the str pointer 0xdfdfdfdfdfdfdfdf to fputs(), which is probably uninitialized or already-freed memory. Backtrace below. malloc.conf(5) may be useful.

Here's the full afl directory: http://www.sccs.swarthmore.edu/users/16/mmcconv1/bc-afl/

Core was generated by `bc'.
Program terminated with signal SIGBUS, Bus error.
#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:152
152             movq    (%rax),%rdx     /* first data in high bytes */
(gdb) bt
#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:152
#1  0x000019f79fa7c43d in *_libc_fputs (s=0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>, fp=0x1) at /usr/src/lib/libc/stdio/fputs.c:50
#2  0x000019f4ecb0f401 in emit (i=28548786530304) at /usr/src/usr.bin/bc/bc.y:810
#3  yyparse () at /usr/src/usr.bin/bc/bc.y:178
#4  0x000019f4ecb13f3e in main (argc=1, argv=0x7f7fffffa570) at /usr/src/usr.bin/bc/bc.y:1188
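The post reports 1041 crash files in afl's crashes/ directory and notes that one of them only fails nondeterministically. A first triage step a maintainer picking this up would want is to replay every saved input against the target and see which ones still kill it, and by which signal. The script below is an added example written for this post, not code from the original message or from the bc/afl projects. It assumes a directory of afl-style crash files named id:* and a target command that reads its input from stdin (as bc does); the function names replay_crashes and count_crashes are this example's own.

```shell
# Replay afl crash inputs against a target and bucket them by terminating signal.
# Added example, not from the original post; assumes afl-style files named id:*
# and a target that reads stdin.

# Print "<file> signal <n>" for each input that kills the target by signal,
# then a summary line "crashed <k> of <total>". Always returns 0 so it can be
# used under set -e.
replay_crashes() {
    dir="$1"; shift            # remaining arguments are the target command
    total=0; crashed=0
    for f in "$dir"/id:*; do
        [ -e "$f" ] || continue
        total=$((total + 1))
        # An exit status of 128+n means the target died from signal n.
        "$@" < "$f" > /dev/null 2>&1 && rc=0 || rc=$?
        if [ "$rc" -gt 128 ]; then
            crashed=$((crashed + 1))
            echo "$f signal $((rc - 128))"
        fi
    done
    echo "crashed $crashed of $total"
    return 0
}

# Print only the number of crashing inputs, convenient for scripting.
count_crashes() {
    replay_crashes "$@" | sed -n 's/^crashed \([0-9]*\) of .*/\1/p'
}

# Usage on a real afl run (directory layout as in the post):
#   replay_crashes afl-out/crashes ./bc
# On OpenBSD, malloc.conf(5) options can be set through the MALLOC_OPTIONS
# environment variable for the replay, which helps surface the use of freed
# or uninitialized memory that the post suspects behind the 0xdf... pointer.
```

Inputs that crash only sometimes, like the one the post singles out, will show up as crashing in some replays and not others; running the loop a few times and diffing the output lists is a cheap way to separate those from the deterministic ones.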