From 1e9c90c079c76766b37eb38a7fcd99177f73e978 Mon Sep 17 00:00:00 2001 
From: SonicStark <50692172+SonicStark@users.noreply.github.com> Date: Wed, 19 Jul 2023 14:25:25 +0000 Subject: [PATCH] Fix several bugs New implementation had been tested with all fuzz scripts in *./examples* since the last commit. Bugs found and fixed in the new implementation: build.sh - `info` method has been [removed from networkx 3](https://networkx.org/documentation/stable/release/release_3.0.html). *add_edges.py* and *distance.py* give `AttributeError: module 'networkx' has no attribute 'info'`. - Incorrect work directory when compiling aflgo. Readme.md - Should also install older versions of networkx. - Should remind users for libxml2 in another level-1 title. - Should inform users that the dependencies aren't installed by fuzzing scripts. afl-2.57b/Makefile - Missing link of libm (for math.h) instrument/aflgo-clang.c - Incorrect construction of obj_path instrument/aflgo-runtime.c - Incorrect relative include path instrument/Makefile - Missing "./" distance/distance_calculator/CMakeLists.txt - Incorrect file extension distance/gen_distance_orig.sh - Redundant `set -euo pipefail`. The script has its own error handling processes such as `|| FAIL=1`. - Inconsistent behavior with *gen_distance_fast.py* because of `find`. The python script uses `Path.glob`, which won't search recursively without "**/". However GNU find searches the whole directory tree. So use `-maxdepth` to constrain it. examples - All scripts should fit new *gen_distance_orig.sh* (consistent with *gen_distance_fast.py*) and stop abusing $SUBJECT everywhere :( - *KTY_Pretty_Printer.sh*, *LMS.sh* and *Palindrome.sh*: https://github.com/trailofbits/cb-multios/pull/86 force it to use clang in cmake/32.cmake and cmake/64.cmake, making $CC and $CXX useless. - *libming-CVE-2018-8807.sh* and *libming-CVE-2018-8962.sh*: Without "-fcommon" the linker called by clang will fail. 
See https://github.com/squaresLab/security-repair-benchmarks/issues/19 - *libxml2-ef709ce2.sh*: Should undo `set -e` because `cp $SUBJECT/test/dtd* in` needs to ignore directory *$SUBJECT/test/dtds* as normal. --- Readme.md | 6 ++++-- afl-2.57b/Makefile | 2 +- build.sh | 4 +++- distance/distance_calculator/CMakeLists.txt | 2 +- distance/gen_distance_orig.sh | 6 ++---- examples/KTY_Pretty_Printer.sh | 7 ++++--- examples/LMS.sh | 7 ++++--- examples/Palindrome.sh | 7 ++++--- examples/cxxfilt-CVE-2016-4487.sh | 4 ++-- examples/giflib-bugs-74.sh | 4 ++-- examples/jasper-CVE-2015-5221.sh | 4 ++-- examples/libming-CVE-2018-8807.sh | 15 ++++++++++----- examples/libming-CVE-2018-8962.sh | 15 ++++++++++----- examples/libxml2-ef709ce2.sh | 3 ++- examples/lrzip-CVE-2017-8846.sh | 4 ++-- examples/lrzip-CVE-2018-11496.sh | 4 ++-- examples/mjs-issues-57.sh | 4 ++-- examples/mjs-issues-78.sh | 4 ++-- examples/objdump-CVE-2017-8392.sh | 4 ++-- instrument/Makefile | 2 +- instrument/aflgo-clang.c | 4 ++-- instrument/aflgo-runtime.o.c | 8 ++++---- 22 files changed, 68 insertions(+), 52 deletions(-) diff --git a/Readme.md b/Readme.md index aae65f5d..c51b79f0 100644 --- a/Readme.md +++ b/Readme.md @@ -38,7 +38,7 @@ The easiest way to use AFLGo is as patch testing tool in OSS-Fuzz. Here is our i sudo apt-get install python3-pip sudo apt-get install libboost-all-dev # boost is not required if you use gen_distance_orig.sh in step 7 sudo pip3 install --upgrade pip - sudo pip3 install networkx + sudo pip3 install "networkx<3.0" sudo pip3 install pydot sudo pip3 install pydotplus ``` @@ -165,6 +165,8 @@ The easiest way to use AFLGo is as patch testing tool in OSS-Fuzz. Here is our i # How to fuzz the instrumented binary * We set the exponential annealing-based power schedule (`-z exp`). * We set the time-to-exploitation to 45min (`-c 45m`), assuming the fuzzer is run for about an hour. + +(Still take the previous libxml2 as an example) ```bash # Construct seed corpus mkdir in 
@@ -177,4 +179,4 @@ $AFLGO/afl-2.57b/afl-fuzz -S ef709ce2 -z exp -c 45m -i in -o out $SUBJECT/xmllin ```bash $AFL/afl-fuzz -M master -i in -o out $MASTER/xmllint --valid --recover @@ ``` -* Run more [fuzzing scripts](./examples) of various real programs like Binutils, jasper, lrzip, libming and DARPA CGC. +* Run more [fuzzing scripts](./examples) of various real programs like *Binutils*, *jasper*, *lrzip*, *libming* and *DARPA CGC*. Those scripts haven't contained any dependencies installing steps yet. So it's recommended that see READMEs of those projects first to check their requirements. diff --git a/afl-2.57b/Makefile b/afl-2.57b/Makefile index 0fd97622..c918b335 100644 --- a/afl-2.57b/Makefile +++ b/afl-2.57b/Makefile @@ -34,7 +34,7 @@ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ -DAFLGO_IMPL=1 ifneq "$(filter Linux GNU%,$(shell uname))" "" - LDFLAGS += -ldl + LDFLAGS += -ldl -lm endif ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" "" diff --git a/build.sh b/build.sh index 45bf5801..e919b1f0 100755 --- a/build.sh +++ b/build.sh @@ -73,7 +73,7 @@ export LC_ALL=C apt-get update apt install -y python-dev python3 python3-dev python3-pip autoconf automake libtool-bin python-bs4 libboost-all-dev # libclang-11.0-dev python3 -m pip install --upgrade pip -python3 -m pip install networkx pydot pydotplus +python3 -m pip install "networkx<3.0" pydot pydotplus ############################## ### Build AFLGo components ### @@ -83,6 +83,8 @@ export CXX=/usr/bin/clang++ export CC=/usr/bin/clang export LLVM_CONFIG=/usr/bin/llvm-config +cd $( dirname "${BASH_SOURCE[0]}" ) + pushd afl-2.57b make clean all popd diff --git a/distance/distance_calculator/CMakeLists.txt b/distance/distance_calculator/CMakeLists.txt index a360e408..3e2dd581 100644 --- a/distance/distance_calculator/CMakeLists.txt +++ b/distance/distance_calculator/CMakeLists.txt 
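Review bot: The new `cd $( dirname "${BASH_SOURCE[0]}" )` in build.sh leaves the command substitution unquoted and never checks that the `cd` succeeded, so a checkout path containing whitespace is split into several words and a failed `cd` lets the following `pushd afl-2.57b` run in whatever directory the caller happened to be in. Use `cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1`. Whether the script enables `set -e` earlier is outside this hunk, so I have not relied on it to catch the failure.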
@@ -18,5 +18,5 @@ find_package(Boost
 set(CMAKE_CXX_STANDARD 14)
-add_executable(distance.bin distance.bin.cpp)
+add_executable(distance.bin distance.bin.cc)
 target_link_libraries(distance.bin ${Boost_LIBRARIES})
diff --git a/distance/gen_distance_orig.sh b/distance/gen_distance_orig.sh
index 9fdd613d..c3a5e4fb 100755
--- a/distance/gen_distance_orig.sh
+++ b/distance/gen_distance_orig.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
-set -euo pipefail
-
 if [ $# -lt 2 ]; then
 echo "Usage: $0 [fuzzer-name]"
 echo ""
@@ -13,7 +11,7 @@ TMPDIR=$(readlink -e $2)
 AFLGO="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../" && pwd )"
 fuzzer=""
 if [ $# -eq 3 ]; then
- fuzzer=$(find $BINARIES -name "$3.0.0.*.bc" | rev | cut -d. -f5- | rev)
+ fuzzer=$(find $BINARIES -maxdepth 1 -name "$3.0.0.*.bc" | rev | cut -d. -f5- | rev)
 if [ $(echo "$fuzzer" | wc -l) -ne 1 ]; then
 echo "Couldn't find bytecode for fuzzer $3 in folder $BINARIES."
 exit 1
@@ -28,7 +26,7 @@ if [ -z "$BINARIES" ]; then echo "Couldn't find binaries folder ($1)."; exit 1;
 if ! [ -d "$BINARIES" ]; then echo "No directory: $BINARIES."; exit 1; fi
 if [ -z "$TMPDIR" ]; then echo "Couldn't find temporary directory ($3)."; exit 1; fi
-binaries=$(find $BINARIES -name "*.0.0.*.bc" | rev | cut -d. -f5- | rev)
+binaries=$(find $BINARIES -maxdepth 1 -name "*.0.0.*.bc" | rev | cut -d. -f5- | rev)
 if [ -z "$binaries" ]; then echo "Couldn't find any binaries in folder $BINARIES."; exit; fi
 if [ -z $(which python) ] && [ -z $(which python3) ]; then echo "Please install Python"; exit 1; fi
diff --git a/examples/KTY_Pretty_Printer.sh b/examples/KTY_Pretty_Printer.sh
index 85a9bae9..348a7278 100755
--- a/examples/KTY_Pretty_Printer.sh
+++ b/examples/KTY_Pretty_Printer.sh
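Review bot: The `-ne 1` test on the line after the new `find ... -maxdepth 1` still passes when nothing matches, because `echo "" | wc -l` prints 1, so an unknown fuzzer name (or a bytecode file that now sits one level deeper than `-maxdepth 1` reaches) falls through with an empty `$fuzzer` instead of hitting the "Couldn't find bytecode" branch, and with `set -euo pipefail` removed in the first hunk nothing else stops the script. Change the check to `if [ -z "$fuzzer" ] || [ "$(echo "$fuzzer" | wc -l)" -ne 1 ]; then`. While touching both `find` lines, quote `"$BINARIES"`: the same removal of `set -u` means a mistyped variable now expands to an empty string and `find` silently searches the current directory.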
@@ -3,9 +3,10 @@ set -euo pipefail git clone https://github.com/trailofbits/cb-multios KTY_Pretty_Printer -cd KTY_Pretty_Printer; mv challenges all-challenges; mkdir -p challenges/KTY_Pretty_Printer; cp -r all-challenges/KTY_Pretty_Printer challenges +cd KTY_Pretty_Printer; git checkout ad6695055cbfc13d8daf1def79f44f0c6e4cb858 +mv challenges all-challenges; mkdir -p challenges/KTY_Pretty_Printer; cp -r all-challenges/KTY_Pretty_Printer challenges mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -13,7 +14,7 @@ echo $'main.c:164\nmain.c:62\nkty.c:532\nkty.c:498\nkty.c:371\nkty.c:568\nfree.c LINK=STATIC CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ./build.sh cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd build/challenges/KTY_Pretty_Printer; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR KTY_Pretty_Printer +cd build/challenges/KTY_Pretty_Printer; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR KTY_Pretty_Printer cd -; rm -rf build; LINK=STATIC CFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" ./build.sh cd -; mkdir in; echo "" > in/in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./KTY_Pretty_Printer \ No newline at end of file diff --git a/examples/LMS.sh b/examples/LMS.sh index f077253d..314aa227 100755 --- a/examples/LMS.sh +++ b/examples/LMS.sh 
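Review bot: The new `git checkout ad6695055cbfc13d8daf1def79f44f0c6e4cb858` pins cb-multios to a working revision, but nothing in the script records why that revision was chosen, so the next person who "updates" the pin will reintroduce the build that ignores `$CC`/`$CXX`. Add a comment on the line above it, e.g. `# pinned: later cb-multios revisions (trailofbits/cb-multios#86) hard-code clang in cmake/32.cmake and cmake/64.cmake and ignore $CC/$CXX`. The identical change in LMS.sh and Palindrome.sh deserves the same comment.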
@@ -3,9 +3,10 @@ set -euo pipefail git clone https://github.com/trailofbits/cb-multios LMS -cd LMS; mv challenges all-challenges; mkdir -p challenges/LMS; cp -r all-challenges/LMS challenges +cd LMS; git checkout ad6695055cbfc13d8daf1def79f44f0c6e4cb858 +mv challenges all-challenges; mkdir -p challenges/LMS; cp -r all-challenges/LMS challenges mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -13,7 +14,7 @@ echo $'service.c:227\nservice.c:183\nservice.c:91\nlibc.c:503\nlibc.c:385' > $TM LINK=STATIC CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ./build.sh cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd build/challenges/LMS; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR LMS +cd build/challenges/LMS; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR LMS cd -; rm -rf build; LINK=STATIC CFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" ./build.sh cd -; mkdir in; echo "" > in/in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./LMS \ No newline at end of file diff --git a/examples/Palindrome.sh b/examples/Palindrome.sh index 2e6ae288..4a7bbee1 100755 --- a/examples/Palindrome.sh +++ b/examples/Palindrome.sh 
@@ -3,9 +3,10 @@ set -euo pipefail git clone https://github.com/trailofbits/cb-multios -cd cb-multios; mv challenges all-challenges; mkdir -p challenges/Palindrome; cp -r all-challenges/Palindrome challenges +cd cb-multios; git checkout ad6695055cbfc13d8daf1def79f44f0c6e4cb858 +mv challenges all-challenges; mkdir -p challenges/Palindrome; cp -r all-challenges/Palindrome challenges mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -13,7 +14,7 @@ echo $'service.c:65' > $TMP_DIR/BBtargets.txt LINK=STATIC CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ./build.sh cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd build/challenges/Palindrome; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR Palindrome +cd build/challenges/Palindrome; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR Palindrome cd -; rm -rf build; LINK=STATIC CFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-g -distance=$TMP_DIR/distance.cfg.txt" ./build.sh cd -; mkdir in; echo "" > in/in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./Palindrome \ No newline at end of file diff --git a/examples/cxxfilt-CVE-2016-4487.sh b/examples/cxxfilt-CVE-2016-4487.sh index 1a23e9bb..5e09a9f8 100755 --- a/examples/cxxfilt-CVE-2016-4487.sh +++ b/examples/cxxfilt-CVE-2016-4487.sh 
@@ -5,7 +5,7 @@ set -euo pipefail git clone git://sourceware.org/git/binutils-gdb.git cxxfilt-CVE-2016-4487 cd cxxfilt-CVE-2016-4487; git checkout 2c49145 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -14,7 +14,7 @@ cd obj-aflgo; CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fno-omit-frame-p make clean; make cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd binutils; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR cxxfilt +cd binutils; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR cxxfilt cd ../../; mkdir obj-dist; cd obj-dist; # work around because cannot run make distclean CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fno-omit-frame-pointer -g -Wno-error -distance=$TMP_DIR/distance.cfg.txt" LDFLAGS="-ldl -lutil" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld make diff --git a/examples/giflib-bugs-74.sh b/examples/giflib-bugs-74.sh index aff7337e..4d5a8ecc 100755 --- a/examples/giflib-bugs-74.sh +++ b/examples/giflib-bugs-74.sh 
@@ -5,7 +5,7 @@ set -euo pipefail git clone https://git.code.sf.net/p/giflib/code giflib-bugs-74 cd giflib-bugs-74; git checkout 72e31ff mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -15,7 +15,7 @@ cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable make clean; make -j4 cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR gifsponge +$AFLGO/distance/gen_distance_orig.sh $PWD/util $TMP_DIR gifsponge CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` make clean; make -j4 mkdir in; echo "GIF" > in/in diff --git a/examples/jasper-CVE-2015-5221.sh b/examples/jasper-CVE-2015-5221.sh index 4f256011..92f26599 100755 --- a/examples/jasper-CVE-2015-5221.sh +++ b/examples/jasper-CVE-2015-5221.sh @@ -5,7 +5,7 @@ set -euo pipefail git clone https://github.com/mdadams/jasper.git jasper-CVE-2015-5221 cd jasper-CVE-2015-5221; git checkout 142245b mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" 
@@ -14,7 +14,7 @@ cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable make clean; make -j4 cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd src/appl; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR jasper +cd src/appl; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR jasper cd -; CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` make clean; make -j4 mkdir in; echo "" > in/in diff --git a/examples/libming-CVE-2018-8807.sh b/examples/libming-CVE-2018-8807.sh index dcca8c89..5ab99a80 100755 --- a/examples/libming-CVE-2018-8807.sh +++ b/examples/libming-CVE-2018-8807.sh 
@@ -5,18 +5,23 @@ set -euo pipefail git clone https://github.com/libming/libming.git libming-CVE-2018-8807 cd libming-CVE-2018-8807/; git checkout b72cc2f # version 0.4.8 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" echo $'decompile.c:349' > $TMP_DIR/BBtargets.txt ./autogen.sh; -cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable-shared --prefix=`pwd` +cd obj-aflgo; CFLAGS="-fcommon $ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable-shared --prefix=`pwd` make clean; make cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd util; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR swftophp -cd -; CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` +cd util; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR swftophp +cd -; CFLAGS="-fcommon -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` make clean; make mkdir in; wget -P in http://condor.depaul.edu/sjost/hci430/flash-examples/swf/bumble-bee1.swf -$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./util/swftophp @@ \ No newline at end of file +$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./util/swftophp @@ + +# For "-fcommon" in CFLAGS please see +# - https://github.com/libming/libming/issues/55 +# - https://github.com/libming/libming/issues/199 +# - 
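Review bot: The explanation for `-fcommon` is appended after the `afl-fuzz` invocation at the very end of the script, far from the two `configure` lines that actually use it, so a reader of `CFLAGS="-fcommon $ADDITIONAL"` has no idea why `CFLAGS` and `CXXFLAGS` now differ. Move the three-link comment directly above the first `cd obj-aflgo; CFLAGS="-fcommon $ADDITIONAL" ...` line and lead with the effect in one sentence, e.g. `# -fcommon: newer clang defaults to -fno-common and the link of this libming revision fails without it (see issues below)`. libming-CVE-2018-8962.sh repeats the same layout and needs the same move.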
https://github.com/squaresLab/security-repair-benchmarks/issues/19 diff --git a/examples/libming-CVE-2018-8962.sh b/examples/libming-CVE-2018-8962.sh index 0620eca7..7e541fc3 100755 --- a/examples/libming-CVE-2018-8962.sh +++ b/examples/libming-CVE-2018-8962.sh 
@@ -5,18 +5,23 @@ set -euo pipefail git clone https://github.com/libming/libming.git libming-CVE-2018-8962 cd libming-CVE-2018-8962/; git checkout b72cc2f # version 0.4.8 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" echo $'decompile.c:398' > $TMP_DIR/BBtargets.txt ./autogen.sh; -cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable-shared --prefix=`pwd` +cd obj-aflgo; CFLAGS="-fcommon $ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable-shared --prefix=`pwd` make clean; make cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd util; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR swftophp -cd -; CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` +cd util; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR swftophp +cd -; CFLAGS="-fcommon -distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` make clean; make mkdir in; wget -P in http://condor.depaul.edu/sjost/hci430/flash-examples/swf/bumble-bee1.swf -$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./util/swftophp @@ \ No newline at end of file +$AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./util/swftophp @@ + +# For "-fcommon" in CFLAGS please see +# - https://github.com/libming/libming/issues/55 +# - https://github.com/libming/libming/issues/199 +# - 
https://github.com/squaresLab/security-repair-benchmarks/issues/19 diff --git a/examples/libxml2-ef709ce2.sh b/examples/libxml2-ef709ce2.sh index 319e74a4..00f057bc 100755 --- a/examples/libxml2-ef709ce2.sh +++ b/examples/libxml2-ef709ce2.sh @@ -19,8 +19,9 @@ cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --disable make clean; make -j4 cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR xmllint +$AFLGO/distance/gen_distance_orig.sh $SUBJECT/obj-aflgo $TMP_DIR xmllint CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --disable-shared --prefix=`pwd` make clean; make -j4 +set +e mkdir in; cp $SUBJECT/test/dtd* in; cp $SUBJECT/test/dtds/* in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ./xmllint --valid --recover @@ diff --git a/examples/lrzip-CVE-2017-8846.sh b/examples/lrzip-CVE-2017-8846.sh index 0cb0dc67..f0820100 100755 --- a/examples/lrzip-CVE-2017-8846.sh +++ b/examples/lrzip-CVE-2017-8846.sh @@ -5,7 +5,7 @@ set -euo pipefail git clone https://github.com/ckolivas/lrzip.git lrzip-CVE-2017-8846 cd lrzip-CVE-2017-8846; git checkout 9de7ccb mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" 
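Review bot: The new `set +e` switches off error checking for the whole remainder of libxml2-ef709ce2.sh, including `mkdir in` and the `afl-fuzz` run, only to tolerate `cp $SUBJECT/test/dtd* in` tripping over the `dtds` directory. Scope the exception to that one command instead: `find "$SUBJECT/test" -maxdepth 1 -type f -name 'dtd*' -exec cp {} in \;` copies just the regular files, or at minimum `cp $SUBJECT/test/dtd* in 2>/dev/null || true`, and leave the script's `set -e` in force. Note this script still depends on `$SUBJECT` (its export is outside the hunk) while every other example in this commit replaced it with `$PWD`, which is worth a one-line comment so it is not "cleaned up" by mistake.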
@@ -15,7 +15,7 @@ cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --prefix= make clean; make -j4 cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR lrzip +$AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR lrzip CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --prefix=`pwd` make clean; make -j4 mkdir in; echo "" > in/in diff --git a/examples/lrzip-CVE-2018-11496.sh b/examples/lrzip-CVE-2018-11496.sh index 78e5d7c4..cae4df69 100755 --- a/examples/lrzip-CVE-2018-11496.sh +++ b/examples/lrzip-CVE-2018-11496.sh @@ -5,7 +5,7 @@ set -euo pipefail git clone https://github.com/ckolivas/lrzip.git lrzip-CVE-2018-11496 cd lrzip-CVE-2018-11496/; git checkout ed51e14 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" 
@@ -15,7 +15,7 @@ cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --prefix= make clean; make -j4 cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR lrzip +$AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR lrzip CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --prefix=`pwd` make clean; make -j4 mkdir in; echo "" > in/in diff --git a/examples/mjs-issues-57.sh b/examples/mjs-issues-57.sh index 053f5509..834fefd9 100755 --- a/examples/mjs-issues-57.sh +++ b/examples/mjs-issues-57.sh @@ -5,7 +5,7 @@ set -euo pipefail git clone https://github.com/cesanta/mjs.git mjs-issues-57 cd mjs-issues-57; git checkout d6c06a6 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -13,7 +13,7 @@ echo $'mjs.c:13732' > $TMP_DIR/BBtargets.txt $CC -DMJS_MAIN mjs.c $ADDITIONAL -ldl -g -o mjs-bin cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR mjs-bin +$AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR mjs-bin $CC -DMJS_MAIN mjs.c -distance=$TMP_DIR/distance.cfg.txt -ldl -g -o mjs-bin cd obj-aflgo; mkdir in; echo "" > in/in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ../mjs-bin -f @@ 
diff --git a/examples/mjs-issues-78.sh b/examples/mjs-issues-78.sh index 94d11f80..a6d728cb 100755 --- a/examples/mjs-issues-78.sh +++ b/examples/mjs-issues-78.sh @@ -5,7 +5,7 @@ set -euo pipefail git clone https://github.com/cesanta/mjs.git mjs-issues-78 cd mjs-issues-78; git checkout 9eae0e6 mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -13,7 +13,7 @@ echo $'mjs.c:4908' > $TMP_DIR/BBtargets.txt $CC -DMJS_MAIN mjs.c $ADDITIONAL -ldl -g -o mjs-bin cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -$AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR mjs-bin +$AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR mjs-bin $CC -DMJS_MAIN mjs.c -distance=$TMP_DIR/distance.cfg.txt -ldl -g -o mjs-bin cd obj-aflgo; mkdir in; echo "" > in/in $AFLGO/afl-2.57b/afl-fuzz -m none -z exp -c 45m -i in -o out ../mjs-bin -f @@ diff --git a/examples/objdump-CVE-2017-8392.sh b/examples/objdump-CVE-2017-8392.sh index 2b229e01..08899c3e 100755 --- a/examples/objdump-CVE-2017-8392.sh +++ b/examples/objdump-CVE-2017-8392.sh 
@@ -5,7 +5,7 @@ set -euo pipefail git clone git://sourceware.org/git/binutils-gdb.git CVE-2017-8392 cd CVE-2017-8392; git checkout a6c21d4a553de184562fd8409a5bcd3f2cc2561a mkdir obj-aflgo; mkdir obj-aflgo/temp -export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp +export TMP_DIR=$PWD/obj-aflgo/temp export CC=$AFLGO/instrument/aflgo-clang; export CXX=$AFLGO/instrument/aflgo-clang++ export LDFLAGS=-lpthread export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps" @@ -14,7 +14,7 @@ cd obj-aflgo; CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fno-omit-frame-p make clean; make cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt -cd binutils; $AFLGO/distance/gen_distance_orig.sh $SUBJECT $TMP_DIR objdump -SD @@ +cd binutils; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR objdump -SD @@ cd ../../; mkdir obj-dist; cd obj-dist; # work around because cannot run make distclean CFLAGS="-DFORTIFY_SOURCE=2 -fstack-protector-all -fno-omit-frame-pointer -g -Wno-error -distance=$TMP_DIR/distance.cfg.txt" LDFLAGS="-ldl -lutil" ../configure --disable-shared --disable-gdb --disable-libdecnumber --disable-readline --disable-sim --disable-ld make diff --git a/instrument/Makefile b/instrument/Makefile index 774e388c..759f02e6 100644 --- a/instrument/Makefile +++ b/instrument/Makefile 
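Review bot: `gen_distance_orig.sh $PWD $TMP_DIR objdump -SD @@` passes five arguments, but the script (see the `if [ $# -eq 3 ]` check in its own hunk in this patch) only treats the third argument as a fuzzer name when exactly three are given, so the `-SD @@` tail is not a fuzzer command line here and the objdump filter is silently skipped — every `*.0.0.*.bc` under `$PWD` is processed. If the intent is to select objdump, drop the tail: `cd binutils; $AFLGO/distance/gen_distance_orig.sh $PWD $TMP_DIR objdump`. If the intent was to forward fuzzer arguments, the script has no documented way to accept them that I can see.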
@@ -81,7 +81,7 @@ aflgo-runtime-64.o: aflgo-runtime.o.c | test_deps
 test_build: $(PROGS)
 @echo "[*] Testing the CC wrapper and instrumentation output..."
- unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=$(CC) aflgo-clang $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
+ unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_CC=$(CC) ./aflgo-clang $(CFLAGS) ./test-instr.c -o test-instr $(LDFLAGS)
 # Use /dev/null to avoid problems with optimization messing up expected
 # branches. See https://github.com/google/AFL/issues/30.
 ../afl-2.57b/afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
diff --git a/instrument/aflgo-clang.c b/instrument/aflgo-clang.c
index 60d84812..a7ebc11d 100644
--- a/instrument/aflgo-clang.c
+++ b/instrument/aflgo-clang.c
@@ -39,7 +39,7 @@ static void find_obj(u8* argv0) {
 tmp = alloc_printf("%s/instrument/aflgo-runtime.o", afl_path);
 if (!access(tmp, R_OK)) {
- obj_path = afl_path;
+ obj_path = alloc_printf("%s/instrument", afl_path);
 ck_free(tmp);
 return;
 }
@@ -58,7 +58,7 @@ static void find_obj(u8* argv0) {
 dir = ck_strdup(argv0);
 *slash = '/';
- tmp = alloc_printf("%s/instrument/aflgo-runtime.o", dir);
+ tmp = alloc_printf("%s/aflgo-runtime.o", dir);
 if (!access(tmp, R_OK)) {
 obj_path = dir;
diff --git a/instrument/aflgo-runtime.o.c b/instrument/aflgo-runtime.o.c
index e3c1ddfd..92fd7c58 100644
--- a/instrument/aflgo-runtime.o.c
+++ b/instrument/aflgo-runtime.o.c
@@ -12,8 +12,8 @@
 */
-#include "../config.h"
-#include "../types.h"
+#include "../afl-2.57b/config.h"
+#include "../afl-2.57b/types.h"
 #include
 #include
@@ -38,8 +38,8 @@
 //#define AFLGO_TRACING
 #ifdef AFLGO_TRACING
-#include "../hash.h"
-#include "../hashset.h"
+#include "../afl-2.57b/hash.h"
+#include "hashset.h"
 #include
 /* Variables for profiling */
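Review bot: After this change both branches of `find_obj` must agree that `obj_path` is the directory that directly contains `aflgo-runtime.o` — the first builds it as `<afl_path>/instrument`, the second assigns the `dir` derived from `argv0` — and nothing in the hunk records that invariant, so the next edit to one branch can silently re-break the other. Add a comment above the first `alloc_printf`, `/* obj_path must be the directory holding aflgo-runtime.o itself (the instrument/ dir), however it is located */`. Where `afl_path` comes from, and the failure path that releases `tmp` when `access()` fails, are outside the hunk, as are the start and end of `find_obj`, so I have not checked that the new `alloc_printf` result is matched by whatever frees `obj_path`; if `afl_path` is read from the environment as in upstream AFL, a comment that it selects the runtime object linked into every instrumented binary is worth having.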
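Review bot: The new include paths hard-code the `afl-2.57b` directory name into aflgo-runtime.o.c, so bumping the bundled AFL means editing every source file that includes its headers; adding `-I../afl-2.57b` to the compiler flags in instrument/Makefile and keeping `#include "config.h"` here would confine that to one place. The second hunk is also inconsistent on its face — `hash.h` is taken from `../afl-2.57b/` but `hashset.h` from the current directory — presumably because `hashset.h` lives in instrument/ (not visible here); a one-line comment on the `#ifdef AFLGO_TRACING` block saying so would stop someone "fixing" it back to `../afl-2.57b/hashset.h`.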