AFLplusplus
diff --git a/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions b/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/build_and_test.yml‎
Lines changed: 10 additions & 21 deletions b/‎.github/workflows/build_and_test.yml‎
Lines changed: 10 additions & 21 deletions
diff --git a/‎.github/workflows/ubuntu-prepare/action.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/ubuntu-prepare/action.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 0 additions & 12 deletions b/‎Cargo.toml‎
Lines changed: 0 additions & 12 deletions
diff --git a/‎Justfile‎
Lines changed: 2 additions & 7 deletions b/‎Justfile‎
Lines changed: 2 additions & 7 deletions
diff --git a/‎README.md‎
Lines changed: 0 additions & 1 deletion b/‎README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎bindings/pylibafl/pyproject.toml‎
Lines changed: 0 additions & 1 deletion b/‎bindings/pylibafl/pyproject.toml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎crates/README.md‎
Lines changed: 0 additions & 1 deletion b/‎crates/README.md‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎crates/fast_rands/src/lib.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/fast_rands/src/lib.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/libafl/Cargo.toml‎
Lines changed: 2 additions & 5 deletions b/‎crates/libafl/Cargo.toml‎
Lines changed: 2 additions & 5 deletions
@@ -0,0 +1 @@
+Cargo.lock linguist-generated=true
@@ -11,9 +11,10 @@ on:
   workflow_dispatch:
   merge_group:
 env:
+  AFL_PIZZA_MODE: "-1" # this is sad, I know, but it breaks on a certain spring day otherwise :(
   CARGO_TERM_COLOR: always
   CARGO_NET_GIT_FETCH_WITH_CLI: true
-  MAIN_LLVM_VERSION: 18
+  MAIN_LLVM_VERSION: 21
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -50,14 +51,11 @@ jobs:
       - name: Install LLVM
         if: runner.os == 'MacOS'
         run: brew install llvm@${{env.MAIN_LLVM_VERSION}}
-      - uses: Swatinem/rust-cache@v2
-        with: { shared-key: "ubuntu" }
-        if: runner.os == 'Linux'
-      - uses: Swatinem/rust-cache@v2
-        if: runner.os != 'Linux'
       - name: Check for binary blobs
         if: runner.os == 'Linux'
         run: just check-blobs
+      - name: Check for conflicting versions
+        run: cargo tree -d --workspace
       - name: Build libafl debug
         run: just build-libafl
       - name: Test the book (Linux)
@@ -73,6 +71,12 @@ jobs:
       - name: Doc
         if: runner.os == 'Linux'
         run: just doc
+      # DO NOT move the cache pull before this point, as it causes mdbook to fail due to duplicated deps
+      - uses: Swatinem/rust-cache@v2
+        with: { shared-key: "ubuntu" }
+        if: runner.os == 'Linux'
+      - uses: Swatinem/rust-cache@v2
+        if: runner.os != 'Linux'
       - name: Run tests (Windows)
         if: runner.os == 'Windows'
         run: just test-serial
@@ -189,20 +193,6 @@ jobs:
         # `sancov_pcguard_edges` is tested seperatelyc
         run: just check-features ${{ matrix.instance_idx }}
 
-#  idk why bindgen generates a corrupted file only on CI.
-#  ubuntu-concolic:
-#    runs-on: ubuntu-24.04
-#    needs: ubuntu
-#    steps:
-#      - uses: dtolnay/rust-toolchain@stable
-#      - uses: actions/checkout@v4
-#      - uses: Swatinem/rust-cache@v2
-#        with: { shared-key: "ubuntu" }
-#      - name: Install smoke test deps
-#        run: sudo ./crates/libafl_concolic/test/smoke_test_ubuntu_deps.sh
-#      - name: Run smoke test
-#        run: ./crates/libafl_concolic/test/smoke_test.sh
-#
   python-bindings:
     runs-on: ubuntu-24.04
     steps:
@@ -340,7 +330,6 @@ jobs:
           # - inprocess/libfuzzer_windows_asan
           - inprocess/libfuzzer_stb_image_sugar
           - inprocess/libfuzzer_stb_image
-          - structure_aware/libfuzzer_stb_image_concolic
           # - inprocess/sqlite_centralized_multi_machine
           # - inprocess/libafl_libfuzzer_windows
 
 
@@ -24,6 +24,7 @@ runs:
         sudo apt-get install -y \
           curl lsb-release wget software-properties-common gnupg shellcheck pax-utils \
           libsqlite3-dev libpixman-1-dev libc6-dev gcc g++ build-essential libglib2.0-dev
+        echo "export LLVM_CONFIG_PATH=$(which llvm-config-${{ env.MAIN_LLVM_VERSION }})" | sudo tee -a /etc/environment
 
     # ---------- toolchain selection ----------
     - name: Install Rust (stable)
 
@@ -11,10 +11,6 @@ members = [
   "crates/libafl_bolts",
   "crates/libafl_build",
   "crates/libafl_cc",
-  "crates/libafl_concolic/symcc_libafl",
-  "crates/libafl_concolic/symcc_runtime",
-  "crates/libafl_concolic/test/dump_constraints",
-  "crates/libafl_concolic/test/runtime_test",
   "crates/libafl_core",
   "crates/libafl_derive",
   "crates/libafl_frida",
@@ -68,8 +64,6 @@ exclude = [
   "utils/libafl_repo_tools",
   "utils/multi_machine_generator",
   "utils/noaslr",
-  # additional crates
-  "crates/libafl_concolic/test/symcc/util/symcc_fuzzing_helper",
 ]
 
 [workspace.package]
@@ -109,12 +103,6 @@ serde_anymap = { path = "./crates/serde_anymap", version = "0.16.0", default-fea
 shmem_providers = { path = "./crates/shmem_providers", version = "0.16.0", default-features = false }
 tuple_list_ex = { path = "./crates/tuple_list_ex", version = "0.16.0", default-features = false }
 
-# Concolic fuzzing crates
-dump_constraints = { path = "./crates/libafl_concolic/test/dump_constraints", version = "0.16.0", default-features = false }
-runtime_test = { path = "./crates/libafl_concolic/test/runtime_test", version = "0.16.0", default-features = false }
-symcc_libafl = { path = "./crates/libafl_concolic/symcc_libafl", version = "0.16.0", default-features = false }
-symcc_runtime = { path = "./crates/libafl_concolic/symcc_runtime", version = "0.16.0", default-features = false }
-
 # Utils
 build_and_test_fuzzers = { path = "./utils/build_and_test_fuzzers", version = "0.16.0", default-features = false }
 construct_automata = { path = "./utils/gramatron/construct_automata", version = "0.16.0", default-features = false }
 
@@ -177,7 +177,7 @@ check-blobs:
 check-toml:
     taplo format --check
 
-test-fuzzers: fuzzers-preflight test-os-specific-fuzzers (nop "Baby") (test-fuzzer "./fuzzers/baby/baby_fuzzer_swap_differential") (test-fuzzer "./fuzzers/baby/tutorial") (test-fuzzer "./fuzzers/baby/baby_fuzzer") (nop "./fuzzers/baby/backtrace_baby_fuzzers") (test-fuzzer "./fuzzers/baby/baby_fuzzer_unicode") (test-fuzzer "./fuzzers/baby/baby_fuzzer_minimizing") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/command_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor") (test-fuzzer "./fuzzers/baby/baby_fuzzer_custom_executor") (nop "Binary-only") (test-fuzzer "./fuzzers/binary_only/frida_executable_libpng") (test-fuzzer "./fuzzers/binary_only/frida_libpng") (test-fuzzer "./fuzzers/binary_only/intel_pt_baby_fuzzer") (test-fuzzer "./fuzzers/binary_only/intel_pt_command_executor") (test-fuzzer "./fuzzers/binary_only/tinyinst_simple") (nop "Forkserver") (test-fuzzer "./fuzzers/forkserver/forkserver_simple") (test-fuzzer "./fuzzers/forkserver/forkserver_libafl_cc") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_cmplog") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_sand") (test-fuzzer "./fuzzers/forkserver/libafl-fuzz") (test-fuzzer "./fuzzers/forkserver/baby_fuzzer_with_forkexecutor") (nop "Full-system") (test-fuzzer "./fuzzers/full_system/nyx_launcher") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_standalone") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_parallel") (test-fuzzer "./fuzzers/full_system/unicorn") (nop "Structure-aware") (test-fuzzer "./fuzzers/structure_aware/nautilus_sync") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_grimoire") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_gramatron") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_tokens") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_multi") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_custom_input") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_nautilus") (test-fuzzer "./fuzzers/structure_aware/forkserver_simple_nautilus") (nop "In-process") (test-fuzzer "./fuzzers/fuzz_anything/cargo_fuzz") (test-fuzzer "./fuzzers/inprocess/fuzzbench") (test-fuzzer "./fuzzers/inprocess/fuzzbench_text") (test-fuzzer "./fuzzers/inprocess/fuzzbench_ctx") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libmozjpeg") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_launcher") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_accounting") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_centralized") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_cmin") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_norestart") (nop "./fuzzers/inprocess/libfuzzer_libpng_tcp_manager") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image_sugar") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image") (nop "./fuzzers/structure_aware/libfuzzer_stb_image_concolic") (nop "./fuzzers/inprocess/sqlite_centralized_multi_machine") (nop "Fuzz Anything") (test-fuzzer "./fuzzers/fuzz_anything/push_harness") (test-fuzzer "./fuzzers/fuzz_anything/push_stage_harness") (test-fuzzer "./fuzzers/fuzz_anything/libafl_atheris") (test-fuzzer "./fuzzers/fuzz_anything/baby_no_std") (test-fuzzer "./fuzzers/fuzz_anything/baby_fuzzer_wasm")
+test-fuzzers: fuzzers-preflight test-os-specific-fuzzers (nop "Baby") (test-fuzzer "./fuzzers/baby/baby_fuzzer_swap_differential") (test-fuzzer "./fuzzers/baby/tutorial") (test-fuzzer "./fuzzers/baby/baby_fuzzer") (nop "./fuzzers/baby/backtrace_baby_fuzzers") (test-fuzzer "./fuzzers/baby/baby_fuzzer_unicode") (test-fuzzer "./fuzzers/baby/baby_fuzzer_minimizing") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/command_executor") (test-fuzzer "./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor") (test-fuzzer "./fuzzers/baby/baby_fuzzer_custom_executor") (nop "Binary-only") (test-fuzzer "./fuzzers/binary_only/frida_executable_libpng") (test-fuzzer "./fuzzers/binary_only/frida_libpng") (test-fuzzer "./fuzzers/binary_only/intel_pt_baby_fuzzer") (test-fuzzer "./fuzzers/binary_only/intel_pt_command_executor") (test-fuzzer "./fuzzers/binary_only/tinyinst_simple") (nop "Forkserver") (test-fuzzer "./fuzzers/forkserver/forkserver_simple") (test-fuzzer "./fuzzers/forkserver/forkserver_libafl_cc") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_cmplog") (test-fuzzer "./fuzzers/forkserver/fuzzbench_forkserver_sand") (test-fuzzer "./fuzzers/forkserver/libafl-fuzz") (test-fuzzer "./fuzzers/forkserver/baby_fuzzer_with_forkexecutor") (nop "Full-system") (test-fuzzer "./fuzzers/full_system/nyx_launcher") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_standalone") (test-fuzzer "./fuzzers/full_system/nyx_libxml2_parallel") (test-fuzzer "./fuzzers/full_system/unicorn") (nop "Structure-aware") (test-fuzzer "./fuzzers/structure_aware/nautilus_sync") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_grimoire") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_gramatron") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_tokens") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_multi") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_custom_input") (test-fuzzer "./fuzzers/structure_aware/baby_fuzzer_nautilus") (test-fuzzer "./fuzzers/structure_aware/forkserver_simple_nautilus") (nop "In-process") (test-fuzzer "./fuzzers/fuzz_anything/cargo_fuzz") (test-fuzzer "./fuzzers/inprocess/fuzzbench") (test-fuzzer "./fuzzers/inprocess/fuzzbench_text") (test-fuzzer "./fuzzers/inprocess/fuzzbench_ctx") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libmozjpeg") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_launcher") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_accounting") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_centralized") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_cmin") (test-fuzzer "./fuzzers/inprocess/libfuzzer_libpng_norestart") (nop "./fuzzers/inprocess/libfuzzer_libpng_tcp_manager") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image_sugar") (test-fuzzer "./fuzzers/inprocess/libfuzzer_stb_image") (nop "./fuzzers/inprocess/sqlite_centralized_multi_machine") (nop "Fuzz Anything") (test-fuzzer "./fuzzers/fuzz_anything/push_harness") (test-fuzzer "./fuzzers/fuzz_anything/push_stage_harness") (test-fuzzer "./fuzzers/fuzz_anything/libafl_atheris") (test-fuzzer "./fuzzers/fuzz_anything/baby_no_std") (test-fuzzer "./fuzzers/fuzz_anything/baby_fuzzer_wasm")
 
 # Windows-specific cmplog test
 [windows]
@@ -257,18 +257,13 @@ build-ios:
 increase-mem-limits:
     {{ SCRIPTS_DIR }}/shmem_limits_macos.sh
 
-# Run Smoketest for the libafl concolic executor
-[linux]
-concolic-smoke-test:
-    {{ ROOT_DIR }}/libafl_concolic/test/smoke_test.sh
-
 [unix]
 test-repro-qemu-tmin:
     cd {{ FUZZERS_DIR }}/binary_only/qemu_tmin && ./repro
 
 # Tests everything (crates, fuzzers, docs, repro)
 [linux]
-test-all: test test-fuzzers test-docs test-repro-qemu-tmin concolic-smoke-test doc
+test-all: test test-fuzzers test-docs test-repro-qemu-tmin doc
 
 # Tests everything (crates, fuzzers, docs, repro)
 [macos]
 
@@ -38,7 +38,6 @@ feel free to add an AST-based input for structured fuzzing, and more.
     ```
 - **LLVM tools**
   - The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from [here](https://apt.llvm.org/)
-  - (In `libafl_concolic`, we only support LLVM version newer than 18)
 - Just:
   - We use [just](https://github.com/casey/just) to build the fuzzers in `fuzzers/` directory. You can find instructions to install it in your environment [in the Just Programmer's Manual](https://just.systems/man/en/packages.html).
 
 
@@ -22,5 +22,4 @@ repository = "https://github.com/AFLplusplus/LibAFL.git"
 [tool.maturin]
 bindings = "pyo3"
 manifest-path = "Cargo.toml"
-python-source = "src"
 all-features = true
@@ -11,7 +11,6 @@ This directory contains the various crates that make up the LibAFL ecosystem. He
 
 ## Backends & Instrumentation
 
-- **[libafl_concolic](./libafl_concolic)**: Concolic execution related crates (SymCC integration).
 - **[libafl_frida](./libafl_frida)**: Frida backend library for LibAFL.
 - **[libafl_intelpt](./libafl_intelpt)**: Intel Processor Trace wrapper for libafl.
 - **[libafl_nyx](./libafl_nyx)**: libafl using nyx, only avaliable on linux.
 
@@ -294,7 +294,7 @@ pub trait SubRng {
 
 impl<R> SubRng for R
 where
-    R: Rand + Sized + Clone
+    R: Rand + Sized + Clone,
 {
     /// Creates and returns a sub-RNG.
     fn sub_rng(&mut self) -> Self {
 
@@ -121,7 +121,7 @@ intel_pt = ["std", "dep:libafl_intelpt", "dep:nix", "dep:num_enum"]
 intel_pt_export_raw = ["intel_pt", "libafl_intelpt/export_raw"]
 
 ## Enables features for corpus minimization
-cmin = ["z3"]
+cmin = ["dep:z3"]
 
 ## Enables the `PrometheusMonitor` which will monitor stats via UDP, for `Grafana` and others.
 prometheus_monitor = [
@@ -135,9 +135,6 @@ prometheus_monitor = [
 ## Enables the `StatsdMonitor`.
 statsd_monitor = ["std", "cadence"]
 
-## Include a simple concolic mutator based on z3
-concolic_mutation = ["z3"]
-
 ## Enable the fancy TuiMonitor for a termanal UI using crossterm
 tui_monitor = ["ratatui", "crossterm"]
 
@@ -291,7 +288,7 @@ wait-timeout = { version = "0.2.0", optional = true } # used by CommandExecutor
 regex = { workspace = true, optional = true }
 regex-syntax = { version = "0.8.4", optional = true } # For nautilus
 
-z3 = { workspace = true, optional = true } # for concolic mutation
+z3 = { workspace = true, optional = true } # for corpus minimization
 
 # optional-dev deps (change when target.'cfg(accessible(::std))'.test-dependencies will be stable)
 serial_test = { workspace = true, optional = true, default-features = false, features = [
Original file line number	Diff line number	Diff line change
`@@ -294,7 +294,7 @@ pub trait SubRng {`
`294`	`294`
`295`	`295`	`impl<R> SubRng for R`
`296`	`296`	`where`
`297`		`- R: Rand + Sized + Clone`
	`297`	`+ R: Rand + Sized + Clone,`
`298`	`298`	`{`
`299`	`299`	`/// Creates and returns a sub-RNG.`
`300`	`300`	`fn sub_rng(&mut self) -> Self {`