Final afl++ integration (#5191)

* final afl++ integration * remove afl++ cmplog tests * update afl++ commit id * support rebuild * llvm 13 workaround * apply fix for llvm 13 * fix nits * Fix nits. * Fix name nit. * update commit id * update commit id * update commit id to stable Co-authored-by: Abhishek Arya <inferno@chromium.org>
author: van Hauser <vh@thc.org> 2021-02-18 21:55:07 +0100
committer: GitHub <noreply@github.com> 2021-02-18 12:55:07 -0800
commit: 4bb61df7905c6005000f5766e966e6fe30ab4559 (patch)
tree: 3ac2f4562536797982fe00fd57aaa7f51cbb9745 /infra
parent: f682792936f489550fe26c475d79468d82b9c7fe (diff)
download: oss-fuzz-4bb61df7905c6005000f5766e966e6fe30ab4559.tar.gz
3 files changed, 67 insertions, 12 deletions
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 68c44be66..4ac72a190 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -177,7 +177,7 @@ WORKDIR $SRC
 # TODO: switch to -b stable once we can.
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
-    git checkout aeb7d7048371cd91ab9280c3958f1c35e5d5e758
+    git checkout 5dd35f5281afec0955c08fe9f99e3c83222b7764
 
 RUN cd $SRC && \
     curl -L -O https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz && \
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index 318eca44e..17762d38e 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -15,6 +15,22 @@
 #
 ################################################################################
 
+# afl++ configuration options.
+# The 'env|grep' setup ensures we do not trigger the linter.
+# The variables need to be set to "1" here - or before running this script.
+
+# If enabled this provides a safe work around if afl-clang-fast ever break:
+env | grep -qw AFL_LLVM_MODE_WORKAROUND || {
+  # needed until llvm 13 works:
+  AFL_LLVM_MODE_WORKAROUND=0
+}
+
+# If a dictionary should be generated based on comparisons at compile time:
+env | grep -qw AFL_ENABLE_DICTIONARY || {
+  AFL_ENABLE_DICTIONARY=1
+}
+
+# Start compiling afl++.
 echo "Compiling afl++"
 
 # Build and copy afl++ tools necessary for fuzzing.
@@ -22,24 +38,23 @@ pushd $SRC/aflplusplus > /dev/null
 
 # Unset CFLAGS and CXXFLAGS while building AFL since we don't want to slow it
 # down with sanitizers.
-INITIAL_CXXFLAGS=$CXXFLAGS
-INITIAL_CFLAGS=$CFLAGS
+SAVE_CXXFLAGS=$CXXFLAGS
+SAVE_CFLAGS=$CFLAGS
 unset CXXFLAGS
 unset CFLAGS
+export AFL_IGNORE_UNKNOWN_ENVS=1
 make clean
 AFL_NO_X86=1 PYTHON_INCLUDE=/ make
-CFLAGS=$INITIAL_CFLAGS
-CXXFLAGS=$INITIAL_CXXFLAGS
+CFLAGS=$SAVE_CFLAGS
+CXXFLAGS=$SAVE_CXXFLAGS
 
 # Build afl++ driver with existing CFLAGS, CXXFLAGS.
 make -C utils/aflpp_driver
-cp libAFLDriver.a $LIB_FUZZING_ENGINE
+cp -f libAFLDriver.a $LIB_FUZZING_ENGINE
 
 # Some important projects include libraries, copy those even when they don't
 # start with "afl-". Use "sort -u" to avoid a warning about duplicates.
 ls afl-* *.txt *.a *.o *.so | sort -u | xargs cp -t $OUT
-popd > /dev/null
-
 export CC="$SRC/aflplusplus/afl-clang-fast"
 export CXX="$SRC/aflplusplus/afl-clang-fast++"
 
@@ -50,8 +65,46 @@ export AFL_QUIET=1
 export AFL_MAP_SIZE=4194304
 # No leak errors during builds.
 export ASAN_OPTIONS="detect_leaks=0:symbolize=0"
-#
-# Placeholder for the upcoming afl++ build options roulette
-#
+
+# AFL compile option roulette. It is OK if they all happen together.
+
+# 40% chance to perform CMPLOG
+rm -f "$OUT/afl_cmplog.txt"
+test $(($RANDOM % 10)) -lt 4 && {
+  export AFL_LLVM_CMPLOG=1
+  # We need to notify afl-fuzz to activate CMPLOG
+  touch "$OUT/afl_cmplog.txt"
+}
+
+# 10% chance to perform LAF_INTEL
+test $(($RANDOM % 10)) -lt 1 && {
+  export AFL_LLVM_LAF_ALL=1
+}
+
+# In case afl-clang-fast ever breaks, this is a workaround:
+test "$AFL_LLVM_MODE_WORKAROUND" = "1" && {
+  export CC=clang
+  export CXX=clang++
+  WORKAROUND_FLAGS=-fsanitize-coverage=trace-pc-guard
+  # We can still do CMPLOG light:
+  test -e "$OUT/afl_cmplog.txt" && {
+    WORKAROUND_FLAGS="$WORKAROUND_FLAGS",trace-cmp
+  }
+  export CFLAGS="$CFLAGS $WORKAROUND_FLAGS"
+  export CXXFLAGS="$CXXFLAGS $WORKAROUND_FLAGS"
+  # We need to create a new fuzzer lib however.
+  ar ru libAFLDrivernew.a afl-compiler-rt.o utils/aflpp_driver/aflpp_driver.o
+  cp -f libAFLDrivernew.a $LIB_FUZZING_ENGINE
+}
+
+# If the targets whishes a dictionary - then create one.
+test "$AFL_ENABLE_DICTIONARY" = "1" && {
+  export AFL_LLVM_DICT2FILE="$OUT/afl++.dict"
+}
+
+# Provide a way to document the afl++ options used in this build:
+env | grep AFL_ > "$OUT/afl_options.txt"
+
+popd > /dev/null
 
 echo " done."
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index 6464ddc2c..8d137e330 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
@@ -111,7 +111,9 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then
   # CMPLOG level 2, which will colorize larger files but not huge files and
   # not enable transform analysis unless there have been several cycles without
   # any finds.
-  test -e $OUT/afl_cmplog.txt && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+  test -e "$OUT/afl_cmplog.txt" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+  # If $OUT/afl++.dict we load it as a dictionary for afl-fuzz.
+  test -e "$OUT/afl++.dict" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -x $OUT/afl++.dict"
   # AFL expects at least 1 file in the input dir.
   echo input > ${CORPUS_DIR}/input
   CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o $FUZZER_OUT $(get_dictionary) $* -- $OUT/$FUZZER"
author	van Hauser <vh@thc.org>	2021-02-18 21:55:07 +0100
committer	GitHub <noreply@github.com>	2021-02-18 12:55:07 -0800
commit	4bb61df7905c6005000f5766e966e6fe30ab4559 (patch)
tree	3ac2f4562536797982fe00fd57aaa7f51cbb9745 /infra
parent	f682792936f489550fe26c475d79468d82b9c7fe (diff)
download	oss-fuzz-4bb61df7905c6005000f5766e966e6fe30ab4559.tar.gz