From 39455bdbfb3dbf1e8188c9b66100174587033084 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Sat, 25 Mar 2023 02:30:09 +0100 Subject: [PATCH] current state experiment (#1797) --- fuzzers/aflplusplus_405c/builder.Dockerfile | 50 --- fuzzers/aflplusplus_405c/description.md | 14 - fuzzers/aflplusplus_405c/fuzzer.py | 281 -------------- fuzzers/aflplusplus_405c/runner.Dockerfile | 23 -- fuzzers/aflplusplus_comp/builder.Dockerfile | 50 --- fuzzers/aflplusplus_comp/description.md | 14 - fuzzers/aflplusplus_comp/fuzzer.py | 281 -------------- fuzzers/aflplusplus_comp/runner.Dockerfile | 23 -- .../aflplusplus_comp_dd/builder.Dockerfile | 56 --- fuzzers/aflplusplus_comp_dd/description.md | 14 - fuzzers/aflplusplus_comp_dd/fuzzer.py | 281 -------------- fuzzers/aflplusplus_comp_dd/runner.Dockerfile | 23 -- .../aflplusplus_comp_pge/builder.Dockerfile | 50 --- fuzzers/aflplusplus_comp_pge/description.md | 14 - fuzzers/aflplusplus_comp_pge/fuzzer.py | 281 -------------- .../aflplusplus_comp_pge/runner.Dockerfile | 23 -- fuzzers/aflplusplus_ddfuzz/builder.Dockerfile | 53 --- fuzzers/aflplusplus_ddfuzz/description.md | 14 - fuzzers/aflplusplus_ddfuzz/fuzzer.py | 283 -------------- fuzzers/aflplusplus_ddfuzz/runner.Dockerfile | 23 -- fuzzers/aflplusplus_haste/builder.Dockerfile | 50 --- fuzzers/aflplusplus_haste/description.md | 14 - fuzzers/aflplusplus_haste/fuzzer.py | 281 -------------- fuzzers/aflplusplus_haste/runner.Dockerfile | 23 -- fuzzers/aflplusplus_pge/builder.Dockerfile | 47 --- fuzzers/aflplusplus_pge/description.md | 14 - fuzzers/aflplusplus_pge/fuzzer.py | 283 -------------- fuzzers/aflplusplus_pge/runner.Dockerfile | 23 -- fuzzers/aflplusplus_pge10/builder.Dockerfile | 47 --- fuzzers/aflplusplus_pge10/description.md | 14 - fuzzers/aflplusplus_pge10/fuzzer.py | 283 -------------- fuzzers/aflplusplus_pge10/runner.Dockerfile | 23 -- fuzzers/aflplusplus_pge100/builder.Dockerfile | 47 --- fuzzers/aflplusplus_pge100/description.md | 14 - fuzzers/aflplusplus_pge100/fuzzer.py | 283 -------------- fuzzers/aflplusplus_pge100/runner.Dockerfile | 23 -- fuzzers/aflplusplus_zafl/aflpp_driver.c | 352 ------------------ fuzzers/aflplusplus_zafl/builder.Dockerfile | 91 ----- fuzzers/aflplusplus_zafl/cc.sh | 89 ----- fuzzers/aflplusplus_zafl/cxx.sh | 91 ----- fuzzers/aflplusplus_zafl/fuzzer.py | 60 --- fuzzers/aflplusplus_zafl/null.c | 15 - fuzzers/aflplusplus_zafl/runner.Dockerfile | 8 - fuzzers/aflplusplus_zafl/zafl_bins.sh | 77 ---- service/experiment-requests.yaml | 11 + 45 files changed, 11 insertions(+), 4103 deletions(-) delete mode 100644 fuzzers/aflplusplus_405c/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_405c/description.md delete mode 100755 fuzzers/aflplusplus_405c/fuzzer.py delete mode 100644 fuzzers/aflplusplus_405c/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp/description.md delete mode 100755 fuzzers/aflplusplus_comp/fuzzer.py delete mode 100644 fuzzers/aflplusplus_comp/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp_dd/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp_dd/description.md delete mode 100755 fuzzers/aflplusplus_comp_dd/fuzzer.py delete mode 100644 fuzzers/aflplusplus_comp_dd/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp_pge/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_comp_pge/description.md delete mode 100755 fuzzers/aflplusplus_comp_pge/fuzzer.py delete mode 100644 fuzzers/aflplusplus_comp_pge/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_ddfuzz/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_ddfuzz/description.md delete mode 100755 fuzzers/aflplusplus_ddfuzz/fuzzer.py delete mode 100644 fuzzers/aflplusplus_ddfuzz/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_haste/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_haste/description.md delete mode 100755 fuzzers/aflplusplus_haste/fuzzer.py delete mode 100644 fuzzers/aflplusplus_haste/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge/description.md delete mode 100755 fuzzers/aflplusplus_pge/fuzzer.py delete mode 100644 fuzzers/aflplusplus_pge/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge10/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge10/description.md delete mode 100755 fuzzers/aflplusplus_pge10/fuzzer.py delete mode 100644 fuzzers/aflplusplus_pge10/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge100/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_pge100/description.md delete mode 100755 fuzzers/aflplusplus_pge100/fuzzer.py delete mode 100644 fuzzers/aflplusplus_pge100/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_zafl/aflpp_driver.c delete mode 100644 fuzzers/aflplusplus_zafl/builder.Dockerfile delete mode 100755 fuzzers/aflplusplus_zafl/cc.sh delete mode 100755 fuzzers/aflplusplus_zafl/cxx.sh delete mode 100755 fuzzers/aflplusplus_zafl/fuzzer.py delete mode 100644 fuzzers/aflplusplus_zafl/null.c delete mode 100644 fuzzers/aflplusplus_zafl/runner.Dockerfile delete mode 100755 fuzzers/aflplusplus_zafl/zafl_bins.sh diff --git a/fuzzers/aflplusplus_405c/builder.Dockerfile b/fuzzers/aflplusplus_405c/builder.Dockerfile deleted file mode 100644 index 3de2a9e31..000000000 --- a/fuzzers/aflplusplus_405c/builder.Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 05cc21e9d68bcf9ddf00ad0c8e97c0dc253a4b8e || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_405c/description.md b/fuzzers/aflplusplus_405c/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_405c/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_405c/fuzzer.py b/fuzzers/aflplusplus_405c/fuzzer.py deleted file mode 100755 index 8836eb40d..000000000 --- a/fuzzers/aflplusplus_405c/fuzzer.py +++ /dev/null @@ -1,281 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_405c/runner.Dockerfile b/fuzzers/aflplusplus_405c/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_405c/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_comp/builder.Dockerfile b/fuzzers/aflplusplus_comp/builder.Dockerfile deleted file mode 100644 index aaee4af92..000000000 --- a/fuzzers/aflplusplus_comp/builder.Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout d80cedcf02f56351bb08e7520ddcd76b0ff3f84e || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_comp/description.md b/fuzzers/aflplusplus_comp/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_comp/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_comp/fuzzer.py b/fuzzers/aflplusplus_comp/fuzzer.py deleted file mode 100755 index 6256cc281..000000000 --- a/fuzzers/aflplusplus_comp/fuzzer.py +++ /dev/null @@ -1,281 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_comp/runner.Dockerfile b/fuzzers/aflplusplus_comp/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_comp/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_comp_dd/builder.Dockerfile b/fuzzers/aflplusplus_comp_dd/builder.Dockerfile deleted file mode 100644 index 27baa3325..000000000 --- a/fuzzers/aflplusplus_comp_dd/builder.Dockerfile +++ /dev/null @@ -1,56 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 48c878a76ddec2c133fd5708b185b2ac27740084 || \ - true - -RUN apt install -y lsb-release wget software-properties-common gnupg - -RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13 - -ENV LLVM_CONFIG llvm-config-13 - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_comp_dd/description.md b/fuzzers/aflplusplus_comp_dd/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_comp_dd/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_comp_dd/fuzzer.py b/fuzzers/aflplusplus_comp_dd/fuzzer.py deleted file mode 100755 index 8836eb40d..000000000 --- a/fuzzers/aflplusplus_comp_dd/fuzzer.py +++ /dev/null @@ -1,281 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_comp_dd/runner.Dockerfile b/fuzzers/aflplusplus_comp_dd/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_comp_dd/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_comp_pge/builder.Dockerfile b/fuzzers/aflplusplus_comp_pge/builder.Dockerfile deleted file mode 100644 index 0d28cacb3..000000000 --- a/fuzzers/aflplusplus_comp_pge/builder.Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 40947508037b874020c8dd1251359fecaab04b9d || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_comp_pge/description.md b/fuzzers/aflplusplus_comp_pge/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_comp_pge/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_comp_pge/fuzzer.py b/fuzzers/aflplusplus_comp_pge/fuzzer.py deleted file mode 100755 index 8836eb40d..000000000 --- a/fuzzers/aflplusplus_comp_pge/fuzzer.py +++ /dev/null @@ -1,281 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_comp_pge/runner.Dockerfile b/fuzzers/aflplusplus_comp_pge/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_comp_pge/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_ddfuzz/builder.Dockerfile b/fuzzers/aflplusplus_ddfuzz/builder.Dockerfile deleted file mode 100644 index 5e48257c7..000000000 --- a/fuzzers/aflplusplus_ddfuzz/builder.Dockerfile +++ /dev/null @@ -1,53 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone --depth=1 https://github.com/elManto/DDFuzz /afl - -RUN apt install -y lsb-release wget software-properties-common gnupg - -RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13 - -ENV LLVM_CONFIG llvm-config-13 - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_ddfuzz/description.md b/fuzzers/aflplusplus_ddfuzz/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_ddfuzz/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_ddfuzz/fuzzer.py b/fuzzers/aflplusplus_ddfuzz/fuzzer.py deleted file mode 100755 index 03b5d932a..000000000 --- a/fuzzers/aflplusplus_ddfuzz/fuzzer.py +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['classic', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - os.environ['DDG_INSTR'] = '1' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_ddfuzz/runner.Dockerfile b/fuzzers/aflplusplus_ddfuzz/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_ddfuzz/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_haste/builder.Dockerfile b/fuzzers/aflplusplus_haste/builder.Dockerfile deleted file mode 100644 index 6ef1f82f7..000000000 --- a/fuzzers/aflplusplus_haste/builder.Dockerfile +++ /dev/null @@ -1,50 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 33eba1fc5652060e8d877b02135fce2325813d0c || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_haste/description.md b/fuzzers/aflplusplus_haste/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_haste/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_haste/fuzzer.py b/fuzzers/aflplusplus_haste/fuzzer.py deleted file mode 100755 index 8836eb40d..000000000 --- a/fuzzers/aflplusplus_haste/fuzzer.py +++ /dev/null @@ -1,281 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_haste/runner.Dockerfile b/fuzzers/aflplusplus_haste/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_haste/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_pge/builder.Dockerfile b/fuzzers/aflplusplus_pge/builder.Dockerfile deleted file mode 100644 index 8dfa5d5fe..000000000 --- a/fuzzers/aflplusplus_pge/builder.Dockerfile +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone --depth=1 https://github.com/vanhauser-thc/pge /afl - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_pge/description.md b/fuzzers/aflplusplus_pge/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_pge/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_pge/fuzzer.py b/fuzzers/aflplusplus_pge/fuzzer.py deleted file mode 100755 index 7818c635f..000000000 --- a/fuzzers/aflplusplus_pge/fuzzer.py +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - flags += ['-r', '1'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_pge/runner.Dockerfile b/fuzzers/aflplusplus_pge/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_pge/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_pge10/builder.Dockerfile b/fuzzers/aflplusplus_pge10/builder.Dockerfile deleted file mode 100644 index 8dfa5d5fe..000000000 --- a/fuzzers/aflplusplus_pge10/builder.Dockerfile +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone --depth=1 https://github.com/vanhauser-thc/pge /afl - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_pge10/description.md b/fuzzers/aflplusplus_pge10/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_pge10/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_pge10/fuzzer.py b/fuzzers/aflplusplus_pge10/fuzzer.py deleted file mode 100755 index 51293f4fc..000000000 --- a/fuzzers/aflplusplus_pge10/fuzzer.py +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - flags += ['-r', '10'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_pge10/runner.Dockerfile b/fuzzers/aflplusplus_pge10/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_pge10/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_pge100/builder.Dockerfile b/fuzzers/aflplusplus_pge100/builder.Dockerfile deleted file mode 100644 index 8dfa5d5fe..000000000 --- a/fuzzers/aflplusplus_pge100/builder.Dockerfile +++ /dev/null @@ -1,47 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone --depth=1 https://github.com/vanhauser-thc/pge /afl - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_pge100/description.md b/fuzzers/aflplusplus_pge100/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_pge100/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_pge100/fuzzer.py b/fuzzers/aflplusplus_pge100/fuzzer.py deleted file mode 100755 index ea30612a2..000000000 --- a/fuzzers/aflplusplus_pge100/fuzzer.py +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. - build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - flags += ['-r', '100'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_pge100/runner.Dockerfile b/fuzzers/aflplusplus_pge100/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_pge100/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_zafl/aflpp_driver.c b/fuzzers/aflplusplus_zafl/aflpp_driver.c deleted file mode 100644 index 1b4b50e36..000000000 --- a/fuzzers/aflplusplus_zafl/aflpp_driver.c +++ /dev/null @@ -1,352 +0,0 @@ -// Copyright 2020 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - -//===- afl_driver.cpp - a glue between AFL++ and libFuzzer ------*- C++ -* ===// -//===----------------------------------------------------------------------===// - -/* This file allows to fuzz libFuzzer-style target functions - (LLVMFuzzerTestOneInput) with AFL++ using persistent in-memory fuzzing. - -Usage: -################################################################################ -cat << EOF > test_fuzzer.cc -#include -#include -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - -if (size > 0 && data[0] == 'H') -if (size > 1 && data[1] == 'I') -if (size > 2 && data[2] == '!') -__builtin_trap(); -return 0; - -} - -EOF -# Build your target with -fsanitize-coverage=trace-pc-guard using fresh clang. -clang -c aflpp_driver.c -# Build afl-compiler-rt.o.c from the AFL distribution. -clang -c $AFL_HOME/instrumentation/afl-compiler-rt.o.c -# Build this file, link it with afl-compiler-rt.o.o and the target code. -afl-clang-fast -o test_fuzzer test_fuzzer.cc afl-compiler-rt.o aflpp_driver.o -# Run AFL: -rm -rf IN OUT; mkdir IN OUT; echo z > IN/z; -$AFL_HOME/afl-fuzz -i IN -o OUT ./a.out -################################################################################ -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -#include "config.h" -#include "types.h" -#include "cmplog.h" - -#ifdef _DEBUG -#include "hash.h" -#endif - -int __afl_sharedmem_fuzzing = 1; -extern unsigned int * __afl_fuzz_len; -extern unsigned char *__afl_fuzz_ptr; - -// libFuzzer interface is thin, so we don't include any libFuzzer headers. -static int (*LLVMFuzzerTestOneInput)(const uint8_t *Data, size_t Size); -static int (*LLVMFuzzerInitialize)(int *argc, char ***argv); - -// Notify AFL about persistent mode. -static volatile char AFL_PERSISTENT[] = "##SIG_AFL_PERSISTENT##"; -int __afl_persistent_loop(unsigned int); - -// Notify AFL about deferred forkserver. -static volatile char AFL_DEFER_FORKSVR[] = "##SIG_AFL_DEFER_FORKSRV##"; -void __afl_manual_init(); - -// Use this optionally defined function to output sanitizer messages even if -// user asks to close stderr. -__attribute__((weak)) void __sanitizer_set_report_fd(void *); - -// Keep track of where stderr content is being written to, so that -// dup_and_close_stderr can use the correct one. -static FILE *output_file; - -// Experimental feature to use afl_driver without AFL's deferred mode. -// Needs to run before __afl_auto_init. -__attribute__((constructor(0))) static void __decide_deferred_forkserver(void) { - - if (getenv("AFL_DRIVER_DONT_DEFER")) { - - if (unsetenv("__AFL_DEFER_FORKSRV")) { - - perror("Failed to unset __AFL_DEFER_FORKSRV"); - abort(); - - } - - } - -} - -// If the user asks us to duplicate stderr, then do it. -static void maybe_duplicate_stderr() { - - char *stderr_duplicate_filename = - getenv("AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); - - if (!stderr_duplicate_filename) return; - - FILE *stderr_duplicate_stream = - freopen(stderr_duplicate_filename, "a+", stderr); - - if (!stderr_duplicate_stream) { - - fprintf( - stderr, - "Failed to duplicate stderr to AFL_DRIVER_STDERR_DUPLICATE_FILENAME"); - abort(); - - } - - output_file = stderr_duplicate_stream; - -} - -// Most of these I/O functions were inspired by/copied from libFuzzer's code. -static void discard_output(int fd) { - - FILE *temp = fopen("/dev/null", "w"); - if (!temp) abort(); - dup2(fileno(temp), fd); - fclose(temp); - -} - -static void close_stdout() { - - discard_output(STDOUT_FILENO); - -} - -// Prevent the targeted code from writing to "stderr" but allow sanitizers and -// this driver to do so. -static void dup_and_close_stderr() { - - int output_fileno = fileno(output_file); - int output_fd = dup(output_fileno); - if (output_fd <= 0) abort(); - FILE *new_output_file = fdopen(output_fd, "w"); - if (!new_output_file) abort(); - if (!__sanitizer_set_report_fd) return; - __sanitizer_set_report_fd((void *)(long int)output_fd); - discard_output(output_fileno); - -} - -// Close stdout and/or stderr if user asks for it. -static void maybe_close_fd_mask() { - - char *fd_mask_str = getenv("AFL_DRIVER_CLOSE_FD_MASK"); - if (!fd_mask_str) return; - int fd_mask = atoi(fd_mask_str); - if (fd_mask & 2) dup_and_close_stderr(); - if (fd_mask & 1) close_stdout(); - -} - -// Define LLVMFuzzerMutate to avoid link failures for targets that use it -// with libFuzzer's LLVMFuzzerCustomMutator. -size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { - - // assert(false && "LLVMFuzzerMutate should not be called from afl_driver"); - return 0; - -} - -// Execute any files provided as parameters. -static int ExecuteFilesOnyByOne(int argc, char **argv) { - - unsigned char *buf = (unsigned char *)malloc(MAX_FILE); - - for (int i = 1; i < argc; i++) { - - int fd = 0; - - if (strcmp(argv[i], "-") != 0) { fd = open(argv[i], O_RDONLY); } - - if (fd == -1) { continue; } - - ssize_t length = read(fd, buf, MAX_FILE); - - if (length > 0) { - - printf("Reading %zu bytes from %s\n", length, argv[i]); - LLVMFuzzerTestOneInput(buf, length); - printf("Execution successful.\n"); - - } - - if (fd > 0) { close(fd); } - - } - - free(buf); - return 0; - -} - -int main(int argc, char **argv) { - - printf( - "============================== INFO ================================\n" - "This binary is built for afl++.\n" - "To use with afl-cmin or afl-cmin.bash pass '-' as single command line " - "option\n" - "To run the target function on individual input(s) execute this:\n" - " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n" - "To fuzz with afl-fuzz execute this:\n" - " afl-fuzz [afl-flags] -- %s [-N]\n" - "afl-fuzz will run N iterations before re-spawning the process (default: " - "INT_MAX)\n" - "For stdin input processing, pass '-' as single command line option.\n" - "For file input processing, pass '@@' as single command line option.\n" - "===================================================================\n", - argv[0], argv[0]); - - if (getenv("AFL_GDB")) { - - char cmd[64]; - snprintf(cmd, sizeof(cmd), "cat /proc/%d/maps", getpid()); - system(cmd); - fprintf(stderr, "DEBUG: aflpp_driver pid is %d\n", getpid()); - sleep(1); - - } - - /* - * We want to dlopen the right library file here so that this driver code - * cannot call any instrumented initializers before the AFL map is properly set up. - * Dlopen delays library init until the map is setup, thus avoiding a "race" to - * access the map. - */ - void *handle = dlopen(FUZZER_LIB_NAME, RTLD_LAZY); - if (!handle) { - fprintf(stderr, "Cannot open input file " FUZZER_LIB_NAME ": %s\n", dlerror()); - exit(EXIT_FAILURE); - } - - dlerror(); /* Clear any existing error */ - LLVMFuzzerInitialize = (int (*)(int *argc, char ***argv)) dlsym(handle, "LLVMFuzzerInitialize"); - dlerror(); /* Clear any existing error */ - LLVMFuzzerTestOneInput = (int (*)(const uint8_t *data, int len)) dlsym(handle, "LLVMFuzzerTestOneInput"); - if(LLVMFuzzerTestOneInput == NULL) - { - fprintf(stderr, "Could not find symbol LLVMFuzzerTestOneInput: %s\n", dlerror()); - exit(EXIT_FAILURE); - } - - - output_file = stderr; - maybe_duplicate_stderr(); - maybe_close_fd_mask(); - if (LLVMFuzzerInitialize) { - - fprintf(stderr, "Running LLVMFuzzerInitialize ...\n"); - LLVMFuzzerInitialize(&argc, &argv); - fprintf(stderr, "continue...\n"); - - } - - // Do any other expensive one-time initialization here. - - uint8_t dummy_input[64] = {0}; - memcpy(dummy_input, (void *)AFL_PERSISTENT, sizeof(AFL_PERSISTENT)); - memcpy(dummy_input + 32, (void *)AFL_DEFER_FORKSVR, - sizeof(AFL_DEFER_FORKSVR)); - - int N = INT_MAX; - - if (argc == 2 && !strcmp(argv[1], "-")) { - - __afl_sharedmem_fuzzing = 0; - __afl_manual_init(); - return ExecuteFilesOnyByOne(argc, argv); - - } else if (argc == 2 && argv[1][0] == '-') { - - N = atoi(argv[1] + 1); - - } else if (argc == 2 && (N = atoi(argv[1])) > 0) { - - printf("WARNING: using the deprecated call style `%s %d`\n", argv[0], N); - - } else if (argc > 1) { - - __afl_sharedmem_fuzzing = 0; - - if (argc == 2) { __afl_manual_init(); } - - return ExecuteFilesOnyByOne(argc, argv); - - } - - assert(N > 0); - - __afl_manual_init(); - - // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization - // on the first execution of LLVMFuzzerTestOneInput is ignored. - LLVMFuzzerTestOneInput(dummy_input, 1); - - int num_runs = 0; - while (__afl_persistent_loop(N)) { - -#ifdef _DEBUG - fprintf(stderr, "CLIENT crc: %016llx len: %u\n", - hash64(__afl_fuzz_ptr, *__afl_fuzz_len, 0xa5b35705), - *__afl_fuzz_len); - fprintf(stderr, "RECV:"); - for (int i = 0; i < *__afl_fuzz_len; i++) - fprintf(stderr, "%02x", __afl_fuzz_ptr[i]); - fprintf(stderr, "\n"); -#endif - - if (*__afl_fuzz_len) { - - num_runs++; - LLVMFuzzerTestOneInput(__afl_fuzz_ptr, *__afl_fuzz_len); - - } - - } - - printf("%s: successfully executed %d input(s)\n", argv[0], num_runs); - -} - diff --git a/fuzzers/aflplusplus_zafl/builder.Dockerfile b/fuzzers/aflplusplus_zafl/builder.Dockerfile deleted file mode 100644 index 8bb4225f3..000000000 --- a/fuzzers/aflplusplus_zafl/builder.Dockerfile +++ /dev/null @@ -1,91 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y wget libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates libc-ares-dev - -run printf "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-12 main" |tee /etc/apt/sources.list.d/llvm-toolchain-xenial-12.list && wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key |apt-key add - && apt update - - -RUN echo $parent_image && apt-get update -y && env DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y scons bison flex g++ nasm sharutils gcc-multilib g++-multilib autoconf libelf-dev coreutils makeself postgresql-client libpqxx-dev cmake git unzip wget build-essential python3-dev automake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools ninja-build tzdata openssl sudo fakeroot file postgresql -RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y lld-12 llvm-12 llvm-12-dev clang-12 -RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends --reinstall ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout 65e63b9cf107ae914630a4fff7381cee150df5fe - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && LLVM_CONFIG=llvm-config \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - - - -# Get the hash from Zephyr's Gitlab for the projects to force Docker's cache to invalidate -# itself if an update to one of these projects occurs. -# the gitlab API uses project IDs instead of project names, making the URL harder to read. -# decoder ring: id:27=zipr, id:117=zafl -# These project name->id mappings do not change unless someone deletes/forks/moves the project's repository, -# so they should be long-term stable. -ADD https://git.zephyr-software.com/api/v4/projects/27/repository/branches/master /tmp/zipr.killcache -ADD https://git.zephyr-software.com/api/v4/projects/117/repository/branches/master /tmp/zafl.killcache - -ENV USER=root -# checkout and build zipr/zafl, and setup postgres -RUN cd / && \ - git config --global http.sslVerify false && \ - git clone --recursive --depth 1 https://git.zephyr-software.com/opensrc/zipr.git &&\ - git clone --recursive --depth 1 https://git.zephyr-software.com/opensrc/zafl.git - -RUN bash -c 'unset CC ; unset CXX; unset CFLAGS; unset CXXFLAGS; cd /zipr ; \ - service postgresql start ; \ - while ! pg_isready ; do sleep 1 ; done ; \ - . set_env_vars ; \ - scons -j3 ; \ - ./postgres_setup.sh ; \ - cd /zafl ; \ - . set_env_vars ; \ - scons -j3 ; \ - cd / ; \ - rm -rf /zipr/irdb-libs /zipr/SMPStaticAnalyzer /*/.git' ; \ - cp /zafl/libzafl/lib/*so /out - -RUN cp /afl/afl-fuzz /out -COPY cc.sh /cc.sh -COPY cxx.sh /cxx.sh -COPY zafl_bins.sh /zafl_bins.sh -COPY null.c /tmp -COPY aflpp_driver.c /tmp -RUN clang -c -fPIC /tmp/null.c -o /tmp/null.o; ar crs /out/fakeLibrary.a /tmp/null.o; cp /out/fakeLibrary.a /usr/lib/libFuzzingEngine.a - -ENV LD_LIBRARY_PATH=/zafl/libzafl/lib/ - -# some benchmarks need this file which isn't copied by the default setup. -RUN if [ -f /usr/lib/x86_64-linux-gnu/hdf5/serial/libhdf5.so ] ;then echo copying libhdf5 ; cp /usr/lib/x86_64-linux-gnu/hdf5/serial/libhdf5.so /out ; chmod +x /out/libhdf5.so ; ln -s /out/libhdf5.so /out/libhdf5_serial.so.10; fi -RUN if [ -f /usr/lib/x86_64-linux-gnu/libsz.so.2 ] ;then echo copying ssl ; cp /usr/lib/x86_64-linux-gnu/libsz.so.2 /out/libsz.so ; chmod +x /out/libsz.so ; ln -s /out/libsz.so /out/libsz.so.2; fi -RUN if [ -f /usr/lib/x86_64-linux-gnu/libaec.so.0.0.3 ] ;then echo copying libaec ; cp /usr/lib/x86_64-linux-gnu/libaec.so.0.0.3 /out/libaec.so ; chmod +x /out/libaec.so ; ln -s /out/libaec.so /out/libaec.so.0; fi -RUN if [ -f /usr/lib/x86_64-linux-gnu/libcares.so ] ;then echo copying libcares ; cp /usr/lib/x86_64-linux-gnu/libcares.so /out ; chmod +x /out/libcares.so; ln -s /out/libcares.so /out/libcares.so.2; fi - - diff --git a/fuzzers/aflplusplus_zafl/cc.sh b/fuzzers/aflplusplus_zafl/cc.sh deleted file mode 100755 index 9c009ebe0..000000000 --- a/fuzzers/aflplusplus_zafl/cc.sh +++ /dev/null @@ -1,89 +0,0 @@ -#!/bin/bash -e -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -main() { - local args=("$@") - local argsWithoutSanitize=("${args[@]}") - local fakePattern1="/out/fakeLibrary.a" - local fakePattern2="-lFuzzingEngine" - local fakePattern3="/usr/lib/libFuzzingEngine.a" - declare -a dashLs=() - for index in "${!argsWithoutSanitize[@]}"; do - if [[ ${argsWithoutSanitize[$index]} == *"-fsanitize"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-Wl,-Bstatic"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-Werror"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-fvisibility=hidden"* ]] ; then - unset -v 'argsWithoutSanitize[$index]' - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libsqlite3.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libsqlite3.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libssl.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libssl.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libcrypto.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libcrypto.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/hdf5/serial/libhdf5.a"* ]]; then - argsWithoutSanitize[$index]="/out/libhdf5.so" - fi - - # memorize -L and -l options. - if [[ ${argsWithoutSanitize[$index]} == "-l"* || ${argsWithoutSanitize[$index]} == "-L"* ]]; then - dashLs=("${dashLs[@]}" "${argsWithoutSanitize[$index]}") - fi - done - argsWithoutSanitize=("${argsWithoutSanitize[@]}") - # if it has the fake library listed, and isn't complining, detecting dependencies, preprocessing, - # creating assembly, or linking a shared library, then - # it must be linking a main executable, and we want to control the link - # by building a shared library, and building a stand-along persistent mode driver - # that invokes the library. - if [[ ${args[@]} == *"$fakePattern1"* || ${args[@]} == *"$fakePattern2"* || ${args[@]} == *"$fakePattern3"* ]] && - [[ ${args[@]} != *" -c "* ]] && - [[ ${args[@]} != *" -M "* ]] && - [[ ${args[@]} != *" -E "* ]] && - [[ ${args[@]} != *" -S "* ]] && - [[ ${args[@]} != *" -shared "* ]] ; then - echo "in cxx.sh with args=${args[@]}" - set -x - local argsWithoutFakeLib=("${argsWithoutSanitize[@]}") - # remove fakePatterns - for index in "${!argsWithoutFakeLib[@]}"; do - if [[ ${argsWithoutFakeLib[$index]} == *"$fakePattern1"* || - ${argsWithoutFakeLib[$index]} == *"$fakePattern2"* || - ${argsWithoutFakeLib[$index]} == *"$fakePattern3"* - ]]; then - unset -v 'argsWithoutFakeLib[$index]' - fi - - done - argsWithoutFakeLib=("${argsWithoutFakeLib[@]}") - - local outfile=$(echo "bob ${args[@]}" | sed -e 's|.* -o *||' -e "s/ .*//" ) - local outfileBn=$(basename $outfile) - local libname=/out/lib${outfileBn}.so - if [[ $BENCHMARK == *"wireshark"* ]]; then - krb_str="/usr/lib/x86_64-linux-gnu/libkrb5.so.3" - fi - clang -fPIC -shared "${argsWithoutFakeLib[@]}" -lcares $krb_str - mv $outfile $libname - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-fast -DFUZZER_LIB_NAME='"'"/out/lib${outfileBn}.so"'"' -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.c -c -o /tmp/aflpp_driver.o - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-fast++ -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.o -o $outfile -lpthread -lm -lz -ldl - - else - - clang -fPIC "${argsWithoutSanitize[@]}" - - fi -} -main "$@" diff --git a/fuzzers/aflplusplus_zafl/cxx.sh b/fuzzers/aflplusplus_zafl/cxx.sh deleted file mode 100755 index ea6730bef..000000000 --- a/fuzzers/aflplusplus_zafl/cxx.sh +++ /dev/null @@ -1,91 +0,0 @@ -#!/bin/bash -e -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -main() { - local args=("$@") - local argsWithoutSanitize=("${args[@]}") - local fakePattern1="/out/fakeLibrary.a" - local fakePattern2="-lFuzzingEngine" - local fakePattern3="/usr/lib/libFuzzingEngine.a" - declare -a dashLs=() - for index in "${!argsWithoutSanitize[@]}"; do - if [[ ${argsWithoutSanitize[$index]} == *"-fsanitize"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-Wl,-Bstatic"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-Werror"* ]] || - [[ ${argsWithoutSanitize[$index]} == *"-fvisibility=hidden"* ]]; then - unset -v 'argsWithoutSanitize[$index]' - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libsqlite3.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libsqlite3.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libssl.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libssl.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/libcrypto.a"* ]]; then - argsWithoutSanitize[$index]="/usr/lib/x86_64-linux-gnu/libcrypto.so" - elif [[ ${argsWithoutSanitize[$index]} == *"/usr/lib/x86_64-linux-gnu/hdf5/serial/libhdf5.a"* ]]; then - argsWithoutSanitize[$index]="/out/libhdf5.so" - fi - - - # memorize -L and -l options. - if [[ ${argsWithoutSanitize[$index]} == "-l"* || ${argsWithoutSanitize[$index]} == "-L"* ]]; then - dashLs=("${dashLs[@]}" "${argsWithoutSanitize[$index]}") - fi - done - argsWithoutSanitize=("${argsWithoutSanitize[@]}") - # if it has the fake library listed, and isn't complaining, detecting dependencies, preprocessing, - # creating assembly, or linking a shared library, then - # it must be linking a main executable, and we want to control the link - # by building a shared library, and building a stand-along persistent mode driver - # that invokes the library. - if [[ ${args[@]} == *"$fakePattern1"* || ${args[@]} == *"$fakePattern2"* || ${args[@]} == *"$fakePattern3"* ]] && - [[ ${args[@]} != *" -c "* ]] && - [[ ${args[@]} != *" -M "* ]] && - [[ ${args[@]} != *" -E "* ]] && - [[ ${args[@]} != *" -S "* ]] && - [[ ${args[@]} != *" -shared "* ]] ; then - echo "in cxx.sh with args=${args[@]}" - set -x - local argsWithoutFakeLib=("${argsWithoutSanitize[@]}") - # remove fakePatterns - for index in "${!argsWithoutFakeLib[@]}"; do - if [[ ${argsWithoutFakeLib[$index]} == *"$fakePattern1"* || - ${argsWithoutFakeLib[$index]} == *"$fakePattern2"* || - ${argsWithoutFakeLib[$index]} == *"$fakePattern3"* - ]]; then - unset -v 'argsWithoutFakeLib[$index]' - fi - - done - argsWithoutFakeLib=("${argsWithoutFakeLib[@]}") - - local outfile=$(echo "bob ${args[@]}" | sed -e 's|.* -o *||' -e "s/ .*//" ) - local outfileBn=$(basename $outfile) - local libname=/out/lib${outfileBn}.so - local krb_str="" - if [[ $BENCHMARK == *"wireshark"* ]]; then - krb_str="/usr/lib/x86_64-linux-gnu/libkrb5.so.3" - fi - clang++ -fPIC -shared "${argsWithoutFakeLib[@]}" -lcares $krb_str - mv $outfile $libname - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-fast -DFUZZER_LIB_NAME='"'"/out/lib${outfileBn}.so"'"' -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.c -c -o /tmp/aflpp_driver.o - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-fast++ -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.o -o $outfile -lpthread -lm -lz -ldl - - else - - clang++ -fPIC "${argsWithoutSanitize[@]}" - - fi -} -main "$@" diff --git a/fuzzers/aflplusplus_zafl/fuzzer.py b/fuzzers/aflplusplus_zafl/fuzzer.py deleted file mode 100755 index 113e8eb70..000000000 --- a/fuzzers/aflplusplus_zafl/fuzzer.py +++ /dev/null @@ -1,60 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for Zafl fuzzer-prep binary rewriter.""" - -import os - -from fuzzers import utils -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -# -# how to build a fuzzbench benchmark -# -def build(): - """Build benchmark.""" - os.environ['AFL_MAP_SIZE'] = '65536' - os.environ['AFL_LLVM_MAP_ADDR'] = '0x1000000' - os.environ['ZAFL_FIXED_MAP_ADDR'] = '0x1000000' - os.environ['CC'] = '/cc.sh' - os.environ['CXX'] = '/cxx.sh' - if 'LD_LIBRARY_PATH' in os.environ: - os.environ['LD_LIBRARY_PATH'] = os.environ['LD_LIBRARY_PATH'] + ':/out' - else: - os.environ['LD_LIBRARY_PATH'] = '/out' - - utils.append_flags('CFLAGS', ['-fPIC', '-lpthread']) - utils.append_flags('CXXFLAGS', ['-fPIC', '-lpthread']) - os.environ['FUZZER_LIB'] = '/out/fakeLibrary.a' - utils.build_benchmark() - res = os.system('bash -x /zafl_bins.sh') - if res != 0: - os.system('rm -rf /out') - - -# -# how to fuzz a fuzzbench benchmark -# -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - run_options = [] - os.environ['AFL_MAP_SIZE'] = '65536' - os.environ['AFL_LLVM_MAP_ADDR'] = '0x1000000' - os.environ['ZAFL_DRIVER_SETS_UP_MAP'] = '1' - print(os.environ) - aflplusplus_fuzzer.fuzz(input_corpus, - output_corpus, - target_binary, - flags=(run_options)) diff --git a/fuzzers/aflplusplus_zafl/null.c b/fuzzers/aflplusplus_zafl/null.c deleted file mode 100644 index af0a2b06c..000000000 --- a/fuzzers/aflplusplus_zafl/null.c +++ /dev/null @@ -1,15 +0,0 @@ -// Copyright 2020 Google LLC -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// - diff --git a/fuzzers/aflplusplus_zafl/runner.Dockerfile b/fuzzers/aflplusplus_zafl/runner.Dockerfile deleted file mode 100644 index 9d0aba50f..000000000 --- a/fuzzers/aflplusplus_zafl/runner.Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM gcr.io/fuzzbench/base-image - -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -ENV AFL_MAP_SIZE=65536 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_zafl/zafl_bins.sh b/fuzzers/aflplusplus_zafl/zafl_bins.sh deleted file mode 100755 index 56cb1b671..000000000 --- a/fuzzers/aflplusplus_zafl/zafl_bins.sh +++ /dev/null @@ -1,77 +0,0 @@ -#!/bin/bash -ex -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - -setup_zafl() { - service postgresql start - pushd /zipr - source set_env_vars - popd - pushd /zafl - source set_env_vars - popd - while ! pg_isready; do sleep 1; done -} - -zafl_bins() { - cd /out - for i in *.so; do - if [[ $i == "libzafl.so" ]] || - [[ $i == "libhdf5.so" ]] || - [[ $i == "libsz.so" ]] || - [[ $i == "libaec.so" ]] || - [[ $i == "libfuzzshark_ip_proto-ospf.so" ]] || - [[ $i == "libfuzzshark_ip_proto-udp.so" ]] || - [[ $i == "libfuzzshark_media_type-json.so" ]] || - [[ $i == "libfuzzshark_tcp_port-bgp.so" ]] || - [[ $i == "libfuzzshark_udp_port-dhcp.so" ]] || - [[ $i == "libfuzzshark_udp_port-dns.so" ]] || - [[ $i == "libautozafl.so" ]] ; then - continue - fi - local filesize=$(wc -c $i | cut -d' ' -f1 ) - mv $i $i.orig - - # wireshark exceeds memory with full analysis, so - # skip full opts on programs that are too big, e.g. 10mb. - if (( $filesize < 104857600 )) ; then - zafl.sh $i.orig $i -s -d -g -m 0x1000000 || true - else - zafl.sh $i.orig $i --no-stars -m 0x1000000 || true - fi - if [[ ! -x $i ]]; then - echo "Unable to zafl $i" - exit 1 - fi - - # rebuild the driver if it exists. - local driverNameWithoutLib="${i#lib}" - local driverName=$(basename ${driverNameWithoutLib} .so) - if [[ -x $driverName ]]; then - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-lto -DFUZZER_LIB_NAME='"'"/out/${i}"'"' -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.c -c -o /tmp/aflpp_driver.o - AFL_LLVM_LTO_DONTWRITEID=1 AFL_MAP_SIZE=65536 AFL_LLVM_MAP_ADDR=0x1000000 /afl/afl-clang-lto++ -I/src/aflplusplus/include -O3 -funroll-loops -fPIC /tmp/aflpp_driver.o -o $driverName -ldl - fi - - done -} - -main() { - setup_zafl - zafl_bins - exit 0 -} - -main "$@" diff --git a/service/experiment-requests.yaml b/service/experiment-requests.yaml index 7a3b3b017..cbd6a5ae7 100644 --- a/service/experiment-requests.yaml +++ b/service/experiment-requests.yaml @@ -20,6 +20,17 @@ # Please add new experiment requests towards the top of this file. # +- experiment: 2023-03-24-main + description: "Tests main fuzzers" + fuzzers: + - aflplusplus + - libafl + - aflrustrust + - honggfuzz + - entropic + - libfuzzer + - centipede + - experiment: 2023-03-23-various description: "Tests darwin, pcg, ddfuzz" fuzzers: