From 73b488f6c4c3fc5f1912e66ff7200e0eec3e8376 Mon Sep 17 00:00:00 2001 
From: van Hauser Date: Thu, 6 Apr 2023 02:28:41 +0200 Subject: [PATCH] afl++ mutation experiment (#1817) this tests the new mutation engine plus checks if a minor regression is fixed. --- fuzzers/aflplusplus/builder.Dockerfile | 2 +- fuzzers/aflplusplus_314/builder.Dockerfile | 2 +- fuzzers/aflplusplus_403/builder.Dockerfile | 56 ---- fuzzers/aflplusplus_403/description.md | 14 - fuzzers/aflplusplus_403/fuzzer.py | 282 ------------------ fuzzers/aflplusplus_403/runner.Dockerfile | 23 -- fuzzers/aflplusplus_404/builder.Dockerfile | 56 ---- fuzzers/aflplusplus_404/description.md | 14 - fuzzers/aflplusplus_404/fuzzer.py | 282 ------------------ fuzzers/aflplusplus_404/runner.Dockerfile | 23 -- fuzzers/aflplusplus_405/builder.Dockerfile | 56 ---- fuzzers/aflplusplus_405/description.md | 14 - fuzzers/aflplusplus_405/fuzzer.py | 282 ------------------ fuzzers/aflplusplus_405/runner.Dockerfile | 23 -- .../builder.Dockerfile | 11 +- .../description.md | 0 .../fuzzer.py | 2 +- .../runner.Dockerfile | 0 .../builder.Dockerfile | 11 +- .../description.md | 0 .../fuzzer.py | 2 +- .../runner.Dockerfile | 0 .../builder.Dockerfile | 12 +- .../description.md | 0 .../fuzzer.py | 2 +- .../runner.Dockerfile | 0 .../builder.Dockerfile | 12 +- .../description.md | 0 .../fuzzer.py | 4 +- .../runner.Dockerfile | 0 service/experiment-requests.yaml | 24 ++ 31 files changed, 42 insertions(+), 1167 deletions(-) delete mode 100644 fuzzers/aflplusplus_403/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_403/description.md delete mode 100755 fuzzers/aflplusplus_403/fuzzer.py delete mode 100644 fuzzers/aflplusplus_403/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_404/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_404/description.md delete mode 100755 fuzzers/aflplusplus_404/fuzzer.py delete mode 100644 fuzzers/aflplusplus_404/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_405/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_405/description.md 
delete mode 100755 fuzzers/aflplusplus_405/fuzzer.py delete mode 100644 fuzzers/aflplusplus_405/runner.Dockerfile rename fuzzers/{aflplusplus_313 => aflplusplus_mutnewhavoc}/builder.Dockerfile (83%) rename fuzzers/{aflplusplus_313 => aflplusplus_mutnewhavoc}/description.md (100%) rename fuzzers/{aflplusplus_401 => aflplusplus_mutnewhavoc}/fuzzer.py (99%) rename fuzzers/{aflplusplus_313 => aflplusplus_mutnewhavoc}/runner.Dockerfile (100%) rename fuzzers/{aflplusplus_401 => aflplusplus_mutsamehavoc}/builder.Dockerfile (83%) rename fuzzers/{aflplusplus_400 => aflplusplus_mutsamehavoc}/description.md (100%) rename fuzzers/{aflplusplus_313 => aflplusplus_mutsamehavoc}/fuzzer.py (99%) rename fuzzers/{aflplusplus_400 => aflplusplus_mutsamehavoc}/runner.Dockerfile (100%) rename fuzzers/{aflplusplus_400 => aflplusplus_newqueue}/builder.Dockerfile (80%) rename fuzzers/{aflplusplus_401 => aflplusplus_newqueue}/description.md (100%) rename fuzzers/{aflplusplus_402 => aflplusplus_newqueue}/fuzzer.py (99%) rename fuzzers/{aflplusplus_401 => aflplusplus_newqueue}/runner.Dockerfile (100%) rename fuzzers/{aflplusplus_402 => aflplusplus_newqueuez}/builder.Dockerfile (80%) rename fuzzers/{aflplusplus_402 => aflplusplus_newqueuez}/description.md (100%) rename fuzzers/{aflplusplus_400 => aflplusplus_newqueuez}/fuzzer.py (99%) rename fuzzers/{aflplusplus_402 => aflplusplus_newqueuez}/runner.Dockerfile (100%)
diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile
index aaee4af92..b80f9d1e3 100644
--- a/fuzzers/aflplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplus/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
# Download afl++.
RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
cd /afl && \
- git checkout d80cedcf02f56351bb08e7520ddcd76b0ff3f84e || \
+ git checkout 5fea071ae99dc68d634afd996fcd280f57f78002 || \
true

# Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_314/builder.Dockerfile b/fuzzers/aflplusplus_314/builder.Dockerfile
index 34bd88197..6d5913722 100644
--- a/fuzzers/aflplusplus_314/builder.Dockerfile
+++ b/fuzzers/aflplusplus_314/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
# Download afl++.
RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
cd /afl && \
- git checkout 1e23a8d67832eb296fa9abef0745b61ac74ae889 || \
+ git checkout 48c878a76ddec2c133fd5708b185b2ac27740084 || \
true

RUN apt install -y lsb-release wget software-properties-common gnupg
diff --git a/fuzzers/aflplusplus_403/builder.Dockerfile b/fuzzers/aflplusplus_403/builder.Dockerfile
deleted file mode 100644
index bd1cd3138..000000000
--- a/fuzzers/aflplusplus_403/builder.Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout ad4b7274766418d2006177edebf0d242b49c5fef || \
- true
-
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_403/description.md b/fuzzers/aflplusplus_403/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_403/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_403/fuzzer.py b/fuzzers/aflplusplus_403/fuzzer.py
deleted file mode 100755
index 8738dc9ee..000000000
--- a/fuzzers/aflplusplus_403/fuzzer.py
+++ /dev/null
@@ -1,282 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment.
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
-
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- if 'gcc' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- if build_flags.find('array-bounds') != -1:
- os.environ['CFLAGS'] = '-fsanitize=address -O1'
- os.environ['CXXFLAGS'] = '-fsanitize=address -O1'
- else:
- os.environ['CFLAGS'] = ''
- os.environ['CXXFLAGS'] = ''
- os.environ['CPPFLAGS'] = ''
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms. (see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For symcc build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new symcc build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for symcc fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is False:
- flags += ['-c', cmplog_target_binary]
-
- #os.environ['AFL_IGNORE_TIMEOUTS'] = '1'
- os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
- os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflplusplus_403/runner.Dockerfile b/fuzzers/aflplusplus_403/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflplusplus_403/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_404/builder.Dockerfile b/fuzzers/aflplusplus_404/builder.Dockerfile
deleted file mode 100644
index b16057e19..000000000
--- a/fuzzers/aflplusplus_404/builder.Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout cbfa5207ba2853e249ffb256d99880368ee224e0 || \
- true
-
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_404/description.md b/fuzzers/aflplusplus_404/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_404/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_404/fuzzer.py b/fuzzers/aflplusplus_404/fuzzer.py
deleted file mode 100755
index 8738dc9ee..000000000
--- a/fuzzers/aflplusplus_404/fuzzer.py
+++ /dev/null
@@ -1,282 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment.
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
-
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- if 'gcc' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- if build_flags.find('array-bounds') != -1:
- os.environ['CFLAGS'] = '-fsanitize=address -O1'
- os.environ['CXXFLAGS'] = '-fsanitize=address -O1'
- else:
- os.environ['CFLAGS'] = ''
- os.environ['CXXFLAGS'] = ''
- os.environ['CPPFLAGS'] = ''
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms. (see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For symcc build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new symcc build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for symcc fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is False:
- flags += ['-c', cmplog_target_binary]
-
- #os.environ['AFL_IGNORE_TIMEOUTS'] = '1'
- os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
- os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflplusplus_404/runner.Dockerfile b/fuzzers/aflplusplus_404/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflplusplus_404/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_405/builder.Dockerfile b/fuzzers/aflplusplus_405/builder.Dockerfile
deleted file mode 100644
index 8074be02c..000000000
--- a/fuzzers/aflplusplus_405/builder.Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 3b6fcd911a860a8c823c912c4b08b423734e4cfe || \
- true
-
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_405/description.md b/fuzzers/aflplusplus_405/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_405/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_405/fuzzer.py b/fuzzers/aflplusplus_405/fuzzer.py
deleted file mode 100755
index 8738dc9ee..000000000
--- a/fuzzers/aflplusplus_405/fuzzer.py
+++ /dev/null
@@ -1,282 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_405/runner.Dockerfile b/fuzzers/aflplusplus_405/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_405/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 
diff --git a/fuzzers/aflplusplus_313/builder.Dockerfile b/fuzzers/aflplusplus_mutnewhavoc/builder.Dockerfile
similarity index 83%
rename from fuzzers/aflplusplus_313/builder.Dockerfile
rename to fuzzers/aflplusplus_mutnewhavoc/builder.Dockerfile
index 099f722c8..f0e421779 100644
--- a/fuzzers/aflplusplus_313/builder.Dockerfile
+++ b/fuzzers/aflplusplus_mutnewhavoc/builder.Dockerfile
@@ -37,14 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout cda62bab0837f1cbec2a1245de32b04a09e61af5 || \
- true
-
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
+ git checkout e313180e4d3f7ba44b773e43af40d4af21088576
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
@@ -52,5 +45,5 @@ RUN cd /afl && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
+ make install && \
 cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_313/description.md b/fuzzers/aflplusplus_mutnewhavoc/description.md
similarity index 100%
rename from fuzzers/aflplusplus_313/description.md
rename to fuzzers/aflplusplus_mutnewhavoc/description.md
diff --git a/fuzzers/aflplusplus_401/fuzzer.py b/fuzzers/aflplusplus_mutnewhavoc/fuzzer.py
similarity index 99%
rename from fuzzers/aflplusplus_401/fuzzer.py
rename to fuzzers/aflplusplus_mutnewhavoc/fuzzer.py
index 8738dc9ee..7016da75e 100755
--- a/fuzzers/aflplusplus_401/fuzzer.py
+++ b/fuzzers/aflplusplus_mutnewhavoc/fuzzer.py
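Review bot: In the second hunk `make install` becomes the only step expected to produce `utils/aflpp_driver/libAFLDriver.a`, which the unchanged next line still copies out of the source tree; the removed `make -C utils/aflpp_driver` built that archive explicitly, so unless the pinned commit's install target also builds the driver the `cp` fails. Keeping the explicit step is cheap: `make install && \` followed by `make -C utils/aflpp_driver && \`. Dropping the `|| \` / `true` fallback after the checkout in the first hunk is the right call, since a failed checkout now fails the build instead of quietly building whatever the clone's default branch points at. The same `make install` substitution appears in the mutsamehavoc, newqueue and newqueuez builder hunks below; both `RUN` instructions begin before their hunks.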
@@ -116,7 +116,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements
 # Generate an extra dictionary.
 if 'dict2file' in build_modes or 'native' in build_modes:
 os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
+ os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
 # Enable context sentitivity for LLVM mode (non LTO only)
 if 'ctx' in build_modes:
 os.environ['AFL_LLVM_CTX'] = '1'
diff --git a/fuzzers/aflplusplus_313/runner.Dockerfile b/fuzzers/aflplusplus_mutnewhavoc/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_313/runner.Dockerfile
rename to fuzzers/aflplusplus_mutnewhavoc/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_401/builder.Dockerfile b/fuzzers/aflplusplus_mutsamehavoc/builder.Dockerfile
similarity index 83%
rename from fuzzers/aflplusplus_401/builder.Dockerfile
rename to fuzzers/aflplusplus_mutsamehavoc/builder.Dockerfile
index 2a9efcae2..ba8025603 100644
--- a/fuzzers/aflplusplus_401/builder.Dockerfile
+++ b/fuzzers/aflplusplus_mutsamehavoc/builder.Dockerfile
@@ -37,14 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 40947508037b874020c8dd1251359fecaab04b9d || \
- true
-
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
+ git checkout 61e31551fca170e0afe0c7a2faa4e9b4fe4a751f
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
@@ -52,5 +45,5 @@ RUN cd /afl && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
+ make install && \
 cp utils/aflpp_driver/libAFLDriver.a /
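Review bot: The newly enabled `AFL_LLVM_DICT2FILE_NO_MAIN` line carries no comment, and the `# Generate an extra dictionary.` comment above it no longer says what the dictionary written to `afl++.dict` now leaves out, so a reader has to look the variable up to understand the change in the build. If the variable's documented intent is what I recall — skip `main()` when collecting dictionary tokens — the existing comment could become `# Generate an extra dictionary, skipping tokens found in main().`; please confirm against the afl++ docs for the pinned commit. The identical hunk is repeated in the mutsamehavoc, newqueue and newqueuez fuzzer.py sections below, which are copies of this file; treat this note as applying to all four. `build` starts and ends outside the hunk.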
diff --git a/fuzzers/aflplusplus_400/description.md b/fuzzers/aflplusplus_mutsamehavoc/description.md
similarity index 100%
rename from fuzzers/aflplusplus_400/description.md
rename to fuzzers/aflplusplus_mutsamehavoc/description.md
diff --git a/fuzzers/aflplusplus_313/fuzzer.py b/fuzzers/aflplusplus_mutsamehavoc/fuzzer.py
similarity index 99%
rename from fuzzers/aflplusplus_313/fuzzer.py
rename to fuzzers/aflplusplus_mutsamehavoc/fuzzer.py
index 8738dc9ee..7016da75e 100755
--- a/fuzzers/aflplusplus_313/fuzzer.py
+++ b/fuzzers/aflplusplus_mutsamehavoc/fuzzer.py
@@ -116,7 +116,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements
 # Generate an extra dictionary.
 if 'dict2file' in build_modes or 'native' in build_modes:
 os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
+ os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
 # Enable context sentitivity for LLVM mode (non LTO only)
 if 'ctx' in build_modes:
 os.environ['AFL_LLVM_CTX'] = '1'
diff --git a/fuzzers/aflplusplus_400/runner.Dockerfile b/fuzzers/aflplusplus_mutsamehavoc/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_400/runner.Dockerfile
rename to fuzzers/aflplusplus_mutsamehavoc/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_400/builder.Dockerfile b/fuzzers/aflplusplus_newqueue/builder.Dockerfile
similarity index 80%
rename from fuzzers/aflplusplus_400/builder.Dockerfile
rename to fuzzers/aflplusplus_newqueue/builder.Dockerfile
index cd701017f..9cf55f6cc 100644
--- a/fuzzers/aflplusplus_400/builder.Dockerfile
+++ b/fuzzers/aflplusplus_newqueue/builder.Dockerfile
@@ -35,22 +35,16 @@ RUN apt-get update && \
 libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 # Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 143c9d175e9357ba548413ee7dcee6a8de23f733 || \
+ git checkout d67ee1777859b55b1660cef15fc09219fb165140 || \
 true
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
-
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
+ make install && \
 cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_401/description.md b/fuzzers/aflplusplus_newqueue/description.md
similarity index 100%
rename from fuzzers/aflplusplus_401/description.md
rename to fuzzers/aflplusplus_newqueue/description.md
diff --git a/fuzzers/aflplusplus_402/fuzzer.py b/fuzzers/aflplusplus_newqueue/fuzzer.py
similarity index 99%
rename from fuzzers/aflplusplus_402/fuzzer.py
rename to fuzzers/aflplusplus_newqueue/fuzzer.py
index 8738dc9ee..7016da75e 100755
--- a/fuzzers/aflplusplus_402/fuzzer.py
+++ b/fuzzers/aflplusplus_newqueue/fuzzer.py
@@ -116,7 +116,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements
 # Generate an extra dictionary.
 if 'dict2file' in build_modes or 'native' in build_modes:
 os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
+ os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
 # Enable context sentitivity for LLVM mode (non LTO only)
 if 'ctx' in build_modes:
 os.environ['AFL_LLVM_CTX'] = '1'
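Review bot: The `|| \` / `true` fallback after `git checkout d67ee1777859b55b1660cef15fc09219fb165140` survives this hunk, so if that commit is ever unreachable from the `dev` clone the image silently builds whatever `dev` currently points at and the experiment stops being pinned to a known afl++ revision; the mutnewhavoc and mutsamehavoc builders in this same commit remove that fallback. Suggest making `git checkout d67ee1777859b55b1660cef15fc09219fb165140` the last line of the `RUN`, dropping `|| \` and `true`. The newqueuez builder hunk on the next line keeps the same fallback with the same commit. The `RUN` instruction begins before the hunk.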
diff --git a/fuzzers/aflplusplus_401/runner.Dockerfile b/fuzzers/aflplusplus_newqueue/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_401/runner.Dockerfile
rename to fuzzers/aflplusplus_newqueue/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_402/builder.Dockerfile b/fuzzers/aflplusplus_newqueuez/builder.Dockerfile
similarity index 80%
rename from fuzzers/aflplusplus_402/builder.Dockerfile
rename to fuzzers/aflplusplus_newqueuez/builder.Dockerfile
index 7517b4f5b..9cf55f6cc 100644
--- a/fuzzers/aflplusplus_402/builder.Dockerfile
+++ b/fuzzers/aflplusplus_newqueuez/builder.Dockerfile
@@ -35,22 +35,16 @@ RUN apt-get update && \
 libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 # Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl && \
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 3e2986dd78dbc45035b47a34eedd7dd1b9a4d0b3 || \
+ git checkout d67ee1777859b55b1660cef15fc09219fb165140 || \
 true
-RUN apt install -y lsb-release wget software-properties-common gnupg
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 13
-
-ENV LLVM_CONFIG llvm-config-13
-
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
+ make install && \
 cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_402/description.md b/fuzzers/aflplusplus_newqueuez/description.md
similarity index 100%
rename from fuzzers/aflplusplus_402/description.md
rename to fuzzers/aflplusplus_newqueuez/description.md
diff --git a/fuzzers/aflplusplus_400/fuzzer.py b/fuzzers/aflplusplus_newqueuez/fuzzer.py
similarity index 99%
rename from fuzzers/aflplusplus_400/fuzzer.py
rename to fuzzers/aflplusplus_newqueuez/fuzzer.py
index 8738dc9ee..c5ae76f8d 100755
--- a/fuzzers/aflplusplus_400/fuzzer.py
+++ b/fuzzers/aflplusplus_newqueuez/fuzzer.py
@@ -116,7 +116,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements
 # Generate an extra dictionary.
 if 'dict2file' in build_modes or 'native' in build_modes:
 os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- #os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
+ os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
 # Enable context sentitivity for LLVM mode (non LTO only)
 if 'ctx' in build_modes:
 os.environ['AFL_LLVM_CTX'] = '1'
@@ -261,6 +261,8 @@ def fuzz(input_corpus,
 if os.path.exists('./afl++.dict'):
 flags += ['-x', './afl++.dict']
+ flags += ['-z']
+
 # Move the following to skip for upcoming _double tests:
 if os.path.exists(cmplog_target_binary) and no_cmplog is False:
 flags += ['-c', cmplog_target_binary]
diff --git a/fuzzers/aflplusplus_402/runner.Dockerfile b/fuzzers/aflplusplus_newqueuez/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_402/runner.Dockerfile
rename to fuzzers/aflplusplus_newqueuez/runner.Dockerfile
diff --git a/service/experiment-requests.yaml b/service/experiment-requests.yaml
index 57a4e3191..00a74b3b8 100644
--- a/service/experiment-requests.yaml
+++ b/service/experiment-requests.yaml
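Review bot: `flags += ['-z']` in the second hunk is appended unconditionally and without a comment, so this file gives no hint which afl-fuzz option the newqueuez variant exercises or that it is only meaningful for the dev commit pinned in its builder.Dockerfile; the renamed description.md is unchanged and does not mention it either. Suggest `flags.append('-z')  # newqueuez experiment: option under test; needs the afl-fuzz build pinned in builder.Dockerfile`, and spelling out what the option toggles (presumably the queue behaviour the fuzzer's name refers to, which I cannot confirm from here). `fuzz` starts and ends outside the hunk.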
@@ -20,6 +20,30 @@
 # Please add new experiment requests towards the top of this file.
 #
+- experiment: 2023-04-05-aflpp
+ description: "Test new mutation engine"
+ fuzzers:
+ - aflplusplus
+ - aflplusplus_314
+ - aflplusplus_mutsamehavoc
+ - aflplusplus_mutnewhavoc
+ - aflplusplus_406
+ - aflplusplus_newqueue
+ - aflplusplus_newqueuez
+ benchmarks:
+ - bloaty_fuzz_target
+ - curl_curl_fuzzer_http
+ - freetype2_ftfuzzer
+ - lcms_cms_transform_fuzzer
+ - libpcap_fuzz_both
+ - libxml2_xml
+ - mbedtls_fuzz_dtlsclient
+ - openthread_ot-ip6-send-fuzzer
+ - proj4_proj_crs_to_crs_fuzzer
+ - sqlite3_ossfuzz
+ - stb_stbi_read_fuzzer
+ - woff2_convert_woff2ttf_fuzzer
+
 - experiment: 2023-03-25-aflpp-comp
 description: "Tests main fuzzers"
 fuzzers: