From 4bb61df7905c6005000f5766e966e6fe30ab4559 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 18 Feb 2021 21:55:07 +0100
Subject: [PATCH] Final afl++ integration (#5191)

* final afl++ integration
* remove afl++ cmplog tests
* update afl++ commit id
* support rebuild
* llvm 13 workaround
* apply fix for llvm 13
* fix nits
* Fix nits.
* Fix name nit.
* update commit id
* update commit id
* update commit id to stable

Co-authored-by: Abhishek Arya
---
 infra/base-images/base-builder/Dockerfile | 2 +-
 infra/base-images/base-builder/compile_afl | 73 +++++++++++++++++++---
 infra/base-images/base-runner/run_fuzzer | 4 +-
 projects/libavif/build.sh | 6 --
 projects/libcacard/build.sh | 6 --
 projects/libxml2/build.sh | 6 --
 projects/openssl/build.sh | 6 --
 projects/skia/build.sh | 6 --
 projects/wireshark/build.sh | 6 --
 9 files changed, 67 insertions(+), 48 deletions(-)

diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 68c44be66..4ac72a190 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -177,7 +177,7 @@ WORKDIR $SRC
 # TODO: switch to -b stable once we can.
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
 cd aflplusplus && \
- git checkout aeb7d7048371cd91ab9280c3958f1c35e5d5e758
+ git checkout 5dd35f5281afec0955c08fe9f99e3c83222b7764
 
 RUN cd $SRC && \
 curl -L -O https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz && \
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index 318eca44e..17762d38e 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -15,6 +15,22 @@
 #
 ################################################################################
 
+# afl++ configuration options.
+# The 'env|grep' setup ensures we do not trigger the linter.
+# The variables need to be set to "1" here - or before running this script.
+
+# If enabled this provides a safe work around if afl-clang-fast ever break:
+env | grep -qw AFL_LLVM_MODE_WORKAROUND || {
+ # needed until llvm 13 works:
+ AFL_LLVM_MODE_WORKAROUND=0
+}
+
+# If a dictionary should be generated based on comparisons at compile time:
+env | grep -qw AFL_ENABLE_DICTIONARY || {
+ AFL_ENABLE_DICTIONARY=1
+}
+
+# Start compiling afl++.
 echo "Compiling afl++"
 
 # Build and copy afl++ tools necessary for fuzzing.
@@ -22,24 +38,23 @@ pushd $SRC/aflplusplus > /dev/null
 
 # Unset CFLAGS and CXXFLAGS while building AFL since we don't want to slow it
 # down with sanitizers.
-INITIAL_CXXFLAGS=$CXXFLAGS
-INITIAL_CFLAGS=$CFLAGS
+SAVE_CXXFLAGS=$CXXFLAGS
+SAVE_CFLAGS=$CFLAGS
 unset CXXFLAGS
 unset CFLAGS
+export AFL_IGNORE_UNKNOWN_ENVS=1
 make clean
 AFL_NO_X86=1 PYTHON_INCLUDE=/ make
-CFLAGS=$INITIAL_CFLAGS
-CXXFLAGS=$INITIAL_CXXFLAGS
+CFLAGS=$SAVE_CFLAGS
+CXXFLAGS=$SAVE_CXXFLAGS
 
 # Build afl++ driver with existing CFLAGS, CXXFLAGS.
 make -C utils/aflpp_driver
-cp libAFLDriver.a $LIB_FUZZING_ENGINE
+cp -f libAFLDriver.a $LIB_FUZZING_ENGINE
 
 # Some important projects include libraries, copy those even when they don't
 # start with "afl-". Use "sort -u" to avoid a warning about duplicates.
 ls afl-* *.txt *.a *.o *.so | sort -u | xargs cp -t $OUT
-popd > /dev/null
-
 export CC="$SRC/aflplusplus/afl-clang-fast"
 export CXX="$SRC/aflplusplus/afl-clang-fast++"
 
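Review bot: The `env | grep -qw` probes at the top of this hunk only see exported variables and only test for the name, so an `AFL_ENABLE_DICTIONARY=0` set by a sourcing caller without `export` is invisible and silently overwritten to 1, while a name that merely appears inside some other variable's value counts as "set". A plain default expansion covers both cases and, as far as I can tell, is clean under ShellCheck: `AFL_LLVM_MODE_WORKAROUND="${AFL_LLVM_MODE_WORKAROUND:-0}"` and `AFL_ENABLE_DICTIONARY="${AFL_ENABLE_DICTIONARY:-1}"`; if the linter the comment refers to still objects, a targeted `# shellcheck disable=` on that line is clearer than the probe. The header comment is also ambiguous about which value means what; I would reword it to `# Defaults for the afl++ build options below; export a variable before running this script to override its default.`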
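Review bot: `CFLAGS=$SAVE_CFLAGS` and `CXXFLAGS=$SAVE_CXXFLAGS` restore the values but not the export attribute that the preceding `unset` removed, so `make -C utils/aflpp_driver` two lines later does not see them in its environment despite the "with existing CFLAGS, CXXFLAGS" comment, and neither will a project build if this script is sourced (unless the caller runs with allexport); `export CFLAGS=$SAVE_CFLAGS` / `export CXXFLAGS=$SAVE_CXXFLAGS` is what the comment promises. Separately, `export AFL_IGNORE_UNKNOWN_ENVS=1` is placed before the afl++ `make` but never unset, so it stays in the environment for the target build and is recorded in afl_options.txt; if, as its name suggests, it silences afl++'s check for unrecognised `AFL_*` variables, a typo in a project's `AFL_LLVM_INSTRUMENT` or similar would then pass unnoticed. Scoping it to the one command keeps that check for the target build: `AFL_IGNORE_UNKNOWN_ENVS=1 AFL_NO_X86=1 PYTHON_INCLUDE=/ make`.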
@@ -50,8 +65,46 @@ export AFL_QUIET=1
 export AFL_MAP_SIZE=4194304
 # No leak errors during builds.
 export ASAN_OPTIONS="detect_leaks=0:symbolize=0"
-#
-# Placeholder for the upcoming afl++ build options roulette
-#
+
+# AFL compile option roulette. It is OK if they all happen together.
+
+# 40% chance to perform CMPLOG
+rm -f "$OUT/afl_cmplog.txt"
+test $(($RANDOM % 10)) -lt 4 && {
+ export AFL_LLVM_CMPLOG=1
+ # We need to notify afl-fuzz to activate CMPLOG
+ touch "$OUT/afl_cmplog.txt"
+}
+
+# 10% chance to perform LAF_INTEL
+test $(($RANDOM % 10)) -lt 1 && {
+ export AFL_LLVM_LAF_ALL=1
+}
+
+# In case afl-clang-fast ever breaks, this is a workaround:
+test "$AFL_LLVM_MODE_WORKAROUND" = "1" && {
+ export CC=clang
+ export CXX=clang++
+ WORKAROUND_FLAGS=-fsanitize-coverage=trace-pc-guard
+ # We can still do CMPLOG light:
+ test -e "$OUT/afl_cmplog.txt" && {
+ WORKAROUND_FLAGS="$WORKAROUND_FLAGS",trace-cmp
+ }
+ export CFLAGS="$CFLAGS $WORKAROUND_FLAGS"
+ export CXXFLAGS="$CXXFLAGS $WORKAROUND_FLAGS"
+ # We need to create a new fuzzer lib however.
+ ar ru libAFLDrivernew.a afl-compiler-rt.o utils/aflpp_driver/aflpp_driver.o
+ cp -f libAFLDrivernew.a $LIB_FUZZING_ENGINE
+}
+
+# If the targets whishes a dictionary - then create one.
+test "$AFL_ENABLE_DICTIONARY" = "1" && {
+ export AFL_LLVM_DICT2FILE="$OUT/afl++.dict"
+}
+
+# Provide a way to document the afl++ options used in this build:
+env | grep AFL_ > "$OUT/afl_options.txt"
+
+popd > /dev/null
 
 echo " done."
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index 6464ddc2c..8d137e330 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
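Review bot: The CMPLOG and LAF rolls cannot be pinned from outside: `rm -f "$OUT/afl_cmplog.txt"` runs unconditionally and the marker is only recreated on a winning roll, so a caller that pre-exports `AFL_LLVM_CMPLOG=1` gets a CMPLOG-instrumented binary whose run side (the `-c` that run_fuzzer adds on the marker) is still decided by `$RANDOM`, and a rebuild meant to reproduce a finding has no way to request the same configuration beyond reading afl_options.txt afterwards. Skipping the roll when the variable is preset and deriving the marker from the variable keeps both sides in sync: `test -z "${AFL_LLVM_CMPLOG:-}" && test $(($RANDOM % 10)) -lt 4 && export AFL_LLVM_CMPLOG=1`, followed after the `rm -f` by `test "${AFL_LLVM_CMPLOG:-}" = "1" && touch "$OUT/afl_cmplog.txt"`; the same pattern fits `AFL_LLVM_LAF_ALL`. Smaller: `env | grep AFL_ > "$OUT/afl_options.txt"` is unanchored and copies any variable whose value merely contains `AFL_` into the shipped artifact; `env | grep '^AFL_'` records just the afl++ settings.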
@@ -111,7 +111,9 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then
 # CMPLOG level 2, which will colorize larger files but not huge files and
 # not enable transform analysis unless there have been several cycles without
 # any finds.
-test -e $OUT/afl_cmplog.txt && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+test -e "$OUT/afl_cmplog.txt" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+# If $OUT/afl++.dict we load it as a dictionary for afl-fuzz.
+test -e "$OUT/afl++.dict" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -x $OUT/afl++.dict"
 # AFL expects at least 1 file in the input dir.
 echo input > ${CORPUS_DIR}/input
 CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o $FUZZER_OUT $(get_dictionary) $* -- $OUT/$FUZZER"
diff --git a/projects/libavif/build.sh b/projects/libavif/build.sh
index a981fa250..130709fb9 100755
--- a/projects/libavif/build.sh
+++ b/projects/libavif/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 # build dav1d
 cd ext && bash dav1d.cmd && cd ..
 
diff --git a/projects/libcacard/build.sh b/projects/libcacard/build.sh
index 9c0c974de..719502e90 100755
--- a/projects/libcacard/build.sh
+++ b/projects/libcacard/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 # Workaround for fixing AFL++ build, discarded for others.
 # See https://github.com/google/oss-fuzz/issues/4280#issuecomment-773977943
 export AFL_LLVM_INSTRUMENT=CLASSIC,NGRAM-4
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
index 7485bc27d..4240ba7f9 100755
--- a/projects/libxml2/build.sh
+++ b/projects/libxml2/build.sh
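Review bot: The comment on the new dictionary line is missing its verb and does not say that this dictionary is added on top of the project one that `$(get_dictionary)` appends to the command line a few lines later; I would write `# If $OUT/afl++.dict exists (written via AFL_LLVM_DICT2FILE in compile_afl), pass it as an extra -x dictionary alongside the project's own.` Since both can end up on one afl-fuzz invocation, this relies on afl-fuzz accepting a repeated `-x`, which recent afl++ does but is worth confirming against the pinned commit. The enclosing `if [[ "$FUZZING_ENGINE" = afl ]]` block starts before the hunk and its `fi` is outside it.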
@@ -16,12 +16,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 if [ "$SANITIZER" = undefined ]; then
 export CFLAGS="$CFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
 export CXXFLAGS="$CXXFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
diff --git a/projects/openssl/build.sh b/projects/openssl/build.sh
index 0832c6ad0..14768c973 100755
--- a/projects/openssl/build.sh
+++ b/projects/openssl/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 CONFIGURE_FLAGS=""
 if [[ $CFLAGS = *sanitize=memory* ]]
 then
diff --git a/projects/skia/build.sh b/projects/skia/build.sh
index a8b111d42..899bfc535 100644
--- a/projects/skia/build.sh
+++ b/projects/skia/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 # Build SwiftShader
 pushd third_party/externals/swiftshader/
 export SWIFTSHADER_INCLUDE_PATH=$PWD/include
diff --git a/projects/wireshark/build.sh b/projects/wireshark/build.sh
index de41e0709..bdb34eb52 100755
--- a/projects/wireshark/build.sh
+++ b/projects/wireshark/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
 
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 WIRESHARK_BUILD_PATH="$WORK/build"
 mkdir -p "$WIRESHARK_BUILD_PATH"