From 31bfd7c68c8df0b0e3e45a4d2ffba2cd09e4b580 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 24 Aug 2023 16:15:38 +0200
Subject: [PATCH 01/39] update afl++ commit id
---
fuzzers/aflplusplus/builder.Dockerfile | 2 +-
fuzzers/aflplusplus_exploit/builder.Dockerfile | 2 +-
fuzzers/aflplusplus_frida/builder.Dockerfile | 2 +-
fuzzers/aflplusplus_qemu/builder.Dockerfile | 2 +-
fuzzers/aflplusplus_symqemu/builder.Dockerfile | 2 +-
fuzzers/aflplusplus_text/builder.Dockerfile | 2 +-
fuzzers/aflplusplusplus/builder.Dockerfile | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile
index fa5835a1c..044df5255 100644
--- a/fuzzers/aflplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplus/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || \
+ git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_exploit/builder.Dockerfile b/fuzzers/aflplusplus_exploit/builder.Dockerfile
index fa5835a1c..044df5255 100644
--- a/fuzzers/aflplusplus_exploit/builder.Dockerfile
+++ b/fuzzers/aflplusplus_exploit/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || \
+ git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_frida/builder.Dockerfile b/fuzzers/aflplusplus_frida/builder.Dockerfile
index ac439d829..fa13cdf43 100644
--- a/fuzzers/aflplusplus_frida/builder.Dockerfile
+++ b/fuzzers/aflplusplus_frida/builder.Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && \
 # Download afl++
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9
+ cd /afl && git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8
 # Build afl++ without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_qemu/builder.Dockerfile b/fuzzers/aflplusplus_qemu/builder.Dockerfile
index e4a38bae3..503b34113 100644
--- a/fuzzers/aflplusplus_qemu/builder.Dockerfile
+++ b/fuzzers/aflplusplus_qemu/builder.Dockerfile
@@ -30,7 +30,7 @@ RUN apt-get update && \
 # Download afl++
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || true
+ cd /afl && git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || true
 # Build afl++ without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_symqemu/builder.Dockerfile b/fuzzers/aflplusplus_symqemu/builder.Dockerfile
index d496a7031..c8e401522 100644
--- a/fuzzers/aflplusplus_symqemu/builder.Dockerfile
+++ b/fuzzers/aflplusplus_symqemu/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || \
+ git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_text/builder.Dockerfile b/fuzzers/aflplusplus_text/builder.Dockerfile
index fa5835a1c..044df5255 100644
--- a/fuzzers/aflplusplus_text/builder.Dockerfile
+++ b/fuzzers/aflplusplus_text/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || \
+ git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplusplus/builder.Dockerfile b/fuzzers/aflplusplusplus/builder.Dockerfile
index 0084feb44..5e7cf39ea 100644
--- a/fuzzers/aflplusplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplusplus/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 || \
+ git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
 true
 # Build without Python support as we don't need it.
From ef090861bb64484094d3e3702adb76bc44346b05 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 25 Aug 2023 09:19:57 +0200
Subject: [PATCH 02/39] remove outdated variants
---
.../aflplusplus_exploit/builder.Dockerfile | 49 ---
fuzzers/aflplusplus_exploit/description.md | 14 -
fuzzers/aflplusplus_exploit/fuzzer.py | 284 -----------------
fuzzers/aflplusplus_exploit/runner.Dockerfile | 24 --
.../aflplusplus_ff_comp/builder.Dockerfile | 89 ------
fuzzers/aflplusplus_ff_comp/description.md | 14 -
fuzzers/aflplusplus_ff_comp/fuzzer.py | 284 -----------------
fuzzers/aflplusplus_ff_comp/runner.Dockerfile | 42 ---
.../aflplusplus_fishfuzz/builder.Dockerfile | 107 -------
fuzzers/aflplusplus_fishfuzz/description.md | 5 -
fuzzers/aflplusplus_fishfuzz/fuzzer.py | 185 -----------
.../aflplusplus_fishfuzz/runner.Dockerfile | 42 ---
.../aflplusplus_mutcomp/builder.Dockerfile | 49 ---
fuzzers/aflplusplus_mutcomp/description.md | 14 -
fuzzers/aflplusplus_mutcomp/fuzzer.py | 282 -----------------
fuzzers/aflplusplus_mutcomp/runner.Dockerfile | 24 --
fuzzers/aflplusplus_mutnew/builder.Dockerfile | 49 ---
fuzzers/aflplusplus_mutnew/description.md | 14 -
fuzzers/aflplusplus_mutnew/fuzzer.py | 282 -----------------
fuzzers/aflplusplus_mutnew/runner.Dockerfile | 24 --
fuzzers/aflplusplus_text/builder.Dockerfile | 49 ---
fuzzers/aflplusplus_text/description.md | 14 -
fuzzers/aflplusplus_text/fuzzer.py | 284 -----------------
fuzzers/aflplusplus_text/runner.Dockerfile | 24 --
fuzzers/aflplusplusplus/builder.Dockerfile | 54 ----
fuzzers/aflplusplusplus/description.md | 18 --
fuzzers/aflplusplusplus/fuzzer.py | 297 ------------------
fuzzers/aflplusplusplus/runner.Dockerfile | 23 --
28 files changed, 2640 deletions(-)
delete mode 100644 fuzzers/aflplusplus_exploit/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplus_exploit/description.md
delete mode 100755 fuzzers/aflplusplus_exploit/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_exploit/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplus_ff_comp/builder.Dockerfile
delete mode 100644 
fuzzers/aflplusplus_ff_comp/description.md
delete mode 100755 fuzzers/aflplusplus_ff_comp/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_ff_comp/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplus_fishfuzz/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplus_fishfuzz/description.md
delete mode 100755 fuzzers/aflplusplus_fishfuzz/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_fishfuzz/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplus_mutcomp/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplus_mutcomp/description.md
delete mode 100755 fuzzers/aflplusplus_mutcomp/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_mutcomp/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplus_mutnew/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplus_mutnew/description.md
delete mode 100755 fuzzers/aflplusplus_mutnew/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_mutnew/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplus_text/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplus_text/description.md
delete mode 100755 fuzzers/aflplusplus_text/fuzzer.py
delete mode 100644 fuzzers/aflplusplus_text/runner.Dockerfile
delete mode 100644 fuzzers/aflplusplusplus/builder.Dockerfile
delete mode 100644 fuzzers/aflplusplusplus/description.md
delete mode 100755 fuzzers/aflplusplusplus/fuzzer.py
delete mode 100644 fuzzers/aflplusplusplus/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_exploit/builder.Dockerfile b/fuzzers/aflplusplus_exploit/builder.Dockerfile
deleted file mode 100644
index 044df5255..000000000
--- a/fuzzers/aflplusplus_exploit/builder.Dockerfile
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_exploit/description.md b/fuzzers/aflplusplus_exploit/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_exploit/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_exploit/fuzzer.py b/fuzzers/aflplusplus_exploit/fuzzer.py
deleted file mode 100755
index 2c632da80..000000000
--- a/fuzzers/aflplusplus_exploit/fuzzer.py
+++ /dev/null
@@ -1,284 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment. 
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
-
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- if 'gcc' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- if build_flags.find('array-bounds') != -1:
- os.environ['CFLAGS'] = '-fsanitize=address -O1'
- os.environ['CXXFLAGS'] = '-fsanitize=address -O1'
- else:
- os.environ['CFLAGS'] = ''
- os.environ['CXXFLAGS'] = ''
- os.environ['CPPFLAGS'] = ''
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes 
or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms. (see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For symcc build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new symcc build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for symcc fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- flags += ['-P', 'exploit']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is False:
- flags += ['-c', cmplog_target_binary]
-
- #os.environ['AFL_IGNORE_TIMEOUTS'] = '1'
- os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
- os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflplusplus_exploit/runner.Dockerfile b/fuzzers/aflplusplus_exploit/runner.Dockerfile
deleted file mode 100644
index 1a10f861c..000000000
--- a/fuzzers/aflplusplus_exploit/runner.Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-RUN apt install -y unzip git gdb joe
diff --git a/fuzzers/aflplusplus_ff_comp/builder.Dockerfile b/fuzzers/aflplusplus_ff_comp/builder.Dockerfile
deleted file mode 100644
index 221a95ecc..000000000
--- a/fuzzers/aflplusplus_ff_comp/builder.Dockerfile
+++ /dev/null
@@ -1,89 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-RUN apt install -y lsb-release wget software-properties-common
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12 all
-
-ENV LLVM_CONFIG=llvm-config-12
-
-RUN update-alternatives \
- --install /usr/lib/llvm llvm /usr/lib/llvm-12 100 \
- --slave /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-12 \
- --slave /usr/bin/llvm-ar llvm-ar /usr/bin/llvm-ar-12 \
- --slave /usr/bin/llvm-as llvm-as /usr/bin/llvm-as-12 \
- --slave /usr/bin/llvm-bcanalyzer llvm-bcanalyzer /usr/bin/llvm-bcanalyzer-12 \
- --slave /usr/bin/llvm-c-test llvm-c-test /usr/bin/llvm-c-test-12 \
- --slave /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-12 \
- --slave /usr/bin/llvm-diff llvm-diff /usr/bin/llvm-diff-12 \
- --slave /usr/bin/llvm-dis llvm-dis /usr/bin/llvm-dis-12 \
- --slave /usr/bin/llvm-dwarfdump llvm-dwarfdump /usr/bin/llvm-dwarfdump-12 \
- --slave /usr/bin/llvm-extract llvm-extract /usr/bin/llvm-extract-12 \
- --slave 
/usr/bin/llvm-link llvm-link /usr/bin/llvm-link-12 \
- --slave /usr/bin/llvm-mc llvm-mc /usr/bin/llvm-mc-12 \
- --slave /usr/bin/llvm-nm llvm-nm /usr/bin/llvm-nm-12 \
- --slave /usr/bin/llvm-objdump llvm-objdump /usr/bin/llvm-objdump-12 \
- --slave /usr/bin/llvm-ranlib llvm-ranlib /usr/bin/llvm-ranlib-12 \
- --slave /usr/bin/llvm-readobj llvm-readobj /usr/bin/llvm-readobj-12 \
- --slave /usr/bin/llvm-rtdyld llvm-rtdyld /usr/bin/llvm-rtdyld-12 \
- --slave /usr/bin/llvm-size llvm-size /usr/bin/llvm-size-12 \
- --slave /usr/bin/llvm-stress llvm-stress /usr/bin/llvm-stress-12 \
- --slave /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-12 \
- --slave /usr/bin/llvm-tblgen llvm-tblgen /usr/bin/llvm-tblgen-12 \
- --slave /usr/bin/llc llc /usr/bin/llc-12 \
- --slave /usr/bin/opt opt /usr/bin/opt-12 && \
- update-alternatives \
- --install /usr/bin/clang clang /usr/bin/clang-12 100 \
- --slave /usr/bin/clang++ clang++ /usr/bin/clang++-12 \
- --slave /usr/bin/clang-cpp clang-cpp /usr/bin/clang-cpp-12
-
-# put the /usr/bin of the highest priority, to make sure clang-12 is called before clang-15, which is in /usr/local/bin
-ENV PATH="/usr/bin:${PATH}"
-
-# Download afl++.
-RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 1d4f1e48797c064ee71441ba555b29fc3f467983 || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_ff_comp/description.md b/fuzzers/aflplusplus_ff_comp/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_ff_comp/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_ff_comp/fuzzer.py b/fuzzers/aflplusplus_ff_comp/fuzzer.py
deleted file mode 100755
index e2b10bf47..000000000
--- a/fuzzers/aflplusplus_ff_comp/fuzzer.py
+++ /dev/null
@@ -1,284 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - build_flags += ' -fsanitize=address' - os.environ['CFLAGS'] = build_flags - - #if build_flags.find( - # 'array-bounds' - #) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - # if 'gcc' not in build_modes: - # build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - 
os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. 
- cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. 
- new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_ff_comp/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp/runner.Dockerfile deleted file mode 100644 index a17c457ec..000000000 --- a/fuzzers/aflplusplus_ff_comp/runner.Dockerfile +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV TZ=Etc/UTC
-
-RUN apt update && apt install -y git gcc g++ make cmake wget \
- libgmp-dev libmpfr-dev texinfo bison python3
-
-# for runtime library, we just need libc++-12-dev libc++abi-12-dev
-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - && \
- printf "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- >> /etc/apt/sources.list && \
- apt update && \
- apt install libc++-12-dev libc++abi-12-dev -y
-
-RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \
- pkg-config libglib2.0-dev libunwind-17
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile b/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile
deleted file mode 100644
index 4e5d12129..000000000
--- a/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV TZ=Etc/UTC
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-RUN apt install -y git gcc g++ make cmake wget \
- libgmp-dev libmpfr-dev texinfo bison python3
-
-RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \
- pkg-config libglib2.0-dev findutils
-
-RUN apt install -y lsb-release wget software-properties-common
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12 all && \
- cp /usr/lib/llvm-12/lib/LLVMgold.so /usr/lib/bfd-plugins/ && \
- cp /usr/lib/llvm-12/lib/libLTO.so /usr/lib/bfd-plugins/
-
-ENV LLVM_CONFIG=llvm-config-12
-
-RUN update-alternatives \
- --install /usr/lib/llvm llvm /usr/lib/llvm-12 100 \
- --slave /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-12 \
- --slave /usr/bin/llvm-ar llvm-ar /usr/bin/llvm-ar-12 \
- --slave /usr/bin/llvm-as llvm-as /usr/bin/llvm-as-12 \
- --slave /usr/bin/llvm-bcanalyzer llvm-bcanalyzer /usr/bin/llvm-bcanalyzer-12 \
- --slave /usr/bin/llvm-c-test
llvm-c-test /usr/bin/llvm-c-test-12 \
- --slave /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-12 \
- --slave /usr/bin/llvm-diff llvm-diff /usr/bin/llvm-diff-12 \
- --slave /usr/bin/llvm-dis llvm-dis /usr/bin/llvm-dis-12 \
- --slave /usr/bin/llvm-dwarfdump llvm-dwarfdump /usr/bin/llvm-dwarfdump-12 \
- --slave /usr/bin/llvm-extract llvm-extract /usr/bin/llvm-extract-12 \
- --slave /usr/bin/llvm-link llvm-link /usr/bin/llvm-link-12 \
- --slave /usr/bin/llvm-mc llvm-mc /usr/bin/llvm-mc-12 \
- --slave /usr/bin/llvm-nm llvm-nm /usr/bin/llvm-nm-12 \
- --slave /usr/bin/llvm-objdump llvm-objdump /usr/bin/llvm-objdump-12 \
- --slave /usr/bin/llvm-ranlib llvm-ranlib /usr/bin/llvm-ranlib-12 \
- --slave /usr/bin/llvm-readobj llvm-readobj /usr/bin/llvm-readobj-12 \
- --slave /usr/bin/llvm-rtdyld llvm-rtdyld /usr/bin/llvm-rtdyld-12 \
- --slave /usr/bin/llvm-size llvm-size /usr/bin/llvm-size-12 \
- --slave /usr/bin/llvm-stress llvm-stress /usr/bin/llvm-stress-12 \
- --slave /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-12 \
- --slave /usr/bin/llvm-tblgen llvm-tblgen /usr/bin/llvm-tblgen-12 \
- --slave /usr/bin/llc llc /usr/bin/llc-12 \
- --slave /usr/bin/opt opt /usr/bin/opt-12 && \
- update-alternatives \
- --install /usr/bin/clang clang /usr/bin/clang-12 100 \
- --slave /usr/bin/clang++ clang++ /usr/bin/clang++-12 \
- --slave /usr/bin/clang-cpp clang-cpp /usr/bin/clang-cpp-12
-
-# put the /usr/bin of the highest priority, to make sure clang-12 is called before clang-15, which is in /usr/local/bin
-ENV PATH="/usr/bin:${PATH}"
-
-## Download fishfuzz.
-RUN git clone https://github.com/HexHive/FishFuzz/ /afl && \
- mv /afl/FF_AFL++ /FishFuzz
-
-ENV PATH="/usr/bin/:$PATH"
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /FishFuzz/ && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- make clean && \
- rm -f ff-all-in-one ff-all-in-one++ && \
- PYTHON_INCLUDE=/ make && \
- make -C dyncfg && \
- chmod +x scripts/*.py && \
- make install
-
-RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /FishFuzz/afl_driver.cpp && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /FishFuzz/afl_driver.cpp -o /FishFuzz/afl_driver.o && \
- ar r /libAFL.a /FishFuzz/afl_driver.o /FishFuzz/afl-compiler-rt.o
diff --git a/fuzzers/aflplusplus_fishfuzz/description.md b/fuzzers/aflplusplus_fishfuzz/description.md
deleted file mode 100644
index 68791d538..000000000
--- a/fuzzers/aflplusplus_fishfuzz/description.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# aflplusplus + fishfuzz
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py
deleted file mode 100755
index a81159c09..000000000
--- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py
+++ /dev/null
@@ -1,185 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for FishFuzz_AFL fuzzer.""" - -import json -import os -import shutil -import subprocess -import sys - -from fuzzers import utils - - -def find_files(filename, search_path, mode): - """Helper function to find path of TEMP, mode 0 for file and 1 for dir""" - result = '' - for root, directory, files in os.walk(search_path): - if mode == 0: - if filename in files: - # result.append(os.path.join(root, filename)) - return os.path.join(root, filename) - else: - if filename in directory: - return os.path.join(root, filename) - return result - - -def prepare_build_environment(): - """Set environment variables used to build targets for AFL-based - fuzzers.""" - - cflags = ['-fsanitize=address'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['CC'] = '/FishFuzz/ff-all-in-one' - os.environ['CXX'] = '/FishFuzz/ff-all-in-one++' - os.environ['FF_DRIVER_NAME'] = os.getenv('FUZZ_TARGET') - os.environ['FUZZER_LIB'] = '/libAFL.a' - - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - - -def build(): - """Build benchmark.""" - prepare_build_environment() - - #with utils.restore_directory(src), utils.restore_directory(work): - utils.build_benchmark() - - print('[post_build] Copying afl-fuzz to $OUT directory') - # Copy out the afl-fuzz binary as a build artifact. 
- shutil.copy('/FishFuzz/afl-fuzz', os.environ['OUT']) - print(os.environ['FF_DRIVER_NAME']) - os.environ['AFL_CC'] = 'clang-12' - os.environ['AFL_CXX'] = 'clang++-12' - bin_fuzz_dst = os.environ['OUT'] + '/' + os.environ['FF_DRIVER_NAME'] - bin_fuzz_src = find_files(os.environ['FF_DRIVER_NAME'] + '.fuzz', '/', 0) - os.system('find / -name "*' + os.environ['FF_DRIVER_NAME'] + - '*" 2> /dev/null') - if bin_fuzz_src: - shutil.copy(bin_fuzz_src, bin_fuzz_dst) - else: - #print('NOT FOUND: ' + f'%s.fuzz' % (os.environ['FF_DRIVER_NAME'])) - sys.exit(1) - tmp_dir_dst = os.environ['OUT'] + '/TEMP' - tmp_dir_src = find_files('TEMP_' + os.environ['FF_DRIVER_NAME'], '/', 1) - if tmp_dir_src: - shutil.copytree(tmp_dir_src, tmp_dir_dst) - else: - #print('NOT FOUND: ' + f'TEMP_%s' % (os.environ['FF_DRIVER_NAME'])) - sys.exit(1) - #print('done') - - -def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument - """Gets fuzzer stats for AFL.""" - # Get a dictionary containing the stats AFL reports. - stats_file = os.path.join(output_corpus, 'fuzzer_stats') - if not os.path.exists(stats_file): - print('Can\'t find fuzzer_stats') - return '{}' - with open(stats_file, encoding='utf-8') as file_handle: - stats_file_lines = file_handle.read().splitlines() - stats_file_dict = {} - for stats_line in stats_file_lines: - key, value = stats_line.split(': ') - stats_file_dict[key.strip()] = value.strip() - - # Report to FuzzBench the stats it accepts. - stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])} - return json.dumps(stats) - - -def prepare_fuzz_environment(input_corpus): - """Prepare to fuzz with AFL or another AFL-based fuzzer.""" - # Tell AFL to not use its terminal UI so we get usable logs. - os.environ['AFL_NO_UI'] = '1' - # Skip AFL's CPU frequency check (fails on Docker). - os.environ['AFL_SKIP_CPUFREQ'] = '1' - # No need to bind affinity to one core, Docker enforces 1 core usage. 
- os.environ['AFL_NO_AFFINITY'] = '1' - # AFL will abort on startup if the core pattern sends notifications to - # external programs. We don't care about this. - os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1' - # Don't exit when crashes are found. This can happen when corpus from - # OSS-Fuzz is used. - os.environ['AFL_SKIP_CRASHES'] = '1' - # Shuffle the queue - #os.environ['AFL_SHUFFLE_QUEUE'] = '1' - - # Set temporary dir path - tmp_dir_src = os.environ['OUT'] + '/TEMP' - os.environ['TMP_DIR'] = tmp_dir_src - - # AFL needs at least one non-empty seed to start. - utils.create_seed_file_for_empty_corpus(input_corpus) - - -def run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=None, - hide_output=False): - """Run afl-fuzz.""" - # Spawn the afl fuzzing process. - - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - - print('[run_afl_fuzz] Running target with afl-fuzz') - command = [ - './afl-fuzz', - '-i', - input_corpus, - '-o', - output_corpus, - '-t', - '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs. - ] - - if additional_flags: - command.extend(additional_flags) - - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - command.extend(['-x', dictionary_path]) - - #command += ['-x', './afl++.dict'] - #command += ['-c', cmplog_target_binary] - - command += [ - '--', - target_binary, - # Pass INT_MAX to afl the maximize the number of persistent loops it - # performs. 
- '2147483647' - ] - - print('[run_afl_fuzz] Running command: ' + ' '.join(command)) - output_stream = subprocess.DEVNULL if hide_output else None - subprocess.check_call(command, stdout=output_stream, stderr=output_stream) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run afl-fuzz on target.""" - - prepare_fuzz_environment(input_corpus) - - run_afl_fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile b/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile deleted file mode 100644 index 22c9755a8..000000000 --- a/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV TZ=Etc/UTC
-
-RUN apt update && apt install -y git gcc g++ make cmake wget \
- libgmp-dev libmpfr-dev texinfo bison python3
-
-# for runtime library, we just need libc++-12-dev libc++abi-12-dev
-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - && \
- printf "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- >> /etc/apt/sources.list && \
- apt update && \
- apt install libc++-12-dev libc++abi-12-dev -y
-
-# for FF runtime
-RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \
- pkg-config libglib2.0-dev libunwind-17
-
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-
diff --git a/fuzzers/aflplusplus_mutcomp/builder.Dockerfile b/fuzzers/aflplusplus_mutcomp/builder.Dockerfile
deleted file mode 100644
index f9c63b48a..000000000
--- a/fuzzers/aflplusplus_mutcomp/builder.Dockerfile
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone -b mncomp https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 14e25340fb7b9e13357a9059dd1c128a2d7d9d5b || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_mutcomp/description.md b/fuzzers/aflplusplus_mutcomp/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_mutcomp/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - dict2file feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_mutcomp/fuzzer.py b/fuzzers/aflplusplus_mutcomp/fuzzer.py
deleted file mode 100755
index 7016da75e..000000000
--- a/fuzzers/aflplusplus_mutcomp/fuzzer.py
+++ /dev/null
@@ -1,282 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_mutcomp/runner.Dockerfile b/fuzzers/aflplusplus_mutcomp/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_mutcomp/runner.Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe 
diff --git a/fuzzers/aflplusplus_mutnew/builder.Dockerfile b/fuzzers/aflplusplus_mutnew/builder.Dockerfile deleted file mode 100644 index e8e7c77e8..000000000 --- a/fuzzers/aflplusplus_mutnew/builder.Dockerfile +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b mutationnew https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 6ec70fc0847a0624692e868743080bf4e6935523 || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_mutnew/description.md b/fuzzers/aflplusplus_mutnew/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_mutnew/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_mutnew/fuzzer.py b/fuzzers/aflplusplus_mutnew/fuzzer.py deleted file mode 100755 index 7016da75e..000000000 --- a/fuzzers/aflplusplus_mutnew/fuzzer.py +++ /dev/null 
@@ -1,282 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_mutnew/runner.Dockerfile b/fuzzers/aflplusplus_mutnew/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_mutnew/runner.Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe 
diff --git a/fuzzers/aflplusplus_text/builder.Dockerfile b/fuzzers/aflplusplus_text/builder.Dockerfile deleted file mode 100644 index 044df5255..000000000 --- a/fuzzers/aflplusplus_text/builder.Dockerfile +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_text/description.md b/fuzzers/aflplusplus_text/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_text/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_text/fuzzer.py b/fuzzers/aflplusplus_text/fuzzer.py deleted file mode 100755 index 1ff22fa94..000000000 --- a/fuzzers/aflplusplus_text/fuzzer.py +++ /dev/null 
@@ -1,284 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - flags += ['-a'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_text/runner.Dockerfile b/fuzzers/aflplusplus_text/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_text/runner.Dockerfile +++ /dev/null 
@@ -1,24 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-RUN apt install -y unzip git gdb joe
diff --git a/fuzzers/aflplusplusplus/builder.Dockerfile b/fuzzers/aflplusplusplus/builder.Dockerfile
deleted file mode 100644
index 5e7cf39ea..000000000
--- a/fuzzers/aflplusplusplus/builder.Dockerfile
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-RUN cd /afl && \
- make -C custom_mutators/autotokens && \
- cp -f custom_mutators/autotokens/autotokens.so .
diff --git a/fuzzers/aflplusplusplus/description.md b/fuzzers/aflplusplusplus/description.md
deleted file mode 100644
index d1267e5aa..000000000
--- a/fuzzers/aflplusplusplus/description.md
+++ /dev/null
@@ -1,18 +0,0 @@ -# aflplusplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - autodictionary - - "fast" power schedule - - persistent mode + shared memory test cases - -And as a special feature for SBFT23: autotoken, an implementation to create -grammar for targets with textual inputs (e.g. json, xml), without knowing -their structure. - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplusplus/fuzzer.py b/fuzzers/aflplusplusplus/fuzzer.py deleted file mode 100755 index 991b94230..000000000 --- a/fuzzers/aflplusplusplus/fuzzer.py +++ /dev/null 
@@ -1,297 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import glob -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in 
build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - shutil.copy('/afl/autotokens.so', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - dicts = glob.glob('*.dic*') - if len(dicts) == 1 and os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - flags += ['-l2'] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - - os.environ['AFL_CUSTOM_MUTATOR_LIBRARY'] = './autotokens.so' - os.environ['AUTOTOKENS_FUZZ_COUNT_SHIFT'] = '1' - os.environ['AUTOTOKENS_AUTO_DISABLE'] = '1' - os.environ['AUTOTOKENS_ONLY_FAV'] = '1' - os.environ['AUTOTOKENS_LEARN_DICT'] = '2' - - #os.environ['AUTOTOKENS_DEBUG'] = '1' - #os.environ['AFL_BENCH_JUST_ONE'] = '1' - - if not skip: - #os.environ['AFL_DISABLE_TRIM'] = '1' - #os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplusplus/runner.Dockerfile b/fuzzers/aflplusplusplus/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplusplus/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
From cbaf1b00118573a1e95d32e5ad1f404ab34f0117 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Thu, 31 Aug 2023 09:26:03 +0200
Subject: [PATCH 03/39] pendfav
---
 fuzzers/aflplusplus/builder.Dockerfile | 2 +-
 fuzzers/aflplusplus/fuzzer.py | 1 +
 fuzzers/aflplusplus_frida/builder.Dockerfile | 2 +-
 fuzzers/aflplusplus_frida/fuzzer.py | 1 +
 .../aflplusplus_pendfav/builder.Dockerfile | 49 +++
 fuzzers/aflplusplus_pendfav/description.md | 14 +
 fuzzers/aflplusplus_pendfav/fuzzer.py | 283 ++++++++++++++++++
 fuzzers/aflplusplus_pendfav/runner.Dockerfile | 24 ++
 fuzzers/aflplusplus_qemu/builder.Dockerfile | 2 +-
 fuzzers/aflplusplus_qemu/fuzzer.py | 2 +
 .../aflplusplus_symqemu/builder.Dockerfile | 2 +-
 11 files changed, 378 insertions(+), 4 deletions(-)
 create mode 100644 fuzzers/aflplusplus_pendfav/builder.Dockerfile
 create mode 100644 fuzzers/aflplusplus_pendfav/description.md
 create mode 100755 fuzzers/aflplusplus_pendfav/fuzzer.py
 create mode 100644 fuzzers/aflplusplus_pendfav/runner.Dockerfile
diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile
index 044df5255..a88093309 100644
--- a/fuzzers/aflplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplus/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \
+ git checkout c60431247e971881bc159a84e5505dfec7adcf6d || \
 true
 
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus/fuzzer.py b/fuzzers/aflplusplus/fuzzer.py
index 7016da75e..11e128c6a 100755
--- a/fuzzers/aflplusplus/fuzzer.py
+++ b/fuzzers/aflplusplus/fuzzer.py
@@ -269,6 +269,7 @@ def fuzz(input_corpus,
 os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
 os.environ['AFL_FAST_CAL'] = '1'
 os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
+ os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
 
 if not skip:
 os.environ['AFL_DISABLE_TRIM'] = '1'
diff --git a/fuzzers/aflplusplus_frida/builder.Dockerfile b/fuzzers/aflplusplus_frida/builder.Dockerfile
index fa13cdf43..18271d1b1 100644
--- a/fuzzers/aflplusplus_frida/builder.Dockerfile
+++ b/fuzzers/aflplusplus_frida/builder.Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && \
 
 # Download afl++
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8
+ cd /afl && git checkout c60431247e971881bc159a84e5505dfec7adcf6d
 
 # Build afl++ without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_frida/fuzzer.py b/fuzzers/aflplusplus_frida/fuzzer.py
index 520bbdbf2..64f3eb632 100755
--- a/fuzzers/aflplusplus_frida/fuzzer.py
+++ b/fuzzers/aflplusplus_frida/fuzzer.py
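Review bot: The new `os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'` in the fuzz() hunk of fuzzers/aflplusplus/fuzzer.py has no comment, and it changes a failure mode that matters for benchmark results: AFL++ documents this variable as skipping seeds that crash or time out at startup instead of aborting, so a broken seed corpus or a target that crashes on one of its seeds is no longer surfaced as a failed run. A one-line comment such as `# Skip seeds that crash or time out at startup instead of aborting the run.` would record that this is intentional, and it is worth confirming that a seed-triggered crash still gets counted in the run's results rather than being silently dropped. The same uncommented line is added in the fuzzers/aflplusplus_frida/fuzzer.py hunk below and, per the diffstat, in fuzzers/aflplusplus_qemu/fuzzer.py, which is not in view. fuzz() starts and ends outside the hunk.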
@@ -47,6 +47,7 @@ def fuzz(input_corpus, output_corpus, target_binary):
 os.environ['AFL_FRIDA_PERSISTENT_CNT'] = '1000000'
 os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = '/out/frida_hook.so'
 os.environ['AFL_PATH'] = '/out'
+ os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
 
 # resource.setrlimit(resource.RLIMIT_CORE,
 # (resource.RLIM_INFINITY, resource.RLIM_INFINITY))
diff --git a/fuzzers/aflplusplus_pendfav/builder.Dockerfile b/fuzzers/aflplusplus_pendfav/builder.Dockerfile
new file mode 100644
index 000000000..5cafc50e9
--- /dev/null
+++ b/fuzzers/aflplusplus_pendfav/builder.Dockerfile
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
+ ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone -b pendfav https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 78848f863767cee6543166bd52d67e0051641360 || \
+ true
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_pendfav/description.md b/fuzzers/aflplusplus_pendfav/description.md
new file mode 100644
index 000000000..f7eb407ad
--- /dev/null
+++ b/fuzzers/aflplusplus_pendfav/description.md
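Review bot: The `git checkout 78848f863767cee6543166bd52d67e0051641360 || \` / `true` pair in the new builder.Dockerfile turns a failed checkout into a silent success, so if that commit ever stops being reachable from the `pendfav` branch (experimental branches are often rebased or force-pushed) the image quietly builds from whatever the branch tip is at that moment, and the benchmark is no longer pinned to the commit the file claims. Since this file is new, it is the right place to drop the fallback or make it fail loudly, e.g. `git checkout 78848f863767cee6543166bd52d67e0051641360 || \` followed by `(echo 'pinned AFL++ commit not found' >&2; exit 1)`. The pattern looks carried over from the other builder Dockerfiles in this series, so the same question applies to them.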
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_pendfav/fuzzer.py b/fuzzers/aflplusplus_pendfav/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_pendfav/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_pendfav/runner.Dockerfile b/fuzzers/aflplusplus_pendfav/runner.Dockerfile new file mode 100644 index 000000000..1a10f861c --- /dev/null +++ b/fuzzers/aflplusplus_pendfav/runner.Dockerfile 
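Review bot: In the symcc branch of build(), `new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')` looks like a typo for `-stdlib=libc++`; if utils.LIBCPLUSPLUS_FLAG is the usual `-stdlib=libc++` (not visible here) the replace never matches and the libc++ flag survives into the symcc rebuild. `get_uninstrumented_build_directory` also carries the copy-pasted docstring "Return path to CmpLog target directory." and should read `"""Return path to the uninstrumented (symcc) target directory."""`. More broadly this 283-line file appears to be a verbatim copy of the base aflplusplus integration (the qemu and frida variants in the same series do `from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer` and call `build('qemu')`), so importing and wrapping instead of copying would keep the two from drifting. Finally `flags += os.environ['ADDITIONAL_ARGS'].split(' ')` yields empty-string arguments on double spaces; `shlex.split(os.environ['ADDITIONAL_ARGS'])` handles that and quoting.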
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 +RUN apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_qemu/builder.Dockerfile b/fuzzers/aflplusplus_qemu/builder.Dockerfile index 503b34113..806bbbf74 100644 --- a/fuzzers/aflplusplus_qemu/builder.Dockerfile +++ b/fuzzers/aflplusplus_qemu/builder.Dockerfile @@ -30,7 +30,7 @@ RUN apt-get update && \ # Download afl++ RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || true + cd /afl && git checkout c60431247e971881bc159a84e5505dfec7adcf6d || true # Build afl++ without Python support as we don't need it. # Set AFL_NO_X86 to skip flaky tests. diff --git a/fuzzers/aflplusplus_qemu/fuzzer.py b/fuzzers/aflplusplus_qemu/fuzzer.py index f2f6c2945..5bab908c1 100755 --- a/fuzzers/aflplusplus_qemu/fuzzer.py +++ b/fuzzers/aflplusplus_qemu/fuzzer.py 
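Review bot: The last line, `RUN apt install -y unzip git gdb joe`, runs without a preceding `apt-get update` and without clearing the package lists afterwards, so it depends on whatever index (possibly stale or absent) the base image happens to carry, and `apt` itself warns that its CLI is not stable for scripted use. gdb and joe are interactive debugging tools that nothing in the visible fuzzer integration uses; if they exist only for "interactive docker runs" they are better left out of the benchmark runner image. If unzip/git are genuinely needed at run time, use `RUN apt-get update && apt-get install -y --no-install-recommends unzip git && rm -rf /var/lib/apt/lists/*`.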
@@ -43,6 +43,8 @@ def fuzz(input_corpus, output_corpus, target_binary): os.environ['AFL_ENTRYPOINT'] = target_func os.environ['AFL_QEMU_PERSISTENT_CNT'] = '1000000' os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary, diff --git a/fuzzers/aflplusplus_symqemu/builder.Dockerfile b/fuzzers/aflplusplus_symqemu/builder.Dockerfile index c8e401522..9f1be91b0 100644 --- a/fuzzers/aflplusplus_symqemu/builder.Dockerfile +++ b/fuzzers/aflplusplus_symqemu/builder.Dockerfile @@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 4a7e35b29c6711b68d3d579716685c3752ff62a8 || \ + git checkout c60431247e971881bc159a84e5505dfec7adcf6d || \ true # Build without Python support as we don't need it. From 87179cb789ddafcfb215100f02583af51a3a9131 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 2 Sep 2023 08:14:17 +0200 Subject: [PATCH 04/39] dummy --- service/gcbrun_experiment.py | 1 + 1 file changed, 1 insertion(+) diff --git a/service/gcbrun_experiment.py b/service/gcbrun_experiment.py index e9b9c5371..a2890fd31 100644 --- a/service/gcbrun_experiment.py +++ b/service/gcbrun_experiment.py @@ -13,6 +13,7 @@ # limitations under the License. # ################################################################################ +# dummy """Entrypoint for gcbrun into run_experiment. This script will get the command from the last PR comment containing "/gcbrun" and pass it to run_experiment.py which will run an experiment.""" From a136bcaf169383042bf140d53497c1d8f79d3c10 Mon Sep 17 00:00:00 2001 
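Review bot: The added `os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'` changes failure semantics without saying so: with it set, afl-fuzz skips seeds that crash or time out during calibration instead of aborting, so a broken QEMU harness or a seed that reproduces a real crash is silently dropped rather than surfaced. A one-line comment would make the trade-off explicit for whoever debugs a mysteriously empty run: `# Skip (do not abort on) seeds that crash or time out during calibration.`. The enclosing fuzz() starts before this hunk, so the rest of its environment setup is not visible here.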
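Review bot: The only change in the gcbrun_experiment.py hunk is a stray `# dummy` line wedged between the license banner and the module docstring of the service entrypoint, apparently to trigger a CI run; it should be dropped, or the commit squashed away, before merge so service code does not carry a meaningless comment. If a no-op commit is needed to kick CI, `git commit --allow-empty` does that without touching any file.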
From: vanhauser-thc Date: Sat, 2 Sep 2023 09:11:29 +0200 Subject: [PATCH 05/39] frida + qemu variants --- .../aflplusplus_frida_perf/builder.Dockerfile | 42 ++++++++++++ fuzzers/aflplusplus_frida_perf/description.md | 15 +++++ fuzzers/aflplusplus_frida_perf/fuzzer.py | 67 +++++++++++++++++++ .../aflplusplus_frida_perf/get_frida_entry.sh | 25 +++++++ .../aflplusplus_frida_perf/runner.Dockerfile | 27 ++++++++ .../builder.Dockerfile | 43 ++++++++++++ .../aflplusplus_qemu_tcgcov/description.md | 14 ++++ fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py | 51 ++++++++++++++ .../aflplusplus_qemu_tcgcov/runner.Dockerfile | 23 +++++++ 9 files changed, 307 insertions(+) create mode 100644 fuzzers/aflplusplus_frida_perf/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_frida_perf/description.md create mode 100755 fuzzers/aflplusplus_frida_perf/fuzzer.py create mode 100755 fuzzers/aflplusplus_frida_perf/get_frida_entry.sh create mode 100644 fuzzers/aflplusplus_frida_perf/runner.Dockerfile create mode 100644 fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_qemu_tcgcov/description.md create mode 100755 fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py create mode 100644 fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile diff --git a/fuzzers/aflplusplus_frida_perf/builder.Dockerfile b/fuzzers/aflplusplus_frida_perf/builder.Dockerfile new file mode 100644 index 000000000..15df016c7 --- /dev/null +++ b/fuzzers/aflplusplus_frida_perf/builder.Dockerfile 
@@ -0,0 +1,42 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Install the necessary packages. +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +# Download afl++ +RUN git clone -b frida-perf https://github.com/WorksButNotTested/AFLplusplus /afl && \ + cd /afl && git checkout 6e80109 || true + +# Build afl++ without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS && unset CXXFLAGS && \ + AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \ + make -C utils/aflpp_driver && \ + cd frida_mode && make && cd .. && \ + cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a + +COPY get_frida_entry.sh / diff --git a/fuzzers/aflplusplus_frida_perf/description.md b/fuzzers/aflplusplus_frida_perf/description.md new file mode 100644 index 000000000..9ced871ec --- /dev/null +++ b/fuzzers/aflplusplus_frida_perf/description.md 
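Review bot: The clone pulls the `frida-perf` branch of a third-party fork (`WorksButNotTested/AFLplusplus`, not the AFLplusplus org) and pins it with a 7-character abbreviated hash plus a silent fallback, `cd /afl && git checkout 6e80109 || true`; the abbreviation can become ambiguous as the repository grows, and the `|| true` means a force-pushed or deleted branch leaves the build running unpinned fork code without any error. Pin with the full 40-character commit id and let a failed checkout fail the image: `cd /afl && git checkout <full-sha>`. Since this is a fork outside the project's control, the note in description.md (or a comment here) should also say why the fork is needed and when it is expected to land upstream.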
@@ -0,0 +1,15 @@ +# aflplusplus_qemu + +AFL++ fuzzer instance for binary-only fuzzing with frida_mode. +The following config active for all benchmarks: + - qemu_mode with: + - entrypoint set to LLVMFuzzerTestOneInput + - persisten mode set to LLVMFuzzerTestOneInput + - shared memory testcases + - cmplog + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_frida_perf/fuzzer.py b/fuzzers/aflplusplus_frida_perf/fuzzer.py new file mode 100755 index 000000000..64f3eb632 --- /dev/null +++ b/fuzzers/aflplusplus_frida_perf/fuzzer.py 
@@ -0,0 +1,67 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Integration code for AFLplusplus fuzzer.""" + +import os +import subprocess +import shutil +# import resource + +from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer + + +def build(): + """Build benchmark.""" + aflplusplus_fuzzer.build('qemu') + shutil.copy('/afl/frida_mode/build/frida_hook.so', os.environ['OUT']) + + +def fuzz(input_corpus, output_corpus, target_binary): + """Run fuzzer.""" + # Get LLVMFuzzerTestOneInput address. + nm_proc = subprocess.run([ + 'sh', '-c', + 'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput' + ], + stdout=subprocess.PIPE, + check=True) + target_func = nm_proc.stdout.split()[0].decode('utf-8') + print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func) + + # Fuzzer options for qemu_mode. 
+ flags = ['-O', '-c0'] + + os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func + os.environ['AFL_ENTRYPOINT'] = target_func + os.environ['AFL_FRIDA_PERSISTENT_CNT'] = '1000000' + os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = '/out/frida_hook.so' + os.environ['AFL_PATH'] = '/out' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + # resource.setrlimit(resource.RLIMIT_CORE, + # (resource.RLIM_INFINITY, resource.RLIM_INFINITY)) + + # The systemd benchmark fails without full library instrumentation :( + benchmark_name = os.environ['BENCHMARK'] + if benchmark_name == 'systemd_fuzz-link-parser': + os.environ['AFL_INST_LIBS'] = '1' + + aflplusplus_fuzzer.fuzz(input_corpus, + output_corpus, + target_binary, + flags=flags) + + # sts = os.system('cp -v *core* corpus') + # if sts == 0: + # print('Copied cores') diff --git a/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh b/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh new file mode 100755 index 000000000..7d72a1124 --- /dev/null +++ b/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +test -z "$1" -o -z "$2" -o '!' -e "$1" && exit 0 + +file "$1" | grep -q executable && { + nm "$1" | grep -i "T $2" | awk '{print"0x"$1}' + exit 0 +} + +nm "$1" | grep -i "T $2" | '{print$1}' | tr a-f A-F | \ + xargs echo "ibase=16;obase=10;555555554000 + " | bc | tr A-F a-f +exit 0 
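Review bot: In fuzz(), the helper is invoked through `sh -c` with `target_binary` spliced into a quoted shell string; a path containing a single quote breaks the command, and there is no reason for a shell here. Call the script directly with an argument list: `nm_proc = subprocess.run(['get_frida_entry.sh', target_binary, 'LLVMFuzzerTestOneInput'], stdout=subprocess.PIPE, check=True)` (it is on PATH via `/out` in the runner image). Because get_frida_entry.sh exits 0 even when it prints nothing, `nm_proc.stdout.split()[0]` then fails with a bare IndexError; guard it with `if not nm_proc.stdout.split(): raise RuntimeError('LLVMFuzzerTestOneInput not found in ' + target_binary)` before indexing. The comment `# Fuzzer options for qemu_mode.` above `flags = ['-O', '-c0']` is stale for frida mode, and the commented-out resource/core-copy code should be removed rather than shipped.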
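Review bot: The PIE branch of get_frida_entry.sh is missing the `awk`: `nm "$1" | grep -i "T $2" | '{print$1}' | tr a-f A-F | \` tries to execute the literal string `{print$1}` as a command, so for any binary that `file` does not label "executable" the pipeline prints nothing and the script still exits 0, leaving the caller with an empty address. The fix is `nm "$1" | grep -i "T $2" | awk '{print$1}' | tr a-f A-F | \`. In both branches `grep -i "T $2"` also matches lowercase `t` locals and any symbol that merely starts with the name (e.g. `LLVMFuzzerTestOneInputFoo`), and only the first hit is used; anchoring it as `grep -E " [Tt] $2$"` makes the match exact. The hardcoded `555555554000` base assumes the default no-ASLR PIE load address and the two branches differ in emitting a `0x` prefix — both deserve a comment, since the consumer in fuzzer.py uses the output verbatim.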
diff --git a/fuzzers/aflplusplus_frida_perf/runner.Dockerfile b/fuzzers/aflplusplus_frida_perf/runner.Dockerfile
new file mode 100644
index 000000000..4a7be9403
--- /dev/null
+++ b/fuzzers/aflplusplus_frida_perf/runner.Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt update -y && apt-get upgrade -y && \
+ apt-get install -y python3-pyelftools bc
+
+# This makes interactive docker run painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
diff --git a/fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile b/fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile
new file mode 100644
index 000000000..7283bff92
--- /dev/null
+++ b/fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile
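Review bot: `RUN apt update -y && apt-get upgrade -y && apt-get install -y python3-pyelftools bc` performs an unpinned full distribution upgrade inside the runner image, so two builds of this fuzzer on different days get different libc/glibc and tool versions while every other runner in the series stays on the base image's packages; that is a reproducibility problem for a benchmark, and the image also keeps the downloaded package lists. Nothing visible in this series uses pyelftools (get_frida_entry.sh relies on `nm`, `file` and `bc`), so the step can likely shrink to `RUN apt-get update && apt-get install -y --no-install-recommends bc && rm -rf /var/lib/apt/lists/*`. If the upgrade is needed for a specific package, say which one in a comment rather than upgrading everything.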
@@ -0,0 +1,43 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Install the necessary packages.
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ ninja-build \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+
+# Download afl++
+RUN git clone -b tcg_cov https://github.com/WorksButNotTested/AFLplusplus /afl && \
+ cd /afl && git checkout 54fb2d0 || true
+
+# Build afl++ without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS && unset CXXFLAGS && \
+ AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
+ cd qemu_mode && ./build_qemu_support.sh && cd .. && \
+ make -C utils/aflpp_driver && \
+ cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a && \
+ cp utils/aflpp_driver/aflpp_qemu_driver_hook.so /
diff --git a/fuzzers/aflplusplus_qemu_tcgcov/description.md b/fuzzers/aflplusplus_qemu_tcgcov/description.md
new file mode 100644
index 000000000..f93c35897
--- /dev/null
+++ b/fuzzers/aflplusplus_qemu_tcgcov/description.md
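Review bot: `cd /afl && git checkout 54fb2d0 || true` pins a build that comes from a third-party fork's `tcg_cov` branch with a 7-character hash and then ignores a failed checkout, so a rebased or removed branch yields an image built from unreviewed fork HEAD with no error; the short hash can also become ambiguous over time. Use the full commit id and drop the fallback: `cd /afl && git checkout <full-sha>`. The following `./build_qemu_support.sh` step fetches QEMU sources on its own; a short comment noting that this script verifies what it downloads (or does not, if that is the case) would help a reviewer assess the supply-chain surface of this image.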
@@ -0,0 +1,14 @@ +# aflplusplus_qemu + +AFL++ fuzzer instance for binary-only fuzzing with qemu_mode. +The following config active for all benchmarks: + - qemu_mode with: + - entrypoint set to afl_qemu_driver_stdin_input + - persisten mode set to afl_qemu_driver_stdin_input + - cmplog + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py b/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py new file mode 100755 index 000000000..5bab908c1 --- /dev/null +++ b/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py 
@@ -0,0 +1,51 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Integration code for AFLplusplus fuzzer.""" + +import os +import subprocess + +from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer + + +def build(): + """Build benchmark.""" + aflplusplus_fuzzer.build('qemu') + + +def fuzz(input_corpus, output_corpus, target_binary): + """Run fuzzer.""" + # Get LLVMFuzzerTestOneInput address. + nm_proc = subprocess.run([ + 'sh', '-c', + 'nm \'' + target_binary + '\' | grep -i \'T afl_qemu_driver_stdin\'' + ], + stdout=subprocess.PIPE, + check=True) + target_func = '0x' + nm_proc.stdout.split()[0].decode('utf-8') + print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func) + + # Fuzzer options for qemu_mode. + flags = ['-Q', '-c0'] + + os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func + os.environ['AFL_ENTRYPOINT'] = target_func + os.environ['AFL_QEMU_PERSISTENT_CNT'] = '1000000' + os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + aflplusplus_fuzzer.fuzz(input_corpus, + output_corpus, + target_binary, + flags=flags) diff --git a/fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile b/fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile new file mode 100644 index 000000000..7aa1da8e4 --- /dev/null +++ b/fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile 
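Review bot: fuzz() resolves the entry address by building a shell pipeline from `target_binary` (`'nm \'' + target_binary + '\' | grep -i \'T afl_qemu_driver_stdin\''`); besides the needless shell, `grep -i 'T afl_qemu_driver_stdin'` is a case-insensitive prefix match that also hits `t` locals and any longer symbol beginning with that name, and `split()[0]` silently takes whichever came first. The comment `# Get LLVMFuzzerTestOneInput address.` is also stale — the code looks up `afl_qemu_driver_stdin_input`. Running `nm` directly and matching the exact symbol in Python removes the shell and the prefix ambiguity and gives a clear error instead of a CalledProcessError from grep.
```python
    # Resolve afl_qemu_driver_stdin_input without a shell and with an exact
    # symbol match (global or local text symbol), not a prefix grep.
    symbol = 'afl_qemu_driver_stdin_input'
    nm_out = subprocess.run(['nm', target_binary],
                            stdout=subprocess.PIPE,
                            check=True).stdout.decode('utf-8')
    addrs = [
        fields[0]
        for fields in (line.split() for line in nm_out.splitlines())
        if len(fields) == 3 and fields[1] in ('T', 't') and fields[2] == symbol
    ]
    if not addrs:
        raise RuntimeError(symbol + ' not found in ' + target_binary)
    target_func = '0x' + addrs[0]
    print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func)
    # ... unchanged: qemu_mode flags and AFL_* environment, fuzz() call ...
```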
@@ -0,0 +1,23 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 From d66b97b0b64d108ee9faf7752b5334ae30af3ef3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 3 Sep 2023 13:55:19 +0200 Subject: [PATCH 06/39] update --- fuzzers/aflplusplus_pendfav/builder.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzzers/aflplusplus_pendfav/builder.Dockerfile b/fuzzers/aflplusplus_pendfav/builder.Dockerfile index 5cafc50e9..7bae7eb2b 100644 --- a/fuzzers/aflplusplus_pendfav/builder.Dockerfile +++ b/fuzzers/aflplusplus_pendfav/builder.Dockerfile @@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b pendfav https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 78848f863767cee6543166bd52d67e0051641360 || \ + git checkout cd6b89eb74cc501a67b1c14a4433a496b2053eec || \ true # Build without Python support as we don't need it. From 7620bbe42326a0e12d69f8acf53d0adfbf3c2d50 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 4 Sep 2023 13:38:58 +0200 Subject: [PATCH 07/39] new testcase --- fuzzers/aflplusplus_pendfav/builder.Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/fuzzers/aflplusplus_pendfav/builder.Dockerfile b/fuzzers/aflplusplus_pendfav/builder.Dockerfile index 5cafc50e9..bccd7e99f 100644 --- a/fuzzers/aflplusplus_pendfav/builder.Dockerfile +++ b/fuzzers/aflplusplus_pendfav/builder.Dockerfile @@ -35,9 +35,9 @@ RUN apt-get update && \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev # Download afl++. -RUN git clone -b pendfav https://github.com/AFLplusplus/AFLplusplus /afl && \ +RUN git clone -b reinit https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 78848f863767cee6543166bd52d67e0051641360 || \ + git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc || \ true # Build without Python support as we don't need it. From 172db4bd2708ee30e846104ce510ebaf66584599 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 6 Sep 2023 17:05:14 +0200 Subject: [PATCH 08/39] fix --- .../aflplusplus_pendfav/builder.Dockerfile | 4 +- fuzzers/aflplusplus_reinit/builder.Dockerfile | 49 +++ fuzzers/aflplusplus_reinit/description.md | 14 + fuzzers/aflplusplus_reinit/fuzzer.py | 283 ++++++++++++++++++ fuzzers/aflplusplus_reinit/runner.Dockerfile | 24 ++ 5 files changed, 372 insertions(+), 2 deletions(-) create mode 100644 fuzzers/aflplusplus_reinit/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_reinit/description.md create mode 100755 fuzzers/aflplusplus_reinit/fuzzer.py create mode 100644 fuzzers/aflplusplus_reinit/runner.Dockerfile diff --git a/fuzzers/aflplusplus_pendfav/builder.Dockerfile b/fuzzers/aflplusplus_pendfav/builder.Dockerfile index bccd7e99f..7bae7eb2b 100644 --- a/fuzzers/aflplusplus_pendfav/builder.Dockerfile +++ b/fuzzers/aflplusplus_pendfav/builder.Dockerfile 
@@ -35,9 +35,9 @@ RUN apt-get update && \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev # Download afl++. -RUN git clone -b reinit https://github.com/AFLplusplus/AFLplusplus /afl && \ +RUN git clone -b pendfav https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc || \ + git checkout cd6b89eb74cc501a67b1c14a4433a496b2053eec || \ true # Build without Python support as we don't need it. diff --git a/fuzzers/aflplusplus_reinit/builder.Dockerfile b/fuzzers/aflplusplus_reinit/builder.Dockerfile new file mode 100644 index 000000000..bccd7e99f --- /dev/null +++ b/fuzzers/aflplusplus_reinit/builder.Dockerfile 
@@ -0,0 +1,49 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +# Download afl++. +RUN git clone -b reinit https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_reinit/description.md b/fuzzers/aflplusplus_reinit/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_reinit/description.md 
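Review bot: This is now the third copy of the same builder Dockerfile in the series, and like the others its pin is advisory only: `git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc || \ true` lets the build proceed on the `reinit` branch head whenever that commit is unreachable, which for a short-lived feature branch is the likely failure mode, and nothing logs that the pin was skipped. Remove the fallback so a stale pin fails loudly at image build: `git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc`. If the branch is expected to be rebased during the experiment, record that expectation in description.md rather than hiding it behind `|| true`.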
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_reinit/fuzzer.py b/fuzzers/aflplusplus_reinit/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_reinit/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_reinit/runner.Dockerfile b/fuzzers/aflplusplus_reinit/runner.Dockerfile new file mode 100644 index 000000000..1a10f861c --- /dev/null +++ b/fuzzers/aflplusplus_reinit/runner.Dockerfile 
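Review bot: `new_env['CXXFLAGS'].replace('-stlib=libc++', '')` in the symcc branch of `build` looks like a typo for `-stdlib=libc++`, the spelling clang accepts and presumably what utils.LIBCPLUSPLUS_FLAG contributes to CXXFLAGS a few lines earlier, so the replace never matches and the flag stays in the symcc build; the line should read `new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stdlib=libc++', '')`. The docstring of `get_uninstrumented_build_directory` is copied from the cmplog helper and should say `"""Return path to the uninstrumented (symcc) target directory."""`. In `fuzz`, `os.environ['ADDITIONAL_ARGS'].split(' ')` produces empty-string arguments on repeated spaces and cannot carry a quoted argument, where `shlex.split` would handle both. The identical file is added again as fuzzers/aflplusplus_o2/fuzzer.py further down this page, so the same applies there.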
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+RUN apt install -y unzip git gdb joe
From 73a28e35a401090796fe6979cd475a8515cb9926 Mon Sep 17 00:00:00 2001
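Review bot: `RUN apt install -y unzip git gdb joe` runs without a preceding `apt-get update`, so it depends on whatever package index the base image happens to carry and can fail or install stale packages; `apt` is also the interactive front end, whose options and output are not meant to be stable for scripts. Prefer `RUN apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*`, which is reproducible across base-image refreshes and keeps the runner image small. The aflplusplus_o2 runner hunk later on this page adds the identical line.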
From: vanhauser-thc Date: Tue, 12 Sep 2023 17:21:16 +0200 Subject: [PATCH 09/39] opt test --- fuzzers/aflplusplus/builder.Dockerfile | 2 +- fuzzers/aflplusplus_frida/builder.Dockerfile | 2 +- .../builder.Dockerfile | 5 +- .../description.md | 0 .../fuzzer.py | 0 .../runner.Dockerfile | 0 .../builder.Dockerfile | 5 +- .../description.md | 0 .../fuzzer.py | 0 .../runner.Dockerfile | 0 .../builder.Dockerfile | 31 +- fuzzers/aflplusplus_o2/description.md | 14 + fuzzers/aflplusplus_o2/fuzzer.py | 283 ++++++++++++++++++ .../runner.Dockerfile | 1 + fuzzers/aflplusplus_qemu/builder.Dockerfile | 2 +- .../aflplusplus_qemu_tcgcov/description.md | 14 - fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py | 51 ---- .../aflplusplus_symqemu/builder.Dockerfile | 2 +- 18 files changed, 327 insertions(+), 85 deletions(-) rename fuzzers/{aflplusplus_pendfav => aflplusplus_o0}/builder.Dockerfile (88%) rename fuzzers/{aflplusplus_pendfav => aflplusplus_o0}/description.md (100%) rename fuzzers/{aflplusplus_pendfav => aflplusplus_o0}/fuzzer.py (100%) rename fuzzers/{aflplusplus_pendfav => aflplusplus_o0}/runner.Dockerfile (100%) rename fuzzers/{aflplusplus_reinit => aflplusplus_o1}/builder.Dockerfile (88%) rename fuzzers/{aflplusplus_reinit => aflplusplus_o1}/description.md (100%) rename fuzzers/{aflplusplus_reinit => aflplusplus_o1}/fuzzer.py (100%) rename fuzzers/{aflplusplus_reinit => aflplusplus_o1}/runner.Dockerfile (100%) rename fuzzers/{aflplusplus_qemu_tcgcov => aflplusplus_o2}/builder.Dockerfile (58%) create mode 100644 fuzzers/aflplusplus_o2/description.md create mode 100755 fuzzers/aflplusplus_o2/fuzzer.py rename fuzzers/{aflplusplus_qemu_tcgcov => aflplusplus_o2}/runner.Dockerfile (95%) delete mode 100644 fuzzers/aflplusplus_qemu_tcgcov/description.md delete mode 100755 fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile index a88093309..a0c276695 100644 --- a/fuzzers/aflplusplus/builder.Dockerfile 
+++ b/fuzzers/aflplusplus/builder.Dockerfile
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout c60431247e971881bc159a84e5505dfec7adcf6d || \
+ git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_frida/builder.Dockerfile b/fuzzers/aflplusplus_frida/builder.Dockerfile
index 18271d1b1..2ebb98b1f 100644
--- a/fuzzers/aflplusplus_frida/builder.Dockerfile
+++ b/fuzzers/aflplusplus_frida/builder.Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && \
 # Download afl++
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && git checkout c60431247e971881bc159a84e5505dfec7adcf6d
+ cd /afl && git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd
 # Build afl++ without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_pendfav/builder.Dockerfile b/fuzzers/aflplusplus_o0/builder.Dockerfile
similarity index 88%
rename from fuzzers/aflplusplus_pendfav/builder.Dockerfile
rename to fuzzers/aflplusplus_o0/builder.Dockerfile
index 7bae7eb2b..567161ccd 100644
--- a/fuzzers/aflplusplus_pendfav/builder.Dockerfile
+++ b/fuzzers/aflplusplus_o0/builder.Dockerfile
@@ -35,14 +35,15 @@ RUN apt-get update && \
 libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 # Download afl++.
-RUN git clone -b pendfav https://github.com/AFLplusplus/AFLplusplus /afl && \
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout cd6b89eb74cc501a67b1c14a4433a496b2053eec || \
+ git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
 true
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \
+ sed -i 's/"-O3"/"-O0"/' src/afl-cc.c && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
diff --git a/fuzzers/aflplusplus_pendfav/description.md b/fuzzers/aflplusplus_o0/description.md
similarity index 100%
rename from fuzzers/aflplusplus_pendfav/description.md
rename to fuzzers/aflplusplus_o0/description.md
diff --git a/fuzzers/aflplusplus_pendfav/fuzzer.py b/fuzzers/aflplusplus_o0/fuzzer.py
similarity index 100%
rename from fuzzers/aflplusplus_pendfav/fuzzer.py
rename to fuzzers/aflplusplus_o0/fuzzer.py
diff --git a/fuzzers/aflplusplus_pendfav/runner.Dockerfile b/fuzzers/aflplusplus_o0/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_pendfav/runner.Dockerfile
rename to fuzzers/aflplusplus_o0/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_reinit/builder.Dockerfile b/fuzzers/aflplusplus_o1/builder.Dockerfile
similarity index 88%
rename from fuzzers/aflplusplus_reinit/builder.Dockerfile
rename to fuzzers/aflplusplus_o1/builder.Dockerfile
index bccd7e99f..0d196c859 100644
--- a/fuzzers/aflplusplus_reinit/builder.Dockerfile
+++ b/fuzzers/aflplusplus_o1/builder.Dockerfile
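Review bot: `sed -i 's/"-O3"/"-O0"/' src/afl-cc.c` is never checked, and sed exits 0 whether or not the pattern matched, so if the pinned commit spells the optimization flag differently the build proceeds with the compiler wrapper still emitting -O3 and the o0 experiment measures nothing. Follow the substitution with a check that fails the build otherwise, e.g. `sed -i 's/"-O3"/"-O0"/' src/afl-cc.c && grep -q '"-O0"' src/afl-cc.c && \`. The same unverified substitution is in the aflplusplus_o1 and aflplusplus_o2 builder hunks below; the RUN this line belongs to continues past the end of the hunk.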
@@ -35,14 +35,15 @@ RUN apt-get update && \
 libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
 # Download afl++.
-RUN git clone -b reinit https://github.com/AFLplusplus/AFLplusplus /afl && \
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 87b33740ea426bac276a9eb4bc5f201bd396b6dc || \
+ git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
 true
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \
+ sed -i 's/"-O3"/"-O1"/' src/afl-cc.c && \
 unset CFLAGS CXXFLAGS && \
 export CC=clang AFL_NO_X86=1 && \
 PYTHON_INCLUDE=/ make && \
diff --git a/fuzzers/aflplusplus_reinit/description.md b/fuzzers/aflplusplus_o1/description.md
similarity index 100%
rename from fuzzers/aflplusplus_reinit/description.md
rename to fuzzers/aflplusplus_o1/description.md
diff --git a/fuzzers/aflplusplus_reinit/fuzzer.py b/fuzzers/aflplusplus_o1/fuzzer.py
similarity index 100%
rename from fuzzers/aflplusplus_reinit/fuzzer.py
rename to fuzzers/aflplusplus_o1/fuzzer.py
diff --git a/fuzzers/aflplusplus_reinit/runner.Dockerfile b/fuzzers/aflplusplus_o1/runner.Dockerfile
similarity index 100%
rename from fuzzers/aflplusplus_reinit/runner.Dockerfile
rename to fuzzers/aflplusplus_o1/runner.Dockerfile
diff --git a/fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile b/fuzzers/aflplusplus_o2/builder.Dockerfile
similarity index 58%
rename from fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile
rename to fuzzers/aflplusplus_o2/builder.Dockerfile
index 7283bff92..0c965b181 100644
--- a/fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile
+++ b/fuzzers/aflplusplus_o2/builder.Dockerfile
@@ -15,29 +15,36 @@ ARG parent_image
 FROM $parent_image
-# Install the necessary packages.
 RUN apt-get update && \
 apt-get install -y \
 build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
 git \
 flex \
 bison \
 libglib2.0-dev \
 libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
 ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
 libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+# Download afl++.
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
+ true
-# Download afl++
-RUN git clone -b tcg_cov https://github.com/WorksButNotTested/AFLplusplus /afl && \
- cd /afl && git checkout 54fb2d0 || true
-
-# Build afl++ without Python support as we don't need it.
+# Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \
- unset CFLAGS && unset CXXFLAGS && \
- AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
- cd qemu_mode && ./build_qemu_support.sh && cd .. && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a && \
- cp utils/aflpp_driver/aflpp_qemu_driver_hook.so /
+ sed -i 's/"-O3"/"-O2"/' src/afl-cc.c && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_o2/description.md b/fuzzers/aflplusplus_o2/description.md
new file mode 100644
index 000000000..f7eb407ad
--- /dev/null
+++ b/fuzzers/aflplusplus_o2/description.md
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_o2/fuzzer.py b/fuzzers/aflplusplus_o2/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_o2/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile b/fuzzers/aflplusplus_o2/runner.Dockerfile similarity index 95% rename from fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile rename to fuzzers/aflplusplus_o2/runner.Dockerfile index 7aa1da8e4..1a10f861c 100644 --- a/fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile +++ b/fuzzers/aflplusplus_o2/runner.Dockerfile @@ -21,3 +21,4 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 +RUN apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_qemu/builder.Dockerfile b/fuzzers/aflplusplus_qemu/builder.Dockerfile index 806bbbf74..fbba9ed7b 100644 --- a/fuzzers/aflplusplus_qemu/builder.Dockerfile +++ b/fuzzers/aflplusplus_qemu/builder.Dockerfile 
@@ -30,7 +30,7 @@ RUN apt-get update && \ # Download afl++ RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && git checkout c60431247e971881bc159a84e5505dfec7adcf6d || true + cd /afl && git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || true # Build afl++ without Python support as we don't need it. # Set AFL_NO_X86 to skip flaky tests. diff --git a/fuzzers/aflplusplus_qemu_tcgcov/description.md b/fuzzers/aflplusplus_qemu_tcgcov/description.md deleted file mode 100644 index f93c35897..000000000 --- a/fuzzers/aflplusplus_qemu_tcgcov/description.md +++ /dev/null @@ -1,14 +0,0 @@ -# aflplusplus_qemu - -AFL++ fuzzer instance for binary-only fuzzing with qemu_mode. -The following config active for all benchmarks: - - qemu_mode with: - - entrypoint set to afl_qemu_driver_stdin_input - - persisten mode set to afl_qemu_driver_stdin_input - - cmplog - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py b/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py deleted file mode 100755 index 5bab908c1..000000000 --- a/fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -import os -import subprocess - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -def build(): - """Build benchmark.""" - aflplusplus_fuzzer.build('qemu') - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Get LLVMFuzzerTestOneInput address. - nm_proc = subprocess.run([ - 'sh', '-c', - 'nm \'' + target_binary + '\' | grep -i \'T afl_qemu_driver_stdin\'' - ], - stdout=subprocess.PIPE, - check=True) - target_func = '0x' + nm_proc.stdout.split()[0].decode('utf-8') - print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func) - - # Fuzzer options for qemu_mode. - flags = ['-Q', '-c0'] - - os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func - os.environ['AFL_ENTRYPOINT'] = target_func - os.environ['AFL_QEMU_PERSISTENT_CNT'] = '1000000' - os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = '1' - os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' - - aflplusplus_fuzzer.fuzz(input_corpus, - output_corpus, - target_binary, - flags=flags) diff --git a/fuzzers/aflplusplus_symqemu/builder.Dockerfile b/fuzzers/aflplusplus_symqemu/builder.Dockerfile index 9f1be91b0..2588652c0 100644 --- a/fuzzers/aflplusplus_symqemu/builder.Dockerfile +++ b/fuzzers/aflplusplus_symqemu/builder.Dockerfile 
@@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout c60431247e971881bc159a84e5505dfec7adcf6d || \ + git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \ true # Build without Python support as we don't need it. From e39414104007efec3973306691987fef7bcd49a8 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Sep 2023 12:27:00 +0200 Subject: [PATCH 10/39] fishfuzz bench --- .../aflplusplus_ff_comp/builder.Dockerfile | 89 +++++ fuzzers/aflplusplus_ff_comp/description.md | 14 + fuzzers/aflplusplus_ff_comp/fuzzer.py | 284 ++++++++++++++++ fuzzers/aflplusplus_ff_comp/runner.Dockerfile | 42 +++ .../aflplusplus_fishfuzz/builder.Dockerfile | 104 ++++++ fuzzers/aflplusplus_fishfuzz/description.md | 5 + fuzzers/aflplusplus_fishfuzz/fuzzer.py | 309 ++++++++++++++++++ .../aflplusplus_fishfuzz/runner.Dockerfile | 42 +++ 8 files changed, 889 insertions(+) create mode 100644 fuzzers/aflplusplus_ff_comp/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_ff_comp/description.md create mode 100755 fuzzers/aflplusplus_ff_comp/fuzzer.py create mode 100644 fuzzers/aflplusplus_ff_comp/runner.Dockerfile create mode 100644 fuzzers/aflplusplus_fishfuzz/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_fishfuzz/description.md create mode 100755 fuzzers/aflplusplus_fishfuzz/fuzzer.py create mode 100644 fuzzers/aflplusplus_fishfuzz/runner.Dockerfile diff --git a/fuzzers/aflplusplus_ff_comp/builder.Dockerfile b/fuzzers/aflplusplus_ff_comp/builder.Dockerfile new file mode 100644 index 000000000..221a95ecc --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp/builder.Dockerfile 
@@ -0,0 +1,89 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +RUN apt install -y lsb-release wget software-properties-common + +RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12 all + +ENV LLVM_CONFIG=llvm-config-12 + +RUN update-alternatives \ + --install /usr/lib/llvm llvm /usr/lib/llvm-12 100 \ + --slave /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-12 \ + --slave /usr/bin/llvm-ar llvm-ar /usr/bin/llvm-ar-12 \ + --slave /usr/bin/llvm-as llvm-as /usr/bin/llvm-as-12 \ + --slave /usr/bin/llvm-bcanalyzer llvm-bcanalyzer /usr/bin/llvm-bcanalyzer-12 \ + --slave /usr/bin/llvm-c-test llvm-c-test /usr/bin/llvm-c-test-12 \ + --slave /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-12 \ + --slave /usr/bin/llvm-diff llvm-diff /usr/bin/llvm-diff-12 \ + --slave /usr/bin/llvm-dis llvm-dis /usr/bin/llvm-dis-12 \ + --slave /usr/bin/llvm-dwarfdump llvm-dwarfdump /usr/bin/llvm-dwarfdump-12 \ + --slave /usr/bin/llvm-extract llvm-extract /usr/bin/llvm-extract-12 \ + --slave 
/usr/bin/llvm-link llvm-link /usr/bin/llvm-link-12 \ + --slave /usr/bin/llvm-mc llvm-mc /usr/bin/llvm-mc-12 \ + --slave /usr/bin/llvm-nm llvm-nm /usr/bin/llvm-nm-12 \ + --slave /usr/bin/llvm-objdump llvm-objdump /usr/bin/llvm-objdump-12 \ + --slave /usr/bin/llvm-ranlib llvm-ranlib /usr/bin/llvm-ranlib-12 \ + --slave /usr/bin/llvm-readobj llvm-readobj /usr/bin/llvm-readobj-12 \ + --slave /usr/bin/llvm-rtdyld llvm-rtdyld /usr/bin/llvm-rtdyld-12 \ + --slave /usr/bin/llvm-size llvm-size /usr/bin/llvm-size-12 \ + --slave /usr/bin/llvm-stress llvm-stress /usr/bin/llvm-stress-12 \ + --slave /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-12 \ + --slave /usr/bin/llvm-tblgen llvm-tblgen /usr/bin/llvm-tblgen-12 \ + --slave /usr/bin/llc llc /usr/bin/llc-12 \ + --slave /usr/bin/opt opt /usr/bin/opt-12 && \ + update-alternatives \ + --install /usr/bin/clang clang /usr/bin/clang-12 100 \ + --slave /usr/bin/clang++ clang++ /usr/bin/clang++-12 \ + --slave /usr/bin/clang-cpp clang-cpp /usr/bin/clang-cpp-12 + +# put the /usr/bin of the highest priority, to make sure clang-12 is called before clang-15, which is in /usr/local/bin +ENV PATH="/usr/bin:${PATH}" + +# Download afl++. +RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout 1d4f1e48797c064ee71441ba555b29fc3f467983 || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + make install && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_ff_comp/description.md b/fuzzers/aflplusplus_ff_comp/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp/description.md 
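Review bot: The afl++ download step ends in `git checkout 1d4f1e48797c064ee71441ba555b29fc3f467983 || \ true`, which swallows a failed checkout, so if the commit is unreachable the image silently builds whatever `dev` currently points to and the benchmark is no longer pinned; drop the `|| true` so a bad pin fails the build. The toolchain install `wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12 all` executes an unpinned script fetched at build time as root; pinning it, or installing the packages directly from the apt repository with a `signed-by` keyring, would make the image reproducible and auditable. The standalone `RUN apt install -y lsb-release wget software-properties-common` also has no `apt-get update` in its own layer and relies on the earlier layer's cache.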
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_ff_comp/fuzzer.py b/fuzzers/aflplusplus_ff_comp/fuzzer.py new file mode 100755 index 000000000..e2b10bf47 --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp/fuzzer.py 
@@ -0,0 +1,284 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + build_flags += ' -fsanitize=address' + os.environ['CFLAGS'] = build_flags + + #if build_flags.find( + # 'array-bounds' + #) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + # if 'gcc' not in build_modes: + # build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + 
os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. 
+ cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. 
+ new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_ff_comp/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp/runner.Dockerfile new file mode 100644 index 000000000..a17c457ec --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp/runner.Dockerfile 
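Review bot: `flags += os.environ['ADDITIONAL_ARGS'].split(' ')` near the end of `fuzz()` turns any doubled, leading or trailing space in ADDITIONAL_ARGS into empty-string arguments handed to afl-fuzz; `flags += os.environ['ADDITIONAL_ARGS'].split()` drops them. `get_uninstrumented_build_directory` carries the copy-pasted docstring `"""Return path to CmpLog target directory."""`; it should read `"""Return path to the uninstrumented (symcc) target directory."""`. In the symcc branch of `build()`, `new_env['OUT'] = symcc_build_directory` is assigned twice, once in the environment block and again under the "For symcc build" comment, and one of them can go. `no_cmplog is False` in the cmplog check reads more naturally as `not no_cmplog`.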
@@ -0,0 +1,42 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +ENV DEBIAN_FRONTEND=noninteractive +ENV TZ=Etc/UTC + +RUN apt update && apt install -y git gcc g++ make cmake wget \ + libgmp-dev libmpfr-dev texinfo bison python3 + +# for runtime library, we just need libc++-12-dev libc++abi-12-dev +RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - && \ + printf "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \ + "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \ + "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \ + "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \ + >> /etc/apt/sources.list && \ + apt update && \ + apt install libc++-12-dev libc++abi-12-dev -y + +RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \ + pkg-config libglib2.0-dev libunwind-17 + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile b/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile new file mode 100644 index 000000000..02f552c91 --- /dev/null +++ b/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile 
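Review bot: The `printf "deb ...\n" "deb-src ...\n" "deb ...-12 main\n" "deb-src ...-12 main\n" >> /etc/apt/sources.list` line has no `%s` conversion, so the three extra arguments are not consumed; POSIX leaves this unspecified and the common shells print the format once and discard the rest, which would leave the `llvm-toolchain-focal-12` entries out of sources.list. Use `printf "%s\n" "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main" ...` so every line is written. The key is added with `wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add -`; `apt-key` is deprecated and a key added this way is trusted for every configured source, so writing it to a keyring file and referencing it with `signed-by=` in the `deb` lines scopes the trust to apt.llvm.org. `libunwind-17` in the last `apt-get install` looks unrelated to the libc++-12 runtime the comment above describes; a comment saying what needs it would help.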
@@ -0,0 +1,104 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +ENV DEBIAN_FRONTEND=noninteractive +ENV TZ=Etc/UTC + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +RUN apt install -y git gcc g++ make cmake wget \ + libgmp-dev libmpfr-dev texinfo bison python3 + +RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \ + pkg-config libglib2.0-dev findutils + +RUN apt install -y lsb-release wget software-properties-common python3-pip + +RUN pip3 install networkx pydot + +# copy Fish++ earlier to patch the llvm +# COPY FishFuzz/FF_AFL++ /FishFuzz +RUN git clone https://github.com/kdsjZh/FishFuzz/ /ff_src && \ + cd /ff_src && git checkout 72e07551dcf712bddf5cf5f8feb0af1f6f0c4afd && \ + mv /ff_src/FF_AFL++ /FishFuzz && cd / && rm -r /ff_src + +# build clang-12 with gold plugin +RUN mkdir -p /build && \ + git clone \ + --depth 1 \ + --branch release/12.x \ + https://github.com/llvm/llvm-project /llvm && \ + git clone \ + --depth 1 \ + --branch binutils-2_40-branch \ + git://sourceware.org/git/binutils-gdb.git /llvm/binutils && \ + cd 
/llvm/ && git apply /FishFuzz/asan_patch/FishFuzzASan.patch && \ + cp /FishFuzz/asan_patch/FishFuzzAddressSanitizer.cpp llvm/lib/Transforms/Instrumentation/ && \ + mkdir /llvm/binutils/build && cd /llvm/binutils/build && \ + CFLAGS="" CXXFLAGS="" CC=gcc CXX=g++ \ + ../configure --enable-gold --enable-plugins --disable-werror && \ + make all-gold -j$(nproc) && \ + cd /llvm/ && mkdir build && cd build &&\ + CFLAGS="" CXXFLAGS="" CC=gcc CXX=g++ \ + cmake -DCMAKE_BUILD_TYPE=Release \ + -DLLVM_BINUTILS_INCDIR=/llvm/binutils/include \ + -DLLVM_ENABLE_PROJECTS="compiler-rt;clang" \ + -DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi" ../llvm && \ + make -j$(nproc) && \ + cp /llvm/build/lib/LLVMgold.so //usr/lib/bfd-plugins/ && \ + cp /llvm/build/lib/libLTO.so //usr/lib/bfd-plugins/ + + +ENV LLVM_CONFIG=llvm-config + +# make sure our modified clang-12 is called before clang-15, which is in /usr/local/bin +ENV PATH="/llvm/build/bin:${PATH}" +ENV LD_LIBRARY_PATH="/llvm/build/lib/x86_64-unknown-linux-gnu/c++/:${LD_LIBRARY_PATH}" + + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /FishFuzz/ && \ + unset CFLAGS CXXFLAGS CC CXX && \ + export AFL_NO_X86=1 && \ + make clean && \ + PYTHON_INCLUDE=/ make && \ + # make -C dyncfg && \ + chmod +x distance/*.py && \ + make install + +RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /FishFuzz/afl_driver.cpp && \ + clang++ -stdlib=libc++ -std=c++11 -O2 -c /FishFuzz/afl_driver.cpp -o /FishFuzz/afl_driver.o && \ + ar r /libAFLDriver.a /FishFuzz/afl_driver.o /FishFuzz/afl-compiler-rt.o + diff --git a/fuzzers/aflplusplus_fishfuzz/description.md b/fuzzers/aflplusplus_fishfuzz/description.md new file mode 100644 index 000000000..68791d538 --- /dev/null +++ b/fuzzers/aflplusplus_fishfuzz/description.md 
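Review bot: The binutils clone uses `git://sourceware.org/git/binutils-gdb.git`, an unauthenticated and unencrypted transport, and checks out the moving tip of `binutils-2_40-branch`; the llvm-project clone likewise tracks the tip of `release/12.x`. Both trees become the gold plugin and the patched ASan compiler every benchmark binary is built with, so fetch them over https and pin a commit the way the FishFuzz clone already does with `git checkout 72e07551dcf712bddf5cf5f8feb0af1f6f0c4afd`. `RUN pip3 install networkx pydot` is unpinned as well; `networkx==<version> pydot==<version>` keeps the distance scripts reproducible. The copy targets `//usr/lib/bfd-plugins/` carry a doubled slash, harmless but probably unintended.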
@@ -0,0 +1,5 @@ +# aflplusplus + fishfuzz + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py new file mode 100755 index 000000000..f87aba5b9 --- /dev/null +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py 
@@ -0,0 +1,309 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for FishFuzz-AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + +def prepare_tmp_files(tmp_dir): + if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): + os.mkdir(tmp_dir) + os.mkdir('%s/idlog' % (tmp_dir)) + os.mkdir('%s/cg' % (tmp_dir)) + os.mkdir('%s/fid' % (tmp_dir)) + os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + +def set_ff_env(): + # set FishFuzz Env before build + os.environ['TMP_DIR'] = os.environ['OUT'] + '/TEMP' + os.environ['FF_TMP_DIR'] = os.environ['OUT'] + '/TEMP' + prepare_tmp_files(os.environ['TMP_DIR']) + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + os.environ['CFLAGS'] = build_flags + os.environ['AFL_USE_ASAN'] = '1' + + #if build_flags.find( + # 'array-bounds' + #) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + # if 'gcc' not in build_modes: + # build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/FishFuzz/afl-clang-lto' + os.environ['CXX'] = '/FishFuzz/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/FishFuzz/afl-clang-fast' + os.environ['CXX'] = '/FishFuzz/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + 
os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + set_ff_env() + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. 
+ cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. 
+ new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/FishFuzz/afl-fuzz', build_directory) + if os.path.exists('/FishFuzz/afl-qemu-trace'): + shutil.copy('/FishFuzz/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/FishFuzz/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + tmp_dir_dst = os.environ['OUT'] + '/TEMP' + print('[post_build] generating distance files') + # python3 /Fish++/distance/match_function.py -i $FF_TMP_DIR + # python3 /Fish++/distance/merge_callgraph.py -i $FF_TMP_DIR + # python3 /Fish++/distance/calculate_distance.py -i $FF_TMP_DIR + os.system('python3 /FishFuzz/distance/match_function.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % (tmp_dir_dst)) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/FishFuzz/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + os.environ['TMP_DIR'] = os.environ['OUT'] + '/TEMP' + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile b/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile new file mode 100644 index 000000000..cf202eb1b --- /dev/null +++ b/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile 
@@ -0,0 +1,42 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV TZ=Etc/UTC
+
+RUN apt update && apt install -y git gcc g++ make cmake wget \
+ libgmp-dev libmpfr-dev texinfo bison python3
+
+# for runtime library, we just need libc++-12-dev libc++abi-12-dev
+RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - && \
+ printf "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
+ "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
+ "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
+ "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
+ >> /etc/apt/sources.list && \
+ apt update && \
+ apt install libc++-12-dev libc++abi-12-dev -y
+
+# for FF runtime
+RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \
+ pkg-config libglib2.0-dev # libunwind-17
+
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
From 1579bfeb4b08be810d5960dd98689a26d9deff77 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Mon, 25 Sep 2023 12:44:29 +0200
Subject: [PATCH 11/39] ci
---
 fuzzers/aflplusplus_fishfuzz/fuzzer.py | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
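Review bot: The `printf` that appends the llvm apt sources has no `%` conversion in its format string, so the shell prints the format once and ignores the three remaining `deb`/`deb-src` arguments; only the first `llvm-toolchain-focal main` entry reaches `/etc/apt/sources.list`, and the `-12` repository the comment above relies on is never added. Emit one entry per argument instead: `printf '%s\n' "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main" "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main" "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" >> /etc/apt/sources.list`. The `wget -O - ...|apt-key add -` step also makes the fetched key trusted for every apt source, and a failed download is not detected because only the pipeline's last status is checked; storing the key under `/etc/apt/keyrings/` and referencing it with `[signed-by=...]` in these entries scopes it to the llvm repository, and `wget -O /etc/apt/keyrings/llvm.asc ...` as a separate `&&` step makes a failed fetch fail the build.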
diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index f87aba5b9..ccb200c25 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py @@ -30,13 +30,16 @@ def get_uninstrumented_build_directory(target_directory): """Return path to CmpLog target directory.""" return os.path.join(target_directory, 'uninstrumented') + def prepare_tmp_files(tmp_dir): + """ Prepare tmp files.""" if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): os.mkdir(tmp_dir) - os.mkdir('%s/idlog' % (tmp_dir)) - os.mkdir('%s/cg' % (tmp_dir)) - os.mkdir('%s/fid' % (tmp_dir)) - os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + os.mkdir(f'%s/idlog' % (tmp_dir)) + os.mkdir(f'%s/cg' % (tmp_dir)) + os.mkdir(f'%s/fid' % (tmp_dir)) + os.system(f'touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + def set_ff_env(): # set FishFuzz Env before build @@ -44,6 +47,7 @@ def set_ff_env(): os.environ['FF_TMP_DIR'] = os.environ['OUT'] + '/TEMP' prepare_tmp_files(os.environ['TMP_DIR']) + def build(*args): # pylint: disable=too-many-branches,too-many-statements """Build benchmark.""" # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide @@ -173,7 +177,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements if 'eclipser' in build_modes: os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' else: - os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # '/libAFLDriver.a' + os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # Some benchmarks like lcms. (see: # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) 
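Review bot: The new `os.mkdir(f'%s/idlog' % (tmp_dir))` lines (the `f` prefix is inert since the string has no `{}` fields) raise `FileExistsError` on a second `build()` into the same `OUT`, and so does the guarded `os.mkdir(tmp_dir)` above them, because `not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir)` is true precisely when the directory already exists; `os.system(f'touch %s/idlog/fid %s/idlog/targid' % ...)` additionally passes the `OUT`-derived path through a shell unquoted and discards the exit status. Both points survive the rewrite of the same lines in `[PATCH 12/39]` below. `os.makedirs(..., exist_ok=True)` plus opening the marker files in append mode produces the same layout idempotently and without spawning a shell:
```python
def prepare_tmp_files(tmp_dir):
    """ Prepare tmp files."""
    for sub in ('idlog', 'cg', 'fid'):
        os.makedirs(os.path.join(tmp_dir, sub), exist_ok=True)
    for marker in ('fid', 'targid'):
        # Equivalent of `touch`, without a shell.
        with open(os.path.join(tmp_dir, 'idlog', marker), 'ab'):
            pass
```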
@@ -252,12 +256,12 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements tmp_dir_dst = os.environ['OUT'] + '/TEMP' print('[post_build] generating distance files') - # python3 /Fish++/distance/match_function.py -i $FF_TMP_DIR - # python3 /Fish++/distance/merge_callgraph.py -i $FF_TMP_DIR - # python3 /Fish++/distance/calculate_distance.py -i $FF_TMP_DIR - os.system('python3 /FishFuzz/distance/match_function.py -i %s' % (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/match_function.py -i %s' % + (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % + (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % + (tmp_dir_dst)) # pylint: disable=too-many-arguments From c9e822cc7f7fc4888ce9e200d09380c022ef2edd Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 25 Sep 2023 12:53:03 +0200 Subject: [PATCH 12/39] ci --- fuzzers/aflplusplus_fishfuzz/fuzzer.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index ccb200c25..3f566598a 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py 
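Review bot: The three reflowed `os.system('python3 /FishFuzz/distance/... -i %s' % (tmp_dir_dst))` calls still interpolate the `OUT`-derived path into a shell command unquoted and discard the return status, so a distance script that fails (missing `TEMP` inputs, a Python error) is silently ignored and the build completes without distance files. Prefer `subprocess.run(['python3', '/FishFuzz/distance/match_function.py', '-i', tmp_dir_dst], check=True)` for each of the three — no shell, and a non-zero exit aborts the build — with `import subprocess` added to the module imports, which are outside this hunk. `build` starts outside the hunk.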
@@ -31,18 +31,19 @@ def get_uninstrumented_build_directory(target_directory): return os.path.join(target_directory, 'uninstrumented') +# pylint: disable=consider-using-f-string def prepare_tmp_files(tmp_dir): """ Prepare tmp files.""" if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): os.mkdir(tmp_dir) - os.mkdir(f'%s/idlog' % (tmp_dir)) - os.mkdir(f'%s/cg' % (tmp_dir)) - os.mkdir(f'%s/fid' % (tmp_dir)) - os.system(f'touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + os.mkdir('%s/idlog' % (tmp_dir)) + os.mkdir('%s/cg' % (tmp_dir)) + os.mkdir('%s/fid' % (tmp_dir)) + os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) def set_ff_env(): - # set FishFuzz Env before build + """ set FishFuzz Env before build. """ os.environ['TMP_DIR'] = os.environ['OUT'] + '/TEMP' os.environ['FF_TMP_DIR'] = os.environ['OUT'] + '/TEMP' prepare_tmp_files(os.environ['TMP_DIR']) From 19ff038b5d0be9318e41a11905d2b0bdf5c1ef82 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Thu, 28 Sep 2023 10:07:48 +0200 Subject: [PATCH 13/39] test2 --- fuzzers/aflplusplus_ff_comp/fuzzer.py | 3 +- .../aflplusplus_ff_comp2/builder.Dockerfile | 49 +++ fuzzers/aflplusplus_ff_comp2/description.md | 14 + fuzzers/aflplusplus_ff_comp2/fuzzer.py | 285 ++++++++++++++++++ .../aflplusplus_ff_comp2/runner.Dockerfile | 24 ++ 5 files changed, 374 insertions(+), 1 deletion(-) create mode 100644 fuzzers/aflplusplus_ff_comp2/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_ff_comp2/description.md create mode 100755 fuzzers/aflplusplus_ff_comp2/fuzzer.py create mode 100644 fuzzers/aflplusplus_ff_comp2/runner.Dockerfile diff --git a/fuzzers/aflplusplus_ff_comp/fuzzer.py b/fuzzers/aflplusplus_ff_comp/fuzzer.py index e2b10bf47..0912f0a97 100755 --- a/fuzzers/aflplusplus_ff_comp/fuzzer.py +++ b/fuzzers/aflplusplus_ff_comp/fuzzer.py 
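Review bot: `# pylint: disable=consider-using-f-string` on a line of its own above `def prepare_tmp_files` is a block-scoped disable that stays in effect for the rest of the module, not just this function, so `%`-formatting anywhere later in the file also goes unflagged. Either make it a trailing comment on the signature, `def prepare_tmp_files(tmp_dir):  # pylint: disable=consider-using-f-string`, or follow the function with `# pylint: enable=consider-using-f-string`. The new `set_ff_env` docstring `""" set FishFuzz Env before build. """` has stray inner spaces and a lowercase start; `"""Set the FishFuzz environment before building."""` matches the file's other docstrings.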
@@ -49,7 +49,6 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] - build_flags += ' -fsanitize=address' os.environ['CFLAGS'] = build_flags #if build_flags.find( @@ -197,6 +196,8 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements print('Re-building benchmark for CmpLog fuzzing target') utils.build_benchmark(env=new_env) + else: + os.environ['AFL_USE_ASAN'] = '1' if 'symcc' in build_modes: diff --git a/fuzzers/aflplusplus_ff_comp2/builder.Dockerfile b/fuzzers/aflplusplus_ff_comp2/builder.Dockerfile new file mode 100644 index 000000000..a0c276695 --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp2/builder.Dockerfile 
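Review bot: `os.environ['AFL_USE_ASAN'] = '1'` in the new `else:` branch is presumably set after the benchmark has already been compiled — the hunk sits below the CmpLog re-build, and in the identical layout of the new `fuzzers/aflplusplus_ff_comp2/fuzzer.py` in this series the primary `utils.build_benchmark()` call precedes it (it is outside this hunk here). Combined with the first hunk dropping `-fsanitize=address` from `CFLAGS`, a non-cmplog build now gets no ASan instrumentation at all, and the variable only leaks into a later symcc build via `os.environ.copy()`. Move the decision above the `with utils.restore_directory(...)` block, e.g. `if 'cmplog' not in build_modes or 'qemu' in build_modes: os.environ['AFL_USE_ASAN'] = '1'`; the same applies to the `else:` branch in `aflplusplus_ff_comp2/fuzzer.py`. With the `+=` line gone, `os.environ['CFLAGS'] = build_flags` in the first hunk is a no-op reassignment. `build` starts and ends outside both hunks.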
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
+ ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
+ true
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_ff_comp2/description.md b/fuzzers/aflplusplus_ff_comp2/description.md
new file mode 100644
index 000000000..f7eb407ad
--- /dev/null
+++ b/fuzzers/aflplusplus_ff_comp2/description.md
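Review bot: `git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \ true` turns a failed checkout into a silent success, so if that commit is ever unreachable from the fresh clone (the `dev` branch rewritten, the object garbage-collected, a mistyped hash) the image is built from whatever `dev` HEAD the clone returned and the pin provides no reproducibility at all. Drop the `|| \ true` so a missing commit fails the build, or verify the result with `git rev-parse --verify HEAD` against the expected id after the checkout. The same pattern appears in `fuzzers/aflplusplus_early/builder.Dockerfile` later in this series, where the pin is additionally only the 7-character prefix `7dec7fb`.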
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_ff_comp2/fuzzer.py b/fuzzers/aflplusplus_ff_comp2/fuzzer.py new file mode 100755 index 000000000..df979ab44 --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp2/fuzzer.py 
@@ -0,0 +1,285 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. 
+ cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + else: + os.environ['AFL_USE_ASAN'] = '1' + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. 
+ new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_ff_comp2/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp2/runner.Dockerfile new file mode 100644 index 000000000..1a10f861c --- /dev/null +++ b/fuzzers/aflplusplus_ff_comp2/runner.Dockerfile 
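Review bot: `get_uninstrumented_build_directory` carries the copy-pasted docstring `"""Return path to CmpLog target directory."""`; it should read `"""Return path to the uninstrumented (symcc) build directory."""`. `fuzz()`'s `"""Run fuzzer."""` documents none of `flags`, `skip` or `no_cmplog`, although `skip=True` suppresses `AFL_DISABLE_TRIM`/`AFL_CMPLOG_ONLY_NEW` and `no_cmplog=True` omits the `-c` CmpLog binary; a short Args section stating that would help callers. Separately, `os.environ['ADDITIONAL_ARGS'].split(' ')` yields empty-string arguments on repeated spaces and cannot carry quoted values, where `shlex.split(os.environ['ADDITIONAL_ARGS'])` (stdlib) handles both. The same docstring and split are in the `aflplusplus_early/fuzzer.py` copy added later in this series.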
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+RUN apt install -y unzip git gdb joe
From f1f0344af6fbca72fe5edcae80f75e94385858d5 Mon Sep 17 00:00:00 2001
From: vanhauser-thc
Date: Fri, 6 Oct 2023 21:51:06 +0200
Subject: [PATCH 14/39] new variant
---
 fuzzers/aflplusplus/builder.Dockerfile | 2 +-
 fuzzers/aflplusplus_early/builder.Dockerfile | 49 ++++
 fuzzers/aflplusplus_early/description.md | 14 +
 fuzzers/aflplusplus_early/fuzzer.py | 283 +++++++++++++++++++
 fuzzers/aflplusplus_early/runner.Dockerfile | 24 ++
 5 files changed, 371 insertions(+), 1 deletion(-)
 create mode 100644 fuzzers/aflplusplus_early/builder.Dockerfile
 create mode 100644 fuzzers/aflplusplus_early/description.md
 create mode 100755 fuzzers/aflplusplus_early/fuzzer.py
 create mode 100644 fuzzers/aflplusplus_early/runner.Dockerfile
diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile
index a0c276695..1fdde66e0 100644
--- a/fuzzers/aflplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplus/builder.Dockerfile
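Review bot: `RUN apt install -y unzip git gdb joe` uses the interactive `apt` front end, whose CLI is documented as unstable for scripts, and runs without an `apt-get update` in the same layer, so the install depends on whatever package index the base image happened to leave behind. `RUN apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*` is the conventional form and keeps the layer small. `gdb` and `joe` are interactive debugging conveniences; if they exist only for `docker run` sessions, as the comment near the top suggests, they need not be part of the measured runner image.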
@@ -37,7 +37,7 @@ RUN apt-get update && \
 # Download afl++.
 RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
 cd /afl && \
- git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
+ git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || \
 true
 # Build without Python support as we don't need it.
diff --git a/fuzzers/aflplusplus_early/builder.Dockerfile b/fuzzers/aflplusplus_early/builder.Dockerfile
new file mode 100644
index 000000000..1b3f94cf3
--- /dev/null
+++ b/fuzzers/aflplusplus_early/builder.Dockerfile
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
+ ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone -b chg_pass_entrypoint https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 7dec7fb || \
+ true
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
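Review bot: The pin `git checkout 7dec7fb || \ true` is a 7-character abbreviated hash on the feature branch `chg_pass_entrypoint`, so it can become ambiguous as the repository grows and vanishes altogether if the branch is rebased or deleted — and with `|| \ true` either case silently builds from the branch tip instead of failing. Use the full 40-character commit id, as the other builder Dockerfiles in this series do, and drop the `|| \ true` so an unresolvable pin stops the build.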
diff --git a/fuzzers/aflplusplus_early/description.md b/fuzzers/aflplusplus_early/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_early/description.md @@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_early/fuzzer.py b/fuzzers/aflplusplus_early/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_early/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_early/runner.Dockerfile b/fuzzers/aflplusplus_early/runner.Dockerfile new file mode 100644 index 000000000..1a10f861c --- /dev/null +++ b/fuzzers/aflplusplus_early/runner.Dockerfile 
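Review bot: In the symcc branch of `build()`, `new_env['CXXFLAGS'].replace('-stlib=libc++', '')` looks like a typo for `-stdlib=libc++`: the qemu/symcc path earlier builds CXXFLAGS from `utils.LIBCPLUSPLUS_FLAG`, and if that constant is `-stdlib=libc++` (not visible here) the replace never matches and the symcc rebuild keeps the libc++ flag it was meant to strip; the fix is `new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stdlib=libc++', '')`. In `fuzz()`, `os.environ['ADDITIONAL_ARGS'].split(' ')` produces empty-string arguments on repeated spaces, so `shlex.split(...)` (with `import shlex`) would be more robust. The docstring of `get_uninstrumented_build_directory` is a copy-paste of the CmpLog one and should read `"""Return path to the uninstrumented (symcc) target directory."""`.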
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 +RUN apt install -y unzip git gdb joe From 2fef512a44f10dff36ebe53709e6540a877414c3 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 6 Oct 2023 22:03:59 +0200 Subject: [PATCH 15/39] fish again --- .../builder.Dockerfile | 2 +- .../description.md | 0 .../fuzzer.py | 6 +++--- .../runner.Dockerfile | 0 4 files changed, 4 insertions(+), 4 deletions(-) rename fuzzers/{aflplusplus_ff_comp2 => aflplusplus_ff_comp3}/builder.Dockerfile (95%) rename fuzzers/{aflplusplus_ff_comp2 => aflplusplus_ff_comp3}/description.md (100%) rename fuzzers/{aflplusplus_ff_comp2 => aflplusplus_ff_comp3}/fuzzer.py (99%) rename fuzzers/{aflplusplus_ff_comp2 => aflplusplus_ff_comp3}/runner.Dockerfile (100%) diff --git a/fuzzers/aflplusplus_ff_comp2/builder.Dockerfile b/fuzzers/aflplusplus_ff_comp3/builder.Dockerfile similarity index 95% rename from fuzzers/aflplusplus_ff_comp2/builder.Dockerfile rename to fuzzers/aflplusplus_ff_comp3/builder.Dockerfile index a0c276695..1fdde66e0 100644 --- a/fuzzers/aflplusplus_ff_comp2/builder.Dockerfile +++ b/fuzzers/aflplusplus_ff_comp3/builder.Dockerfile 
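Review bot: The last line of the runner image, `RUN apt install -y unzip git gdb joe`, uses the interactive `apt` front end and installs in a layer that runs no `apt-get update` of its own, so it only works if the base image still carries a package index, and it leaves whatever lists exist in the layer. A script-safe form is `RUN apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*`. Given the comment above it, a short note such as `# debugging conveniences for interactive runs only; not used by the benchmark` would make clear these tools are not part of the measured fuzzer.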
@@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \ + git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || \ true # Build without Python support as we don't need it. diff --git a/fuzzers/aflplusplus_ff_comp2/description.md b/fuzzers/aflplusplus_ff_comp3/description.md similarity index 100% rename from fuzzers/aflplusplus_ff_comp2/description.md rename to fuzzers/aflplusplus_ff_comp3/description.md diff --git a/fuzzers/aflplusplus_ff_comp2/fuzzer.py b/fuzzers/aflplusplus_ff_comp3/fuzzer.py similarity index 99% rename from fuzzers/aflplusplus_ff_comp2/fuzzer.py rename to fuzzers/aflplusplus_ff_comp3/fuzzer.py index df979ab44..f5ef33076 100755 --- a/fuzzers/aflplusplus_ff_comp2/fuzzer.py +++ b/fuzzers/aflplusplus_ff_comp3/fuzzer.py @@ -45,7 +45,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # If nothing was set this is the default: if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] + build_modes = ['tracepc', 'dict2file'] # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] @@ -99,6 +99,8 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS os.environ['CXXFLAGS'] = ' '.join(cxxflags) + os.environ['AFL_USE_ASAN'] = '1' + if 'tracepc' in build_modes or 'pcguard' in build_modes: os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' elif 'classic' in build_modes: @@ -195,8 +197,6 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements print('Re-building benchmark for CmpLog fuzzing target') utils.build_benchmark(env=new_env) - else: - os.environ['AFL_USE_ASAN'] = '1' if 'symcc' in build_modes: 
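Review bot: Moving `os.environ['AFL_USE_ASAN'] = '1'` ahead of the instrumentation-mode selection makes it apply to every subsequent compile in `build()` rather than only to the former `else` branch of the cmplog block, including the qemu/symcc path where CC is plain `clang` and the AFL_ variable is silently ignored, and presumably the CmpLog rebuild if this file mirrors the `os.environ.copy()` pattern of the other variants. That is probably the intent, but the bug-benchmark gcc path already injects `-fsanitize=address -O1` into CFLAGS, so the two sources of ASAN should be documented as deliberate: `# ASAN for every afl-cc build (including the CmpLog rebuild); ignored by plain clang in qemu/symcc mode.` `build()` begins and ends outside this hunk.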
diff --git a/fuzzers/aflplusplus_ff_comp2/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp3/runner.Dockerfile similarity index 100% rename from fuzzers/aflplusplus_ff_comp2/runner.Dockerfile rename to fuzzers/aflplusplus_ff_comp3/runner.Dockerfile From 36377054ac849d37b32193eb07d6bc39fedd4b9a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 6 Oct 2023 22:04:41 +0200 Subject: [PATCH 16/39] fish fuzz --- fuzzers/aflplusplus_ff_comp3/fuzzer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzzers/aflplusplus_ff_comp3/fuzzer.py b/fuzzers/aflplusplus_ff_comp3/fuzzer.py index f5ef33076..f9b769eb7 100755 --- a/fuzzers/aflplusplus_ff_comp3/fuzzer.py +++ b/fuzzers/aflplusplus_ff_comp3/fuzzer.py @@ -45,7 +45,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # If nothing was set this is the default: if not build_modes: - build_modes = ['tracepc', 'dict2file'] + build_modes = ['tracepc'] # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] From 2492e72ceba49d5717b6310e3c04a2e1e4e5060c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Fri, 6 Oct 2023 23:19:05 +0200 Subject: [PATCH 17/39] fix --- fuzzers/aflplusplus_early/builder.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzzers/aflplusplus_early/builder.Dockerfile b/fuzzers/aflplusplus_early/builder.Dockerfile index 1b3f94cf3..555f3516b 100644 --- a/fuzzers/aflplusplus_early/builder.Dockerfile +++ b/fuzzers/aflplusplus_early/builder.Dockerfile @@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b chg_pass_entrypoint https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout 7dec7fb || \ + git checkout 7dec7fb538465974ee4c94db22dfd35d044e45ef || \ true # Build without Python support as we don't need it. From 0cf2b965e41daf84e55d1891baa4318060ef7f97 Mon Sep 17 00:00:00 2001 
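Review bot: With the default now `build_modes = ['tracepc']`, neither the CmpLog rebuild nor the dict2file dictionary is produced unless `BUILD_MODES` is set, yet `description.md` was carried over unchanged in the rename (100% similarity); if it still advertises cmplog and dict2file, as the sibling aflplusplus_early description does, it is now stale and should say the variant runs plain trace-pc with ASAN. The `-c` and `-x ./afl++.dict` logic in `fuzz()` stays harmless since both are guarded by file-existence checks, but a one-line comment above the default, `# Default: plain trace-pc build; cmplog/dict2file only via BUILD_MODES`, would stop the next reader from assuming they are on. `build()` begins and ends outside this hunk.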
From: vanhauser-thc Date: Sat, 7 Oct 2023 08:39:52 +0200 Subject: [PATCH 18/39] remove not working variants --- fuzzers/afl/builder.Dockerfile | 33 -- fuzzers/afl/fuzzer.py | 141 -------- fuzzers/afl/runner.Dockerfile | 15 - fuzzers/afl_2_52_b/builder.Dockerfile | 30 -- fuzzers/afl_2_52_b/fuzzer.py | 139 -------- fuzzers/afl_2_52_b/runner.Dockerfile | 15 - fuzzers/afl_random_favored/builder.Dockerfile | 32 -- fuzzers/afl_random_favored/fuzzer.py | 138 -------- fuzzers/afl_random_favored/runner.Dockerfile | 15 - fuzzers/afl_virginmap/builder.Dockerfile | 31 -- fuzzers/afl_virginmap/fuzzer.py | 138 -------- fuzzers/afl_virginmap/runner.Dockerfile | 15 - fuzzers/aflcc/aflcc_mock.c | 23 -- fuzzers/aflcc/builder.Dockerfile | 69 ---- fuzzers/aflcc/fuzzer.py | 313 ------------------ fuzzers/aflcc/runner.Dockerfile | 22 -- fuzzers/aflfast/builder.Dockerfile | 31 -- fuzzers/aflfast/fuzzer.py | 34 -- fuzzers/aflfast/runner.Dockerfile | 15 - .../builder.Dockerfile | 40 --- .../aflplusplus_um_parallel/description.md | 9 - fuzzers/aflplusplus_um_parallel/fuzzer.py | 212 ------------ .../aflplusplus_um_parallel/runner.Dockerfile | 23 -- .../builder.Dockerfile | 40 --- .../aflplusplus_um_prioritize/description.md | 9 - fuzzers/aflplusplus_um_prioritize/fuzzer.py | 259 --------------- .../runner.Dockerfile | 23 -- .../builder.Dockerfile | 40 --- .../description.md | 9 - .../aflplusplus_um_prioritize_75/fuzzer.py | 259 --------------- .../runner.Dockerfile | 23 -- .../aflplusplus_um_random/builder.Dockerfile | 40 --- fuzzers/aflplusplus_um_random/description.md | 10 - fuzzers/aflplusplus_um_random/fuzzer.py | 221 ------------- .../aflplusplus_um_random/runner.Dockerfile | 23 -- .../builder.Dockerfile | 40 --- .../aflplusplus_um_random_75/description.md | 10 - fuzzers/aflplusplus_um_random_75/fuzzer.py | 213 ------------ .../runner.Dockerfile | 23 -- .../aflpp_random_default/builder.Dockerfile | 35 -- fuzzers/aflpp_random_default/fuzzer.py | 268 --------------- 
.../aflpp_random_default/runner.Dockerfile | 23 -- .../aflpp_random_no_favs/builder.Dockerfile | 35 -- fuzzers/aflpp_random_no_favs/fuzzer.py | 272 --------------- .../aflpp_random_no_favs/runner.Dockerfile | 23 -- fuzzers/aflpp_random_wrs/builder.Dockerfile | 35 -- fuzzers/aflpp_random_wrs/fuzzer.py | 270 --------------- fuzzers/aflpp_random_wrs/runner.Dockerfile | 23 -- .../aflpp_random_wrs_rf/builder.Dockerfile | 35 -- fuzzers/aflpp_random_wrs_rf/fuzzer.py | 269 --------------- fuzzers/aflpp_random_wrs_rf/runner.Dockerfile | 23 -- .../aflpp_random_wrs_rf_rp/builder.Dockerfile | 35 -- fuzzers/aflpp_random_wrs_rf_rp/fuzzer.py | 268 --------------- .../aflpp_random_wrs_rf_rp/runner.Dockerfile | 23 -- .../aflpp_random_wrs_rp/builder.Dockerfile | 35 -- fuzzers/aflpp_random_wrs_rp/fuzzer.py | 269 --------------- fuzzers/aflpp_random_wrs_rp/runner.Dockerfile | 23 -- .../honggfuzz_um_parallel/builder.Dockerfile | 40 --- fuzzers/honggfuzz_um_parallel/description.md | 9 - fuzzers/honggfuzz_um_parallel/fuzzer.py | 205 ------------ .../honggfuzz_um_parallel/runner.Dockerfile | 18 - .../builder.Dockerfile | 40 --- .../honggfuzz_um_prioritize/description.md | 9 - fuzzers/honggfuzz_um_prioritize/fuzzer.py | 243 -------------- .../honggfuzz_um_prioritize/runner.Dockerfile | 18 - .../builder.Dockerfile | 40 --- .../honggfuzz_um_prioritize_75/description.md | 9 - fuzzers/honggfuzz_um_prioritize_75/fuzzer.py | 243 -------------- .../runner.Dockerfile | 18 - .../honggfuzz_um_random/builder.Dockerfile | 40 --- fuzzers/honggfuzz_um_random/description.md | 10 - fuzzers/honggfuzz_um_random/fuzzer.py | 206 ------------ fuzzers/honggfuzz_um_random/runner.Dockerfile | 18 - .../honggfuzz_um_random_75/builder.Dockerfile | 40 --- fuzzers/honggfuzz_um_random_75/description.md | 10 - fuzzers/honggfuzz_um_random_75/fuzzer.py | 206 ------------ .../honggfuzz_um_random_75/runner.Dockerfile | 18 - 77 files changed, 6179 deletions(-) delete mode 100644 fuzzers/afl/builder.Dockerfile delete mode 
100755 fuzzers/afl/fuzzer.py delete mode 100644 fuzzers/afl/runner.Dockerfile delete mode 100644 fuzzers/afl_2_52_b/builder.Dockerfile delete mode 100755 fuzzers/afl_2_52_b/fuzzer.py delete mode 100644 fuzzers/afl_2_52_b/runner.Dockerfile delete mode 100644 fuzzers/afl_random_favored/builder.Dockerfile delete mode 100755 fuzzers/afl_random_favored/fuzzer.py delete mode 100644 fuzzers/afl_random_favored/runner.Dockerfile delete mode 100644 fuzzers/afl_virginmap/builder.Dockerfile delete mode 100755 fuzzers/afl_virginmap/fuzzer.py delete mode 100644 fuzzers/afl_virginmap/runner.Dockerfile delete mode 100644 fuzzers/aflcc/aflcc_mock.c delete mode 100644 fuzzers/aflcc/builder.Dockerfile delete mode 100644 fuzzers/aflcc/fuzzer.py delete mode 100644 fuzzers/aflcc/runner.Dockerfile delete mode 100644 fuzzers/aflfast/builder.Dockerfile delete mode 100755 fuzzers/aflfast/fuzzer.py delete mode 100644 fuzzers/aflfast/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_parallel/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_parallel/description.md delete mode 100644 fuzzers/aflplusplus_um_parallel/fuzzer.py delete mode 100644 fuzzers/aflplusplus_um_parallel/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_prioritize/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_prioritize/description.md delete mode 100755 fuzzers/aflplusplus_um_prioritize/fuzzer.py delete mode 100644 fuzzers/aflplusplus_um_prioritize/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_prioritize_75/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_prioritize_75/description.md delete mode 100755 fuzzers/aflplusplus_um_prioritize_75/fuzzer.py delete mode 100644 fuzzers/aflplusplus_um_prioritize_75/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_random/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_random/description.md delete mode 100644 fuzzers/aflplusplus_um_random/fuzzer.py delete mode 100644 
fuzzers/aflplusplus_um_random/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_random_75/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_um_random_75/description.md delete mode 100644 fuzzers/aflplusplus_um_random_75/fuzzer.py delete mode 100644 fuzzers/aflplusplus_um_random_75/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_default/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_default/fuzzer.py delete mode 100644 fuzzers/aflpp_random_default/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_no_favs/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_no_favs/fuzzer.py delete mode 100644 fuzzers/aflpp_random_no_favs/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_wrs/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_wrs/fuzzer.py delete mode 100644 fuzzers/aflpp_random_wrs/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_wrs_rf/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_wrs_rf/fuzzer.py delete mode 100644 fuzzers/aflpp_random_wrs_rf/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_wrs_rf_rp/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_wrs_rf_rp/fuzzer.py delete mode 100644 fuzzers/aflpp_random_wrs_rf_rp/runner.Dockerfile delete mode 100644 fuzzers/aflpp_random_wrs_rp/builder.Dockerfile delete mode 100755 fuzzers/aflpp_random_wrs_rp/fuzzer.py delete mode 100644 fuzzers/aflpp_random_wrs_rp/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_parallel/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_parallel/description.md delete mode 100644 fuzzers/honggfuzz_um_parallel/fuzzer.py delete mode 100644 fuzzers/honggfuzz_um_parallel/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_prioritize/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_prioritize/description.md delete mode 100755 fuzzers/honggfuzz_um_prioritize/fuzzer.py delete mode 100644 fuzzers/honggfuzz_um_prioritize/runner.Dockerfile delete mode 100644 
fuzzers/honggfuzz_um_prioritize_75/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_prioritize_75/description.md delete mode 100755 fuzzers/honggfuzz_um_prioritize_75/fuzzer.py delete mode 100644 fuzzers/honggfuzz_um_prioritize_75/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_random/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_random/description.md delete mode 100644 fuzzers/honggfuzz_um_random/fuzzer.py delete mode 100644 fuzzers/honggfuzz_um_random/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_random_75/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_um_random_75/description.md delete mode 100644 fuzzers/honggfuzz_um_random_75/fuzzer.py delete mode 100644 fuzzers/honggfuzz_um_random_75/runner.Dockerfile diff --git a/fuzzers/afl/builder.Dockerfile b/fuzzers/afl/builder.Dockerfile deleted file mode 100644 index 94d7f5076..000000000 --- a/fuzzers/afl/builder.Dockerfile +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Download and compile AFL v2.57b. -# Set AFL_NO_X86 to skip flaky tests. -RUN git clone \ - --depth 1 \ - --branch v2.57b \ - https://github.com/google/AFL.git /afl && \ - cd /afl && \ - CFLAGS= CXXFLAGS= AFL_NO_X86=1 make - -# Use afl_driver.cpp from LLVM as our fuzzing library. -RUN apt-get update && \ - apt-get install wget -y && \ - wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \ - clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \ - clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \ - ar r /libAFL.a *.o diff --git a/fuzzers/afl/fuzzer.py b/fuzzers/afl/fuzzer.py deleted file mode 100755 index 18cb71229..000000000 --- a/fuzzers/afl/fuzzer.py +++ /dev/null 
@@ -1,141 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFL fuzzer.""" - -import json -import os -import shutil -import subprocess - -from fuzzers import utils - - -def prepare_build_environment(): - """Set environment variables used to build targets for AFL-based - fuzzers.""" - cflags = ['-fsanitize-coverage=trace-pc-guard'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - os.environ['FUZZER_LIB'] = '/libAFL.a' - - -def build(): - """Build benchmark.""" - prepare_build_environment() - - utils.build_benchmark() - - print('[post_build] Copying afl-fuzz to $OUT directory') - # Copy out the afl-fuzz binary as a build artifact. - shutil.copy('/afl/afl-fuzz', os.environ['OUT']) - - -def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument - """Gets fuzzer stats for AFL.""" - # Get a dictionary containing the stats AFL reports. - stats_file = os.path.join(output_corpus, 'fuzzer_stats') - if not os.path.exists(stats_file): - print('Can\'t find fuzzer_stats') - return '{}' - with open(stats_file, encoding='utf-8') as file_handle: - stats_file_lines = file_handle.read().splitlines() - stats_file_dict = {} - for stats_line in stats_file_lines: - key, value = stats_line.split(': ') - stats_file_dict[key.strip()] = value.strip() - - # Report to FuzzBench the stats it accepts. 
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])} - return json.dumps(stats) - - -def prepare_fuzz_environment(input_corpus): - """Prepare to fuzz with AFL or another AFL-based fuzzer.""" - # Tell AFL to not use its terminal UI so we get usable logs. - os.environ['AFL_NO_UI'] = '1' - # Skip AFL's CPU frequency check (fails on Docker). - os.environ['AFL_SKIP_CPUFREQ'] = '1' - # No need to bind affinity to one core, Docker enforces 1 core usage. - os.environ['AFL_NO_AFFINITY'] = '1' - # AFL will abort on startup if the core pattern sends notifications to - # external programs. We don't care about this. - os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1' - # Don't exit when crashes are found. This can happen when corpus from - # OSS-Fuzz is used. - os.environ['AFL_SKIP_CRASHES'] = '1' - # Shuffle the queue - os.environ['AFL_SHUFFLE_QUEUE'] = '1' - - # AFL needs at least one non-empty seed to start. - utils.create_seed_file_for_empty_corpus(input_corpus) - - -def check_skip_det_compatible(additional_flags): - """ Checks if additional flags are compatible with '-d' option""" - # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode. - # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477) - if '-M' in additional_flags or '-S' in additional_flags: - return False - return True - - -def run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=None, - hide_output=False): - """Run afl-fuzz.""" - # Spawn the afl fuzzing process. - print('[run_afl_fuzz] Running target with afl-fuzz') - command = [ - './afl-fuzz', - '-i', - input_corpus, - '-o', - output_corpus, - # Use no memory limit as ASAN doesn't play nicely with one. - '-m', - 'none', - '-t', - '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs. - ] - # Use '-d' to skip deterministic mode, as long as it it compatible with - # additional flags. 
- if not additional_flags or check_skip_det_compatible(additional_flags): - command.append('-d') - if additional_flags: - command.extend(additional_flags) - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - command.extend(['-x', dictionary_path]) - command += [ - '--', - target_binary, - # Pass INT_MAX to afl the maximize the number of persistent loops it - # performs. - '2147483647' - ] - print('[run_afl_fuzz] Running command: ' + ' '.join(command)) - output_stream = subprocess.DEVNULL if hide_output else None - subprocess.check_call(command, stdout=output_stream, stderr=output_stream) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run afl-fuzz on target.""" - prepare_fuzz_environment(input_corpus) - - run_afl_fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/afl/runner.Dockerfile b/fuzzers/afl/runner.Dockerfile deleted file mode 100644 index 0d6cf004e..000000000 --- a/fuzzers/afl/runner.Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image diff --git a/fuzzers/afl_2_52_b/builder.Dockerfile b/fuzzers/afl_2_52_b/builder.Dockerfile deleted file mode 100644 index 271af6db0..000000000 --- a/fuzzers/afl_2_52_b/builder.Dockerfile +++ /dev/null 
@@ -1,30 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.56b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/Fuzzers-Archive/afl-2.52b.git /afl && \
- cd /afl && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/afl_2_52_b/fuzzer.py b/fuzzers/afl_2_52_b/fuzzer.py
deleted file mode 100755
index 386898e21..000000000
--- a/fuzzers/afl_2_52_b/fuzzer.py
+++ /dev/null
@@ -1,139 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
-
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/afl_2_52_b/runner.Dockerfile b/fuzzers/afl_2_52_b/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/afl_2_52_b/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/afl_random_favored/builder.Dockerfile b/fuzzers/afl_random_favored/builder.Dockerfile
deleted file mode 100644
index 93bd6f3fc..000000000
--- a/fuzzers/afl_random_favored/builder.Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install wget libstdc++-5-dev -y
-
-RUN git clone https://github.com/Practical-Formal-Methods/AFL-public.git /afl && \
- cd /afl && \
- git checkout randomized_top_rated && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/afl_random_favored/fuzzer.py b/fuzzers/afl_random_favored/fuzzer.py
deleted file mode 100755
index 7c4c44180..000000000
--- a/fuzzers/afl_random_favored/fuzzer.py
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/afl_random_favored/runner.Dockerfile b/fuzzers/afl_random_favored/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/afl_random_favored/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/afl_virginmap/builder.Dockerfile b/fuzzers/afl_virginmap/builder.Dockerfile
deleted file mode 100644
index 2dd23e712..000000000
--- a/fuzzers/afl_virginmap/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.57b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/vanhauser-thc/AFL.git /afl && \
- cd /afl && \
- git checkout virgin && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/afl_virginmap/fuzzer.py b/fuzzers/afl_virginmap/fuzzer.py
deleted file mode 100755
index 7c4c44180..000000000
--- a/fuzzers/afl_virginmap/fuzzer.py
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/afl_virginmap/runner.Dockerfile b/fuzzers/afl_virginmap/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/afl_virginmap/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/aflcc/aflcc_mock.c b/fuzzers/aflcc/aflcc_mock.c
deleted file mode 100644
index 987cfd91a..000000000
--- a/fuzzers/aflcc/aflcc_mock.c
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include
-#include
-
-// these are defined in the LLVM passes,
-// but need to be mocked for persistent mode.
-void __afl_manual_init(void) { printf("manual_init\n"); }
-int __afl_persistent_loop(unsigned int max_cnt) { printf("peristent loop\n"); return 0; }
-uint32_t __afl_get_area_size(void) { printf("get area size\n"); return 0; }
-uint32_t __afl_get_bbarea_size(void) { printf("bb area size\n"); return 0; }
\ No newline at end of file
diff --git a/fuzzers/aflcc/builder.Dockerfile b/fuzzers/aflcc/builder.Dockerfile
deleted file mode 100644
index c59752b92..000000000
--- a/fuzzers/aflcc/builder.Dockerfile
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image=gcr.io/fuzzbench/base-builder
-FROM $parent_image
-
-# Need Clang/LLVM 3.8.
-RUN apt-get update -y && \
- apt-get -y install llvm-3.8 \
- clang-3.8 \
- libstdc++-5-dev \
- wget \
- make \
- gcc \
- cmake \
- texinfo \
- bison \
- software-properties-common
-
-# Install some libraries needed by some oss-fuzz benchmarks
-RUN apt-get install -y zlib1g-dev \
- libarchive-dev \
- libglib2.0-dev \
- libpsl-dev \
- libbsd-dev
-
-# Set env variables.
-ENV AFL_CONVERT_COMPARISON_TYPE=NONE
-ENV AFL_COVERAGE_TYPE=ORIGINAL
-ENV AFL_BUILD_TYPE=FUZZING
-ENV AFL_DICT_TYPE=NORMAL
-ENV LLVM_CONFIG=llvm-config-3.8
-
-
-# Download and compile aflcc.
-# Note: the commit number is for branch 'nodebug'
-RUN git clone https://github.com/Samsung/afl_cc.git /afl && \
- cd /afl && \
- git checkout c9486dfdf35b7d5f58ce4f9dae141031d2f9f3f1 && \
- AFL_NO_X86=1 make && \
- cd /afl/llvm_mode && \
- CC=clang-3.8 CXX=clang++-3.8 CFLAGS= CXXFLAGS= make
-
-# Install gllvm
-RUN cd /afl && \
- sh ./setup-aflc-gclang.sh
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-ENV CC=/afl/aflc-gclang
-ENV CXX=/afl/aflc-gclang++
-COPY aflcc_mock.c /aflcc_mock.c
-RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- sed -i -e '/decide_deferred_forkserver/,+8d' /afl/afl_driver.cpp && \
- $CXX -I/usr/local/include/c++/v1/ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp -o /afl/afl_driver.o && \
- ar r /libAFL.a /afl/afl_driver.o && \
- clang-3.8 -O2 -c -fPIC /aflcc_mock.c -o /aflcc_mock.o && \
- clang-3.8 -shared -o /libAflccMock.so /aflcc_mock.o
-
diff --git a/fuzzers/aflcc/fuzzer.py b/fuzzers/aflcc/fuzzer.py
deleted file mode 100644
index b402d5ff1..000000000
--- a/fuzzers/aflcc/fuzzer.py
+++ /dev/null
@@ -1,313 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFLcc fuzzer."""
-
-import shutil
-import os
-import threading
-import subprocess
-
-from fuzzers import utils
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def is_benchmark(name):
- """Check if the benchmark contains the string |name|"""
- benchmark = os.getenv('BENCHMARK', None)
- return benchmark is not None and name in benchmark
-
-
-def openthread_suppress_error_flags():
- """Suppress errors for openthread"""
- return [
- '-Wno-error=embedded-directive',
- '-Wno-error=gnu-zero-variadic-macro-arguments',
- '-Wno-error=overlength-strings', '-Wno-error=c++11-long-long',
- '-Wno-error=c++11-extensions', '-Wno-error=variadic-macros'
- ]
-
-
-def libjpeg_turbo_asm_object_files():
- """
- Additional .o files compiled from .asm files
- and absent from the LLVM .bc file we extracted
- TODO(laurentsimon): check if we can link against
- *.a instead of providing a list of .o files
- """
- return [
- './BUILD/simd/jidctred-sse2-64.o', './BUILD/simd/jidctint-sse2-64.o',
- './BUILD/simd/jidctfst-sse2-64.o', './BUILD/simd/jdmerge-sse2-64.o',
- './BUILD/simd/jidctflt-sse2-64.o', './BUILD/simd/jdsample-sse2-64.o',
- './BUILD/simd/jdcolor-sse2-64.o'
- ]
-
-
-def fix_fuzzer_lib():
- """Fix FUZZER_LIB for certain benchmarks"""
-
- if '--warn-unresolved-symbols' not in os.environ['CFLAGS']:
- os.environ['FUZZER_LIB'] += ' -L/ -lAflccMock -lpthread'
-
- if is_benchmark('curl'):
- shutil.copy('/libAflccMock.so', '/usr/lib/libAflccMock.so')
-
- if is_benchmark('systemd'):
- shutil.copy('/libAFL.a', '/usr/lib/libFuzzingEngine.a')
- ld_flags = ['-lpthread']
- utils.append_flags('LDFLAGS', ld_flags)
-
-
-def add_compilation_cflags():
- """Add custom flags for certain benchmarks"""
- if is_benchmark('openthread'):
- openthread_flags = openthread_suppress_error_flags()
- utils.append_flags('CFLAGS', openthread_flags)
- utils.append_flags('CXXFLAGS', openthread_flags)
-
- elif is_benchmark('php'):
- php_flags = ['-D__builtin_cpu_supports\\(x\\)=0']
- utils.append_flags('CFLAGS', php_flags)
- utils.append_flags('CXXFLAGS', php_flags)
-
- # For some benchmarks, we also tell the compiler
- # to ignore unresolved symbols. This is useful when we cannot change
- # the build process to add a shared library for linking
- # (which contains mocked functions: libAflccMock.so).
- # Note that some functions are only defined post-compilation
- # during the LLVM passes.
- elif is_benchmark('bloaty') or is_benchmark('openssl') or is_benchmark(
- 'systemd'):
- unresolved_flags = ['-Wl,--warn-unresolved-symbols']
- utils.append_flags('CFLAGS', unresolved_flags)
- utils.append_flags('CXXFLAGS', unresolved_flags)
-
- elif is_benchmark('curl'):
- dl_flags = ['-ldl', '-lpsl']
- utils.append_flags('CFLAGS', dl_flags)
- utils.append_flags('CXXFLAGS', dl_flags)
-
-
-def add_post_compilation_lflags(ldflags_arr):
- """Add additional linking flags for certain benchmarks"""
- if is_benchmark('libjpeg'):
- ldflags_arr += libjpeg_turbo_asm_object_files()
- elif is_benchmark('php'):
- ldflags_arr += ['-lresolv']
- elif is_benchmark('curl'):
- ldflags_arr += [
- '-ldl', '-lpsl', '/src/openssl/libcrypto.a', '/src/openssl/libssl.a'
- ]
- elif is_benchmark('openssl'):
- ldflags_arr += ['/src/openssl/libcrypto.a', '/src/openssl/libssl.a']
- elif is_benchmark('systemd'):
- shutil.copy(
- os.path.join(os.environ['OUT'],
- 'src/shared/libsystemd-shared-245.so'),
- '/usr/lib/libsystemd-shared-245.so')
- ldflags_arr += ['-lsystemd-shared-245']
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare run for some benchmarks"""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- # OUT env variable does not exists, it seems.
- if os.path.isfile('/out/src/shared/libsystemd-shared-245.so'):
- shutil.copy('/out/src/shared/libsystemd-shared-245.so',
- '/usr/lib/libsystemd-shared-245.so')
-
-
-def prepare_build_environment():
- """Set environment variables used to build benchmark."""
- # Update compiler flags for clang-3.8.
- cflags = ['-fPIC']
- cppflags = cflags + [
- '-I/usr/local/include/c++/v1/', '-stdlib=libc++', '-std=c++11'
- ]
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cppflags)
-
- # Add flags for various benchmarks.
- add_compilation_cflags()
-
- # Setup aflcc compiler.
- os.environ['LLVM_CONFIG'] = 'llvm-config-3.8'
- os.environ['CC'] = '/afl/aflc-gclang'
- os.environ['CXX'] = '/afl/aflc-gclang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
- # Fix FUZZER_LIB for various benchmarks.
- fix_fuzzer_lib()
-
-
-def post_build(fuzz_target):
- """Perform the post-processing for a target"""
- print(f'Fuzz-target: {fuzz_target}')
-
- getbc_cmd = f'/afl/aflc-get-bc {fuzz_target}'
- if os.system(getbc_cmd) != 0:
- raise ValueError('get-bc failed')
-
- # Set the flags. ldflags is here temporarily until the benchmarks
- # are cleaned up and standalone.
- cppflags_arr = [
- '-I/usr/local/include/c++/v1/', '-stdlib=libc++', '-std=c++11'
- ]
- # Note: -ld for dlopen(), -lbsd for strlcpy().
- ldflags_arr = [
- '-lpthread', '-lm', ' -lz', '-larchive', '-lglib-2.0', '-ldl', '-lbsd'
- ]
-
- # Add post compilation linking flags for certain benchmarks.
- add_post_compilation_lflags(ldflags_arr)
-
- # Stringify the flags arrays.
- cppflags = ' '.join(cppflags_arr)
- ldflags = ' '.join(ldflags_arr)
-
- # Create the different build types.
- os.environ['AFL_BUILD_TYPE'] = 'FUZZING'
-
- # The original afl binary.
- print('[post_build] Generating original afl build')
- os.environ['AFL_COVERAGE_TYPE'] = 'ORIGINAL'
- os.environ['AFL_CONVERT_COMPARISON_TYPE'] = 'NONE'
- os.environ['AFL_DICT_TYPE'] = 'NORMAL'
- bin1_cmd = '{compiler} {flags} -O3 {target}.bc -o ' \
- '{target}-original {ldflags}'.format(
- compiler='/afl/aflc-clang-fast++',
- flags=cppflags,
- target=fuzz_target,
- ldflags=ldflags)
- if os.system(bin1_cmd) != 0:
- raise ValueError(f'command "{bin1_cmd}" failed')
-
- # The normalized build with non-optimized dictionary.
- print('[post_build] Generating normalized-none-nopt')
- os.environ['AFL_COVERAGE_TYPE'] = 'ORIGINAL'
- os.environ['AFL_CONVERT_COMPARISON_TYPE'] = 'NONE'
- os.environ['AFL_DICT_TYPE'] = 'NORMAL'
- bin2_cmd = '{compiler} {flags} {target}.bc -o ' \
- '{target}-normalized-none-nopt {ldflags}'.format(
- compiler='/afl/aflc-clang-fast++',
- flags=cppflags,
- target=fuzz_target,
- ldflags=ldflags)
- if os.system(bin2_cmd) != 0:
- raise ValueError(f'command "{bin2_cmd}" failed')
-
- # The no-collision split-condition optimized dictionary.
- print('[post_build] Generating no-collision-all-opt build')
- os.environ['AFL_COVERAGE_TYPE'] = 'NO_COLLISION'
- os.environ['AFL_CONVERT_COMPARISON_TYPE'] = 'ALL'
- os.environ['AFL_DICT_TYPE'] = 'OPTIMIZED'
- bin3_cmd = '{compiler} {flags} {target}.bc -o ' \
- '{target}-no-collision-all-opt {ldflags}'.format(
- compiler='/afl/aflc-clang-fast++',
- flags=cppflags,
- target=fuzz_target,
- ldflags=ldflags)
- if os.system(bin3_cmd) != 0:
- raise ValueError(f'command "{bin3_cmd}" failed')
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Extracting .bc file')
- fuzz_target = os.getenv('FUZZ_TARGET')
- fuzz_target_path = os.path.join(os.environ['OUT'], fuzz_target)
- post_build(fuzz_target_path)
-
-
-def run_fuzzer(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- # FIXME: Currently AFL will exit if it encounters a crashing input in seed
- # corpus (usually timeouts). Add a way to skip/delete such inputs and
- # re-run AFL.
- print('[run_fuzzer] Running target with afl-fuzz') - command = [ - './afl-fuzz', - '-i', - input_corpus, - '-o', - output_corpus, - # Use no memory limit as ASAN doesn't play nicely with one. - '-m', - 'none' - ] - if additional_flags: - command.extend(additional_flags) - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - command.extend(['-x', dictionary_path]) - command += [ - '--', - target_binary, - # Pass INT_MAX to afl the maximize the number of persistent loops it - # performs. - '2147483647' - ] - print('[run_fuzzer] Running command: ' + ' '.join(command)) - output_stream = subprocess.DEVNULL if hide_output else None - subprocess.check_call(command, stdout=output_stream, stderr=output_stream) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - prepare_fuzz_environment(input_corpus) - - # Note: dictionary automatically added by run_fuzzer(). - - # Use a dictionary for original afl as well. - print('[fuzz] Running AFL for original binary') - src_file = f'{target_binary}-normalized-none-nopt.dict' - dst_file = f'{target_binary}-original.dict' - shutil.copy(src_file, dst_file) - # Instead of generating a new dict, just hack this one - # to be non-optimized to prevent AFL from aborting. 
- os.system(f'sed -i \'s/OPTIMIZED/NORMAL/g\' {dst_file}') - afl_fuzz_thread1 = threading.Thread(target=run_fuzzer, - args=(input_corpus, output_corpus, - f'{target_binary}-original', - ['-S', 'secondary-original'])) - afl_fuzz_thread1.start() - - print('[run_fuzzer] Running AFL for normalized and optimized dictionary') - afl_fuzz_thread2 = threading.Thread( - target=run_fuzzer, - args=(input_corpus, output_corpus, - f'{target_binary}-normalized-none-nopt', - ['-S', 'secondary-normalized-nopt'])) - afl_fuzz_thread2.start() - - print('[run_fuzzer] Running AFL for FBSP and optimized dictionary') - run_fuzzer(input_corpus, - output_corpus, - f'{target_binary}-no-collision-all-opt', - ['-S', 'secondary-no-collision-all-opt'], - hide_output=False) diff --git a/fuzzers/aflcc/runner.Dockerfile b/fuzzers/aflcc/runner.Dockerfile deleted file mode 100644 index e115f2c00..000000000 --- a/fuzzers/aflcc/runner.Dockerfile +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -RUN apt-get install -y zlib1g-dev \ - libarchive-dev \ - libglib2.0-dev \ - libpsl-dev \ - libbsd-dev - diff --git a/fuzzers/aflfast/builder.Dockerfile b/fuzzers/aflfast/builder.Dockerfile deleted file mode 100644 index b38039810..000000000 --- a/fuzzers/aflfast/builder.Dockerfile +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Download and compile AFLFast (extends AFL with Power Schedules). -# Set AFL_NO_X86 to skip flaky tests. -RUN git clone https://github.com/mboehme/aflfast.git /afl && \ - cd /afl && \ - git checkout d1d54caf9850ca4afe2ac634a2a212aa6bb40032 && \ - AFL_NO_X86=1 make - -# Use afl_driver.cpp from LLVM as our fuzzing library. -RUN apt-get update && \ - apt-get install wget -y && \ - wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \ - clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \ - clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \ - ar r /libAFL.a *.o diff --git a/fuzzers/aflfast/fuzzer.py b/fuzzers/aflfast/fuzzer.py deleted file mode 100755 index 5c366aef5..000000000 --- a/fuzzers/aflfast/fuzzer.py +++ /dev/null 
@@ -1,34 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFLFast fuzzer."""
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- # Write AFL's output to /dev/null to avoid filling up disk by writing too
- # much to log file. This is a problem in general with AFLFast but
- # particularly with the lcms benchmark.
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- hide_output=True)
diff --git a/fuzzers/aflfast/runner.Dockerfile b/fuzzers/aflfast/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/aflfast/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/aflplusplus_um_parallel/builder.Dockerfile b/fuzzers/aflplusplus_um_parallel/builder.Dockerfile deleted file mode 100644 index 33c94647b..000000000 --- a/fuzzers/aflplusplus_um_parallel/builder.Dockerfile +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout b847e0f414e7b310e1a68bc501d4e2453bfce70e - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - diff --git a/fuzzers/aflplusplus_um_parallel/description.md b/fuzzers/aflplusplus_um_parallel/description.md deleted file mode 100644 index 2ff91d2fd..000000000 --- a/fuzzers/aflplusplus_um_parallel/description.md +++ /dev/null 
@@ -1,9 +0,0 @@
-# aflplusplus UM (parallel)
-
-Run aflplusplus over mutated code with parallel.
-
-NOTE: This only works with C or C++ benchmarks.
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_um_parallel/fuzzer.py b/fuzzers/aflplusplus_um_parallel/fuzzer.py
deleted file mode 100644
index ea24a2bd0..000000000
--- a/fuzzers/aflplusplus_um_parallel/fuzzer.py
+++ /dev/null
@@ -1,212 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -# This optimized afl++ variant should always be run together with -# "aflplusplus" to show the difference - a default configured afl++ vs. -# a hand-crafted optimized one. afl++ is configured not to enable the good -# stuff by default to be as close to vanilla afl as possible. -# But this means that the good stuff is hidden away in this benchmark -# otherwise. 
- -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import signal -import math -from contextlib import contextmanager - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.5 -DEFAULT_MUTANT_TIMEOUT = 300 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - aflplusplus_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. 
- subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - work): - mutant = mutants[ind] - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." 
+ mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - aflplusplus_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - else: - print("EQUAL") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except CalledProcessError: - pass - os.system(f"cp -r {output_corpus}/* {input_corpus_dir}/*") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - 
 aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/aflplusplus_um_parallel/runner.Dockerfile b/fuzzers/aflplusplus_um_parallel/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflplusplus_um_parallel/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_um_prioritize/builder.Dockerfile b/fuzzers/aflplusplus_um_prioritize/builder.Dockerfile
deleted file mode 100644
index 33c94647b..000000000
--- a/fuzzers/aflplusplus_um_prioritize/builder.Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout b847e0f414e7b310e1a68bc501d4e2453bfce70e - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - diff --git a/fuzzers/aflplusplus_um_prioritize/description.md b/fuzzers/aflplusplus_um_prioritize/description.md deleted file mode 100644 index d5bfe6fea..000000000 --- a/fuzzers/aflplusplus_um_prioritize/description.md +++ /dev/null 
@@ -1,9 +0,0 @@
-# aflplusplus UM (prioritize)
-
-Run aflplusplus over mutated code with UM prioritization
-
-NOTE: This only works with C or C++ benchmarks.
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_um_prioritize/fuzzer.py b/fuzzers/aflplusplus_um_prioritize/fuzzer.py
deleted file mode 100755
index 18a463b6d..000000000
--- a/fuzzers/aflplusplus_um_prioritize/fuzzer.py
+++ /dev/null
@@ -1,259 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -# This optimized afl++ variant should always be run together with -# "aflplusplus" to show the difference - a default configured afl++ vs. -# a hand-crafted optimized one. afl++ is configured not to enable the good -# stuff by default to be as close to vanilla afl as possible. -# But this means that the good stuff is hidden away in this benchmark -# otherwise. 
- -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import math -import signal -from contextlib import contextmanager - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.5 -DEFAULT_MUTANT_TIMEOUT = 300 -PRIORITIZE_MULTIPLIER = 5 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 -MAX_PRIORITIZE = 30 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements,too-many-branches - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - aflplusplus_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - - source_extensions = [".c", ".cc", ".cpp"] - num_mutants = math.ceil( - (total_fuzzing_time * 
FUZZ_PROP) / DEFAULT_MUTANT_TIMEOUT) - # Use heuristic to try to find benchmark directory, otherwise look for all - # files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants_map = {} - num_mutants = 0 - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants = [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - num_mutants += len(mutants) - mutants_map[source_file] = mutants - if num_mutants > MAX_MUTANTS: - break - - prioritize_map = {} - num_prioritized = min( - math.ceil((num_mutants * PRIORITIZE_MULTIPLIER) / len(mutants_map)), - MAX_PRIORITIZE) - for source_file in mutants_map: - mutants = mutants_map[source_file] - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf_8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - os.system(f"prioritize_mutants {mutate_dir}/mutants.txt \ - {mutate_dir}/prioritize_mutants_sorted.txt {num_prioritized}\ - --noSDPriority --sourceDir {src} --mutantDir {mutate_dir}") - prioritized_list = [] - with open(f"{mutate_dir}/prioritize_mutants_sorted.txt", - "r", - encoding="utf_8") as f_name: - prioritized_list = f_name.read().splitlines() - prioritize_map[source_file] = prioritized_list - - prioritized_keys = 
list(prioritize_map.keys()) - random.shuffle(prioritized_keys) - order = [] - ind = 0 - finished = False - - while not finished: - finished = True - for key in prioritized_keys: - if ind < len(prioritize_map[key]): - finished = False - order.append((key, ind)) - ind += 1 - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(order): - with utils.restore_directory(src), utils.restore_directory( - work): - key, line = order[ind] - mutant = prioritize_map[key][line] - print(mutant) - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." + mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - aflplusplus_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - print(f"FOUND NOT EQUAL {num_non_buggy}, \ - ind: {ind}") - else: - print(f"EQUAL {num_non_buggy}, ind: {ind}") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = 
int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - crashes_dir = "/storage/crashes" - os.makedirs(crashes_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - os.system(f"rm -rf {input_corpus_dir}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except CalledProcessError: - pass - - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {crashes_dir}/") - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {input_corpus_dir}/") - os.system(f"cp {output_corpus}/default/queue/* {input_corpus_dir}/") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/") - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/aflplusplus_um_prioritize/runner.Dockerfile b/fuzzers/aflplusplus_um_prioritize/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_um_prioritize/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_um_prioritize_75/builder.Dockerfile b/fuzzers/aflplusplus_um_prioritize_75/builder.Dockerfile
deleted file mode 100644
index 33c94647b..000000000
--- a/fuzzers/aflplusplus_um_prioritize_75/builder.Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout b847e0f414e7b310e1a68bc501d4e2453bfce70e - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - diff --git a/fuzzers/aflplusplus_um_prioritize_75/description.md b/fuzzers/aflplusplus_um_prioritize_75/description.md deleted file mode 100644 index d5bfe6fea..000000000 --- a/fuzzers/aflplusplus_um_prioritize_75/description.md +++ /dev/null 
@@ -1,9 +0,0 @@
-# aflplusplus UM (prioritize)
-
-Run aflplusplus over mutated code with UM prioritization
-
-NOTE: This only works with C or C++ benchmarks.
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_um_prioritize_75/fuzzer.py b/fuzzers/aflplusplus_um_prioritize_75/fuzzer.py
deleted file mode 100755
index fdbed1a6a..000000000
--- a/fuzzers/aflplusplus_um_prioritize_75/fuzzer.py
+++ /dev/null
@@ -1,259 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -# This optimized afl++ variant should always be run together with -# "aflplusplus" to show the difference - a default configured afl++ vs. -# a hand-crafted optimized one. afl++ is configured not to enable the good -# stuff by default to be as close to vanilla afl as possible. -# But this means that the good stuff is hidden away in this benchmark -# otherwise. 
- -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import math -import signal -from contextlib import contextmanager - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.75 -DEFAULT_MUTANT_TIMEOUT = 300 -PRIORITIZE_MULTIPLIER = 5 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 -MAX_PRIORITIZE = 30 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements,too-many-branches - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - aflplusplus_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - - source_extensions = [".c", ".cc", ".cpp"] - num_mutants = math.ceil( - (total_fuzzing_time * 
FUZZ_PROP) / DEFAULT_MUTANT_TIMEOUT) - # Use heuristic to try to find benchmark directory, otherwise look for all - # files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants_map = {} - num_mutants = 0 - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants = [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - num_mutants += len(mutants) - mutants_map[source_file] = mutants - if num_mutants > MAX_MUTANTS: - break - - prioritize_map = {} - num_prioritized = min( - math.ceil((num_mutants * PRIORITIZE_MULTIPLIER) / len(mutants_map)), - MAX_PRIORITIZE) - for source_file in mutants_map: - mutants = mutants_map[source_file] - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf_8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - os.system(f"prioritize_mutants {mutate_dir}/mutants.txt \ - {mutate_dir}/prioritize_mutants_sorted.txt {num_prioritized}\ - --noSDPriority --sourceDir {src} --mutantDir {mutate_dir}") - prioritized_list = [] - with open(f"{mutate_dir}/prioritize_mutants_sorted.txt", - "r", - encoding="utf_8") as f_name: - prioritized_list = f_name.read().splitlines() - prioritize_map[source_file] = prioritized_list - - prioritized_keys = 
list(prioritize_map.keys()) - random.shuffle(prioritized_keys) - order = [] - ind = 0 - finished = False - - while not finished: - finished = True - for key in prioritized_keys: - if ind < len(prioritize_map[key]): - finished = False - order.append((key, ind)) - ind += 1 - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(order): - with utils.restore_directory(src), utils.restore_directory( - work): - key, line = order[ind] - mutant = prioritize_map[key][line] - print(mutant) - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." + mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - aflplusplus_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - print(f"FOUND NOT EQUAL {num_non_buggy}, \ - ind: {ind}") - else: - print(f"EQUAL {num_non_buggy}, ind: {ind}") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = 
int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - crashes_dir = "/storage/crashes" - os.makedirs(crashes_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - os.system(f"rm -rf {input_corpus_dir}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except CalledProcessError: - pass - - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {crashes_dir}/") - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {input_corpus_dir}/") - os.system(f"cp {output_corpus}/default/queue/* {input_corpus_dir}/") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/") - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/aflplusplus_um_prioritize_75/runner.Dockerfile b/fuzzers/aflplusplus_um_prioritize_75/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_um_prioritize_75/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_um_random/builder.Dockerfile b/fuzzers/aflplusplus_um_random/builder.Dockerfile deleted file mode 100644 index abd77021b..000000000 --- a/fuzzers/aflplusplus_um_random/builder.Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout b847e0f414e7b310e1a68bc501d4e2453bfce70e - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - diff --git a/fuzzers/aflplusplus_um_random/description.md b/fuzzers/aflplusplus_um_random/description.md deleted file mode 100644 index 686a166cb..000000000 --- a/fuzzers/aflplusplus_um_random/description.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# aflplusplus UM (random) - -Run aflplusplus over mutated code without UM prioritization. Randomly sample -list of generated mutants. - -NOTE: This only works with C or C++ benchmarks. - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_um_random/fuzzer.py b/fuzzers/aflplusplus_um_random/fuzzer.py deleted file mode 100644 index 511a6fd6c..000000000 --- a/fuzzers/aflplusplus_um_random/fuzzer.py +++ /dev/null 
@@ -1,221 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -# This optimized afl++ variant should always be run together with -# "aflplusplus" to show the difference - a default configured afl++ vs. -# a hand-crafted optimized one. afl++ is configured not to enable the good -# stuff by default to be as close to vanilla afl as possible. -# But this means that the good stuff is hidden away in this benchmark -# otherwise. 
- -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import signal -import math -from contextlib import contextmanager - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.5 -DEFAULT_MUTANT_TIMEOUT = 300 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - aflplusplus_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. 
- subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - work): - mutant = mutants[ind] - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." 
+ mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - aflplusplus_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - else: - print("EQUAL") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - crashes_dir = "/storage/crashes" - os.makedirs(crashes_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - os.system(f"rm -rf {input_corpus_dir}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except 
TimeoutException: - pass - except CalledProcessError: - pass - - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {crashes_dir}/") - os.system(f"cp {output_corpus}/default/crashes/crashes.*/id* \ - {input_corpus_dir}/") - os.system(f"cp {output_corpus}/default/queue/* {input_corpus_dir}/") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/") - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/aflplusplus_um_random/runner.Dockerfile b/fuzzers/aflplusplus_um_random/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_um_random/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_um_random_75/builder.Dockerfile b/fuzzers/aflplusplus_um_random_75/builder.Dockerfile deleted file mode 100644 index 33c94647b..000000000 --- a/fuzzers/aflplusplus_um_random_75/builder.Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout b847e0f414e7b310e1a68bc501d4e2453bfce70e - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - diff --git a/fuzzers/aflplusplus_um_random_75/description.md b/fuzzers/aflplusplus_um_random_75/description.md deleted file mode 100644 index 686a166cb..000000000 --- a/fuzzers/aflplusplus_um_random_75/description.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# aflplusplus UM (random) - -Run aflplusplus over mutated code without UM prioritization. Randomly sample -list of generated mutants. - -NOTE: This only works with C or C++ benchmarks. - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_um_random_75/fuzzer.py b/fuzzers/aflplusplus_um_random_75/fuzzer.py deleted file mode 100644 index 15e2cd873..000000000 --- a/fuzzers/aflplusplus_um_random_75/fuzzer.py +++ /dev/null 
@@ -1,213 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -# This optimized afl++ variant should always be run together with -# "aflplusplus" to show the difference - a default configured afl++ vs. -# a hand-crafted optimized one. afl++ is configured not to enable the good -# stuff by default to be as close to vanilla afl as possible. -# But this means that the good stuff is hidden away in this benchmark -# otherwise. 
- -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import signal -import math -from contextlib import contextmanager - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.75 -DEFAULT_MUTANT_TIMEOUT = 300 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - aflplusplus_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. 
- subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - work): - mutant = mutants[ind] - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." 
+ mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - aflplusplus_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - else: - print("EQUAL") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except CalledProcessError: - pass - os.system(f"cp -r {output_corpus}/* {input_corpus_dir}/*") - - 
os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - aflplusplus_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/aflplusplus_um_random_75/runner.Dockerfile b/fuzzers/aflplusplus_um_random_75/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_um_random_75/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflpp_random_default/builder.Dockerfile b/fuzzers/aflpp_random_default/builder.Dockerfile deleted file mode 100644 index 52bc270f5..000000000 --- a/fuzzers/aflpp_random_default/builder.Dockerfile +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/jiradeto/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout 773baf9391ff5f1793deb7968366819e7fa07adc - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflpp_random_default/fuzzer.py b/fuzzers/aflpp_random_default/fuzzer.py deleted file mode 100755 index f51c59195..000000000 --- a/fuzzers/aflpp_random_default/fuzzer.py +++ /dev/null 
@@ -1,268 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: 
- # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. 
(see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is not False:
- flags += ['-c', cmplog_target_binary]
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- # os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflpp_random_default/runner.Dockerfile b/fuzzers/aflpp_random_default/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflpp_random_default/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflpp_random_no_favs/builder.Dockerfile b/fuzzers/aflpp_random_no_favs/builder.Dockerfile
deleted file mode 100644
index c4066c277..000000000
--- a/fuzzers/aflpp_random_no_favs/builder.Dockerfile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Download and compile afl++.
-RUN git clone https://github.com/jiradeto/AFLplusplus /afl && \
- cd /afl && \
- git checkout port_random_fuzzing_to_afl++
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && make install && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflpp_random_no_favs/fuzzer.py b/fuzzers/aflpp_random_no_favs/fuzzer.py
deleted file mode 100755
index d8a93b36c..000000000
--- a/fuzzers/aflpp_random_no_favs/fuzzer.py
+++ /dev/null
@@ -1,272 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: 
- # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. 
(see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is not False:
- flags += ['-c', cmplog_target_binary]
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- # os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- os.environ['AFL_DISABLE_WRS'] = '1'
- os.environ['AFL_DISABLE_RF'] = '1'
- os.environ['AFL_DISABLE_RP'] = '1'
- os.environ['AFL_DISABLE_FAVS'] = '1'
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflpp_random_no_favs/runner.Dockerfile b/fuzzers/aflpp_random_no_favs/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflpp_random_no_favs/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflpp_random_wrs/builder.Dockerfile b/fuzzers/aflpp_random_wrs/builder.Dockerfile
deleted file mode 100644
index c4066c277..000000000
--- a/fuzzers/aflpp_random_wrs/builder.Dockerfile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Download and compile afl++.
-RUN git clone https://github.com/jiradeto/AFLplusplus /afl && \
- cd /afl && \
- git checkout port_random_fuzzing_to_afl++
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && make install && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflpp_random_wrs/fuzzer.py b/fuzzers/aflpp_random_wrs/fuzzer.py
deleted file mode 100755
index f561625fa..000000000
--- a/fuzzers/aflpp_random_wrs/fuzzer.py
+++ /dev/null
@@ -1,270 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: 
- # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. 
(see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is not False: - flags += ['-c', cmplog_target_binary] - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - # os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - os.environ['AFL_DISABLE_RF'] = '1' - os.environ['AFL_DISABLE_RP'] = '1' - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflpp_random_wrs/runner.Dockerfile b/fuzzers/aflpp_random_wrs/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflpp_random_wrs/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 
diff --git a/fuzzers/aflpp_random_wrs_rf/builder.Dockerfile b/fuzzers/aflpp_random_wrs_rf/builder.Dockerfile deleted file mode 100644 index c4066c277..000000000 --- a/fuzzers/aflpp_random_wrs_rf/builder.Dockerfile +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/jiradeto/AFLplusplus /afl && \ - cd /afl && \ - git checkout port_random_fuzzing_to_afl++ - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflpp_random_wrs_rf/fuzzer.py b/fuzzers/aflpp_random_wrs_rf/fuzzer.py deleted file mode 100755 index 50a073a99..000000000 --- a/fuzzers/aflpp_random_wrs_rf/fuzzer.py +++ /dev/null 
@@ -1,269 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: 
- # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. 
(see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is not False: - flags += ['-c', cmplog_target_binary] - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - # os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - os.environ['AFL_DISABLE_RP'] = '1' - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflpp_random_wrs_rf/runner.Dockerfile b/fuzzers/aflpp_random_wrs_rf/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflpp_random_wrs_rf/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 
diff --git a/fuzzers/aflpp_random_wrs_rf_rp/builder.Dockerfile b/fuzzers/aflpp_random_wrs_rf_rp/builder.Dockerfile deleted file mode 100644 index c4066c277..000000000 --- a/fuzzers/aflpp_random_wrs_rf_rp/builder.Dockerfile +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/jiradeto/AFLplusplus /afl && \ - cd /afl && \ - git checkout port_random_fuzzing_to_afl++ - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflpp_random_wrs_rf_rp/fuzzer.py b/fuzzers/aflpp_random_wrs_rf_rp/fuzzer.py deleted file mode 100755 index f51c59195..000000000 --- a/fuzzers/aflpp_random_wrs_rf_rp/fuzzer.py +++ /dev/null 
@@ -1,268 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: 
- # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. 
(see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is not False: - flags += ['-c', cmplog_target_binary] - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - # os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflpp_random_wrs_rf_rp/runner.Dockerfile b/fuzzers/aflpp_random_wrs_rf_rp/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflpp_random_wrs_rf_rp/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflpp_random_wrs_rp/builder.Dockerfile b/fuzzers/aflpp_random_wrs_rp/builder.Dockerfile deleted file mode 100644 index c4066c277..000000000 
--- a/fuzzers/aflpp_random_wrs_rp/builder.Dockerfile +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/jiradeto/AFLplusplus /afl && \ - cd /afl && \ - git checkout port_random_fuzzing_to_afl++ - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflpp_random_wrs_rp/fuzzer.py b/fuzzers/aflpp_random_wrs_rp/fuzzer.py deleted file mode 100755 index e6fe85980..000000000 --- a/fuzzers/aflpp_random_wrs_rp/fuzzer.py +++ /dev/null 
@@ -1,269 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment.
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms.
(see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is not False:
- flags += ['-c', cmplog_target_binary]
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- # os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- os.environ['AFL_DISABLE_RF'] = '1'
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflpp_random_wrs_rp/runner.Dockerfile b/fuzzers/aflpp_random_wrs_rp/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflpp_random_wrs_rp/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/honggfuzz_um_parallel/builder.Dockerfile b/fuzzers/honggfuzz_um_parallel/builder.Dockerfile
deleted file mode 100644
index d5c2c5dca..000000000
--- a/fuzzers/honggfuzz_um_parallel/builder.Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && apt-get install -y python3
-RUN pip3 install --upgrade --force pip
-RUN pip install universalmutator
-
-# honggfuzz requires libfd and libunwid.
-RUN apt-get update -y && \
- apt-get install -y \
- libbfd-dev \
- libunwind-dev \
- libblocksruntime-dev \
- liblzma-dev
-
-# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb
-# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
-# dependent code that may not work on the machines we actually fuzz on.
-# Create an empty object file which will become the FUZZER_LIB lib (since
-# honggfuzz doesn't need this when hfuzz-clang(++) is used).
-RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
- cd /honggfuzz && \
- git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb && \
- CFLAGS="-O3 -funroll-loops" make && \
- touch empty_lib.c && \
- cc -c -o empty_lib.o empty_lib.c
diff --git a/fuzzers/honggfuzz_um_parallel/description.md b/fuzzers/honggfuzz_um_parallel/description.md
deleted file mode 100644
index 9163c5cb6..000000000
--- a/fuzzers/honggfuzz_um_parallel/description.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# aflplusplus UM (parallel)
-
-Run aflplusplus over mutated code in parallel.
-
-NOTE: This only works with C or C++ benchmarks.
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/honggfuzz_um_parallel/fuzzer.py b/fuzzers/honggfuzz_um_parallel/fuzzer.py
deleted file mode 100644
index c17fc8ce8..000000000
--- a/fuzzers/honggfuzz_um_parallel/fuzzer.py
+++ /dev/null
@@ -1,205 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for honggfuzz fuzzer."""
-
-import glob
-import os
-from pathlib import Path
-import random
-import shutil
-import filecmp
-from subprocess import CalledProcessError
-import time
-import signal
-import math
-from contextlib import contextmanager
-
-from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer
-from fuzzers import utils
-
-
-class TimeoutException(Exception):
- """"Exception thrown when timeouts occur"""
-
-
-TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours
-TOTAL_BUILD_TIME = 43200 # 12 hours
-FUZZ_PROP = 0.5
-DEFAULT_MUTANT_TIMEOUT = 300
-GRACE_TIME = 3600 # 1 hour in seconds
-MAX_MUTANTS = 200000
-
-
-@contextmanager
-def time_limit(seconds):
- """Method to define a time limit before throwing exception"""
-
- def signal_handler(signum, frame):
- raise TimeoutException("Timed out!")
-
- signal.signal(signal.SIGALRM, signal_handler)
- signal.alarm(seconds)
- try:
- yield
- finally:
- signal.alarm(0)
-
-
-def build(): # pylint: disable=too-many-locals,too-many-statements
- """Build benchmark."""
- start_time = time.time()
-
- out = os.getenv("OUT")
- src = os.getenv("SRC")
- work = os.getenv("WORK")
- storage_dir = "/storage"
- os.mkdir(storage_dir)
- mutate_dir = f"{storage_dir}/mutant_files"
- os.mkdir(mutate_dir)
- mutate_bins = f"{storage_dir}/mutant_bins"
- os.mkdir(mutate_bins)
- mutate_scripts = f"{storage_dir}/mutant_scripts"
-
os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - honggfuzz_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - 
work):
- mutant = mutants[ind]
- suffix = "." + mutant.split(".")[-1]
- mpart = ".mutant." + mutant.split(".mutant.")[1]
- source_file = f"{src}/{mutant.replace(mpart, suffix)}"
- print(source_file)
- print(f"{mutate_dir}/{mutant}")
- os.system(f"cp {source_file} {mutate_dir}/orig")
- os.system(f"cp {mutate_dir}/{mutant} {source_file}")
-
- try:
- new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\
- f".{num_non_buggy}"
-
- os.system(f"rm -rf {out}/*")
- honggfuzz_fuzzer.build()
- if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}',
- f'{out}/{orig_fuzz_target}',
- shallow=False):
- print(f"{out}/{orig_fuzz_target}",
- f"{mutate_bins}/{new_fuzz_target}")
- shutil.copy(f"{out}/{orig_fuzz_target}",
- f"{mutate_bins}/{new_fuzz_target}")
- num_non_buggy += 1
- else:
- print("EQUAL")
- except RuntimeError:
- pass
- except CalledProcessError:
- pass
- os.system(f"cp {mutate_dir}/orig {source_file}")
- ind += 1
- except TimeoutException:
- pass
-
- os.system(f"rm -rf {out}/*")
- os.system(f"cp -r {orig_out}/* {out}/")
- os.system(f"cp {mutate_bins}/* {out}/")
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- total_fuzzing_time = int(
- os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT)))
- total_mutant_time = int(FUZZ_PROP * total_fuzzing_time)
-
- mutants = glob.glob(f"{target_binary}.*")
- random.shuffle(mutants)
- timeout = max(DEFAULT_MUTANT_TIMEOUT,
- int(total_mutant_time / max(len(mutants), 1)))
- num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants))
-
- input_corpus_dir = "/storage/input_corpus"
- os.makedirs(input_corpus_dir, exist_ok=True)
- os.environ['AFL_SKIP_CRASHES'] = "1"
-
- for mutant in mutants[:num_mutants]:
- with utils.restore_directory(input_corpus), utils.restore_directory(
- output_corpus):
- try:
- with time_limit(timeout):
- honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, mutant)
- except TimeoutException:
- pass
- except CalledProcessError:
- pass
- os.system(f"cp -r {output_corpus}/*
{input_corpus_dir}/*")
-
- os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*")
- honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/honggfuzz_um_parallel/runner.Dockerfile b/fuzzers/honggfuzz_um_parallel/runner.Dockerfile
deleted file mode 100644
index f3eb30039..000000000
--- a/fuzzers/honggfuzz_um_parallel/runner.Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# honggfuzz requires libfd and libunwid
-RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev
diff --git a/fuzzers/honggfuzz_um_prioritize/builder.Dockerfile b/fuzzers/honggfuzz_um_prioritize/builder.Dockerfile
deleted file mode 100644
index d5c2c5dca..000000000
--- a/fuzzers/honggfuzz_um_prioritize/builder.Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && apt-get install -y python3
-RUN pip3 install --upgrade --force pip
-RUN pip install universalmutator
-
-# honggfuzz requires libfd and libunwid.
-RUN apt-get update -y && \
- apt-get install -y \
- libbfd-dev \
- libunwind-dev \
- libblocksruntime-dev \
- liblzma-dev
-
-# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb
-# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
-# dependent code that may not work on the machines we actually fuzz on.
-# Create an empty object file which will become the FUZZER_LIB lib (since
-# honggfuzz doesn't need this when hfuzz-clang(++) is used).
-RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
- cd /honggfuzz && \
- git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb && \
- CFLAGS="-O3 -funroll-loops" make && \
- touch empty_lib.c && \
- cc -c -o empty_lib.o empty_lib.c
diff --git a/fuzzers/honggfuzz_um_prioritize/description.md b/fuzzers/honggfuzz_um_prioritize/description.md
deleted file mode 100644
index ca04efdba..000000000
--- a/fuzzers/honggfuzz_um_prioritize/description.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# honggfuzz UM (prioritize)
-
-Run honggfuzz over mutated code with UM prioritization
-
-NOTE: This only works with C or C++ benchmarks.
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/honggfuzz_um_prioritize/fuzzer.py b/fuzzers/honggfuzz_um_prioritize/fuzzer.py
deleted file mode 100755
index 59f86d3a7..000000000
--- a/fuzzers/honggfuzz_um_prioritize/fuzzer.py
+++ /dev/null
@@ -1,243 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for honggfuzz fuzzer."""
-
-import glob
-import os
-from pathlib import Path
-import random
-import shutil
-import filecmp
-from subprocess import CalledProcessError
-import time
-import math
-import signal
-from contextlib import contextmanager
-
-from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer
-from fuzzers import utils
-
-
-class TimeoutException(Exception):
- """"Exception thrown when timeouts occur"""
-
-
-TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours
-TOTAL_BUILD_TIME = 43200 # 12 hours
-FUZZ_PROP = 0.5
-DEFAULT_MUTANT_TIMEOUT = 300
-PRIORITIZE_MULTIPLIER = 5
-GRACE_TIME = 3600 # 1 hour in seconds
-MAX_MUTANTS = 200000
-MAX_PRIORITIZE = 30
-
-
-@contextmanager
-def time_limit(seconds):
- """Method to define a time limit before throwing exception"""
-
- def signal_handler(signum, frame):
- raise TimeoutException("Timed out!")
-
- signal.signal(signal.SIGALRM, signal_handler)
- signal.alarm(seconds)
- try:
- yield
- finally:
- signal.alarm(0)
-
-
-def build(): # pylint: disable=too-many-locals,too-many-statements,too-many-branches
- """Build benchmark."""
- start_time = time.time()
-
- out = os.getenv("OUT")
- src = os.getenv("SRC")
- work = os.getenv("WORK")
- storage_dir = "/storage"
- os.mkdir(storage_dir)
- mutate_dir = f"{storage_dir}/mutant_files"
- os.mkdir(mutate_dir)
- mutate_bins = f"{storage_dir}/mutant_bins"
-
os.mkdir(mutate_bins)
- mutate_scripts = f"{storage_dir}/mutant_scripts"
- os.mkdir(mutate_scripts)
- orig_out = f"{storage_dir}/orig_out"
- os.mkdir(orig_out)
-
- orig_fuzz_target = os.getenv("FUZZ_TARGET")
- with utils.restore_directory(src), utils.restore_directory(work):
- honggfuzz_fuzzer.build()
- shutil.copy(f"{out}/{orig_fuzz_target}",
- f"{mutate_bins}/{orig_fuzz_target}")
- os.system(f"cp -r {out}/* {orig_out}/")
- benchmark = os.getenv("BENCHMARK")
- total_fuzzing_time = int(
- os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT)))
-
- source_extensions = [".c", ".cc", ".cpp"]
- num_mutants = math.ceil(
- (total_fuzzing_time * FUZZ_PROP) / DEFAULT_MUTANT_TIMEOUT)
- # Use heuristic to try to find benchmark directory, otherwise look for all
- # files in the current directory.
- subdirs = [
- name for name in os.listdir(src)
- if os.path.isdir(os.path.join(src, name))
- ]
- benchmark_src_dir = src
- for directory in subdirs:
- if directory in benchmark:
- benchmark_src_dir = os.path.join(src, directory)
- break
-
- source_files = []
- for extension in source_extensions:
- source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}",
- recursive=True)
- random.shuffle(source_files)
-
- mutants_map = {}
- num_mutants = 0
- for source_file in source_files:
- source_dir = os.path.dirname(source_file).split(src, 1)[1]
- Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True)
- os.system(f"mutate {source_file} --mutantDir \
- {mutate_dir}/{source_dir} --noCheck > /dev/null")
- source_base = os.path.basename(source_file).split(".")[0]
- mutants_glob = glob.glob(
- f"{mutate_dir}/{source_dir}/{source_base}.mutant.*")
- mutants = [
- f"{source_dir}/{mutant.split('/')[-1]}"[1:]
- for mutant in mutants_glob
- ]
- num_mutants += len(mutants)
- mutants_map[source_file] = mutants
- if num_mutants > MAX_MUTANTS:
- break
-
- prioritize_map = {}
- num_prioritized = min(
- math.ceil((num_mutants * PRIORITIZE_MULTIPLIER) / len(mutants_map)),
-
MAX_PRIORITIZE) - for source_file in mutants_map: - mutants = mutants_map[source_file] - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf_8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - os.system(f"prioritize_mutants {mutate_dir}/mutants.txt \ - {mutate_dir}/prioritize_mutants_sorted.txt {num_prioritized}\ - --noSDPriority --sourceDir {src} --mutantDir {mutate_dir}") - prioritized_list = [] - with open(f"{mutate_dir}/prioritize_mutants_sorted.txt", - "r", - encoding="utf_8") as f_name: - prioritized_list = f_name.read().splitlines() - prioritize_map[source_file] = prioritized_list - - prioritized_keys = list(prioritize_map.keys()) - random.shuffle(prioritized_keys) - order = [] - ind = 0 - finished = False - - while not finished: - finished = True - for key in prioritized_keys: - if ind < len(prioritize_map[key]): - finished = False - order.append((key, ind)) - ind += 1 - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(order): - with utils.restore_directory(src), utils.restore_directory( - work): - key, line = order[ind] - mutant = prioritize_map[key][line] - print(mutant) - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." 
+ mutant.split(".mutant.")[1]
- source_file = f"{src}/{mutant.replace(mpart, suffix)}"
- print(source_file)
- print(f"{mutate_dir}/{mutant}")
- os.system(f"cp {source_file} {mutate_dir}/orig")
- os.system(f"cp {mutate_dir}/{mutant} {source_file}")
- try:
- new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\
- f".{num_non_buggy}"
-
- os.system(f"rm -rf {out}/*")
- honggfuzz_fuzzer.build()
- if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}',
- f'{out}/{orig_fuzz_target}',
- shallow=False):
- print(f"{out}/{orig_fuzz_target}",
- f"{mutate_bins}/{new_fuzz_target}")
- shutil.copy(f"{out}/{orig_fuzz_target}",
- f"{mutate_bins}/{new_fuzz_target}")
- num_non_buggy += 1
- print(f"FOUND NOT EQUAL {num_non_buggy}, \
- ind: {ind}")
- else:
- print(f"EQUAL {num_non_buggy}, ind: {ind}")
- except RuntimeError:
- pass
- except CalledProcessError:
- pass
- os.system(f"cp {mutate_dir}/orig {source_file}")
- ind += 1
- except TimeoutException:
- pass
-
- os.system(f"rm -rf {out}/*")
- os.system(f"cp -r {orig_out}/* {out}/")
- os.system(f"cp {mutate_bins}/* {out}/")
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- total_fuzzing_time = int(
- os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT)))
- total_mutant_time = int(FUZZ_PROP * total_fuzzing_time)
-
- mutants = glob.glob(f"{target_binary}.*")
- random.shuffle(mutants)
- timeout = max(DEFAULT_MUTANT_TIMEOUT,
- int(total_mutant_time / max(len(mutants), 1)))
- num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants))
-
- input_corpus_dir = "/storage/input_corpus"
- os.makedirs(input_corpus_dir, exist_ok=True)
-
- for mutant in mutants[:num_mutants]:
- os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*")
- with utils.restore_directory(input_corpus), utils.restore_directory(
- output_corpus):
- try:
- with time_limit(timeout):
- honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, mutant)
- except TimeoutException:
- pass
- except CalledProcessError:
- pass
- os.system(f"cp -r
{output_corpus}/* {input_corpus_dir}/*")
-
- os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*")
- honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/honggfuzz_um_prioritize/runner.Dockerfile b/fuzzers/honggfuzz_um_prioritize/runner.Dockerfile
deleted file mode 100644
index f3eb30039..000000000
--- a/fuzzers/honggfuzz_um_prioritize/runner.Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# honggfuzz requires libfd and libunwid
-RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev
diff --git a/fuzzers/honggfuzz_um_prioritize_75/builder.Dockerfile b/fuzzers/honggfuzz_um_prioritize_75/builder.Dockerfile
deleted file mode 100644
index d5c2c5dca..000000000
--- a/fuzzers/honggfuzz_um_prioritize_75/builder.Dockerfile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && apt-get install -y python3
-RUN pip3 install --upgrade --force pip
-RUN pip install universalmutator
-
-# honggfuzz requires libfd and libunwid.
-RUN apt-get update -y && \
- apt-get install -y \
- libbfd-dev \
- libunwind-dev \
- libblocksruntime-dev \
- liblzma-dev
-
-# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb
-# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
-# dependent code that may not work on the machines we actually fuzz on.
-# Create an empty object file which will become the FUZZER_LIB lib (since
-# honggfuzz doesn't need this when hfuzz-clang(++) is used).
-RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
- cd /honggfuzz && \
- git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb && \
- CFLAGS="-O3 -funroll-loops" make && \
- touch empty_lib.c && \
- cc -c -o empty_lib.o empty_lib.c
diff --git a/fuzzers/honggfuzz_um_prioritize_75/description.md b/fuzzers/honggfuzz_um_prioritize_75/description.md
deleted file mode 100644
index ca04efdba..000000000
--- a/fuzzers/honggfuzz_um_prioritize_75/description.md
+++ /dev/null
@@ -1,9 +0,0 @@ -# honggfuzz UM (prioritize) - -Run honggfuzz over mutated code with UM prioritization - -NOTE: This only works with C or C++ benchmarks. - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/honggfuzz_um_prioritize_75/fuzzer.py b/fuzzers/honggfuzz_um_prioritize_75/fuzzer.py deleted file mode 100755 index a6c9ea22f..000000000 --- a/fuzzers/honggfuzz_um_prioritize_75/fuzzer.py +++ /dev/null 
@@ -1,243 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for honggfuzz fuzzer.""" - -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import math -import signal -from contextlib import contextmanager - -from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.75 -DEFAULT_MUTANT_TIMEOUT = 300 -PRIORITIZE_MULTIPLIER = 5 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 -MAX_PRIORITIZE = 30 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements,too-many-branches - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - 
os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - honggfuzz_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - - source_extensions = [".c", ".cc", ".cpp"] - num_mutants = math.ceil( - (total_fuzzing_time * FUZZ_PROP) / DEFAULT_MUTANT_TIMEOUT) - # Use heuristic to try to find benchmark directory, otherwise look for all - # files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants_map = {} - num_mutants = 0 - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants = [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - num_mutants += len(mutants) - mutants_map[source_file] = mutants - if num_mutants > MAX_MUTANTS: - break - - prioritize_map = {} - num_prioritized = min( - math.ceil((num_mutants * PRIORITIZE_MULTIPLIER) / len(mutants_map)), - 
MAX_PRIORITIZE) - for source_file in mutants_map: - mutants = mutants_map[source_file] - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf_8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - os.system(f"prioritize_mutants {mutate_dir}/mutants.txt \ - {mutate_dir}/prioritize_mutants_sorted.txt {num_prioritized}\ - --noSDPriority --sourceDir {src} --mutantDir {mutate_dir}") - prioritized_list = [] - with open(f"{mutate_dir}/prioritize_mutants_sorted.txt", - "r", - encoding="utf_8") as f_name: - prioritized_list = f_name.read().splitlines() - prioritize_map[source_file] = prioritized_list - - prioritized_keys = list(prioritize_map.keys()) - random.shuffle(prioritized_keys) - order = [] - ind = 0 - finished = False - - while not finished: - finished = True - for key in prioritized_keys: - if ind < len(prioritize_map[key]): - finished = False - order.append((key, ind)) - ind += 1 - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(order): - with utils.restore_directory(src), utils.restore_directory( - work): - key, line = order[ind] - mutant = prioritize_map[key][line] - print(mutant) - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." 
+ mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - honggfuzz_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - print(f"FOUND NOT EQUAL {num_non_buggy}, \ - ind: {ind}") - else: - print(f"EQUAL {num_non_buggy}, ind: {ind}") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except CalledProcessError: - pass - os.system(f"cp -r 
{output_corpus}/* {input_corpus_dir}/*") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/honggfuzz_um_prioritize_75/runner.Dockerfile b/fuzzers/honggfuzz_um_prioritize_75/runner.Dockerfile deleted file mode 100644 index f3eb30039..000000000 --- a/fuzzers/honggfuzz_um_prioritize_75/runner.Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# honggfuzz requires libfd and libunwid -RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev diff --git a/fuzzers/honggfuzz_um_random/builder.Dockerfile b/fuzzers/honggfuzz_um_random/builder.Dockerfile deleted file mode 100644 index d5c2c5dca..000000000 --- a/fuzzers/honggfuzz_um_random/builder.Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# honggfuzz requires libfd and libunwid. -RUN apt-get update -y && \ - apt-get install -y \ - libbfd-dev \ - libunwind-dev \ - libblocksruntime-dev \ - liblzma-dev - -# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb -# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU -# dependent code that may not work on the machines we actually fuzz on. -# Create an empty object file which will become the FUZZER_LIB lib (since -# honggfuzz doesn't need this when hfuzz-clang(++) is used). -RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \ - cd /honggfuzz && \ - git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb && \ - CFLAGS="-O3 -funroll-loops" make && \ - touch empty_lib.c && \ - cc -c -o empty_lib.o empty_lib.c diff --git a/fuzzers/honggfuzz_um_random/description.md b/fuzzers/honggfuzz_um_random/description.md deleted file mode 100644 index 686a166cb..000000000 --- a/fuzzers/honggfuzz_um_random/description.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# aflplusplus UM (random) - -Run aflplusplus over mutated code without UM prioritization. Randomly sample -list of generated mutants. - -NOTE: This only works with C or C++ benchmarks. - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/honggfuzz_um_random/fuzzer.py b/fuzzers/honggfuzz_um_random/fuzzer.py deleted file mode 100644 index 01b87c96c..000000000 --- a/fuzzers/honggfuzz_um_random/fuzzer.py +++ /dev/null 
@@ -1,206 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for honggfuzz fuzzer.""" - -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import signal -import math -from contextlib import contextmanager - -from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.5 -DEFAULT_MUTANT_TIMEOUT = 300 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - 
os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - honggfuzz_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - 
work): - mutant = mutants[ind] - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." + mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - honggfuzz_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - else: - print("EQUAL") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except 
CalledProcessError: - pass - os.system(f"cp -r {output_corpus}/* {input_corpus_dir}/*") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/honggfuzz_um_random/runner.Dockerfile b/fuzzers/honggfuzz_um_random/runner.Dockerfile deleted file mode 100644 index f3eb30039..000000000 --- a/fuzzers/honggfuzz_um_random/runner.Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# honggfuzz requires libfd and libunwid -RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev diff --git a/fuzzers/honggfuzz_um_random_75/builder.Dockerfile b/fuzzers/honggfuzz_um_random_75/builder.Dockerfile deleted file mode 100644 index d5c2c5dca..000000000 --- a/fuzzers/honggfuzz_um_random_75/builder.Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && apt-get install -y python3 -RUN pip3 install --upgrade --force pip -RUN pip install universalmutator - -# honggfuzz requires libfd and libunwid. -RUN apt-get update -y && \ - apt-get install -y \ - libbfd-dev \ - libunwind-dev \ - libblocksruntime-dev \ - liblzma-dev - -# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb -# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU -# dependent code that may not work on the machines we actually fuzz on. -# Create an empty object file which will become the FUZZER_LIB lib (since -# honggfuzz doesn't need this when hfuzz-clang(++) is used). -RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \ - cd /honggfuzz && \ - git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb && \ - CFLAGS="-O3 -funroll-loops" make && \ - touch empty_lib.c && \ - cc -c -o empty_lib.o empty_lib.c diff --git a/fuzzers/honggfuzz_um_random_75/description.md b/fuzzers/honggfuzz_um_random_75/description.md deleted file mode 100644 index 686a166cb..000000000 --- a/fuzzers/honggfuzz_um_random_75/description.md +++ /dev/null 
@@ -1,10 +0,0 @@ -# aflplusplus UM (random) - -Run aflplusplus over mutated code without UM prioritization. Randomly sample -list of generated mutants. - -NOTE: This only works with C or C++ benchmarks. - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/honggfuzz_um_random_75/fuzzer.py b/fuzzers/honggfuzz_um_random_75/fuzzer.py deleted file mode 100644 index ad9bf91e0..000000000 --- a/fuzzers/honggfuzz_um_random_75/fuzzer.py +++ /dev/null 
@@ -1,206 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for honggfuzz fuzzer.""" - -import glob -import os -from pathlib import Path -import random -import shutil -import filecmp -from subprocess import CalledProcessError -import time -import signal -import math -from contextlib import contextmanager - -from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer -from fuzzers import utils - - -class TimeoutException(Exception): - """"Exception thrown when timeouts occur""" - - -TOTAL_FUZZING_TIME_DEFAULT = 82800 # 23 hours -TOTAL_BUILD_TIME = 43200 # 12 hours -FUZZ_PROP = 0.75 -DEFAULT_MUTANT_TIMEOUT = 300 -GRACE_TIME = 3600 # 1 hour in seconds -MAX_MUTANTS = 200000 - - -@contextmanager -def time_limit(seconds): - """Method to define a time limit before throwing exception""" - - def signal_handler(signum, frame): - raise TimeoutException("Timed out!") - - signal.signal(signal.SIGALRM, signal_handler) - signal.alarm(seconds) - try: - yield - finally: - signal.alarm(0) - - -def build(): # pylint: disable=too-many-locals,too-many-statements - """Build benchmark.""" - start_time = time.time() - - out = os.getenv("OUT") - src = os.getenv("SRC") - work = os.getenv("WORK") - storage_dir = "/storage" - os.mkdir(storage_dir) - mutate_dir = f"{storage_dir}/mutant_files" - os.mkdir(mutate_dir) - mutate_bins = f"{storage_dir}/mutant_bins" - os.mkdir(mutate_bins) - mutate_scripts = f"{storage_dir}/mutant_scripts" - 
os.mkdir(mutate_scripts) - orig_out = f"{storage_dir}/orig_out" - os.mkdir(orig_out) - - orig_fuzz_target = os.getenv("FUZZ_TARGET") - with utils.restore_directory(src), utils.restore_directory(work): - honggfuzz_fuzzer.build() - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{orig_fuzz_target}") - os.system(f"cp -r {out}/* {orig_out}/") - benchmark = os.getenv("BENCHMARK") - - source_extensions = [".c", ".cc", ".cpp"] - # Use heuristic to try to find benchmark directory, - # otherwise look for all files in the current directory. - subdirs = [ - name for name in os.listdir(src) - if os.path.isdir(os.path.join(src, name)) - ] - benchmark_src_dir = src - for directory in subdirs: - if directory in benchmark: - benchmark_src_dir = os.path.join(src, directory) - break - - source_files = [] - for extension in source_extensions: - source_files += glob.glob(f"{benchmark_src_dir}/**/*{extension}", - recursive=True) - random.shuffle(source_files) - - mutants = [] - for source_file in source_files: - source_dir = os.path.dirname(source_file).split(src, 1)[1] - Path(f"{mutate_dir}/{source_dir}").mkdir(parents=True, exist_ok=True) - os.system(f"mutate {source_file} --mutantDir \ - {mutate_dir}/{source_dir} --noCheck > /dev/null") - source_base = os.path.basename(source_file).split(".")[0] - mutants_glob = glob.glob( - f"{mutate_dir}/{source_dir}/{source_base}.mutant.*") - mutants += [ - f"{source_dir}/{mutant.split('/')[-1]}"[1:] - for mutant in mutants_glob - ] - - if len(mutants) > MAX_MUTANTS: - break - - random.shuffle(mutants) - with open(f"{mutate_dir}/mutants.txt", "w", encoding="utf-8") as f_name: - f_name.writelines(f"{l}\n" for l in mutants) - - curr_time = time.time() - - # Add grace time for final build at end - remaining_time = int(TOTAL_BUILD_TIME - (start_time - curr_time) - - GRACE_TIME) - try: - with time_limit(remaining_time): - num_non_buggy = 1 - ind = 0 - while ind < len(mutants): - with utils.restore_directory(src), utils.restore_directory( - 
work): - mutant = mutants[ind] - suffix = "." + mutant.split(".")[-1] - mpart = ".mutant." + mutant.split(".mutant.")[1] - source_file = f"{src}/{mutant.replace(mpart, suffix)}" - print(source_file) - print(f"{mutate_dir}/{mutant}") - os.system(f"cp {source_file} {mutate_dir}/orig") - os.system(f"cp {mutate_dir}/{mutant} {source_file}") - - try: - new_fuzz_target = f"{os.getenv('FUZZ_TARGET')}"\ - f".{num_non_buggy}" - - os.system(f"rm -rf {out}/*") - honggfuzz_fuzzer.build() - if not filecmp.cmp(f'{mutate_bins}/{orig_fuzz_target}', - f'{out}/{orig_fuzz_target}', - shallow=False): - print(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - shutil.copy(f"{out}/{orig_fuzz_target}", - f"{mutate_bins}/{new_fuzz_target}") - num_non_buggy += 1 - else: - print("EQUAL") - except RuntimeError: - pass - except CalledProcessError: - pass - os.system(f"cp {mutate_dir}/orig {source_file}") - ind += 1 - except TimeoutException: - pass - - os.system(f"rm -rf {out}/*") - os.system(f"cp -r {orig_out}/* {out}/") - os.system(f"cp {mutate_bins}/* {out}/") - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - total_fuzzing_time = int( - os.getenv('MAX_TOTAL_TIME', str(TOTAL_FUZZING_TIME_DEFAULT))) - total_mutant_time = int(FUZZ_PROP * total_fuzzing_time) - - mutants = glob.glob(f"{target_binary}.*") - random.shuffle(mutants) - timeout = max(DEFAULT_MUTANT_TIMEOUT, - int(total_mutant_time / max(len(mutants), 1))) - num_mutants = min(math.ceil(total_mutant_time / timeout), len(mutants)) - - input_corpus_dir = "/storage/input_corpus" - os.makedirs(input_corpus_dir, exist_ok=True) - os.environ['AFL_SKIP_CRASHES'] = "1" - - for mutant in mutants[:num_mutants]: - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - with utils.restore_directory(input_corpus), utils.restore_directory( - output_corpus): - try: - with time_limit(timeout): - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, mutant) - except TimeoutException: - pass - except 
CalledProcessError: - pass - os.system(f"cp -r {output_corpus}/* {input_corpus_dir}/*") - - os.system(f"cp -r {input_corpus_dir}/* {input_corpus}/*") - honggfuzz_fuzzer.fuzz(input_corpus, output_corpus, target_binary) diff --git a/fuzzers/honggfuzz_um_random_75/runner.Dockerfile b/fuzzers/honggfuzz_um_random_75/runner.Dockerfile deleted file mode 100644 index f3eb30039..000000000 --- a/fuzzers/honggfuzz_um_random_75/runner.Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# honggfuzz requires libfd and libunwid -RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev From 8d0bb95f8534e03259ee94505df644ae532d8469 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 7 Oct 2023 08:43:30 +0200 Subject: [PATCH 19/39] readd afl --- fuzzers/afl/builder.Dockerfile | 33 ++++++++ fuzzers/afl/fuzzer.py | 141 +++++++++++++++++++++++++++++++++ fuzzers/afl/runner.Dockerfile | 15 ++++ 3 files changed, 189 insertions(+) create mode 100644 fuzzers/afl/builder.Dockerfile create mode 100755 fuzzers/afl/fuzzer.py create mode 100644 fuzzers/afl/runner.Dockerfile diff --git a/fuzzers/afl/builder.Dockerfile b/fuzzers/afl/builder.Dockerfile new file mode 100644 index 000000000..94d7f5076 --- /dev/null +++ b/fuzzers/afl/builder.Dockerfile 
@@ -0,0 +1,33 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Download and compile AFL v2.57b.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN git clone \
+ --depth 1 \
+ --branch v2.57b \
+ https://github.com/google/AFL.git /afl && \
+ cd /afl && \
+ CFLAGS= CXXFLAGS= AFL_NO_X86=1 make
+
+# Use afl_driver.cpp from LLVM as our fuzzing library.
+RUN apt-get update && \
+ apt-get install wget -y && \
+ wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
+ clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
+ clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
+ ar r /libAFL.a *.o
diff --git a/fuzzers/afl/fuzzer.py b/fuzzers/afl/fuzzer.py
new file mode 100755
index 000000000..18cb71229
--- /dev/null
+++ b/fuzzers/afl/fuzzer.py
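Review bot: The AFL source is pinned only by the tag `--branch v2.57b`, which the remote can move, whereas the `afl_driver.cpp` fetch a few lines below is pinned to a full commit id in its URL; applying the same discipline to the clone makes the image reproducible and the toolchain auditable. A cheap guard after the clone is `cd /afl && test "$(git rev-parse HEAD)" = "<expected AFL commit id>" && \`, with the expected id recorded beside the version in the comment above the RUN. Separately, `ar r /libAFL.a *.o` archives whatever `.o` files exist in the current working directory, which no `WORKDIR` in this hunk sets, so a stray object inherited from the parent image would silently end up in the fuzzing library; naming the two objects the preceding `clang`/`clang++` lines emit (presumably `afl-llvm-rt.o.o` and `afl_driver.o`) avoids that.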
@@ -0,0 +1,141 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for AFL fuzzer."""
+
+import json
+import os
+import shutil
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_build_environment():
+ """Set environment variables used to build targets for AFL-based
+ fuzzers."""
+ cflags = ['-fsanitize-coverage=trace-pc-guard']
+ utils.append_flags('CFLAGS', cflags)
+ utils.append_flags('CXXFLAGS', cflags)
+
+ os.environ['CC'] = 'clang'
+ os.environ['CXX'] = 'clang++'
+ os.environ['FUZZER_LIB'] = '/libAFL.a'
+
+
+def build():
+ """Build benchmark."""
+ prepare_build_environment()
+
+ utils.build_benchmark()
+
+ print('[post_build] Copying afl-fuzz to $OUT directory')
+ # Copy out the afl-fuzz binary as a build artifact.
+ shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
+
+
+def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
+ """Gets fuzzer stats for AFL."""
+ # Get a dictionary containing the stats AFL reports.
+ stats_file = os.path.join(output_corpus, 'fuzzer_stats')
+ if not os.path.exists(stats_file):
+ print('Can\'t find fuzzer_stats')
+ return '{}'
+ with open(stats_file, encoding='utf-8') as file_handle:
+ stats_file_lines = file_handle.read().splitlines()
+ stats_file_dict = {}
+ for stats_line in stats_file_lines:
+ key, value = stats_line.split(': ')
+ stats_file_dict[key.strip()] = value.strip()
+
+ # Report to FuzzBench the stats it accepts.
+ stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
+ return json.dumps(stats)
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with AFL or another AFL-based fuzzer."""
+ # Tell AFL to not use its terminal UI so we get usable logs.
+ os.environ['AFL_NO_UI'] = '1'
+ # Skip AFL's CPU frequency check (fails on Docker).
+ os.environ['AFL_SKIP_CPUFREQ'] = '1'
+ # No need to bind affinity to one core, Docker enforces 1 core usage.
+ os.environ['AFL_NO_AFFINITY'] = '1'
+ # AFL will abort on startup if the core pattern sends notifications to
+ # external programs. We don't care about this.
+ os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
+ # Don't exit when crashes are found. This can happen when corpus from
+ # OSS-Fuzz is used.
+ os.environ['AFL_SKIP_CRASHES'] = '1'
+ # Shuffle the queue
+ os.environ['AFL_SHUFFLE_QUEUE'] = '1'
+
+ # AFL needs at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def check_skip_det_compatible(additional_flags):
+ """ Checks if additional flags are compatible with '-d' option"""
+ # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
+ # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
+ if '-M' in additional_flags or '-S' in additional_flags:
+ return False
+ return True
+
+
+def run_afl_fuzz(input_corpus,
+ output_corpus,
+ target_binary,
+ additional_flags=None,
+ hide_output=False):
+ """Run afl-fuzz."""
+ # Spawn the afl fuzzing process.
+ print('[run_afl_fuzz] Running target with afl-fuzz')
+ command = [
+ './afl-fuzz',
+ '-i',
+ input_corpus,
+ '-o',
+ output_corpus,
+ # Use no memory limit as ASAN doesn't play nicely with one.
+ '-m',
+ 'none',
+ '-t',
+ '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
+ ]
+ # Use '-d' to skip deterministic mode, as long as it it compatible with
+ # additional flags.
+ if not additional_flags or check_skip_det_compatible(additional_flags):
+ command.append('-d')
+ if additional_flags:
+ command.extend(additional_flags)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ if dictionary_path:
+ command.extend(['-x', dictionary_path])
+ command += [
+ '--',
+ target_binary,
+ # Pass INT_MAX to afl the maximize the number of persistent loops it
+ # performs.
+ '2147483647'
+ ]
+ print('[run_afl_fuzz] Running command: ' + ' '.join(command))
+ output_stream = subprocess.DEVNULL if hide_output else None
+ subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run afl-fuzz on target."""
+ prepare_fuzz_environment(input_corpus)
+
+ run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/afl/runner.Dockerfile b/fuzzers/afl/runner.Dockerfile
new file mode 100644
index 000000000..0d6cf004e
--- /dev/null
+++ b/fuzzers/afl/runner.Dockerfile
@@ -0,0 +1,15 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
From 0f394275c80f0b61ee8a67cbbb467bc2d3cbab09 Mon Sep 17 00:00:00 2001
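Review bot: In `get_stats`, `key, value = stats_line.split(': ')` unpacks unconditionally, so a fuzzer_stats line with zero or more than one `': '` — a blank or half-written line if afl-fuzz is mid-rewrite of the file, or a value that itself contains `': '` (a path echoed in one of the entries, for instance) — raises ValueError out of the stats collector, whereas the missing-file case a few lines earlier is handled gracefully with the `'{}'` fallback. Parsing each line with `key, _, value = stats_line.partition(': ')` and `if not key or not value: continue` skips malformed lines instead of failing the whole collection. The `stats_file_dict['execs_per_sec']` lookup right after the loop has the same failure mode (KeyError when the key is absent); `if 'execs_per_sec' not in stats_file_dict: return '{}'` keeps a single, documented fallback path. In `run_afl_fuzz`, `'./afl-fuzz'` is resolved relative to the current working directory, which presumably relies on the runner having chdir'd to `$OUT` where `build()` copied the binary — worth a one-line comment next to the command list so the coupling is explicit.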
From: vanhauser-thc Date: Sat, 7 Oct 2023 09:07:46 +0200 Subject: [PATCH 20/39] remove not working fuzzers --- fuzzers/symcc_afl/builder.Dockerfile | 84 - fuzzers/symcc_afl/fuzzer.py | 134 -- fuzzers/symcc_afl/runner.Dockerfile | 17 - fuzzers/symcc_afl_single/builder.Dockerfile | 84 - fuzzers/symcc_afl_single/fuzzer.py | 27 - fuzzers/symcc_afl_single/runner.Dockerfile | 17 - fuzzers/symcc_aflplusplus/builder.Dockerfile | 87 - fuzzers/symcc_aflplusplus/fuzzer.py | 134 -- fuzzers/symcc_aflplusplus/runner.Dockerfile | 17 - .../builder.Dockerfile | 89 - fuzzers/symcc_aflplusplus_single/fuzzer.py | 104 - .../runner.Dockerfile | 17 - .../symqemu_aflplusplus/builder.Dockerfile | 98 - fuzzers/symqemu_aflplusplus/fuzzer.py | 120 -- fuzzers/symqemu_aflplusplus/runner.Dockerfile | 57 - fuzzers/symsan/CMakeLists_bloaty.txt | 406 ---- fuzzers/symsan/build_freetype2.sh | 40 - fuzzers/symsan/build_proj.sh | 98 - fuzzers/symsan/builder.Dockerfile | 59 - fuzzers/symsan/bz2.abilist | 33 - fuzzers/symsan/cares.abilist | 89 - fuzzers/symsan/fres.sh | 15 - fuzzers/symsan/fuz.sh | 13 - fuzzers/symsan/fuzzer.py | 350 ---- fuzzers/symsan/gcry.abilist | 877 --------- fuzzers/symsan/glib.abilist | 1732 ----------------- fuzzers/symsan/libfuzz-harness-proxy.c | 41 - fuzzers/symsan/pcre.abilist | 38 - fuzzers/symsan/runner.Dockerfile | 43 - fuzzers/symsan/xml.abilist | 1692 ---------------- 30 files changed, 6612 deletions(-) delete mode 100644 fuzzers/symcc_afl/builder.Dockerfile delete mode 100644 fuzzers/symcc_afl/fuzzer.py delete mode 100644 fuzzers/symcc_afl/runner.Dockerfile delete mode 100644 fuzzers/symcc_afl_single/builder.Dockerfile delete mode 100644 fuzzers/symcc_afl_single/fuzzer.py delete mode 100644 fuzzers/symcc_afl_single/runner.Dockerfile delete mode 100644 fuzzers/symcc_aflplusplus/builder.Dockerfile delete mode 100644 fuzzers/symcc_aflplusplus/fuzzer.py delete mode 100644 fuzzers/symcc_aflplusplus/runner.Dockerfile delete mode 100644 
fuzzers/symcc_aflplusplus_single/builder.Dockerfile delete mode 100644 fuzzers/symcc_aflplusplus_single/fuzzer.py delete mode 100644 fuzzers/symcc_aflplusplus_single/runner.Dockerfile delete mode 100644 fuzzers/symqemu_aflplusplus/builder.Dockerfile delete mode 100644 fuzzers/symqemu_aflplusplus/fuzzer.py delete mode 100644 fuzzers/symqemu_aflplusplus/runner.Dockerfile delete mode 100644 fuzzers/symsan/CMakeLists_bloaty.txt delete mode 100755 fuzzers/symsan/build_freetype2.sh delete mode 100644 fuzzers/symsan/build_proj.sh delete mode 100644 fuzzers/symsan/builder.Dockerfile delete mode 100644 fuzzers/symsan/bz2.abilist delete mode 100644 fuzzers/symsan/cares.abilist delete mode 100755 fuzzers/symsan/fres.sh delete mode 100755 fuzzers/symsan/fuz.sh delete mode 100644 fuzzers/symsan/fuzzer.py delete mode 100644 fuzzers/symsan/gcry.abilist delete mode 100644 fuzzers/symsan/glib.abilist delete mode 100644 fuzzers/symsan/libfuzz-harness-proxy.c delete mode 100644 fuzzers/symsan/pcre.abilist delete mode 100644 fuzzers/symsan/runner.Dockerfile delete mode 100644 fuzzers/symsan/xml.abilist diff --git a/fuzzers/symcc_afl/builder.Dockerfile b/fuzzers/symcc_afl/builder.Dockerfile deleted file mode 100644 index 76e4ecf7d..000000000 --- a/fuzzers/symcc_afl/builder.Dockerfile +++ /dev/null 
@@ -1,84 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Download and compile AFL v2.56b. -# Set AFL_NO_X86 to skip flaky tests. -RUN git clone https://github.com/google/AFL.git /afl && \ - cd /afl && \ - git checkout 82b5e359463238d790cadbe2dd494d6a4928bff3 && \ - AFL_NO_X86=1 make - -## Use afl_driver.cpp from LLVM as our fuzzing library. -RUN apt-get update && \ - apt-get install wget -y && \ - wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \ - clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \ - clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \ - ar r /libAFL.a *.o - - -# Install the packages we need. -RUN apt-get install -y ninja-build flex bison python zlib1g-dev cargo - -# Install Z3 from binary -RUN wget -qO /tmp/z3x64.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.7/z3-4.8.7-x64-ubuntu-16.04.zip && \ - unzip -jd /usr/include /tmp/z3x64.zip "*/include/*.h" && \ - unzip -jd /usr/lib /tmp/z3x64.zip "*/bin/libz3.so" && \ - rm -f /tmp/*.zip && \ - ldconfig - -ENV CFLAGS="" -ENV CXXFLAGS="" - -# Get and install symcc. 
-RUN cd / && \ - git clone https://github.com/AdaLogics/adacc symcc && \ - cd symcc && \ - git checkout edda79dcb830c95ba6d303e47c698839313ef506 && \ - cd ./runtime/qsym_backend && \ - git clone https://github.com/adalogics/qsym && \ - cd qsym && \ - git checkout adalogics && \ - cd /symcc && \ - mkdir build && \ - cd build && \ - cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DQSYM_BACKEND=ON \ - -DZ3_TRUST_SYSTEM_VERSION=ON ../ && \ - ninja -j 3 && \ - cd ../examples && \ - export SYMCC_PC=1 && \ - ../build/symcc -c ./libfuzz-harness-proxy.c -o /libfuzzer-harness.o && \ - cd ../ && echo "[+] Installing cargo now 4" && \ - cargo install --path util/symcc_fuzzing_helper - -# Build libcxx with the SymCC compiler so we can instrument -# C++ code. -RUN git clone -b llvmorg-12.0.0 --depth 1 https://github.com/llvm/llvm-project.git /llvm_source && \ - mkdir /libcxx_native_install && mkdir /libcxx_native_build && \ - cd /libcxx_native_install \ - && export SYMCC_REGULAR_LIBCXX="" && \ - cmake /llvm_source/llvm \ - -G Ninja -DLLVM_ENABLE_PROJECTS="libcxx;libcxxabi" \ - -DLLVM_DISTRIBUTION_COMPONENTS="cxx;cxxabi;cxx-headers" \ - -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_C_COMPILER=/symcc/build/symcc \ - -DCMAKE_CXX_COMPILER=/symcc/build/sym++ \ - -DHAVE_POSIX_REGEX=1 \ - -DCMAKE_INSTALL_PREFIX="/libcxx_native_build" \ - -DHAVE_STEADY_CLOCK=1 && \ - ninja distribution && \ - ninja install-distribution diff --git a/fuzzers/symcc_afl/fuzzer.py b/fuzzers/symcc_afl/fuzzer.py deleted file mode 100644 index 0c92eaa2c..000000000 --- a/fuzzers/symcc_afl/fuzzer.py +++ /dev/null 
@@ -1,134 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -''' Uses the SymCC-AFL hybrid from SymCC. ''' - -import os -import time -import shutil -import threading -import subprocess - -from fuzzers import utils -from fuzzers.afl import fuzzer as afl_fuzzer - - -def get_symcc_build_dir(target_directory): - """Return path to uninstrumented target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(): - """Build an AFL version and SymCC version of the benchmark""" - print('Step 1: Building with AFL') - build_directory = os.environ['OUT'] - - # First build with AFL. - src = os.getenv('SRC') - work = os.getenv('WORK') - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - afl_fuzzer.build() - - print('Step 2: Completed AFL build') - # Copy over AFL artifacts needed by SymCC. - shutil.copy('/afl/afl-fuzz', build_directory) - shutil.copy('/afl/afl-showmap', build_directory) - - # Build the SymCC-instrumented target. - print('Step 3: Building the benchmark with SymCC') - symcc_build_dir = get_symcc_build_dir(os.environ['OUT']) - os.mkdir(symcc_build_dir) - - # Set flags to ensure compilation with SymCC. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_dir - - new_env['CXXFLAGS'] += ' -fno-sanitize=all ' - new_env['CFLAGS'] += ' -fno-sanitize=all ' - - # Setting this environment variable instructs SymCC to use the - # libcxx library compiled with SymCC instrumentation. - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - - # Instructs SymCC to consider no symbolic inputs at runtime. This is needed - # if, for example, some tests are run during compilation of the benchmark. - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - - # Build benchmark. - utils.build_benchmark(env=new_env) - - # Copy over symcc artifacts and symbolic libc++. - shutil.copy( - '/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so', - symcc_build_dir) - shutil.copy('/usr/lib/libz3.so', os.path.join(symcc_build_dir, 'libz3.so')) - shutil.copy('/libcxx_native_build/lib/libc++.so.1', symcc_build_dir) - shutil.copy('/libcxx_native_build/lib/libc++abi.so.1', symcc_build_dir) - shutil.copy('/rust/bin/symcc_fuzzing_helper', symcc_build_dir) - - -def launch_afl_thread(input_corpus, output_corpus, target_binary, - additional_flags): - """ Simple wrapper for running AFL. """ - afl_thread = threading.Thread(target=afl_fuzzer.run_afl_fuzz, - args=(input_corpus, output_corpus, - target_binary, additional_flags)) - afl_thread.start() - return afl_thread - - -def fuzz(input_corpus, output_corpus, target_binary, master_only=False): - """ - Launches a master and a secondary instance of AFL, as well as - the symcc helper. 
- """ - target_binary_dir = os.path.dirname(target_binary) - symcc_workdir = get_symcc_build_dir(target_binary_dir) - target_binary_name = os.path.basename(target_binary) - symcc_target_binary = os.path.join(symcc_workdir, target_binary_name) - - # Start a master and secondary instance of AFL. - # We need both because of the way SymCC works. - print('[run_fuzzer] Running AFL for SymCC') - afl_fuzzer.prepare_fuzz_environment(input_corpus) - launch_afl_thread(input_corpus, output_corpus, target_binary, - ['-M', 'afl-master']) - time.sleep(5) - - if master_only: - sharing_dir = 'afl-master' - else: - launch_afl_thread(input_corpus, output_corpus, target_binary, - ['-S', 'afl-secondary']) - time.sleep(5) - sharing_dir = 'afl-secondary' - - # Start an instance of SymCC. - # We need to ensure it uses the symbolic version of libc++. - print('Starting the SymCC helper') - new_environ = os.environ.copy() - new_environ['LD_LIBRARY_PATH'] = symcc_workdir - cmd = [ - os.path.join(symcc_workdir, - 'symcc_fuzzing_helper'), '-o', output_corpus, '-a', - sharing_dir, '-n', 'symcc', '--', symcc_target_binary, '@@' - ] - with subprocess.Popen(cmd, env=new_environ): - pass diff --git a/fuzzers/symcc_afl/runner.Dockerfile b/fuzzers/symcc_afl/runner.Dockerfile deleted file mode 100644 index d882a6575..000000000 --- a/fuzzers/symcc_afl/runner.Dockerfile +++ /dev/null 
@@ -1,17 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" diff --git a/fuzzers/symcc_afl_single/builder.Dockerfile b/fuzzers/symcc_afl_single/builder.Dockerfile deleted file mode 100644 index 76e4ecf7d..000000000 --- a/fuzzers/symcc_afl_single/builder.Dockerfile +++ /dev/null 
@@ -1,84 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Download and compile AFL v2.56b. -# Set AFL_NO_X86 to skip flaky tests. -RUN git clone https://github.com/google/AFL.git /afl && \ - cd /afl && \ - git checkout 82b5e359463238d790cadbe2dd494d6a4928bff3 && \ - AFL_NO_X86=1 make - -## Use afl_driver.cpp from LLVM as our fuzzing library. -RUN apt-get update && \ - apt-get install wget -y && \ - wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \ - clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \ - clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \ - ar r /libAFL.a *.o - - -# Install the packages we need. -RUN apt-get install -y ninja-build flex bison python zlib1g-dev cargo - -# Install Z3 from binary -RUN wget -qO /tmp/z3x64.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.7/z3-4.8.7-x64-ubuntu-16.04.zip && \ - unzip -jd /usr/include /tmp/z3x64.zip "*/include/*.h" && \ - unzip -jd /usr/lib /tmp/z3x64.zip "*/bin/libz3.so" && \ - rm -f /tmp/*.zip && \ - ldconfig - -ENV CFLAGS="" -ENV CXXFLAGS="" - -# Get and install symcc. 
-RUN cd / && \ - git clone https://github.com/AdaLogics/adacc symcc && \ - cd symcc && \ - git checkout edda79dcb830c95ba6d303e47c698839313ef506 && \ - cd ./runtime/qsym_backend && \ - git clone https://github.com/adalogics/qsym && \ - cd qsym && \ - git checkout adalogics && \ - cd /symcc && \ - mkdir build && \ - cd build && \ - cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DQSYM_BACKEND=ON \ - -DZ3_TRUST_SYSTEM_VERSION=ON ../ && \ - ninja -j 3 && \ - cd ../examples && \ - export SYMCC_PC=1 && \ - ../build/symcc -c ./libfuzz-harness-proxy.c -o /libfuzzer-harness.o && \ - cd ../ && echo "[+] Installing cargo now 4" && \ - cargo install --path util/symcc_fuzzing_helper - -# Build libcxx with the SymCC compiler so we can instrument -# C++ code. -RUN git clone -b llvmorg-12.0.0 --depth 1 https://github.com/llvm/llvm-project.git /llvm_source && \ - mkdir /libcxx_native_install && mkdir /libcxx_native_build && \ - cd /libcxx_native_install \ - && export SYMCC_REGULAR_LIBCXX="" && \ - cmake /llvm_source/llvm \ - -G Ninja -DLLVM_ENABLE_PROJECTS="libcxx;libcxxabi" \ - -DLLVM_DISTRIBUTION_COMPONENTS="cxx;cxxabi;cxx-headers" \ - -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_C_COMPILER=/symcc/build/symcc \ - -DCMAKE_CXX_COMPILER=/symcc/build/sym++ \ - -DHAVE_POSIX_REGEX=1 \ - -DCMAKE_INSTALL_PREFIX="/libcxx_native_build" \ - -DHAVE_STEADY_CLOCK=1 && \ - ninja distribution && \ - ninja install-distribution diff --git a/fuzzers/symcc_afl_single/fuzzer.py b/fuzzers/symcc_afl_single/fuzzer.py deleted file mode 100644 index b37e13bb3..000000000 --- a/fuzzers/symcc_afl_single/fuzzer.py +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -''' Uses the SymCC-AFL hybrid from SymCC, although this only - launches a single AFL instance rather than two. ''' - -from fuzzers.symcc_afl import fuzzer as symcc_afl_fuzzer - - -def build(): - """ Build an AFL version and SymCC version of the benchmark """ - symcc_afl_fuzzer.build() - - -def fuzz(input_corpus, output_corpus, target_binary): - """ Launch a SymCC with a single AFL instance. """ - symcc_afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary, True) diff --git a/fuzzers/symcc_afl_single/runner.Dockerfile b/fuzzers/symcc_afl_single/runner.Dockerfile deleted file mode 100644 index d882a6575..000000000 --- a/fuzzers/symcc_afl_single/runner.Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" 
diff --git a/fuzzers/symcc_aflplusplus/builder.Dockerfile b/fuzzers/symcc_aflplusplus/builder.Dockerfile deleted file mode 100644 index 5bdc0c175..000000000 --- a/fuzzers/symcc_aflplusplus/builder.Dockerfile +++ /dev/null 
@@ -1,87 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && \ - git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690 - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && make install && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / - -# Install the packages we need. -RUN apt-get install -y ninja-build flex bison python zlib1g-dev cargo - -# Install Z3 from binary -RUN wget -qO /tmp/z3x64.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.7/z3-4.8.7-x64-ubuntu-16.04.zip && \ - unzip -jd /usr/include /tmp/z3x64.zip "*/include/*.h" && \ - unzip -jd /usr/lib /tmp/z3x64.zip "*/bin/libz3.so" && \ - rm -f /tmp/*.zip && \ - ldconfig - -ENV CFLAGS="" -ENV CXXFLAGS="" - -# Get and install symcc. 
-RUN cd / && \ - git clone https://github.com/AdaLogics/adacc symcc && \ - cd symcc && \ - git checkout edda79dcb830c95ba6d303e47c698839313ef506 && \ - cd ./runtime/qsym_backend && \ - git clone https://github.com/adalogics/qsym && \ - cd qsym && \ - git checkout adalogics && \ - cd /symcc && \ - mkdir build && \ - cd build && \ - cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DQSYM_BACKEND=ON \ - -DZ3_TRUST_SYSTEM_VERSION=ON ../ && \ - ninja -j 3 && \ - cd ../examples && \ - export SYMCC_PC=1 && \ - ../build/symcc -c ./libfuzz-harness-proxy.c -o /libfuzzer-harness.o && \ - cd ../ && echo "[+] Installing cargo now 4" && \ - cargo install --path util/symcc_fuzzing_helper - -# Build libcxx with the SymCC compiler so we can instrument -# C++ code. -RUN git clone -b llvmorg-12.0.0 --depth 1 https://github.com/llvm/llvm-project.git /llvm_source && \ - mkdir /libcxx_native_install && mkdir /libcxx_native_build && \ - cd /libcxx_native_install \ - && export SYMCC_REGULAR_LIBCXX="" && \ - cmake /llvm_source/llvm \ - -G Ninja -DLLVM_ENABLE_PROJECTS="libcxx;libcxxabi" \ - -DLLVM_DISTRIBUTION_COMPONENTS="cxx;cxxabi;cxx-headers" \ - -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_C_COMPILER=/symcc/build/symcc \ - -DCMAKE_CXX_COMPILER=/symcc/build/sym++ \ - -DHAVE_POSIX_REGEX=1 \ - -DCMAKE_INSTALL_PREFIX="/libcxx_native_build" \ - -DHAVE_STEADY_CLOCK=1 && \ - ninja distribution && \ - ninja install-distribution diff --git a/fuzzers/symcc_aflplusplus/fuzzer.py b/fuzzers/symcc_aflplusplus/fuzzer.py deleted file mode 100644 index 1737d0567..000000000 --- a/fuzzers/symcc_aflplusplus/fuzzer.py +++ /dev/null 
@@ -1,134 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -''' Uses the SymCC-AFL hybrid from SymCC. ''' - -import os -import time -import shutil -import threading -import subprocess - -from fuzzers import utils -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -def get_symcc_build_dir(target_directory): - """Return path to uninstrumented target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(): - """Build an AFL version and SymCC version of the benchmark""" - print('Step 1: Building with AFL') - build_directory = os.environ['OUT'] - - # Save the environment for use in SymCC - new_env = os.environ.copy() - - # First build with AFL. - src = os.getenv('SRC') - work = os.getenv('WORK') - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - aflplusplus_fuzzer.build('tracepc') - - print('Step 2: Completed AFL build') - # Copy over AFL artifacts needed by SymCC. - shutil.copy('/afl/afl-fuzz', build_directory) - shutil.copy('/afl/afl-showmap', build_directory) - - # Build the SymCC-instrumented target. 
- print('Step 3: Building the benchmark with SymCC') - symcc_build_dir = get_symcc_build_dir(os.environ['OUT']) - os.mkdir(symcc_build_dir) - - # Set flags to ensure compilation with SymCC. - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['CXXFLAGS'] += ' -ldl' - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_dir - - new_env['CXXFLAGS'] += ' -fno-sanitize=all ' - new_env['CFLAGS'] += ' -fno-sanitize=all ' - - # Setting this environment variable instructs SymCC to use the - # libcxx library compiled with SymCC instrumentation. - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - - # Instructs SymCC to consider no symbolic inputs at runtime. This is needed - # if, for example, some tests are run during compilation of the benchmark. - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - - # Build benchmark. - utils.build_benchmark(env=new_env) - - # Copy over symcc artifacts and symbolic libc++. - shutil.copy( - '/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so', - symcc_build_dir) - shutil.copy('/usr/lib/libz3.so', os.path.join(symcc_build_dir, 'libz3.so')) - shutil.copy('/libcxx_native_build/lib/libc++.so.1', symcc_build_dir) - shutil.copy('/libcxx_native_build/lib/libc++abi.so.1', symcc_build_dir) - shutil.copy('/rust/bin/symcc_fuzzing_helper', symcc_build_dir) - - -def launch_afl_thread(input_corpus, output_corpus, target_binary, - additional_flags): - """ Simple wrapper for running AFL. """ - afl_thread = threading.Thread(target=afl_fuzzer.run_afl_fuzz, - args=(input_corpus, output_corpus, - target_binary, additional_flags)) - afl_thread.start() - return afl_thread - - -def fuzz(input_corpus, output_corpus, target_binary): - """ - Launches a master and a secondary instance of AFL, as well as - the symcc helper. 
- """ - target_binary_dir = os.path.dirname(target_binary) - symcc_workdir = get_symcc_build_dir(target_binary_dir) - target_binary_name = os.path.basename(target_binary) - symcc_target_binary = os.path.join(symcc_workdir, target_binary_name) - - os.environ['AFL_DISABLE_TRIM'] = '1' - - # Start a master and secondary instance of AFL. - # We need both because of the way SymCC works. - print('[run_fuzzer] Running AFL for SymCC') - afl_fuzzer.prepare_fuzz_environment(input_corpus) - launch_afl_thread(input_corpus, output_corpus, target_binary, ['-S', 'afl']) - time.sleep(5) - launch_afl_thread(input_corpus, output_corpus, target_binary, - ['-S', 'afl-secondary']) - time.sleep(5) - - # Start an instance of SymCC. - # We need to ensure it uses the symbolic version of libc++. - print('Starting the SymCC helper') - new_environ = os.environ.copy() - new_environ['LD_LIBRARY_PATH'] = symcc_workdir - cmd = [ - os.path.join(symcc_workdir, - 'symcc_fuzzing_helper'), '-o', output_corpus, '-a', - 'afl-secondary', '-n', 'symcc', '-m', '--', symcc_target_binary, '@@' - ] - with subprocess.Popen(cmd, env=new_environ): - pass diff --git a/fuzzers/symcc_aflplusplus/runner.Dockerfile b/fuzzers/symcc_aflplusplus/runner.Dockerfile deleted file mode 100644 index d882a6575..000000000 --- a/fuzzers/symcc_aflplusplus/runner.Dockerfile +++ /dev/null 
@@ -1,17 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
diff --git a/fuzzers/symcc_aflplusplus_single/builder.Dockerfile b/fuzzers/symcc_aflplusplus_single/builder.Dockerfile
deleted file mode 100644
index fa2329f14..000000000
--- a/fuzzers/symcc_aflplusplus_single/builder.Dockerfile
+++ /dev/null
@@ -1,89 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Download and compile afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && \
- git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && make install && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-# Install the packages we need.
-RUN apt-get install -y ninja-build flex bison python zlib1g-dev cargo
-
-# Install Z3 from binary
-RUN wget -qO /tmp/z3x64.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.7/z3-4.8.7-x64-ubuntu-16.04.zip && \
- unzip -jd /usr/include /tmp/z3x64.zip "*/include/*.h" && \
- unzip -jd /usr/lib /tmp/z3x64.zip "*/bin/libz3.so" && \
- rm -f /tmp/*.zip && \
- ldconfig
-
-# Get and install symcc.
-RUN cd / && \
- git clone https://github.com/adalogics/adacc symcc && \
- cd symcc && \
- git checkout 70efb3ef512a12b31caedcfcd9c0890813cd797e && \
- cd ./runtime/qsym_backend && \
- git clone https://github.com/adalogics/qsym && \
- cd qsym && \
- git checkout adalogics && \
- cd /symcc && \
- mkdir build && \
- cd build && \
- unset CFLAGS && unset CXXFLAGS && \
- cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DQSYM_BACKEND=ON \
- -DZ3_TRUST_SYSTEM_VERSION=ON ../ && \
- ninja -j 3 && \
- cd ../examples && \
- export SYMCC_PC=1 && \
- ../build/symcc -c ./libfuzz-harness-proxy.c -o /libfuzzer-harness.o && \
- cd ../ && echo "[+] Installing cargo now 4" && \
- cargo install --path util/symcc_fuzzing_helper
-
-# Build libcxx with the SymCC compiler so we can instrument
-# C++ code.
-RUN git clone -b llvmorg-12.0.0 --depth 1 https://github.com/llvm/llvm-project.git /llvm_source && \
- mkdir /libcxx_native_install && mkdir /libcxx_native_build && \
- cd /libcxx_native_install \
- && export SYMCC_REGULAR_LIBCXX="" && \
- unset CFLAGS && unset CXXFLAGS && \
- cmake /llvm_source/llvm \
- -G Ninja -DLLVM_ENABLE_PROJECTS="libcxx;libcxxabi" \
- -DLLVM_DISTRIBUTION_COMPONENTS="cxx;cxxabi;cxx-headers" \
- -DLLVM_TARGETS_TO_BUILD="X86" -DCMAKE_BUILD_TYPE=Release \
- -DCMAKE_C_COMPILER=/symcc/build/symcc \
- -DCMAKE_CXX_COMPILER=/symcc/build/sym++ \
- -DHAVE_POSIX_REGEX=1 \
- -DCMAKE_INSTALL_PREFIX="/libcxx_native_build" \
- -DHAVE_STEADY_CLOCK=1 && \
- ninja distribution && \
- ninja install-distribution
-
-ENV SYMCC_NO_SYMBOLIC_INPUT=1
-ENV SYMCC_SILENT=1
diff --git a/fuzzers/symcc_aflplusplus_single/fuzzer.py b/fuzzers/symcc_aflplusplus_single/fuzzer.py
deleted file mode 100644
index 15b4cfd02..000000000
--- a/fuzzers/symcc_aflplusplus_single/fuzzer.py
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-''' Uses the SymCC-AFL hybrid from SymCC. '''
-
-import os
-import time
-import shutil
-import threading
-import subprocess
-
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-
-
-def get_symcc_build_dir(target_directory):
- """Return path to uninstrumented target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
- """Build an AFL version and SymCC version of the benchmark"""
- print('Step 1: Building with AFL and SymCC')
- build_directory = os.environ['OUT']
-
- # First build with AFL.
- src = os.getenv('SRC')
- work = os.getenv('WORK')
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- aflplusplus_fuzzer.build('tracepc', 'symcc')
-
- print('Step 2: Completed AFL build')
- # Copy over AFL artifacts needed by SymCC.
- shutil.copy('/afl/afl-fuzz', build_directory)
- shutil.copy('/afl/afl-showmap', build_directory)
-
- # Copy over symcc artifacts and symbolic libc++.
- print('Step 3: Copying SymCC files')
- symcc_build_dir = get_symcc_build_dir(os.environ['OUT'])
- shutil.copy(
- '/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so',
- symcc_build_dir)
- shutil.copy('/usr/lib/libz3.so', os.path.join(symcc_build_dir, 'libz3.so'))
- shutil.copy('/libcxx_native_build/lib/libc++.so.1', symcc_build_dir)
- shutil.copy('/libcxx_native_build/lib/libc++abi.so.1', symcc_build_dir)
- shutil.copy('/rust/bin/symcc_fuzzing_helper', symcc_build_dir)
-
-
-def launch_afl_thread(input_corpus, output_corpus, target_binary,
- additional_flags):
- """ Simple wrapper for running AFL. """
- afl_thread = threading.Thread(target=afl_fuzzer.run_afl_fuzz,
- args=(input_corpus, output_corpus,
- target_binary, additional_flags))
- afl_thread.start()
- return afl_thread
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """
- Launches a master and a secondary instance of AFL, as well as
- the symcc helper.
- """
- target_binary_dir = os.path.dirname(target_binary)
- symcc_workdir = get_symcc_build_dir(target_binary_dir)
- target_binary_name = os.path.basename(target_binary)
- symcc_target_binary = os.path.join(symcc_workdir, target_binary_name)
-
- os.environ['AFL_DISABLE_TRIM'] = '1'
-
- # Start a master and secondary instance of AFL.
- # We need both because of the way SymCC works.
- print('[run_fuzzer] Running AFL for SymCC')
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- launch_afl_thread(input_corpus, output_corpus, target_binary,
- ['-S', 'afl-secondary'])
- time.sleep(5)
-
- # Start an instance of SymCC.
- # We need to ensure it uses the symbolic version of libc++.
- print('Starting the SymCC helper')
- new_environ = os.environ.copy()
- new_environ['LD_LIBRARY_PATH'] = symcc_workdir
- cmd = [
- os.path.join(symcc_workdir,
- 'symcc_fuzzing_helper'), '-o', output_corpus, '-a',
- 'afl-secondary', '-n', 'symcc', '-m', '--', symcc_target_binary, '@@'
- ]
- with subprocess.Popen(cmd, env=new_environ):
- pass
diff --git a/fuzzers/symcc_aflplusplus_single/runner.Dockerfile b/fuzzers/symcc_aflplusplus_single/runner.Dockerfile
deleted file mode 100644
index d882a6575..000000000
--- a/fuzzers/symcc_aflplusplus_single/runner.Dockerfile
+++ /dev/null
@@ -1,17 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
diff --git a/fuzzers/symqemu_aflplusplus/builder.Dockerfile b/fuzzers/symqemu_aflplusplus/builder.Dockerfile
deleted file mode 100644
index a15b9c410..000000000
--- a/fuzzers/symqemu_aflplusplus/builder.Dockerfile
+++ /dev/null
@@ -1,98 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Upgrade to avoid certs errors
-RUN apt-get upgrade -y
-
-# Download and compile afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && \
- git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && make install && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-# Install the packages we need.
-RUN apt-get install -y ninja-build flex bison python zlib1g-dev cargo
-
-# Install Z3 from binary
-RUN wget -qO /tmp/z3x64.zip https://github.com/Z3Prover/z3/releases/download/z3-4.8.7/z3-4.8.7-x64-ubuntu-16.04.zip && \
- unzip -jd /usr/include /tmp/z3x64.zip "*/include/*.h" && \
- unzip -jd /usr/lib /tmp/z3x64.zip "*/bin/libz3.so" && \
- rm -f /tmp/*.zip && \
- ldconfig
-
-ENV CFLAGS=""
-ENV CXXFLAGS=""
-
-# Get and install symcc.
-RUN cd / && \
- git clone https://github.com/adalogics/adacc symcc && \
- cd symcc && \
- git checkout 70efb3ef512a12b31caedcfcd9c0890813cd797e && \
- cd ./runtime/qsym_backend && \
- git clone https://github.com/adalogics/qsym && \
- cd qsym && \
- git checkout adalogics && \
- cd /symcc && \
- mkdir build && \
- cd build && \
- cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DQSYM_BACKEND=ON \
- -DZ3_TRUST_SYSTEM_VERSION=ON ../ && \
- ninja -j 3 && \
- cd ../examples && \
- export SYMCC_PC=1 && \
- ../build/symcc -c ./libfuzz-harness-proxy.c -o /libfuzzer-harness.o && \
- cd ../ && echo "[+] Installing cargo now 4" && \
- cargo install --path util/symcc_fuzzing_helper
-
-RUN cd / && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -O /StandaloneFuzzTargetMain.c && \
- clang -O2 -c /StandaloneFuzzTargetMain.c && \
- ar rc /libStandaloneFuzzTarget.a StandaloneFuzzTargetMain.o && \
- rm /StandaloneFuzzTargetMain.c
-
-RUN git clone https://github.com/eurecom-s3/symqemu --depth 1 /symqemu/src
-RUN mkdir /symqemu/build && \
- cd /symqemu/build && \
- ../src/configure \
- --audio-drv-list= \
- --disable-bluez \
- --disable-sdl \
- --disable-gtk \
- --disable-vte \
- --disable-opengl \
- --disable-virglrenderer \
- --target-list=x86_64-linux-user \
- --enable-capstone=git \
- --disable-werror \
- --symcc-source=/symcc/ \
- --symcc-build=/symcc/build && \
- make && \
- cd /symqemu && \
- rm -rf src
diff --git a/fuzzers/symqemu_aflplusplus/fuzzer.py b/fuzzers/symqemu_aflplusplus/fuzzer.py
deleted file mode 100644
index bb8e1c0ec..000000000
--- a/fuzzers/symqemu_aflplusplus/fuzzer.py
+++ /dev/null
@@ -1,120 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-''' Uses the SymCC-AFL hybrid from SymCC. '''
-
-import os
-import time
-import shutil
-import threading
-import subprocess
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-
-
-def get_symcc_build_dir(target_directory):
- """Return path to uninstrumented target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
- """Build an AFL version and SymCC version of the benchmark"""
-
- # Backup the environment.
- orig_env = os.environ.copy()
- #src = os.getenv('SRC')
- #work = os.getenv('WORK')
- build_directory = os.getenv('OUT')
- fuzz_target = os.getenv('FUZZ_TARGET')
-
- # First, build an uninstrumented binary for Eclipser.
- aflplusplus_fuzzer.build('qemu', 'eclipser')
- eclipser_dir = get_symcc_build_dir(build_directory)
- os.mkdir(eclipser_dir)
- fuzz_binary = build_directory + '/' + fuzz_target
- shutil.copy(fuzz_binary, eclipser_dir)
- if os.path.isdir(build_directory + '/seeds'):
- shutil.rmtree(build_directory + '/seeds')
-
- # Second, build an instrumented binary for AFL++.
- os.environ = orig_env
- aflplusplus_fuzzer.build('tracepc')
- print('[build] Copying afl-fuzz to $OUT directory')
-
- # Copy afl-fuzz
- shutil.copy('/afl/afl-fuzz', build_directory)
- shutil.copy('/afl/afl-showmap', build_directory)
- shutil.copy('/rust/bin/symcc_fuzzing_helper', eclipser_dir)
-
- symcc_build_dir = get_symcc_build_dir(os.environ['OUT'])
-
- # Copy over symcc artifacts and symbolic libc++.
- shutil.copy(
- '/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so',
- symcc_build_dir)
- shutil.copy('/usr/lib/libz3.so', os.path.join(symcc_build_dir, 'libz3.so'))
- shutil.copy('/rust/bin/symcc_fuzzing_helper', symcc_build_dir)
- shutil.copy('/symqemu/build/x86_64-linux-user/symqemu-x86_64',
- symcc_build_dir)
-
-
-def launch_afl_thread(input_corpus, output_corpus, target_binary,
- additional_flags):
- """ Simple wrapper for running AFL. """
- afl_thread = threading.Thread(target=afl_fuzzer.run_afl_fuzz,
- args=(input_corpus, output_corpus,
- target_binary, additional_flags))
- afl_thread.start()
- return afl_thread
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """
- Launches a master and a secondary instance of AFL, as well as
- the symcc helper.
- """
- target_binary_dir = os.path.dirname(target_binary)
- symcc_workdir = get_symcc_build_dir(target_binary_dir)
- target_binary_name = os.path.basename(target_binary)
- symcc_target_binary = os.path.join(symcc_workdir, target_binary_name)
-
- os.environ['AFL_DISABLE_TRIM'] = '1'
-
- # Start a master and secondary instance of AFL.
- # We need both because of the way SymCC works.
- print('[run_fuzzer] Running AFL for SymCC')
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- launch_afl_thread(input_corpus, output_corpus, target_binary,
- ['-S', 'afl-secondary'])
- time.sleep(5)
-
- # Start an instance of SymCC.
- # We need to ensure it uses the symbolic version of libc++.
- symqemu_target = os.path.join(symcc_workdir, 'symqemu-x86_64')
- if os.path.isfile(symqemu_target):
- print('Found symqemu target')
- else:
- print('Did not find symqemu target')
-
- print('Starting the SymCC helper')
- new_environ = os.environ.copy()
- new_environ['LD_LIBRARY_PATH'] = symcc_workdir
- cmd = [
- os.path.join(symcc_workdir, 'symcc_fuzzing_helper'), '-o',
- output_corpus, '-a', 'afl-secondary', '-n', 'symqemu', '-m', '--',
- symqemu_target, symcc_target_binary, '@@'
- ]
- print(f'Running command: {" ".join(cmd)}')
- with subprocess.Popen(cmd, env=new_environ):
- pass
diff --git a/fuzzers/symqemu_aflplusplus/runner.Dockerfile b/fuzzers/symqemu_aflplusplus/runner.Dockerfile
deleted file mode 100644
index e63ac957d..000000000
--- a/fuzzers/symqemu_aflplusplus/runner.Dockerfile
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get install -y wget
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
-#RUN echo deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-10 main >> /etc/apt/sources.list && \
-# wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-#RUN echo deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main >> /etc/apt/sources.list && \
-# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Install the packages we need.
-RUN apt-get install -y ninja-build python zlib1g-dev cargo
-
-RUN apt-get install -y \
- libtool \
- wget \
- automake \
- autoconf \
- bison \
- git \
- build-essential \
- gdb \
- g++ \
- cmake \
- cargo \
- rustc \
- sudo \
- joe \
- vim \
- zlib1g \
- zlib1g-dev \
- wget \
- bison \
- flex \
- gdb \
- strace
-RUN apt-get build-dep -y qemu
-
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-
diff --git a/fuzzers/symsan/CMakeLists_bloaty.txt b/fuzzers/symsan/CMakeLists_bloaty.txt
deleted file mode 100644
index 8132cf3ef..000000000
--- a/fuzzers/symsan/CMakeLists_bloaty.txt
+++ /dev/null
@@ -1,406 +0,0 @@
-cmake_minimum_required(VERSION 3.5)
-cmake_policy(SET CMP0048 NEW)
-if(POLICY CMP0091)
- cmake_policy(SET CMP0091 NEW)
-endif()
-project (Bloaty VERSION 1.1)
-include(CTest)
-set(CMAKE_CXX_STANDARD 17)
-set_property(GLOBAL PROPERTY USE_FOLDERS ON) # Group projects in visual studio
-
-# Options we define for users.
-option(BLOATY_ENABLE_ASAN "Enable address sanitizer." OFF)
-option(BLOATY_ENABLE_UBSAN "Enable undefined behavior sanitizer." OFF)
-option(BLOATY_ENABLE_CMAKETARGETS "Enable installing cmake target files." ON)
-option(BLOATY_ENABLE_BUILDID "Enable build id." ON)
-option(BLOATY_ENABLE_RE2 "Enable the support for regular expression functions." ON)
-option(BLOATY_PREFER_SYSTEM_CAPSTONE "Prefer to use the system capstone if available" YES)
-
-if(UNIX OR MINGW)
-find_package(PkgConfig)
-find_package(ZLIB)
-if(BLOATY_ENABLE_RE2)
- pkg_search_module(RE2 re2)
-endif()
-if(BLOATY_PREFER_SYSTEM_CAPSTONE)
- pkg_search_module(CAPSTONE capstone)
-endif()
-pkg_search_module(PROTOBUF protobuf)
-if(BLOATY_ENABLE_RE2)
- if(RE2_FOUND)
- MESSAGE(STATUS "System re2 found, using")
- else()
- MESSAGE(STATUS "System re2 not found, using bundled version")
- endif()
-endif()
-if(CAPSTONE_FOUND)
- MESSAGE(STATUS "System capstone found, using")
-else()
- MESSAGE(STATUS "System capstone not found, using bundled version")
-endif()
-if(PROTOBUF_FOUND)
- MESSAGE(STATUS "System protobuf found, using")
-else()
- MESSAGE(STATUS "System protobuf not found, using bundled version")
-endif()
-if (ZLIB_FOUND)
- MESSAGE(STATUS "System zlib found, using")
-else()
- MESSAGE(STATUS "System zlib not found, using bundled version")
-endif()
-endif()
-
-# Set default build type.
-if(NOT CMAKE_BUILD_TYPE)
- message(STATUS "Setting build type to 'RelWithDebInfo' as none was specified.")
- set(CMAKE_BUILD_TYPE "RelWithDebInfo" CACHE STRING
- "Choose the type of build, options are: Debug Release RelWithDebInfo MinSizeRel."
- FORCE)
-endif()
-
-# Check out Git submodules.
-if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/.gitmodules")
- execute_process (COMMAND git submodule update --init --recursive
- WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
-endif()
-
-# Add third_party libraries, disabling as much as we can of their builds.
-
-add_definitions(-D_LIBCXXABI_FUNC_VIS=) # For Demumble.
-if(BLOATY_ENABLE_RE2)
- add_definitions(-DUSE_RE2)
-endif()
-
-# Set MSVC runtime before including thirdparty libraries
-if(MSVC)
- if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.15)
- set(CMAKE_MSVC_RUNTIME_LIBRARY MultiThreaded$<$:Debug>)
- else()
- # Link also the runtime library statically so that MSVCR*.DLL is not required at runtime.
- # https://msdn.microsoft.com/en-us/library/2kzt1wy3.aspx
- # This is achieved by replacing msvc option /MD with /MT and /MDd with /MTd
- # http://www.cmake.org/Wiki/CMake_FAQ#How_can_I_build_my_MSVC_application_with_a_static_runtime.3F
- foreach(flag_var
- CMAKE_CXX_FLAGS CMAKE_CXX_FLAGS_DEBUG CMAKE_CXX_FLAGS_RELEASE
- CMAKE_CXX_FLAGS_MINSIZEREL CMAKE_CXX_FLAGS_RELWITHDEBINFO)
- if (flag_var MATCHES "/MD")
- string(REGEX REPLACE "/MD" "/MT" ${flag_var} "${${flag_var}}")
- endif()
- endforeach()
- endif()
-endif()
-
-set(THREADS_PREFER_PTHREAD_FLAG TRUE)
-find_package(Threads REQUIRED)
-
-if(UNIX OR MINGW)
- if(BLOATY_ENABLE_RE2)
- if(RE2_FOUND)
- include_directories(${RE2_INCLUDE_DIRS})
- else()
- set(RE2_BUILD_TESTING OFF CACHE BOOL "enable testing for RE2" FORCE)
- add_subdirectory(third_party/re2)
- include_directories(third_party/re2)
- endif()
- endif()
- if(CAPSTONE_FOUND)
- include_directories(${CAPSTONE_INCLUDE_DIRS})
- else()
- set(CAPSTONE_BUILD_SHARED OFF CACHE BOOL "Build shared library" FORCE)
- set(CAPSTONE_BUILD_TESTS OFF CACHE BOOL "Build tests" FORCE)
- add_subdirectory(third_party/capstone)
- include_directories(third_party/capstone/include)
- endif()
- if(PROTOBUF_FOUND)
- include_directories(${PROTOBUF_INCLUDE_DIRS})
- else()
- set(protobuf_BUILD_TESTS OFF CACHE BOOL "enable tests for proto2" FORCE)
- set(protobuf_BUILD_SHARED_LIBS OFF CACHE BOOL "enable shared libs for proto2" FORCE)
- add_subdirectory(third_party/protobuf/cmake)
- include_directories(SYSTEM third_party/protobuf/src)
- endif()
- if(NOT ZLIB_FOUND)
- add_subdirectory(third_party/zlib)
- include_directories(SYSTEM third_party/zlib)
- endif()
-else()
- if(BLOATY_ENABLE_RE2)
- set(RE2_BUILD_TESTING OFF CACHE BOOL "enable testing for RE2" FORCE)
- add_subdirectory(third_party/re2)
- include_directories(third_party/re2)
- set_property(TARGET re2 PROPERTY FOLDER "third_party")
- endif()
-
- set(CAPSTONE_BUILD_SHARED OFF CACHE BOOL "Build shared library" FORCE)
- set(CAPSTONE_BUILD_TESTS OFF CACHE BOOL "Build tests" FORCE)
- add_subdirectory(third_party/capstone)
- include_directories(third_party/capstone/include)
- set_property(TARGET capstone-static PROPERTY FOLDER "third_party")
-
- set(protobuf_BUILD_TESTS OFF CACHE BOOL "enable tests for proto2" FORCE)
- set(protobuf_BUILD_SHARED_LIBS OFF CACHE BOOL "enable shared libs for proto2" FORCE)
- add_subdirectory(third_party/protobuf/cmake)
- include_directories(SYSTEM third_party/protobuf/src)
-
- add_subdirectory(third_party/zlib)
- include_directories(third_party/zlib)
- include_directories(${CMAKE_CURRENT_BINARY_DIR}/third_party/zlib)
- set_property(TARGET example PROPERTY FOLDER "third_party")
- set_property(TARGET minigzip PROPERTY FOLDER "third_party")
- set_property(TARGET zlib PROPERTY FOLDER "third_party")
- set_property(TARGET zlibstatic PROPERTY FOLDER "third_party")
- set_property(TARGET libprotobuf PROPERTY FOLDER "third_party")
- set_property(TARGET libprotobuf-lite PROPERTY FOLDER "third_party")
- set_property(TARGET libprotoc PROPERTY FOLDER "third_party")
- set_property(TARGET protoc PROPERTY FOLDER "third_party")
-endif()
-
-include_directories(.)
-include_directories(src)
-include_directories(third_party/abseil-cpp)
-include_directories("${CMAKE_CURRENT_BINARY_DIR}/src")
-
-# Baseline build flags.
-if(MSVC)
- set(CMAKE_CXX_FLAGS "/EHsc /wd4018 /D_CRT_SECURE_NO_WARNINGS /DNOMINMAX")
-else()
- set(CMAKE_CXX_FLAGS "-W -Wall -Wno-sign-compare")
- set(CMAKE_CXX_FLAGS_DEBUG "-g1")
- set(CMAKE_CXX_FLAGS_RELEASE "-O2")
- set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "-O2 -g1")
-endif()
-
-if(APPLE)
-elseif(UNIX)
- if(BLOATY_ENABLE_BUILDID)
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id")
- endif()
-endif()
-
-# When using Ninja, compiler output won't be colorized without this.
-include(CheckCXXCompilerFlag)
-CHECK_CXX_COMPILER_FLAG(-fdiagnostics-color=always SUPPORTS_COLOR_ALWAYS)
-if(SUPPORTS_COLOR_ALWAYS)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fdiagnostics-color=always")
-endif()
-
-# Implement ASAN/UBSAN options
-if(BLOATY_ENABLE_ASAN)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address")
- set(CMAKE_LINKER_FLAGS_DEBUG "${CMAKE_LINKER_FLAGS_DEBUG} -fsanitize=address")
-endif()
-
-if(BLOATY_ENABLE_UBSAN)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=undefined")
- set(CMAKE_LINKER_FLAGS_DEBUG "${CMAKE_LINKER_FLAGS_DEBUG} -fsanitize=undefined")
-endif()
-
-if(DEFINED ENV{CXXFLAGS})
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} $ENV{CXXFLAGS}")
-endif()
-
-file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/src)
-if(PROTOC_FOUND)
-add_custom_command(
- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/src/bloaty.pb.cc
- DEPENDS protoc ${CMAKE_CURRENT_SOURCE_DIR}/src/bloaty.proto
- COMMAND protoc ${CMAKE_CURRENT_SOURCE_DIR}/src/bloaty.proto
- --cpp_out=${CMAKE_CURRENT_BINARY_DIR}/src
- -I${CMAKE_CURRENT_SOURCE_DIR}/src
-)
-else()
-add_custom_command(
- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/src/bloaty.pb.cc
- COMMAND protoc ${CMAKE_CURRENT_SOURCE_DIR}/src/bloaty.proto
- --cpp_out=${CMAKE_CURRENT_BINARY_DIR}/src
- -I${CMAKE_CURRENT_SOURCE_DIR}/src
-)
-endif()
-
-file(COPY ${CMAKE_CURRENT_SOURCE_DIR}/src/bloaty_package.bloaty
- DESTINATION ${CMAKE_CURRENT_BINARY_DIR})
-
-add_library(libbloaty STATIC
- src/bloaty.cc
- src/bloaty.h
- src/disassemble.cc
- ${CMAKE_CURRENT_BINARY_DIR}/src/bloaty.pb.cc
- src/dwarf/attr.h
- src/dwarf/attr.cc
- src/dwarf/dwarf_util.cc
- src/dwarf/debug_info.cc
- src/dwarf/line_info.cc
- src/dwarf.cc
- src/dwarf_constants.h
- src/eh_frame.cc
- src/elf.cc
- src/macho.cc
- src/pe.cc
- third_party/lief_pe/pe_structures.h
- src/range_map.cc
- src/range_map.h
- src/re.h
- src/util.cc
- src/util.h
- src/webassembly.cc
- # Until Abseil has a proper CMake build system
- third_party/abseil-cpp/absl/base/internal/raw_logging.cc # Grrrr...
- third_party/abseil-cpp/absl/base/internal/throw_delegate.cc
- third_party/abseil-cpp/absl/debugging/internal/demangle.cc
- third_party/abseil-cpp/absl/numeric/int128.cc
- third_party/abseil-cpp/absl/strings/ascii.cc
- third_party/abseil-cpp/absl/strings/charconv.cc
- third_party/abseil-cpp/absl/strings/escaping.cc
- third_party/abseil-cpp/absl/strings/internal/charconv_bigint.cc
- third_party/abseil-cpp/absl/strings/internal/charconv_parse.cc
- third_party/abseil-cpp/absl/strings/internal/escaping.cc
- third_party/abseil-cpp/absl/strings/internal/memutil.cc
- third_party/abseil-cpp/absl/strings/internal/utf8.cc
- third_party/abseil-cpp/absl/strings/match.cc
- third_party/abseil-cpp/absl/strings/numbers.cc
- third_party/abseil-cpp/absl/strings/str_cat.cc
- third_party/abseil-cpp/absl/strings/string_view.cc
- third_party/abseil-cpp/absl/strings/str_split.cc
- third_party/abseil-cpp/absl/strings/substitute.cc
- third_party/abseil-cpp/absl/types/bad_optional_access.cc
- # One source file, no special build system needed.
- )
-set_property(TARGET libbloaty PROPERTY FOLDER "bloaty")
-
-if(UNIX OR MINGW)
- set(LIBBLOATY_LIBS libbloaty)
- if(PROTOBUF_FOUND)
- list(APPEND LIBBLOATY_LIBS ${PROTOBUF_LIBRARIES})
- else()
- list(APPEND LIBBLOATY_LIBS libprotoc)
- endif()
- if(BLOATY_ENABLE_RE2)
- if(RE2_FOUND)
- list(APPEND LIBBLOATY_LIBS ${RE2_LIBRARIES})
- else()
- list(APPEND LIBBLOATY_LIBS re2)
- endif()
- endif()
- if(CAPSTONE_FOUND)
- list(APPEND LIBBLOATY_LIBS ${CAPSTONE_LIBRARIES})
- else()
- list(APPEND LIBBLOATY_LIBS capstone-static)
- endif()
- if(ZLIB_FOUND)
- list(APPEND LIBBLOATY_LIBS ZLIB::ZLIB)
- else()
- list(APPEND LIBBLOATY_LIBS zlibstatic)
- endif()
-else()
- set(LIBBLOATY_LIBS libbloaty libprotoc capstone-static)
- if(BLOATY_ENABLE_RE2)
- list(APPEND LIBBLOATY_LIBS re2)
- endif()
- list(APPEND LIBBLOATY_LIBS zlibstatic)
-endif()
-
-if(UNIX OR MINGW)
- if(BLOATY_ENABLE_RE2)
- if(RE2_FOUND)
- link_directories(${RE2_LIBRARY_DIRS})
- endif()
- endif()
- if(CAPSTONE_FOUND)
- link_directories(${CAPSTONE_LIBRARY_DIRS})
- endif()
- if(PROTOBUF_FOUND)
- link_directories(${PROTOBUF_LIBRARY_DIRS})
- endif()
-endif()
-
-list(APPEND LIBBLOATY_LIBS Threads::Threads)
-
-if(DEFINED ENV{LIB_FUZZING_ENGINE})
- message("LIB_FUZZING_ENGINE set, building fuzz_target instead of Bloaty")
- add_executable(fuzz_target tests/fuzz_target.cc)
- target_link_libraries(fuzz_target ${LIBBLOATY_LIBS} $ENV{LIB_FUZZING_ENGINE})
-else()
- add_executable(bloaty src/main.cc)
- target_link_libraries(bloaty ${LIBBLOATY_LIBS})
-
- set_property(TARGET bloaty PROPERTY FOLDER "bloaty")
-
- if(BLOATY_ENABLE_CMAKETARGETS)
- install(
- TARGETS bloaty
- EXPORT ${PROJECT_NAME}Targets
- RUNTIME DESTINATION bin
- )
- else()
- install(
- TARGETS bloaty
- RUNTIME DESTINATION bin
- )
- endif()
-
- if (IS_DIRECTORY "${PROJECT_SOURCE_DIR}/tests")
- enable_testing()
-
- find_package(Python COMPONENTS Interpreter)
- find_program(LIT_EXECUTABLE NAMES lit-script.py lit.py lit)
- find_program(FILECHECK_EXECUTABLE FileCheck)
- find_program(YAML2OBJ_EXECUTABLE yaml2obj)
- if(Python_FOUND AND LIT_EXECUTABLE AND FILECHECK_EXECUTABLE AND YAML2OBJ_EXECUTABLE)
- set(BLOATY_SRC_DIR ${PROJECT_SOURCE_DIR})
- set(BLOATY_OBJ_DIR ${PROJECT_BINARY_DIR})
- configure_file(tests/lit.site.cfg.in tests/lit.site.cfg @ONLY)
-
- add_custom_target(check-bloaty
- COMMAND ${Python_EXECUTABLE} ${LIT_EXECUTABLE} -sv ${PROJECT_BINARY_DIR}/tests --param bloaty=$
- DEPENDS
- bloaty
- ${CMAKE_CURRENT_SOURCE_DIR}/tests/lit.cfg
- ${CMAKE_CURRENT_BINARY_DIR}/tests/lit.site.cfg
- COMMENT "Running bloaty tests..."
- USES_TERMINAL)
- set_property(TARGET check-bloaty PROPERTY FOLDER "tests")
- endif()
-
- if(BUILD_TESTING)
- option(INSTALL_GTEST "" OFF)
- add_subdirectory(third_party/googletest)
- include_directories(third_party/googletest/googletest/include)
- include_directories(third_party/googletest/googlemock/include)
-
- set(TEST_TARGETS
- bloaty_test
- bloaty_test_pe
- bloaty_misc_test
- range_map_test
- )
-
- foreach(target ${TEST_TARGETS})
- add_executable(${target} tests/${target}.cc)
- target_link_libraries(${target} ${LIBBLOATY_LIBS} gtest_main gmock)
- set_property(TARGET ${target} PROPERTY FOLDER "tests")
- endforeach(target)
-
- add_executable(fuzz_test tests/fuzz_target.cc tests/fuzz_driver.cc)
- target_link_libraries(fuzz_test ${LIBBLOATY_LIBS})
- set_property(TARGET fuzz_test PROPERTY FOLDER "tests")
-
- foreach(testlib gmock gmock_main gtest gtest_main)
- set_property(TARGET ${testlib} PROPERTY FOLDER "tests/libs")
- endforeach(testlib)
-
- file(GLOB fuzz_corpus tests/testdata/fuzz_corpus/*)
-
- add_test(NAME range_map_test COMMAND range_map_test)
- add_test(NAME bloaty_test_x86-64 COMMAND bloaty_test WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/linux-x86_64)
- add_test(NAME bloaty_test_x86 COMMAND bloaty_test WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/linux-x86)
- add_test(NAME bloaty_test_pe_x64 COMMAND bloaty_test_pe WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/PE/x64)
- add_test(NAME bloaty_test_pe_x86 COMMAND bloaty_test_pe WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/PE/x86)
- add_test(NAME bloaty_misc_test COMMAND bloaty_misc_test WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/misc)
- add_test(NAME fuzz_test COMMAND fuzz_test ${fuzz_corpus} WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests/testdata/fuzz_corpus)
- endif()
- endif()
-
- if(BLOATY_ENABLE_CMAKETARGETS)
- install(EXPORT ${PROJECT_NAME}Targets NAMESPACE ${PROJECT_NAME} DESTINATION lib/${PROJECT_NAME})
- endif()
-endif()
diff --git a/fuzzers/symsan/build_freetype2.sh b/fuzzers/symsan/build_freetype2.sh
deleted file mode 100755
index ae8d5831d..000000000
--- a/fuzzers/symsan/build_freetype2.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/bash -ex
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-INSTALL_DIR="$PWD/install"
-
-mkdir $OUT/seeds
-# TRT/fonts is the full seed folder, but they're too big
-cp TRT/fonts/TestKERNOne.otf $OUT/seeds/
-cp TRT/fonts/TestGLYFOne.ttf $OUT/seeds/
-
-tar xf libarchive-3.4.3.tar.xz
-
-cd libarchive-3.4.3
-./configure --prefix="$INSTALL_DIR" --disable-shared --with-xml2=no
-make clean
-make -j $(nproc)
-make install
-cd ..
-
-cd freetype2
-./autogen.sh
-./configure --with-harfbuzz=no --with-bzip2=no --with-png=no --without-zlib
-make clean
-make all -j $(nproc)
-
-$CXX $CXXFLAGS -std=c++11 -I"$INSTALL_DIR/include" -I include -I . src/tools/ftfuzzer/ftfuzzer.cc \
- objs/.libs/libfreetype.a $FUZZER_LIB -L"$INSTALL_DIR/lib" -larchive \
- -o $OUT/ftfuzzer
diff --git a/fuzzers/symsan/build_proj.sh b/fuzzers/symsan/build_proj.sh
deleted file mode 100644
index 169d196b2..000000000
--- a/fuzzers/symsan/build_proj.sh
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/bin/bash -ex
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-set -e
-
-if [ "$SRC" == "" ]; then
- echo "SRC env var not defined"
- exit 1
-fi
-
-if [ "$OUT" == "" ]; then
- echo "OUT env var not defined"
- exit 1
-fi
-
-if [ "$CXX" == "" ]; then
- echo "CXX env var not defined"
- exit 1
-fi
-
-if [ "$LIB_FUZZING_ENGINE" = "" ]; then
- export LIB_FUZZING_ENGINE=-lFuzzingEngine
-fi
-
-I386_PACKAGES="zlib1g-dev:i386 libssl-dev:i386 libsqlite3-dev:i386"
-X64_PACKAGES="zlib1g-dev libssl-dev libsqlite3-dev"
-
-if [ "$ARCHITECTURE" = "i386" ]; then
- apt-get install -y $I386_PACKAGES
-else
- apt-get install -y $X64_PACKAGES
-fi
-
-# build libcurl.a (builing against Ubuntu libcurl.a doesn't work easily)
-cd curl
-autoreconf -i
-./configure --disable-shared --without-ssl --prefix=$SRC/install
-make clean -s
-make -j$(nproc) -s
-make install
-cd ..
-
-# build libtiff.a
-cd libtiff
-./autogen.sh
-./configure --disable-shared --prefix=$SRC/install
-make -j$(nproc)
-make install
-cd ..
-
-mkdir build
-cd build
-cmake .. -DBUILD_SHARED_LIBS:BOOL=OFF \
- -DCURL_INCLUDE_DIR:PATH="$SRC/install/include" \
- -DCURL_LIBRARY_RELEASE:FILEPATH="$SRC/install/lib/libcurl.a" \
- -DTIFF_INCLUDE_DIR:PATH="$SRC/install/include" \
- -DTIFF_LIBRARY_RELEASE:FILEPATH="$SRC/install/lib/libtiff.a" \
- -DCMAKE_INSTALL_PREFIX=$SRC/install \
- -DBUILD_APPS:BOOL=OFF \
- -DBUILD_TESTING:BOOL=OFF
-make clean -s
-make -j$(nproc) -s
-make install
-cd ..
-
-EXTRA_LIBS="-lpthread -Wl,-Bstatic -lsqlite3 -L$SRC/install/lib -ltiff -lcurl -lssl -lcrypto -lz -Wl,-Bdynamic"
-
-build_fuzzer()
-{
- fuzzerName=$1
- sourceFilename=$2
- shift
- shift
- echo "Building fuzzer $fuzzerName"
- $CXX $CXXFLAGS -std=c++11 -fvisibility=hidden -llzma -Isrc -Iinclude \
- $sourceFilename $* -o $OUT/$fuzzerName \
- $LIB_FUZZING_ENGINE "$SRC/install/lib/libproj.a" $EXTRA_LIBS
-}
-
-build_fuzzer proj_crs_to_crs_fuzzer test/fuzzers/proj_crs_to_crs_fuzzer.cpp
-
-echo "[libfuzzer]" > $OUT/proj_crs_to_crs_fuzzer.options
-echo "max_len = 10000" >> $OUT/proj_crs_to_crs_fuzzer.options
-
-cp -r data/* $OUT
diff --git a/fuzzers/symsan/builder.Dockerfile b/fuzzers/symsan/builder.Dockerfile
deleted file mode 100644
index 8b9094f24..000000000
--- a/fuzzers/symsan/builder.Dockerfile
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-# # http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#ARG parent_image=gcr.io/fuzzbench/base-builder
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update -y && \
- apt-get -y install wget python3-dev python3-setuptools apt-transport-https \
- libboost-all-dev texinfo libz3-dev \
- build-essential automake flex bison libglib2.0-dev libpixman-1-dev libgtk-3-dev ninja-build libnl-genl-3-dev \
- lsb-release software-properties-common autoconf curl zlib1g-dev cmake protobuf-compiler libprotobuf-dev
-
-RUN if [ -x "$(command -v rustc)" ]; then rustup self uninstall -y; fi
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12
-
-# Download and compile afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && \
- git checkout 33eba1fc5652060e8d877b02135fce2325813d0c && \
- unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-ENV PATH="/out/bin:${PATH}"
-ENV PATH="/root/.cargo/bin:${PATH}"
-RUN cp /usr/local/lib/libpython3.8.so.1.0 /out/
-
-RUN git clone https://github.com/chenju2k6/symsan /symsan
-
-RUN apt-get install -y libc++abi-12-dev libc++-12-dev libunwind-dev
-
-RUN cd /symsan && git checkout jigsaw && \
- unset CFLAGS && \
- unset CXXFLAGS && \
- mkdir build && \
- cd build && \
- CC=clang-12 CXX=clang++-12 cmake -DCMAKE_INSTALL_PREFIX=. ../ && \
- make -j && make install && \
- cd ../fuzzer/cpp_core && mkdir build && cd build && cmake .. && make -j && \
- cd ../../../ && cargo build --release && \
- cp target/release/libruntime_fast.a build/lib/symsan
-
-COPY libfuzz-harness-proxy.c /
-RUN KO_DONT_OPTIMIZE=1 USE_TRACK=1 KO_CC=clang-12 KO_USE_FASTGEN=1 /symsan/build/bin/ko-clang -c /libfuzz-harness-proxy.c -o /libfuzzer-harness.o
-RUN KO_DONT_OPTIMIZE=1 KO_CC=clang-12 /symsan/build/bin/ko-clang -c /libfuzz-harness-proxy.c -o /libfuzzer-harness-fast.o
diff --git a/fuzzers/symsan/bz2.abilist b/fuzzers/symsan/bz2.abilist
deleted file mode 100644
index 934f4b876..000000000
--- a/fuzzers/symsan/bz2.abilist
+++ /dev/null
@@ -1,33 +0,0 @@ -fun:BZ2_blockSort=uninstrumented -fun:BZ2_bsInitWrite=uninstrumented -fun:BZ2_bzBuffToBuffCompress=uninstrumented -fun:BZ2_bzBuffToBuffDecompress=uninstrumented -fun:BZ2_bzCompress=uninstrumented -fun:BZ2_bzCompressEnd=uninstrumented -fun:BZ2_bzCompressInit=uninstrumented -fun:BZ2_bzDecompress=uninstrumented -fun:BZ2_bzDecompressEnd=uninstrumented -fun:BZ2_bzDecompressInit=uninstrumented -fun:BZ2_bzRead=uninstrumented -fun:BZ2_bzReadClose=uninstrumented -fun:BZ2_bzReadGetUnused=uninstrumented -fun:BZ2_bzReadOpen=uninstrumented -fun:BZ2_bzWrite=uninstrumented -fun:BZ2_bzWriteClose=uninstrumented -fun:BZ2_bzWriteClose64=uninstrumented -fun:BZ2_bzWriteOpen=uninstrumented -fun:BZ2_bz__AssertH__fail=uninstrumented -fun:BZ2_bzclose=uninstrumented -fun:BZ2_bzdopen=uninstrumented -fun:BZ2_bzerror=uninstrumented -fun:BZ2_bzflush=uninstrumented -fun:BZ2_bzlibVersion=uninstrumented -fun:BZ2_bzopen=uninstrumented -fun:BZ2_bzread=uninstrumented -fun:BZ2_bzwrite=uninstrumented -fun:BZ2_compressBlock=uninstrumented -fun:BZ2_decompress=uninstrumented -fun:BZ2_hbAssignCodes=uninstrumented -fun:BZ2_hbCreateDecodeTables=uninstrumented -fun:BZ2_hbMakeCodeLengths=uninstrumented -fun:BZ2_indexIntoF=uninstrumented diff --git a/fuzzers/symsan/cares.abilist b/fuzzers/symsan/cares.abilist deleted file mode 100644 index 471278b70..000000000 --- a/fuzzers/symsan/cares.abilist +++ /dev/null 
@@ -1,89 +0,0 @@ -fun:ares__bitncmp=uninstrumented -fun:ares__close_sockets=uninstrumented -fun:ares__destroy_servers_state=uninstrumented -fun:ares__expand_name_for_response=uninstrumented -fun:ares__free_query=uninstrumented -fun:ares__generate_new_id=uninstrumented -fun:ares__get_hostent=uninstrumented -fun:ares__init_list_head=uninstrumented -fun:ares__init_list_node=uninstrumented -fun:ares__init_servers_state=uninstrumented -fun:ares__insert_in_list=uninstrumented -fun:ares__is_list_empty=uninstrumented -fun:ares__is_onion_domain=uninstrumented -fun:ares__read_line=uninstrumented -fun:ares__remove_from_list=uninstrumented -fun:ares__send_query=uninstrumented -fun:ares__socket_close=uninstrumented -fun:ares__timedout=uninstrumented -fun:ares__tvnow=uninstrumented -fun:ares_cancel=uninstrumented -fun:ares_create_query=uninstrumented -fun:ares_destroy=uninstrumented -fun:ares_destroy_options=uninstrumented -fun:ares_dup=uninstrumented -fun:ares_expand_name=uninstrumented -fun:ares_expand_string=uninstrumented -fun:ares_fds=uninstrumented -fun:ares_free_data=uninstrumented -fun:ares_free_hostent=uninstrumented -fun:ares_free_string=uninstrumented -fun:ares_get_servers=uninstrumented -fun:ares_get_servers_ports=uninstrumented -fun:ares_gethostbyaddr=uninstrumented -fun:ares_gethostbyname=uninstrumented -fun:ares_gethostbyname_file=uninstrumented -fun:ares_getnameinfo=uninstrumented -fun:ares_getsock=uninstrumented -fun:ares_inet_net_pton=uninstrumented -fun:ares_inet_ntop=uninstrumented -fun:ares_inet_pton=uninstrumented -fun:ares_init=uninstrumented -fun:ares_init_options=uninstrumented -fun:ares_library_cleanup=uninstrumented -fun:ares_library_init=uninstrumented -fun:ares_library_init_mem=uninstrumented -fun:ares_library_initialized=uninstrumented -fun:ares_malloc_data=uninstrumented -fun:ares_mkquery=uninstrumented -fun:ares_parse_a_reply=uninstrumented -fun:ares_parse_aaaa_reply=uninstrumented -fun:ares_parse_mx_reply=uninstrumented 
-fun:ares_parse_naptr_reply=uninstrumented -fun:ares_parse_ns_reply=uninstrumented -fun:ares_parse_ptr_reply=uninstrumented -fun:ares_parse_soa_reply=uninstrumented -fun:ares_parse_srv_reply=uninstrumented -fun:ares_parse_txt_reply=uninstrumented -fun:ares_parse_txt_reply_ext=uninstrumented -fun:ares_process=uninstrumented -fun:ares_process_fd=uninstrumented -fun:ares_query=uninstrumented -fun:ares_save_options=uninstrumented -fun:ares_search=uninstrumented -fun:ares_send=uninstrumented -fun:ares_set_local_dev=uninstrumented -fun:ares_set_local_ip4=uninstrumented -fun:ares_set_local_ip6=uninstrumented -fun:ares_set_servers=uninstrumented -fun:ares_set_servers_csv=uninstrumented -fun:ares_set_servers_ports=uninstrumented -fun:ares_set_servers_ports_csv=uninstrumented -fun:ares_set_socket_callback=uninstrumented -fun:ares_set_socket_configure_callback=uninstrumented -fun:ares_set_socket_functions=uninstrumented -fun:ares_set_sortlist=uninstrumented -fun:ares_strdup=uninstrumented -fun:ares_strerror=uninstrumented -fun:ares_strsplit=uninstrumented -fun:ares_strsplit_free=uninstrumented -fun:ares_timeout=uninstrumented -fun:ares_version=uninstrumented -fun:aresx_sitoss=uninstrumented -fun:aresx_sitous=uninstrumented -fun:aresx_sltosi=uninstrumented -fun:aresx_sztosi=uninstrumented -fun:aresx_sztoui=uninstrumented -fun:aresx_uztosi=uninstrumented -fun:aresx_uztosl=uninstrumented -fun:aresx_uztoss=uninstrumented diff --git a/fuzzers/symsan/fres.sh b/fuzzers/symsan/fres.sh deleted file mode 100755 index 28bbf62e0..000000000 --- a/fuzzers/symsan/fres.sh +++ /dev/null 
@@ -1,15 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#!/bin/bash
-RUST_LOG=info /out/fastgen --sync_afl -i - -o /out/corpus -t $1 -- $2 @@
diff --git a/fuzzers/symsan/fuz.sh b/fuzzers/symsan/fuz.sh
deleted file mode 100755
index 6190c4bc9..000000000
--- a/fuzzers/symsan/fuz.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#!/bin/bash
-RUST_LOG=info /out/fastgen --sync_afl -i /out/seeds -o /out/corpus -t $1 -- $2 @@
diff --git a/fuzzers/symsan/fuzzer.py b/fuzzers/symsan/fuzzer.py
deleted file mode 100644
index 87649ffe2..000000000
--- a/fuzzers/symsan/fuzzer.py
+++ /dev/null
@@ -1,350 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-''' Uses the SymSan-AFL hybrid from SymSan. '''
-
-import shutil
-import glob
-import os
-import subprocess
-import threading
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-
-# Helper library that contains important functions for building.
-from fuzzers import utils
-
-OSS_FUZZ_LIB_FUZZING_ENGINE_PATH = '/usr/lib/libFuzzingEngine.a'
-
-
-def build_benchmark_symsan(env, benchmark_name):
- """Build a benchmark using fuzzer library."""
- if not env:
- env = os.environ.copy()
-
- # Add OSS-Fuzz environment variable for fuzzer library.
- fuzzer_lib = env['FUZZER_LIB']
- env['LIB_FUZZING_ENGINE'] = fuzzer_lib
- if os.path.exists(fuzzer_lib):
- # Make /usr/lib/libFuzzingEngine.a point to our library for OSS-Fuzz
- # so we can build projects that are using -lFuzzingEngine.
- shutil.copy(fuzzer_lib, OSS_FUZZ_LIB_FUZZING_ENGINE_PATH)
-
- build_script_name = 'build_' + benchmark_name + '.sh'
- build_script = os.path.join('/src/fuzzers/symsan', build_script_name)
-
- benchmark = os.getenv('BENCHMARK')
- fuzzer = os.getenv('FUZZER')
- print(f'Building benchmark {benchmark} with fuzzer {fuzzer}')
- subprocess.check_call(['/bin/bash', '-ex', build_script], env=env)
-
-
-def is_benchmark(name):
- """Check the benchmark under built."""
- benchmark = os.getenv('BENCHMARK', None)
- return benchmark is not None and name in benchmark
-
-
-def get_symsan_build_dir(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'symsantrack')
-
-
-def get_symsan_build_fast_dir(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'symsanfast')
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def fix_flags(new_env):
- """Fix symsan/symsan_fast build flags"""
- new_env['CC'] = '/symsan/build/bin/ko-clang'
- new_env['CXX'] = '/symsan/build/bin/ko-clang++'
- new_env['KO_CC'] = 'clang-12'
- new_env['KO_CXX'] = 'clang++-12'
- if not is_benchmark('libjpeg'):
- new_env['CXXFLAGS'] = ''
- new_env['CFLAGS'] = ''
- if is_benchmark('libpcap'):
- new_env['CXXFLAGS'] = '-libverbs'
- if is_benchmark('libgit'):
- new_env['CXXFLAGS'] = '-lpcre'
- if is_benchmark('file_magic'):
- new_env['CXXFLAGS'] = '-llzma'
- if is_benchmark('wireshark'):
- new_env['CXXFLAGS'] = '-llzma -licuuc'
-
- if is_benchmark('curl_curl_fuzzer_http'):
- new_env['SANITIZER'] = 'memory'
- if is_benchmark('libxslt_xpath'):
- new_env['SANITIZER'] = 'memory'
- if is_benchmark('openssl_x509'):
- new_env['CFLAGS'] = '-fsanitize=memory'
-
-
-def fix_abilist():
- """Fix abilist for symsan"""
- if is_benchmark('proj'):
- with open('/symsan/build/lib/symsan/dfsan_abilist.txt',
- 'a',
- 
encoding='utf-8') as abilist:
- abilist.write('fun:sqlite3_*=uninstrumented\n')
- abilist.write('fun:sqlite3_*=discard\n')
- if is_benchmark('bloaty'):
- with open('/symsan/build/lib/symsan/dfsan_abilist.txt',
- 'a',
- encoding='utf-8') as abilist:
- abilist.write('fun:*google8protobuf*=uninstrumented\n')
- if is_benchmark('libarchive'):
- with open('/symsan/build/lib/symsan/dfsan_abilist.txt',
- 'a',
- encoding='utf-8') as abilist:
- with open('/src/fuzzers/symsan/xml.abilist', 'r',
- encoding='utf-8') as xml:
- abilist.write(xml.read())
- with open('/src/fuzzers/symsan/bz2.abilist', 'r',
- encoding='utf-8') as bz2:
- abilist.write(bz2.read())
- if is_benchmark('libgit'):
- with open('/symsan/build/lib/symsan/dfsan_abilist.txt',
- 'a',
- encoding='utf-8') as abilist:
- with open('/src/fuzzers/symsan/pcre.abilist', 'r',
- encoding='utf-8') as pcre:
- abilist.write(pcre.read())
- if is_benchmark('wireshark'):
- with open('/symsan/build/lib/symsan/dfsan_abilist.txt',
- 'a',
- encoding='utf-8') as abilist:
- with open('/src/fuzzers/symsan/gcry.abilist', 'r',
- encoding='utf-8') as gcry:
- abilist.write(gcry.read())
- with open('/src/fuzzers/symsan/cares.abilist',
- 'r',
- encoding='utf-8') as cares:
- abilist.write(cares.read())
- with open('/src/fuzzers/symsan/glib.abilist', 'r',
- encoding='utf-8') as glib:
- abilist.write(glib.read())
- with open('/src/fuzzers/symsan/xml.abilist', 'r',
- encoding='utf-8') as xml:
- abilist.write(xml.read())
-
-
-def build_symsan_fast(build_directory, src, work):
- """Build symsan fast binaries."""
- symsan_build_fast_directory = get_symsan_build_fast_dir(build_directory)
- os.mkdir(symsan_build_fast_directory)
-
- new_env = os.environ.copy()
-
- fix_flags(new_env)
- new_env['KO_USE_NATIVE_LIBCXX'] = '1'
- new_env['FUZZER_LIB'] = '/libfuzzer-harness-fast.o'
- new_env['OUT'] = symsan_build_fast_directory
- new_env['KO_DONT_OPTIMIZE'] = '1'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'] + ' -stdlib=libc++'
-
- fuzz_target = 
os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symsan_build_fast_directory,
- os.path.basename(fuzz_target))
-
- with utils.restore_directory(src), utils.restore_directory(work):
- if is_benchmark('freetype2_ftfuzzer'):
- build_benchmark_symsan(new_env, 'freetype2')
- elif is_benchmark('proj'):
- build_benchmark_symsan(new_env, 'proj')
- elif is_benchmark('bloaty'):
- shutil.copy('/src/fuzzers/symsan/CMakeLists_bloaty.txt',
- '/src/bloaty/CMakeLists.txt')
- utils.build_benchmark(env=new_env)
- else:
- utils.build_benchmark(env=new_env)
-
-
-def build_symsan(build_directory, src, work):
- """Build symsan track binaries."""
- symsan_build_directory = get_symsan_build_dir(build_directory)
- os.mkdir(symsan_build_directory)
- new_env = os.environ.copy()
-
- fix_flags(new_env)
- fix_abilist()
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symsan_build_directory
- new_env['KO_DONT_OPTIMIZE'] = '1'
- new_env['USE_TRACK'] = '1'
- new_env['KO_USE_FASTGEN'] = '1'
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symsan_build_directory,
- os.path.basename(fuzz_target))
-
- with utils.restore_directory(src), utils.restore_directory(work):
- if is_benchmark('freetype2_ftfuzzer'):
- build_benchmark_symsan(new_env, 'freetype2')
- elif is_benchmark('proj'):
- build_benchmark_symsan(new_env, 'proj')
- elif is_benchmark('bloaty'):
- shutil.copy('/src/fuzzers/symsan/CMakeLists_bloaty.txt',
- '/src/bloaty/CMakeLists.txt')
- utils.build_benchmark(env=new_env)
- else:
- utils.build_benchmark(env=new_env)
-
-
-def update_protobuf():
- """Update protobuf version to 3.9.1"""
- command = [
- 'wget', '-P', '/src',
- 'https://github.com/protocolbuffers/protobuf/releases/\
-download/v3.9.1/protobuf-cpp-3.9.1.tar.gz'
- ]
- subprocess.check_call(command)
- command = ['tar', '-xvf', 'protobuf-cpp-3.9.1.tar.gz']
- subprocess.check_call(command, cwd='/src')
- command = ['./autogen.sh']
- subprocess.check_call(command, cwd='/src/protobuf-3.9.1')
- command = ['./configure']
- subprocess.check_call(command, cwd='/src/protobuf-3.9.1')
- command = ['make']
- subprocess.check_call(command, cwd='/src/protobuf-3.9.1')
- command = ['make', 'install']
- subprocess.check_call(command, cwd='/src/protobuf-3.9.1')
- command = ['ldconfig']
- subprocess.check_call(command)
- for filename in glob.glob('/usr/lib/x86_64-linux-gnu/libprotobuf*'):
- os.remove(filename)
-
-
-def build(): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
- build_directory = os.environ['OUT']
-
- if is_benchmark('bloaty'):
- update_protobuf()
-
- if is_benchmark('libpcap_fuzz_both'):
- os.environ['CXXFLAGS'] = os.environ['CXXFLAGS'] + ' -libverbs'
- if is_benchmark('libgit'):
- os.environ['CXXFLAGS'] = os.environ['CXXFLAGS'] + ' -lpcre'
- if is_benchmark('file_magic'):
- os.environ['CXXFLAGS'] = os.environ['CXXFLAGS'] + ' -llzma'
- if is_benchmark('wireshark'):
- os.environ['CXXFLAGS'] = os.environ['CXXFLAGS'] + ' -llzma -licuuc'
-
- with utils.restore_directory(src), utils.restore_directory(work):
- if is_benchmark('njs') or is_benchmark('muparser') or is_benchmark(
- 'bloaty'):
- os.remove('/usr/local/lib/libc++.a')
- os.remove('/usr/local/lib/libc++abi.a')
- build_symsan(build_directory, src, work)
- build_symsan_fast(build_directory, src, work)
- aflplusplus_fuzzer.build('tracepc', 'cmplog', 'dict2file')
-
- shutil.copy('/symsan/target/release/fastgen', os.environ['OUT'])
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def launch_afl_thread(input_corpus, output_corpus, target_binary,
- additional_flags):
- """ Simple wrapper for running AFL. """
- afl_thread = threading.Thread(target=afl_fuzzer.run_afl_fuzz,
- args=(input_corpus, output_corpus,
- target_binary, additional_flags))
- afl_thread.start()
- return afl_thread
-
-
-def fuzz(input_corpus, output_corpus, target_binary, flags=tuple(), skip=False):
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- target_binary_name = os.path.basename(target_binary)
-
- symsantrack_binary = os.path.join(
- get_symsan_build_dir(target_binary_directory), target_binary_name)
- symsanfast_binary = os.path.join(
- get_symsan_build_fast_dir(target_binary_directory), target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary):
- flags += ['-c', cmplog_target_binary]
-
- if not skip:
- if not flags or not flags[0] == '-Q' and '-p' not in flags:
- flags += ['-p', 'fast']
- if ((not flags or (not '-l' in flags and not '-R' in flags)) and
- os.path.exists(cmplog_target_binary)):
- flags += ['-l', '2']
- os.environ['AFL_DISABLE_TRIM'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
- print('target binary is ' + target_binary)
- #run fastgen
- fastgen_cmd = [
- '/bin/bash', '-ex', '/out/fuz.sh', symsantrack_binary, symsanfast_binary
- ]
- fastgen_restart_cmd = [
- '/bin/bash', '-ex', '/out/fres.sh', symsantrack_binary,
- symsanfast_binary
- ]
-
- launch_afl_thread(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
-
- with subprocess.Popen(fastgen_cmd, stdout=None, stderr=None) as ori:
- ori.wait()
-
- while True:
- with subprocess.Popen(fastgen_restart_cmd, stdout=None,
- stderr=None) as res:
- res.wait()
diff --git a/fuzzers/symsan/gcry.abilist b/fuzzers/symsan/gcry.abilist
deleted file mode 100644
index 4e9720567..000000000
--- a/fuzzers/symsan/gcry.abilist
+++ /dev/null
@@ -1,877 +0,0 @@ -fun:__gcry_burn_stack=uninstrumented -fun:_gcry_3des_amd64_cbc_dec=uninstrumented -fun:_gcry_3des_amd64_cfb_dec=uninstrumented -fun:_gcry_3des_amd64_crypt_block=uninstrumented -fun:_gcry_3des_amd64_ctr_enc=uninstrumented -fun:_gcry_3des_cbc_dec=uninstrumented -fun:_gcry_3des_cfb_dec=uninstrumented -fun:_gcry_3des_ctr_enc=uninstrumented -fun:_gcry_Camellia_DecryptBlock=uninstrumented -fun:_gcry_Camellia_Ekeygen=uninstrumented -fun:_gcry_Camellia_EncryptBlock=uninstrumented -fun:_gcry_aes_aesni_cbc_dec=uninstrumented -fun:_gcry_aes_aesni_cbc_enc=uninstrumented -fun:_gcry_aes_aesni_cfb_dec=uninstrumented -fun:_gcry_aes_aesni_cfb_enc=uninstrumented -fun:_gcry_aes_aesni_ctr_enc=uninstrumented -fun:_gcry_aes_aesni_decrypt=uninstrumented -fun:_gcry_aes_aesni_do_setkey=uninstrumented -fun:_gcry_aes_aesni_encrypt=uninstrumented -fun:_gcry_aes_aesni_ocb_auth=uninstrumented -fun:_gcry_aes_aesni_ocb_crypt=uninstrumented -fun:_gcry_aes_aesni_prepare_decryption=uninstrumented -fun:_gcry_aes_amd64_decrypt_block=uninstrumented -fun:_gcry_aes_amd64_encrypt_block=uninstrumented -fun:_gcry_aes_cbc_dec=uninstrumented -fun:_gcry_aes_cbc_enc=uninstrumented -fun:_gcry_aes_cfb_dec=uninstrumented -fun:_gcry_aes_cfb_enc=uninstrumented -fun:_gcry_aes_ctr_enc=uninstrumented -fun:_gcry_aes_ocb_auth=uninstrumented -fun:_gcry_aes_ocb_crypt=uninstrumented -fun:_gcry_aes_padlock_decrypt=uninstrumented -fun:_gcry_aes_padlock_encrypt=uninstrumented -fun:_gcry_aes_ssse3_cbc_dec=uninstrumented -fun:_gcry_aes_ssse3_cbc_enc=uninstrumented -fun:_gcry_aes_ssse3_cfb_dec=uninstrumented -fun:_gcry_aes_ssse3_cfb_enc=uninstrumented -fun:_gcry_aes_ssse3_ctr_enc=uninstrumented -fun:_gcry_aes_ssse3_dec_preload=uninstrumented -fun:_gcry_aes_ssse3_decrypt=uninstrumented -fun:_gcry_aes_ssse3_decrypt_core=uninstrumented -fun:_gcry_aes_ssse3_do_setkey=uninstrumented -fun:_gcry_aes_ssse3_enc_preload=uninstrumented -fun:_gcry_aes_ssse3_encrypt=uninstrumented 
-fun:_gcry_aes_ssse3_encrypt_core=uninstrumented -fun:_gcry_aes_ssse3_ocb_auth=uninstrumented -fun:_gcry_aes_ssse3_ocb_crypt=uninstrumented -fun:_gcry_aes_ssse3_prepare_decryption=uninstrumented -fun:_gcry_aes_ssse3_schedule_core=uninstrumented -fun:_gcry_arcfour_amd64=uninstrumented -fun:_gcry_assert_failed=uninstrumented -fun:_gcry_blake2_init_with_key=uninstrumented -fun:_gcry_blowfish_amd64_cbc_dec=uninstrumented -fun:_gcry_blowfish_amd64_cfb_dec=uninstrumented -fun:_gcry_blowfish_amd64_ctr_enc=uninstrumented -fun:_gcry_blowfish_amd64_decrypt_block=uninstrumented -fun:_gcry_blowfish_amd64_do_encrypt=uninstrumented -fun:_gcry_blowfish_amd64_encrypt_block=uninstrumented -fun:_gcry_blowfish_cbc_dec=uninstrumented -fun:_gcry_blowfish_cfb_dec=uninstrumented -fun:_gcry_blowfish_ctr_enc=uninstrumented -fun:_gcry_bug=uninstrumented -fun:_gcry_calloc=uninstrumented -fun:_gcry_calloc_secure=uninstrumented -fun:_gcry_camellia_aesni_avx2_cbc_dec=uninstrumented -fun:_gcry_camellia_aesni_avx2_cfb_dec=uninstrumented -fun:_gcry_camellia_aesni_avx2_ctr_enc=uninstrumented -fun:_gcry_camellia_aesni_avx2_ocb_auth=uninstrumented -fun:_gcry_camellia_aesni_avx2_ocb_dec=uninstrumented -fun:_gcry_camellia_aesni_avx2_ocb_enc=uninstrumented -fun:_gcry_camellia_aesni_avx_cbc_dec=uninstrumented -fun:_gcry_camellia_aesni_avx_cfb_dec=uninstrumented -fun:_gcry_camellia_aesni_avx_ctr_enc=uninstrumented -fun:_gcry_camellia_aesni_avx_keygen=uninstrumented -fun:_gcry_camellia_aesni_avx_ocb_auth=uninstrumented -fun:_gcry_camellia_aesni_avx_ocb_dec=uninstrumented -fun:_gcry_camellia_aesni_avx_ocb_enc=uninstrumented -fun:_gcry_camellia_cbc_dec=uninstrumented -fun:_gcry_camellia_cfb_dec=uninstrumented -fun:_gcry_camellia_ctr_enc=uninstrumented -fun:_gcry_camellia_decrypt128=uninstrumented -fun:_gcry_camellia_decrypt256=uninstrumented -fun:_gcry_camellia_encrypt128=uninstrumented -fun:_gcry_camellia_encrypt256=uninstrumented -fun:_gcry_camellia_ocb_auth=uninstrumented 
-fun:_gcry_camellia_ocb_crypt=uninstrumented -fun:_gcry_camellia_setup128=uninstrumented -fun:_gcry_camellia_setup192=uninstrumented -fun:_gcry_camellia_setup256=uninstrumented -fun:_gcry_cast5_amd64_cbc_dec=uninstrumented -fun:_gcry_cast5_amd64_cfb_dec=uninstrumented -fun:_gcry_cast5_amd64_ctr_enc=uninstrumented -fun:_gcry_cast5_amd64_decrypt_block=uninstrumented -fun:_gcry_cast5_amd64_encrypt_block=uninstrumented -fun:_gcry_cast5_cbc_dec=uninstrumented -fun:_gcry_cast5_cfb_dec=uninstrumented -fun:_gcry_cast5_ctr_enc=uninstrumented -fun:_gcry_chacha20_amd64_avx2_blocks=uninstrumented -fun:_gcry_chacha20_amd64_sse2_blocks=uninstrumented -fun:_gcry_chacha20_amd64_ssse3_blocks=uninstrumented -fun:_gcry_check_heap=uninstrumented -fun:_gcry_check_version=uninstrumented -fun:_gcry_cipher_aeswrap_decrypt=uninstrumented -fun:_gcry_cipher_aeswrap_encrypt=uninstrumented -fun:_gcry_cipher_algo_info=uninstrumented -fun:_gcry_cipher_algo_name=uninstrumented -fun:_gcry_cipher_authenticate=uninstrumented -fun:_gcry_cipher_cbc_decrypt=uninstrumented -fun:_gcry_cipher_cbc_encrypt=uninstrumented -fun:_gcry_cipher_ccm_authenticate=uninstrumented -fun:_gcry_cipher_ccm_check_tag=uninstrumented -fun:_gcry_cipher_ccm_decrypt=uninstrumented -fun:_gcry_cipher_ccm_encrypt=uninstrumented -fun:_gcry_cipher_ccm_get_tag=uninstrumented -fun:_gcry_cipher_ccm_set_lengths=uninstrumented -fun:_gcry_cipher_ccm_set_nonce=uninstrumented -fun:_gcry_cipher_ccm_tag=uninstrumented -fun:_gcry_cipher_cfb8_decrypt=uninstrumented -fun:_gcry_cipher_cfb8_encrypt=uninstrumented -fun:_gcry_cipher_cfb_decrypt=uninstrumented -fun:_gcry_cipher_cfb_encrypt=uninstrumented -fun:_gcry_cipher_checktag=uninstrumented -fun:_gcry_cipher_close=uninstrumented -fun:_gcry_cipher_cmac_authenticate=uninstrumented -fun:_gcry_cipher_cmac_check_tag=uninstrumented -fun:_gcry_cipher_cmac_get_tag=uninstrumented -fun:_gcry_cipher_cmac_set_subkeys=uninstrumented -fun:_gcry_cipher_ctl=uninstrumented 
-fun:_gcry_cipher_ctr_encrypt=uninstrumented -fun:_gcry_cipher_decrypt=uninstrumented -fun:_gcry_cipher_encrypt=uninstrumented -fun:_gcry_cipher_gcm_authenticate=uninstrumented -fun:_gcry_cipher_gcm_check_tag=uninstrumented -fun:_gcry_cipher_gcm_decrypt=uninstrumented -fun:_gcry_cipher_gcm_encrypt=uninstrumented -fun:_gcry_cipher_gcm_get_tag=uninstrumented -fun:_gcry_cipher_gcm_setiv=uninstrumented -fun:_gcry_cipher_gcm_setkey=uninstrumented -fun:_gcry_cipher_get_algo_blklen=uninstrumented -fun:_gcry_cipher_get_algo_keylen=uninstrumented -fun:_gcry_cipher_getctr=uninstrumented -fun:_gcry_cipher_gettag=uninstrumented -fun:_gcry_cipher_info=uninstrumented -fun:_gcry_cipher_init=uninstrumented -fun:_gcry_cipher_map_name=uninstrumented -fun:_gcry_cipher_mode_from_oid=uninstrumented -fun:_gcry_cipher_ocb_authenticate=uninstrumented -fun:_gcry_cipher_ocb_check_tag=uninstrumented -fun:_gcry_cipher_ocb_decrypt=uninstrumented -fun:_gcry_cipher_ocb_encrypt=uninstrumented -fun:_gcry_cipher_ocb_get_tag=uninstrumented -fun:_gcry_cipher_ocb_set_nonce=uninstrumented -fun:_gcry_cipher_ofb_encrypt=uninstrumented -fun:_gcry_cipher_open=uninstrumented -fun:_gcry_cipher_open_internal=uninstrumented -fun:_gcry_cipher_poly1305_authenticate=uninstrumented -fun:_gcry_cipher_poly1305_check_tag=uninstrumented -fun:_gcry_cipher_poly1305_decrypt=uninstrumented -fun:_gcry_cipher_poly1305_encrypt=uninstrumented -fun:_gcry_cipher_poly1305_get_tag=uninstrumented -fun:_gcry_cipher_poly1305_setiv=uninstrumented -fun:_gcry_cipher_poly1305_setkey=uninstrumented -fun:_gcry_cipher_selftest=uninstrumented -fun:_gcry_cipher_selftest_alloc_ctx=uninstrumented -fun:_gcry_cipher_setctr=uninstrumented -fun:_gcry_cipher_setiv=uninstrumented -fun:_gcry_cipher_setkey=uninstrumented -fun:_gcry_cipher_xts_crypt=uninstrumented -fun:_gcry_compat_identification=uninstrumented -fun:_gcry_crc24rfc2440_intel_pclmul=uninstrumented -fun:_gcry_crc32_intel_pclmul=uninstrumented -fun:_gcry_create_nonce=uninstrumented 
-fun:_gcry_ctx_alloc=uninstrumented -fun:_gcry_ctx_find_pointer=uninstrumented -fun:_gcry_ctx_get_pointer=uninstrumented -fun:_gcry_ctx_release=uninstrumented -fun:_gcry_derive_x931_prime=uninstrumented -fun:_gcry_detect_hw_features=uninstrumented -fun:_gcry_disable_hw_feature=uninstrumented -fun:_gcry_divide_by_zero=uninstrumented -fun:_gcry_dsa_gen_k=uninstrumented -fun:_gcry_dsa_gen_rfc6979_k=uninstrumented -fun:_gcry_dsa_modify_k=uninstrumented -fun:_gcry_dsa_normalize_hash=uninstrumented -fun:_gcry_ecc_compute_public=uninstrumented -fun:_gcry_ecc_curve_copy=uninstrumented -fun:_gcry_ecc_curve_free=uninstrumented -fun:_gcry_ecc_dialect2str=uninstrumented -fun:_gcry_ecc_ec2os=uninstrumented -fun:_gcry_ecc_ecdsa_sign=uninstrumented -fun:_gcry_ecc_ecdsa_verify=uninstrumented -fun:_gcry_ecc_eddsa_compute_h_d=uninstrumented -fun:_gcry_ecc_eddsa_decodepoint=uninstrumented -fun:_gcry_ecc_eddsa_encodepoint=uninstrumented -fun:_gcry_ecc_eddsa_ensure_compact=uninstrumented -fun:_gcry_ecc_eddsa_genkey=uninstrumented -fun:_gcry_ecc_eddsa_recover_x=uninstrumented -fun:_gcry_ecc_eddsa_sign=uninstrumented -fun:_gcry_ecc_eddsa_verify=uninstrumented -fun:_gcry_ecc_fill_in_curve=uninstrumented -fun:_gcry_ecc_get_curve=uninstrumented -fun:_gcry_ecc_get_mpi=uninstrumented -fun:_gcry_ecc_get_param_sexp=uninstrumented -fun:_gcry_ecc_get_point=uninstrumented -fun:_gcry_ecc_gost_sign=uninstrumented -fun:_gcry_ecc_gost_verify=uninstrumented -fun:_gcry_ecc_model2str=uninstrumented -fun:_gcry_ecc_mont_decodepoint=uninstrumented -fun:_gcry_ecc_os2ec=uninstrumented -fun:_gcry_ecc_set_mpi=uninstrumented -fun:_gcry_ecc_set_point=uninstrumented -fun:_gcry_ecc_update_curve_param=uninstrumented -fun:_gcry_enable_quick_random_gen=uninstrumented -fun:_gcry_enforced_fips_mode=uninstrumented -fun:_gcry_enum_hw_features=uninstrumented -fun:_gcry_fast_random_poll=uninstrumented -fun:_gcry_fatal_error=uninstrumented -fun:_gcry_fips186_4_prime_check=uninstrumented 
-fun:_gcry_fips_is_operational=uninstrumented -fun:_gcry_fips_mode=uninstrumented -fun:_gcry_fips_noreturn=uninstrumented -fun:_gcry_fips_run_selftests=uninstrumented -fun:_gcry_fips_signal_error=uninstrumented -fun:_gcry_fips_test_error_or_operational=uninstrumented -fun:_gcry_fips_test_operational=uninstrumented -fun:_gcry_free=uninstrumented -fun:_gcry_generate_elg_prime=uninstrumented -fun:_gcry_generate_fips186_2_prime=uninstrumented -fun:_gcry_generate_fips186_3_prime=uninstrumented -fun:_gcry_generate_public_prime=uninstrumented -fun:_gcry_generate_secret_prime=uninstrumented -fun:_gcry_get_config=uninstrumented -fun:_gcry_get_debug_flag=uninstrumented -fun:_gcry_get_hw_features=uninstrumented -fun:_gcry_get_rng_type=uninstrumented -fun:_gcry_gettext=uninstrumented -fun:_gcry_ghash_intel_pclmul=uninstrumented -fun:_gcry_ghash_setup_intel_pclmul=uninstrumented -fun:_gcry_global_is_operational=uninstrumented -fun:_gcry_gost_enc_data=uninstrumented -fun:_gcry_hash_selftest_check_one=uninstrumented -fun:_gcry_hmac256_file=uninstrumented -fun:_gcry_hmac256_finalize=uninstrumented -fun:_gcry_hmac256_new=uninstrumented -fun:_gcry_hmac256_release=uninstrumented -fun:_gcry_hmac256_update=uninstrumented -fun:_gcry_hmac_selftest=uninstrumented -fun:_gcry_hwf_detect_x86=uninstrumented -fun:_gcry_inactivate_fips_mode=uninstrumented -fun:_gcry_initialize_fips_mode=uninstrumented -fun:_gcry_is_fips_mode_inactive=uninstrumented -fun:_gcry_is_secure=uninstrumented -fun:_gcry_kdf_derive=uninstrumented -fun:_gcry_kdf_pkdf2=uninstrumented -fun:_gcry_kdf_scrypt=uninstrumented -fun:_gcry_log=uninstrumented -fun:_gcry_log_bug=uninstrumented -fun:_gcry_log_debug=uninstrumented -fun:_gcry_log_error=uninstrumented -fun:_gcry_log_fatal=uninstrumented -fun:_gcry_log_info=uninstrumented -fun:_gcry_log_printf=uninstrumented -fun:_gcry_log_printhex=uninstrumented -fun:_gcry_log_printmpi=uninstrumented -fun:_gcry_log_printsxp=uninstrumented -fun:_gcry_log_verbosity=uninstrumented 
-fun:_gcry_logv=uninstrumented -fun:_gcry_mac_algo_info=uninstrumented -fun:_gcry_mac_algo_name=uninstrumented -fun:_gcry_mac_close=uninstrumented -fun:_gcry_mac_ctl=uninstrumented -fun:_gcry_mac_get_algo=uninstrumented -fun:_gcry_mac_get_algo_keylen=uninstrumented -fun:_gcry_mac_get_algo_maclen=uninstrumented -fun:_gcry_mac_init=uninstrumented -fun:_gcry_mac_map_name=uninstrumented -fun:_gcry_mac_open=uninstrumented -fun:_gcry_mac_read=uninstrumented -fun:_gcry_mac_setiv=uninstrumented -fun:_gcry_mac_setkey=uninstrumented -fun:_gcry_mac_verify=uninstrumented -fun:_gcry_mac_write=uninstrumented -fun:_gcry_malloc=uninstrumented -fun:_gcry_malloc_secure=uninstrumented -fun:_gcry_md_algo_info=uninstrumented -fun:_gcry_md_algo_name=uninstrumented -fun:_gcry_md_block_write=uninstrumented -fun:_gcry_md_close=uninstrumented -fun:_gcry_md_copy=uninstrumented -fun:_gcry_md_ctl=uninstrumented -fun:_gcry_md_debug=uninstrumented -fun:_gcry_md_enable=uninstrumented -fun:_gcry_md_extract=uninstrumented -fun:_gcry_md_get=uninstrumented -fun:_gcry_md_get_algo=uninstrumented -fun:_gcry_md_get_algo_dlen=uninstrumented -fun:_gcry_md_hash_buffer=uninstrumented -fun:_gcry_md_hash_buffers=uninstrumented -fun:_gcry_md_info=uninstrumented -fun:_gcry_md_init=uninstrumented -fun:_gcry_md_is_enabled=uninstrumented -fun:_gcry_md_is_secure=uninstrumented -fun:_gcry_md_map_name=uninstrumented -fun:_gcry_md_open=uninstrumented -fun:_gcry_md_read=uninstrumented -fun:_gcry_md_reset=uninstrumented -fun:_gcry_md_selftest=uninstrumented -fun:_gcry_md_setkey=uninstrumented -fun:_gcry_md_write=uninstrumented -fun:_gcry_mpi_abs=uninstrumented -fun:_gcry_mpi_add=uninstrumented -fun:_gcry_mpi_add_ui=uninstrumented -fun:_gcry_mpi_addm=uninstrumented -fun:_gcry_mpi_alloc=uninstrumented -fun:_gcry_mpi_alloc_like=uninstrumented -fun:_gcry_mpi_alloc_limb_space=uninstrumented -fun:_gcry_mpi_alloc_secure=uninstrumented -fun:_gcry_mpi_alloc_set_ui=uninstrumented -fun:_gcry_mpi_aprint=uninstrumented 
-fun:_gcry_mpi_assign_limb_space=uninstrumented -fun:_gcry_mpi_barrett_free=uninstrumented -fun:_gcry_mpi_barrett_init=uninstrumented -fun:_gcry_mpi_clear=uninstrumented -fun:_gcry_mpi_clear_bit=uninstrumented -fun:_gcry_mpi_clear_flag=uninstrumented -fun:_gcry_mpi_clear_highbit=uninstrumented -fun:_gcry_mpi_cmp=uninstrumented -fun:_gcry_mpi_cmp_ui=uninstrumented -fun:_gcry_mpi_cmpabs=uninstrumented -fun:_gcry_mpi_const=uninstrumented -fun:_gcry_mpi_copy=uninstrumented -fun:_gcry_mpi_div=uninstrumented -fun:_gcry_mpi_divisible_ui=uninstrumented -fun:_gcry_mpi_ec_add_points=uninstrumented -fun:_gcry_mpi_ec_bad_point=uninstrumented -fun:_gcry_mpi_ec_curve_point=uninstrumented -fun:_gcry_mpi_ec_decode_point=uninstrumented -fun:_gcry_mpi_ec_dup_point=uninstrumented -fun:_gcry_mpi_ec_ec2os=uninstrumented -fun:_gcry_mpi_ec_ed25519_mod=uninstrumented -fun:_gcry_mpi_ec_free=uninstrumented -fun:_gcry_mpi_ec_get_affine=uninstrumented -fun:_gcry_mpi_ec_get_mpi=uninstrumented -fun:_gcry_mpi_ec_get_point=uninstrumented -fun:_gcry_mpi_ec_get_reset=uninstrumented -fun:_gcry_mpi_ec_mul_point=uninstrumented -fun:_gcry_mpi_ec_new=uninstrumented -fun:_gcry_mpi_ec_p_internal_new=uninstrumented -fun:_gcry_mpi_ec_p_new=uninstrumented -fun:_gcry_mpi_ec_set_mpi=uninstrumented -fun:_gcry_mpi_ec_set_point=uninstrumented -fun:_gcry_mpi_ec_sub_points=uninstrumented -fun:_gcry_mpi_fdiv_q=uninstrumented -fun:_gcry_mpi_fdiv_qr=uninstrumented -fun:_gcry_mpi_fdiv_r=uninstrumented -fun:_gcry_mpi_fdiv_r_ui=uninstrumented -fun:_gcry_mpi_free=uninstrumented -fun:_gcry_mpi_free_limb_space=uninstrumented -fun:_gcry_mpi_gcd=uninstrumented -fun:_gcry_mpi_get_buffer=uninstrumented -fun:_gcry_mpi_get_buffer_extra=uninstrumented -fun:_gcry_mpi_get_const=uninstrumented -fun:_gcry_mpi_get_flag=uninstrumented -fun:_gcry_mpi_get_hw_config=uninstrumented -fun:_gcry_mpi_get_nbits=uninstrumented -fun:_gcry_mpi_get_opaque=uninstrumented -fun:_gcry_mpi_get_opaque_copy=uninstrumented 
-fun:_gcry_mpi_get_secure_buffer=uninstrumented -fun:_gcry_mpi_get_ui=uninstrumented -fun:_gcry_mpi_immutable_failed=uninstrumented -fun:_gcry_mpi_init=uninstrumented -fun:_gcry_mpi_invm=uninstrumented -fun:_gcry_mpi_is_neg=uninstrumented -fun:_gcry_mpi_lshift=uninstrumented -fun:_gcry_mpi_lshift_limbs=uninstrumented -fun:_gcry_mpi_m_check=uninstrumented -fun:_gcry_mpi_mod=uninstrumented -fun:_gcry_mpi_mod_barrett=uninstrumented -fun:_gcry_mpi_mul=uninstrumented -fun:_gcry_mpi_mul_2exp=uninstrumented -fun:_gcry_mpi_mul_barrett=uninstrumented -fun:_gcry_mpi_mul_ui=uninstrumented -fun:_gcry_mpi_mulm=uninstrumented -fun:_gcry_mpi_mulpowm=uninstrumented -fun:_gcry_mpi_neg=uninstrumented -fun:_gcry_mpi_new=uninstrumented -fun:_gcry_mpi_normalize=uninstrumented -fun:_gcry_mpi_point_copy=uninstrumented -fun:_gcry_mpi_point_free_parts=uninstrumented -fun:_gcry_mpi_point_get=uninstrumented -fun:_gcry_mpi_point_init=uninstrumented -fun:_gcry_mpi_point_log=uninstrumented -fun:_gcry_mpi_point_new=uninstrumented -fun:_gcry_mpi_point_release=uninstrumented -fun:_gcry_mpi_point_set=uninstrumented -fun:_gcry_mpi_point_snatch_get=uninstrumented -fun:_gcry_mpi_point_snatch_set=uninstrumented -fun:_gcry_mpi_powm=uninstrumented -fun:_gcry_mpi_print=uninstrumented -fun:_gcry_mpi_randomize=uninstrumented -fun:_gcry_mpi_release=uninstrumented -fun:_gcry_mpi_resize=uninstrumented -fun:_gcry_mpi_rshift=uninstrumented -fun:_gcry_mpi_rshift_limbs=uninstrumented -fun:_gcry_mpi_scan=uninstrumented -fun:_gcry_mpi_set=uninstrumented -fun:_gcry_mpi_set_bit=uninstrumented -fun:_gcry_mpi_set_buffer=uninstrumented -fun:_gcry_mpi_set_cond=uninstrumented -fun:_gcry_mpi_set_flag=uninstrumented -fun:_gcry_mpi_set_highbit=uninstrumented -fun:_gcry_mpi_set_opaque=uninstrumented -fun:_gcry_mpi_set_opaque_copy=uninstrumented -fun:_gcry_mpi_set_ui=uninstrumented -fun:_gcry_mpi_snatch=uninstrumented -fun:_gcry_mpi_snew=uninstrumented -fun:_gcry_mpi_sub=uninstrumented -fun:_gcry_mpi_sub_ui=uninstrumented 
-fun:_gcry_mpi_subm=uninstrumented -fun:_gcry_mpi_swap=uninstrumented -fun:_gcry_mpi_swap_cond=uninstrumented -fun:_gcry_mpi_tdiv_q_2exp=uninstrumented -fun:_gcry_mpi_tdiv_qr=uninstrumented -fun:_gcry_mpi_tdiv_r=uninstrumented -fun:_gcry_mpi_test_bit=uninstrumented -fun:_gcry_mpi_to_octet_string=uninstrumented -fun:_gcry_mpi_trailing_zeros=uninstrumented -fun:_gcry_mpih_add=uninstrumented -fun:_gcry_mpih_add_1=uninstrumented -fun:_gcry_mpih_cmp=uninstrumented -fun:_gcry_mpih_divmod_1=uninstrumented -fun:_gcry_mpih_divrem=uninstrumented -fun:_gcry_mpih_mod_1=uninstrumented -fun:_gcry_mpih_mul=uninstrumented -fun:_gcry_mpih_mul_karatsuba_case=uninstrumented -fun:_gcry_mpih_mul_n=uninstrumented -fun:_gcry_mpih_release_karatsuba_ctx=uninstrumented -fun:_gcry_mpih_sqr_n=uninstrumented -fun:_gcry_mpih_sqr_n_basecase=uninstrumented -fun:_gcry_mpih_sub=uninstrumented -fun:_gcry_mpih_sub_1=uninstrumented -fun:_gcry_pk_algo_info=uninstrumented -fun:_gcry_pk_algo_name=uninstrumented -fun:_gcry_pk_ctl=uninstrumented -fun:_gcry_pk_decrypt=uninstrumented -fun:_gcry_pk_ecc_get_sexp=uninstrumented -fun:_gcry_pk_encrypt=uninstrumented -fun:_gcry_pk_genkey=uninstrumented -fun:_gcry_pk_get_curve=uninstrumented -fun:_gcry_pk_get_keygrip=uninstrumented -fun:_gcry_pk_get_nbits=uninstrumented -fun:_gcry_pk_get_param=uninstrumented -fun:_gcry_pk_init=uninstrumented -fun:_gcry_pk_map_name=uninstrumented -fun:_gcry_pk_selftest=uninstrumented -fun:_gcry_pk_sign=uninstrumented -fun:_gcry_pk_testkey=uninstrumented -fun:_gcry_pk_util_data_to_mpi=uninstrumented -fun:_gcry_pk_util_free_encoding_ctx=uninstrumented -fun:_gcry_pk_util_get_nbits=uninstrumented -fun:_gcry_pk_util_get_rsa_use_e=uninstrumented -fun:_gcry_pk_util_init_encoding_ctx=uninstrumented -fun:_gcry_pk_util_parse_flaglist=uninstrumented -fun:_gcry_pk_util_preparse_encval=uninstrumented -fun:_gcry_pk_util_preparse_sigval=uninstrumented -fun:_gcry_pk_verify=uninstrumented -fun:_gcry_poly1305_amd64_avx2_blocks=uninstrumented 
-fun:_gcry_poly1305_amd64_avx2_finish_ext=uninstrumented -fun:_gcry_poly1305_amd64_avx2_init_ext=uninstrumented -fun:_gcry_poly1305_amd64_sse2_blocks=uninstrumented -fun:_gcry_poly1305_amd64_sse2_finish_ext=uninstrumented -fun:_gcry_poly1305_amd64_sse2_init_ext=uninstrumented -fun:_gcry_poly1305_finish=uninstrumented -fun:_gcry_poly1305_init=uninstrumented -fun:_gcry_poly1305_update=uninstrumented -fun:_gcry_post_syscall=uninstrumented -fun:_gcry_pre_syscall=uninstrumented -fun:_gcry_prime_check=uninstrumented -fun:_gcry_prime_generate=uninstrumented -fun:_gcry_prime_group_generator=uninstrumented -fun:_gcry_prime_release_factors=uninstrumented -fun:_gcry_primegen_init=uninstrumented -fun:_gcry_private_check_heap=uninstrumented -fun:_gcry_private_enable_m_guard=uninstrumented -fun:_gcry_private_free=uninstrumented -fun:_gcry_private_is_secure=uninstrumented -fun:_gcry_private_malloc=uninstrumented -fun:_gcry_private_malloc_secure=uninstrumented -fun:_gcry_private_realloc=uninstrumented -fun:_gcry_pubkey_get_sexp=uninstrumented -fun:_gcry_random_add_bytes=uninstrumented -fun:_gcry_random_bytes=uninstrumented -fun:_gcry_random_bytes_secure=uninstrumented -fun:_gcry_random_close_fds=uninstrumented -fun:_gcry_random_dump_stats=uninstrumented -fun:_gcry_random_initialize=uninstrumented -fun:_gcry_random_is_faked=uninstrumented -fun:_gcry_random_progress=uninstrumented -fun:_gcry_random_read_conf=uninstrumented -fun:_gcry_random_selftest=uninstrumented -fun:_gcry_randomize=uninstrumented -fun:_gcry_realloc=uninstrumented -fun:_gcry_register_pk_dsa_progress=uninstrumented -fun:_gcry_register_pk_ecc_progress=uninstrumented -fun:_gcry_register_pk_elg_progress=uninstrumented -fun:_gcry_register_primegen_progress=uninstrumented -fun:_gcry_register_random_progress=uninstrumented -fun:_gcry_rmd160_hash_buffer=uninstrumented -fun:_gcry_rndhw_failed_p=uninstrumented -fun:_gcry_rndhw_poll_fast=uninstrumented -fun:_gcry_rndhw_poll_slow=uninstrumented 
-fun:_gcry_rndjent_dump_stats=uninstrumented -fun:_gcry_rndjent_get_version=uninstrumented -fun:_gcry_rndjent_poll=uninstrumented -fun:_gcry_rndlinux_gather_random=uninstrumented -fun:_gcry_rngcsprng_add_bytes=uninstrumented -fun:_gcry_rngcsprng_close_fds=uninstrumented -fun:_gcry_rngcsprng_dump_stats=uninstrumented -fun:_gcry_rngcsprng_enable_quick_gen=uninstrumented -fun:_gcry_rngcsprng_fast_poll=uninstrumented -fun:_gcry_rngcsprng_initialize=uninstrumented -fun:_gcry_rngcsprng_is_faked=uninstrumented -fun:_gcry_rngcsprng_randomize=uninstrumented -fun:_gcry_rngcsprng_secure_alloc=uninstrumented -fun:_gcry_rngcsprng_set_daemon_socket=uninstrumented -fun:_gcry_rngcsprng_set_seed_file=uninstrumented -fun:_gcry_rngcsprng_update_seed_file=uninstrumented -fun:_gcry_rngcsprng_use_daemon=uninstrumented -fun:_gcry_rngdrbg_add_bytes=uninstrumented -fun:_gcry_rngdrbg_cavs_test=uninstrumented -fun:_gcry_rngdrbg_close_fds=uninstrumented -fun:_gcry_rngdrbg_dump_stats=uninstrumented -fun:_gcry_rngdrbg_healthcheck_one=uninstrumented -fun:_gcry_rngdrbg_inititialize=uninstrumented -fun:_gcry_rngdrbg_is_faked=uninstrumented -fun:_gcry_rngdrbg_randomize=uninstrumented -fun:_gcry_rngdrbg_reinit=uninstrumented -fun:_gcry_rngdrbg_selftest=uninstrumented -fun:_gcry_rngsystem_add_bytes=uninstrumented -fun:_gcry_rngsystem_close_fds=uninstrumented -fun:_gcry_rngsystem_dump_stats=uninstrumented -fun:_gcry_rngsystem_initialize=uninstrumented -fun:_gcry_rngsystem_is_faked=uninstrumented -fun:_gcry_rngsystem_randomize=uninstrumented -fun:_gcry_rsa_oaep_decode=uninstrumented -fun:_gcry_rsa_oaep_encode=uninstrumented -fun:_gcry_rsa_pkcs1_decode_for_enc=uninstrumented -fun:_gcry_rsa_pkcs1_encode_for_enc=uninstrumented -fun:_gcry_rsa_pkcs1_encode_for_sig=uninstrumented -fun:_gcry_rsa_pkcs1_encode_raw_for_sig=uninstrumented -fun:_gcry_rsa_pss_encode=uninstrumented -fun:_gcry_rsa_pss_verify=uninstrumented -fun:_gcry_salsa20_amd64_encrypt_blocks=uninstrumented 
-fun:_gcry_salsa20_amd64_ivsetup=uninstrumented -fun:_gcry_salsa20_amd64_keysetup=uninstrumented -fun:_gcry_secmem_dump_stats=uninstrumented -fun:_gcry_secmem_free=uninstrumented -fun:_gcry_secmem_get_flags=uninstrumented -fun:_gcry_secmem_init=uninstrumented -fun:_gcry_secmem_malloc=uninstrumented -fun:_gcry_secmem_module_init=uninstrumented -fun:_gcry_secmem_realloc=uninstrumented -fun:_gcry_secmem_set_auto_expand=uninstrumented -fun:_gcry_secmem_set_flags=uninstrumented -fun:_gcry_secmem_term=uninstrumented -fun:_gcry_secure_random_alloc=uninstrumented -fun:_gcry_selftest_helper_cbc=uninstrumented -fun:_gcry_selftest_helper_cfb=uninstrumented -fun:_gcry_selftest_helper_ctr=uninstrumented -fun:_gcry_serpent_avx2_cbc_dec=uninstrumented -fun:_gcry_serpent_avx2_cfb_dec=uninstrumented -fun:_gcry_serpent_avx2_ctr_enc=uninstrumented -fun:_gcry_serpent_avx2_ocb_auth=uninstrumented -fun:_gcry_serpent_avx2_ocb_dec=uninstrumented -fun:_gcry_serpent_avx2_ocb_enc=uninstrumented -fun:_gcry_serpent_cbc_dec=uninstrumented -fun:_gcry_serpent_cfb_dec=uninstrumented -fun:_gcry_serpent_ctr_enc=uninstrumented -fun:_gcry_serpent_ocb_auth=uninstrumented -fun:_gcry_serpent_ocb_crypt=uninstrumented -fun:_gcry_serpent_sse2_cbc_dec=uninstrumented -fun:_gcry_serpent_sse2_cfb_dec=uninstrumented -fun:_gcry_serpent_sse2_ctr_enc=uninstrumented -fun:_gcry_serpent_sse2_ocb_auth=uninstrumented -fun:_gcry_serpent_sse2_ocb_dec=uninstrumented -fun:_gcry_serpent_sse2_ocb_enc=uninstrumented -fun:_gcry_set_allocation_handler=uninstrumented -fun:_gcry_set_enforced_fips_mode=uninstrumented -fun:_gcry_set_fatalerror_handler=uninstrumented -fun:_gcry_set_gettext_handler=uninstrumented -fun:_gcry_set_log_handler=uninstrumented -fun:_gcry_set_log_verbosity=uninstrumented -fun:_gcry_set_outofcore_handler=uninstrumented -fun:_gcry_set_preferred_rng_type=uninstrumented -fun:_gcry_set_progress_handler=uninstrumented -fun:_gcry_set_random_daemon_socket=uninstrumented -fun:_gcry_set_random_seed_file=uninstrumented 
-fun:_gcry_sexp_alist=uninstrumented -fun:_gcry_sexp_append=uninstrumented -fun:_gcry_sexp_build=uninstrumented -fun:_gcry_sexp_build_array=uninstrumented -fun:_gcry_sexp_cadr=uninstrumented -fun:_gcry_sexp_canon_len=uninstrumented -fun:_gcry_sexp_car=uninstrumented -fun:_gcry_sexp_cdr=uninstrumented -fun:_gcry_sexp_cons=uninstrumented -fun:_gcry_sexp_create=uninstrumented -fun:_gcry_sexp_dump=uninstrumented -fun:_gcry_sexp_extract_param=uninstrumented -fun:_gcry_sexp_find_token=uninstrumented -fun:_gcry_sexp_length=uninstrumented -fun:_gcry_sexp_new=uninstrumented -fun:_gcry_sexp_nth=uninstrumented -fun:_gcry_sexp_nth_buffer=uninstrumented -fun:_gcry_sexp_nth_data=uninstrumented -fun:_gcry_sexp_nth_mpi=uninstrumented -fun:_gcry_sexp_nth_string=uninstrumented -fun:_gcry_sexp_prepend=uninstrumented -fun:_gcry_sexp_release=uninstrumented -fun:_gcry_sexp_sprint=uninstrumented -fun:_gcry_sexp_sscan=uninstrumented -fun:_gcry_sexp_vbuild=uninstrumented -fun:_gcry_sexp_vextract_param=uninstrumented -fun:_gcry_sexp_vlist=uninstrumented -fun:_gcry_sha1_hash_buffer=uninstrumented -fun:_gcry_sha1_hash_buffers=uninstrumented -fun:_gcry_sha1_mixblock=uninstrumented -fun:_gcry_sha1_mixblock_init=uninstrumented -fun:_gcry_sha1_transform_amd64_avx=uninstrumented -fun:_gcry_sha1_transform_amd64_avx_bmi2=uninstrumented -fun:_gcry_sha1_transform_amd64_ssse3=uninstrumented -fun:_gcry_sha256_hash_buffer=uninstrumented -fun:_gcry_sha256_hash_buffers=uninstrumented -fun:_gcry_sha256_transform_amd64_avx=uninstrumented -fun:_gcry_sha256_transform_amd64_avx2=uninstrumented -fun:_gcry_sha256_transform_amd64_ssse3=uninstrumented -fun:_gcry_sha512_hash_buffer=uninstrumented -fun:_gcry_sha512_hash_buffers=uninstrumented -fun:_gcry_sha512_transform_amd64_avx=uninstrumented -fun:_gcry_sha512_transform_amd64_avx2=uninstrumented -fun:_gcry_sha512_transform_amd64_ssse3=uninstrumented -fun:_gcry_strdup=uninstrumented -fun:_gcry_strtokenize=uninstrumented 
-fun:_gcry_twofish_amd64_cbc_dec=uninstrumented -fun:_gcry_twofish_amd64_cfb_dec=uninstrumented -fun:_gcry_twofish_amd64_ctr_enc=uninstrumented -fun:_gcry_twofish_amd64_decrypt_block=uninstrumented -fun:_gcry_twofish_amd64_encrypt_block=uninstrumented -fun:_gcry_twofish_amd64_ocb_auth=uninstrumented -fun:_gcry_twofish_amd64_ocb_dec=uninstrumented -fun:_gcry_twofish_amd64_ocb_enc=uninstrumented -fun:_gcry_twofish_avx2_cbc_dec=uninstrumented -fun:_gcry_twofish_avx2_cfb_dec=uninstrumented -fun:_gcry_twofish_avx2_ctr_enc=uninstrumented -fun:_gcry_twofish_avx2_ocb_auth=uninstrumented -fun:_gcry_twofish_avx2_ocb_dec=uninstrumented -fun:_gcry_twofish_avx2_ocb_enc=uninstrumented -fun:_gcry_twofish_cbc_dec=uninstrumented -fun:_gcry_twofish_cfb_dec=uninstrumented -fun:_gcry_twofish_ctr_enc=uninstrumented -fun:_gcry_twofish_ocb_auth=uninstrumented -fun:_gcry_twofish_ocb_crypt=uninstrumented -fun:_gcry_update_random_seed_file=uninstrumented -fun:_gcry_use_random_daemon=uninstrumented -fun:_gcry_vcontrol=uninstrumented -fun:_gcry_whirlpool_transform_amd64=uninstrumented -fun:_gcry_xcalloc=uninstrumented -fun:_gcry_xcalloc_secure=uninstrumented -fun:_gcry_xmalloc=uninstrumented -fun:_gcry_xmalloc_secure=uninstrumented -fun:_gcry_xrealloc=uninstrumented -fun:_gcry_xstrdup=uninstrumented -fun:gcry_calloc=uninstrumented -fun:gcry_calloc_secure=uninstrumented -fun:gcry_check_version=uninstrumented -fun:gcry_cipher_algo_info=uninstrumented -fun:gcry_cipher_algo_name=uninstrumented -fun:gcry_cipher_authenticate=uninstrumented -fun:gcry_cipher_checktag=uninstrumented -fun:gcry_cipher_close=uninstrumented -fun:gcry_cipher_ctl=uninstrumented -fun:gcry_cipher_decrypt=uninstrumented -fun:gcry_cipher_encrypt=uninstrumented -fun:gcry_cipher_get_algo_blklen=uninstrumented -fun:gcry_cipher_get_algo_keylen=uninstrumented -fun:gcry_cipher_gettag=uninstrumented -fun:gcry_cipher_info=uninstrumented -fun:gcry_cipher_map_name=uninstrumented -fun:gcry_cipher_mode_from_oid=uninstrumented 
-fun:gcry_cipher_open=uninstrumented -fun:gcry_cipher_setctr=uninstrumented -fun:gcry_cipher_setiv=uninstrumented -fun:gcry_cipher_setkey=uninstrumented -fun:gcry_control=uninstrumented -fun:gcry_create_nonce=uninstrumented -fun:gcry_ctx_release=uninstrumented -fun:gcry_err_code_from_errno=uninstrumented -fun:gcry_err_code_to_errno=uninstrumented -fun:gcry_err_make_from_errno=uninstrumented -fun:gcry_error_from_errno=uninstrumented -fun:gcry_free=uninstrumented -fun:gcry_get_config=uninstrumented -fun:gcry_is_secure=uninstrumented -fun:gcry_kdf_derive=uninstrumented -fun:gcry_log_debug=uninstrumented -fun:gcry_log_debughex=uninstrumented -fun:gcry_log_debugmpi=uninstrumented -fun:gcry_log_debugpnt=uninstrumented -fun:gcry_log_debugsxp=uninstrumented -fun:gcry_mac_algo_info=uninstrumented -fun:gcry_mac_algo_name=uninstrumented -fun:gcry_mac_close=uninstrumented -fun:gcry_mac_ctl=uninstrumented -fun:gcry_mac_get_algo=uninstrumented -fun:gcry_mac_get_algo_keylen=uninstrumented -fun:gcry_mac_get_algo_maclen=uninstrumented -fun:gcry_mac_map_name=uninstrumented -fun:gcry_mac_open=uninstrumented -fun:gcry_mac_read=uninstrumented -fun:gcry_mac_setiv=uninstrumented -fun:gcry_mac_setkey=uninstrumented -fun:gcry_mac_verify=uninstrumented -fun:gcry_mac_write=uninstrumented -fun:gcry_malloc=uninstrumented -fun:gcry_malloc_secure=uninstrumented -fun:gcry_md_algo_info=uninstrumented -fun:gcry_md_algo_name=uninstrumented -fun:gcry_md_close=uninstrumented -fun:gcry_md_copy=uninstrumented -fun:gcry_md_ctl=uninstrumented -fun:gcry_md_debug=uninstrumented -fun:gcry_md_enable=uninstrumented -fun:gcry_md_extract=uninstrumented -fun:gcry_md_get_algo=uninstrumented -fun:gcry_md_get_algo_dlen=uninstrumented -fun:gcry_md_hash_buffer=uninstrumented -fun:gcry_md_hash_buffers=uninstrumented -fun:gcry_md_info=uninstrumented -fun:gcry_md_is_enabled=uninstrumented -fun:gcry_md_is_secure=uninstrumented -fun:gcry_md_map_name=uninstrumented -fun:gcry_md_open=uninstrumented 
-fun:gcry_md_read=uninstrumented -fun:gcry_md_reset=uninstrumented -fun:gcry_md_setkey=uninstrumented -fun:gcry_md_write=uninstrumented -fun:gcry_mpi_abs=uninstrumented -fun:gcry_mpi_add=uninstrumented -fun:gcry_mpi_add_ui=uninstrumented -fun:gcry_mpi_addm=uninstrumented -fun:gcry_mpi_aprint=uninstrumented -fun:gcry_mpi_clear_bit=uninstrumented -fun:gcry_mpi_clear_flag=uninstrumented -fun:gcry_mpi_clear_highbit=uninstrumented -fun:gcry_mpi_cmp=uninstrumented -fun:gcry_mpi_cmp_ui=uninstrumented -fun:gcry_mpi_copy=uninstrumented -fun:gcry_mpi_div=uninstrumented -fun:gcry_mpi_dump=uninstrumented -fun:gcry_mpi_ec_add=uninstrumented -fun:gcry_mpi_ec_curve_point=uninstrumented -fun:gcry_mpi_ec_decode_point=uninstrumented -fun:gcry_mpi_ec_dup=uninstrumented -fun:gcry_mpi_ec_get_affine=uninstrumented -fun:gcry_mpi_ec_get_mpi=uninstrumented -fun:gcry_mpi_ec_get_point=uninstrumented -fun:gcry_mpi_ec_mul=uninstrumented -fun:gcry_mpi_ec_new=uninstrumented -fun:gcry_mpi_ec_set_mpi=uninstrumented -fun:gcry_mpi_ec_set_point=uninstrumented -fun:gcry_mpi_ec_sub=uninstrumented -fun:gcry_mpi_gcd=uninstrumented -fun:gcry_mpi_get_flag=uninstrumented -fun:gcry_mpi_get_nbits=uninstrumented -fun:gcry_mpi_get_opaque=uninstrumented -fun:gcry_mpi_get_ui=uninstrumented -fun:gcry_mpi_invm=uninstrumented -fun:gcry_mpi_is_neg=uninstrumented -fun:gcry_mpi_lshift=uninstrumented -fun:gcry_mpi_mod=uninstrumented -fun:gcry_mpi_mul=uninstrumented -fun:gcry_mpi_mul_2exp=uninstrumented -fun:gcry_mpi_mul_ui=uninstrumented -fun:gcry_mpi_mulm=uninstrumented -fun:gcry_mpi_neg=uninstrumented -fun:gcry_mpi_new=uninstrumented -fun:gcry_mpi_point_copy=uninstrumented -fun:gcry_mpi_point_get=uninstrumented -fun:gcry_mpi_point_new=uninstrumented -fun:gcry_mpi_point_release=uninstrumented -fun:gcry_mpi_point_set=uninstrumented -fun:gcry_mpi_point_snatch_get=uninstrumented -fun:gcry_mpi_point_snatch_set=uninstrumented -fun:gcry_mpi_powm=uninstrumented -fun:gcry_mpi_print=uninstrumented 
-fun:gcry_mpi_randomize=uninstrumented -fun:gcry_mpi_release=uninstrumented -fun:gcry_mpi_rshift=uninstrumented -fun:gcry_mpi_scan=uninstrumented -fun:gcry_mpi_set=uninstrumented -fun:gcry_mpi_set_bit=uninstrumented -fun:gcry_mpi_set_flag=uninstrumented -fun:gcry_mpi_set_highbit=uninstrumented -fun:gcry_mpi_set_opaque=uninstrumented -fun:gcry_mpi_set_opaque_copy=uninstrumented -fun:gcry_mpi_set_ui=uninstrumented -fun:gcry_mpi_snatch=uninstrumented -fun:gcry_mpi_snew=uninstrumented -fun:gcry_mpi_sub=uninstrumented -fun:gcry_mpi_sub_ui=uninstrumented -fun:gcry_mpi_subm=uninstrumented -fun:gcry_mpi_swap=uninstrumented -fun:gcry_mpi_test_bit=uninstrumented -fun:gcry_pk_algo_info=uninstrumented -fun:gcry_pk_algo_name=uninstrumented -fun:gcry_pk_ctl=uninstrumented -fun:gcry_pk_decrypt=uninstrumented -fun:gcry_pk_encrypt=uninstrumented -fun:gcry_pk_genkey=uninstrumented -fun:gcry_pk_get_curve=uninstrumented -fun:gcry_pk_get_keygrip=uninstrumented -fun:gcry_pk_get_nbits=uninstrumented -fun:gcry_pk_get_param=uninstrumented -fun:gcry_pk_map_name=uninstrumented -fun:gcry_pk_sign=uninstrumented -fun:gcry_pk_testkey=uninstrumented -fun:gcry_pk_verify=uninstrumented -fun:gcry_prime_check=uninstrumented -fun:gcry_prime_generate=uninstrumented -fun:gcry_prime_group_generator=uninstrumented -fun:gcry_prime_release_factors=uninstrumented -fun:gcry_pubkey_get_sexp=uninstrumented -fun:gcry_random_add_bytes=uninstrumented -fun:gcry_random_bytes=uninstrumented -fun:gcry_random_bytes_secure=uninstrumented -fun:gcry_randomize=uninstrumented -fun:gcry_realloc=uninstrumented -fun:gcry_set_allocation_handler=uninstrumented -fun:gcry_set_fatalerror_handler=uninstrumented -fun:gcry_set_gettext_handler=uninstrumented -fun:gcry_set_log_handler=uninstrumented -fun:gcry_set_outofcore_handler=uninstrumented -fun:gcry_set_progress_handler=uninstrumented -fun:gcry_sexp_alist=uninstrumented -fun:gcry_sexp_append=uninstrumented -fun:gcry_sexp_build=uninstrumented 
-fun:gcry_sexp_build_array=uninstrumented -fun:gcry_sexp_cadr=uninstrumented -fun:gcry_sexp_canon_len=uninstrumented -fun:gcry_sexp_car=uninstrumented -fun:gcry_sexp_cdr=uninstrumented -fun:gcry_sexp_cons=uninstrumented -fun:gcry_sexp_create=uninstrumented -fun:gcry_sexp_dump=uninstrumented -fun:gcry_sexp_extract_param=uninstrumented -fun:gcry_sexp_find_token=uninstrumented -fun:gcry_sexp_length=uninstrumented -fun:gcry_sexp_new=uninstrumented -fun:gcry_sexp_nth=uninstrumented -fun:gcry_sexp_nth_buffer=uninstrumented -fun:gcry_sexp_nth_data=uninstrumented -fun:gcry_sexp_nth_mpi=uninstrumented -fun:gcry_sexp_nth_string=uninstrumented -fun:gcry_sexp_prepend=uninstrumented -fun:gcry_sexp_release=uninstrumented -fun:gcry_sexp_sprint=uninstrumented -fun:gcry_sexp_sscan=uninstrumented -fun:gcry_sexp_vlist=uninstrumented -fun:gcry_strdup=uninstrumented -fun:gcry_strerror=uninstrumented -fun:gcry_strsource=uninstrumented -fun:gcry_xcalloc=uninstrumented -fun:gcry_xcalloc_secure=uninstrumented -fun:gcry_xmalloc=uninstrumented -fun:gcry_xmalloc_secure=uninstrumented -fun:gcry_xrealloc=uninstrumented -fun:gcry_xstrdup=uninstrumented diff --git a/fuzzers/symsan/glib.abilist b/fuzzers/symsan/glib.abilist deleted file mode 100644 index dddc96754..000000000 --- a/fuzzers/symsan/glib.abilist +++ /dev/null 
@@ -1,1732 +0,0 @@ -fun:_g_async_queue_get_mutex=uninstrumented -fun:_g_charset_get_aliases=uninstrumented -fun:_g_locale_charset_raw=uninstrumented -fun:_g_locale_charset_unalias=uninstrumented -fun:_g_locale_get_charset_aliases=uninstrumented -fun:_g_log_fallback_handler=uninstrumented -fun:_g_main_create_unix_signal_watch=uninstrumented -fun:_g_utf8_normalize_wc=uninstrumented -fun:g_access=uninstrumented -fun:g_allocator_free=uninstrumented -fun:g_allocator_new=uninstrumented -fun:g_array_append_vals=uninstrumented -fun:g_array_binary_search=uninstrumented -fun:g_array_copy=uninstrumented -fun:g_array_free=uninstrumented -fun:g_array_get_element_size=uninstrumented -fun:g_array_insert_vals=uninstrumented -fun:g_array_new=uninstrumented -fun:g_array_prepend_vals=uninstrumented -fun:g_array_ref=uninstrumented -fun:g_array_remove_index=uninstrumented -fun:g_array_remove_index_fast=uninstrumented -fun:g_array_remove_range=uninstrumented -fun:g_array_set_clear_func=uninstrumented -fun:g_array_set_size=uninstrumented -fun:g_array_sized_new=uninstrumented -fun:g_array_sort=uninstrumented -fun:g_array_sort_with_data=uninstrumented -fun:g_array_steal=uninstrumented -fun:g_array_unref=uninstrumented -fun:g_ascii_digit_value=uninstrumented -fun:g_ascii_dtostr=uninstrumented -fun:g_ascii_formatd=uninstrumented -fun:g_ascii_strcasecmp=uninstrumented -fun:g_ascii_strdown=uninstrumented -fun:g_ascii_string_to_signed=uninstrumented -fun:g_ascii_string_to_unsigned=uninstrumented -fun:g_ascii_strncasecmp=uninstrumented -fun:g_ascii_strtod=uninstrumented -fun:g_ascii_strtoll=uninstrumented -fun:g_ascii_strtoull=uninstrumented -fun:g_ascii_strup=uninstrumented -fun:g_ascii_tolower=uninstrumented -fun:g_ascii_toupper=uninstrumented -fun:g_ascii_xdigit_value=uninstrumented -fun:g_assert_warning=uninstrumented -fun:g_assertion_message=uninstrumented -fun:g_assertion_message_cmpnum=uninstrumented -fun:g_assertion_message_cmpstr=uninstrumented 
-fun:g_assertion_message_error=uninstrumented -fun:g_assertion_message_expr=uninstrumented -fun:g_async_queue_length=uninstrumented -fun:g_async_queue_length_unlocked=uninstrumented -fun:g_async_queue_lock=uninstrumented -fun:g_async_queue_new=uninstrumented -fun:g_async_queue_new_full=uninstrumented -fun:g_async_queue_pop=uninstrumented -fun:g_async_queue_pop_unlocked=uninstrumented -fun:g_async_queue_push=uninstrumented -fun:g_async_queue_push_front=uninstrumented -fun:g_async_queue_push_front_unlocked=uninstrumented -fun:g_async_queue_push_sorted=uninstrumented -fun:g_async_queue_push_sorted_unlocked=uninstrumented -fun:g_async_queue_push_unlocked=uninstrumented -fun:g_async_queue_ref=uninstrumented -fun:g_async_queue_ref_unlocked=uninstrumented -fun:g_async_queue_remove=uninstrumented -fun:g_async_queue_remove_unlocked=uninstrumented -fun:g_async_queue_sort=uninstrumented -fun:g_async_queue_sort_unlocked=uninstrumented -fun:g_async_queue_timed_pop=uninstrumented -fun:g_async_queue_timed_pop_unlocked=uninstrumented -fun:g_async_queue_timeout_pop=uninstrumented -fun:g_async_queue_timeout_pop_unlocked=uninstrumented -fun:g_async_queue_try_pop=uninstrumented -fun:g_async_queue_try_pop_unlocked=uninstrumented -fun:g_async_queue_unlock=uninstrumented -fun:g_async_queue_unref=uninstrumented -fun:g_async_queue_unref_and_unlock=uninstrumented -fun:g_atexit=uninstrumented -fun:g_atomic_int_add=uninstrumented -fun:g_atomic_int_and=uninstrumented -fun:g_atomic_int_compare_and_exchange=uninstrumented -fun:g_atomic_int_dec_and_test=uninstrumented -fun:g_atomic_int_exchange_and_add=uninstrumented -fun:g_atomic_int_get=uninstrumented -fun:g_atomic_int_inc=uninstrumented -fun:g_atomic_int_or=uninstrumented -fun:g_atomic_int_set=uninstrumented -fun:g_atomic_int_xor=uninstrumented -fun:g_atomic_pointer_add=uninstrumented -fun:g_atomic_pointer_and=uninstrumented -fun:g_atomic_pointer_compare_and_exchange=uninstrumented -fun:g_atomic_pointer_get=uninstrumented 
-fun:g_atomic_pointer_or=uninstrumented -fun:g_atomic_pointer_set=uninstrumented -fun:g_atomic_pointer_xor=uninstrumented -fun:g_atomic_rc_box_acquire=uninstrumented -fun:g_atomic_rc_box_alloc=uninstrumented -fun:g_atomic_rc_box_alloc0=uninstrumented -fun:g_atomic_rc_box_dup=uninstrumented -fun:g_atomic_rc_box_get_size=uninstrumented -fun:g_atomic_rc_box_release=uninstrumented -fun:g_atomic_rc_box_release_full=uninstrumented -fun:g_atomic_ref_count_compare=uninstrumented -fun:g_atomic_ref_count_dec=uninstrumented -fun:g_atomic_ref_count_inc=uninstrumented -fun:g_atomic_ref_count_init=uninstrumented -fun:g_base64_decode=uninstrumented -fun:g_base64_decode_inplace=uninstrumented -fun:g_base64_decode_step=uninstrumented -fun:g_base64_encode=uninstrumented -fun:g_base64_encode_close=uninstrumented -fun:g_base64_encode_step=uninstrumented -fun:g_basename=uninstrumented -fun:g_bit_lock=uninstrumented -fun:g_bit_nth_lsf=uninstrumented -fun:g_bit_nth_msf=uninstrumented -fun:g_bit_storage=uninstrumented -fun:g_bit_trylock=uninstrumented -fun:g_bit_unlock=uninstrumented -fun:g_blow_chunks=uninstrumented -fun:g_bookmark_file_add_application=uninstrumented -fun:g_bookmark_file_add_group=uninstrumented -fun:g_bookmark_file_error_quark=uninstrumented -fun:g_bookmark_file_free=uninstrumented -fun:g_bookmark_file_get_added=uninstrumented -fun:g_bookmark_file_get_app_info=uninstrumented -fun:g_bookmark_file_get_applications=uninstrumented -fun:g_bookmark_file_get_description=uninstrumented -fun:g_bookmark_file_get_groups=uninstrumented -fun:g_bookmark_file_get_icon=uninstrumented -fun:g_bookmark_file_get_is_private=uninstrumented -fun:g_bookmark_file_get_mime_type=uninstrumented -fun:g_bookmark_file_get_modified=uninstrumented -fun:g_bookmark_file_get_size=uninstrumented -fun:g_bookmark_file_get_title=uninstrumented -fun:g_bookmark_file_get_uris=uninstrumented -fun:g_bookmark_file_get_visited=uninstrumented -fun:g_bookmark_file_has_application=uninstrumented 
-fun:g_bookmark_file_has_group=uninstrumented -fun:g_bookmark_file_has_item=uninstrumented -fun:g_bookmark_file_load_from_data=uninstrumented -fun:g_bookmark_file_load_from_data_dirs=uninstrumented -fun:g_bookmark_file_load_from_file=uninstrumented -fun:g_bookmark_file_move_item=uninstrumented -fun:g_bookmark_file_new=uninstrumented -fun:g_bookmark_file_remove_application=uninstrumented -fun:g_bookmark_file_remove_group=uninstrumented -fun:g_bookmark_file_remove_item=uninstrumented -fun:g_bookmark_file_set_added=uninstrumented -fun:g_bookmark_file_set_app_info=uninstrumented -fun:g_bookmark_file_set_description=uninstrumented -fun:g_bookmark_file_set_groups=uninstrumented -fun:g_bookmark_file_set_icon=uninstrumented -fun:g_bookmark_file_set_is_private=uninstrumented -fun:g_bookmark_file_set_mime_type=uninstrumented -fun:g_bookmark_file_set_modified=uninstrumented -fun:g_bookmark_file_set_title=uninstrumented -fun:g_bookmark_file_set_visited=uninstrumented -fun:g_bookmark_file_to_data=uninstrumented -fun:g_bookmark_file_to_file=uninstrumented -fun:g_build_filename=uninstrumented -fun:g_build_filename_valist=uninstrumented -fun:g_build_filenamev=uninstrumented -fun:g_build_path=uninstrumented -fun:g_build_pathv=uninstrumented -fun:g_byte_array_append=uninstrumented -fun:g_byte_array_free=uninstrumented -fun:g_byte_array_free_to_bytes=uninstrumented -fun:g_byte_array_new=uninstrumented -fun:g_byte_array_new_take=uninstrumented -fun:g_byte_array_prepend=uninstrumented -fun:g_byte_array_ref=uninstrumented -fun:g_byte_array_remove_index=uninstrumented -fun:g_byte_array_remove_index_fast=uninstrumented -fun:g_byte_array_remove_range=uninstrumented -fun:g_byte_array_set_size=uninstrumented -fun:g_byte_array_sized_new=uninstrumented -fun:g_byte_array_sort=uninstrumented -fun:g_byte_array_sort_with_data=uninstrumented -fun:g_byte_array_steal=uninstrumented -fun:g_byte_array_unref=uninstrumented -fun:g_bytes_compare=uninstrumented -fun:g_bytes_equal=uninstrumented 
-fun:g_bytes_get_data=uninstrumented -fun:g_bytes_get_size=uninstrumented -fun:g_bytes_hash=uninstrumented -fun:g_bytes_new=uninstrumented -fun:g_bytes_new_from_bytes=uninstrumented -fun:g_bytes_new_static=uninstrumented -fun:g_bytes_new_take=uninstrumented -fun:g_bytes_new_with_free_func=uninstrumented -fun:g_bytes_ref=uninstrumented -fun:g_bytes_unref=uninstrumented -fun:g_bytes_unref_to_array=uninstrumented -fun:g_bytes_unref_to_data=uninstrumented -fun:g_cache_destroy=uninstrumented -fun:g_cache_insert=uninstrumented -fun:g_cache_key_foreach=uninstrumented -fun:g_cache_new=uninstrumented -fun:g_cache_remove=uninstrumented -fun:g_cache_value_foreach=uninstrumented -fun:g_canonicalize_filename=uninstrumented -fun:g_chdir=uninstrumented -fun:g_check_setuid=uninstrumented -fun:g_checksum_copy=uninstrumented -fun:g_checksum_free=uninstrumented -fun:g_checksum_get_digest=uninstrumented -fun:g_checksum_get_string=uninstrumented -fun:g_checksum_new=uninstrumented -fun:g_checksum_reset=uninstrumented -fun:g_checksum_type_get_length=uninstrumented -fun:g_checksum_update=uninstrumented -fun:g_child_watch_add=uninstrumented -fun:g_child_watch_add_full=uninstrumented -fun:g_child_watch_source_new=uninstrumented -fun:g_chmod=uninstrumented -fun:g_clear_error=uninstrumented -fun:g_clear_handle_id=uninstrumented -fun:g_clear_list=uninstrumented -fun:g_clear_pointer=uninstrumented -fun:g_clear_slist=uninstrumented -fun:g_close=uninstrumented -fun:g_completion_add_items=uninstrumented -fun:g_completion_clear_items=uninstrumented -fun:g_completion_complete=uninstrumented -fun:g_completion_complete_utf8=uninstrumented -fun:g_completion_free=uninstrumented -fun:g_completion_new=uninstrumented -fun:g_completion_remove_items=uninstrumented -fun:g_completion_set_compare=uninstrumented -fun:g_compute_checksum_for_bytes=uninstrumented -fun:g_compute_checksum_for_data=uninstrumented -fun:g_compute_checksum_for_string=uninstrumented -fun:g_compute_hmac_for_bytes=uninstrumented 
-fun:g_compute_hmac_for_data=uninstrumented -fun:g_compute_hmac_for_string=uninstrumented -fun:g_cond_broadcast=uninstrumented -fun:g_cond_clear=uninstrumented -fun:g_cond_free=uninstrumented -fun:g_cond_init=uninstrumented -fun:g_cond_new=uninstrumented -fun:g_cond_signal=uninstrumented -fun:g_cond_timed_wait=uninstrumented -fun:g_cond_wait=uninstrumented -fun:g_cond_wait_until=uninstrumented -fun:g_convert=uninstrumented -fun:g_convert_error_quark=uninstrumented -fun:g_convert_with_fallback=uninstrumented -fun:g_convert_with_iconv=uninstrumented -fun:g_creat=uninstrumented -fun:g_datalist_clear=uninstrumented -fun:g_datalist_foreach=uninstrumented -fun:g_datalist_get_data=uninstrumented -fun:g_datalist_get_flags=uninstrumented -fun:g_datalist_id_dup_data=uninstrumented -fun:g_datalist_id_get_data=uninstrumented -fun:g_datalist_id_remove_no_notify=uninstrumented -fun:g_datalist_id_replace_data=uninstrumented -fun:g_datalist_id_set_data_full=uninstrumented -fun:g_datalist_init=uninstrumented -fun:g_datalist_set_flags=uninstrumented -fun:g_datalist_unset_flags=uninstrumented -fun:g_dataset_destroy=uninstrumented -fun:g_dataset_foreach=uninstrumented -fun:g_dataset_id_get_data=uninstrumented -fun:g_dataset_id_remove_no_notify=uninstrumented -fun:g_dataset_id_set_data_full=uninstrumented -fun:g_date_add_days=uninstrumented -fun:g_date_add_months=uninstrumented -fun:g_date_add_years=uninstrumented -fun:g_date_clamp=uninstrumented -fun:g_date_clear=uninstrumented -fun:g_date_compare=uninstrumented -fun:g_date_copy=uninstrumented -fun:g_date_days_between=uninstrumented -fun:g_date_free=uninstrumented -fun:g_date_get_day=uninstrumented -fun:g_date_get_day_of_year=uninstrumented -fun:g_date_get_days_in_month=uninstrumented -fun:g_date_get_iso8601_week_of_year=uninstrumented -fun:g_date_get_julian=uninstrumented -fun:g_date_get_monday_week_of_year=uninstrumented -fun:g_date_get_monday_weeks_in_year=uninstrumented -fun:g_date_get_month=uninstrumented 
-fun:g_date_get_sunday_week_of_year=uninstrumented -fun:g_date_get_sunday_weeks_in_year=uninstrumented -fun:g_date_get_weekday=uninstrumented -fun:g_date_get_year=uninstrumented -fun:g_date_is_first_of_month=uninstrumented -fun:g_date_is_last_of_month=uninstrumented -fun:g_date_is_leap_year=uninstrumented -fun:g_date_new=uninstrumented -fun:g_date_new_dmy=uninstrumented -fun:g_date_new_julian=uninstrumented -fun:g_date_order=uninstrumented -fun:g_date_set_day=uninstrumented -fun:g_date_set_dmy=uninstrumented -fun:g_date_set_julian=uninstrumented -fun:g_date_set_month=uninstrumented -fun:g_date_set_parse=uninstrumented -fun:g_date_set_time=uninstrumented -fun:g_date_set_time_t=uninstrumented -fun:g_date_set_time_val=uninstrumented -fun:g_date_set_year=uninstrumented -fun:g_date_strftime=uninstrumented -fun:g_date_subtract_days=uninstrumented -fun:g_date_subtract_months=uninstrumented -fun:g_date_subtract_years=uninstrumented -fun:g_date_time_add=uninstrumented -fun:g_date_time_add_days=uninstrumented -fun:g_date_time_add_full=uninstrumented -fun:g_date_time_add_hours=uninstrumented -fun:g_date_time_add_minutes=uninstrumented -fun:g_date_time_add_months=uninstrumented -fun:g_date_time_add_seconds=uninstrumented -fun:g_date_time_add_weeks=uninstrumented -fun:g_date_time_add_years=uninstrumented -fun:g_date_time_compare=uninstrumented -fun:g_date_time_difference=uninstrumented -fun:g_date_time_equal=uninstrumented -fun:g_date_time_format=uninstrumented -fun:g_date_time_format_iso8601=uninstrumented -fun:g_date_time_get_day_of_month=uninstrumented -fun:g_date_time_get_day_of_week=uninstrumented -fun:g_date_time_get_day_of_year=uninstrumented -fun:g_date_time_get_hour=uninstrumented -fun:g_date_time_get_microsecond=uninstrumented -fun:g_date_time_get_minute=uninstrumented -fun:g_date_time_get_month=uninstrumented -fun:g_date_time_get_second=uninstrumented -fun:g_date_time_get_seconds=uninstrumented -fun:g_date_time_get_timezone=uninstrumented 
-fun:g_date_time_get_timezone_abbreviation=uninstrumented -fun:g_date_time_get_utc_offset=uninstrumented -fun:g_date_time_get_week_numbering_year=uninstrumented -fun:g_date_time_get_week_of_year=uninstrumented -fun:g_date_time_get_year=uninstrumented -fun:g_date_time_get_ymd=uninstrumented -fun:g_date_time_hash=uninstrumented -fun:g_date_time_is_daylight_savings=uninstrumented -fun:g_date_time_new=uninstrumented -fun:g_date_time_new_from_iso8601=uninstrumented -fun:g_date_time_new_from_timeval_local=uninstrumented -fun:g_date_time_new_from_timeval_utc=uninstrumented -fun:g_date_time_new_from_unix_local=uninstrumented -fun:g_date_time_new_from_unix_utc=uninstrumented -fun:g_date_time_new_local=uninstrumented -fun:g_date_time_new_now=uninstrumented -fun:g_date_time_new_now_local=uninstrumented -fun:g_date_time_new_now_utc=uninstrumented -fun:g_date_time_new_utc=uninstrumented -fun:g_date_time_ref=uninstrumented -fun:g_date_time_to_local=uninstrumented -fun:g_date_time_to_timeval=uninstrumented -fun:g_date_time_to_timezone=uninstrumented -fun:g_date_time_to_unix=uninstrumented -fun:g_date_time_to_utc=uninstrumented -fun:g_date_time_unref=uninstrumented -fun:g_date_to_struct_tm=uninstrumented -fun:g_date_valid=uninstrumented -fun:g_date_valid_day=uninstrumented -fun:g_date_valid_dmy=uninstrumented -fun:g_date_valid_julian=uninstrumented -fun:g_date_valid_month=uninstrumented -fun:g_date_valid_weekday=uninstrumented -fun:g_date_valid_year=uninstrumented -fun:g_dcgettext=uninstrumented -fun:g_dgettext=uninstrumented -fun:g_dir_close=uninstrumented -fun:g_dir_make_tmp=uninstrumented -fun:g_dir_new_from_dirp=uninstrumented -fun:g_dir_open=uninstrumented -fun:g_dir_open_with_errno=uninstrumented -fun:g_dir_read_name=uninstrumented -fun:g_dir_rewind=uninstrumented -fun:g_direct_equal=uninstrumented -fun:g_direct_hash=uninstrumented -fun:g_dngettext=uninstrumented -fun:g_double_equal=uninstrumented -fun:g_double_hash=uninstrumented -fun:g_dpgettext=uninstrumented 
-fun:g_dpgettext2=uninstrumented -fun:g_environ_getenv=uninstrumented -fun:g_environ_setenv=uninstrumented -fun:g_environ_unsetenv=uninstrumented -fun:g_error_copy=uninstrumented -fun:g_error_free=uninstrumented -fun:g_error_matches=uninstrumented -fun:g_error_new=uninstrumented -fun:g_error_new_literal=uninstrumented -fun:g_error_new_valist=uninstrumented -fun:g_file_error_from_errno=uninstrumented -fun:g_file_error_quark=uninstrumented -fun:g_file_get_contents=uninstrumented -fun:g_file_open_tmp=uninstrumented -fun:g_file_read_link=uninstrumented -fun:g_file_set_contents=uninstrumented -fun:g_file_test=uninstrumented -fun:g_filename_display_basename=uninstrumented -fun:g_filename_display_name=uninstrumented -fun:g_filename_from_uri=uninstrumented -fun:g_filename_from_utf8=uninstrumented -fun:g_filename_to_uri=uninstrumented -fun:g_filename_to_utf8=uninstrumented -fun:g_find_program_in_path=uninstrumented -fun:g_fopen=uninstrumented -fun:g_format_size=uninstrumented -fun:g_format_size_for_display=uninstrumented -fun:g_format_size_full=uninstrumented -fun:g_fprintf=uninstrumented -fun:g_free=uninstrumented -fun:g_freopen=uninstrumented -fun:g_fsync=uninstrumented -fun:g_get_application_name=uninstrumented -fun:g_get_charset=uninstrumented -fun:g_get_codeset=uninstrumented -fun:g_get_console_charset=uninstrumented -fun:g_get_current_dir=uninstrumented -fun:g_get_current_time=uninstrumented -fun:g_get_environ=uninstrumented -fun:g_get_filename_charsets=uninstrumented -fun:g_get_home_dir=uninstrumented -fun:g_get_host_name=uninstrumented -fun:g_get_language_names=uninstrumented -fun:g_get_language_names_with_category=uninstrumented -fun:g_get_locale_variants=uninstrumented -fun:g_get_monotonic_time=uninstrumented -fun:g_get_num_processors=uninstrumented -fun:g_get_os_info=uninstrumented -fun:g_get_prgname=uninstrumented -fun:g_get_real_name=uninstrumented -fun:g_get_real_time=uninstrumented -fun:g_get_system_config_dirs=uninstrumented 
-fun:g_get_system_data_dirs=uninstrumented -fun:g_get_tmp_dir=uninstrumented -fun:g_get_user_cache_dir=uninstrumented -fun:g_get_user_config_dir=uninstrumented -fun:g_get_user_data_dir=uninstrumented -fun:g_get_user_name=uninstrumented -fun:g_get_user_runtime_dir=uninstrumented -fun:g_get_user_special_dir=uninstrumented -fun:g_get_worker_context=uninstrumented -fun:g_getenv=uninstrumented -fun:g_hash_table_add=uninstrumented -fun:g_hash_table_contains=uninstrumented -fun:g_hash_table_destroy=uninstrumented -fun:g_hash_table_find=uninstrumented -fun:g_hash_table_foreach=uninstrumented -fun:g_hash_table_foreach_remove=uninstrumented -fun:g_hash_table_foreach_steal=uninstrumented -fun:g_hash_table_get_keys=uninstrumented -fun:g_hash_table_get_keys_as_array=uninstrumented -fun:g_hash_table_get_values=uninstrumented -fun:g_hash_table_insert=uninstrumented -fun:g_hash_table_iter_get_hash_table=uninstrumented -fun:g_hash_table_iter_init=uninstrumented -fun:g_hash_table_iter_next=uninstrumented -fun:g_hash_table_iter_remove=uninstrumented -fun:g_hash_table_iter_replace=uninstrumented -fun:g_hash_table_iter_steal=uninstrumented -fun:g_hash_table_lookup=uninstrumented -fun:g_hash_table_lookup_extended=uninstrumented -fun:g_hash_table_new=uninstrumented -fun:g_hash_table_new_full=uninstrumented -fun:g_hash_table_ref=uninstrumented -fun:g_hash_table_remove=uninstrumented -fun:g_hash_table_remove_all=uninstrumented -fun:g_hash_table_replace=uninstrumented -fun:g_hash_table_size=uninstrumented -fun:g_hash_table_steal=uninstrumented -fun:g_hash_table_steal_all=uninstrumented -fun:g_hash_table_steal_extended=uninstrumented -fun:g_hash_table_unref=uninstrumented -fun:g_hmac_copy=uninstrumented -fun:g_hmac_get_digest=uninstrumented -fun:g_hmac_get_string=uninstrumented -fun:g_hmac_new=uninstrumented -fun:g_hmac_ref=uninstrumented -fun:g_hmac_unref=uninstrumented -fun:g_hmac_update=uninstrumented -fun:g_hook_alloc=uninstrumented -fun:g_hook_compare_ids=uninstrumented 
-fun:g_hook_destroy=uninstrumented -fun:g_hook_destroy_link=uninstrumented -fun:g_hook_find=uninstrumented -fun:g_hook_find_data=uninstrumented -fun:g_hook_find_func=uninstrumented -fun:g_hook_find_func_data=uninstrumented -fun:g_hook_first_valid=uninstrumented -fun:g_hook_free=uninstrumented -fun:g_hook_get=uninstrumented -fun:g_hook_insert_before=uninstrumented -fun:g_hook_insert_sorted=uninstrumented -fun:g_hook_list_clear=uninstrumented -fun:g_hook_list_init=uninstrumented -fun:g_hook_list_invoke=uninstrumented -fun:g_hook_list_invoke_check=uninstrumented -fun:g_hook_list_marshal=uninstrumented -fun:g_hook_list_marshal_check=uninstrumented -fun:g_hook_next_valid=uninstrumented -fun:g_hook_prepend=uninstrumented -fun:g_hook_ref=uninstrumented -fun:g_hook_unref=uninstrumented -fun:g_hostname_is_ascii_encoded=uninstrumented -fun:g_hostname_is_ip_address=uninstrumented -fun:g_hostname_is_non_ascii=uninstrumented -fun:g_hostname_to_ascii=uninstrumented -fun:g_hostname_to_unicode=uninstrumented -fun:g_iconv=uninstrumented -fun:g_iconv_close=uninstrumented -fun:g_iconv_open=uninstrumented -fun:g_idle_add=uninstrumented -fun:g_idle_add_full=uninstrumented -fun:g_idle_remove_by_data=uninstrumented -fun:g_idle_source_new=uninstrumented -fun:g_int64_equal=uninstrumented -fun:g_int64_hash=uninstrumented -fun:g_int_equal=uninstrumented -fun:g_int_hash=uninstrumented -fun:g_intern_static_string=uninstrumented -fun:g_intern_string=uninstrumented -fun:g_io_add_watch=uninstrumented -fun:g_io_add_watch_full=uninstrumented -fun:g_io_channel_close=uninstrumented -fun:g_io_channel_error_from_errno=uninstrumented -fun:g_io_channel_error_quark=uninstrumented -fun:g_io_channel_flush=uninstrumented -fun:g_io_channel_get_buffer_condition=uninstrumented -fun:g_io_channel_get_buffer_size=uninstrumented -fun:g_io_channel_get_buffered=uninstrumented -fun:g_io_channel_get_close_on_unref=uninstrumented -fun:g_io_channel_get_encoding=uninstrumented -fun:g_io_channel_get_flags=uninstrumented 
-fun:g_io_channel_get_line_term=uninstrumented -fun:g_io_channel_init=uninstrumented -fun:g_io_channel_new_file=uninstrumented -fun:g_io_channel_read=uninstrumented -fun:g_io_channel_read_chars=uninstrumented -fun:g_io_channel_read_line=uninstrumented -fun:g_io_channel_read_line_string=uninstrumented -fun:g_io_channel_read_to_end=uninstrumented -fun:g_io_channel_read_unichar=uninstrumented -fun:g_io_channel_ref=uninstrumented -fun:g_io_channel_seek=uninstrumented -fun:g_io_channel_seek_position=uninstrumented -fun:g_io_channel_set_buffer_size=uninstrumented -fun:g_io_channel_set_buffered=uninstrumented -fun:g_io_channel_set_close_on_unref=uninstrumented -fun:g_io_channel_set_encoding=uninstrumented -fun:g_io_channel_set_flags=uninstrumented -fun:g_io_channel_set_line_term=uninstrumented -fun:g_io_channel_shutdown=uninstrumented -fun:g_io_channel_unix_get_fd=uninstrumented -fun:g_io_channel_unix_new=uninstrumented -fun:g_io_channel_unref=uninstrumented -fun:g_io_channel_write=uninstrumented -fun:g_io_channel_write_chars=uninstrumented -fun:g_io_channel_write_unichar=uninstrumented -fun:g_io_create_watch=uninstrumented -fun:g_key_file_error_quark=uninstrumented -fun:g_key_file_free=uninstrumented -fun:g_key_file_get_boolean=uninstrumented -fun:g_key_file_get_boolean_list=uninstrumented -fun:g_key_file_get_comment=uninstrumented -fun:g_key_file_get_double=uninstrumented -fun:g_key_file_get_double_list=uninstrumented -fun:g_key_file_get_groups=uninstrumented -fun:g_key_file_get_int64=uninstrumented -fun:g_key_file_get_integer=uninstrumented -fun:g_key_file_get_integer_list=uninstrumented -fun:g_key_file_get_keys=uninstrumented -fun:g_key_file_get_locale_for_key=uninstrumented -fun:g_key_file_get_locale_string=uninstrumented -fun:g_key_file_get_locale_string_list=uninstrumented -fun:g_key_file_get_start_group=uninstrumented -fun:g_key_file_get_string=uninstrumented -fun:g_key_file_get_string_list=uninstrumented -fun:g_key_file_get_uint64=uninstrumented 
-fun:g_key_file_get_value=uninstrumented -fun:g_key_file_has_group=uninstrumented -fun:g_key_file_has_key=uninstrumented -fun:g_key_file_load_from_bytes=uninstrumented -fun:g_key_file_load_from_data=uninstrumented -fun:g_key_file_load_from_data_dirs=uninstrumented -fun:g_key_file_load_from_dirs=uninstrumented -fun:g_key_file_load_from_file=uninstrumented -fun:g_key_file_new=uninstrumented -fun:g_key_file_ref=uninstrumented -fun:g_key_file_remove_comment=uninstrumented -fun:g_key_file_remove_group=uninstrumented -fun:g_key_file_remove_key=uninstrumented -fun:g_key_file_save_to_file=uninstrumented -fun:g_key_file_set_boolean=uninstrumented -fun:g_key_file_set_boolean_list=uninstrumented -fun:g_key_file_set_comment=uninstrumented -fun:g_key_file_set_double=uninstrumented -fun:g_key_file_set_double_list=uninstrumented -fun:g_key_file_set_int64=uninstrumented -fun:g_key_file_set_integer=uninstrumented -fun:g_key_file_set_integer_list=uninstrumented -fun:g_key_file_set_list_separator=uninstrumented -fun:g_key_file_set_locale_string=uninstrumented -fun:g_key_file_set_locale_string_list=uninstrumented -fun:g_key_file_set_string=uninstrumented -fun:g_key_file_set_string_list=uninstrumented -fun:g_key_file_set_uint64=uninstrumented -fun:g_key_file_set_value=uninstrumented -fun:g_key_file_to_data=uninstrumented -fun:g_key_file_unref=uninstrumented -fun:g_list_alloc=uninstrumented -fun:g_list_append=uninstrumented -fun:g_list_concat=uninstrumented -fun:g_list_copy=uninstrumented -fun:g_list_copy_deep=uninstrumented -fun:g_list_delete_link=uninstrumented -fun:g_list_find=uninstrumented -fun:g_list_find_custom=uninstrumented -fun:g_list_first=uninstrumented -fun:g_list_foreach=uninstrumented -fun:g_list_free=uninstrumented -fun:g_list_free_1=uninstrumented -fun:g_list_free_full=uninstrumented -fun:g_list_index=uninstrumented -fun:g_list_insert=uninstrumented -fun:g_list_insert_before=uninstrumented -fun:g_list_insert_before_link=uninstrumented 
-fun:g_list_insert_sorted=uninstrumented -fun:g_list_insert_sorted_with_data=uninstrumented -fun:g_list_last=uninstrumented -fun:g_list_length=uninstrumented -fun:g_list_nth=uninstrumented -fun:g_list_nth_data=uninstrumented -fun:g_list_nth_prev=uninstrumented -fun:g_list_pop_allocator=uninstrumented -fun:g_list_position=uninstrumented -fun:g_list_prepend=uninstrumented -fun:g_list_push_allocator=uninstrumented -fun:g_list_remove=uninstrumented -fun:g_list_remove_all=uninstrumented -fun:g_list_remove_link=uninstrumented -fun:g_list_reverse=uninstrumented -fun:g_list_sort=uninstrumented -fun:g_list_sort_with_data=uninstrumented -fun:g_listenv=uninstrumented -fun:g_locale_from_utf8=uninstrumented -fun:g_locale_to_utf8=uninstrumented -fun:g_log=uninstrumented -fun:g_log_default_handler=uninstrumented -fun:g_log_remove_handler=uninstrumented -fun:g_log_set_always_fatal=uninstrumented -fun:g_log_set_default_handler=uninstrumented -fun:g_log_set_fatal_mask=uninstrumented -fun:g_log_set_handler=uninstrumented -fun:g_log_set_handler_full=uninstrumented -fun:g_log_set_writer_func=uninstrumented -fun:g_log_structured=uninstrumented -fun:g_log_structured_array=uninstrumented -fun:g_log_structured_standard=uninstrumented -fun:g_log_variant=uninstrumented -fun:g_log_writer_default=uninstrumented -fun:g_log_writer_format_fields=uninstrumented -fun:g_log_writer_is_journald=uninstrumented -fun:g_log_writer_journald=uninstrumented -fun:g_log_writer_standard_streams=uninstrumented -fun:g_log_writer_supports_color=uninstrumented -fun:g_logv=uninstrumented -fun:g_lstat=uninstrumented -fun:g_main_context_acquire=uninstrumented -fun:g_main_context_add_poll=uninstrumented -fun:g_main_context_check=uninstrumented -fun:g_main_context_default=uninstrumented -fun:g_main_context_dispatch=uninstrumented -fun:g_main_context_find_source_by_funcs_user_data=uninstrumented -fun:g_main_context_find_source_by_id=uninstrumented -fun:g_main_context_find_source_by_user_data=uninstrumented 
-fun:g_main_context_get_poll_func=uninstrumented -fun:g_main_context_get_thread_default=uninstrumented -fun:g_main_context_invoke=uninstrumented -fun:g_main_context_invoke_full=uninstrumented -fun:g_main_context_is_owner=uninstrumented -fun:g_main_context_iteration=uninstrumented -fun:g_main_context_new=uninstrumented -fun:g_main_context_new_with_next_id=uninstrumented -fun:g_main_context_pending=uninstrumented -fun:g_main_context_pop_thread_default=uninstrumented -fun:g_main_context_prepare=uninstrumented -fun:g_main_context_push_thread_default=uninstrumented -fun:g_main_context_query=uninstrumented -fun:g_main_context_ref=uninstrumented -fun:g_main_context_ref_thread_default=uninstrumented -fun:g_main_context_release=uninstrumented -fun:g_main_context_remove_poll=uninstrumented -fun:g_main_context_set_poll_func=uninstrumented -fun:g_main_context_unref=uninstrumented -fun:g_main_context_wait=uninstrumented -fun:g_main_context_wakeup=uninstrumented -fun:g_main_current_source=uninstrumented -fun:g_main_depth=uninstrumented -fun:g_main_loop_get_context=uninstrumented -fun:g_main_loop_is_running=uninstrumented -fun:g_main_loop_new=uninstrumented -fun:g_main_loop_quit=uninstrumented -fun:g_main_loop_ref=uninstrumented -fun:g_main_loop_run=uninstrumented -fun:g_main_loop_unref=uninstrumented -fun:g_malloc=uninstrumented -fun:g_malloc0=uninstrumented -fun:g_malloc0_n=uninstrumented -fun:g_malloc_n=uninstrumented -fun:g_mapped_file_free=uninstrumented -fun:g_mapped_file_get_bytes=uninstrumented -fun:g_mapped_file_get_contents=uninstrumented -fun:g_mapped_file_get_length=uninstrumented -fun:g_mapped_file_new=uninstrumented -fun:g_mapped_file_new_from_fd=uninstrumented -fun:g_mapped_file_ref=uninstrumented -fun:g_mapped_file_unref=uninstrumented -fun:g_markup_collect_attributes=uninstrumented -fun:g_markup_error_quark=uninstrumented -fun:g_markup_escape_text=uninstrumented -fun:g_markup_parse_context_end_parse=uninstrumented -fun:g_markup_parse_context_free=uninstrumented 
-fun:g_markup_parse_context_get_element=uninstrumented -fun:g_markup_parse_context_get_element_stack=uninstrumented -fun:g_markup_parse_context_get_position=uninstrumented -fun:g_markup_parse_context_get_user_data=uninstrumented -fun:g_markup_parse_context_new=uninstrumented -fun:g_markup_parse_context_parse=uninstrumented -fun:g_markup_parse_context_pop=uninstrumented -fun:g_markup_parse_context_push=uninstrumented -fun:g_markup_parse_context_ref=uninstrumented -fun:g_markup_parse_context_unref=uninstrumented -fun:g_markup_printf_escaped=uninstrumented -fun:g_markup_vprintf_escaped=uninstrumented -fun:g_match_info_expand_references=uninstrumented -fun:g_match_info_fetch=uninstrumented -fun:g_match_info_fetch_all=uninstrumented -fun:g_match_info_fetch_named=uninstrumented -fun:g_match_info_fetch_named_pos=uninstrumented -fun:g_match_info_fetch_pos=uninstrumented -fun:g_match_info_free=uninstrumented -fun:g_match_info_get_match_count=uninstrumented -fun:g_match_info_get_regex=uninstrumented -fun:g_match_info_get_string=uninstrumented -fun:g_match_info_is_partial_match=uninstrumented -fun:g_match_info_matches=uninstrumented -fun:g_match_info_next=uninstrumented -fun:g_match_info_ref=uninstrumented -fun:g_match_info_unref=uninstrumented -fun:g_mem_chunk_alloc=uninstrumented -fun:g_mem_chunk_alloc0=uninstrumented -fun:g_mem_chunk_clean=uninstrumented -fun:g_mem_chunk_destroy=uninstrumented -fun:g_mem_chunk_free=uninstrumented -fun:g_mem_chunk_info=uninstrumented -fun:g_mem_chunk_new=uninstrumented -fun:g_mem_chunk_print=uninstrumented -fun:g_mem_chunk_reset=uninstrumented -fun:g_mem_is_system_malloc=uninstrumented -fun:g_mem_profile=uninstrumented -fun:g_mem_set_vtable=uninstrumented -fun:g_memdup=uninstrumented -fun:g_mkdir=uninstrumented -fun:g_mkdir_with_parents=uninstrumented -fun:g_mkdtemp=uninstrumented -fun:g_mkdtemp_full=uninstrumented -fun:g_mkstemp=uninstrumented -fun:g_mkstemp_full=uninstrumented -fun:g_mutex_clear=uninstrumented 
-fun:g_mutex_free=uninstrumented -fun:g_mutex_init=uninstrumented -fun:g_mutex_lock=uninstrumented -fun:g_mutex_new=uninstrumented -fun:g_mutex_trylock=uninstrumented -fun:g_mutex_unlock=uninstrumented -fun:g_node_child_index=uninstrumented -fun:g_node_child_position=uninstrumented -fun:g_node_children_foreach=uninstrumented -fun:g_node_copy=uninstrumented -fun:g_node_copy_deep=uninstrumented -fun:g_node_depth=uninstrumented -fun:g_node_destroy=uninstrumented -fun:g_node_find=uninstrumented -fun:g_node_find_child=uninstrumented -fun:g_node_first_sibling=uninstrumented -fun:g_node_get_root=uninstrumented -fun:g_node_insert=uninstrumented -fun:g_node_insert_after=uninstrumented -fun:g_node_insert_before=uninstrumented -fun:g_node_is_ancestor=uninstrumented -fun:g_node_last_child=uninstrumented -fun:g_node_last_sibling=uninstrumented -fun:g_node_max_height=uninstrumented -fun:g_node_n_children=uninstrumented -fun:g_node_n_nodes=uninstrumented -fun:g_node_new=uninstrumented -fun:g_node_nth_child=uninstrumented -fun:g_node_pop_allocator=uninstrumented -fun:g_node_prepend=uninstrumented -fun:g_node_push_allocator=uninstrumented -fun:g_node_reverse_children=uninstrumented -fun:g_node_traverse=uninstrumented -fun:g_node_unlink=uninstrumented -fun:g_nullify_pointer=uninstrumented -fun:g_number_parser_error_quark=uninstrumented -fun:g_on_error_query=uninstrumented -fun:g_on_error_stack_trace=uninstrumented -fun:g_once_impl=uninstrumented -fun:g_once_init_enter=uninstrumented -fun:g_once_init_enter_impl=uninstrumented -fun:g_once_init_leave=uninstrumented -fun:g_open=uninstrumented -fun:g_option_context_add_group=uninstrumented -fun:g_option_context_add_main_entries=uninstrumented -fun:g_option_context_free=uninstrumented -fun:g_option_context_get_description=uninstrumented -fun:g_option_context_get_help=uninstrumented -fun:g_option_context_get_help_enabled=uninstrumented -fun:g_option_context_get_ignore_unknown_options=uninstrumented 
-fun:g_option_context_get_main_group=uninstrumented
-fun:g_option_context_get_strict_posix=uninstrumented
-fun:g_option_context_get_summary=uninstrumented
-fun:g_option_context_new=uninstrumented
-fun:g_option_context_parse=uninstrumented
-fun:g_option_context_parse_strv=uninstrumented
-fun:g_option_context_set_description=uninstrumented
-fun:g_option_context_set_help_enabled=uninstrumented
-fun:g_option_context_set_ignore_unknown_options=uninstrumented
-fun:g_option_context_set_main_group=uninstrumented
-fun:g_option_context_set_strict_posix=uninstrumented
-fun:g_option_context_set_summary=uninstrumented
-fun:g_option_context_set_translate_func=uninstrumented
-fun:g_option_context_set_translation_domain=uninstrumented
-fun:g_option_error_quark=uninstrumented
-fun:g_option_group_add_entries=uninstrumented
-fun:g_option_group_free=uninstrumented
-fun:g_option_group_new=uninstrumented
-fun:g_option_group_ref=uninstrumented
-fun:g_option_group_set_error_hook=uninstrumented
-fun:g_option_group_set_parse_hooks=uninstrumented
-fun:g_option_group_set_translate_func=uninstrumented
-fun:g_option_group_set_translation_domain=uninstrumented
-fun:g_option_group_unref=uninstrumented
-fun:g_parse_debug_string=uninstrumented
-fun:g_path_get_basename=uninstrumented
-fun:g_path_get_dirname=uninstrumented
-fun:g_path_is_absolute=uninstrumented
-fun:g_path_skip_root=uninstrumented
-fun:g_pattern_match=uninstrumented
-fun:g_pattern_match_simple=uninstrumented
-fun:g_pattern_match_string=uninstrumented
-fun:g_pattern_spec_equal=uninstrumented
-fun:g_pattern_spec_free=uninstrumented
-fun:g_pattern_spec_new=uninstrumented
-fun:g_pointer_bit_lock=uninstrumented
-fun:g_pointer_bit_trylock=uninstrumented
-fun:g_pointer_bit_unlock=uninstrumented
-fun:g_poll=uninstrumented
-fun:g_prefix_error=uninstrumented
-fun:g_print=uninstrumented
-fun:g_printerr=uninstrumented
-fun:g_printf=uninstrumented
-fun:g_printf_string_upper_bound=uninstrumented
-fun:g_private_get=uninstrumented
-fun:g_private_new=uninstrumented
-fun:g_private_replace=uninstrumented
-fun:g_private_set=uninstrumented
-fun:g_private_set_alloc0=uninstrumented
-fun:g_propagate_error=uninstrumented
-fun:g_propagate_prefixed_error=uninstrumented
-fun:g_ptr_array_add=uninstrumented
-fun:g_ptr_array_copy=uninstrumented
-fun:g_ptr_array_extend=uninstrumented
-fun:g_ptr_array_extend_and_steal=uninstrumented
-fun:g_ptr_array_find=uninstrumented
-fun:g_ptr_array_find_with_equal_func=uninstrumented
-fun:g_ptr_array_foreach=uninstrumented
-fun:g_ptr_array_free=uninstrumented
-fun:g_ptr_array_insert=uninstrumented
-fun:g_ptr_array_new=uninstrumented
-fun:g_ptr_array_new_full=uninstrumented
-fun:g_ptr_array_new_with_free_func=uninstrumented
-fun:g_ptr_array_ref=uninstrumented
-fun:g_ptr_array_remove=uninstrumented
-fun:g_ptr_array_remove_fast=uninstrumented
-fun:g_ptr_array_remove_index=uninstrumented
-fun:g_ptr_array_remove_index_fast=uninstrumented
-fun:g_ptr_array_remove_range=uninstrumented
-fun:g_ptr_array_set_free_func=uninstrumented
-fun:g_ptr_array_set_size=uninstrumented
-fun:g_ptr_array_sized_new=uninstrumented
-fun:g_ptr_array_sort=uninstrumented
-fun:g_ptr_array_sort_with_data=uninstrumented
-fun:g_ptr_array_steal=uninstrumented
-fun:g_ptr_array_steal_index=uninstrumented
-fun:g_ptr_array_steal_index_fast=uninstrumented
-fun:g_ptr_array_unref=uninstrumented
-fun:g_qsort_with_data=uninstrumented
-fun:g_quark_from_static_string=uninstrumented
-fun:g_quark_from_string=uninstrumented
-fun:g_quark_init=uninstrumented
-fun:g_quark_to_string=uninstrumented
-fun:g_quark_try_string=uninstrumented
-fun:g_queue_clear=uninstrumented
-fun:g_queue_clear_full=uninstrumented
-fun:g_queue_copy=uninstrumented
-fun:g_queue_delete_link=uninstrumented
-fun:g_queue_find=uninstrumented
-fun:g_queue_find_custom=uninstrumented
-fun:g_queue_foreach=uninstrumented
-fun:g_queue_free=uninstrumented
-fun:g_queue_free_full=uninstrumented
-fun:g_queue_get_length=uninstrumented
-fun:g_queue_index=uninstrumented
-fun:g_queue_init=uninstrumented
-fun:g_queue_insert_after=uninstrumented
-fun:g_queue_insert_after_link=uninstrumented
-fun:g_queue_insert_before=uninstrumented
-fun:g_queue_insert_before_link=uninstrumented
-fun:g_queue_insert_sorted=uninstrumented
-fun:g_queue_is_empty=uninstrumented
-fun:g_queue_link_index=uninstrumented
-fun:g_queue_new=uninstrumented
-fun:g_queue_peek_head=uninstrumented
-fun:g_queue_peek_head_link=uninstrumented
-fun:g_queue_peek_nth=uninstrumented
-fun:g_queue_peek_nth_link=uninstrumented
-fun:g_queue_peek_tail=uninstrumented
-fun:g_queue_peek_tail_link=uninstrumented
-fun:g_queue_pop_head=uninstrumented
-fun:g_queue_pop_head_link=uninstrumented
-fun:g_queue_pop_nth=uninstrumented
-fun:g_queue_pop_nth_link=uninstrumented
-fun:g_queue_pop_tail=uninstrumented
-fun:g_queue_pop_tail_link=uninstrumented
-fun:g_queue_push_head=uninstrumented
-fun:g_queue_push_head_link=uninstrumented
-fun:g_queue_push_nth=uninstrumented
-fun:g_queue_push_nth_link=uninstrumented
-fun:g_queue_push_tail=uninstrumented
-fun:g_queue_push_tail_link=uninstrumented
-fun:g_queue_remove=uninstrumented
-fun:g_queue_remove_all=uninstrumented
-fun:g_queue_reverse=uninstrumented
-fun:g_queue_sort=uninstrumented
-fun:g_queue_unlink=uninstrumented
-fun:g_rand_copy=uninstrumented
-fun:g_rand_double=uninstrumented
-fun:g_rand_double_range=uninstrumented
-fun:g_rand_free=uninstrumented
-fun:g_rand_int=uninstrumented
-fun:g_rand_int_range=uninstrumented
-fun:g_rand_new=uninstrumented
-fun:g_rand_new_with_seed=uninstrumented
-fun:g_rand_new_with_seed_array=uninstrumented
-fun:g_rand_set_seed=uninstrumented
-fun:g_rand_set_seed_array=uninstrumented
-fun:g_random_double=uninstrumented
-fun:g_random_double_range=uninstrumented
-fun:g_random_int=uninstrumented
-fun:g_random_int_range=uninstrumented
-fun:g_random_set_seed=uninstrumented
-fun:g_rc_box_acquire=uninstrumented
-fun:g_rc_box_alloc=uninstrumented
-fun:g_rc_box_alloc0=uninstrumented
-fun:g_rc_box_alloc_full=uninstrumented
-fun:g_rc_box_dup=uninstrumented
-fun:g_rc_box_get_size=uninstrumented
-fun:g_rc_box_release=uninstrumented
-fun:g_rc_box_release_full=uninstrumented
-fun:g_realloc=uninstrumented
-fun:g_realloc_n=uninstrumented
-fun:g_rec_mutex_clear=uninstrumented
-fun:g_rec_mutex_init=uninstrumented
-fun:g_rec_mutex_lock=uninstrumented
-fun:g_rec_mutex_trylock=uninstrumented
-fun:g_rec_mutex_unlock=uninstrumented
-fun:g_ref_count_compare=uninstrumented
-fun:g_ref_count_dec=uninstrumented
-fun:g_ref_count_inc=uninstrumented
-fun:g_ref_count_init=uninstrumented
-fun:g_ref_string_acquire=uninstrumented
-fun:g_ref_string_length=uninstrumented
-fun:g_ref_string_new=uninstrumented
-fun:g_ref_string_new_intern=uninstrumented
-fun:g_ref_string_new_len=uninstrumented
-fun:g_ref_string_release=uninstrumented
-fun:g_regex_check_replacement=uninstrumented
-fun:g_regex_error_quark=uninstrumented
-fun:g_regex_escape_nul=uninstrumented
-fun:g_regex_escape_string=uninstrumented
-fun:g_regex_get_capture_count=uninstrumented
-fun:g_regex_get_compile_flags=uninstrumented
-fun:g_regex_get_has_cr_or_lf=uninstrumented
-fun:g_regex_get_match_flags=uninstrumented
-fun:g_regex_get_max_backref=uninstrumented
-fun:g_regex_get_max_lookbehind=uninstrumented
-fun:g_regex_get_pattern=uninstrumented
-fun:g_regex_get_string_number=uninstrumented
-fun:g_regex_match=uninstrumented
-fun:g_regex_match_all=uninstrumented
-fun:g_regex_match_all_full=uninstrumented
-fun:g_regex_match_full=uninstrumented
-fun:g_regex_match_simple=uninstrumented
-fun:g_regex_new=uninstrumented
-fun:g_regex_ref=uninstrumented
-fun:g_regex_replace=uninstrumented
-fun:g_regex_replace_eval=uninstrumented
-fun:g_regex_replace_literal=uninstrumented
-fun:g_regex_split=uninstrumented
-fun:g_regex_split_full=uninstrumented
-fun:g_regex_split_simple=uninstrumented
-fun:g_regex_unref=uninstrumented
-fun:g_relation_count=uninstrumented
-fun:g_relation_delete=uninstrumented
-fun:g_relation_destroy=uninstrumented
-fun:g_relation_exists=uninstrumented
-fun:g_relation_index=uninstrumented
-fun:g_relation_insert=uninstrumented
-fun:g_relation_new=uninstrumented
-fun:g_relation_print=uninstrumented
-fun:g_relation_select=uninstrumented
-fun:g_reload_user_special_dirs_cache=uninstrumented
-fun:g_remove=uninstrumented
-fun:g_rename=uninstrumented
-fun:g_return_if_fail_warning=uninstrumented
-fun:g_rmdir=uninstrumented
-fun:g_rw_lock_clear=uninstrumented
-fun:g_rw_lock_init=uninstrumented
-fun:g_rw_lock_reader_lock=uninstrumented
-fun:g_rw_lock_reader_trylock=uninstrumented
-fun:g_rw_lock_reader_unlock=uninstrumented
-fun:g_rw_lock_writer_lock=uninstrumented
-fun:g_rw_lock_writer_trylock=uninstrumented
-fun:g_rw_lock_writer_unlock=uninstrumented
-fun:g_scanner_cur_line=uninstrumented
-fun:g_scanner_cur_position=uninstrumented
-fun:g_scanner_cur_token=uninstrumented
-fun:g_scanner_cur_value=uninstrumented
-fun:g_scanner_destroy=uninstrumented
-fun:g_scanner_eof=uninstrumented
-fun:g_scanner_error=uninstrumented
-fun:g_scanner_get_next_token=uninstrumented
-fun:g_scanner_input_file=uninstrumented
-fun:g_scanner_input_text=uninstrumented
-fun:g_scanner_lookup_symbol=uninstrumented
-fun:g_scanner_new=uninstrumented
-fun:g_scanner_peek_next_token=uninstrumented
-fun:g_scanner_scope_add_symbol=uninstrumented
-fun:g_scanner_scope_foreach_symbol=uninstrumented
-fun:g_scanner_scope_lookup_symbol=uninstrumented
-fun:g_scanner_scope_remove_symbol=uninstrumented
-fun:g_scanner_set_scope=uninstrumented
-fun:g_scanner_sync_file_offset=uninstrumented
-fun:g_scanner_unexp_token=uninstrumented
-fun:g_scanner_warn=uninstrumented
-fun:g_sequence_append=uninstrumented
-fun:g_sequence_foreach=uninstrumented
-fun:g_sequence_foreach_range=uninstrumented
-fun:g_sequence_free=uninstrumented
-fun:g_sequence_get=uninstrumented
-fun:g_sequence_get_begin_iter=uninstrumented
-fun:g_sequence_get_end_iter=uninstrumented
-fun:g_sequence_get_iter_at_pos=uninstrumented
-fun:g_sequence_get_length=uninstrumented
-fun:g_sequence_insert_before=uninstrumented
-fun:g_sequence_insert_sorted=uninstrumented
-fun:g_sequence_insert_sorted_iter=uninstrumented
-fun:g_sequence_is_empty=uninstrumented
-fun:g_sequence_iter_compare=uninstrumented
-fun:g_sequence_iter_get_position=uninstrumented
-fun:g_sequence_iter_get_sequence=uninstrumented
-fun:g_sequence_iter_is_begin=uninstrumented
-fun:g_sequence_iter_is_end=uninstrumented
-fun:g_sequence_iter_move=uninstrumented
-fun:g_sequence_iter_next=uninstrumented
-fun:g_sequence_iter_prev=uninstrumented
-fun:g_sequence_lookup=uninstrumented
-fun:g_sequence_lookup_iter=uninstrumented
-fun:g_sequence_move=uninstrumented
-fun:g_sequence_move_range=uninstrumented
-fun:g_sequence_new=uninstrumented
-fun:g_sequence_prepend=uninstrumented
-fun:g_sequence_range_get_midpoint=uninstrumented
-fun:g_sequence_remove=uninstrumented
-fun:g_sequence_remove_range=uninstrumented
-fun:g_sequence_search=uninstrumented
-fun:g_sequence_search_iter=uninstrumented
-fun:g_sequence_set=uninstrumented
-fun:g_sequence_sort=uninstrumented
-fun:g_sequence_sort_changed=uninstrumented
-fun:g_sequence_sort_changed_iter=uninstrumented
-fun:g_sequence_sort_iter=uninstrumented
-fun:g_sequence_swap=uninstrumented
-fun:g_set_application_name=uninstrumented
-fun:g_set_error=uninstrumented
-fun:g_set_error_literal=uninstrumented
-fun:g_set_prgname=uninstrumented
-fun:g_set_print_handler=uninstrumented
-fun:g_set_printerr_handler=uninstrumented
-fun:g_set_user_dirs=uninstrumented
-fun:g_setenv=uninstrumented
-fun:g_shell_error_quark=uninstrumented
-fun:g_shell_parse_argv=uninstrumented
-fun:g_shell_quote=uninstrumented
-fun:g_shell_unquote=uninstrumented
-fun:g_slice_alloc=uninstrumented
-fun:g_slice_alloc0=uninstrumented
-fun:g_slice_copy=uninstrumented
-fun:g_slice_free1=uninstrumented
-fun:g_slice_free_chain_with_offset=uninstrumented
-fun:g_slice_get_config=uninstrumented
-fun:g_slice_get_config_state=uninstrumented
-fun:g_slice_set_config=uninstrumented
-fun:g_slist_alloc=uninstrumented
-fun:g_slist_append=uninstrumented
-fun:g_slist_concat=uninstrumented
-fun:g_slist_copy=uninstrumented
-fun:g_slist_copy_deep=uninstrumented
-fun:g_slist_delete_link=uninstrumented
-fun:g_slist_find=uninstrumented
-fun:g_slist_find_custom=uninstrumented
-fun:g_slist_foreach=uninstrumented
-fun:g_slist_free=uninstrumented
-fun:g_slist_free_1=uninstrumented
-fun:g_slist_free_full=uninstrumented
-fun:g_slist_index=uninstrumented
-fun:g_slist_insert=uninstrumented
-fun:g_slist_insert_before=uninstrumented
-fun:g_slist_insert_sorted=uninstrumented
-fun:g_slist_insert_sorted_with_data=uninstrumented
-fun:g_slist_last=uninstrumented
-fun:g_slist_length=uninstrumented
-fun:g_slist_nth=uninstrumented
-fun:g_slist_nth_data=uninstrumented
-fun:g_slist_pop_allocator=uninstrumented
-fun:g_slist_position=uninstrumented
-fun:g_slist_prepend=uninstrumented
-fun:g_slist_push_allocator=uninstrumented
-fun:g_slist_remove=uninstrumented
-fun:g_slist_remove_all=uninstrumented
-fun:g_slist_remove_link=uninstrumented
-fun:g_slist_reverse=uninstrumented
-fun:g_slist_sort=uninstrumented
-fun:g_slist_sort_with_data=uninstrumented
-fun:g_snprintf=uninstrumented
-fun:g_source_add_child_source=uninstrumented
-fun:g_source_add_poll=uninstrumented
-fun:g_source_add_unix_fd=uninstrumented
-fun:g_source_attach=uninstrumented
-fun:g_source_destroy=uninstrumented
-fun:g_source_get_can_recurse=uninstrumented
-fun:g_source_get_context=uninstrumented
-fun:g_source_get_current_time=uninstrumented
-fun:g_source_get_id=uninstrumented
-fun:g_source_get_name=uninstrumented
-fun:g_source_get_priority=uninstrumented
-fun:g_source_get_ready_time=uninstrumented
-fun:g_source_get_time=uninstrumented
-fun:g_source_is_destroyed=uninstrumented
-fun:g_source_modify_unix_fd=uninstrumented
-fun:g_source_new=uninstrumented
-fun:g_source_query_unix_fd=uninstrumented
-fun:g_source_ref=uninstrumented
-fun:g_source_remove=uninstrumented
-fun:g_source_remove_by_funcs_user_data=uninstrumented
-fun:g_source_remove_by_user_data=uninstrumented
-fun:g_source_remove_child_source=uninstrumented
-fun:g_source_remove_poll=uninstrumented
-fun:g_source_remove_unix_fd=uninstrumented
-fun:g_source_set_callback=uninstrumented
-fun:g_source_set_callback_indirect=uninstrumented
-fun:g_source_set_can_recurse=uninstrumented
-fun:g_source_set_dispose_function=uninstrumented
-fun:g_source_set_funcs=uninstrumented
-fun:g_source_set_name=uninstrumented
-fun:g_source_set_name_by_id=uninstrumented
-fun:g_source_set_priority=uninstrumented
-fun:g_source_set_ready_time=uninstrumented
-fun:g_source_unref=uninstrumented
-fun:g_spaced_primes_closest=uninstrumented
-fun:g_spawn_async=uninstrumented
-fun:g_spawn_async_with_fds=uninstrumented
-fun:g_spawn_async_with_pipes=uninstrumented
-fun:g_spawn_check_exit_status=uninstrumented
-fun:g_spawn_close_pid=uninstrumented
-fun:g_spawn_command_line_async=uninstrumented
-fun:g_spawn_command_line_sync=uninstrumented
-fun:g_spawn_error_quark=uninstrumented
-fun:g_spawn_exit_error_quark=uninstrumented
-fun:g_spawn_sync=uninstrumented
-fun:g_sprintf=uninstrumented
-fun:g_stat=uninstrumented
-fun:g_static_mutex_free=uninstrumented
-fun:g_static_mutex_get_mutex_impl=uninstrumented
-fun:g_static_mutex_init=uninstrumented
-fun:g_static_private_free=uninstrumented
-fun:g_static_private_get=uninstrumented
-fun:g_static_private_init=uninstrumented
-fun:g_static_private_set=uninstrumented
-fun:g_static_rec_mutex_free=uninstrumented
-fun:g_static_rec_mutex_init=uninstrumented
-fun:g_static_rec_mutex_lock=uninstrumented
-fun:g_static_rec_mutex_lock_full=uninstrumented
-fun:g_static_rec_mutex_trylock=uninstrumented
-fun:g_static_rec_mutex_unlock=uninstrumented
-fun:g_static_rec_mutex_unlock_full=uninstrumented
-fun:g_static_rw_lock_free=uninstrumented
-fun:g_static_rw_lock_init=uninstrumented
-fun:g_static_rw_lock_reader_lock=uninstrumented
-fun:g_static_rw_lock_reader_trylock=uninstrumented
-fun:g_static_rw_lock_reader_unlock=uninstrumented
-fun:g_static_rw_lock_writer_lock=uninstrumented
-fun:g_static_rw_lock_writer_trylock=uninstrumented
-fun:g_static_rw_lock_writer_unlock=uninstrumented
-fun:g_stpcpy=uninstrumented
-fun:g_str_equal=uninstrumented
-fun:g_str_has_prefix=uninstrumented
-fun:g_str_has_suffix=uninstrumented
-fun:g_str_hash=uninstrumented
-fun:g_str_is_ascii=uninstrumented
-fun:g_str_match_string=uninstrumented
-fun:g_str_to_ascii=uninstrumented
-fun:g_str_tokenize_and_fold=uninstrumented
-fun:g_strcanon=uninstrumented
-fun:g_strcasecmp=uninstrumented
-fun:g_strchomp=uninstrumented
-fun:g_strchug=uninstrumented
-fun:g_strcmp0=uninstrumented
-fun:g_strcompress=uninstrumented
-fun:g_strconcat=uninstrumented
-fun:g_strdelimit=uninstrumented
-fun:g_strdown=uninstrumented
-fun:g_strdup=uninstrumented
-fun:g_strdup_printf=uninstrumented
-fun:g_strdup_vprintf=uninstrumented
-fun:g_strdupv=uninstrumented
-fun:g_strerror=uninstrumented
-fun:g_strescape=uninstrumented
-fun:g_strfreev=uninstrumented
-fun:g_string_append=uninstrumented
-fun:g_string_append_c=uninstrumented
-fun:g_string_append_len=uninstrumented
-fun:g_string_append_printf=uninstrumented
-fun:g_string_append_unichar=uninstrumented
-fun:g_string_append_uri_escaped=uninstrumented
-fun:g_string_append_vprintf=uninstrumented
-fun:g_string_ascii_down=uninstrumented
-fun:g_string_ascii_up=uninstrumented
-fun:g_string_assign=uninstrumented
-fun:g_string_chunk_clear=uninstrumented
-fun:g_string_chunk_free=uninstrumented
-fun:g_string_chunk_insert=uninstrumented
-fun:g_string_chunk_insert_const=uninstrumented
-fun:g_string_chunk_insert_len=uninstrumented
-fun:g_string_chunk_new=uninstrumented
-fun:g_string_down=uninstrumented
-fun:g_string_equal=uninstrumented
-fun:g_string_erase=uninstrumented
-fun:g_string_free=uninstrumented
-fun:g_string_free_to_bytes=uninstrumented
-fun:g_string_hash=uninstrumented
-fun:g_string_insert=uninstrumented
-fun:g_string_insert_c=uninstrumented
-fun:g_string_insert_len=uninstrumented
-fun:g_string_insert_unichar=uninstrumented
-fun:g_string_new=uninstrumented
-fun:g_string_new_len=uninstrumented
-fun:g_string_overwrite=uninstrumented
-fun:g_string_overwrite_len=uninstrumented
-fun:g_string_prepend=uninstrumented
-fun:g_string_prepend_c=uninstrumented
-fun:g_string_prepend_len=uninstrumented
-fun:g_string_prepend_unichar=uninstrumented
-fun:g_string_printf=uninstrumented
-fun:g_string_set_size=uninstrumented
-fun:g_string_sized_new=uninstrumented
-fun:g_string_truncate=uninstrumented
-fun:g_string_up=uninstrumented
-fun:g_string_vprintf=uninstrumented
-fun:g_strip_context=uninstrumented
-fun:g_strjoin=uninstrumented
-fun:g_strjoinv=uninstrumented
-fun:g_strlcat=uninstrumented
-fun:g_strlcpy=uninstrumented
-fun:g_strncasecmp=uninstrumented
-fun:g_strndup=uninstrumented
-fun:g_strnfill=uninstrumented
-fun:g_strreverse=uninstrumented
-fun:g_strrstr=uninstrumented
-fun:g_strrstr_len=uninstrumented
-fun:g_strsignal=uninstrumented
-fun:g_strsplit=uninstrumented
-fun:g_strsplit_set=uninstrumented
-fun:g_strstr_len=uninstrumented
-fun:g_strtod=uninstrumented
-fun:g_strup=uninstrumented
-fun:g_strv_contains=uninstrumented
-fun:g_strv_equal=uninstrumented
-fun:g_strv_length=uninstrumented
-fun:g_system_thread_exit=uninstrumented
-fun:g_system_thread_free=uninstrumented
-fun:g_system_thread_get_scheduler_settings=uninstrumented
-fun:g_system_thread_new=uninstrumented
-fun:g_system_thread_set_name=uninstrumented
-fun:g_system_thread_wait=uninstrumented
-fun:g_test_add_data_func=uninstrumented
-fun:g_test_add_data_func_full=uninstrumented
-fun:g_test_add_func=uninstrumented
-fun:g_test_add_vtable=uninstrumented
-fun:g_test_assert_expected_messages_internal=uninstrumented
-fun:g_test_bug=uninstrumented
-fun:g_test_bug_base=uninstrumented
-fun:g_test_build_filename=uninstrumented
-fun:g_test_create_case=uninstrumented
-fun:g_test_create_suite=uninstrumented
-fun:g_test_expect_message=uninstrumented
-fun:g_test_fail=uninstrumented
-fun:g_test_failed=uninstrumented
-fun:g_test_get_dir=uninstrumented
-fun:g_test_get_filename=uninstrumented
-fun:g_test_get_root=uninstrumented
-fun:g_test_incomplete=uninstrumented
-fun:g_test_init=uninstrumented
-fun:g_test_log_buffer_free=uninstrumented
-fun:g_test_log_buffer_new=uninstrumented
-fun:g_test_log_buffer_pop=uninstrumented
-fun:g_test_log_buffer_push=uninstrumented
-fun:g_test_log_msg_free=uninstrumented
-fun:g_test_log_set_fatal_handler=uninstrumented
-fun:g_test_log_type_name=uninstrumented
-fun:g_test_maximized_result=uninstrumented
-fun:g_test_message=uninstrumented
-fun:g_test_minimized_result=uninstrumented
-fun:g_test_queue_destroy=uninstrumented
-fun:g_test_queue_free=uninstrumented
-fun:g_test_rand_double=uninstrumented
-fun:g_test_rand_double_range=uninstrumented
-fun:g_test_rand_int=uninstrumented
-fun:g_test_rand_int_range=uninstrumented
-fun:g_test_run=uninstrumented
-fun:g_test_run_suite=uninstrumented
-fun:g_test_set_nonfatal_assertions=uninstrumented
-fun:g_test_skip=uninstrumented
-fun:g_test_subprocess=uninstrumented
-fun:g_test_suite_add=uninstrumented
-fun:g_test_suite_add_suite=uninstrumented
-fun:g_test_summary=uninstrumented
-fun:g_test_timer_elapsed=uninstrumented
-fun:g_test_timer_last=uninstrumented
-fun:g_test_timer_start=uninstrumented
-fun:g_test_trap_assertions=uninstrumented
-fun:g_test_trap_fork=uninstrumented
-fun:g_test_trap_has_passed=uninstrumented
-fun:g_test_trap_reached_timeout=uninstrumented
-fun:g_test_trap_subprocess=uninstrumented
-fun:g_thread_create=uninstrumented
-fun:g_thread_create_full=uninstrumented
-fun:g_thread_error_quark=uninstrumented
-fun:g_thread_exit=uninstrumented
-fun:g_thread_foreach=uninstrumented
-fun:g_thread_get_initialized=uninstrumented
-fun:g_thread_get_scheduler_settings=uninstrumented
-fun:g_thread_init_glib=uninstrumented
-fun:g_thread_join=uninstrumented
-fun:g_thread_n_created=uninstrumented
-fun:g_thread_new=uninstrumented
-fun:g_thread_new_internal=uninstrumented
-fun:g_thread_pool_free=uninstrumented
-fun:g_thread_pool_get_max_idle_time=uninstrumented
-fun:g_thread_pool_get_max_threads=uninstrumented
-fun:g_thread_pool_get_max_unused_threads=uninstrumented
-fun:g_thread_pool_get_num_threads=uninstrumented
-fun:g_thread_pool_get_num_unused_threads=uninstrumented
-fun:g_thread_pool_move_to_front=uninstrumented
-fun:g_thread_pool_new=uninstrumented
-fun:g_thread_pool_push=uninstrumented
-fun:g_thread_pool_set_max_idle_time=uninstrumented
-fun:g_thread_pool_set_max_threads=uninstrumented
-fun:g_thread_pool_set_max_unused_threads=uninstrumented
-fun:g_thread_pool_set_sort_function=uninstrumented
-fun:g_thread_pool_stop_unused_threads=uninstrumented
-fun:g_thread_pool_unprocessed=uninstrumented
-fun:g_thread_proxy=uninstrumented
-fun:g_thread_ref=uninstrumented
-fun:g_thread_self=uninstrumented
-fun:g_thread_set_priority=uninstrumented
-fun:g_thread_try_new=uninstrumented
-fun:g_thread_unref=uninstrumented
-fun:g_thread_yield=uninstrumented
-fun:g_time_val_add=uninstrumented
-fun:g_time_val_from_iso8601=uninstrumented
-fun:g_time_val_to_iso8601=uninstrumented
-fun:g_time_zone_adjust_time=uninstrumented
-fun:g_time_zone_find_interval=uninstrumented
-fun:g_time_zone_get_abbreviation=uninstrumented
-fun:g_time_zone_get_identifier=uninstrumented
-fun:g_time_zone_get_offset=uninstrumented
-fun:g_time_zone_is_dst=uninstrumented
-fun:g_time_zone_new=uninstrumented
-fun:g_time_zone_new_local=uninstrumented
-fun:g_time_zone_new_offset=uninstrumented
-fun:g_time_zone_new_utc=uninstrumented
-fun:g_time_zone_ref=uninstrumented
-fun:g_time_zone_unref=uninstrumented
-fun:g_timeout_add=uninstrumented
-fun:g_timeout_add_full=uninstrumented
-fun:g_timeout_add_seconds=uninstrumented
-fun:g_timeout_add_seconds_full=uninstrumented
-fun:g_timeout_source_new=uninstrumented
-fun:g_timeout_source_new_seconds=uninstrumented
-fun:g_timer_continue=uninstrumented
-fun:g_timer_destroy=uninstrumented
-fun:g_timer_elapsed=uninstrumented
-fun:g_timer_is_active=uninstrumented
-fun:g_timer_new=uninstrumented
-fun:g_timer_reset=uninstrumented
-fun:g_timer_start=uninstrumented
-fun:g_timer_stop=uninstrumented
-fun:g_trash_stack_height=uninstrumented
-fun:g_trash_stack_peek=uninstrumented
-fun:g_trash_stack_pop=uninstrumented
-fun:g_trash_stack_push=uninstrumented
-fun:g_tree_destroy=uninstrumented
-fun:g_tree_foreach=uninstrumented
-fun:g_tree_height=uninstrumented
-fun:g_tree_insert=uninstrumented
-fun:g_tree_lookup=uninstrumented
-fun:g_tree_lookup_extended=uninstrumented
-fun:g_tree_new=uninstrumented
-fun:g_tree_new_full=uninstrumented
-fun:g_tree_new_with_data=uninstrumented
-fun:g_tree_nnodes=uninstrumented
-fun:g_tree_ref=uninstrumented
-fun:g_tree_remove=uninstrumented
-fun:g_tree_replace=uninstrumented
-fun:g_tree_search=uninstrumented
-fun:g_tree_steal=uninstrumented
-fun:g_tree_traverse=uninstrumented
-fun:g_tree_unref=uninstrumented
-fun:g_try_malloc=uninstrumented
-fun:g_try_malloc0=uninstrumented
-fun:g_try_malloc0_n=uninstrumented
-fun:g_try_malloc_n=uninstrumented
-fun:g_try_realloc=uninstrumented
-fun:g_try_realloc_n=uninstrumented
-fun:g_tuples_destroy=uninstrumented
-fun:g_tuples_index=uninstrumented
-fun:g_ucs4_to_utf16=uninstrumented
-fun:g_ucs4_to_utf8=uninstrumented
-fun:g_unichar_break_type=uninstrumented
-fun:g_unichar_combining_class=uninstrumented
-fun:g_unichar_compose=uninstrumented
-fun:g_unichar_decompose=uninstrumented
-fun:g_unichar_digit_value=uninstrumented
-fun:g_unichar_fully_decompose=uninstrumented
-fun:g_unichar_get_mirror_char=uninstrumented
-fun:g_unichar_get_script=uninstrumented
-fun:g_unichar_isalnum=uninstrumented
-fun:g_unichar_isalpha=uninstrumented
-fun:g_unichar_iscntrl=uninstrumented
-fun:g_unichar_isdefined=uninstrumented
-fun:g_unichar_isdigit=uninstrumented
-fun:g_unichar_isgraph=uninstrumented
-fun:g_unichar_islower=uninstrumented
-fun:g_unichar_ismark=uninstrumented
-fun:g_unichar_isprint=uninstrumented
-fun:g_unichar_ispunct=uninstrumented
-fun:g_unichar_isspace=uninstrumented
-fun:g_unichar_istitle=uninstrumented
-fun:g_unichar_isupper=uninstrumented
-fun:g_unichar_iswide=uninstrumented
-fun:g_unichar_iswide_cjk=uninstrumented
-fun:g_unichar_isxdigit=uninstrumented
-fun:g_unichar_iszerowidth=uninstrumented
-fun:g_unichar_to_utf8=uninstrumented
-fun:g_unichar_tolower=uninstrumented
-fun:g_unichar_totitle=uninstrumented
-fun:g_unichar_toupper=uninstrumented
-fun:g_unichar_type=uninstrumented
-fun:g_unichar_validate=uninstrumented
-fun:g_unichar_xdigit_value=uninstrumented
-fun:g_unicode_canonical_decomposition=uninstrumented
-fun:g_unicode_canonical_ordering=uninstrumented
-fun:g_unicode_script_from_iso15924=uninstrumented
-fun:g_unicode_script_to_iso15924=uninstrumented
-fun:g_unix_error_quark=uninstrumented
-fun:g_unix_fd_add=uninstrumented
-fun:g_unix_fd_add_full=uninstrumented
-fun:g_unix_fd_source_new=uninstrumented
-fun:g_unix_get_passwd_entry=uninstrumented
-fun:g_unix_open_pipe=uninstrumented
-fun:g_unix_set_fd_nonblocking=uninstrumented
-fun:g_unix_signal_add=uninstrumented
-fun:g_unix_signal_add_full=uninstrumented
-fun:g_unix_signal_source_new=uninstrumented
-fun:g_unlink=uninstrumented
-fun:g_unsetenv=uninstrumented
-fun:g_uri_escape_string=uninstrumented
-fun:g_uri_list_extract_uris=uninstrumented
-fun:g_uri_parse_scheme=uninstrumented
-fun:g_uri_unescape_segment=uninstrumented
-fun:g_uri_unescape_string=uninstrumented
-fun:g_usleep=uninstrumented
-fun:g_utf16_to_ucs4=uninstrumented
-fun:g_utf16_to_utf8=uninstrumented
-fun:g_utf8_casefold=uninstrumented
-fun:g_utf8_collate=uninstrumented
-fun:g_utf8_collate_key=uninstrumented
-fun:g_utf8_collate_key_for_filename=uninstrumented
-fun:g_utf8_find_next_char=uninstrumented
-fun:g_utf8_find_prev_char=uninstrumented
-fun:g_utf8_get_char=uninstrumented
-fun:g_utf8_get_char_validated=uninstrumented
-fun:g_utf8_make_valid=uninstrumented
-fun:g_utf8_normalize=uninstrumented
-fun:g_utf8_offset_to_pointer=uninstrumented
-fun:g_utf8_pointer_to_offset=uninstrumented
-fun:g_utf8_prev_char=uninstrumented
-fun:g_utf8_strchr=uninstrumented
-fun:g_utf8_strdown=uninstrumented
-fun:g_utf8_strlen=uninstrumented
-fun:g_utf8_strncpy=uninstrumented
-fun:g_utf8_strrchr=uninstrumented
-fun:g_utf8_strreverse=uninstrumented
-fun:g_utf8_strup=uninstrumented
-fun:g_utf8_substring=uninstrumented
-fun:g_utf8_to_ucs4=uninstrumented
-fun:g_utf8_to_ucs4_fast=uninstrumented
-fun:g_utf8_to_utf16=uninstrumented
-fun:g_utf8_validate=uninstrumented
-fun:g_utf8_validate_len=uninstrumented
-fun:g_utime=uninstrumented
-fun:g_uuid_string_is_valid=uninstrumented
-fun:g_uuid_string_random=uninstrumented
-fun:g_variant_builder_add=uninstrumented
-fun:g_variant_builder_add_parsed=uninstrumented
-fun:g_variant_builder_add_value=uninstrumented
-fun:g_variant_builder_clear=uninstrumented
-fun:g_variant_builder_close=uninstrumented
-fun:g_variant_builder_end=uninstrumented
-fun:g_variant_builder_init=uninstrumented
-fun:g_variant_builder_new=uninstrumented
-fun:g_variant_builder_open=uninstrumented
-fun:g_variant_builder_ref=uninstrumented
-fun:g_variant_builder_unref=uninstrumented
-fun:g_variant_byteswap=uninstrumented
-fun:g_variant_check_format_string=uninstrumented
-fun:g_variant_classify=uninstrumented
-fun:g_variant_compare=uninstrumented
-fun:g_variant_dict_clear=uninstrumented
-fun:g_variant_dict_contains=uninstrumented
-fun:g_variant_dict_end=uninstrumented
-fun:g_variant_dict_init=uninstrumented
-fun:g_variant_dict_insert=uninstrumented
-fun:g_variant_dict_insert_value=uninstrumented
-fun:g_variant_dict_lookup=uninstrumented
-fun:g_variant_dict_lookup_value=uninstrumented
-fun:g_variant_dict_new=uninstrumented
-fun:g_variant_dict_ref=uninstrumented
-fun:g_variant_dict_remove=uninstrumented
-fun:g_variant_dict_unref=uninstrumented
-fun:g_variant_dup_bytestring=uninstrumented
-fun:g_variant_dup_bytestring_array=uninstrumented
-fun:g_variant_dup_objv=uninstrumented
-fun:g_variant_dup_string=uninstrumented
-fun:g_variant_dup_strv=uninstrumented
-fun:g_variant_equal=uninstrumented
-fun:g_variant_format_string_scan=uninstrumented
-fun:g_variant_format_string_scan_type=uninstrumented
-fun:g_variant_get=uninstrumented
-fun:g_variant_get_boolean=uninstrumented
-fun:g_variant_get_byte=uninstrumented
-fun:g_variant_get_bytestring=uninstrumented
-fun:g_variant_get_bytestring_array=uninstrumented
-fun:g_variant_get_child=uninstrumented
-fun:g_variant_get_child_value=uninstrumented
-fun:g_variant_get_data=uninstrumented
-fun:g_variant_get_data_as_bytes=uninstrumented
-fun:g_variant_get_depth=uninstrumented
-fun:g_variant_get_double=uninstrumented
-fun:g_variant_get_fixed_array=uninstrumented
-fun:g_variant_get_handle=uninstrumented
-fun:g_variant_get_int16=uninstrumented
-fun:g_variant_get_int32=uninstrumented
-fun:g_variant_get_int64=uninstrumented
-fun:g_variant_get_maybe=uninstrumented
-fun:g_variant_get_normal_form=uninstrumented
-fun:g_variant_get_objv=uninstrumented
-fun:g_variant_get_size=uninstrumented
-fun:g_variant_get_string=uninstrumented
-fun:g_variant_get_strv=uninstrumented
-fun:g_variant_get_type=uninstrumented
-fun:g_variant_get_type_info=uninstrumented
-fun:g_variant_get_type_string=uninstrumented
-fun:g_variant_get_uint16=uninstrumented
-fun:g_variant_get_uint32=uninstrumented
-fun:g_variant_get_uint64=uninstrumented
-fun:g_variant_get_va=uninstrumented
-fun:g_variant_get_variant=uninstrumented
-fun:g_variant_hash=uninstrumented
-fun:g_variant_is_container=uninstrumented
-fun:g_variant_is_floating=uninstrumented
-fun:g_variant_is_normal_form=uninstrumented
-fun:g_variant_is_object_path=uninstrumented
-fun:g_variant_is_of_type=uninstrumented
-fun:g_variant_is_signature=uninstrumented
-fun:g_variant_is_trusted=uninstrumented
-fun:g_variant_iter_copy=uninstrumented
-fun:g_variant_iter_free=uninstrumented
-fun:g_variant_iter_init=uninstrumented
-fun:g_variant_iter_loop=uninstrumented
-fun:g_variant_iter_n_children=uninstrumented
-fun:g_variant_iter_new=uninstrumented
-fun:g_variant_iter_next=uninstrumented
-fun:g_variant_iter_next_value=uninstrumented
-fun:g_variant_lookup=uninstrumented
-fun:g_variant_lookup_value=uninstrumented
-fun:g_variant_n_children=uninstrumented
-fun:g_variant_new=uninstrumented
-fun:g_variant_new_array=uninstrumented
-fun:g_variant_new_boolean=uninstrumented
-fun:g_variant_new_byte=uninstrumented
-fun:g_variant_new_bytestring=uninstrumented
-fun:g_variant_new_bytestring_array=uninstrumented
-fun:g_variant_new_dict_entry=uninstrumented
-fun:g_variant_new_double=uninstrumented
-fun:g_variant_new_fixed_array=uninstrumented
-fun:g_variant_new_from_bytes=uninstrumented
-fun:g_variant_new_from_children=uninstrumented
-fun:g_variant_new_from_data=uninstrumented
-fun:g_variant_new_handle=uninstrumented
-fun:g_variant_new_int16=uninstrumented
-fun:g_variant_new_int32=uninstrumented
-fun:g_variant_new_int64=uninstrumented
-fun:g_variant_new_maybe=uninstrumented
-fun:g_variant_new_object_path=uninstrumented
-fun:g_variant_new_objv=uninstrumented
-fun:g_variant_new_parsed=uninstrumented
-fun:g_variant_new_parsed_va=uninstrumented
-fun:g_variant_new_printf=uninstrumented
-fun:g_variant_new_signature=uninstrumented
-fun:g_variant_new_string=uninstrumented
-fun:g_variant_new_strv=uninstrumented
-fun:g_variant_new_take_string=uninstrumented
-fun:g_variant_new_tuple=uninstrumented
-fun:g_variant_new_uint16=uninstrumented
-fun:g_variant_new_uint32=uninstrumented
-fun:g_variant_new_uint64=uninstrumented
-fun:g_variant_new_va=uninstrumented
-fun:g_variant_new_variant=uninstrumented
-fun:g_variant_parse=uninstrumented
-fun:g_variant_parse_error_print_context=uninstrumented
-fun:g_variant_parse_error_quark=uninstrumented
-fun:g_variant_parser_get_error_quark=uninstrumented
-fun:g_variant_print=uninstrumented
-fun:g_variant_print_string=uninstrumented
-fun:g_variant_ref=uninstrumented
-fun:g_variant_ref_sink=uninstrumented
-fun:g_variant_serialised_byteswap=uninstrumented -fun:g_variant_serialised_check=uninstrumented -fun:g_variant_serialised_get_child=uninstrumented -fun:g_variant_serialised_is_normal=uninstrumented -fun:g_variant_serialised_n_children=uninstrumented -fun:g_variant_serialiser_is_object_path=uninstrumented -fun:g_variant_serialiser_is_signature=uninstrumented -fun:g_variant_serialiser_is_string=uninstrumented -fun:g_variant_serialiser_needed_size=uninstrumented -fun:g_variant_serialiser_serialise=uninstrumented -fun:g_variant_store=uninstrumented -fun:g_variant_take_ref=uninstrumented -fun:g_variant_type_checked_=uninstrumented -fun:g_variant_type_copy=uninstrumented -fun:g_variant_type_dup_string=uninstrumented -fun:g_variant_type_element=uninstrumented -fun:g_variant_type_equal=uninstrumented -fun:g_variant_type_first=uninstrumented -fun:g_variant_type_free=uninstrumented -fun:g_variant_type_get_string_length=uninstrumented -fun:g_variant_type_hash=uninstrumented -fun:g_variant_type_info_assert_no_infos=uninstrumented -fun:g_variant_type_info_element=uninstrumented -fun:g_variant_type_info_get=uninstrumented -fun:g_variant_type_info_get_type_string=uninstrumented -fun:g_variant_type_info_member_info=uninstrumented -fun:g_variant_type_info_n_members=uninstrumented -fun:g_variant_type_info_query=uninstrumented -fun:g_variant_type_info_query_depth=uninstrumented -fun:g_variant_type_info_query_element=uninstrumented -fun:g_variant_type_info_ref=uninstrumented -fun:g_variant_type_info_unref=uninstrumented -fun:g_variant_type_is_array=uninstrumented -fun:g_variant_type_is_basic=uninstrumented -fun:g_variant_type_is_container=uninstrumented -fun:g_variant_type_is_definite=uninstrumented -fun:g_variant_type_is_dict_entry=uninstrumented -fun:g_variant_type_is_maybe=uninstrumented -fun:g_variant_type_is_subtype_of=uninstrumented -fun:g_variant_type_is_tuple=uninstrumented -fun:g_variant_type_is_variant=uninstrumented -fun:g_variant_type_key=uninstrumented 
-fun:g_variant_type_n_items=uninstrumented -fun:g_variant_type_new=uninstrumented -fun:g_variant_type_new_array=uninstrumented -fun:g_variant_type_new_dict_entry=uninstrumented -fun:g_variant_type_new_maybe=uninstrumented -fun:g_variant_type_new_tuple=uninstrumented -fun:g_variant_type_next=uninstrumented -fun:g_variant_type_peek_string=uninstrumented -fun:g_variant_type_string_get_depth_=uninstrumented -fun:g_variant_type_string_is_valid=uninstrumented -fun:g_variant_type_string_scan=uninstrumented -fun:g_variant_type_value=uninstrumented -fun:g_variant_unref=uninstrumented -fun:g_vasprintf=uninstrumented -fun:g_vfprintf=uninstrumented -fun:g_vprintf=uninstrumented -fun:g_vsnprintf=uninstrumented -fun:g_vsprintf=uninstrumented -fun:g_wakeup_acknowledge=uninstrumented -fun:g_wakeup_free=uninstrumented -fun:g_wakeup_get_pollfd=uninstrumented -fun:g_wakeup_new=uninstrumented -fun:g_wakeup_signal=uninstrumented -fun:g_warn_message=uninstrumented -fun:glib__private__=uninstrumented -fun:glib_check_version=uninstrumented -fun:glib_gettext=uninstrumented -fun:glib_init=uninstrumented -fun:glib_pgettext=uninstrumented diff --git a/fuzzers/symsan/libfuzz-harness-proxy.c b/fuzzers/symsan/libfuzz-harness-proxy.c deleted file mode 100644 index 86097062f..000000000 --- a/fuzzers/symsan/libfuzz-harness-proxy.c +++ /dev/null 
@@ -1,41 +0,0 @@
-// Copyright 2021 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-#include
-#include
-#include
-#include
-#include
-
-extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
-
-int main(int argc, char* argv[]) {
- // open file
- FILE *f = fopen(argv[1], "rb");
-
- // get file size
- fseek(f, 0, SEEK_END);
- long fsize = ftell(f);
-
- // read file contents
- fseek(f, 0, SEEK_SET);
- char *string = (char*)malloc(fsize + 1);
- fread(string, 1, fsize, f);
- fclose(f);
-
- // Now call into the harness
- int retval = LLVMFuzzerTestOneInput((const uint8_t *)string, fsize);
-
- free(string);
- return retval;
-}
diff --git a/fuzzers/symsan/pcre.abilist b/fuzzers/symsan/pcre.abilist
deleted file mode 100644
index a73b8fb99..000000000
--- a/fuzzers/symsan/pcre.abilist
+++ /dev/null
@@ -1,38 +0,0 @@
-fun:_pcre_find_bracket=uninstrumented
-fun:_pcre_is_newline=uninstrumented
-fun:_pcre_jit_compile=uninstrumented
-fun:_pcre_jit_exec=uninstrumented
-fun:_pcre_jit_free=uninstrumented
-fun:_pcre_jit_get_size=uninstrumented
-fun:_pcre_jit_get_target=uninstrumented
-fun:_pcre_ord2utf=uninstrumented
-fun:_pcre_valid_utf=uninstrumented
-fun:_pcre_was_newline=uninstrumented
-fun:_pcre_xclass=uninstrumented
-fun:pcre_assign_jit_stack=uninstrumented
-fun:pcre_compile=uninstrumented
-fun:pcre_compile2=uninstrumented
-fun:pcre_config=uninstrumented
-fun:pcre_copy_named_substring=uninstrumented
-fun:pcre_copy_substring=uninstrumented
-fun:pcre_dfa_exec=uninstrumented
-fun:pcre_exec=uninstrumented
-fun:pcre_free_study=uninstrumented
-fun:pcre_free_substring=uninstrumented
-fun:pcre_free_substring_list=uninstrumented
-fun:pcre_fullinfo=uninstrumented
-fun:pcre_get_named_substring=uninstrumented
-fun:pcre_get_stringnumber=uninstrumented
-fun:pcre_get_stringtable_entries=uninstrumented
-fun:pcre_get_substring=uninstrumented
-fun:pcre_get_substring_list=uninstrumented
-fun:pcre_info=uninstrumented
-fun:pcre_jit_exec=uninstrumented
-fun:pcre_jit_free_unused_memory=uninstrumented
-fun:pcre_jit_stack_alloc=uninstrumented
-fun:pcre_jit_stack_free=uninstrumented
-fun:pcre_maketables=uninstrumented
-fun:pcre_pattern_to_host_byte_order=uninstrumented
-fun:pcre_refcount=uninstrumented
-fun:pcre_study=uninstrumented
-fun:pcre_version=uninstrumented
diff --git a/fuzzers/symsan/runner.Dockerfile b/fuzzers/symsan/runner.Dockerfile
deleted file mode 100644
index 76159d030..000000000
--- a/fuzzers/symsan/runner.Dockerfile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#FROM gcr.io/fuzzbench/base-runner
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get update
-RUN apt-get -y install git cmake wget build-essential autoconf libtool python3-pip python3-setuptools apt-transport-https libboost-all-dev lsb-release software-properties-common
-RUN apt-get install -y wget libc++abi-dev libc++-dev libunwind-dev
-
-
-RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12
-ENV PATH="/out/bin:${PATH}"
-ENV PATH="/root/.cargo/bin:${PATH}"
-RUN ln -s /out/lib/libz3.so /usr/local/lib/libz3.so
-RUN ln -s /out/lib/libtcmalloc.so /usr/local/lib/libtcmalloc.so
-RUN ldconfig
-
-
-
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-ENV AFL_MAP_SIZE=900000
-ENV AFL_QUIET=1
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-#ENV AFL_NO_UI=1
-ENV AFL_NO_AFFINITY=1
-ENV AFL_SKIP_CRASHES=1
-#ENV AFL_TESTCACHE_SIZE=2
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-COPY fuz.sh /out/
-COPY fres.sh /out/
diff --git a/fuzzers/symsan/xml.abilist b/fuzzers/symsan/xml.abilist
deleted file mode 100644
index eee32b85f..000000000
--- a/fuzzers/symsan/xml.abilist
+++ /dev/null
@@ -1,1692 +0,0 @@ -fun:UTF8ToHtml=uninstrumented -fun:UTF8Toisolat1=uninstrumented -fun:__docbDefaultSAXHandler=uninstrumented -fun:__htmlDefaultSAXHandler=uninstrumented -fun:__htmlParseContent=uninstrumented -fun:__libxml2_xzclose=uninstrumented -fun:__libxml2_xzcompressed=uninstrumented -fun:__libxml2_xzdopen=uninstrumented -fun:__libxml2_xzopen=uninstrumented -fun:__libxml2_xzread=uninstrumented -fun:__oldXMLWDcompatibility=uninstrumented -fun:__xmlBufferAllocScheme=uninstrumented -fun:__xmlDefaultBufferSize=uninstrumented -fun:__xmlDefaultSAXHandler=uninstrumented -fun:__xmlDefaultSAXLocator=uninstrumented -fun:__xmlDeregisterNodeDefaultValue=uninstrumented -fun:__xmlDoValidityCheckingDefaultValue=uninstrumented -fun:__xmlErrEncoding=uninstrumented -fun:__xmlGenericError=uninstrumented -fun:__xmlGenericErrorContext=uninstrumented -fun:__xmlGetWarningsDefaultValue=uninstrumented -fun:__xmlGlobalInitMutexDestroy=uninstrumented -fun:__xmlGlobalInitMutexLock=uninstrumented -fun:__xmlGlobalInitMutexUnlock=uninstrumented -fun:__xmlIOErr=uninstrumented -fun:__xmlIndentTreeOutput=uninstrumented -fun:__xmlInitializeDict=uninstrumented -fun:__xmlKeepBlanksDefaultValue=uninstrumented -fun:__xmlLastError=uninstrumented -fun:__xmlLineNumbersDefaultValue=uninstrumented -fun:__xmlLoadExtDtdDefaultValue=uninstrumented -fun:__xmlLoaderErr=uninstrumented -fun:__xmlOutputBufferCreateFilename=uninstrumented -fun:__xmlOutputBufferCreateFilenameValue=uninstrumented -fun:__xmlParserDebugEntities=uninstrumented -fun:__xmlParserInputBufferCreateFilename=uninstrumented -fun:__xmlParserInputBufferCreateFilenameValue=uninstrumented -fun:__xmlParserVersion=uninstrumented -fun:__xmlPedanticParserDefaultValue=uninstrumented -fun:__xmlRaiseError=uninstrumented -fun:__xmlRandom=uninstrumented -fun:__xmlRegisterNodeDefaultValue=uninstrumented -fun:__xmlSaveNoEmptyTags=uninstrumented -fun:__xmlSimpleError=uninstrumented -fun:__xmlStructuredError=uninstrumented 
-fun:__xmlStructuredErrorContext=uninstrumented -fun:__xmlSubstituteEntitiesDefaultValue=uninstrumented -fun:__xmlTreeIndentString=uninstrumented -fun:attribute=uninstrumented -fun:attributeDecl=uninstrumented -fun:cdataBlock=uninstrumented -fun:characters=uninstrumented -fun:checkNamespace=uninstrumented -fun:comment=uninstrumented -fun:docbDefaultSAXHandlerInit=uninstrumented -fun:elementDecl=uninstrumented -fun:endDocument=uninstrumented -fun:endElement=uninstrumented -fun:entityDecl=uninstrumented -fun:externalSubset=uninstrumented -fun:getColumnNumber=uninstrumented -fun:getEntity=uninstrumented -fun:getLineNumber=uninstrumented -fun:getNamespace=uninstrumented -fun:getParameterEntity=uninstrumented -fun:getPublicId=uninstrumented -fun:getSystemId=uninstrumented -fun:globalNamespace=uninstrumented -fun:hasExternalSubset=uninstrumented -fun:hasInternalSubset=uninstrumented -fun:htmlAttrAllowed=uninstrumented -fun:htmlAutoCloseTag=uninstrumented -fun:htmlCreateFileParserCtxt=uninstrumented -fun:htmlCreateMemoryParserCtxt=uninstrumented -fun:htmlCreatePushParserCtxt=uninstrumented -fun:htmlCtxtReadDoc=uninstrumented -fun:htmlCtxtReadFd=uninstrumented -fun:htmlCtxtReadFile=uninstrumented -fun:htmlCtxtReadIO=uninstrumented -fun:htmlCtxtReadMemory=uninstrumented -fun:htmlCtxtReset=uninstrumented -fun:htmlCtxtUseOptions=uninstrumented -fun:htmlDecodeEntities=uninstrumented -fun:htmlDefaultSAXHandlerInit=uninstrumented -fun:htmlDocContentDumpFormatOutput=uninstrumented -fun:htmlDocContentDumpOutput=uninstrumented -fun:htmlDocDump=uninstrumented -fun:htmlDocDumpMemory=uninstrumented -fun:htmlDocDumpMemoryFormat=uninstrumented -fun:htmlElementAllowedHere=uninstrumented -fun:htmlElementStatusHere=uninstrumented -fun:htmlEncodeEntities=uninstrumented -fun:htmlEntityLookup=uninstrumented -fun:htmlEntityValueLookup=uninstrumented -fun:htmlFreeParserCtxt=uninstrumented -fun:htmlGetMetaEncoding=uninstrumented -fun:htmlHandleOmittedElem=uninstrumented 
-fun:htmlInitAutoClose=uninstrumented -fun:htmlIsAutoClosed=uninstrumented -fun:htmlIsBooleanAttr=uninstrumented -fun:htmlIsScriptAttribute=uninstrumented -fun:htmlNewDoc=uninstrumented -fun:htmlNewDocNoDtD=uninstrumented -fun:htmlNewParserCtxt=uninstrumented -fun:htmlNodeDump=uninstrumented -fun:htmlNodeDumpFile=uninstrumented -fun:htmlNodeDumpFileFormat=uninstrumented -fun:htmlNodeDumpFormatOutput=uninstrumented -fun:htmlNodeDumpOutput=uninstrumented -fun:htmlNodeStatus=uninstrumented -fun:htmlParseCharRef=uninstrumented -fun:htmlParseChunk=uninstrumented -fun:htmlParseDoc=uninstrumented -fun:htmlParseDocument=uninstrumented -fun:htmlParseElement=uninstrumented -fun:htmlParseEntityRef=uninstrumented -fun:htmlParseFile=uninstrumented -fun:htmlReadDoc=uninstrumented -fun:htmlReadFd=uninstrumented -fun:htmlReadFile=uninstrumented -fun:htmlReadIO=uninstrumented -fun:htmlReadMemory=uninstrumented -fun:htmlSAXParseDoc=uninstrumented -fun:htmlSAXParseFile=uninstrumented -fun:htmlSaveFile=uninstrumented -fun:htmlSaveFileEnc=uninstrumented -fun:htmlSaveFileFormat=uninstrumented -fun:htmlSetMetaEncoding=uninstrumented -fun:htmlTagLookup=uninstrumented -fun:ignorableWhitespace=uninstrumented -fun:initGenericErrorDefaultFunc=uninstrumented -fun:initdocbDefaultSAXHandler=uninstrumented -fun:inithtmlDefaultSAXHandler=uninstrumented -fun:initxmlDefaultSAXHandler=uninstrumented -fun:inputPop=uninstrumented -fun:inputPush=uninstrumented -fun:internalSubset=uninstrumented -fun:isStandalone=uninstrumented -fun:isolat1ToUTF8=uninstrumented -fun:libxml_domnode_binary_insertion_sort=uninstrumented -fun:libxml_domnode_tim_sort=uninstrumented -fun:namePop=uninstrumented -fun:namePush=uninstrumented -fun:namespaceDecl=uninstrumented -fun:nodePop=uninstrumented -fun:nodePush=uninstrumented -fun:notationDecl=uninstrumented -fun:processingInstruction=uninstrumented -fun:reference=uninstrumented -fun:resolveEntity=uninstrumented -fun:setDocumentLocator=uninstrumented 
-fun:setNamespace=uninstrumented -fun:startDocument=uninstrumented -fun:startElement=uninstrumented -fun:unparsedEntityDecl=uninstrumented -fun:valuePop=uninstrumented -fun:valuePush=uninstrumented -fun:xlinkGetDefaultDetect=uninstrumented -fun:xlinkGetDefaultHandler=uninstrumented -fun:xlinkIsLink=uninstrumented -fun:xlinkSetDefaultDetect=uninstrumented -fun:xlinkSetDefaultHandler=uninstrumented -fun:xmlACatalogAdd=uninstrumented -fun:xmlACatalogDump=uninstrumented -fun:xmlACatalogRemove=uninstrumented -fun:xmlACatalogResolve=uninstrumented -fun:xmlACatalogResolvePublic=uninstrumented -fun:xmlACatalogResolveSystem=uninstrumented -fun:xmlACatalogResolveURI=uninstrumented -fun:xmlAddAttributeDecl=uninstrumented -fun:xmlAddChild=uninstrumented -fun:xmlAddChildList=uninstrumented -fun:xmlAddDocEntity=uninstrumented -fun:xmlAddDtdEntity=uninstrumented -fun:xmlAddElementDecl=uninstrumented -fun:xmlAddEncodingAlias=uninstrumented -fun:xmlAddID=uninstrumented -fun:xmlAddNextSibling=uninstrumented -fun:xmlAddNotationDecl=uninstrumented -fun:xmlAddPrevSibling=uninstrumented -fun:xmlAddRef=uninstrumented -fun:xmlAddSibling=uninstrumented -fun:xmlAllocOutputBuffer=uninstrumented -fun:xmlAllocOutputBufferInternal=uninstrumented -fun:xmlAllocParserInputBuffer=uninstrumented -fun:xmlAttrSerializeTxtContent=uninstrumented -fun:xmlAutomataCompile=uninstrumented -fun:xmlAutomataGetInitState=uninstrumented -fun:xmlAutomataIsDeterminist=uninstrumented -fun:xmlAutomataNewAllTrans=uninstrumented -fun:xmlAutomataNewCountTrans=uninstrumented -fun:xmlAutomataNewCountTrans2=uninstrumented -fun:xmlAutomataNewCountedTrans=uninstrumented -fun:xmlAutomataNewCounter=uninstrumented -fun:xmlAutomataNewCounterTrans=uninstrumented -fun:xmlAutomataNewEpsilon=uninstrumented -fun:xmlAutomataNewNegTrans=uninstrumented -fun:xmlAutomataNewOnceTrans=uninstrumented -fun:xmlAutomataNewOnceTrans2=uninstrumented -fun:xmlAutomataNewState=uninstrumented -fun:xmlAutomataNewTransition=uninstrumented 
-fun:xmlAutomataNewTransition2=uninstrumented -fun:xmlAutomataSetFinalState=uninstrumented -fun:xmlAutomataSetFlags=uninstrumented -fun:xmlBoolToText=uninstrumented -fun:xmlBufAdd=uninstrumented -fun:xmlBufAddHead=uninstrumented -fun:xmlBufAddLen=uninstrumented -fun:xmlBufAttrSerializeTxtContent=uninstrumented -fun:xmlBufAvail=uninstrumented -fun:xmlBufBackToBuffer=uninstrumented -fun:xmlBufCCat=uninstrumented -fun:xmlBufCat=uninstrumented -fun:xmlBufContent=uninstrumented -fun:xmlBufCreate=uninstrumented -fun:xmlBufCreateSize=uninstrumented -fun:xmlBufCreateStatic=uninstrumented -fun:xmlBufDetach=uninstrumented -fun:xmlBufDump=uninstrumented -fun:xmlBufDumpAttributeDecl=uninstrumented -fun:xmlBufDumpElementDecl=uninstrumented -fun:xmlBufDumpEntityDecl=uninstrumented -fun:xmlBufDumpNotationTable=uninstrumented -fun:xmlBufEmpty=uninstrumented -fun:xmlBufEnd=uninstrumented -fun:xmlBufErase=uninstrumented -fun:xmlBufFree=uninstrumented -fun:xmlBufFromBuffer=uninstrumented -fun:xmlBufGetAllocationScheme=uninstrumented -fun:xmlBufGetInputBase=uninstrumented -fun:xmlBufGetNodeContent=uninstrumented -fun:xmlBufGrow=uninstrumented -fun:xmlBufInflate=uninstrumented -fun:xmlBufIsEmpty=uninstrumented -fun:xmlBufLength=uninstrumented -fun:xmlBufMergeBuffer=uninstrumented -fun:xmlBufNodeDump=uninstrumented -fun:xmlBufResetInput=uninstrumented -fun:xmlBufResize=uninstrumented -fun:xmlBufSetAllocationScheme=uninstrumented -fun:xmlBufSetInputBaseCur=uninstrumented -fun:xmlBufShrink=uninstrumented -fun:xmlBufUse=uninstrumented -fun:xmlBufWriteCHAR=uninstrumented -fun:xmlBufWriteChar=uninstrumented -fun:xmlBufWriteQuotedString=uninstrumented -fun:xmlBufferAdd=uninstrumented -fun:xmlBufferAddHead=uninstrumented -fun:xmlBufferCCat=uninstrumented -fun:xmlBufferCat=uninstrumented -fun:xmlBufferContent=uninstrumented -fun:xmlBufferCreate=uninstrumented -fun:xmlBufferCreateSize=uninstrumented -fun:xmlBufferCreateStatic=uninstrumented -fun:xmlBufferDetach=uninstrumented 
-fun:xmlBufferDump=uninstrumented -fun:xmlBufferEmpty=uninstrumented -fun:xmlBufferFree=uninstrumented -fun:xmlBufferGrow=uninstrumented -fun:xmlBufferLength=uninstrumented -fun:xmlBufferResize=uninstrumented -fun:xmlBufferSetAllocationScheme=uninstrumented -fun:xmlBufferShrink=uninstrumented -fun:xmlBufferWriteCHAR=uninstrumented -fun:xmlBufferWriteChar=uninstrumented -fun:xmlBufferWriteQuotedString=uninstrumented -fun:xmlBuildQName=uninstrumented -fun:xmlBuildRelativeURI=uninstrumented -fun:xmlBuildURI=uninstrumented -fun:xmlByteConsumed=uninstrumented -fun:xmlC14NDocDumpMemory=uninstrumented -fun:xmlC14NDocSave=uninstrumented -fun:xmlC14NDocSaveTo=uninstrumented -fun:xmlC14NExecute=uninstrumented -fun:xmlCanonicPath=uninstrumented -fun:xmlCatalogAdd=uninstrumented -fun:xmlCatalogAddLocal=uninstrumented -fun:xmlCatalogCleanup=uninstrumented -fun:xmlCatalogConvert=uninstrumented -fun:xmlCatalogDump=uninstrumented -fun:xmlCatalogFreeLocal=uninstrumented -fun:xmlCatalogGetDefaults=uninstrumented -fun:xmlCatalogGetPublic=uninstrumented -fun:xmlCatalogGetSystem=uninstrumented -fun:xmlCatalogIsEmpty=uninstrumented -fun:xmlCatalogLocalResolve=uninstrumented -fun:xmlCatalogLocalResolveURI=uninstrumented -fun:xmlCatalogRemove=uninstrumented -fun:xmlCatalogResolve=uninstrumented -fun:xmlCatalogResolvePublic=uninstrumented -fun:xmlCatalogResolveSystem=uninstrumented -fun:xmlCatalogResolveURI=uninstrumented -fun:xmlCatalogSetDebug=uninstrumented -fun:xmlCatalogSetDefaultPrefer=uninstrumented -fun:xmlCatalogSetDefaults=uninstrumented -fun:xmlCharEncCloseFunc=uninstrumented -fun:xmlCharEncFirstLine=uninstrumented -fun:xmlCharEncFirstLineInput=uninstrumented -fun:xmlCharEncFirstLineInt=uninstrumented -fun:xmlCharEncInFunc=uninstrumented -fun:xmlCharEncInput=uninstrumented -fun:xmlCharEncOutFunc=uninstrumented -fun:xmlCharEncOutput=uninstrumented -fun:xmlCharInRange=uninstrumented -fun:xmlCharStrdup=uninstrumented -fun:xmlCharStrndup=uninstrumented 
-fun:xmlCheckFilename=uninstrumented -fun:xmlCheckHTTPInput=uninstrumented -fun:xmlCheckLanguageID=uninstrumented -fun:xmlCheckUTF8=uninstrumented -fun:xmlCheckVersion=uninstrumented -fun:xmlChildElementCount=uninstrumented -fun:xmlCleanupCharEncodingHandlers=uninstrumented -fun:xmlCleanupEncodingAliases=uninstrumented -fun:xmlCleanupGlobals=uninstrumented -fun:xmlCleanupInputCallbacks=uninstrumented -fun:xmlCleanupMemory=uninstrumented -fun:xmlCleanupOutputCallbacks=uninstrumented -fun:xmlCleanupParser=uninstrumented -fun:xmlCleanupPredefinedEntities=uninstrumented -fun:xmlCleanupThreads=uninstrumented -fun:xmlClearNodeInfoSeq=uninstrumented -fun:xmlClearParserCtxt=uninstrumented -fun:xmlConvertSGMLCatalog=uninstrumented -fun:xmlCopyAttributeTable=uninstrumented -fun:xmlCopyChar=uninstrumented -fun:xmlCopyCharMultiByte=uninstrumented -fun:xmlCopyDoc=uninstrumented -fun:xmlCopyDocElementContent=uninstrumented -fun:xmlCopyDtd=uninstrumented -fun:xmlCopyElementContent=uninstrumented -fun:xmlCopyElementTable=uninstrumented -fun:xmlCopyEntitiesTable=uninstrumented -fun:xmlCopyEnumeration=uninstrumented -fun:xmlCopyError=uninstrumented -fun:xmlCopyNamespace=uninstrumented -fun:xmlCopyNamespaceList=uninstrumented -fun:xmlCopyNode=uninstrumented -fun:xmlCopyNodeList=uninstrumented -fun:xmlCopyNotationTable=uninstrumented -fun:xmlCopyProp=uninstrumented -fun:xmlCopyPropList=uninstrumented -fun:xmlCreateDocParserCtxt=uninstrumented -fun:xmlCreateEntitiesTable=uninstrumented -fun:xmlCreateEntityParserCtxt=uninstrumented -fun:xmlCreateEnumeration=uninstrumented -fun:xmlCreateFileParserCtxt=uninstrumented -fun:xmlCreateIOParserCtxt=uninstrumented -fun:xmlCreateIntSubset=uninstrumented -fun:xmlCreateMemoryParserCtxt=uninstrumented -fun:xmlCreatePushParserCtxt=uninstrumented -fun:xmlCreateURI=uninstrumented -fun:xmlCreateURLParserCtxt=uninstrumented -fun:xmlCtxtGetLastError=uninstrumented -fun:xmlCtxtReadDoc=uninstrumented -fun:xmlCtxtReadFd=uninstrumented 
-fun:xmlCtxtReadFile=uninstrumented -fun:xmlCtxtReadIO=uninstrumented -fun:xmlCtxtReadMemory=uninstrumented -fun:xmlCtxtReset=uninstrumented -fun:xmlCtxtResetLastError=uninstrumented -fun:xmlCtxtResetPush=uninstrumented -fun:xmlCtxtUseOptions=uninstrumented -fun:xmlCurrentChar=uninstrumented -fun:xmlDOMWrapAdoptNode=uninstrumented -fun:xmlDOMWrapCloneNode=uninstrumented -fun:xmlDOMWrapFreeCtxt=uninstrumented -fun:xmlDOMWrapNewCtxt=uninstrumented -fun:xmlDOMWrapReconcileNamespaces=uninstrumented -fun:xmlDOMWrapRemoveNode=uninstrumented -fun:xmlDebugCheckDocument=uninstrumented -fun:xmlDebugDumpAttr=uninstrumented -fun:xmlDebugDumpAttrList=uninstrumented -fun:xmlDebugDumpDTD=uninstrumented -fun:xmlDebugDumpDocument=uninstrumented -fun:xmlDebugDumpDocumentHead=uninstrumented -fun:xmlDebugDumpEntities=uninstrumented -fun:xmlDebugDumpNode=uninstrumented -fun:xmlDebugDumpNodeList=uninstrumented -fun:xmlDebugDumpOneNode=uninstrumented -fun:xmlDebugDumpString=uninstrumented -fun:xmlDecodeEntities=uninstrumented -fun:xmlDefaultSAXHandlerInit=uninstrumented -fun:xmlDelEncodingAlias=uninstrumented -fun:xmlDeregisterNodeDefault=uninstrumented -fun:xmlDetectCharEncoding=uninstrumented -fun:xmlDictCleanup=uninstrumented -fun:xmlDictCreate=uninstrumented -fun:xmlDictCreateSub=uninstrumented -fun:xmlDictExists=uninstrumented -fun:xmlDictFree=uninstrumented -fun:xmlDictGetUsage=uninstrumented -fun:xmlDictLookup=uninstrumented -fun:xmlDictOwns=uninstrumented -fun:xmlDictQLookup=uninstrumented -fun:xmlDictReference=uninstrumented -fun:xmlDictSetLimit=uninstrumented -fun:xmlDictSize=uninstrumented -fun:xmlDocCopyNode=uninstrumented -fun:xmlDocCopyNodeList=uninstrumented -fun:xmlDocDump=uninstrumented -fun:xmlDocDumpFormatMemory=uninstrumented -fun:xmlDocDumpFormatMemoryEnc=uninstrumented -fun:xmlDocDumpMemory=uninstrumented -fun:xmlDocDumpMemoryEnc=uninstrumented -fun:xmlDocFormatDump=uninstrumented -fun:xmlDocGetRootElement=uninstrumented -fun:xmlDocSetRootElement=uninstrumented 
-fun:xmlDumpAttributeDecl=uninstrumented -fun:xmlDumpAttributeTable=uninstrumented -fun:xmlDumpElementDecl=uninstrumented -fun:xmlDumpElementTable=uninstrumented -fun:xmlDumpEntitiesTable=uninstrumented -fun:xmlDumpEntityDecl=uninstrumented -fun:xmlDumpNotationDecl=uninstrumented -fun:xmlDumpNotationTable=uninstrumented -fun:xmlElemDump=uninstrumented -fun:xmlEncodeAttributeEntities=uninstrumented -fun:xmlEncodeEntities=uninstrumented -fun:xmlEncodeEntitiesReentrant=uninstrumented -fun:xmlEncodeSpecialChars=uninstrumented -fun:xmlErrMemory=uninstrumented -fun:xmlEscapeFormatString=uninstrumented -fun:xmlFileClose=uninstrumented -fun:xmlFileMatch=uninstrumented -fun:xmlFileOpen=uninstrumented -fun:xmlFileRead=uninstrumented -fun:xmlFindCharEncodingHandler=uninstrumented -fun:xmlFirstElementChild=uninstrumented -fun:xmlFreeAttributeTable=uninstrumented -fun:xmlFreeAutomata=uninstrumented -fun:xmlFreeCatalog=uninstrumented -fun:xmlFreeDoc=uninstrumented -fun:xmlFreeDocElementContent=uninstrumented -fun:xmlFreeDtd=uninstrumented -fun:xmlFreeElementContent=uninstrumented -fun:xmlFreeElementTable=uninstrumented -fun:xmlFreeEntitiesTable=uninstrumented -fun:xmlFreeEnumeration=uninstrumented -fun:xmlFreeIDTable=uninstrumented -fun:xmlFreeInputStream=uninstrumented -fun:xmlFreeMutex=uninstrumented -fun:xmlFreeNode=uninstrumented -fun:xmlFreeNodeList=uninstrumented -fun:xmlFreeNotationTable=uninstrumented -fun:xmlFreeNs=uninstrumented -fun:xmlFreeNsList=uninstrumented -fun:xmlFreeParserCtxt=uninstrumented -fun:xmlFreeParserInputBuffer=uninstrumented -fun:xmlFreePattern=uninstrumented -fun:xmlFreePatternList=uninstrumented -fun:xmlFreeProp=uninstrumented -fun:xmlFreePropList=uninstrumented -fun:xmlFreeRMutex=uninstrumented -fun:xmlFreeRefTable=uninstrumented -fun:xmlFreeStreamCtxt=uninstrumented -fun:xmlFreeTextReader=uninstrumented -fun:xmlFreeTextWriter=uninstrumented -fun:xmlFreeURI=uninstrumented -fun:xmlFreeValidCtxt=uninstrumented -fun:xmlGcMemGet=uninstrumented 
-fun:xmlGcMemSetup=uninstrumented -fun:xmlGenericErrorDefaultFunc=uninstrumented -fun:xmlGetBufferAllocationScheme=uninstrumented -fun:xmlGetCharEncodingHandler=uninstrumented -fun:xmlGetCharEncodingName=uninstrumented -fun:xmlGetCompressMode=uninstrumented -fun:xmlGetDocCompressMode=uninstrumented -fun:xmlGetDocEntity=uninstrumented -fun:xmlGetDtdAttrDesc=uninstrumented -fun:xmlGetDtdElementDesc=uninstrumented -fun:xmlGetDtdEntity=uninstrumented -fun:xmlGetDtdNotationDesc=uninstrumented -fun:xmlGetDtdQAttrDesc=uninstrumented -fun:xmlGetDtdQElementDesc=uninstrumented -fun:xmlGetEncodingAlias=uninstrumented -fun:xmlGetExternalEntityLoader=uninstrumented -fun:xmlGetFeature=uninstrumented -fun:xmlGetFeaturesList=uninstrumented -fun:xmlGetGlobalState=uninstrumented -fun:xmlGetID=uninstrumented -fun:xmlGetIntSubset=uninstrumented -fun:xmlGetLastChild=uninstrumented -fun:xmlGetLastError=uninstrumented -fun:xmlGetLineNo=uninstrumented -fun:xmlGetNoNsProp=uninstrumented -fun:xmlGetNodePath=uninstrumented -fun:xmlGetNsList=uninstrumented -fun:xmlGetNsProp=uninstrumented -fun:xmlGetParameterEntity=uninstrumented -fun:xmlGetPredefinedEntity=uninstrumented -fun:xmlGetProp=uninstrumented -fun:xmlGetRefs=uninstrumented -fun:xmlGetThreadId=uninstrumented -fun:xmlGetUTF8Char=uninstrumented -fun:xmlHandleEntity=uninstrumented -fun:xmlHasFeature=uninstrumented -fun:xmlHasNsProp=uninstrumented -fun:xmlHasProp=uninstrumented -fun:xmlHashAddEntry=uninstrumented -fun:xmlHashAddEntry2=uninstrumented -fun:xmlHashAddEntry3=uninstrumented -fun:xmlHashCopy=uninstrumented -fun:xmlHashCreate=uninstrumented -fun:xmlHashCreateDict=uninstrumented -fun:xmlHashDefaultDeallocator=uninstrumented -fun:xmlHashFree=uninstrumented -fun:xmlHashLookup=uninstrumented -fun:xmlHashLookup2=uninstrumented -fun:xmlHashLookup3=uninstrumented -fun:xmlHashQLookup=uninstrumented -fun:xmlHashQLookup2=uninstrumented -fun:xmlHashQLookup3=uninstrumented -fun:xmlHashRemoveEntry=uninstrumented 
-fun:xmlHashRemoveEntry2=uninstrumented -fun:xmlHashRemoveEntry3=uninstrumented -fun:xmlHashScan=uninstrumented -fun:xmlHashScan3=uninstrumented -fun:xmlHashScanFull=uninstrumented -fun:xmlHashScanFull3=uninstrumented -fun:xmlHashSize=uninstrumented -fun:xmlHashUpdateEntry=uninstrumented -fun:xmlHashUpdateEntry2=uninstrumented -fun:xmlHashUpdateEntry3=uninstrumented -fun:xmlIOFTPClose=uninstrumented -fun:xmlIOFTPMatch=uninstrumented -fun:xmlIOFTPOpen=uninstrumented -fun:xmlIOFTPRead=uninstrumented -fun:xmlIOHTTPClose=uninstrumented -fun:xmlIOHTTPMatch=uninstrumented -fun:xmlIOHTTPOpen=uninstrumented -fun:xmlIOHTTPOpenW=uninstrumented -fun:xmlIOHTTPRead=uninstrumented -fun:xmlIOParseDTD=uninstrumented -fun:xmlInitCharEncodingHandlers=uninstrumented -fun:xmlInitGlobals=uninstrumented -fun:xmlInitMemory=uninstrumented -fun:xmlInitNodeInfoSeq=uninstrumented -fun:xmlInitParser=uninstrumented -fun:xmlInitParserCtxt=uninstrumented -fun:xmlInitThreads=uninstrumented -fun:xmlInitializeCatalog=uninstrumented -fun:xmlInitializeDict=uninstrumented -fun:xmlInitializeGlobalState=uninstrumented -fun:xmlInitializePredefinedEntities=uninstrumented -fun:xmlInputReadCallbackNop=uninstrumented -fun:xmlIsBaseChar=uninstrumented -fun:xmlIsBlank=uninstrumented -fun:xmlIsBlankNode=uninstrumented -fun:xmlIsChar=uninstrumented -fun:xmlIsCombining=uninstrumented -fun:xmlIsDigit=uninstrumented -fun:xmlIsExtender=uninstrumented -fun:xmlIsID=uninstrumented -fun:xmlIsIdeographic=uninstrumented -fun:xmlIsLetter=uninstrumented -fun:xmlIsMainThread=uninstrumented -fun:xmlIsMixedElement=uninstrumented -fun:xmlIsPubidChar=uninstrumented -fun:xmlIsRef=uninstrumented -fun:xmlIsXHTML=uninstrumented -fun:xmlKeepBlanksDefault=uninstrumented -fun:xmlLastElementChild=uninstrumented -fun:xmlLineNumbersDefault=uninstrumented -fun:xmlLinkGetData=uninstrumented -fun:xmlListAppend=uninstrumented -fun:xmlListClear=uninstrumented -fun:xmlListCopy=uninstrumented -fun:xmlListCreate=uninstrumented 
-fun:xmlListDelete=uninstrumented -fun:xmlListDup=uninstrumented -fun:xmlListEmpty=uninstrumented -fun:xmlListEnd=uninstrumented -fun:xmlListFront=uninstrumented -fun:xmlListInsert=uninstrumented -fun:xmlListMerge=uninstrumented -fun:xmlListPopBack=uninstrumented -fun:xmlListPopFront=uninstrumented -fun:xmlListPushBack=uninstrumented -fun:xmlListPushFront=uninstrumented -fun:xmlListRemoveAll=uninstrumented -fun:xmlListRemoveFirst=uninstrumented -fun:xmlListRemoveLast=uninstrumented -fun:xmlListReverse=uninstrumented -fun:xmlListReverseSearch=uninstrumented -fun:xmlListReverseWalk=uninstrumented -fun:xmlListSearch=uninstrumented -fun:xmlListSize=uninstrumented -fun:xmlListSort=uninstrumented -fun:xmlListWalk=uninstrumented -fun:xmlLoadACatalog=uninstrumented -fun:xmlLoadCatalog=uninstrumented -fun:xmlLoadCatalogs=uninstrumented -fun:xmlLoadExternalEntity=uninstrumented -fun:xmlLoadSGMLSuperCatalog=uninstrumented -fun:xmlLockLibrary=uninstrumented -fun:xmlLsCountNode=uninstrumented -fun:xmlLsOneNode=uninstrumented -fun:xmlMallocAtomicLoc=uninstrumented -fun:xmlMallocBreakpoint=uninstrumented -fun:xmlMallocLoc=uninstrumented -fun:xmlMemBlocks=uninstrumented -fun:xmlMemDisplay=uninstrumented -fun:xmlMemDisplayLast=uninstrumented -fun:xmlMemFree=uninstrumented -fun:xmlMemGet=uninstrumented -fun:xmlMemMalloc=uninstrumented -fun:xmlMemRealloc=uninstrumented -fun:xmlMemSetup=uninstrumented -fun:xmlMemShow=uninstrumented -fun:xmlMemStrdupLoc=uninstrumented -fun:xmlMemUsed=uninstrumented -fun:xmlMemoryDump=uninstrumented -fun:xmlMemoryStrdup=uninstrumented -fun:xmlModuleClose=uninstrumented -fun:xmlModuleFree=uninstrumented -fun:xmlModuleOpen=uninstrumented -fun:xmlModuleSymbol=uninstrumented -fun:xmlMutexLock=uninstrumented -fun:xmlMutexUnlock=uninstrumented -fun:xmlNamespaceParseNCName=uninstrumented -fun:xmlNamespaceParseNSDef=uninstrumented -fun:xmlNamespaceParseQName=uninstrumented -fun:xmlNanoFTPCheckResponse=uninstrumented -fun:xmlNanoFTPCleanup=uninstrumented 
-fun:xmlNanoFTPClose=uninstrumented -fun:xmlNanoFTPCloseConnection=uninstrumented -fun:xmlNanoFTPConnect=uninstrumented -fun:xmlNanoFTPConnectTo=uninstrumented -fun:xmlNanoFTPCwd=uninstrumented -fun:xmlNanoFTPDele=uninstrumented -fun:xmlNanoFTPFreeCtxt=uninstrumented -fun:xmlNanoFTPGet=uninstrumented -fun:xmlNanoFTPGetConnection=uninstrumented -fun:xmlNanoFTPGetResponse=uninstrumented -fun:xmlNanoFTPGetSocket=uninstrumented -fun:xmlNanoFTPInit=uninstrumented -fun:xmlNanoFTPList=uninstrumented -fun:xmlNanoFTPNewCtxt=uninstrumented -fun:xmlNanoFTPOpen=uninstrumented -fun:xmlNanoFTPProxy=uninstrumented -fun:xmlNanoFTPQuit=uninstrumented -fun:xmlNanoFTPRead=uninstrumented -fun:xmlNanoFTPScanProxy=uninstrumented -fun:xmlNanoFTPUpdateURL=uninstrumented -fun:xmlNanoHTTPAuthHeader=uninstrumented -fun:xmlNanoHTTPCleanup=uninstrumented -fun:xmlNanoHTTPClose=uninstrumented -fun:xmlNanoHTTPContentLength=uninstrumented -fun:xmlNanoHTTPEncoding=uninstrumented -fun:xmlNanoHTTPFetch=uninstrumented -fun:xmlNanoHTTPInit=uninstrumented -fun:xmlNanoHTTPMethod=uninstrumented -fun:xmlNanoHTTPMethodRedir=uninstrumented -fun:xmlNanoHTTPMimeType=uninstrumented -fun:xmlNanoHTTPOpen=uninstrumented -fun:xmlNanoHTTPOpenRedir=uninstrumented -fun:xmlNanoHTTPRead=uninstrumented -fun:xmlNanoHTTPRedir=uninstrumented -fun:xmlNanoHTTPReturnCode=uninstrumented -fun:xmlNanoHTTPSave=uninstrumented -fun:xmlNanoHTTPScanProxy=uninstrumented -fun:xmlNewAutomata=uninstrumented -fun:xmlNewCDataBlock=uninstrumented -fun:xmlNewCatalog=uninstrumented -fun:xmlNewCharEncodingHandler=uninstrumented -fun:xmlNewCharRef=uninstrumented -fun:xmlNewChild=uninstrumented -fun:xmlNewComment=uninstrumented -fun:xmlNewDoc=uninstrumented -fun:xmlNewDocComment=uninstrumented -fun:xmlNewDocElementContent=uninstrumented -fun:xmlNewDocFragment=uninstrumented -fun:xmlNewDocNode=uninstrumented -fun:xmlNewDocNodeEatName=uninstrumented -fun:xmlNewDocPI=uninstrumented -fun:xmlNewDocProp=uninstrumented 
-fun:xmlNewDocRawNode=uninstrumented -fun:xmlNewDocText=uninstrumented -fun:xmlNewDocTextLen=uninstrumented -fun:xmlNewDtd=uninstrumented -fun:xmlNewElementContent=uninstrumented -fun:xmlNewEntity=uninstrumented -fun:xmlNewEntityInputStream=uninstrumented -fun:xmlNewGlobalNs=uninstrumented -fun:xmlNewIOInputStream=uninstrumented -fun:xmlNewInputFromFile=uninstrumented -fun:xmlNewInputStream=uninstrumented -fun:xmlNewMutex=uninstrumented -fun:xmlNewNode=uninstrumented -fun:xmlNewNodeEatName=uninstrumented -fun:xmlNewNs=uninstrumented -fun:xmlNewNsProp=uninstrumented -fun:xmlNewNsPropEatName=uninstrumented -fun:xmlNewPI=uninstrumented -fun:xmlNewParserCtxt=uninstrumented -fun:xmlNewProp=uninstrumented -fun:xmlNewRMutex=uninstrumented -fun:xmlNewReference=uninstrumented -fun:xmlNewStringInputStream=uninstrumented -fun:xmlNewText=uninstrumented -fun:xmlNewTextChild=uninstrumented -fun:xmlNewTextLen=uninstrumented -fun:xmlNewTextReader=uninstrumented -fun:xmlNewTextReaderFilename=uninstrumented -fun:xmlNewTextWriter=uninstrumented -fun:xmlNewTextWriterDoc=uninstrumented -fun:xmlNewTextWriterFilename=uninstrumented -fun:xmlNewTextWriterMemory=uninstrumented -fun:xmlNewTextWriterPushParser=uninstrumented -fun:xmlNewTextWriterTree=uninstrumented -fun:xmlNewValidCtxt=uninstrumented -fun:xmlNextChar=uninstrumented -fun:xmlNextElementSibling=uninstrumented -fun:xmlNoNetExternalEntityLoader=uninstrumented -fun:xmlNodeAddContent=uninstrumented -fun:xmlNodeAddContentLen=uninstrumented -fun:xmlNodeBufGetContent=uninstrumented -fun:xmlNodeDump=uninstrumented -fun:xmlNodeDumpOutput=uninstrumented -fun:xmlNodeGetBase=uninstrumented -fun:xmlNodeGetContent=uninstrumented -fun:xmlNodeGetLang=uninstrumented -fun:xmlNodeGetSpacePreserve=uninstrumented -fun:xmlNodeIsText=uninstrumented -fun:xmlNodeListGetRawString=uninstrumented -fun:xmlNodeListGetString=uninstrumented -fun:xmlNodeSetBase=uninstrumented -fun:xmlNodeSetContent=uninstrumented -fun:xmlNodeSetContentLen=uninstrumented 
-fun:xmlNodeSetLang=uninstrumented -fun:xmlNodeSetName=uninstrumented -fun:xmlNodeSetSpacePreserve=uninstrumented -fun:xmlNormalizeURIPath=uninstrumented -fun:xmlNormalizeWindowsPath=uninstrumented -fun:xmlNsListDumpOutput=uninstrumented -fun:xmlOutputBufferClose=uninstrumented -fun:xmlOutputBufferCreateBuffer=uninstrumented -fun:xmlOutputBufferCreateFd=uninstrumented -fun:xmlOutputBufferCreateFile=uninstrumented -fun:xmlOutputBufferCreateFilename=uninstrumented -fun:xmlOutputBufferCreateFilenameDefault=uninstrumented -fun:xmlOutputBufferCreateIO=uninstrumented -fun:xmlOutputBufferFlush=uninstrumented -fun:xmlOutputBufferGetContent=uninstrumented -fun:xmlOutputBufferGetSize=uninstrumented -fun:xmlOutputBufferWrite=uninstrumented -fun:xmlOutputBufferWriteEscape=uninstrumented -fun:xmlOutputBufferWriteString=uninstrumented -fun:xmlParseAttValue=uninstrumented -fun:xmlParseAttribute=uninstrumented -fun:xmlParseAttributeListDecl=uninstrumented -fun:xmlParseAttributeType=uninstrumented -fun:xmlParseBalancedChunkMemory=uninstrumented -fun:xmlParseBalancedChunkMemoryRecover=uninstrumented -fun:xmlParseCDSect=uninstrumented -fun:xmlParseCatalogFile=uninstrumented -fun:xmlParseCharData=uninstrumented -fun:xmlParseCharEncoding=uninstrumented -fun:xmlParseCharRef=uninstrumented -fun:xmlParseChunk=uninstrumented -fun:xmlParseComment=uninstrumented -fun:xmlParseContent=uninstrumented -fun:xmlParseCtxtExternalEntity=uninstrumented -fun:xmlParseDTD=uninstrumented -fun:xmlParseDefaultDecl=uninstrumented -fun:xmlParseDoc=uninstrumented -fun:xmlParseDocTypeDecl=uninstrumented -fun:xmlParseDocument=uninstrumented -fun:xmlParseElement=uninstrumented -fun:xmlParseElementChildrenContentDecl=uninstrumented -fun:xmlParseElementContentDecl=uninstrumented -fun:xmlParseElementDecl=uninstrumented -fun:xmlParseElementMixedContentDecl=uninstrumented -fun:xmlParseEncName=uninstrumented -fun:xmlParseEncodingDecl=uninstrumented -fun:xmlParseEndTag=uninstrumented -fun:xmlParseEntity=uninstrumented 
-fun:xmlParseEntityDecl=uninstrumented -fun:xmlParseEntityRef=uninstrumented -fun:xmlParseEntityValue=uninstrumented -fun:xmlParseEnumeratedType=uninstrumented -fun:xmlParseEnumerationType=uninstrumented -fun:xmlParseExtParsedEnt=uninstrumented -fun:xmlParseExternalEntity=uninstrumented -fun:xmlParseExternalID=uninstrumented -fun:xmlParseExternalSubset=uninstrumented -fun:xmlParseFile=uninstrumented -fun:xmlParseInNodeContext=uninstrumented -fun:xmlParseMarkupDecl=uninstrumented -fun:xmlParseMemory=uninstrumented -fun:xmlParseMisc=uninstrumented -fun:xmlParseName=uninstrumented -fun:xmlParseNamespace=uninstrumented -fun:xmlParseNmtoken=uninstrumented -fun:xmlParseNotationDecl=uninstrumented -fun:xmlParseNotationType=uninstrumented -fun:xmlParsePEReference=uninstrumented -fun:xmlParsePI=uninstrumented -fun:xmlParsePITarget=uninstrumented -fun:xmlParsePubidLiteral=uninstrumented -fun:xmlParseQuotedString=uninstrumented -fun:xmlParseReference=uninstrumented -fun:xmlParseSDDecl=uninstrumented -fun:xmlParseStartTag=uninstrumented -fun:xmlParseSystemLiteral=uninstrumented -fun:xmlParseTextDecl=uninstrumented -fun:xmlParseURI=uninstrumented -fun:xmlParseURIRaw=uninstrumented -fun:xmlParseURIReference=uninstrumented -fun:xmlParseVersionInfo=uninstrumented -fun:xmlParseVersionNum=uninstrumented -fun:xmlParseXMLDecl=uninstrumented -fun:xmlParserAddNodeInfo=uninstrumented -fun:xmlParserError=uninstrumented -fun:xmlParserFindNodeInfo=uninstrumented -fun:xmlParserFindNodeInfoIndex=uninstrumented -fun:xmlParserGetDirectory=uninstrumented -fun:xmlParserHandlePEReference=uninstrumented -fun:xmlParserHandleReference=uninstrumented -fun:xmlParserInputBufferCreateFd=uninstrumented -fun:xmlParserInputBufferCreateFile=uninstrumented -fun:xmlParserInputBufferCreateFilename=uninstrumented -fun:xmlParserInputBufferCreateFilenameDefault=uninstrumented -fun:xmlParserInputBufferCreateIO=uninstrumented -fun:xmlParserInputBufferCreateMem=uninstrumented 
-fun:xmlParserInputBufferCreateStatic=uninstrumented -fun:xmlParserInputBufferGrow=uninstrumented -fun:xmlParserInputBufferPush=uninstrumented -fun:xmlParserInputBufferRead=uninstrumented -fun:xmlParserInputGrow=uninstrumented -fun:xmlParserInputRead=uninstrumented -fun:xmlParserInputShrink=uninstrumented -fun:xmlParserPrintFileContext=uninstrumented -fun:xmlParserPrintFileInfo=uninstrumented -fun:xmlParserValidityError=uninstrumented -fun:xmlParserValidityWarning=uninstrumented -fun:xmlParserWarning=uninstrumented -fun:xmlPathToURI=uninstrumented -fun:xmlPatternFromRoot=uninstrumented -fun:xmlPatternGetStreamCtxt=uninstrumented -fun:xmlPatternMatch=uninstrumented -fun:xmlPatternMaxDepth=uninstrumented -fun:xmlPatternMinDepth=uninstrumented -fun:xmlPatternStreamable=uninstrumented -fun:xmlPatterncompile=uninstrumented -fun:xmlPedanticParserDefault=uninstrumented -fun:xmlPopInput=uninstrumented -fun:xmlPopInputCallbacks=uninstrumented -fun:xmlPreviousElementSibling=uninstrumented -fun:xmlPrintURI=uninstrumented -fun:xmlPushInput=uninstrumented -fun:xmlRMutexLock=uninstrumented -fun:xmlRMutexUnlock=uninstrumented -fun:xmlReadDoc=uninstrumented -fun:xmlReadFd=uninstrumented -fun:xmlReadFile=uninstrumented -fun:xmlReadIO=uninstrumented -fun:xmlReadMemory=uninstrumented -fun:xmlReaderForDoc=uninstrumented -fun:xmlReaderForFd=uninstrumented -fun:xmlReaderForFile=uninstrumented -fun:xmlReaderForIO=uninstrumented -fun:xmlReaderForMemory=uninstrumented -fun:xmlReaderNewDoc=uninstrumented -fun:xmlReaderNewFd=uninstrumented -fun:xmlReaderNewFile=uninstrumented -fun:xmlReaderNewIO=uninstrumented -fun:xmlReaderNewMemory=uninstrumented -fun:xmlReaderNewWalker=uninstrumented -fun:xmlReaderWalker=uninstrumented -fun:xmlReallocLoc=uninstrumented -fun:xmlReconciliateNs=uninstrumented -fun:xmlRecoverDoc=uninstrumented -fun:xmlRecoverFile=uninstrumented -fun:xmlRecoverMemory=uninstrumented -fun:xmlRegExecErrInfo=uninstrumented -fun:xmlRegExecNextValues=uninstrumented 
-fun:xmlRegExecPushString=uninstrumented -fun:xmlRegExecPushString2=uninstrumented -fun:xmlRegFreeExecCtxt=uninstrumented -fun:xmlRegFreeRegexp=uninstrumented -fun:xmlRegNewExecCtxt=uninstrumented -fun:xmlRegexpCompile=uninstrumented -fun:xmlRegexpExec=uninstrumented -fun:xmlRegexpIsDeterminist=uninstrumented -fun:xmlRegexpPrint=uninstrumented -fun:xmlRegisterCharEncodingHandler=uninstrumented -fun:xmlRegisterDefaultInputCallbacks=uninstrumented -fun:xmlRegisterDefaultOutputCallbacks=uninstrumented -fun:xmlRegisterHTTPPostCallbacks=uninstrumented -fun:xmlRegisterInputCallbacks=uninstrumented -fun:xmlRegisterNodeDefault=uninstrumented -fun:xmlRegisterOutputCallbacks=uninstrumented -fun:xmlRelaxNGCleanupTypes=uninstrumented -fun:xmlRelaxNGDump=uninstrumented -fun:xmlRelaxNGDumpTree=uninstrumented -fun:xmlRelaxNGFree=uninstrumented -fun:xmlRelaxNGFreeParserCtxt=uninstrumented -fun:xmlRelaxNGFreeValidCtxt=uninstrumented -fun:xmlRelaxNGGetParserErrors=uninstrumented -fun:xmlRelaxNGGetValidErrors=uninstrumented -fun:xmlRelaxNGInitTypes=uninstrumented -fun:xmlRelaxNGNewDocParserCtxt=uninstrumented -fun:xmlRelaxNGNewMemParserCtxt=uninstrumented -fun:xmlRelaxNGNewParserCtxt=uninstrumented -fun:xmlRelaxNGNewValidCtxt=uninstrumented -fun:xmlRelaxNGParse=uninstrumented -fun:xmlRelaxNGSetParserErrors=uninstrumented -fun:xmlRelaxNGSetParserStructuredErrors=uninstrumented -fun:xmlRelaxNGSetValidErrors=uninstrumented -fun:xmlRelaxNGSetValidStructuredErrors=uninstrumented -fun:xmlRelaxNGValidateDoc=uninstrumented -fun:xmlRelaxNGValidateFullElement=uninstrumented -fun:xmlRelaxNGValidatePopElement=uninstrumented -fun:xmlRelaxNGValidatePushCData=uninstrumented -fun:xmlRelaxNGValidatePushElement=uninstrumented -fun:xmlRelaxParserSetFlag=uninstrumented -fun:xmlRemoveID=uninstrumented -fun:xmlRemoveProp=uninstrumented -fun:xmlRemoveRef=uninstrumented -fun:xmlReplaceNode=uninstrumented -fun:xmlResetError=uninstrumented -fun:xmlResetLastError=uninstrumented 
-fun:xmlSAX2AttributeDecl=uninstrumented -fun:xmlSAX2CDataBlock=uninstrumented -fun:xmlSAX2Characters=uninstrumented -fun:xmlSAX2Comment=uninstrumented -fun:xmlSAX2ElementDecl=uninstrumented -fun:xmlSAX2EndDocument=uninstrumented -fun:xmlSAX2EndElement=uninstrumented -fun:xmlSAX2EndElementNs=uninstrumented -fun:xmlSAX2EntityDecl=uninstrumented -fun:xmlSAX2ExternalSubset=uninstrumented -fun:xmlSAX2GetColumnNumber=uninstrumented -fun:xmlSAX2GetEntity=uninstrumented -fun:xmlSAX2GetLineNumber=uninstrumented -fun:xmlSAX2GetParameterEntity=uninstrumented -fun:xmlSAX2GetPublicId=uninstrumented -fun:xmlSAX2GetSystemId=uninstrumented -fun:xmlSAX2HasExternalSubset=uninstrumented -fun:xmlSAX2HasInternalSubset=uninstrumented -fun:xmlSAX2IgnorableWhitespace=uninstrumented -fun:xmlSAX2InitDefaultSAXHandler=uninstrumented -fun:xmlSAX2InitDocbDefaultSAXHandler=uninstrumented -fun:xmlSAX2InitHtmlDefaultSAXHandler=uninstrumented -fun:xmlSAX2InternalSubset=uninstrumented -fun:xmlSAX2IsStandalone=uninstrumented -fun:xmlSAX2NotationDecl=uninstrumented -fun:xmlSAX2ProcessingInstruction=uninstrumented -fun:xmlSAX2Reference=uninstrumented -fun:xmlSAX2ResolveEntity=uninstrumented -fun:xmlSAX2SetDocumentLocator=uninstrumented -fun:xmlSAX2StartDocument=uninstrumented -fun:xmlSAX2StartElement=uninstrumented -fun:xmlSAX2StartElementNs=uninstrumented -fun:xmlSAX2UnparsedEntityDecl=uninstrumented -fun:xmlSAXDefaultVersion=uninstrumented -fun:xmlSAXParseDTD=uninstrumented -fun:xmlSAXParseDoc=uninstrumented -fun:xmlSAXParseEntity=uninstrumented -fun:xmlSAXParseFile=uninstrumented -fun:xmlSAXParseFileWithData=uninstrumented -fun:xmlSAXParseMemory=uninstrumented -fun:xmlSAXParseMemoryWithData=uninstrumented -fun:xmlSAXUserParseFile=uninstrumented -fun:xmlSAXUserParseMemory=uninstrumented -fun:xmlSAXVersion=uninstrumented -fun:xmlSaveClose=uninstrumented -fun:xmlSaveDoc=uninstrumented -fun:xmlSaveFile=uninstrumented -fun:xmlSaveFileEnc=uninstrumented -fun:xmlSaveFileTo=uninstrumented 
-fun:xmlSaveFlush=uninstrumented -fun:xmlSaveFormatFile=uninstrumented -fun:xmlSaveFormatFileEnc=uninstrumented -fun:xmlSaveFormatFileTo=uninstrumented -fun:xmlSaveSetAttrEscape=uninstrumented -fun:xmlSaveSetEscape=uninstrumented -fun:xmlSaveToBuffer=uninstrumented -fun:xmlSaveToFd=uninstrumented -fun:xmlSaveToFilename=uninstrumented -fun:xmlSaveToIO=uninstrumented -fun:xmlSaveTree=uninstrumented -fun:xmlSaveUri=uninstrumented -fun:xmlScanName=uninstrumented -fun:xmlSchemaCheckFacet=uninstrumented -fun:xmlSchemaCleanupTypes=uninstrumented -fun:xmlSchemaCollapseString=uninstrumented -fun:xmlSchemaCompareValues=uninstrumented -fun:xmlSchemaCompareValuesWhtsp=uninstrumented -fun:xmlSchemaCopyValue=uninstrumented -fun:xmlSchemaDump=uninstrumented -fun:xmlSchemaFree=uninstrumented -fun:xmlSchemaFreeFacet=uninstrumented -fun:xmlSchemaFreeParserCtxt=uninstrumented -fun:xmlSchemaFreeType=uninstrumented -fun:xmlSchemaFreeValidCtxt=uninstrumented -fun:xmlSchemaFreeValue=uninstrumented -fun:xmlSchemaFreeWildcard=uninstrumented -fun:xmlSchemaGetBuiltInListSimpleTypeItemType=uninstrumented -fun:xmlSchemaGetBuiltInType=uninstrumented -fun:xmlSchemaGetCanonValue=uninstrumented -fun:xmlSchemaGetCanonValueWhtsp=uninstrumented -fun:xmlSchemaGetFacetValueAsULong=uninstrumented -fun:xmlSchemaGetParserErrors=uninstrumented -fun:xmlSchemaGetPredefinedType=uninstrumented -fun:xmlSchemaGetValType=uninstrumented -fun:xmlSchemaGetValidErrors=uninstrumented -fun:xmlSchemaInitTypes=uninstrumented -fun:xmlSchemaIsBuiltInTypeFacet=uninstrumented -fun:xmlSchemaIsValid=uninstrumented -fun:xmlSchemaNewDocParserCtxt=uninstrumented -fun:xmlSchemaNewFacet=uninstrumented -fun:xmlSchemaNewMemParserCtxt=uninstrumented -fun:xmlSchemaNewNOTATIONValue=uninstrumented -fun:xmlSchemaNewParserCtxt=uninstrumented -fun:xmlSchemaNewQNameValue=uninstrumented -fun:xmlSchemaNewStringValue=uninstrumented -fun:xmlSchemaNewValidCtxt=uninstrumented -fun:xmlSchemaParse=uninstrumented -fun:xmlSchemaSAXPlug=uninstrumented 
-fun:xmlSchemaSAXUnplug=uninstrumented -fun:xmlSchemaSetParserErrors=uninstrumented -fun:xmlSchemaSetParserStructuredErrors=uninstrumented -fun:xmlSchemaSetValidErrors=uninstrumented -fun:xmlSchemaSetValidOptions=uninstrumented -fun:xmlSchemaSetValidStructuredErrors=uninstrumented -fun:xmlSchemaValPredefTypeNode=uninstrumented -fun:xmlSchemaValPredefTypeNodeNoNorm=uninstrumented -fun:xmlSchemaValidCtxtGetOptions=uninstrumented -fun:xmlSchemaValidCtxtGetParserCtxt=uninstrumented -fun:xmlSchemaValidateDoc=uninstrumented -fun:xmlSchemaValidateFacet=uninstrumented -fun:xmlSchemaValidateFacetWhtsp=uninstrumented -fun:xmlSchemaValidateFile=uninstrumented -fun:xmlSchemaValidateLengthFacet=uninstrumented -fun:xmlSchemaValidateLengthFacetWhtsp=uninstrumented -fun:xmlSchemaValidateListSimpleTypeFacet=uninstrumented -fun:xmlSchemaValidateOneElement=uninstrumented -fun:xmlSchemaValidatePredefinedType=uninstrumented -fun:xmlSchemaValidateSetFilename=uninstrumented -fun:xmlSchemaValidateSetLocator=uninstrumented -fun:xmlSchemaValidateStream=uninstrumented -fun:xmlSchemaValueAppend=uninstrumented -fun:xmlSchemaValueGetAsBoolean=uninstrumented -fun:xmlSchemaValueGetAsString=uninstrumented -fun:xmlSchemaValueGetNext=uninstrumented -fun:xmlSchemaWhiteSpaceReplace=uninstrumented -fun:xmlSchematronFree=uninstrumented -fun:xmlSchematronFreeParserCtxt=uninstrumented -fun:xmlSchematronFreeValidCtxt=uninstrumented -fun:xmlSchematronNewDocParserCtxt=uninstrumented -fun:xmlSchematronNewMemParserCtxt=uninstrumented -fun:xmlSchematronNewParserCtxt=uninstrumented -fun:xmlSchematronNewValidCtxt=uninstrumented -fun:xmlSchematronParse=uninstrumented -fun:xmlSchematronSetValidStructuredErrors=uninstrumented -fun:xmlSchematronValidateDoc=uninstrumented -fun:xmlSearchNs=uninstrumented -fun:xmlSearchNsByHref=uninstrumented -fun:xmlSetBufferAllocationScheme=uninstrumented -fun:xmlSetCompressMode=uninstrumented -fun:xmlSetDocCompressMode=uninstrumented -fun:xmlSetEntityReferenceFunc=uninstrumented 
-fun:xmlSetExternalEntityLoader=uninstrumented -fun:xmlSetFeature=uninstrumented -fun:xmlSetGenericErrorFunc=uninstrumented -fun:xmlSetListDoc=uninstrumented -fun:xmlSetNs=uninstrumented -fun:xmlSetNsProp=uninstrumented -fun:xmlSetProp=uninstrumented -fun:xmlSetStructuredErrorFunc=uninstrumented -fun:xmlSetTreeDoc=uninstrumented -fun:xmlSetupParserForBuffer=uninstrumented -fun:xmlShell=uninstrumented -fun:xmlShellBase=uninstrumented -fun:xmlShellCat=uninstrumented -fun:xmlShellDir=uninstrumented -fun:xmlShellDu=uninstrumented -fun:xmlShellList=uninstrumented -fun:xmlShellLoad=uninstrumented -fun:xmlShellPrintNode=uninstrumented -fun:xmlShellPrintXPathError=uninstrumented -fun:xmlShellPrintXPathResult=uninstrumented -fun:xmlShellPwd=uninstrumented -fun:xmlShellSave=uninstrumented -fun:xmlShellValidate=uninstrumented -fun:xmlShellWrite=uninstrumented -fun:xmlSkipBlankChars=uninstrumented -fun:xmlSnprintfElementContent=uninstrumented -fun:xmlSplitQName=uninstrumented -fun:xmlSplitQName2=uninstrumented -fun:xmlSplitQName3=uninstrumented -fun:xmlSprintfElementContent=uninstrumented -fun:xmlStopParser=uninstrumented -fun:xmlStrEqual=uninstrumented -fun:xmlStrPrintf=uninstrumented -fun:xmlStrQEqual=uninstrumented -fun:xmlStrVPrintf=uninstrumented -fun:xmlStrcasecmp=uninstrumented -fun:xmlStrcasestr=uninstrumented -fun:xmlStrcat=uninstrumented -fun:xmlStrchr=uninstrumented -fun:xmlStrcmp=uninstrumented -fun:xmlStrdup=uninstrumented -fun:xmlStreamPop=uninstrumented -fun:xmlStreamPush=uninstrumented -fun:xmlStreamPushAttr=uninstrumented -fun:xmlStreamPushNode=uninstrumented -fun:xmlStreamWantsAnyNode=uninstrumented -fun:xmlStringCurrentChar=uninstrumented -fun:xmlStringDecodeEntities=uninstrumented -fun:xmlStringGetNodeList=uninstrumented -fun:xmlStringLenDecodeEntities=uninstrumented -fun:xmlStringLenGetNodeList=uninstrumented -fun:xmlStrlen=uninstrumented -fun:xmlStrncasecmp=uninstrumented -fun:xmlStrncat=uninstrumented -fun:xmlStrncatNew=uninstrumented 
-fun:xmlStrncmp=uninstrumented -fun:xmlStrndup=uninstrumented -fun:xmlStrstr=uninstrumented -fun:xmlStrsub=uninstrumented -fun:xmlSubstituteEntitiesDefault=uninstrumented -fun:xmlSwitchEncoding=uninstrumented -fun:xmlSwitchInputEncoding=uninstrumented -fun:xmlSwitchToEncoding=uninstrumented -fun:xmlTextConcat=uninstrumented -fun:xmlTextMerge=uninstrumented -fun:xmlTextReaderAttributeCount=uninstrumented -fun:xmlTextReaderBaseUri=uninstrumented -fun:xmlTextReaderByteConsumed=uninstrumented -fun:xmlTextReaderClose=uninstrumented -fun:xmlTextReaderConstBaseUri=uninstrumented -fun:xmlTextReaderConstEncoding=uninstrumented -fun:xmlTextReaderConstLocalName=uninstrumented -fun:xmlTextReaderConstName=uninstrumented -fun:xmlTextReaderConstNamespaceUri=uninstrumented -fun:xmlTextReaderConstPrefix=uninstrumented -fun:xmlTextReaderConstString=uninstrumented -fun:xmlTextReaderConstValue=uninstrumented -fun:xmlTextReaderConstXmlLang=uninstrumented -fun:xmlTextReaderConstXmlVersion=uninstrumented -fun:xmlTextReaderCurrentDoc=uninstrumented -fun:xmlTextReaderCurrentNode=uninstrumented -fun:xmlTextReaderDepth=uninstrumented -fun:xmlTextReaderExpand=uninstrumented -fun:xmlTextReaderGetAttribute=uninstrumented -fun:xmlTextReaderGetAttributeNo=uninstrumented -fun:xmlTextReaderGetAttributeNs=uninstrumented -fun:xmlTextReaderGetErrorHandler=uninstrumented -fun:xmlTextReaderGetParserColumnNumber=uninstrumented -fun:xmlTextReaderGetParserLineNumber=uninstrumented -fun:xmlTextReaderGetParserProp=uninstrumented -fun:xmlTextReaderGetRemainder=uninstrumented -fun:xmlTextReaderHasAttributes=uninstrumented -fun:xmlTextReaderHasValue=uninstrumented -fun:xmlTextReaderIsDefault=uninstrumented -fun:xmlTextReaderIsEmptyElement=uninstrumented -fun:xmlTextReaderIsNamespaceDecl=uninstrumented -fun:xmlTextReaderIsValid=uninstrumented -fun:xmlTextReaderLocalName=uninstrumented -fun:xmlTextReaderLocatorBaseURI=uninstrumented -fun:xmlTextReaderLocatorLineNumber=uninstrumented 
-fun:xmlTextReaderLookupNamespace=uninstrumented -fun:xmlTextReaderMoveToAttribute=uninstrumented -fun:xmlTextReaderMoveToAttributeNo=uninstrumented -fun:xmlTextReaderMoveToAttributeNs=uninstrumented -fun:xmlTextReaderMoveToElement=uninstrumented -fun:xmlTextReaderMoveToFirstAttribute=uninstrumented -fun:xmlTextReaderMoveToNextAttribute=uninstrumented -fun:xmlTextReaderName=uninstrumented -fun:xmlTextReaderNamespaceUri=uninstrumented -fun:xmlTextReaderNext=uninstrumented -fun:xmlTextReaderNextSibling=uninstrumented -fun:xmlTextReaderNodeType=uninstrumented -fun:xmlTextReaderNormalization=uninstrumented -fun:xmlTextReaderPrefix=uninstrumented -fun:xmlTextReaderPreserve=uninstrumented -fun:xmlTextReaderPreservePattern=uninstrumented -fun:xmlTextReaderQuoteChar=uninstrumented -fun:xmlTextReaderRead=uninstrumented -fun:xmlTextReaderReadAttributeValue=uninstrumented -fun:xmlTextReaderReadInnerXml=uninstrumented -fun:xmlTextReaderReadOuterXml=uninstrumented -fun:xmlTextReaderReadState=uninstrumented -fun:xmlTextReaderReadString=uninstrumented -fun:xmlTextReaderRelaxNGSetSchema=uninstrumented -fun:xmlTextReaderRelaxNGValidate=uninstrumented -fun:xmlTextReaderRelaxNGValidateCtxt=uninstrumented -fun:xmlTextReaderSchemaValidate=uninstrumented -fun:xmlTextReaderSchemaValidateCtxt=uninstrumented -fun:xmlTextReaderSetErrorHandler=uninstrumented -fun:xmlTextReaderSetParserProp=uninstrumented -fun:xmlTextReaderSetSchema=uninstrumented -fun:xmlTextReaderSetStructuredErrorHandler=uninstrumented -fun:xmlTextReaderSetup=uninstrumented -fun:xmlTextReaderStandalone=uninstrumented -fun:xmlTextReaderValue=uninstrumented -fun:xmlTextReaderXmlLang=uninstrumented -fun:xmlTextWriterEndAttribute=uninstrumented -fun:xmlTextWriterEndCDATA=uninstrumented -fun:xmlTextWriterEndComment=uninstrumented -fun:xmlTextWriterEndDTD=uninstrumented -fun:xmlTextWriterEndDTDAttlist=uninstrumented -fun:xmlTextWriterEndDTDElement=uninstrumented -fun:xmlTextWriterEndDTDEntity=uninstrumented 
-fun:xmlTextWriterEndDocument=uninstrumented -fun:xmlTextWriterEndElement=uninstrumented -fun:xmlTextWriterEndPI=uninstrumented -fun:xmlTextWriterFlush=uninstrumented -fun:xmlTextWriterFullEndElement=uninstrumented -fun:xmlTextWriterSetIndent=uninstrumented -fun:xmlTextWriterSetIndentString=uninstrumented -fun:xmlTextWriterSetQuoteChar=uninstrumented -fun:xmlTextWriterStartAttribute=uninstrumented -fun:xmlTextWriterStartAttributeNS=uninstrumented -fun:xmlTextWriterStartCDATA=uninstrumented -fun:xmlTextWriterStartComment=uninstrumented -fun:xmlTextWriterStartDTD=uninstrumented -fun:xmlTextWriterStartDTDAttlist=uninstrumented -fun:xmlTextWriterStartDTDElement=uninstrumented -fun:xmlTextWriterStartDTDEntity=uninstrumented -fun:xmlTextWriterStartDocument=uninstrumented -fun:xmlTextWriterStartElement=uninstrumented -fun:xmlTextWriterStartElementNS=uninstrumented -fun:xmlTextWriterStartPI=uninstrumented -fun:xmlTextWriterWriteAttribute=uninstrumented -fun:xmlTextWriterWriteAttributeNS=uninstrumented -fun:xmlTextWriterWriteBase64=uninstrumented -fun:xmlTextWriterWriteBinHex=uninstrumented -fun:xmlTextWriterWriteCDATA=uninstrumented -fun:xmlTextWriterWriteComment=uninstrumented -fun:xmlTextWriterWriteDTD=uninstrumented -fun:xmlTextWriterWriteDTDAttlist=uninstrumented -fun:xmlTextWriterWriteDTDElement=uninstrumented -fun:xmlTextWriterWriteDTDEntity=uninstrumented -fun:xmlTextWriterWriteDTDExternalEntity=uninstrumented -fun:xmlTextWriterWriteDTDExternalEntityContents=uninstrumented -fun:xmlTextWriterWriteDTDInternalEntity=uninstrumented -fun:xmlTextWriterWriteDTDNotation=uninstrumented -fun:xmlTextWriterWriteElement=uninstrumented -fun:xmlTextWriterWriteElementNS=uninstrumented -fun:xmlTextWriterWriteFormatAttribute=uninstrumented -fun:xmlTextWriterWriteFormatAttributeNS=uninstrumented -fun:xmlTextWriterWriteFormatCDATA=uninstrumented -fun:xmlTextWriterWriteFormatComment=uninstrumented -fun:xmlTextWriterWriteFormatDTD=uninstrumented 
-fun:xmlTextWriterWriteFormatDTDAttlist=uninstrumented -fun:xmlTextWriterWriteFormatDTDElement=uninstrumented -fun:xmlTextWriterWriteFormatDTDInternalEntity=uninstrumented -fun:xmlTextWriterWriteFormatElement=uninstrumented -fun:xmlTextWriterWriteFormatElementNS=uninstrumented -fun:xmlTextWriterWriteFormatPI=uninstrumented -fun:xmlTextWriterWriteFormatRaw=uninstrumented -fun:xmlTextWriterWriteFormatString=uninstrumented -fun:xmlTextWriterWritePI=uninstrumented -fun:xmlTextWriterWriteRaw=uninstrumented -fun:xmlTextWriterWriteRawLen=uninstrumented -fun:xmlTextWriterWriteString=uninstrumented -fun:xmlTextWriterWriteVFormatAttribute=uninstrumented -fun:xmlTextWriterWriteVFormatAttributeNS=uninstrumented -fun:xmlTextWriterWriteVFormatCDATA=uninstrumented -fun:xmlTextWriterWriteVFormatComment=uninstrumented -fun:xmlTextWriterWriteVFormatDTD=uninstrumented -fun:xmlTextWriterWriteVFormatDTDAttlist=uninstrumented -fun:xmlTextWriterWriteVFormatDTDElement=uninstrumented -fun:xmlTextWriterWriteVFormatDTDInternalEntity=uninstrumented -fun:xmlTextWriterWriteVFormatElement=uninstrumented -fun:xmlTextWriterWriteVFormatElementNS=uninstrumented -fun:xmlTextWriterWriteVFormatPI=uninstrumented -fun:xmlTextWriterWriteVFormatRaw=uninstrumented -fun:xmlTextWriterWriteVFormatString=uninstrumented -fun:xmlThrDefBufferAllocScheme=uninstrumented -fun:xmlThrDefDefaultBufferSize=uninstrumented -fun:xmlThrDefDeregisterNodeDefault=uninstrumented -fun:xmlThrDefDoValidityCheckingDefaultValue=uninstrumented -fun:xmlThrDefGetWarningsDefaultValue=uninstrumented -fun:xmlThrDefIndentTreeOutput=uninstrumented -fun:xmlThrDefKeepBlanksDefaultValue=uninstrumented -fun:xmlThrDefLineNumbersDefaultValue=uninstrumented -fun:xmlThrDefLoadExtDtdDefaultValue=uninstrumented -fun:xmlThrDefOutputBufferCreateFilenameDefault=uninstrumented -fun:xmlThrDefParserDebugEntities=uninstrumented -fun:xmlThrDefParserInputBufferCreateFilenameDefault=uninstrumented -fun:xmlThrDefPedanticParserDefaultValue=uninstrumented 
-fun:xmlThrDefRegisterNodeDefault=uninstrumented -fun:xmlThrDefSaveNoEmptyTags=uninstrumented -fun:xmlThrDefSetGenericErrorFunc=uninstrumented -fun:xmlThrDefSetStructuredErrorFunc=uninstrumented -fun:xmlThrDefSubstituteEntitiesDefaultValue=uninstrumented -fun:xmlThrDefTreeIndentString=uninstrumented -fun:xmlUCSIsAegeanNumbers=uninstrumented -fun:xmlUCSIsAlphabeticPresentationForms=uninstrumented -fun:xmlUCSIsArabic=uninstrumented -fun:xmlUCSIsArabicPresentationFormsA=uninstrumented -fun:xmlUCSIsArabicPresentationFormsB=uninstrumented -fun:xmlUCSIsArmenian=uninstrumented -fun:xmlUCSIsArrows=uninstrumented -fun:xmlUCSIsBasicLatin=uninstrumented -fun:xmlUCSIsBengali=uninstrumented -fun:xmlUCSIsBlock=uninstrumented -fun:xmlUCSIsBlockElements=uninstrumented -fun:xmlUCSIsBopomofo=uninstrumented -fun:xmlUCSIsBopomofoExtended=uninstrumented -fun:xmlUCSIsBoxDrawing=uninstrumented -fun:xmlUCSIsBraillePatterns=uninstrumented -fun:xmlUCSIsBuhid=uninstrumented -fun:xmlUCSIsByzantineMusicalSymbols=uninstrumented -fun:xmlUCSIsCJKCompatibility=uninstrumented -fun:xmlUCSIsCJKCompatibilityForms=uninstrumented -fun:xmlUCSIsCJKCompatibilityIdeographs=uninstrumented -fun:xmlUCSIsCJKCompatibilityIdeographsSupplement=uninstrumented -fun:xmlUCSIsCJKRadicalsSupplement=uninstrumented -fun:xmlUCSIsCJKSymbolsandPunctuation=uninstrumented -fun:xmlUCSIsCJKUnifiedIdeographs=uninstrumented -fun:xmlUCSIsCJKUnifiedIdeographsExtensionA=uninstrumented -fun:xmlUCSIsCJKUnifiedIdeographsExtensionB=uninstrumented -fun:xmlUCSIsCat=uninstrumented -fun:xmlUCSIsCatC=uninstrumented -fun:xmlUCSIsCatCc=uninstrumented -fun:xmlUCSIsCatCf=uninstrumented -fun:xmlUCSIsCatCo=uninstrumented -fun:xmlUCSIsCatCs=uninstrumented -fun:xmlUCSIsCatL=uninstrumented -fun:xmlUCSIsCatLl=uninstrumented -fun:xmlUCSIsCatLm=uninstrumented -fun:xmlUCSIsCatLo=uninstrumented -fun:xmlUCSIsCatLt=uninstrumented -fun:xmlUCSIsCatLu=uninstrumented -fun:xmlUCSIsCatM=uninstrumented -fun:xmlUCSIsCatMc=uninstrumented 
-fun:xmlUCSIsCatMe=uninstrumented -fun:xmlUCSIsCatMn=uninstrumented -fun:xmlUCSIsCatN=uninstrumented -fun:xmlUCSIsCatNd=uninstrumented -fun:xmlUCSIsCatNl=uninstrumented -fun:xmlUCSIsCatNo=uninstrumented -fun:xmlUCSIsCatP=uninstrumented -fun:xmlUCSIsCatPc=uninstrumented -fun:xmlUCSIsCatPd=uninstrumented -fun:xmlUCSIsCatPe=uninstrumented -fun:xmlUCSIsCatPf=uninstrumented -fun:xmlUCSIsCatPi=uninstrumented -fun:xmlUCSIsCatPo=uninstrumented -fun:xmlUCSIsCatPs=uninstrumented -fun:xmlUCSIsCatS=uninstrumented -fun:xmlUCSIsCatSc=uninstrumented -fun:xmlUCSIsCatSk=uninstrumented -fun:xmlUCSIsCatSm=uninstrumented -fun:xmlUCSIsCatSo=uninstrumented -fun:xmlUCSIsCatZ=uninstrumented -fun:xmlUCSIsCatZl=uninstrumented -fun:xmlUCSIsCatZp=uninstrumented -fun:xmlUCSIsCatZs=uninstrumented -fun:xmlUCSIsCherokee=uninstrumented -fun:xmlUCSIsCombiningDiacriticalMarks=uninstrumented -fun:xmlUCSIsCombiningDiacriticalMarksforSymbols=uninstrumented -fun:xmlUCSIsCombiningHalfMarks=uninstrumented -fun:xmlUCSIsCombiningMarksforSymbols=uninstrumented -fun:xmlUCSIsControlPictures=uninstrumented -fun:xmlUCSIsCurrencySymbols=uninstrumented -fun:xmlUCSIsCypriotSyllabary=uninstrumented -fun:xmlUCSIsCyrillic=uninstrumented -fun:xmlUCSIsCyrillicSupplement=uninstrumented -fun:xmlUCSIsDeseret=uninstrumented -fun:xmlUCSIsDevanagari=uninstrumented -fun:xmlUCSIsDingbats=uninstrumented -fun:xmlUCSIsEnclosedAlphanumerics=uninstrumented -fun:xmlUCSIsEnclosedCJKLettersandMonths=uninstrumented -fun:xmlUCSIsEthiopic=uninstrumented -fun:xmlUCSIsGeneralPunctuation=uninstrumented -fun:xmlUCSIsGeometricShapes=uninstrumented -fun:xmlUCSIsGeorgian=uninstrumented -fun:xmlUCSIsGothic=uninstrumented -fun:xmlUCSIsGreek=uninstrumented -fun:xmlUCSIsGreekExtended=uninstrumented -fun:xmlUCSIsGreekandCoptic=uninstrumented -fun:xmlUCSIsGujarati=uninstrumented -fun:xmlUCSIsGurmukhi=uninstrumented -fun:xmlUCSIsHalfwidthandFullwidthForms=uninstrumented -fun:xmlUCSIsHangulCompatibilityJamo=uninstrumented 
-fun:xmlUCSIsHangulJamo=uninstrumented -fun:xmlUCSIsHangulSyllables=uninstrumented -fun:xmlUCSIsHanunoo=uninstrumented -fun:xmlUCSIsHebrew=uninstrumented -fun:xmlUCSIsHighPrivateUseSurrogates=uninstrumented -fun:xmlUCSIsHighSurrogates=uninstrumented -fun:xmlUCSIsHiragana=uninstrumented -fun:xmlUCSIsIPAExtensions=uninstrumented -fun:xmlUCSIsIdeographicDescriptionCharacters=uninstrumented -fun:xmlUCSIsKanbun=uninstrumented -fun:xmlUCSIsKangxiRadicals=uninstrumented -fun:xmlUCSIsKannada=uninstrumented -fun:xmlUCSIsKatakana=uninstrumented -fun:xmlUCSIsKatakanaPhoneticExtensions=uninstrumented -fun:xmlUCSIsKhmer=uninstrumented -fun:xmlUCSIsKhmerSymbols=uninstrumented -fun:xmlUCSIsLao=uninstrumented -fun:xmlUCSIsLatin1Supplement=uninstrumented -fun:xmlUCSIsLatinExtendedA=uninstrumented -fun:xmlUCSIsLatinExtendedAdditional=uninstrumented -fun:xmlUCSIsLatinExtendedB=uninstrumented -fun:xmlUCSIsLetterlikeSymbols=uninstrumented -fun:xmlUCSIsLimbu=uninstrumented -fun:xmlUCSIsLinearBIdeograms=uninstrumented -fun:xmlUCSIsLinearBSyllabary=uninstrumented -fun:xmlUCSIsLowSurrogates=uninstrumented -fun:xmlUCSIsMalayalam=uninstrumented -fun:xmlUCSIsMathematicalAlphanumericSymbols=uninstrumented -fun:xmlUCSIsMathematicalOperators=uninstrumented -fun:xmlUCSIsMiscellaneousMathematicalSymbolsA=uninstrumented -fun:xmlUCSIsMiscellaneousMathematicalSymbolsB=uninstrumented -fun:xmlUCSIsMiscellaneousSymbols=uninstrumented -fun:xmlUCSIsMiscellaneousSymbolsandArrows=uninstrumented -fun:xmlUCSIsMiscellaneousTechnical=uninstrumented -fun:xmlUCSIsMongolian=uninstrumented -fun:xmlUCSIsMusicalSymbols=uninstrumented -fun:xmlUCSIsMyanmar=uninstrumented -fun:xmlUCSIsNumberForms=uninstrumented -fun:xmlUCSIsOgham=uninstrumented -fun:xmlUCSIsOldItalic=uninstrumented -fun:xmlUCSIsOpticalCharacterRecognition=uninstrumented -fun:xmlUCSIsOriya=uninstrumented -fun:xmlUCSIsOsmanya=uninstrumented -fun:xmlUCSIsPhoneticExtensions=uninstrumented -fun:xmlUCSIsPrivateUse=uninstrumented 
-fun:xmlUCSIsPrivateUseArea=uninstrumented -fun:xmlUCSIsRunic=uninstrumented -fun:xmlUCSIsShavian=uninstrumented -fun:xmlUCSIsSinhala=uninstrumented -fun:xmlUCSIsSmallFormVariants=uninstrumented -fun:xmlUCSIsSpacingModifierLetters=uninstrumented -fun:xmlUCSIsSpecials=uninstrumented -fun:xmlUCSIsSuperscriptsandSubscripts=uninstrumented -fun:xmlUCSIsSupplementalArrowsA=uninstrumented -fun:xmlUCSIsSupplementalArrowsB=uninstrumented -fun:xmlUCSIsSupplementalMathematicalOperators=uninstrumented -fun:xmlUCSIsSupplementaryPrivateUseAreaA=uninstrumented -fun:xmlUCSIsSupplementaryPrivateUseAreaB=uninstrumented -fun:xmlUCSIsSyriac=uninstrumented -fun:xmlUCSIsTagalog=uninstrumented -fun:xmlUCSIsTagbanwa=uninstrumented -fun:xmlUCSIsTags=uninstrumented -fun:xmlUCSIsTaiLe=uninstrumented -fun:xmlUCSIsTaiXuanJingSymbols=uninstrumented -fun:xmlUCSIsTamil=uninstrumented -fun:xmlUCSIsTelugu=uninstrumented -fun:xmlUCSIsThaana=uninstrumented -fun:xmlUCSIsThai=uninstrumented -fun:xmlUCSIsTibetan=uninstrumented -fun:xmlUCSIsUgaritic=uninstrumented -fun:xmlUCSIsUnifiedCanadianAboriginalSyllabics=uninstrumented -fun:xmlUCSIsVariationSelectors=uninstrumented -fun:xmlUCSIsVariationSelectorsSupplement=uninstrumented -fun:xmlUCSIsYiRadicals=uninstrumented -fun:xmlUCSIsYiSyllables=uninstrumented -fun:xmlUCSIsYijingHexagramSymbols=uninstrumented -fun:xmlURIEscape=uninstrumented -fun:xmlURIEscapeStr=uninstrumented -fun:xmlURIUnescapeString=uninstrumented -fun:xmlUTF8Charcmp=uninstrumented -fun:xmlUTF8Size=uninstrumented -fun:xmlUTF8Strlen=uninstrumented -fun:xmlUTF8Strloc=uninstrumented -fun:xmlUTF8Strndup=uninstrumented -fun:xmlUTF8Strpos=uninstrumented -fun:xmlUTF8Strsize=uninstrumented -fun:xmlUTF8Strsub=uninstrumented -fun:xmlUnlinkNode=uninstrumented -fun:xmlUnlockLibrary=uninstrumented -fun:xmlUnsetNsProp=uninstrumented -fun:xmlUnsetProp=uninstrumented -fun:xmlUpgradeOldNs=uninstrumented -fun:xmlValidBuildContentModel=uninstrumented -fun:xmlValidCtxtNormalizeAttributeValue=uninstrumented 
-fun:xmlValidGetPotentialChildren=uninstrumented -fun:xmlValidGetValidElements=uninstrumented -fun:xmlValidNormalizeAttributeValue=uninstrumented -fun:xmlValidateAttributeDecl=uninstrumented -fun:xmlValidateAttributeValue=uninstrumented -fun:xmlValidateDocument=uninstrumented -fun:xmlValidateDocumentFinal=uninstrumented -fun:xmlValidateDtd=uninstrumented -fun:xmlValidateDtdFinal=uninstrumented -fun:xmlValidateElement=uninstrumented -fun:xmlValidateElementDecl=uninstrumented -fun:xmlValidateNCName=uninstrumented -fun:xmlValidateNMToken=uninstrumented -fun:xmlValidateName=uninstrumented -fun:xmlValidateNameValue=uninstrumented -fun:xmlValidateNamesValue=uninstrumented -fun:xmlValidateNmtokenValue=uninstrumented -fun:xmlValidateNmtokensValue=uninstrumented -fun:xmlValidateNotationDecl=uninstrumented -fun:xmlValidateNotationUse=uninstrumented -fun:xmlValidateOneAttribute=uninstrumented -fun:xmlValidateOneElement=uninstrumented -fun:xmlValidateOneNamespace=uninstrumented -fun:xmlValidatePopElement=uninstrumented -fun:xmlValidatePushCData=uninstrumented -fun:xmlValidatePushElement=uninstrumented -fun:xmlValidateQName=uninstrumented -fun:xmlValidateRoot=uninstrumented -fun:xmlXIncludeFreeContext=uninstrumented -fun:xmlXIncludeNewContext=uninstrumented -fun:xmlXIncludeProcess=uninstrumented -fun:xmlXIncludeProcessFlags=uninstrumented -fun:xmlXIncludeProcessFlagsData=uninstrumented -fun:xmlXIncludeProcessNode=uninstrumented -fun:xmlXIncludeProcessTree=uninstrumented -fun:xmlXIncludeProcessTreeFlags=uninstrumented -fun:xmlXIncludeProcessTreeFlagsData=uninstrumented -fun:xmlXIncludeSetFlags=uninstrumented -fun:xmlXPathAddValues=uninstrumented -fun:xmlXPathBooleanFunction=uninstrumented -fun:xmlXPathCastBooleanToNumber=uninstrumented -fun:xmlXPathCastBooleanToString=uninstrumented -fun:xmlXPathCastNodeSetToBoolean=uninstrumented -fun:xmlXPathCastNodeSetToNumber=uninstrumented -fun:xmlXPathCastNodeSetToString=uninstrumented -fun:xmlXPathCastNodeToNumber=uninstrumented 
-fun:xmlXPathCastNodeToString=uninstrumented -fun:xmlXPathCastNumberToBoolean=uninstrumented -fun:xmlXPathCastNumberToString=uninstrumented -fun:xmlXPathCastStringToBoolean=uninstrumented -fun:xmlXPathCastStringToNumber=uninstrumented -fun:xmlXPathCastToBoolean=uninstrumented -fun:xmlXPathCastToNumber=uninstrumented -fun:xmlXPathCastToString=uninstrumented -fun:xmlXPathCeilingFunction=uninstrumented -fun:xmlXPathCmpNodes=uninstrumented -fun:xmlXPathCompareValues=uninstrumented -fun:xmlXPathCompile=uninstrumented -fun:xmlXPathCompiledEval=uninstrumented -fun:xmlXPathCompiledEvalToBoolean=uninstrumented -fun:xmlXPathConcatFunction=uninstrumented -fun:xmlXPathContainsFunction=uninstrumented -fun:xmlXPathContextSetCache=uninstrumented -fun:xmlXPathConvertBoolean=uninstrumented -fun:xmlXPathConvertNumber=uninstrumented -fun:xmlXPathConvertString=uninstrumented -fun:xmlXPathCountFunction=uninstrumented -fun:xmlXPathCtxtCompile=uninstrumented -fun:xmlXPathDebugDumpCompExpr=uninstrumented -fun:xmlXPathDebugDumpObject=uninstrumented -fun:xmlXPathDifference=uninstrumented -fun:xmlXPathDistinct=uninstrumented -fun:xmlXPathDistinctSorted=uninstrumented -fun:xmlXPathDivValues=uninstrumented -fun:xmlXPathEqualValues=uninstrumented -fun:xmlXPathErr=uninstrumented -fun:xmlXPathEval=uninstrumented -fun:xmlXPathEvalExpr=uninstrumented -fun:xmlXPathEvalExpression=uninstrumented -fun:xmlXPathEvalPredicate=uninstrumented -fun:xmlXPathEvaluatePredicateResult=uninstrumented -fun:xmlXPathFalseFunction=uninstrumented -fun:xmlXPathFloorFunction=uninstrumented -fun:xmlXPathFreeCompExpr=uninstrumented -fun:xmlXPathFreeContext=uninstrumented -fun:xmlXPathFreeNodeSet=uninstrumented -fun:xmlXPathFreeNodeSetList=uninstrumented -fun:xmlXPathFreeObject=uninstrumented -fun:xmlXPathFreeParserContext=uninstrumented -fun:xmlXPathFunctionLookup=uninstrumented -fun:xmlXPathFunctionLookupNS=uninstrumented -fun:xmlXPathHasSameNodes=uninstrumented -fun:xmlXPathIdFunction=uninstrumented 
-fun:xmlXPathInit=uninstrumented -fun:xmlXPathIntersection=uninstrumented -fun:xmlXPathIsInf=uninstrumented -fun:xmlXPathIsNaN=uninstrumented -fun:xmlXPathIsNodeType=uninstrumented -fun:xmlXPathLangFunction=uninstrumented -fun:xmlXPathLastFunction=uninstrumented -fun:xmlXPathLeading=uninstrumented -fun:xmlXPathLeadingSorted=uninstrumented -fun:xmlXPathLocalNameFunction=uninstrumented -fun:xmlXPathModValues=uninstrumented -fun:xmlXPathMultValues=uninstrumented -fun:xmlXPathNamespaceURIFunction=uninstrumented -fun:xmlXPathNewBoolean=uninstrumented -fun:xmlXPathNewCString=uninstrumented -fun:xmlXPathNewContext=uninstrumented -fun:xmlXPathNewFloat=uninstrumented -fun:xmlXPathNewNodeSet=uninstrumented -fun:xmlXPathNewNodeSetList=uninstrumented -fun:xmlXPathNewParserContext=uninstrumented -fun:xmlXPathNewString=uninstrumented -fun:xmlXPathNewValueTree=uninstrumented -fun:xmlXPathNextAncestor=uninstrumented -fun:xmlXPathNextAncestorOrSelf=uninstrumented -fun:xmlXPathNextAttribute=uninstrumented -fun:xmlXPathNextChild=uninstrumented -fun:xmlXPathNextDescendant=uninstrumented -fun:xmlXPathNextDescendantOrSelf=uninstrumented -fun:xmlXPathNextFollowing=uninstrumented -fun:xmlXPathNextFollowingSibling=uninstrumented -fun:xmlXPathNextNamespace=uninstrumented -fun:xmlXPathNextParent=uninstrumented -fun:xmlXPathNextPreceding=uninstrumented -fun:xmlXPathNextPrecedingSibling=uninstrumented -fun:xmlXPathNextSelf=uninstrumented -fun:xmlXPathNodeEval=uninstrumented -fun:xmlXPathNodeLeading=uninstrumented -fun:xmlXPathNodeLeadingSorted=uninstrumented -fun:xmlXPathNodeSetAdd=uninstrumented -fun:xmlXPathNodeSetAddNs=uninstrumented -fun:xmlXPathNodeSetAddUnique=uninstrumented -fun:xmlXPathNodeSetContains=uninstrumented -fun:xmlXPathNodeSetCreate=uninstrumented -fun:xmlXPathNodeSetDel=uninstrumented -fun:xmlXPathNodeSetFreeNs=uninstrumented -fun:xmlXPathNodeSetMerge=uninstrumented -fun:xmlXPathNodeSetRemove=uninstrumented -fun:xmlXPathNodeSetSort=uninstrumented 
-fun:xmlXPathNodeTrailing=uninstrumented -fun:xmlXPathNodeTrailingSorted=uninstrumented -fun:xmlXPathNormalizeFunction=uninstrumented -fun:xmlXPathNotEqualValues=uninstrumented -fun:xmlXPathNotFunction=uninstrumented -fun:xmlXPathNsLookup=uninstrumented -fun:xmlXPathNumberFunction=uninstrumented -fun:xmlXPathObjectCopy=uninstrumented -fun:xmlXPathOrderDocElems=uninstrumented -fun:xmlXPathParseNCName=uninstrumented -fun:xmlXPathParseName=uninstrumented -fun:xmlXPathPopBoolean=uninstrumented -fun:xmlXPathPopExternal=uninstrumented -fun:xmlXPathPopNodeSet=uninstrumented -fun:xmlXPathPopNumber=uninstrumented -fun:xmlXPathPopString=uninstrumented -fun:xmlXPathPositionFunction=uninstrumented -fun:xmlXPathRegisterAllFunctions=uninstrumented -fun:xmlXPathRegisterFunc=uninstrumented -fun:xmlXPathRegisterFuncLookup=uninstrumented -fun:xmlXPathRegisterFuncNS=uninstrumented -fun:xmlXPathRegisterNs=uninstrumented -fun:xmlXPathRegisterVariable=uninstrumented -fun:xmlXPathRegisterVariableLookup=uninstrumented -fun:xmlXPathRegisterVariableNS=uninstrumented -fun:xmlXPathRegisteredFuncsCleanup=uninstrumented -fun:xmlXPathRegisteredNsCleanup=uninstrumented -fun:xmlXPathRegisteredVariablesCleanup=uninstrumented -fun:xmlXPathRoot=uninstrumented -fun:xmlXPathRoundFunction=uninstrumented -fun:xmlXPathSetContextNode=uninstrumented -fun:xmlXPathStartsWithFunction=uninstrumented -fun:xmlXPathStringEvalNumber=uninstrumented -fun:xmlXPathStringFunction=uninstrumented -fun:xmlXPathStringLengthFunction=uninstrumented -fun:xmlXPathSubValues=uninstrumented -fun:xmlXPathSubstringAfterFunction=uninstrumented -fun:xmlXPathSubstringBeforeFunction=uninstrumented -fun:xmlXPathSubstringFunction=uninstrumented -fun:xmlXPathSumFunction=uninstrumented -fun:xmlXPathTrailing=uninstrumented -fun:xmlXPathTrailingSorted=uninstrumented -fun:xmlXPathTranslateFunction=uninstrumented -fun:xmlXPathTrueFunction=uninstrumented -fun:xmlXPathValueFlipSign=uninstrumented -fun:xmlXPathVariableLookup=uninstrumented 
-fun:xmlXPathVariableLookupNS=uninstrumented -fun:xmlXPathWrapCString=uninstrumented -fun:xmlXPathWrapExternal=uninstrumented -fun:xmlXPathWrapNodeSet=uninstrumented -fun:xmlXPathWrapString=uninstrumented -fun:xmlXPatherror=uninstrumented -fun:xmlXPtrAdvanceNode=uninstrumented -fun:xmlXPtrBuildNodeList=uninstrumented -fun:xmlXPtrEval=uninstrumented -fun:xmlXPtrEvalRangePredicate=uninstrumented -fun:xmlXPtrFreeLocationSet=uninstrumented -fun:xmlXPtrLocationSetAdd=uninstrumented -fun:xmlXPtrLocationSetCreate=uninstrumented -fun:xmlXPtrLocationSetDel=uninstrumented -fun:xmlXPtrLocationSetMerge=uninstrumented -fun:xmlXPtrLocationSetRemove=uninstrumented -fun:xmlXPtrNewCollapsedRange=uninstrumented -fun:xmlXPtrNewContext=uninstrumented -fun:xmlXPtrNewLocationSetNodeSet=uninstrumented -fun:xmlXPtrNewLocationSetNodes=uninstrumented -fun:xmlXPtrNewRange=uninstrumented -fun:xmlXPtrNewRangeNodeObject=uninstrumented -fun:xmlXPtrNewRangeNodePoint=uninstrumented -fun:xmlXPtrNewRangeNodes=uninstrumented -fun:xmlXPtrNewRangePointNode=uninstrumented -fun:xmlXPtrNewRangePoints=uninstrumented -fun:xmlXPtrRangeToFunction=uninstrumented -fun:xmlXPtrWrapLocationSet=uninstrumented From 95024e3e694c8028b05ee3ef65e434fc0e00d001 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Sat, 7 Oct 2023 09:35:01 +0200 Subject: [PATCH 21/39] remove more --- fuzzers/afl_qemu/builder.Dockerfile | 37 -- fuzzers/afl_qemu/fuzzer.py | 32 -- fuzzers/afl_qemu/runner.Dockerfile | 15 - fuzzers/aflrustrust/builder.Dockerfile | 56 --- fuzzers/aflrustrust/description.md | 13 - fuzzers/aflrustrust/fuzzer.py | 67 --- fuzzers/aflrustrust/runner.Dockerfile | 23 - .../builder.Dockerfile | 32 -- fuzzers/centipede_function_filter/fuzzer.py | 39 -- .../runner.Dockerfile | 22 - fuzzers/darwin/builder.Dockerfile | 32 -- fuzzers/darwin/fuzzer.py | 144 ------ fuzzers/darwin/runner.Dockerfile | 15 - fuzzers/eclipser/builder.Dockerfile | 39 -- fuzzers/eclipser/fuzzer.py | 132 ------ fuzzers/eclipser/runner.Dockerfile | 48 -- .../eclipser_aflplusplus/builder.Dockerfile | 45 -- fuzzers/eclipser_aflplusplus/description.md | 14 - fuzzers/eclipser_aflplusplus/fuzzer.py | 124 ----- .../eclipser_aflplusplus/runner.Dockerfile | 51 -- fuzzers/eclipser_new/builder.Dockerfile | 71 --- fuzzers/eclipser_new/fuzzer.py | 132 ------ fuzzers/eclipser_new/runner.Dockerfile | 48 -- fuzzers/ecofuzz/builder.Dockerfile | 31 -- fuzzers/ecofuzz/fuzzer.py | 34 -- fuzzers/ecofuzz/runner.Dockerfile | 15 - fuzzers/fafuzz/builder.Dockerfile | 30 -- fuzzers/fafuzz/fuzzer.py | 140 ------ fuzzers/fafuzz/runner.Dockerfile | 15 - fuzzers/fairfuzz/builder.Dockerfile | 30 -- fuzzers/fairfuzz/fuzzer.py | 26 -- fuzzers/fairfuzz/runner.Dockerfile | 15 - .../builder.Dockerfile | 169 ------- .../fuzzolic_aflplusplus_fuzzy/description.md | 10 - fuzzers/fuzzolic_aflplusplus_fuzzy/fuzzer.py | 141 ------ .../runner.Dockerfile | 52 --- .../builder.Dockerfile | 169 ------- .../fuzzolic_aflplusplus_z3/description.md | 10 - fuzzers/fuzzolic_aflplusplus_z3/fuzzer.py | 140 ------ .../fuzzolic_aflplusplus_z3/runner.Dockerfile | 52 --- fuzzers/glibfuzzer/builder.Dockerfile | 27 -- fuzzers/glibfuzzer/fuzzer.py | 89 ---- fuzzers/glibfuzzer/runner.Dockerfile | 15 - fuzzers/gramatron/builder.Dockerfile | 
46 -- fuzzers/gramatron/fuzzer.py | 80 ---- fuzzers/gramatron/fuzzer.yaml | 4 - fuzzers/gramatron/runner.Dockerfile | 23 - fuzzers/grimoire/builder.Dockerfile | 46 -- fuzzers/grimoire/fuzzer.py | 82 ---- fuzzers/grimoire/fuzzer.yaml | 4 - fuzzers/grimoire/runner.Dockerfile | 23 - fuzzers/hastefuzz/builder.Dockerfile | 49 -- fuzzers/hastefuzz/description.md | 15 - fuzzers/hastefuzz/fuzzer.py | 321 ------------- fuzzers/hastefuzz/runner.Dockerfile | 23 - fuzzers/honggfuzz_qemu/builder.Dockerfile | 47 -- fuzzers/honggfuzz_qemu/fuzzer.py | 72 --- fuzzers/honggfuzz_qemu/runner.Dockerfile | 18 - fuzzers/klee/builder.Dockerfile | 263 ----------- fuzzers/klee/fuzzer.py | 434 ------------------ fuzzers/klee/klee_driver.cpp | 47 -- fuzzers/klee/klee_mock.c | 20 - fuzzers/klee/runner.Dockerfile | 23 - fuzzers/lafintel/builder.Dockerfile | 64 --- fuzzers/lafintel/fuzzer.py | 77 ---- fuzzers/lafintel/runner.Dockerfile | 15 - fuzzers/learnperffuzz/builder.Dockerfile | 32 -- fuzzers/learnperffuzz/fuzzer.py | 143 ------ fuzzers/learnperffuzz/runner.Dockerfile | 15 - fuzzers/libafl_text/builder.Dockerfile | 55 --- fuzzers/libafl_text/description.md | 11 - fuzzers/libafl_text/fuzzer.py | 68 --- fuzzers/libafl_text/runner.Dockerfile | 23 - fuzzers/manul/builder.Dockerfile | 31 -- fuzzers/manul/fuzzer.py | 47 -- fuzzers/manul/runner.Dockerfile | 16 - fuzzers/mopt/builder.Dockerfile | 31 -- fuzzers/mopt/fuzzer.py | 37 -- fuzzers/mopt/runner.Dockerfile | 15 - fuzzers/nautilus/builder.Dockerfile | 46 -- fuzzers/nautilus/fuzzer.py | 79 ---- fuzzers/nautilus/fuzzer.yaml | 4 - fuzzers/nautilus/runner.Dockerfile | 23 - fuzzers/neuzz/builder.Dockerfile | 48 -- fuzzers/neuzz/fuzzer.py | 112 ----- fuzzers/neuzz/runner.Dockerfile | 43 -- fuzzers/pastis/builder.Dockerfile | 83 ---- fuzzers/pastis/fuzzer.py | 260 ----------- .../patches/honggfuzz-3a8f2ae-pastis.patch | 291 ------------ fuzzers/pastis/runner.Dockerfile | 48 -- fuzzers/pythia_bb/builder.Dockerfile | 31 -- fuzzers/pythia_bb/fuzzer.py 
| 138 ------ fuzzers/pythia_bb/runner.Dockerfile | 15 - fuzzers/pythia_effect_bb/builder.Dockerfile | 31 -- fuzzers/pythia_effect_bb/fuzzer.py | 138 ------ fuzzers/pythia_effect_bb/runner.Dockerfile | 15 - fuzzers/token_level/builder.Dockerfile | 46 -- fuzzers/token_level/fuzzer.py | 79 ---- fuzzers/token_level/fuzzer.yaml | 4 - fuzzers/token_level/runner.Dockerfile | 23 - fuzzers/tortoisefuzz/builder.Dockerfile | 59 --- fuzzers/tortoisefuzz/fuzzer.py | 41 -- fuzzers/tortoisefuzz/runner.Dockerfile | 15 - fuzzers/weizz_qemu/builder.Dockerfile | 40 -- fuzzers/weizz_qemu/fuzzer.py | 82 ---- fuzzers/weizz_qemu/runner.Dockerfile | 21 - fuzzers/wingfuzz/builder.Dockerfile | 21 - fuzzers/wingfuzz/fuzzer.py | 52 --- fuzzers/wingfuzz/runner.Dockerfile | 15 - 109 files changed, 6664 deletions(-) delete mode 100644 fuzzers/afl_qemu/builder.Dockerfile delete mode 100755 fuzzers/afl_qemu/fuzzer.py delete mode 100644 fuzzers/afl_qemu/runner.Dockerfile delete mode 100644 fuzzers/aflrustrust/builder.Dockerfile delete mode 100644 fuzzers/aflrustrust/description.md delete mode 100755 fuzzers/aflrustrust/fuzzer.py delete mode 100644 fuzzers/aflrustrust/runner.Dockerfile delete mode 100644 fuzzers/centipede_function_filter/builder.Dockerfile delete mode 100755 fuzzers/centipede_function_filter/fuzzer.py delete mode 100644 fuzzers/centipede_function_filter/runner.Dockerfile delete mode 100644 fuzzers/darwin/builder.Dockerfile delete mode 100755 fuzzers/darwin/fuzzer.py delete mode 100644 fuzzers/darwin/runner.Dockerfile delete mode 100644 fuzzers/eclipser/builder.Dockerfile delete mode 100644 fuzzers/eclipser/fuzzer.py delete mode 100644 fuzzers/eclipser/runner.Dockerfile delete mode 100644 fuzzers/eclipser_aflplusplus/builder.Dockerfile delete mode 100644 fuzzers/eclipser_aflplusplus/description.md delete mode 100644 fuzzers/eclipser_aflplusplus/fuzzer.py delete mode 100644 fuzzers/eclipser_aflplusplus/runner.Dockerfile delete mode 100644 fuzzers/eclipser_new/builder.Dockerfile delete 
mode 100644 fuzzers/eclipser_new/fuzzer.py delete mode 100644 fuzzers/eclipser_new/runner.Dockerfile delete mode 100644 fuzzers/ecofuzz/builder.Dockerfile delete mode 100755 fuzzers/ecofuzz/fuzzer.py delete mode 100644 fuzzers/ecofuzz/runner.Dockerfile delete mode 100644 fuzzers/fafuzz/builder.Dockerfile delete mode 100644 fuzzers/fafuzz/fuzzer.py delete mode 100644 fuzzers/fafuzz/runner.Dockerfile delete mode 100644 fuzzers/fairfuzz/builder.Dockerfile delete mode 100755 fuzzers/fairfuzz/fuzzer.py delete mode 100644 fuzzers/fairfuzz/runner.Dockerfile delete mode 100644 fuzzers/fuzzolic_aflplusplus_fuzzy/builder.Dockerfile delete mode 100644 fuzzers/fuzzolic_aflplusplus_fuzzy/description.md delete mode 100644 fuzzers/fuzzolic_aflplusplus_fuzzy/fuzzer.py delete mode 100644 fuzzers/fuzzolic_aflplusplus_fuzzy/runner.Dockerfile delete mode 100644 fuzzers/fuzzolic_aflplusplus_z3/builder.Dockerfile delete mode 100644 fuzzers/fuzzolic_aflplusplus_z3/description.md delete mode 100644 fuzzers/fuzzolic_aflplusplus_z3/fuzzer.py delete mode 100644 fuzzers/fuzzolic_aflplusplus_z3/runner.Dockerfile delete mode 100644 fuzzers/glibfuzzer/builder.Dockerfile delete mode 100755 fuzzers/glibfuzzer/fuzzer.py delete mode 100644 fuzzers/glibfuzzer/runner.Dockerfile delete mode 100644 fuzzers/gramatron/builder.Dockerfile delete mode 100755 fuzzers/gramatron/fuzzer.py delete mode 100644 fuzzers/gramatron/fuzzer.yaml delete mode 100644 fuzzers/gramatron/runner.Dockerfile delete mode 100644 fuzzers/grimoire/builder.Dockerfile delete mode 100755 fuzzers/grimoire/fuzzer.py delete mode 100644 fuzzers/grimoire/fuzzer.yaml delete mode 100644 fuzzers/grimoire/runner.Dockerfile delete mode 100644 fuzzers/hastefuzz/builder.Dockerfile delete mode 100644 fuzzers/hastefuzz/description.md delete mode 100755 fuzzers/hastefuzz/fuzzer.py delete mode 100644 fuzzers/hastefuzz/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz_qemu/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz_qemu/fuzzer.py 
delete mode 100644 fuzzers/honggfuzz_qemu/runner.Dockerfile delete mode 100644 fuzzers/klee/builder.Dockerfile delete mode 100644 fuzzers/klee/fuzzer.py delete mode 100644 fuzzers/klee/klee_driver.cpp delete mode 100644 fuzzers/klee/klee_mock.c delete mode 100644 fuzzers/klee/runner.Dockerfile delete mode 100644 fuzzers/lafintel/builder.Dockerfile delete mode 100644 fuzzers/lafintel/fuzzer.py delete mode 100644 fuzzers/lafintel/runner.Dockerfile delete mode 100644 fuzzers/learnperffuzz/builder.Dockerfile delete mode 100644 fuzzers/learnperffuzz/fuzzer.py delete mode 100644 fuzzers/learnperffuzz/runner.Dockerfile delete mode 100644 fuzzers/libafl_text/builder.Dockerfile delete mode 100644 fuzzers/libafl_text/description.md delete mode 100755 fuzzers/libafl_text/fuzzer.py delete mode 100644 fuzzers/libafl_text/runner.Dockerfile delete mode 100644 fuzzers/manul/builder.Dockerfile delete mode 100644 fuzzers/manul/fuzzer.py delete mode 100644 fuzzers/manul/runner.Dockerfile delete mode 100644 fuzzers/mopt/builder.Dockerfile delete mode 100755 fuzzers/mopt/fuzzer.py delete mode 100644 fuzzers/mopt/runner.Dockerfile delete mode 100644 fuzzers/nautilus/builder.Dockerfile delete mode 100755 fuzzers/nautilus/fuzzer.py delete mode 100644 fuzzers/nautilus/fuzzer.yaml delete mode 100644 fuzzers/nautilus/runner.Dockerfile delete mode 100644 fuzzers/neuzz/builder.Dockerfile delete mode 100644 fuzzers/neuzz/fuzzer.py delete mode 100644 fuzzers/neuzz/runner.Dockerfile delete mode 100644 fuzzers/pastis/builder.Dockerfile delete mode 100644 fuzzers/pastis/fuzzer.py delete mode 100644 fuzzers/pastis/patches/honggfuzz-3a8f2ae-pastis.patch delete mode 100644 fuzzers/pastis/runner.Dockerfile delete mode 100644 fuzzers/pythia_bb/builder.Dockerfile delete mode 100755 fuzzers/pythia_bb/fuzzer.py delete mode 100644 fuzzers/pythia_bb/runner.Dockerfile delete mode 100644 fuzzers/pythia_effect_bb/builder.Dockerfile delete mode 100755 fuzzers/pythia_effect_bb/fuzzer.py delete mode 100644 
fuzzers/pythia_effect_bb/runner.Dockerfile
delete mode 100644 fuzzers/token_level/builder.Dockerfile
delete mode 100755 fuzzers/token_level/fuzzer.py
delete mode 100644 fuzzers/token_level/fuzzer.yaml
delete mode 100644 fuzzers/token_level/runner.Dockerfile
delete mode 100644 fuzzers/tortoisefuzz/builder.Dockerfile
delete mode 100755 fuzzers/tortoisefuzz/fuzzer.py
delete mode 100644 fuzzers/tortoisefuzz/runner.Dockerfile
delete mode 100644 fuzzers/weizz_qemu/builder.Dockerfile
delete mode 100644 fuzzers/weizz_qemu/fuzzer.py
delete mode 100644 fuzzers/weizz_qemu/runner.Dockerfile
delete mode 100644 fuzzers/wingfuzz/builder.Dockerfile
delete mode 100644 fuzzers/wingfuzz/fuzzer.py
delete mode 100644 fuzzers/wingfuzz/runner.Dockerfile
diff --git a/fuzzers/afl_qemu/builder.Dockerfile b/fuzzers/afl_qemu/builder.Dockerfile
deleted file mode 100644
index 7ec6c532f..000000000
--- a/fuzzers/afl_qemu/builder.Dockerfile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install wget to download afl_driver.cpp. Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install wget libstdc++-5-dev libtool-bin automake -y && \
- apt-get install flex bison libglib2.0-dev libpixman-1-dev -y
-
-# Download and compile afl++ (v2.62d).
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd / && git clone https://github.com/google/AFL.git /afl && \
- cd /afl && \
- git checkout 8da80951dd7eeeb3e3b5a3bcd36c485045f40274 && \
- AFL_NO_X86=1 make && \
- unset CFLAGS && unset CXXFLAGS && \
- cd qemu_mode && ./build_qemu_support.sh
-
-RUN cd / && git clone https://github.com/vanhauser-thc/qemu_driver && \
- cd /qemu_driver && \
- git checkout 8ad9ad589b4881552fa7ef8b7d29cd9aeb5071bd && \
- make && \
- cp -fv libQEMU.a /libAFLDriver.a
diff --git a/fuzzers/afl_qemu/fuzzer.py b/fuzzers/afl_qemu/fuzzer.py
deleted file mode 100755
index ab9143fdf..000000000
--- a/fuzzers/afl_qemu/fuzzer.py
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL qemu fuzzer."""
-
-# As aflplusplus has the build for qemu already in there we include this.
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-
-
-def build():
- """Build benchmark."""
- aflplusplus_fuzzer.build('qemu')
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- # Necessary fuzzer options.
- flags = ['-Q']
- aflplusplus_fuzzer.fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=flags)
diff --git a/fuzzers/afl_qemu/runner.Dockerfile b/fuzzers/afl_qemu/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/afl_qemu/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/aflrustrust/builder.Dockerfile b/fuzzers/aflrustrust/builder.Dockerfile
deleted file mode 100644
index 7835c03b7..000000000
--- a/fuzzers/aflrustrust/builder.Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install dependencies.
-RUN apt-get update && \
- apt-get install -y build-essential libstdc++5 libtool-bin automake flex \
- bison libglib2.0-dev python3-setuptools unzip python3-dev joe curl \
- cmake git apt-utils apt-transport-https ca-certificates libdbus-1-dev
-
-# Uninstall old Rust & Install the latest one.
-RUN if which rustup; then rustup self uninstall -y; fi && \
- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
- sh /rustup.sh --default-toolchain nightly -y && \
- rm /rustup.sh
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
-
-# Checkout a current commit
-RUN cd /afl && git checkout 8cdc48f73a17ddd557897f2098937a8ba3bfe184
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-# Download libafl.
-RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
-
-# Checkout a current commit
-RUN cd /libafl && git checkout 8bffd28b4c357b315acb9cecd92cbf2b734a625a
-
-# Compile libafl.
-RUN cd /libafl && \
- unset CFLAGS CXXFLAGS && \
- cd ./fuzzers/fuzzbench_forkserver && \
- PATH="/root/.cargo/bin/:$PATH" cargo build --release
-
diff --git a/fuzzers/aflrustrust/description.md b/fuzzers/aflrustrust/description.md
deleted file mode 100644
index 445a27663..000000000
--- a/fuzzers/aflrustrust/description.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflrustrust/fuzzer.py b/fuzzers/aflrustrust/fuzzer.py
deleted file mode 100755
index c8b66976f..000000000
--- a/fuzzers/aflrustrust/fuzzer.py
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for a LibAFL fuzzer with an AFL++ forkserver."""
-
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-from fuzzers.libafl import fuzzer as libafl_fuzzer
-
-
-def build():
- """Build benchmark."""
- # Build the target with AFL++
- aflplusplus_fuzzer.build('tracepc', 'cmplog', 'dict2file')
-
- # Copy to fuzzer to OUT
- build_directory = os.environ['OUT']
- fuzzer = '/libafl/fuzzers/fuzzbench_forkserver/' \
- 'target/release/fuzzbench_forkserver'
- shutil.copy(fuzzer, build_directory)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = \
- aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory)
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- # Setup env vars
- libafl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- # Merge dictionaries
- dictionary_path = utils.get_dictionary_path(target_binary)
- if os.path.exists('./afl++.dict'):
- if dictionary_path:
- with open('./afl++.dict', encoding='utf-8') as dictfile:
- autodict = dictfile.read()
- with open(dictionary_path, 'a', encoding='utf-8') as dictfile:
- dictfile.write(autodict)
- else:
- dictionary_path = './afl++.dict'
-
- # Run the fuzzer
- command = ['./fuzzbench_forkserver', '-c', cmplog_target_binary]
- if dictionary_path:
- command += (['-x', dictionary_path])
- command += (['-o', output_corpus, '-i', input_corpus, target_binary])
- print(command)
- subprocess.check_call(command)
diff --git a/fuzzers/aflrustrust/runner.Dockerfile b/fuzzers/aflrustrust/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/aflrustrust/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/centipede_function_filter/builder.Dockerfile b/fuzzers/centipede_function_filter/builder.Dockerfile
deleted file mode 100644
index a1cd4e3d2..000000000
--- a/fuzzers/centipede_function_filter/builder.Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-ENV CENTIPEDE_SRC=/src/centipede
-
-# Remove the Centipede from OSS-Fuzz base-builder and rebuild centipede.
-RUN rm -rf "$CENTIPEDE_SRC" && \
- git clone -n \
- https://github.com/google/centipede.git "$CENTIPEDE_SRC" && \
- echo 'build --client_env=CC=clang --cxxopt=-std=c++17 ' \
- '--cxxopt=-stdlib=libc++ --linkopt=-lc++' >> ~/.bazelrc && \
- (cd "$CENTIPEDE_SRC" && \
- git checkout 2a2c78a2c161d99f5962b9710bce61feb00acc3d && \
- ./install_dependencies_debian.sh && \
- bazel build -c opt :all) && \
- cp "$CENTIPEDE_SRC/bazel-bin/centipede" '/out/centipede'
-
-RUN /clang/bin/clang "$CENTIPEDE_SRC/weak_sancov_stubs.cc" -c -o /lib/weak.o
diff --git a/fuzzers/centipede_function_filter/fuzzer.py b/fuzzers/centipede_function_filter/fuzzer.py
deleted file mode 100755
index 7aa904996..000000000
--- a/fuzzers/centipede_function_filter/fuzzer.py
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for centipede fuzzer."""
-
-import os
-import yaml
-
-from fuzzers.centipede import fuzzer
-
-
-def build():
- """Build benchmark."""
- fuzzer.build()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer. Wrapper that uses the defaults when calling run_fuzzer."""
- with open('/focus_map.yaml', 'r', encoding='utf-8') as focus_file:
- focus_map = yaml.safe_load(focus_file)
- benchmark = os.getenv('BENCHMARK', None)
- if benchmark not in focus_map:
- return
- focus_list = focus_map[benchmark]
- focus_filter = ','.join(focus_list)
- fuzzer.run_fuzzer(input_corpus,
- output_corpus,
- target_binary,
- extra_flags=[f'--function_filter={focus_filter}'])
diff --git a/fuzzers/centipede_function_filter/runner.Dockerfile b/fuzzers/centipede_function_filter/runner.Dockerfile
deleted file mode 100644
index 710fe6f4e..000000000
--- a/fuzzers/centipede_function_filter/runner.Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/oss-fuzz-base/base-clang@sha256:30706816922bf9c141b15ff4a5a44af8c0ec5700d4b46e0572029c15e495d45b AS base-clang
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get update && apt-get install -y wget && \
-    wget https://storage.googleapis.com/oss-fuzz-introspector-testing/focus_map.yaml && \
-    apt-get remove --purge -y wget
-
-COPY --from=base-clang /usr/local/bin/llvm-symbolizer /usr/local/bin/
\ No newline at end of file
diff --git a/fuzzers/darwin/builder.Dockerfile b/fuzzers/darwin/builder.Dockerfile
deleted file mode 100644
index 49d4d6bc6..000000000
--- a/fuzzers/darwin/builder.Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.57b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone \
-    --depth 1 \
-    https://github.com/TUDA-SSL/DARWIN/ /afl && \
-    cd /afl && \
-    CFLAGS= CXXFLAGS= AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
-    apt-get install wget -y && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
-    clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
-    clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
-    ar r /libAFL.a *.o
diff --git a/fuzzers/darwin/fuzzer.py b/fuzzers/darwin/fuzzer.py
deleted file mode 100755
index 888743a32..000000000
--- a/fuzzers/darwin/fuzzer.py
+++ /dev/null
@@ -1,144 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
-    """Set environment variables used to build targets for AFL-based
-    fuzzers."""
-    cflags = ['-fsanitize-coverage=trace-pc-guard']
-    utils.append_flags('CFLAGS', cflags)
-    utils.append_flags('CXXFLAGS', cflags)
-
-    os.environ['CC'] = 'clang'
-    os.environ['CXX'] = 'clang++'
-    os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
-    """Build benchmark."""
-    prepare_build_environment()
-
-    utils.build_benchmark()
-
-    print('[post_build] Copying afl-fuzz to $OUT directory')
-    # Copy out the afl-fuzz binary as a build artifact.
-    shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
-    """Gets fuzzer stats for AFL."""
-    # Get a dictionary containing the stats AFL reports.
-    stats_file = os.path.join(output_corpus, 'fuzzer_stats')
-    if not os.path.exists(stats_file):
-        print('Can\'t find fuzzer_stats')
-        return '{}'
-    with open(stats_file, encoding='utf-8') as file_handle:
-        stats_file_lines = file_handle.read().splitlines()
-    stats_file_dict = {}
-    for stats_line in stats_file_lines:
-        key, value = stats_line.split(': ')
-        stats_file_dict[key.strip()] = value.strip()
-
-    # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
-    return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
-    """Prepare to fuzz with AFL or another AFL-based fuzzer."""
-    # Tell AFL to not use its terminal UI so we get usable logs.
-    os.environ['AFL_NO_UI'] = '1'
-    # Skip AFL's CPU frequency check (fails on Docker).
-    os.environ['AFL_SKIP_CPUFREQ'] = '1'
-    # No need to bind affinity to one core, Docker enforces 1 core usage.
-    os.environ['AFL_NO_AFFINITY'] = '1'
-    # AFL will abort on startup if the core pattern sends notifications to
-    # external programs. We don't care about this.
-    os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
-    # Don't exit when crashes are found. This can happen when corpus from
-    # OSS-Fuzz is used.
-    os.environ['AFL_SKIP_CRASHES'] = '1'
-    # Shuffle the queue
-    os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
-    # AFL needs at least one non-empty seed to start.
-    utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
-    """ Checks if additional flags are compatible with '-d' option"""
-    # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
-    # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
-    if '-M' in additional_flags or '-S' in additional_flags:
-        return False
-    return True
-
-
-def run_afl_fuzz(input_corpus,
-                 output_corpus,
-                 target_binary,
-                 additional_flags=None,
-                 hide_output=False):
-    """Run afl-fuzz."""
-    # Spawn the afl fuzzing process.
-    print('[run_afl_fuzz] Running target with afl-fuzz')
-    command = [
-        './afl-fuzz',
-        '-i',
-        input_corpus,
-        '-o',
-        output_corpus,
-        # Use no memory limit as ASAN doesn't play nicely with one.
-        '-m',
-        'none',
-        '-t',
-        '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
-    ]
-    # Use '-d' to skip deterministic mode, as long as it it compatible with
-    # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
-        command.append('-d')
-    if additional_flags:
-        command.extend(additional_flags)
-    command.append('-s')
-    command.append('-p')
-    command.append('-L0')
-    dictionary_path = utils.get_dictionary_path(target_binary)
-    if dictionary_path:
-        command.extend(['-x', dictionary_path])
-    command += [
-        '--',
-        target_binary,
-        # Pass INT_MAX to afl the maximize the number of persistent loops it
-        # performs.
-        '2147483647'
-    ]
-    print('[run_afl_fuzz] Running command: ' + ' '.join(command))
-    output_stream = subprocess.DEVNULL if hide_output else None
-    subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
-    """Run afl-fuzz on target."""
-    prepare_fuzz_environment(input_corpus)
-
-    run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/darwin/runner.Dockerfile b/fuzzers/darwin/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/darwin/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/eclipser/builder.Dockerfile b/fuzzers/eclipser/builder.Dockerfile
deleted file mode 100644
index 572706c52..000000000
--- a/fuzzers/eclipser/builder.Dockerfile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Upgrade to avoid certs errors
-RUN apt-get update && apt-get upgrade -y && \
-    apt-get install -y apt-utils apt-transport-https ca-certificates
-
-# Download and compile AFL v2.56b, since Eclipser now adopts AFL as its random
-# fuzzing module. Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/google/AFL.git /afl && \
-    cd /afl && \
-    git checkout 82b5e359463238d790cadbe2dd494d6a4928bff3 && \
-    AFL_NO_X86=1 make
-
-# Use afl_driver.cpp for AFL, and StandaloneFuzzTargetMain.c for Eclipser.
-RUN apt-get update && \
-    apt-get install wget -y && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
-    clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
-    clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
-    ar r /libAFL.a *.o && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -O /StandaloneFuzzTargetMain.c && \
-    clang -O2 -c /StandaloneFuzzTargetMain.c && \
-    ar rc /libStandaloneFuzzTarget.a StandaloneFuzzTargetMain.o && \
-    rm /StandaloneFuzzTargetMain.c
diff --git a/fuzzers/eclipser/fuzzer.py b/fuzzers/eclipser/fuzzer.py
deleted file mode 100644
index 19e69f6fa..000000000
--- a/fuzzers/eclipser/fuzzer.py
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for Eclipser fuzzer. Note that starting from v2.0, Eclipser
-relies on AFL to perform random-based fuzzing."""
-
-import shutil
-import subprocess
-import os
-import threading
-
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def get_uninstrumented_outdir(target_directory):
-    """Return path to uninstrumented target directory."""
-    return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
-    """Build benchmark."""
-
-    # Backup the environment.
-    new_env = os.environ.copy()
-
-    # First, build an instrumented binary for AFL.
-    afl_fuzzer.prepare_build_environment()
-    src = os.getenv('SRC')
-    work = os.getenv('WORK')
-    with utils.restore_directory(src), utils.restore_directory(work):
-        # Restore SRC to its initial state so we can build again without any
-        # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
-        # twice in the same directory without this.
-        utils.build_benchmark()
-        print('[build] Copying afl-fuzz to $OUT directory')
-        shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-    # Next, build an uninstrumented binary for Eclipser.
-    new_env['CC'] = 'clang'
-    new_env['CXX'] = 'clang++'
-    new_env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
-    # Ensure to compile with NO_SANITIZER_COMPAT* flags even for bug benchmarks,
-    # as QEMU is incompatible with sanitizers. Also, Eclipser prefers clean and
-    # unoptimized binaries. We leave fast random fuzzing as AFL's job.
-    new_env['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
-    cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
-    new_env['CXXFLAGS'] = ' '.join(cxxflags)
-    uninstrumented_outdir = get_uninstrumented_outdir(os.environ['OUT'])
-    os.mkdir(uninstrumented_outdir)
-    new_env['OUT'] = uninstrumented_outdir
-    fuzz_target = os.getenv('FUZZ_TARGET')
-    if fuzz_target:
-        targ_name = os.path.basename(fuzz_target)
-        new_env['FUZZ_TARGET'] = os.path.join(uninstrumented_outdir, targ_name)
-    print('[build] Re-building benchmark for uninstrumented fuzzing target')
-    utils.build_benchmark(env=new_env)
-
-
-def eclipser(input_corpus, output_corpus, target_binary):
-    """Run Eclipser."""
-    # We will use output_corpus as a directory where AFL and Eclipser sync their
-    # test cases with each other. For Eclipser, we should explicitly specify an
-    # output directory under this sync directory.
-    eclipser_out = os.path.join(output_corpus, 'eclipser_output')
-    command = [
-        'dotnet',
-        '/Eclipser/build/Eclipser.dll',
-        '-p',
-        target_binary,
-        '-s',
-        output_corpus,
-        '-o',
-        eclipser_out,
-        '--arg', # Specifies the command-line of the program.
-        'foo',
-        '-f', # Specifies the path of file input to fuzz.
-        'foo',
-        '-v', # Controls the verbosity.
-        '2',
-        '--exectimeout',
-        '5000',
-    ]
-    if os.listdir(input_corpus): # Specify inputs only if any seed exists.
- command += ['-i', input_corpus]
-    print('[eclipser] Run Eclipser with command: ' + ' '.join(command))
-    with subprocess.Popen(command):
-        pass
-
-
-def afl_worker(input_corpus, output_corpus, target_binary):
-    """Run AFL worker instance."""
-    print('[afl_worker] Run AFL worker')
-    afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
-                            ['-S', 'afl-worker'], True)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
-    """Run fuzzer."""
-
-    # Calculate uninstrumented binary path from the instrumented target binary.
-    target_binary_directory = os.path.dirname(target_binary)
-    uninstrumented_target_binary_directory = (
-        get_uninstrumented_outdir(target_binary_directory))
-    target_binary_name = os.path.basename(target_binary)
-    uninstrumented_target_binary = os.path.join(
-        uninstrumented_target_binary_directory, target_binary_name)
-
-    afl_fuzzer.prepare_fuzz_environment(input_corpus)
-    afl_args = (input_corpus, output_corpus, target_binary)
-    eclipser_args = (input_corpus, output_corpus, uninstrumented_target_binary)
-    # Do not launch AFL master instance for now, to reduce memory usage and
-    # align with the vanilla AFL.
-    print('[fuzz] Running AFL worker')
-    afl_worker_thread = threading.Thread(target=afl_worker, args=afl_args)
-    afl_worker_thread.start()
-    print('[fuzz] Running Eclipser')
-    eclipser_thread = threading.Thread(target=eclipser, args=eclipser_args)
-    eclipser_thread.start()
-    print('[fuzz] Now waiting for threads to finish...')
-    afl_worker_thread.join()
-    eclipser_thread.join()
diff --git a/fuzzers/eclipser/runner.Dockerfile b/fuzzers/eclipser/runner.Dockerfile
deleted file mode 100644
index dce0e0ac9..000000000
--- a/fuzzers/eclipser/runner.Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# Install dotnet, qemu and other Eclipser deps.
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
-RUN apt-get update -y && \
-    apt-get build-dep -y qemu && \
-    apt-get install -y \
-    apt-transport-https \
-    libtool \
-    libtool-bin \
-    wget \
-    automake \
-    autoconf \
-    bison \
-    git \
-    gdb \
-    python2
-
-# Use a copy of
-# https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb
-# to avoid network flakiness.
-RUN wget -q https://storage.googleapis.com/fuzzbench-files/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
-    dpkg -i packages-microsoft-prod.deb && \
-    apt-get update -y && \
-    apt-get install -y dotnet-sdk-2.1 dotnet-runtime-2.1 && \
-    rm packages-microsoft-prod.deb
-
-# Build Eclipser.
-RUN git clone https://github.com/SoftSec-KAIST/Eclipser.git /Eclipser && \
-    cd /Eclipser && \
-    git checkout ba1d7a55c168f7c19ecceb788a81ea07c2625e45 && \
-    ln -sf /usr/bin/python2.7 /usr/local/bin/python && \
-    make -j && \
-    ln -sf /usr/local/bin/python3.10 /usr/local/bin/python
diff --git a/fuzzers/eclipser_aflplusplus/builder.Dockerfile b/fuzzers/eclipser_aflplusplus/builder.Dockerfile
deleted file mode 100644
index ea39ff720..000000000
--- a/fuzzers/eclipser_aflplusplus/builder.Dockerfile
+++ /dev/null
@@ -1,45 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
-    apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
-    libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
-    apt-utils apt-transport-https ca-certificates
-
-# Upgrade to avoid certs errors
-RUN apt-get upgrade -y
-
-# Download and compile afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
-    cd /afl && \
-    git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && unset CFLAGS && unset CXXFLAGS && \
-    export CC=clang && export AFL_NO_X86=1 && \
-    PYTHON_INCLUDE=/ make && make install && \
-    make -C utils/aflpp_driver && \
-    cp utils/aflpp_driver/libAFLDriver.a /
-
-# Eclipser special
-RUN cd / && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -O /StandaloneFuzzTargetMain.c && \
-    clang -O2 -c /StandaloneFuzzTargetMain.c && \
-    ar rc /libStandaloneFuzzTarget.a StandaloneFuzzTargetMain.o && \
-    rm /StandaloneFuzzTargetMain.c
diff --git a/fuzzers/eclipser_aflplusplus/description.md b/fuzzers/eclipser_aflplusplus/description.md
deleted file mode 100644
index dc01fac9d..000000000
--- a/fuzzers/eclipser_aflplusplus/description.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# aflplusplus + eclipser 2.0
-
-AFL++ fuzzer instance that uses Eclipser 2.0
-  - PCGUARD instrumentation
-  - dict2file feature
-  - "fast" power schedule
-  - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-Repository: [https://github.com/SoftSec-KAIST/Eclipser](https://github.com/SoftSec-KAIST/Eclipser)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/eclipser_aflplusplus/fuzzer.py b/fuzzers/eclipser_aflplusplus/fuzzer.py
deleted file mode 100644
index 87235b012..000000000
--- a/fuzzers/eclipser_aflplusplus/fuzzer.py
+++ /dev/null
@@ -1,124 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for Eclipser fuzzer. Note that starting from v2.0, Eclipser
-relies on AFL to perform random-based fuzzing."""
-
-import shutil
-import subprocess
-import os
-import threading
-
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-
-
-def get_uninstrumented_outdir(target_directory):
-    """Return path to uninstrumented target directory."""
-    return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
-    """Build benchmark."""
-
-    # Backup the environment.
-    orig_env = os.environ.copy()
-    #src = os.getenv('SRC')
-    #work = os.getenv('WORK')
-    build_directory = os.getenv('OUT')
-    fuzz_target = os.getenv('FUZZ_TARGET')
-
-    # First, build an uninstrumented binary for Eclipser.
-    aflplusplus_fuzzer.build('qemu', 'eclipser')
-    eclipser_dir = get_uninstrumented_outdir(build_directory)
-    os.mkdir(eclipser_dir)
-    fuzz_binary = build_directory + '/' + fuzz_target
-    shutil.copy(fuzz_binary, eclipser_dir)
-    if os.path.isdir(build_directory + '/seeds'):
-        shutil.rmtree(build_directory + '/seeds')
-
-    # Second, build an instrumented binary for AFL++.
- os.environ = orig_env
-    aflplusplus_fuzzer.build('tracepc')
-    print('[build] Copying afl-fuzz to $OUT directory')
-
-    # Copy afl-fuzz
-    shutil.copy('/afl/afl-fuzz', build_directory)
-
-
-def eclipser(input_corpus, output_corpus, target_binary):
-    """Run Eclipser."""
-    # We will use output_corpus as a directory where AFL and Eclipser sync their
-    # test cases with each other. For Eclipser, we should explicitly specify an
-    # output directory under this sync directory.
-    eclipser_out = os.path.join(output_corpus, 'eclipser_output')
-    command = [
-        'dotnet',
-        '/Eclipser/build/Eclipser.dll',
-        '-p',
-        target_binary,
-        '-s',
-        output_corpus,
-        '-o',
-        eclipser_out,
-        '--arg', # Specifies the command-line of the program.
-        'foo',
-        '-f', # Specifies the path of file input to fuzz.
-        'foo',
-        '-v', # Controls the verbosity.
-        '2',
-        '--exectimeout',
-        '5000',
-    ]
-    if os.listdir(input_corpus): # Specify inputs only if any seed exists.
-        command += ['-i', input_corpus]
-    print('[eclipser] Run Eclipser with command: ' + ' '.join(command))
-    with subprocess.Popen(command):
-        pass
-
-
-def afl_worker(input_corpus, output_corpus, target_binary):
-    """Run AFL worker instance."""
-    print('[afl_worker] Run AFL worker')
-    aflplusplus_fuzzer.fuzz(input_corpus,
-                            output_corpus,
-                            target_binary,
-                            flags=(['-S', 'afl-worker']))
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
-    """Run fuzzer."""
-
-    # Calculate uninstrumented binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
-    uninstrumented_target_binary_directory = (
-        get_uninstrumented_outdir(target_binary_directory))
-    target_binary_name = os.path.basename(target_binary)
-    uninstrumented_target_binary = os.path.join(
-        uninstrumented_target_binary_directory, target_binary_name)
-    if not os.path.isdir(input_corpus):
-        raise Exception('invalid input directory')
-
-    afl_args = (input_corpus, output_corpus, target_binary)
-    eclipser_args = (input_corpus, output_corpus, uninstrumented_target_binary)
-    # Do not launch AFL master instance for now, to reduce memory usage and
-    # align with the vanilla AFL.
-    os.environ['AFL_DISABLE_TRIM'] = '1'
-    print('[fuzz] Running AFL worker')
-    afl_worker_thread = threading.Thread(target=afl_worker, args=afl_args)
-    afl_worker_thread.start()
-    print('[fuzz] Running Eclipser')
-    eclipser_thread = threading.Thread(target=eclipser, args=eclipser_args)
-    eclipser_thread.start()
-    print('[fuzz] Now waiting for threads to finish...')
-    afl_worker_thread.join()
-    eclipser_thread.join()
diff --git a/fuzzers/eclipser_aflplusplus/runner.Dockerfile b/fuzzers/eclipser_aflplusplus/runner.Dockerfile
deleted file mode 100644
index 9d620dcca..000000000
--- a/fuzzers/eclipser_aflplusplus/runner.Dockerfile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# Install dotnet, qemu and other Eclipser deps.
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
-RUN apt-get update -y && \
-    apt-get build-dep -y qemu && \
-    apt-get install -y \
-    apt-transport-https \
-    libtool \
-    libtool-bin \
-    wget \
-    automake \
-    autoconf \
-    bison \
-    git \
-    gdb
-
-# Use a copy of
-# https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb
-# to avoid network flakiness.
-RUN wget -q https://storage.googleapis.com/fuzzbench-files/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
-    dpkg -i packages-microsoft-prod.deb && \
-    apt-get update -y && \
-    apt-get install -y dotnet-sdk-2.1 dotnet-runtime-2.1 && \
-    rm packages-microsoft-prod.deb
-
-# Build Eclipser.
-RUN git clone https://github.com/SoftSec-KAIST/Eclipser.git /Eclipser && \
-    cd /Eclipser && \
-    git checkout 310220649a4d790f8bc858ef85873399bba79a8c && \
-    make
-
-ENV AFL_MAP_SIZE=2222222
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/eclipser_new/builder.Dockerfile b/fuzzers/eclipser_new/builder.Dockerfile
deleted file mode 100644
index 511c06d61..000000000
--- a/fuzzers/eclipser_new/builder.Dockerfile
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Upgrade to avoid certs errors
-RUN apt-get update && apt-get upgrade -y && \
-    apt-get install -y apt-utils apt-transport-https ca-certificates
-
-# Download and compile AFL v2.56b, since Eclipser now adopts AFL as its random
-# fuzzing module. Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/google/AFL.git /afl && \
-    cd /afl && \
-    git checkout 82b5e359463238d790cadbe2dd494d6a4928bff3 && \
-    AFL_NO_X86=1 make
-
-# Use afl_driver.cpp for AFL, and StandaloneFuzzTargetMain.c for Eclipser.
-RUN apt-get update && \
-    apt-get install wget -y && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
-    clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
-    clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
-    ar r /libAFL.a *.o && \
-    wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -O /StandaloneFuzzTargetMain.c && \
-    clang -O2 -c /StandaloneFuzzTargetMain.c && \
-    ar rc /libStandaloneFuzzTarget.a StandaloneFuzzTargetMain.o && \
-    rm /StandaloneFuzzTargetMain.c
-
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
-RUN apt-get update -y && \
-    apt-get build-dep -y qemu && \
-    apt-get install -y \
-    apt-transport-https \
-    libtool \
-    libtool-bin \
-    wget \
-    automake \
-    autoconf \
-    bison \
-    git \
-    gdb \
-    python2
-
-# Use a copy of
-# https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb
-# to avoid network flakiness.
-RUN wget -q https://storage.googleapis.com/fuzzbench-files/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
-    dpkg -i packages-microsoft-prod.deb && \
-    apt-get update -y && \
-    apt-get install -y dotnet-sdk-2.1 dotnet-runtime-2.1 && \
-    rm packages-microsoft-prod.deb
-
-# Build Eclipser.
-RUN git clone https://github.com/SoftSec-KAIST/Eclipser.git /Eclipser && \
-    cd /Eclipser && \
-    git checkout ba1d7a55c168f7c19ecceb788a81ea07c2625e45 && \
-    ln -sf /usr/bin/python2.7 /usr/local/bin/python && \
-    make -j && \
-    ln -sf /usr/local/bin/python3.10 /usr/local/bin/python
diff --git a/fuzzers/eclipser_new/fuzzer.py b/fuzzers/eclipser_new/fuzzer.py
deleted file mode 100644
index 19e69f6fa..000000000
--- a/fuzzers/eclipser_new/fuzzer.py
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for Eclipser fuzzer. Note that starting from v2.0, Eclipser
-relies on AFL to perform random-based fuzzing."""
-
-import shutil
-import subprocess
-import os
-import threading
-
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def get_uninstrumented_outdir(target_directory):
-    """Return path to uninstrumented target directory."""
-    return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
-    """Build benchmark."""
-
-    # Backup the environment.
-    new_env = os.environ.copy()
-
-    # First, build an instrumented binary for AFL.
-    afl_fuzzer.prepare_build_environment()
-    src = os.getenv('SRC')
-    work = os.getenv('WORK')
-    with utils.restore_directory(src), utils.restore_directory(work):
-        # Restore SRC to its initial state so we can build again without any
-        # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
-        # twice in the same directory without this.
-        utils.build_benchmark()
-        print('[build] Copying afl-fuzz to $OUT directory')
-        shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-    # Next, build an uninstrumented binary for Eclipser.
-    new_env['CC'] = 'clang'
-    new_env['CXX'] = 'clang++'
-    new_env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
-    # Ensure to compile with NO_SANITIZER_COMPAT* flags even for bug benchmarks,
-    # as QEMU is incompatible with sanitizers. Also, Eclipser prefers clean and
-    # unoptimized binaries. We leave fast random fuzzing as AFL's job.
-    new_env['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
-    cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
-    new_env['CXXFLAGS'] = ' '.join(cxxflags)
-    uninstrumented_outdir = get_uninstrumented_outdir(os.environ['OUT'])
-    os.mkdir(uninstrumented_outdir)
-    new_env['OUT'] = uninstrumented_outdir
-    fuzz_target = os.getenv('FUZZ_TARGET')
-    if fuzz_target:
-        targ_name = os.path.basename(fuzz_target)
-        new_env['FUZZ_TARGET'] = os.path.join(uninstrumented_outdir, targ_name)
-    print('[build] Re-building benchmark for uninstrumented fuzzing target')
-    utils.build_benchmark(env=new_env)
-
-
-def eclipser(input_corpus, output_corpus, target_binary):
-    """Run Eclipser."""
-    # We will use output_corpus as a directory where AFL and Eclipser sync their
-    # test cases with each other. For Eclipser, we should explicitly specify an
-    # output directory under this sync directory.
-    eclipser_out = os.path.join(output_corpus, 'eclipser_output')
-    command = [
-        'dotnet',
-        '/Eclipser/build/Eclipser.dll',
-        '-p',
-        target_binary,
-        '-s',
-        output_corpus,
-        '-o',
-        eclipser_out,
-        '--arg', # Specifies the command-line of the program.
-        'foo',
-        '-f', # Specifies the path of file input to fuzz.
-        'foo',
-        '-v', # Controls the verbosity.
-        '2',
-        '--exectimeout',
-        '5000',
-    ]
-    if os.listdir(input_corpus): # Specify inputs only if any seed exists.
- command += ['-i', input_corpus]
-    print('[eclipser] Run Eclipser with command: ' + ' '.join(command))
-    with subprocess.Popen(command):
-        pass
-
-
-def afl_worker(input_corpus, output_corpus, target_binary):
-    """Run AFL worker instance."""
-    print('[afl_worker] Run AFL worker')
-    afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
-                            ['-S', 'afl-worker'], True)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
-    """Run fuzzer."""
-
-    # Calculate uninstrumented binary path from the instrumented target binary.
-    target_binary_directory = os.path.dirname(target_binary)
-    uninstrumented_target_binary_directory = (
-        get_uninstrumented_outdir(target_binary_directory))
-    target_binary_name = os.path.basename(target_binary)
-    uninstrumented_target_binary = os.path.join(
-        uninstrumented_target_binary_directory, target_binary_name)
-
-    afl_fuzzer.prepare_fuzz_environment(input_corpus)
-    afl_args = (input_corpus, output_corpus, target_binary)
-    eclipser_args = (input_corpus, output_corpus, uninstrumented_target_binary)
-    # Do not launch AFL master instance for now, to reduce memory usage and
-    # align with the vanilla AFL.
-    print('[fuzz] Running AFL worker')
-    afl_worker_thread = threading.Thread(target=afl_worker, args=afl_args)
-    afl_worker_thread.start()
-    print('[fuzz] Running Eclipser')
-    eclipser_thread = threading.Thread(target=eclipser, args=eclipser_args)
-    eclipser_thread.start()
-    print('[fuzz] Now waiting for threads to finish...')
-    afl_worker_thread.join()
-    eclipser_thread.join()
diff --git a/fuzzers/eclipser_new/runner.Dockerfile b/fuzzers/eclipser_new/runner.Dockerfile
deleted file mode 100644
index dce0e0ac9..000000000
--- a/fuzzers/eclipser_new/runner.Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# Install dotnet, qemu and other Eclipser deps.
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list
-RUN apt-get update -y && \
- apt-get build-dep -y qemu && \
- apt-get install -y \
- apt-transport-https \
- libtool \
- libtool-bin \
- wget \
- automake \
- autoconf \
- bison \
- git \
- gdb \
- python2
-
-# Use a copy of
-# https://packages.microsoft.com/config/ubuntu/16.04/packages-microsoft-prod.deb
-# to avoid network flakiness.
-RUN wget -q https://storage.googleapis.com/fuzzbench-files/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
- dpkg -i packages-microsoft-prod.deb && \
- apt-get update -y && \
- apt-get install -y dotnet-sdk-2.1 dotnet-runtime-2.1 && \
- rm packages-microsoft-prod.deb
-
-# Build Eclipser.
-RUN git clone https://github.com/SoftSec-KAIST/Eclipser.git /Eclipser && \
- cd /Eclipser && \
- git checkout ba1d7a55c168f7c19ecceb788a81ea07c2625e45 && \
- ln -sf /usr/bin/python2.7 /usr/local/bin/python && \
- make -j && \
- ln -sf /usr/local/bin/python3.10 /usr/local/bin/python
diff --git a/fuzzers/ecofuzz/builder.Dockerfile b/fuzzers/ecofuzz/builder.Dockerfile
deleted file mode 100644
index cd4cde5bd..000000000
--- a/fuzzers/ecofuzz/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile EcoFuzz.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/MoonLight-SteinsGate/EcoFuzz /EcoFuzz && \
- mv /EcoFuzz/EcoFuzz /afl && \
- cd /afl && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/ecofuzz/fuzzer.py b/fuzzers/ecofuzz/fuzzer.py
deleted file mode 100755
index 0de3703c7..000000000
--- a/fuzzers/ecofuzz/fuzzer.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for EcoFuzz fuzzer."""
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- # Write AFL's output to /dev/null to avoid filling up disk by writing too
- # much to log file. This is a problem in general with AFLFast but
- # particularly with the lcms benchmark.
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- hide_output=True)
diff --git a/fuzzers/ecofuzz/runner.Dockerfile b/fuzzers/ecofuzz/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/ecofuzz/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/fafuzz/builder.Dockerfile b/fuzzers/fafuzz/builder.Dockerfile
deleted file mode 100644
index cd41ae2f6..000000000
--- a/fuzzers/fafuzz/builder.Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.56b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/14isnot40/fafuzz.git /fafuzz && \
- cd /fafuzz && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /fafuzz/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /fafuzz/llvm_mode/afl-llvm-rt.o.c -I/fafuzz && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /fafuzz/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/fafuzz/fuzzer.py b/fuzzers/fafuzz/fuzzer.py
deleted file mode 100644
index 8713d76d2..000000000
--- a/fuzzers/fafuzz/fuzzer.py
+++ /dev/null
@@ -1,140 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/fafuzz/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-A 1',
- #enable FA mode
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/fafuzz/runner.Dockerfile b/fuzzers/fafuzz/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/fafuzz/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/fairfuzz/builder.Dockerfile b/fuzzers/fairfuzz/builder.Dockerfile
deleted file mode 100644
index c73ec5c4d..000000000
--- a/fuzzers/fairfuzz/builder.Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/carolemieux/afl-rb.git /afl && \
- cd /afl && \
- git checkout e529c1f1b3666ad94e4d6e7ef24ea648aff39ae2 && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/fairfuzz/fuzzer.py b/fuzzers/fairfuzz/fuzzer.py
deleted file mode 100755
index 6f95023ed..000000000
--- a/fuzzers/fairfuzz/fuzzer.py
+++ /dev/null
@@ -1,26 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for FairFuzz fuzzer."""
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/fairfuzz/runner.Dockerfile b/fuzzers/fairfuzz/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/fairfuzz/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/fuzzolic_aflplusplus_fuzzy/builder.Dockerfile b/fuzzers/fuzzolic_aflplusplus_fuzzy/builder.Dockerfile
deleted file mode 100644
index 29bea7562..000000000
--- a/fuzzers/fuzzolic_aflplusplus_fuzzy/builder.Dockerfile
+++ /dev/null
@@ -1,169 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list && cat /etc/apt/sources.list
-
-RUN apt update -y && \
- apt-get build-dep -y qemu-user
-
-RUN apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates
-
-# Why do some build images have ninja, other not? Weird.
-RUN cd / && wget https://github.com/ninja-build/ninja/releases/download/v1.10.1/ninja-linux.zip && \
- unzip ninja-linux.zip && chmod 755 ninja && mv ninja /usr/local/bin
-
-RUN git clone https://github.com/season-lab/fuzzolic /out/fuzzolic && \
- cd /out/fuzzolic && \
- git checkout f03884e59a86af812214166ad1d5bdbda92aa23a
-
-RUN cd /out/fuzzolic && \
- git submodule init && \
- git submodule update
-
-RUN cd /out/fuzzolic/solver/fuzzy-sat && git fetch && \
- git submodule sync && git submodule update --init
-
-# Download and compile afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /out/AFLplusplus && \
- cd /out/AFLplusplus && \
- git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /out/AFLplusplus && \
- unset CFLAGS && unset CXXFLAGS && \
- export AFL_NO_X86=1 && \
- export CC=clang && export CXX=clang++ && \
- PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cp utils/aflpp_driver/libAFLDriver.a / && \
- make install
-
-RUN cd / && git clone https://github.com/vanhauser-thc/qemu_driver && \
- cd /qemu_driver && \
- git checkout 8ad9ad589b4881552fa7ef8b7d29cd9aeb5071bd && \
- unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export CXX=clang++ && \
- make && \
- cp -fv libQEMU.a /libStandaloneFuzzTarget.a
-
-RUN cp /out/fuzzolic/utils/afl-showmap /out && \
- cp /out/fuzzolic/utils/afl-showmap /out/AFLplusplus/ && \
- cp /out/fuzzolic/utils/afl-qemu-trace /out/ && \
- cp /out/fuzzolic/utils/afl-qemu-trace /out/AFLplusplus/ && \
- cp /out/fuzzolic/utils/merge_bitmap /out/ && \
- cp /out/fuzzolic/utils/merge_bitmap /out/AFLplusplus/
-
-RUN apt install -y \
- llvm-8 clang-8 nano \
- qemu-user git libglib2.0-dev libfdt-dev \
- libpixman-1-dev zlib1g-dev libcapstone-dev \
- strace cmake python3 libprotobuf-dev libprotobuf9v5 \
- libibverbs-dev libjpeg62-dev \
- libpng16-16 libjbig-dev \
- build-essential libtool-bin python3-dev \
- automake flex bison libglib2.0-dev \
- libpixman-1-dev clang \
- python3-setuptools llvm wget \
- llvm-dev g++ g++-multilib python \
- python-pip lsb-release gcc-4.8 g++-4.8 \
- llvm-3.9 cmake libc6 libstdc++6 \
- linux-libc-dev gcc-multilib \
- apt-transport-https libtool \
- libtool-bin wget joe \
- automake autoconf \
- bison git valgrind ninja-build \
- time python3-pip
-# dumb-init xxd libprotobuf10
-
-RUN apt clean -y
-RUN python3 -m pip install --upgrade pip
-RUN pip install --user virtualenv
-
-# Build QEMU tracer
-RUN cd /out/fuzzolic/tracer && \
- export CC=clang && export CXX=clang++ && \
- export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- ./configure --prefix=`pwd`/../build --target-list=x86_64-linux-user && make -j
-
-# Build custom Z3
-RUN cd /out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3 && \
- export CC=clang && export CXX=clang++ && \
- export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=`pwd`/dist && make -j && make install
-
-# Create fuzzy-sat-CLI folder
-RUN cd /out/fuzzolic/solver/fuzzy-sat && \
- git rev-parse HEAD > /tmp/revision && \
- git checkout master && \
- git submodule update && \
- cd ../.. && \
- cp -r solver/fuzzy-sat solver/fuzzy-sat-cli && \
- rm solver/fuzzy-sat-cli/.git && \
- cd solver/fuzzy-sat && \
- git checkout `cat /tmp/revision` && \
- git submodule update
-
-# Build fuzzy-sat-CLI
-RUN cd /out/fuzzolic/solver/fuzzy-sat-cli && \
- export CC=clang && export CXX=clang++ && \
- export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \
- export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- make -j
-
-# Build fuzzy-sat
-RUN cd /out/fuzzolic/solver/fuzzy-sat && \
- export CC=clang && export CXX=clang++ && \
- export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \
- export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \
- export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- make -j
-
-# Build solver frontend
-RUN cd /out/fuzzolic/solver && \
- export CC=clang && export CXX=clang++ && \
- export CFLAGS="-O3 -g -funroll-loops -Wno-error -Wl,--allow-multiple-definition" && \
- export CXXFLAGS="-O3 -g -funroll-loops -Wno-error -Wl,--allow-multiple-definition" && \
- export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \
- export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \
- cmake . && make -j
-
-# Remove packages that make benchmark builds fail otherwise
-RUN apt-get remove -y -m -f \
- binfmt-support clang-3.8 cpp-4.8 g++-5-multilib gcc-4.8-base gdbserver \
- lib32stdc++-5-dev libbabeltrace-ctf1 libbabeltrace1 libc6-dbg \
- libcapstone3 libclang-common-3.8-dev libclang-common-8-dev libclang1-3.8 \
- libclang1-8 libcloog-isl4 libexpat1-dev libffi-dev libgcc-4.8-dev \
- libibverbs1 libjbig0 libjpeg62 libllvm3.8 libllvm3.9 libllvm8 libobjc-5-dev \
- libobjc4 libomp-8-dev libomp5-8 libprotobuf-lite9v5 libpython-all-dev \
- libpython-dev libpython2.7 libpython2.7-dev libpython3-dev libpython3.5 \
- libpython3.5-dev libstdc++-4.8-dev libx32stdc++-5-dev llvm-3.8 llvm-3.8-dev \
- llvm-3.8-runtime llvm-3.9-dev llvm-3.9-runtime llvm-8-dev llvm-8-runtime \
- llvm-runtime python-all python-all-dev python-dev python-pip-whl \
- python-pkg-resources python-setuptools python-wheel python2.7-dev \
- python3.5-dev qemu-user-binfmt
-RUN apt-get autoremove -y && apt-get clean -y
diff --git a/fuzzers/fuzzolic_aflplusplus_fuzzy/description.md b/fuzzers/fuzzolic_aflplusplus_fuzzy/description.md
deleted file mode 100644
index a78ddc417..000000000
--- a/fuzzers/fuzzolic_aflplusplus_fuzzy/description.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# aflplusplus + fuzzolic fuzzy solver
-
-Simple AFL++ fuzzer instance together with fuzzolic fuzzy solver
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-Repository: [https://github.com/season-lab/fuzzolic](https://github.com/season-lab/fuzzolic)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/fuzzolic_aflplusplus_fuzzy/fuzzer.py b/fuzzers/fuzzolic_aflplusplus_fuzzy/fuzzer.py
deleted file mode 100644
index e3e785e2c..000000000
--- a/fuzzers/fuzzolic_aflplusplus_fuzzy/fuzzer.py
+++ /dev/null
@@ -1,141 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for Fuzzolic fuzzer. Note that starting from v2.0, Fuzzolic
-relies on AFL to perform random-based fuzzing."""
-
-import shutil
-import subprocess
-import os
-import threading
-import time
-
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def get_uninstrumented_outdir(target_directory):
- """Return path to uninstrumented target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build():
- """Build benchmark."""
-
- # Backup the environment.
- new_env = os.environ.copy()
-
- # First, build an instrumented binary for AFL.
- os.environ['CC'] = '/out/AFLplusplus/afl-clang-fast'
- os.environ['CXX'] = '/out/AFLplusplus/afl-clang-fast++'
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
- os.environ['AFL_PATH'] = '/out/AFLplusplus/'
- #afl_fuzzer.prepare_build_environment()
- src = os.getenv('SRC')
- work = os.getenv('WORK')
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
- print('[build] Copying afl-fuzz to $OUT directory')
- shutil.copy('/out/AFLplusplus/afl-fuzz', os.environ['OUT'])
-
- # Next, build an uninstrumented binary for Fuzzolic.
- new_env['CC'] = 'clang'
- new_env['CXX'] = 'clang++'
- new_env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- # Ensure to compile with NO_SANITIZER_COMPAT* flags even for bug benchmarks,
- # as QEMU is incompatible with sanitizers. Also, Fuzzolic prefers clean and
- # unoptimized binaries. We leave fast random fuzzing as AFL's job.
- new_env['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- new_env['CXXFLAGS'] = ' '.join(cxxflags)
- uninstrumented_outdir = get_uninstrumented_outdir(os.environ['OUT'])
- os.mkdir(uninstrumented_outdir)
- new_env['OUT'] = uninstrumented_outdir
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- targ_name = os.path.basename(fuzz_target)
- new_env['FUZZ_TARGET'] = os.path.join(uninstrumented_outdir, targ_name)
- print('[build] Re-building benchmark for uninstrumented fuzzing target')
- utils.build_benchmark(env=new_env)
-
-
-def fuzzolic(input_corpus, output_corpus, target_binary):
- """Run Fuzzolic."""
- # We will use output_corpus as a directory where AFL and Fuzzolic sync their
- # test cases with each other. For Fuzzolic, we should explicitly specify an
- # output directory under this sync directory.
- if input_corpus:
- fuzzolic_out = os.path.join(output_corpus, 'fuzzolic_output')
- afl_out = os.path.join(output_corpus, 'afl-worker')
- afl_queue = os.path.join(afl_out, 'queue')
- command = [
- '/out/fuzzolic/fuzzolic/fuzzolic.py',
- '-f', # fuzzy-sat solver
- '-p', # optimistic solving
- '-r', # address reasoning
- '-l', # symbolic libc models
- '-t', # timeout
- '90000',
- '-a',
- afl_out,
- '-i',
- afl_queue,
- '-o',
- fuzzolic_out,
- '--',
- target_binary,
- ]
- print('[fuzzolic] Running Fuzzolic with command: ' + ' '.join(command))
- with subprocess.Popen(command):
- pass
-
-
-def afl_worker(input_corpus, output_corpus, target_binary):
- """Run AFL worker instance."""
- print('[afl_worker] Run AFL worker')
- #dictionary_path = utils.get_dictionary_path(target_binary)
- #if dictionary_path:
- # command += (['-x', dictionary_path])
- afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
- ['-S', 'afl-worker'], True)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- #utils.create_seed_file_for_empty_corpus(input_corpus)
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- print('[fuzz] Running AFL worker')
- os.environ['AFL_DISABLE_TRIM'] = '1'
- afl_args = (input_corpus, output_corpus, target_binary)
- afl_worker_thread = threading.Thread(target=afl_worker, args=afl_args)
- afl_worker_thread.start()
- time.sleep(5)
-
- print('[fuzz] Running Fuzzolic')
- target_binary_directory = os.path.dirname(target_binary)
- uninstrumented_target_binary_directory = (
- get_uninstrumented_outdir(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- uninstrumented_target_binary = os.path.join(
- uninstrumented_target_binary_directory, target_binary_name)
- fuzzolic_args = (input_corpus, output_corpus, uninstrumented_target_binary)
- fuzzolic_thread = threading.Thread(target=fuzzolic, args=fuzzolic_args)
- fuzzolic_thread.start()
-
- print('[fuzz] Now waiting for threads to finish...')
- afl_worker_thread.join()
- fuzzolic_thread.join()
diff --git a/fuzzers/fuzzolic_aflplusplus_fuzzy/runner.Dockerfile b/fuzzers/fuzzolic_aflplusplus_fuzzy/runner.Dockerfile
deleted file mode 100644
index 6fb7cdaae..000000000
--- a/fuzzers/fuzzolic_aflplusplus_fuzzy/runner.Dockerfile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list && cat /etc/apt/sources.list
-
-RUN apt update -y && \
- apt-get build-dep -y qemu-user
-
-RUN apt install -y \
- llvm-8 clang-8 nano \
- qemu-user git libglib2.0-dev libfdt-dev \
- libpixman-1-dev zlib1g-dev libcapstone-dev \
- strace cmake python3 libprotobuf-dev libprotobuf9v5 \
- libibverbs-dev libjpeg62-dev \
- libpng16-16 libjbig-dev \
- build-essential libtool-bin python3-dev \
- automake flex bison libglib2.0-dev \
- libpixman-1-dev clang \
- python3-setuptools llvm wget \
- llvm-dev g++ g++-multilib python \
- python-pip lsb-release gcc-4.8 g++-4.8 \
- llvm-3.9 cmake libc6 libstdc++6 \
- linux-libc-dev gcc-multilib \
- apt-transport-https libtool \
- libtool-bin wget \
- automake autoconf \
- bison git valgrind ninja-build \
- time python3-pip
-
-RUN apt clean -y
-
-# Set environment vars for Z3
-ENV C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include
-ENV LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib
-ENV LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_PATH=/out/AFLplusplus
-
diff --git a/fuzzers/fuzzolic_aflplusplus_z3/builder.Dockerfile b/fuzzers/fuzzolic_aflplusplus_z3/builder.Dockerfile
deleted file mode 100644
index 29bea7562..000000000
--- a/fuzzers/fuzzolic_aflplusplus_z3/builder.Dockerfile
+++ /dev/null
@@ -1,169 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list && cat /etc/apt/sources.list - -RUN apt update -y && \ - apt-get build-dep -y qemu-user - -RUN apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -# Why do some build images have ninja, other not? Weird. -RUN cd / && wget https://github.com/ninja-build/ninja/releases/download/v1.10.1/ninja-linux.zip && \ - unzip ninja-linux.zip && chmod 755 ninja && mv ninja /usr/local/bin - -RUN git clone https://github.com/season-lab/fuzzolic /out/fuzzolic && \ - cd /out/fuzzolic && \ - git checkout f03884e59a86af812214166ad1d5bdbda92aa23a - -RUN cd /out/fuzzolic && \ - git submodule init && \ - git submodule update - -RUN cd /out/fuzzolic/solver/fuzzy-sat && git fetch && \ - git submodule sync && git submodule update --init - -# Download and compile afl++. -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /out/AFLplusplus && \ - cd /out/AFLplusplus && \ - git checkout 8fc249d210ad49e3dd88d1409877ca64d9884690 - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. 
-RUN cd /out/AFLplusplus && \ - unset CFLAGS && unset CXXFLAGS && \ - export AFL_NO_X86=1 && \ - export CC=clang && export CXX=clang++ && \ - PYTHON_INCLUDE=/ make && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLDriver.a / && \ - make install - -RUN cd / && git clone https://github.com/vanhauser-thc/qemu_driver && \ - cd /qemu_driver && \ - git checkout 8ad9ad589b4881552fa7ef8b7d29cd9aeb5071bd && \ - unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export CXX=clang++ && \ - make && \ - cp -fv libQEMU.a /libStandaloneFuzzTarget.a - -RUN cp /out/fuzzolic/utils/afl-showmap /out && \ - cp /out/fuzzolic/utils/afl-showmap /out/AFLplusplus/ && \ - cp /out/fuzzolic/utils/afl-qemu-trace /out/ && \ - cp /out/fuzzolic/utils/afl-qemu-trace /out/AFLplusplus/ && \ - cp /out/fuzzolic/utils/merge_bitmap /out/ && \ - cp /out/fuzzolic/utils/merge_bitmap /out/AFLplusplus/ - -RUN apt install -y \ - llvm-8 clang-8 nano \ - qemu-user git libglib2.0-dev libfdt-dev \ - libpixman-1-dev zlib1g-dev libcapstone-dev \ - strace cmake python3 libprotobuf-dev libprotobuf9v5 \ - libibverbs-dev libjpeg62-dev \ - libpng16-16 libjbig-dev \ - build-essential libtool-bin python3-dev \ - automake flex bison libglib2.0-dev \ - libpixman-1-dev clang \ - python3-setuptools llvm wget \ - llvm-dev g++ g++-multilib python \ - python-pip lsb-release gcc-4.8 g++-4.8 \ - llvm-3.9 cmake libc6 libstdc++6 \ - linux-libc-dev gcc-multilib \ - apt-transport-https libtool \ - libtool-bin wget joe \ - automake autoconf \ - bison git valgrind ninja-build \ - time python3-pip -# dumb-init xxd libprotobuf10 - -RUN apt clean -y -RUN python3 -m pip install --upgrade pip -RUN pip install --user virtualenv - -# Build QEMU tracer -RUN cd /out/fuzzolic/tracer && \ - export CC=clang && export CXX=clang++ && \ - export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - ./configure --prefix=`pwd`/../build --target-list=x86_64-linux-user && make -j 
- -# Build custom Z3 -RUN cd /out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3 && \ - export CC=clang && export CXX=clang++ && \ - export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=`pwd`/dist && make -j && make install - -# Create fuzzy-sat-CLI folder -RUN cd /out/fuzzolic/solver/fuzzy-sat && \ - git rev-parse HEAD > /tmp/revision && \ - git checkout master && \ - git submodule update && \ - cd ../.. && \ - cp -r solver/fuzzy-sat solver/fuzzy-sat-cli && \ - rm solver/fuzzy-sat-cli/.git && \ - cd solver/fuzzy-sat && \ - git checkout `cat /tmp/revision` && \ - git submodule update - -# Build fuzzy-sat-CLI -RUN cd /out/fuzzolic/solver/fuzzy-sat-cli && \ - export CC=clang && export CXX=clang++ && \ - export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \ - export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - make -j - -# Build fuzzy-sat -RUN cd /out/fuzzolic/solver/fuzzy-sat && \ - export CC=clang && export CXX=clang++ && \ - export CFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export CXXFLAGS="-O3 -g -funroll-loops -Wno-error" && \ - export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \ - export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - make -j - -# Build solver frontend -RUN cd /out/fuzzolic/solver && \ - export CC=clang && export CXX=clang++ && \ - export CFLAGS="-O3 -g -funroll-loops -Wno-error -Wl,--allow-multiple-definition" && \ - export CXXFLAGS="-O3 -g -funroll-loops -Wno-error 
-Wl,--allow-multiple-definition" && \ - export C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include && \ - export LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - export LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib && \ - cmake . && make -j - -# Remove packages that make benchmark builds fail otherwise -RUN apt-get remove -y -m -f \ - binfmt-support clang-3.8 cpp-4.8 g++-5-multilib gcc-4.8-base gdbserver \ - lib32stdc++-5-dev libbabeltrace-ctf1 libbabeltrace1 libc6-dbg \ - libcapstone3 libclang-common-3.8-dev libclang-common-8-dev libclang1-3.8 \ - libclang1-8 libcloog-isl4 libexpat1-dev libffi-dev libgcc-4.8-dev \ - libibverbs1 libjbig0 libjpeg62 libllvm3.8 libllvm3.9 libllvm8 libobjc-5-dev \ - libobjc4 libomp-8-dev libomp5-8 libprotobuf-lite9v5 libpython-all-dev \ - libpython-dev libpython2.7 libpython2.7-dev libpython3-dev libpython3.5 \ - libpython3.5-dev libstdc++-4.8-dev libx32stdc++-5-dev llvm-3.8 llvm-3.8-dev \ - llvm-3.8-runtime llvm-3.9-dev llvm-3.9-runtime llvm-8-dev llvm-8-runtime \ - llvm-runtime python-all python-all-dev python-dev python-pip-whl \ - python-pkg-resources python-setuptools python-wheel python2.7-dev \ - python3.5-dev qemu-user-binfmt -RUN apt-get autoremove -y && apt-get clean -y diff --git a/fuzzers/fuzzolic_aflplusplus_z3/description.md b/fuzzers/fuzzolic_aflplusplus_z3/description.md deleted file mode 100644 index 1f0f247a1..000000000 --- a/fuzzers/fuzzolic_aflplusplus_z3/description.md +++ /dev/null @@ -1,10 +0,0 @@ -# aflplusplus + fuzzolic z3 - -Simple AFL++ fuzzer instance together with fuzzolic z3 - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) -Repository: [https://github.com/season-lab/fuzzolic](https://github.com/season-lab/fuzzolic) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) 
diff --git a/fuzzers/fuzzolic_aflplusplus_z3/fuzzer.py b/fuzzers/fuzzolic_aflplusplus_z3/fuzzer.py
deleted file mode 100644
index 5fe9ff931..000000000
--- a/fuzzers/fuzzolic_aflplusplus_z3/fuzzer.py
+++ /dev/null
@@ -1,140 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for Fuzzolic fuzzer. Note that starting from v2.0, Fuzzolic -relies on AFL to perform random-based fuzzing.""" - -import shutil -import subprocess -import os -import threading -import time - -from fuzzers import utils -from fuzzers.afl import fuzzer as afl_fuzzer - - -def get_uninstrumented_outdir(target_directory): - """Return path to uninstrumented target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(): - """Build benchmark.""" - - # Backup the environment. - new_env = os.environ.copy() - - # First, build an instrumented binary for AFL. - os.environ['CC'] = '/out/AFLplusplus/afl-clang-fast' - os.environ['CXX'] = '/out/AFLplusplus/afl-clang-fast++' - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - os.environ['AFL_PATH'] = '/out/AFLplusplus/' - #afl_fuzzer.prepare_build_environment() - src = os.getenv('SRC') - work = os.getenv('WORK') - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - print('[build] Copying afl-fuzz to $OUT directory') - shutil.copy('/out/AFLplusplus/afl-fuzz', os.environ['OUT']) - - # Next, build an uninstrumented binary for Fuzzolic. 
- new_env['CC'] = 'clang' - new_env['CXX'] = 'clang++' - new_env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - # Ensure to compile with NO_SANITIZER_COMPAT* flags even for bug benchmarks, - # as QEMU is incompatible with sanitizers. Also, Fuzzolic prefers clean and - # unoptimized binaries. We leave fast random fuzzing as AFL's job. - new_env['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - new_env['CXXFLAGS'] = ' '.join(cxxflags) - uninstrumented_outdir = get_uninstrumented_outdir(os.environ['OUT']) - os.mkdir(uninstrumented_outdir) - new_env['OUT'] = uninstrumented_outdir - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - targ_name = os.path.basename(fuzz_target) - new_env['FUZZ_TARGET'] = os.path.join(uninstrumented_outdir, targ_name) - print('[build] Re-building benchmark for uninstrumented fuzzing target') - utils.build_benchmark(env=new_env) - - -def fuzzolic(input_corpus, output_corpus, target_binary): - """Run Fuzzolic.""" - # We will use output_corpus as a directory where AFL and Fuzzolic sync their - # test cases with each other. For Fuzzolic, we should explicitly specify an - # output directory under this sync directory. 
- if input_corpus: - fuzzolic_out = os.path.join(output_corpus, 'fuzzolic_output') - afl_out = os.path.join(output_corpus, 'afl-worker') - afl_queue = os.path.join(afl_out, 'queue') - command = [ - '/out/fuzzolic/fuzzolic/fuzzolic.py', - '-p', # optimistic solving - '-r', # address reasoning - '-l', # symbolic libc models - '-t', # timeout - '90000', - '-a', - afl_out, - '-i', - afl_queue, - '-o', - fuzzolic_out, - '--', - target_binary, - ] - print('[fuzzolic] Running Fuzzolic with command: ' + ' '.join(command)) - with subprocess.Popen(command): - pass - - -def afl_worker(input_corpus, output_corpus, target_binary): - """Run AFL worker instance.""" - print('[afl_worker] Run AFL worker') - #dictionary_path = utils.get_dictionary_path(target_binary) - #if dictionary_path: - # command += (['-x', dictionary_path]) - afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, - ['-S', 'afl-worker'], True) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - #utils.create_seed_file_for_empty_corpus(input_corpus) - afl_fuzzer.prepare_fuzz_environment(input_corpus) - - print('[fuzz] Running AFL worker') - os.environ['AFL_DISABLE_TRIM'] = '1' - afl_args = (input_corpus, output_corpus, target_binary) - afl_worker_thread = threading.Thread(target=afl_worker, args=afl_args) - afl_worker_thread.start() - time.sleep(5) - - print('[fuzz] Running Fuzzolic') - target_binary_directory = os.path.dirname(target_binary) - uninstrumented_target_binary_directory = ( - get_uninstrumented_outdir(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - uninstrumented_target_binary = os.path.join( - uninstrumented_target_binary_directory, target_binary_name) - fuzzolic_args = (input_corpus, output_corpus, uninstrumented_target_binary) - fuzzolic_thread = threading.Thread(target=fuzzolic, args=fuzzolic_args) - fuzzolic_thread.start() - - print('[fuzz] Now waiting for threads to finish...') - afl_worker_thread.join() - 
 fuzzolic_thread.join()
diff --git a/fuzzers/fuzzolic_aflplusplus_z3/runner.Dockerfile b/fuzzers/fuzzolic_aflplusplus_z3/runner.Dockerfile
deleted file mode 100644
index 6fb7cdaae..000000000
--- a/fuzzers/fuzzolic_aflplusplus_z3/runner.Dockerfile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN sed -i -- 's/# deb-src/deb-src/g' /etc/apt/sources.list && cat /etc/apt/sources.list
-
-RUN apt update -y && \
- apt-get build-dep -y qemu-user
-
-RUN apt install -y \
- llvm-8 clang-8 nano \
- qemu-user git libglib2.0-dev libfdt-dev \
- libpixman-1-dev zlib1g-dev libcapstone-dev \
- strace cmake python3 libprotobuf-dev libprotobuf9v5 \
- libibverbs-dev libjpeg62-dev \
- libpng16-16 libjbig-dev \
- build-essential libtool-bin python3-dev \
- automake flex bison libglib2.0-dev \
- libpixman-1-dev clang \
- python3-setuptools llvm wget \
- llvm-dev g++ g++-multilib python \
- python-pip lsb-release gcc-4.8 g++-4.8 \
- llvm-3.9 cmake libc6 libstdc++6 \
- linux-libc-dev gcc-multilib \
- apt-transport-https libtool \
- libtool-bin wget \
- automake autoconf \
- bison git valgrind ninja-build \
- time python3-pip
-
-RUN apt clean -y
-
-# Set environment vars for Z3
-ENV C_INCLUDE_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/include
-ENV LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib
-ENV LD_LIBRARY_PATH=/out/fuzzolic/solver/fuzzy-sat/fuzzolic-z3/build/dist/lib
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_PATH=/out/AFLplusplus
-
diff --git a/fuzzers/glibfuzzer/builder.Dockerfile b/fuzzers/glibfuzzer/builder.Dockerfile
deleted file mode 100644
index 37f025d39..000000000
--- a/fuzzers/glibfuzzer/builder.Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-#RUN git clone https://github.com/llvm/llvm-project.git /llvm-project && \
-#RUN git clone https://github.com/gtt1995/libfuzzer-adaptive-group.git&& \
-RUN git clone https://github.com/gtt1995/libfuzzer-cmab-latest.git && \
- cd libfuzzer-cmab-latest && \
-# git checkout 5cda4dc7b4d28fcd11307d4234c513ff779a1c6f && \
-# cd compiler-rt/lib/fuzzer && \
- (for f in *.cpp; do \
- clang++ -stdlib=libc++ -fPIC -O2 -std=c++11 $f -c & \
- done && wait) && \
- ar r /usr/lib/glibFuzzer.a *.o
diff --git a/fuzzers/glibfuzzer/fuzzer.py b/fuzzers/glibfuzzer/fuzzer.py
deleted file mode 100755
index b7df68ed0..000000000
--- a/fuzzers/glibfuzzer/fuzzer.py
+++ /dev/null
@@ -1,89 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for glibFuzzer fuzzer.""" - -import subprocess -import os - -from fuzzers import utils - - -def build(): - """Build benchmark.""" - # With LibFuzzer we use -fsanitize=fuzzer-no-link for build CFLAGS and then - # /usr/lib/libFuzzer.a as the FUZZER_LIB for the main fuzzing binary. This - # allows us to link against a version of LibFuzzer that we specify. - cflags = ['-fsanitize=fuzzer-no-link'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - os.environ['FUZZER_LIB'] = '/usr/lib/glibFuzzer.a' - - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer. Wrapper that uses the defaults when calling - run_fuzzer.""" - run_fuzzer(input_corpus, - output_corpus, - target_binary, - extra_flags=['-keep_seed=0', '-cross_over_uniform_dist=1']) - - -def run_fuzzer(input_corpus, output_corpus, target_binary, extra_flags=None): - """Run fuzzer.""" - if extra_flags is None: - extra_flags = [] - - # Seperate out corpus and crash directories as sub-directories of - # |output_corpus| to avoid conflicts when corpus directory is reloaded. 
- crashes_dir = os.path.join(output_corpus, 'crashes') - output_corpus = os.path.join(output_corpus, 'corpus') - os.makedirs(crashes_dir) - os.makedirs(output_corpus) - - flags = [ - '-print_final_stats=1', - # `close_fd_mask` to prevent too much logging output from the target. - '-close_fd_mask=3', - # Run in fork mode to allow ignoring ooms, timeouts, crashes and - # continue fuzzing indefinitely. - '-fork=4', - '-NumCorpuses=8', - '-ignore_ooms=1', - '-ignore_timeouts=1', - '-ignore_crashes=1', - '-entropic=1', - '-adaptive=6', - - # Don't use LSAN's leak detection. Other fuzzers won't be using it and - # using it will cause libFuzzer to find "crashes" no one cares about. - '-detect_leaks=0', - - # Store crashes along with corpus for bug based benchmarking. - f'-artifact_prefix={crashes_dir}/', - ] - flags += extra_flags - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - flags.append('-dict=' + dictionary_path) - - command = [target_binary] + flags + [output_corpus, input_corpus] - print('[run_fuzzer] Running command: ' + ' '.join(command)) - subprocess.check_call(command) diff --git a/fuzzers/glibfuzzer/runner.Dockerfile b/fuzzers/glibfuzzer/runner.Dockerfile deleted file mode 100644 index 0d6cf004e..000000000 --- a/fuzzers/glibfuzzer/runner.Dockerfile +++ /dev/null 
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/gramatron/builder.Dockerfile b/fuzzers/gramatron/builder.Dockerfile
deleted file mode 100644
index f1890e47c..000000000
--- a/fuzzers/gramatron/builder.Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates joe curl \ - python3-dev gzip - -# Uninstall old Rust -RUN if which rustup; then rustup self uninstall -y; fi - -# Install latest Rust -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ - sh /rustup.sh -y - -# Download libafl -RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \ - cd /libafl_fuzzbench && \ - git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \ - git submodule update --init - -# Compile libafl -RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export CXX=clang++ && \ - export LIBAFL_EDGES_MAP_SIZE=2621440 && \ - PATH="$PATH:/root/.cargo/bin/" cargo build --release - -RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \ - clang -c /empty_fuzzer_lib.c && \ - ar r /emptylib.a *.o diff --git a/fuzzers/gramatron/fuzzer.py b/fuzzers/gramatron/fuzzer.py deleted file mode 100755 index 3174f8894..000000000 --- a/fuzzers/gramatron/fuzzer.py +++ /dev/null 
@@ -1,80 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for a LibAFL-based fuzzer.""" - -import os -import shutil -import subprocess - -from fuzzers import utils - - -def prepare_fuzz_environment(input_corpus): - """Prepare to fuzz with a LibAFL-based fuzzer.""" - os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\ - 'malloc_context_size=0:symbolize=0:'\ - 'allocator_may_return_null=1:'\ - 'detect_odr_violation=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_abort=0:'\ - 'handle_sigfpe=0:handle_sigill=0' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\ - 'allocator_release_to_os_interval_ms=500:'\ - 'handle_abort=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_sigfpe=0:'\ - 'handle_sigill=0:print_stacktrace=0:'\ - 'symbolize=0:symbolize_inline_frames=0' - # Create at least one non-empty seed to start. 
- utils.create_seed_file_for_empty_corpus(input_corpus) - - -def build(): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - benchmark_name = os.environ['BENCHMARK'].lower() - if 'php' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/php_automata.json.gz' - elif 'ruby' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/ruby_automata.json.gz' - elif 'js' in benchmark_name or 'javascript' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/js_automata.json.gz' - else: - raise RuntimeError('Unsupported benchmark, unavailable grammar') - dest = os.path.join(os.environ['OUT'], 'grammar.json.gz') - shutil.copy(copy_file, dest) - os.system(f'gzip -d "{dest}"') - - os.environ['CC'] = '/libafl_fuzzbench/target/release/gramatron_cc' - os.environ['CXX'] = '/libafl_fuzzbench/target/release/gramatron_cxx' - - os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0' - - cflags = ['--libafl'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['FUZZER_LIB'] = '/emptylib.a' - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - prepare_fuzz_environment(input_corpus) - command = [target_binary] - grammar = os.path.join(os.environ['OUT'], 'grammar.json') - out = os.path.join(os.environ['OUT'], 'out') - os.mkdir(out) - command += (['-r', output_corpus, '-o', out, '-g', grammar]) - print(command) - subprocess.check_call(command, cwd=os.environ['OUT']) diff --git a/fuzzers/gramatron/fuzzer.yaml b/fuzzers/gramatron/fuzzer.yaml deleted file mode 100644 index de283f07d..000000000 --- a/fuzzers/gramatron/fuzzer.yaml +++ /dev/null @@ -1,4 +0,0 @@ -allowed_benchmarks: - - quickjs_eval-2020-01-05 - - php_php-fuzz-execute - - mruby-2018-05-23 
diff --git a/fuzzers/gramatron/runner.Dockerfile b/fuzzers/gramatron/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/gramatron/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/grimoire/builder.Dockerfile b/fuzzers/grimoire/builder.Dockerfile
deleted file mode 100644
index f1890e47c..000000000
--- a/fuzzers/grimoire/builder.Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates joe curl \ - python3-dev gzip - -# Uninstall old Rust -RUN if which rustup; then rustup self uninstall -y; fi - -# Install latest Rust -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ - sh /rustup.sh -y - -# Download libafl -RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \ - cd /libafl_fuzzbench && \ - git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \ - git submodule update --init - -# Compile libafl -RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export CXX=clang++ && \ - export LIBAFL_EDGES_MAP_SIZE=2621440 && \ - PATH="$PATH:/root/.cargo/bin/" cargo build --release - -RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \ - clang -c /empty_fuzzer_lib.c && \ - ar r /emptylib.a *.o diff --git a/fuzzers/grimoire/fuzzer.py b/fuzzers/grimoire/fuzzer.py deleted file mode 100755 index 1c156412a..000000000 --- a/fuzzers/grimoire/fuzzer.py +++ /dev/null 
@@ -1,82 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for a LibAFL-based fuzzer.""" - -import os -import shutil -import subprocess - -from fuzzers import utils - - -def prepare_fuzz_environment(input_corpus): - """Prepare to fuzz with a LibAFL-based fuzzer.""" - os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\ - 'malloc_context_size=0:symbolize=0:'\ - 'allocator_may_return_null=1:'\ - 'detect_odr_violation=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_abort=0:'\ - 'handle_sigfpe=0:handle_sigill=0' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\ - 'allocator_release_to_os_interval_ms=500:'\ - 'handle_abort=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_sigfpe=0:'\ - 'handle_sigill=0:print_stacktrace=0:'\ - 'symbolize=0:symbolize_inline_frames=0' - # Create at least one non-empty seed to start. 
- utils.create_seed_file_for_empty_corpus(input_corpus) - - -def build(): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - benchmark_name = os.environ['BENCHMARK'].lower() - if 'php' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/php_nautilus.json' - elif 'ruby' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/ruby_nautilus.json' - elif 'js' in benchmark_name or 'javascript' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/js_nautilus.json' - else: - raise RuntimeError('Unsupported benchmark, unavailable grammar') - dest = os.path.join(os.environ['OUT'], 'grammar.json') - shutil.copy(copy_file, dest) - - os.environ['CC'] = '/libafl_fuzzbench/target/release/grimoire_cc' - os.environ['CXX'] = '/libafl_fuzzbench/target/release/grimoire_cxx' - - os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0' - - cflags = ['--libafl'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['FUZZER_LIB'] = '/emptylib.a' - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - prepare_fuzz_environment(input_corpus) - dictionary_path = utils.get_dictionary_path(target_binary) - command = [target_binary] - if dictionary_path: - command += (['-x', dictionary_path]) - grammar = os.path.join(os.environ['OUT'], 'grammar.json') - out = os.path.join(os.environ['OUT'], 'out') - os.mkdir(out) - command += (['-r', output_corpus, '-o', out, '-g', grammar]) - print(command) - subprocess.check_call(command, cwd=os.environ['OUT']) diff --git a/fuzzers/grimoire/fuzzer.yaml b/fuzzers/grimoire/fuzzer.yaml deleted file mode 100644 index de283f07d..000000000 --- a/fuzzers/grimoire/fuzzer.yaml +++ /dev/null @@ -1,4 +0,0 @@ -allowed_benchmarks: - - quickjs_eval-2020-01-05 - - php_php-fuzz-execute - - mruby-2018-05-23 
diff --git a/fuzzers/grimoire/runner.Dockerfile b/fuzzers/grimoire/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/grimoire/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/hastefuzz/builder.Dockerfile b/fuzzers/hastefuzz/builder.Dockerfile
deleted file mode 100644
index e851555bd..000000000
--- a/fuzzers/hastefuzz/builder.Dockerfile
+++ /dev/null
@@ -1,49 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download hastefuzz. -RUN git clone https://github.com/AAArdu/hastefuzz.git /hastefuzz && \ - cd /hastefuzz && \ - git checkout aab96098dbe291ef8874398bde1fed910faad6cd - -# Build hastefuzz without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /hastefuzz/fuzzer && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/hastefuzz/description.md b/fuzzers/hastefuzz/description.md deleted file mode 100644 index b914e1faf..000000000 --- a/fuzzers/hastefuzz/description.md +++ /dev/null 
@@ -1,15 +0,0 @@ -# hastefuzz - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - - haste mode - -Repository: [https://github.com/AAArdu/hastefuzz](https://github.com/AAArdu/hastefuzz) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/hastefuzz/fuzzer.py b/fuzzers/hastefuzz/fuzzer.py deleted file mode 100755 index e5d331b49..000000000 --- a/fuzzers/hastefuzz/fuzzer.py +++ /dev/null 
@@ -1,321 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def get_hastemode_build_directory(target_directory): - """Return path to Hastemode target directory""" - return os.path.join(target_directory, 'hastemode') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/hastefuzz/fuzzer/afl-clang-lto' - os.environ['CXX'] = '/hastefuzz/fuzzer/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/hastefuzz/fuzzer/afl-clang-fast' - os.environ['CXX'] = '/hastefuzz/fuzzer/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = 
' '.join(cxxflags) - - if 'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. 
- cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - with utils.restore_directory(src), utils.restore_directory(work): - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. 
- new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - with utils.restore_directory(src), utils.restore_directory(work): - utils.build_benchmark(env=new_env) - - if utils.get_config_value('type') == 'bug': - new_env = os.environ.copy() - t_a = [utils.BUGS_OPTIMIZATION_LEVEL] - cflags = utils.FUZZING_CFLAGS + utils.NO_SANITIZER_COMPAT_CFLAGS + t_a - new_env['CFLAGS'] = ' '.join(cflags) - t_a = [utils.LIBCPLUSPLUS_FLAG, utils.BUGS_OPTIMIZATION_LEVEL] - cxxflags = utils.FUZZING_CFLAGS + utils.NO_SANITIZER_COMPAT_CFLAGS + t_a - new_env['CXXFLAGS'] = ' '.join(cxxflags) - #new_env['AFL_LLVM_USE_TRACE_PC'] = '1' - #del new_env['AFL_LLVM_INSTRUMENT'] - hastemode_build_directory = get_hastemode_build_directory( - build_directory) - os.mkdir(hastemode_build_directory) - new_env['OUT'] = hastemode_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(hastemode_build_directory, - os.path.basename(fuzz_target)) - print('Re-building benchmark for hastemode fuzzing target') - with utils.restore_directory(src), utils.restore_directory(work): - utils.build_benchmark(env=new_env) - - shutil.copy('/hastefuzz/fuzzer/afl-fuzz', build_directory) - if os.path.exists('/hastefuzz/fuzzer/afl-qemu-trace'): - shutil.copy('/hastefuzz/fuzzer/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/hastefuzz/fuzzer/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: 
disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - hastemode_target_binary_directory = ( - get_hastemode_build_directory(target_binary_directory)) - hastemode_target_binary = os.path.join(hastemode_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - os.environ['AFL_MAX_DET_EXTRAS'] = '99999' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - if os.path.exists(hastemode_target_binary): - flags += ['-u', target_binary] - target_binary = hastemode_target_binary - else: - flags += ['-u', '0'] - - os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/hastefuzz/runner.Dockerfile b/fuzzers/hastefuzz/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/hastefuzz/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/honggfuzz_qemu/builder.Dockerfile b/fuzzers/honggfuzz_qemu/builder.Dockerfile deleted file mode 100644 index 45f21a725..000000000 --- a/fuzzers/honggfuzz_qemu/builder.Dockerfile +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Honggfuzz requires libbfd and libunwid. -RUN apt-get update -y && \ - apt-get upgrade -y ca-certificates && \ - apt-get install -y \ - libbfd-dev \ - libunwind-dev \ - libblocksruntime-dev \ - libstdc++-5-dev libtool-bin automake \ - flex bison libglib2.0-dev libpixman-1-dev \ - liblzma-dev - -# Download honggfuz version 2.1 + d0fbcb0373c32436b8fb922e6937da93b17291f5 -# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU -# dependent code that may not work on the machines we actually fuzz on. -# Create an empty object file which will become the FUZZER_LIB lib (since -# honggfuzz doesn't need this when hfuzz-clang(++) is used). -RUN cd / && git clone https://github.com/google/honggfuzz.git /honggfuzz && \ - cd /honggfuzz && \ - git checkout d0fbcb0373c32436b8fb922e6937da93b17291f5 && \ - CFLAGS="-O3 -funroll-loops" make && \ - unset CFLAGS && unset CXXFLAGS && \ - cd qemu_mode && export LIBS=-ldl && TARGETS=x86_64-linux-user make && \ - sed -i 's/-Werror //g' honggfuzz-qemu/config-host.mak && \ - cd honggfuzz-qemu && make - -RUN cd / && git clone https://github.com/vanhauser-thc/qemu_driver && \ - cd /qemu_driver && \ - git checkout 8ad9ad589b4881552fa7ef8b7d29cd9aeb5071bd && \ - make && \ - cp -fv libQEMU.a / 
diff --git a/fuzzers/honggfuzz_qemu/fuzzer.py b/fuzzers/honggfuzz_qemu/fuzzer.py deleted file mode 100644 index b9b7577fe..000000000 --- a/fuzzers/honggfuzz_qemu/fuzzer.py +++ /dev/null 
@@ -1,72 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for Honggfuzz fuzzer.""" - -import os -import shutil -import subprocess - -from fuzzers import utils - - -def build(): - """Build benchmark.""" - # honggfuzz doesn't need additional libraries when code is compiled - # with hfuzz-clang(++) - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - os.environ['FUZZER_LIB'] = '/libQEMU.a' - - utils.build_benchmark() - - print('[post_build] Copying honggfuzz to $OUT directory') - # Copy over honggfuzz's main fuzzing binary. - shutil.copy('/honggfuzz/honggfuzz', os.environ['OUT']) - shutil.copy( - '/honggfuzz/qemu_mode/honggfuzz-qemu/x86_64-linux-user/qemu-x86_64', - os.environ['OUT']) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Seperate out corpus and crash directories as sub-directories of - # |output_corpus| to avoid conflicts when corpus directory is reloaded. - crashes_dir = os.path.join(output_corpus, 'crashes') - output_corpus = os.path.join(output_corpus, 'corpus') - os.makedirs(crashes_dir) - os.makedirs(output_corpus) - - print('[fuzz] Running target with honggfuzz') - command = [ - './honggfuzz', - '--rlimit_rss', - '2048', - '--sanitizers_del_report=true', - '--input', - input_corpus, - '--output', - output_corpus, - - # Store crashes along with corpus for bug based benchmarking. 
- '--crashdir', - crashes_dir, - '-s', - ] - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - command.extend(['--dict', dictionary_path]) - command.extend(['--', './qemu-x86_64', target_binary]) - - print('[fuzz] Running command: ' + ' '.join(command)) - subprocess.check_call(command) diff --git a/fuzzers/honggfuzz_qemu/runner.Dockerfile b/fuzzers/honggfuzz_qemu/runner.Dockerfile deleted file mode 100644 index f3eb30039..000000000 --- a/fuzzers/honggfuzz_qemu/runner.Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# honggfuzz requires libfd and libunwid -RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev diff --git a/fuzzers/klee/builder.Dockerfile b/fuzzers/klee/builder.Dockerfile deleted file mode 100644 index 30036824e..000000000 --- a/fuzzers/klee/builder.Dockerfile +++ /dev/null 
@@ -1,263 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# The following installation Steps 1-8 are from KLEE's recommended build guide: -# https://klee.github.io/build-llvm11/ -# We should merge some of them to minimise Dockerfile / docker image. - -# Step 1: Install dependencies. -# Install dependencies for KLEE. -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - cmake \ - curl \ - file \ - g++-multilib \ - gcc-multilib \ - git \ - libcap-dev \ - libgoogle-perftools-dev \ - libncurses5-dev \ - libsqlite3-dev \ - libtcmalloc-minimal4 \ - python3-pip \ - unzip \ - graphviz \ - doxygen - -# Install dependencies for testing and additional features. -RUN pip3 install lit wllvm && \ - apt-get install -y python3-tabulate -ENV PATH=$PATH:'~/.local/bin' - -# Step 2: Install LLVM 11. -RUN apt-get install -y clang-11 llvm-11 llvm-11-dev llvm-11-tools -ENV PATH='/usr/lib/llvm-11/bin':$PATH -ENV LD_LIBRARY_PATH='/usr/lib/llvm-11/lib':$LD_LIBRARY_PATH -# ENV LD_LIBRARY_PATH='/usr/lib/clang/11.0.0/lib/linux':$LD_LIBRARY_PATH -# ENV LDFLAGS="$LDFLAGS -pthread" - -# Step 3: Install constraint solver (STP). -# Install STP dependencies. -RUN apt-get install -y \ - cmake \ - bison \ - flex \ - libboost-all-dev \ - python \ - perl \ - zlib1g-dev \ - minisat \ - libboost-all-dev \ - perl \ - zlib1g-dev - -ENV INSTALL_DIR=/out - -# Install minisat. 
-RUN git clone https://github.com/stp/minisat.git /src/minisat && \ - mkdir /src/minisat/build && \ - (cd /src/minisat/build && \ - CXXFLAGS= cmake -DSTATIC_BINARIES=ON \ - -DCMAKE_INSTALL_PREFIX=$INSTALL_DIR -DCMAKE_BUILD_TYPE=Release ../ && \ - make -j`nproc` && make install) - -# Install STP solver. -RUN git clone \ - --depth 1 \ - --branch 2.3.3\ - https://github.com/stp/stp.git /src/stp && \ - mkdir /src/stp/build && \ - (cd /src/stp/build && \ - CXXFLAGS= cmake -DBUILD_SHARED_LIBS:BOOL=ON \ - -DENABLE_PYTHON_INTERFACE:BOOL=OFF \ - -DMINISAT_LIBRARY=$INSTALL_DIR/lib/libminisat.so.2.1.0 \ - -DMINISAT_INCLUDE_DIR=$INSTALL_DIR/include \ - -DCMAKE_INSTALL_PREFIX=/user/local/ -DCMAKE_BUILD_TYPE=Release .. && \ - make -j`nproc` && make install) - -# Step 4 (Optional): Get Google test sources. -RUN curl \ - -o /src/release-1.11.0.zip \ - -L https://github.com/google/googletest/archive/release-1.11.0.zip && \ - unzip /src/release-1.11.0.zip -d /src && \ - rm /src/release-1.11.0.zip - -# Step 5(Optional): Build uClibc and the POSIX environment model. -# Enable the KLEE POSIX runtime to run on real programs. -ENV KLEE_UCLIBC='/src/klee-uclibc' -RUN git clone https://github.com/klee/klee-uclibc.git $KLEE_UCLIBC && \ - (cd $KLEE_UCLIBC && \ - ./configure --make-llvm-lib && \ -# --make-llvm-lib \ -# --with-cc clang-11 \ -# --with-llvm-config llvm-config-11 && \ - make -j`nproc`) - -# Step 6: Get KLEE source. -ENV KLEE_DIR=/src/klee -RUN git clone https://github.com/klee/klee.git $KLEE_DIR - -# Step 7 (Optional): Build libc++. -ENV LIBCXX_DIR=/src/libcxx -RUN mkdir $LIBCXX_DIR && \ - (cd $KLEE_DIR && \ - LLVM_VERSION=11 BASE=$LIBCXX_DIR ./scripts/build/build.sh libcxx) - -# Step 8: Configure KLEE. 
-RUN mkdir $KLEE_DIR/build && \ - (cd $KLEE_DIR/build && \ - cmake \ - -DENABLE_SOLVER_STP=ON \ - -DENABLE_POSIX_RUNTIME=ON \ - -DKLEE_UCLIBC_PATH=/src/klee-uclibc \ - -DENABLE_UNIT_TESTS=ON \ - -DLLVM_CONFIG_BINARY=/usr/bin/llvm-config-11 \ - -DGTEST_SRC_DIR=/src/googletest-release-1.11.0/ \ - -DENABLE_KLEE_LIBCXX=ON \ - -DKLEE_LIBCXX_DIR=/src/libcxx/libc++-install-110/ \ - -DKLEE_LIBCXX_INCLUDE_DIR=/src/libcxx/libc++-install-110/include/c++/v1/ \ - -DENABLE_KLEE_EH_CXX=ON \ - -DKLEE_LIBCXXABI_SRC_DIR=/src/libcxx/llvm-110/libcxxabi/ \ - ..) - -# Step 9: Build KLEE. -RUN (cd $KLEE_DIR/build && \ - make) - - -# Install Clang/LLVM 6.0. -# RUN apt-get update -y && \ -# apt-get -y install llvm-11.0 \ -# clang-6.0 llvm-6.0-dev llvm-6.0-tools \ -# wget - -# # Install KLEE. -# ENV LIBCXX_DIR=/src/libcxx -# RUN mkdir $LIBCXX_DIR && \ -# git clone https://github.com/klee/klee.git && \ -# cd klee && \ -# LLVM_VERSION=11 BASE=$LIBCXX_DIR \ -# ./scripts/build/build.sh libcxx \ -# mkdir build && \ -# cd build && \ -# cmake \ -# -DENABLE_SOLVER_STP=ON \ -# -DENABLE_POSIX_RUNTIME=ON \ -# -DKLEE_UCLIBC_PATH=/src/klee-uclibc \ -# -DENABLE_UNIT_TESTS=ON \ -# -DLLVM_CONFIG_BINARY=/usr/bin/llvm-config-11 \ -# -DGTEST_SRC_DIR=/src/googletest-release-1.11.0/ \ -# -DENABLE_KLEE_LIBCXX=ON \ -# -DKLEE_LIBCXX_DIR=/src/libcxx/libc++-install-110/ \ -# -DKLEE_LIBCXX_INCLUDE_DIR=/src/libcxx/libc++-install-110/include/c++/v1/ \ -# -DENABLE_KLEE_EH_CXX=ON \ -# -DKLEE_LIBCXXABI_SRC_DIR=/src/libcxx/llvm-110/libcxxabi/ \ -# .. && \ -# make && \ -# make systemtests && \ -# lit test/ && \ -# make unittests - - -# # Install libstdc++-4.8. -# RUN echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty main' >> /etc/apt/sources.list && \ -# echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty universe' >> /etc/apt/sources && \ -# apt-get update && \ -# apt-get install -y libstdc++-4.8-dev -# -# # Install KLEE dependencies. 
-# RUN apt-get install -y \ -# cmake-data build-essential curl libcap-dev \ -# git cmake libncurses5-dev unzip libtcmalloc-minimal4 \ -# libgoogle-perftools-dev bison flex libboost-all-dev \ -# perl zlib1g-dev libsqlite3-dev doxygen -# -# ENV INSTALL_DIR=/out -# -# # Install minisat. -# RUN git clone https://github.com/stp/minisat.git /minisat && \ -# cd /minisat && mkdir build && cd build && \ -# CXXFLAGS= cmake -DSTATIC_BINARIES=ON \ -# -DCMAKE_INSTALL_PREFIX=$INSTALL_DIR -DCMAKE_BUILD_TYPE=Release ../ && \ -# make -j`nproc` && make install -# -# # Install STP solver. -# RUN git clone https://github.com/stp/stp.git /stp && \ -# cd /stp && git checkout tags/2.1.2 && \ -# mkdir build && cd build && \ -# CXXFLAGS= cmake -DBUILD_SHARED_LIBS:BOOL=OFF \ -# -DENABLE_PYTHON_INTERFACE:BOOL=OFF \ -# -DMINISAT_LIBRARY=$INSTALL_DIR/lib/libminisat.so \ -# -DMINISAT_INCLUDE_DIR=$INSTALL_DIR/include \ -# -DCMAKE_INSTALL_PREFIX=/user/local/ -DCMAKE_BUILD_TYPE=Release .. && \ -# make -j`nproc` && make install -# -# RUN git clone https://github.com/klee/klee-uclibc.git /klee-uclibc && \ -# cd /klee-uclibc && \ -# CC=`which clang-6.0` CXX=`which clang++-6.0` \ -# ./configure --make-llvm-lib --with-llvm-config=`which llvm-config-6.0` && \ -# make -j`nproc` && make install -# -# # Install KLEE. Use my personal repo containing seed conversion scripts for now. -# # TODO: Include seed conversion scripts in fuzzbench repo. -# # Note: don't use the 'debug' branch because it has checks for non-initialized values -# # that need to be fixed for certain syscalls. -# # When we use it, be sure to also use klee-uclibc from https://github.com/lmrs2/klee-uclibc.git. 
-# RUN git clone https://github.com/lmrs2/klee.git /klee && \ -# cd /klee && \ -# git checkout 3810917841c1cb58587719c1d3d47181a2401324 && \ -# wget -O tools/ktest-tool/ktest-tool https://raw.githubusercontent.com/lmrs2/klee/debug/tools/ktest-tool/ktest-tool -# -# # The libcxx build script in the KLEE repo depends on wllvm: -# RUN pip3 install wllvm - -# # Before building KLEE, build libcxx. -# RUN cd /klee && \ -# LLVM_VERSION=6.0 SANITIZER_BUILD= ENABLE_OPTIMIZED=0 ENABLE_DEBUG=1 \ -# DISABLE_ASSERTIONS=1 REQUIRES_RTTI=1 \ -# BASE=/out \ -# ./scripts/build/build.sh libcxx -# -# RUN cd /klee && \ -# mkdir build && cd build && \ -# CXXFLAGS= cmake -DENABLE_SOLVER_STP=ON -DENABLE_POSIX_RUNTIME=ON \ -# -DENABLE_KLEE_LIBCXX=ON -DKLEE_LIBCXX_DIR=/out/libc++-install-60/ \ -# -DKLEE_LIBCXX_INCLUDE_DIR=/out/libc++-install-60/include/c++/v1/ \ -# -DENABLE_KLEE_UCLIBC=ON -DKLEE_UCLIBC_PATH=/klee-uclibc/ \ -# -DENABLE_SYSTEM_TESTS=OFF -DENABLE_UNIT_TESTS=OFF \ -# -DLLVM_CONFIG_BINARY=`which llvm-config-6.0` -DLLVMCC=`which clang-6.0` \ -# -DLLVMCXX=`which clang++-6.0` -DCMAKE_INSTALL_PREFIX=$INSTALL_DIR ../ \ -# -DCMAKE_BUILD_TYPE=Release && \ -# make -j`nproc` && make install -# -# ENV LLVM_CC_NAME=clang-6.0 -# ENV LLVM_CXX_NAME=clang++-6.0 -# ENV LLVM_AR_NAME=llvm-ar-6.0 -# ENV LLVM_LINK_NAME=llvm-link-6.0 -# ENV LLVM_COMPILER=clang -# ENV CC=wllvm -# ENV CXX=wllvm++ -# -# # Compile the harness klee_driver.cpp. -# COPY klee_driver.cpp /klee_driver.cpp -# COPY klee_mock.c /klee_mock.c -# RUN $CXX -stdlib=libc++ -std=c++11 -O2 -c /klee_driver.cpp -o /klee_driver.o && \ -# ar r /libAFL.a /klee_driver.o && \ -# $LLVM_CC_NAME -O2 -c -fPIC /klee_mock.c -o /klee_mock.o && \ -# $LLVM_CC_NAME -shared -o /libKleeMock.so /klee_mock.o diff --git a/fuzzers/klee/fuzzer.py b/fuzzers/klee/fuzzer.py deleted file mode 100644 index 2fc7b4d7d..000000000 --- a/fuzzers/klee/fuzzer.py +++ /dev/null 
@@ -1,434 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-# pylint: disable=too-many-arguments
-
-import shutil
-import os
-import glob
-import pathlib
-import struct
-import subprocess
-import threading
-import time
-from datetime import datetime
-
-from fuzzers import utils
-
-LIB_BC_DIR = 'lib-bc'
-SYMBOLIC_BUFFER = 'kleeInputBuf'
-MODEL_VERSION = 'model_version'
-
-MAX_SOLVER_TIME_SECONDS = 30
-MAX_TOTAL_TIME_DEFAULT = 82800 # Default experiment duration = 23 hrs.
-
-
-def is_benchmark(name):
- """Check if the benchmark contains the string |name|"""
- benchmark = os.getenv('BENCHMARK', None)
- return benchmark is not None and name in benchmark
-
-
-def prepare_build_environment():
- """Set environment variables used to build benchmark."""
- if is_benchmark('sqlite3'):
- sqlite3_flags = [
- '-DSQLITE_THREADSAFE=0', '-DSQLITE_OMIT_LOAD_EXTENSION',
- '-DSQLITE_DEFAULT_MEMSTATUS=0', '-DSQLITE_MAX_EXPR_DEPTH=0',
- '-DSQLITE_OMIT_DECLTYPE', '-DSQLITE_OMIT_DEPRECATED',
- '-DSQLITE_DEFAULT_PAGE_SIZE=512', '-DSQLITE_DEFAULT_CACHE_SIZE=10',
- '-DSQLITE_DISABLE_INTRINSIC', '-DSQLITE_DISABLE_LFS',
- '-DYYSTACKDEPTH=20', '-DSQLITE_OMIT_LOOKASIDE', '-DSQLITE_OMIT_WAL',
- '-DSQLITE_DEFAULT_LOOKASIDE=\'64,5\'',
- '-DSQLITE_OMIT_PROGRESS_CALLBACK', '-DSQLITE_OMIT_SHARED_CACHE'
- ]
- utils.append_flags('CFLAGS', sqlite3_flags)
- utils.append_flags('CXXFLAGS', sqlite3_flags)
- #This convinces sqlite3 ./configure script to not reenable threads
- os.environ['enable_threadsafe'] = 'no'
-
- # See https://klee.github.io/tutorials/testing-function/
- cflags = ['-O0', '-Xclang', '-disable-O0-optnone']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- # Add flags for various benchmarks.
- add_compilation_cflags()
-
- os.environ['LLVM_CC_NAME'] = 'clang-6.0'
- os.environ['LLVM_CXX_NAME'] = 'clang++-6.0'
- os.environ['LLVM_AR_NAME'] = 'llvm-ar-6.0'
- os.environ['LLVM_LINK_NAME'] = 'llvm-link-6.0'
- os.environ['LLVM_COMPILER'] = 'clang'
- os.environ['CC'] = 'wllvm'
- os.environ['CXX'] = 'wllvm++'
-
- os.environ['FUZZER_LIB'] = '/libAFL.a' # -L/ -lKleeMock -lpthread'
-
- # Fix FUZZER_LIB for various benchmarks.
- fix_fuzzer_lib()
-
-
-def openthread_suppress_error_flags():
- """Suppress errors for openthread"""
- return [
- '-Wno-error=embedded-directive',
- '-Wno-error=gnu-zero-variadic-macro-arguments',
- '-Wno-error=overlength-strings', '-Wno-error=c++11-long-long',
- '-Wno-error=c++11-extensions', '-Wno-error=variadic-macros'
- ]
-
-
-def get_size_for_benchmark():
- """
- Returns the size for the seed for each benchmark.
- """
- size = 256
- if 're2-2014-12-09' in os.environ['BENCHMARK']:
- size = 64
- if 'libpng' in os.environ['BENCHMARK']:
- size = 128
- return size
-
-
-def get_bcs_for_shared_libs(fuzz_target):
- """Get shared libs paths for the fuzz_target"""
- ldd_cmd = ['/usr/bin/ldd', f'{fuzz_target}']
- output = ''
- try:
- output = subprocess.check_output(ldd_cmd, universal_newlines=True)
- except subprocess.CalledProcessError as error:
- raise ValueError('ldd failed') from error
-
- for line in output.split('\n'):
- if '=>' not in line:
- continue
-
- out_dir = f'{os.environ["OUT"]}/{LIB_BC_DIR}'
- path = pathlib.Path(out_dir)
- path.mkdir(exist_ok=True)
- so_path = line.split('=>')[1].split(' ')[1]
- so_name = so_path.split('/')[-1].split('.')[0]
- if so_name:
- getbc_cmd = f'extract-bc -o {out_dir}/{so_name}.bc {so_path}'
- print(f'[extract-bc command] | {getbc_cmd}')
- # This will fail for most of the dependencies, which is fine. We
- # want to grab the .bc files for dependencies built in any given
- # benchmark's build.sh file.
- success = os.system(getbc_cmd)
- if success == 1:
- print(f'Got a bc file for {so_path}')
-
-
-def get_bc_files():
- """Returns list of .bc files in the OUT directory"""
- out_dir = './' + LIB_BC_DIR
- files = os.listdir(out_dir)
- bc_files = []
- for filename in files:
- if filename.split('.')[-1] == 'bc' and 'fuzz-target' not in filename:
- bc_files.append(filename)
-
- return bc_files
-
-
-def fix_fuzzer_lib():
- """Fix FUZZER_LIB for certain benchmarks"""
-
- os.environ['FUZZER_LIB'] += ' -L/ -lKleeMock -lpthread'
-
- if is_benchmark('curl'):
- shutil.copy('/libKleeMock.so', '/usr/lib/libKleeMock.so')
-
- shutil.copy('/libAFL.a', '/usr/lib/libFuzzingEngine.a')
- if is_benchmark('systemd'):
- shutil.copy('/libAFL.a', '/usr/lib/libFuzzingEngine.a')
- ld_flags = ['-lpthread']
- utils.append_flags('LDFLAGS', ld_flags)
-
-
-def add_compilation_cflags():
- """Add custom flags for certain benchmarks"""
- if is_benchmark('openthread'):
- openthread_flags = openthread_suppress_error_flags()
- utils.append_flags('CFLAGS', openthread_flags)
- utils.append_flags('CXXFLAGS', openthread_flags)
-
- elif is_benchmark('php'):
- php_flags = ['-D__builtin_cpu_supports\\(x\\)=0']
- utils.append_flags('CFLAGS', php_flags)
- utils.append_flags('CXXFLAGS', php_flags)
-
- # For some benchmarks, we also tell the compiler
- # to ignore unresolved symbols. This is useful when we cannot change
- # the build process to add a shared library for linking
- # (which contains mocked functions: libAflccMock.so).
- # Note that some functions are only defined post-compilation
- # during the LLVM passes.
- elif is_benchmark('bloaty') or is_benchmark('openssl') or is_benchmark(
- 'systemd'):
- unresolved_flags = ['-Wl,--warn-unresolved-symbols']
- utils.append_flags('CFLAGS', unresolved_flags)
- utils.append_flags('CXXFLAGS', unresolved_flags)
-
- elif is_benchmark('curl'):
- dl_flags = ['-ldl', '-lpsl']
- utils.append_flags('CFLAGS', dl_flags)
- utils.append_flags('CXXFLAGS', dl_flags)
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- fuzz_target = os.getenv('FUZZ_TARGET')
- fuzz_target_path = os.path.join(os.environ['OUT'], fuzz_target)
- getbc_cmd = f'extract-bc {fuzz_target_path}'
- if os.system(getbc_cmd) != 0:
- raise ValueError('extract-bc failed')
- get_bcs_for_shared_libs(fuzz_target_path)
-
-
-def rmdir(path):
- """"Remove a directory recursively"""
- if os.path.isdir(path):
- shutil.rmtree(path)
-
-
-def emptydir(path):
- """Empty a directory"""
- rmdir(path)
-
- os.mkdir(path)
-
-
-# pylint: disable=too-many-locals
-def run(command, hide_output=False, ulimit_cmd=None):
- """Run the command |command|, optionally, run |ulimit_cmd| first."""
- cmd = ' '.join(command)
- print(f'[run_cmd] {cmd}')
-
- output_stream = subprocess.DEVNULL if hide_output else None
- if ulimit_cmd:
- ulimit_command = [ulimit_cmd + ';']
- ulimit_command.extend(command)
- print(f'[ulimit_command] {" ".join(ulimit_command)}')
- ret = subprocess.call(' '.join(ulimit_command),
- stdout=output_stream,
- stderr=output_stream,
- shell=True)
- else:
- ret = subprocess.call(command,
- stdout=output_stream,
- stderr=output_stream)
- if ret != 0:
- raise ValueError(f'command failed: {ret} - {cmd}')
-
-
-def convert_seed_inputs(ktest_tool, input_klee, input_corpus):
- """
- Convert seeds to a format KLEE understands.
-
- Returns the number of converted seeds.
- """
-
- print('[run_fuzzer] Converting seed files...')
-
- # We put the file data into the symbolic buffer,
- # and the model_version set to 1 for uc-libc
- model = struct.pack('@i', 1)
- files = glob.glob(os.path.join(input_corpus, '*'))
- n_converted = 0
-
- for seedfile in files:
- if '.ktest' in seedfile:
- continue
-
- if not os.path.isfile(seedfile):
- continue
-
- # Truncate the seed to the max size for the benchmark
- file_size = os.path.getsize(seedfile)
- benchmark_size = get_size_for_benchmark()
- if file_size > benchmark_size:
- print(f'[run_fuzzer] Truncating {seedfile} ({file_size}) to '
- f'{benchmark_size}')
- os.truncate(seedfile, benchmark_size)
-
- seed_in = f'{seedfile}.ktest'
- seed_out = os.path.join(input_klee, os.path.basename(seed_in))
-
- # Create file for symblic buffer
- input_file = f'{seedfile}.ktest.{SYMBOLIC_BUFFER}'
- output_kfile = f'{seedfile}.ktest'
- shutil.copyfile(seedfile, input_file)
- os.rename(seedfile, input_file)
-
- # Create file for mode version
- model_input_file = f'{seedfile}.ktest.{MODEL_VERSION}'
- with open(model_input_file, 'wb') as mfile:
- mfile.write(model)
-
- # Run conversion tool
- convert_cmd = [
- ktest_tool, 'create', output_kfile, '--args', seed_out, '--objects',
- MODEL_VERSION, SYMBOLIC_BUFFER
- ]
-
- run(convert_cmd)
-
- # Move the resulting file to klee corpus dir
- os.rename(seed_in, seed_out)
-
- n_converted += 1
-
- print(f'[run_fuzzer] Converted {n_converted} seed files')
-
- return n_converted
-
-
-# pylint: disable=wrong-import-position
-# pylint: disable=too-many-locals
-def convert_individual_ktest(ktest_tool, kfile, queue_dir, output_klee,
- crash_dir, info_dir):
- """
- Convert an individual ktest, return the number of crashes.
- """
- convert_cmd = [ktest_tool, 'extract', kfile, '--objects', SYMBOLIC_BUFFER]
-
- run(convert_cmd)
-
- # And copy the resulting file in output_corpus
- ktest_fn = os.path.splitext(kfile)[0]
- file_in = f'{kfile}.{SYMBOLIC_BUFFER}'
- file_out = os.path.join(queue_dir, os.path.basename(ktest_fn))
- os.rename(file_in, file_out)
-
- # Check if this is a crash
- crash_regex = os.path.join(output_klee, f'{ktest_fn}.*.err')
- crashes = glob.glob(crash_regex)
- n_crashes = 0
- if len(crashes) == 1:
- crash_out = os.path.join(crash_dir, os.path.basename(ktest_fn))
- shutil.copy(file_out, crash_out)
- info_in = crashes[0]
- info_out = os.path.join(info_dir, os.path.basename(info_in))
- shutil.copy(info_in, info_out)
- return n_crashes
-
-
-# pylint: disable=import-error
-# pylint: disable=import-outside-toplevel
-def monitor_resource_usage():
- """Monitor resource consumption."""
-
- import psutil
- print('[resource_thread] Starting resource usage monitoring...')
-
- start = datetime.now()
- while True:
- time.sleep(60 * 5)
- message = (f'{psutil.cpu_times_percent(percpu=False)}\n'
- f'{psutil.virtual_memory()}\n'
- f'{psutil.swap_memory()}')
- now = datetime.now()
- print(
- f'[resource_thread] Resource usage after {now - start}:\n{message}')
-
-
-# pylint: disable=import-error
-# pylint: disable=import-outside-toplevel
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
-
- import psutil
-
- # Set ulimit.
Note: must be changed as this does not take effect
- if os.system('ulimit -s unlimited') != 0:
- raise ValueError('ulimit failed')
-
- # Convert corpus files to KLEE .ktest format
- out_dir = os.path.dirname(target_binary)
- ktest_tool = os.path.join(out_dir, 'bin/ktest-tool')
- crash_dir = os.path.join(output_corpus, 'crashes')
- input_klee = os.path.join(out_dir, 'seeds_klee')
- queue_dir = os.path.join(output_corpus, 'queue')
- info_dir = os.path.join(output_corpus, 'info')
- emptydir(crash_dir)
- emptydir(info_dir)
- emptydir(input_klee)
- rmdir(queue_dir)
-
- n_converted = convert_seed_inputs(ktest_tool, input_klee, input_corpus)
- # Run KLEE
- # Option -only-output-states-covering-new makes
- # dumping ktest files faster.
- # See lib/Core/StatsTracker.cpp:markBranchVisited()
-
- print('[run_fuzzer] Starting resource monitoring thread')
- monitoring_thread = threading.Thread(target=monitor_resource_usage)
- monitoring_thread.start()
-
- print('[run_fuzzer] Running target with klee')
-
- klee_bin = os.path.join(out_dir, 'bin/klee')
- target_binary_bc = f'{target_binary}.bc'
- max_time_seconds = (
- int(os.getenv('MAX_TOTAL_TIME', str(MAX_TOTAL_TIME_DEFAULT))) * 4) // 5
-
- seeds_option = ['-zero-seed-extension', '-seed-dir', input_klee
- ] if n_converted > 0 else []
-
- llvm_link_libs = []
- for filename in get_bc_files():
- llvm_link_libs.append(f'-link-llvm-lib=./{LIB_BC_DIR}/(unknown)')
-
- max_memory_mb = str(int(psutil.virtual_memory().available // 10**6 * 0.9))
-
- klee_cmd = [
- klee_bin,
- '-ignore-solver-failures',
- '-always-output-seeds',
- '-output-format-binary',
- '-output-symbolic-name',
- f'{SYMBOLIC_BUFFER}',
- '-max-memory',
- max_memory_mb,
- '-max-solver-time',
- f'{MAX_SOLVER_TIME_SECONDS}s',
- '-log-timed-out-queries',
- '-max-time',
- f'{max_time_seconds}s',
- '-libc',
- 'uclibc',
- '-libcxx',
- '-posix-runtime',
- '-disable-verify', # Needed because debug builds don't always work.
- '-output-dir',
- queue_dir,
- ]
-
- klee_cmd.extend(llvm_link_libs)
-
- if seeds_option:
- klee_cmd.extend(seeds_option)
-
- size = get_size_for_benchmark()
- klee_cmd += [target_binary_bc, str(size)]
- run(klee_cmd, ulimit_cmd='ulimit -s unlimited')
-
- # Klee has now terminated.
- print('[run_fuzzer] Klee has terminated.')
diff --git a/fuzzers/klee/klee_driver.cpp b/fuzzers/klee/klee_driver.cpp
deleted file mode 100644
index 9a174b782..000000000
--- a/fuzzers/klee/klee_driver.cpp
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-//TODO: include klee/klee.h when KLEE is installed
-extern "C"
-{
- // Functon defined by benchmarks as entry point
- int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
- // KLEE's internal functions
- void klee_make_symbolic(void *addr, size_t nbytes, const char *name);
-}
-
-// Input buffer.
-size_t kleeInputSize = 4096;
-
-int main(int argc, char **argv)
-{
- kleeInputSize = atoi(argv[1]);
- uint8_t *kleeInputBuf = (uint8_t *)malloc(kleeInputSize * sizeof(uint8_t));
- printf("kleeInputSize: %zu\n", kleeInputSize);
-
- klee_make_symbolic(kleeInputBuf, kleeInputSize, "kleeInputBuf");
- int result = LLVMFuzzerTestOneInput(kleeInputBuf, kleeInputSize);
-
- free(kleeInputBuf);
- return result;
-}
diff --git a/fuzzers/klee/klee_mock.c b/fuzzers/klee/klee_mock.c
deleted file mode 100644
index 1e30eeaad..000000000
--- a/fuzzers/klee/klee_mock.c
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#include
-void klee_make_symbolic(void *addr, size_t len, char const* name) {
- // do nothing
- abort();
-}
-
diff --git a/fuzzers/klee/runner.Dockerfile b/fuzzers/klee/runner.Dockerfile
deleted file mode 100644
index 21064dc66..000000000
--- a/fuzzers/klee/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get update -y && \
- apt-get install -y \
- google-perftools \
- llvm-6.0 llvm-6.0-dev llvm-6.0-tools
-
-RUN apt-get install -y clang-6.0 vim less
-RUN pip3 install psutil==5.7.2
diff --git a/fuzzers/lafintel/builder.Dockerfile b/fuzzers/lafintel/builder.Dockerfile
deleted file mode 100644
index f71a9e3e6..000000000
--- a/fuzzers/lafintel/builder.Dockerfile
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Need Clang/LLVM 3.8.
-RUN apt-get update -y && \
- apt-get -y install llvm-3.8 \
- clang-3.8 \
- libstdc++-5-dev \
- wget
-
-# Download AFL and compile using default compiler.
-# We need afl-2.26b
-# Use a copy of
-# https://lcamtuf.coredump.cx/afl/releases/afl-2.26b.tgz
-# to avoid network flakiness.
-RUN wget https://storage.googleapis.com/fuzzbench-files/afl-2.26b.tgz -O /afl-2.26b.tgz && \
- tar xvzf /afl-2.26b.tgz -C / && \
- mv /afl-2.26b /afl && \
- cd /afl && \
- git clone https://github.com/google/AFL.git /afl/recent_afl && \
- cd /afl/recent_afl && \
- git checkout 8da80951dd7eeeb3e3b5a3bcd36c485045f40274 && \
- cd /afl/ && \
- cp /afl/recent_afl/*.c /afl/ && \
- cp /afl/recent_afl/*.h /afl/ && \
- AFL_NO_X86=1 make
-
-# Set the env variables for LLVM passes and test units.
-ENV CC=clang-3.8
-ENV CXX=clang++-3.8
-ENV LLVM_CONFIG=llvm-config-3.8
-
-# Build the LLVM passes with the LAF-INTEL patches, using Clang 3.8.
-# We force linking by setting maybe_linking = 1, see https://github.com/google/AFL/commit/3ef34c16697715d64fecfaed46c0e31e86fa9f01#diff-49b21a9ca7039117ef774ba1adfa2962
-RUN cd /afl/llvm_mode && \
- wget https://gitlab.com/laf-intel/laf-llvm-pass/raw/master/src/afl.patch && \
- patch -p0 < afl.patch && \
- sed -i 's/maybe_linking = 0/maybe_linking = 1/g' afl-clang-fast.c && \
- wget https://gitlab.com/laf-intel/laf-llvm-pass/raw/master/src/compare-transform-pass.so.cc && \
- wget https://gitlab.com/laf-intel/laf-llvm-pass/raw/master/src/split-compares-pass.so.cc && \
- wget https://gitlab.com/laf-intel/laf-llvm-pass/raw/master/src/split-switches-pass.so.cc && \
- sed -i 's/errs()/outs()/g' split-switches-pass.so.cc && \
- sed -i 's/errs()/outs()/g' split-compares-pass.so.cc && \
- sed -i 's/errs()/outs()/g' compare-transform-pass.so.cc && \
- CXXFLAGS= CFLAGS= make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- $CXX -I/usr/local/include/c++/v1/ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/lafintel/fuzzer.py b/fuzzers/lafintel/fuzzer.py
deleted file mode 100644
index 3cfc082c9..000000000
--- a/fuzzers/lafintel/fuzzer.py
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import shutil
-import os
-
-from fuzzers import utils
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def prepare_build_environment():
- """Set environment variables used to build benchmark."""
-
- # LLVm 3.8 doesn't support -fsanitize=builtin
- def remove_builtin(flag):
- split = flag.split('=')
- if split[0].startswith('-fsanitize') or split[0].startswith(
- '-fno-sanitize'):
- options = split[1].split(',')
- options = filter(lambda x: x != 'builtin', options)
- return split[0] + '=' + ','.join(options)
- return flag
-
- cflags = map(remove_builtin, os.environ['CFLAGS'].split())
- cxxflags = map(remove_builtin, os.environ['CXXFLAGS'].split())
- os.environ['CFLAGS'] = ' '.join(cflags)
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
- # In php benchmark, there is a call to __builtin_cpu_supports("ssse3")
- # (see https://github.com/php/php-src/blob/master/Zend/zend_cpuinfo.h).
- # It is not supported by clang-3.8, so we define the MACRO below
- # to replace any __builtin_cpu_supports() with 0, i.e., not supported
- cflags = ['-fPIC']
- if 'php' in os.environ['BENCHMARK']:
- cflags += ['-D__builtin_cpu_supports\\(x\\)=0']
- cppflags = cflags + ['-I/usr/local/include/c++/v1/', '-std=c++11']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cppflags)
-
- # Enable LAF-INTEL changes
- os.environ['LAF_SPLIT_SWITCHES'] = '1'
- os.environ['LAF_TRANSFORM_COMPARES'] = '1'
- os.environ['LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_CC'] = 'clang-3.8'
- os.environ['AFL_CXX'] = 'clang++-3.8'
-
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/lafintel/runner.Dockerfile b/fuzzers/lafintel/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/lafintel/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/learnperffuzz/builder.Dockerfile b/fuzzers/learnperffuzz/builder.Dockerfile
deleted file mode 100644
index fce9b335d..000000000
--- a/fuzzers/learnperffuzz/builder.Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile LearnPerfFuzz.
-# Set AFL_NO_X86 to skip flaky tests.
-
-RUN git clone https://github.com/somiha/LearnPerfFuzz.git /LearnPerfFuzz && \
- cd /LearnPerfFuzz && \
- git checkout 6b5c6e40dd72ccc22803edf7f30637637e70cc24 && \
- CFLAGS= CXXFLAGS= AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /LearnPerfFuzz/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /LearnPerfFuzz/llvm_mode/afl-llvm-rt.o.c -I/LearnPerfFuzz && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /LearnPerfFuzz/afl_driver.cpp && \
- ar r /libAFL.a *.o
\ No newline at end of file
diff --git a/fuzzers/learnperffuzz/fuzzer.py b/fuzzers/learnperffuzz/fuzzer.py
deleted file mode 100644
index 656c7c995..000000000
--- a/fuzzers/learnperffuzz/fuzzer.py
+++ /dev/null
@@ -1,143 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/LearnPerfFuzz/afl-fuzz', os.environ['OUT'])
- shutil.copy('/LearnPerfFuzz/learning_engine.py', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-p',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
-
- with subprocess.Popen(command, stdout=output_stream,
- stderr=output_stream) as pipe:
- pipe.communicate()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/learnperffuzz/runner.Dockerfile b/fuzzers/learnperffuzz/runner.Dockerfile
deleted file mode 100644
index f9e9c6127..000000000
--- a/fuzzers/learnperffuzz/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
\ No newline at end of file
diff --git a/fuzzers/libafl_text/builder.Dockerfile b/fuzzers/libafl_text/builder.Dockerfile
deleted file mode 100644
index 37d1456d5..000000000
--- a/fuzzers/libafl_text/builder.Dockerfile
+++ /dev/null
@@ -1,55 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Uninstall old Rust & Install the latest one.
-RUN if which rustup; then rustup self uninstall -y; fi && \
- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
- sh /rustup.sh --default-toolchain nightly -y && \
- rm /rustup.sh
-
-# Install dependencies.
-RUN apt-get update && \
- apt-get remove -y llvm-10 && \
- apt-get install -y \
- build-essential \
- llvm-11 \
- clang-12 \
- cargo && \
- apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates joe curl && \
- PATH="/root/.cargo/bin/:$PATH" cargo install cargo-make
-
-# Download libafl.
-RUN git clone \
- --branch vhtokens \
- https://github.com/AFLplusplus/libafl /libafl && \
- cd /libafl && \
- git checkout 6c7f6566b0c8b3b82352c052a0672f46a2f7d1e9 || \
- true
-
-# Compile libafl.
-RUN cd /libafl && \
- unset CFLAGS CXXFLAGS && \
- export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- cd ./fuzzers/fuzzbench_text && \
- PATH="/root/.cargo/bin/:$PATH" cargo build --release
-
-# Auxiliary weak references.
-RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
- clang -c /empty_fuzzer_lib.c && \
- ar r /emptylib.a *.o
diff --git a/fuzzers/libafl_text/description.md b/fuzzers/libafl_text/description.md
deleted file mode 100644
index ea9b947d6..000000000
--- a/fuzzers/libafl_text/description.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# libafl
-
-libafl fuzzer instance
- - cmplog feature
- - persistent mode
-
-Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_text/fuzzer.py b/fuzzers/libafl_text/fuzzer.py
deleted file mode 100755
index 79b52a7c4..000000000
--- a/fuzzers/libafl_text/fuzzer.py
+++ /dev/null
@@ -1,68 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for a LibAFL-based fuzzer."""
-
-import os
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with a LibAFL-based fuzzer."""
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\ 'malloc_context_size=0:symbolize=0:'\ 'allocator_may_return_null=1:'\ 'detect_odr_violation=0:handle_segv=0:'\ 'handle_sigbus=0:handle_abort=0:'\ 'handle_sigfpe=0:handle_sigill=0'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\ 'allocator_release_to_os_interval_ms=500:'\ 'handle_abort=0:handle_segv=0:'\ 'handle_sigbus=0:handle_sigfpe=0:'\ 'handle_sigill=0:print_stacktrace=0:'\ 'symbolize=0:symbolize_inline_frames=0'
- # Create at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def build(): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- os.environ['CC'] = '/libafl/fuzzers/fuzzbench_text/target/release/libafl_cc'
- os.environ[
- 'CXX'] = '/libafl/fuzzers/fuzzbench_text/target/release/libafl_cxx'
-
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0'
-
- cflags = ['--libafl']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
- utils.append_flags('LDFLAGS', cflags)
-
- os.environ['FUZZER_LIB'] = '/emptylib.a'
- utils.build_benchmark()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- prepare_fuzz_environment(input_corpus)
- dictionary_path = utils.get_dictionary_path(target_binary)
- command = [target_binary]
- if dictionary_path:
- command += (['-x', dictionary_path])
- command += (['-o', output_corpus, '-i', input_corpus])
- print(command)
- subprocess.check_call(command, cwd=os.environ['OUT'])
diff --git a/fuzzers/libafl_text/runner.Dockerfile b/fuzzers/libafl_text/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/libafl_text/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/manul/builder.Dockerfile b/fuzzers/manul/builder.Dockerfile
deleted file mode 100644
index 9ca0e0bab..000000000
--- a/fuzzers/manul/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN cd / && git clone https://github.com/mxmssh/manul /manul && \
- cd /manul && sed -i "s/mutator_weights=afl:10,radamsa:0/mutator_weights=afl:3,radamsa:7/" manul_lin.config
-
-RUN cd / && git clone https://github.com/google/AFL.git /afl && \
- cd /afl && \
- git checkout 8da80951dd7eeeb3e3b5a3bcd36c485045f40274 && \
- AFL_NO_X86=1 make
-
-RUN apt update && apt install -y wget && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
-
diff --git a/fuzzers/manul/fuzzer.py b/fuzzers/manul/fuzzer.py
deleted file mode 100644
index 34af755b7..000000000
--- a/fuzzers/manul/fuzzer.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Manul Integration"""
-import os
-import subprocess
-import shutil
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark and copy fuzzer to $OUT."""
- afl_fuzzer.prepare_build_environment()
- utils.build_benchmark()
- # Move manul base to /out.
- shutil.move('/manul', os.environ['OUT'])
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer.
-
- Arguments:
- input_corpus: Directory containing the initial seed corpus for
- the benchmark.
- output_corpus: Output directory to place the newly generated corpus
- from fuzzer run.
- target_binary: Absolute path to the fuzz target binary.
- """
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # Run fuzzer on the benchmark.
- manul_directory = os.path.join(os.environ['OUT'], 'manul')
- command = ([
- 'python3', 'manul.py', '-i', input_corpus, '-o', output_corpus, '-c',
- os.path.join(manul_directory, 'manul_lin.config'), target_binary + ' @@'
- ])
- subprocess.check_call(command, cwd=manul_directory)
diff --git a/fuzzers/manul/runner.Dockerfile b/fuzzers/manul/runner.Dockerfile
deleted file mode 100644
index 1f5db1a97..000000000
--- a/fuzzers/manul/runner.Dockerfile
+++ /dev/null
@@ -1,16 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-RUN python3 -m pip install psutil
diff --git a/fuzzers/mopt/builder.Dockerfile b/fuzzers/mopt/builder.Dockerfile
deleted file mode 100644
index afd22521e..000000000
--- a/fuzzers/mopt/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/puppet-meteor/MOpt-AFL /afl && \
- cd /afl && \
- git checkout 45b9f38d2d8b699fd571cfde1bf974974339a21e && \
- cd MOpt && AFL_NO_X86=1 make && \
- cp afl-fuzz ..
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && cd /afl/MOpt && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/MOpt/afl_driver.cpp && \
- clang -Wno-pointer-sign -c -o /afl/MOpt/afl-llvm-rt.o /afl/MOpt/llvm_mode/afl-llvm-rt.o.c -I/afl/MOpt && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c -o /afl/MOpt/afl_driver.o /afl/MOpt/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/mopt/fuzzer.py b/fuzzers/mopt/fuzzer.py
deleted file mode 100755
index 150d1992a..000000000
--- a/fuzzers/mopt/fuzzer.py
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for MOpt fuzzer."""
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
-
- afl_fuzzer.run_afl_fuzz(
- input_corpus,
- output_corpus,
- target_binary,
- additional_flags=[
- # Enable Mopt mutator with pacemaker fuzzing mode at first. This
- # is also recommended in a short-time scale evaluation.
- '-L',
- '0',
- ])
diff --git a/fuzzers/mopt/runner.Dockerfile b/fuzzers/mopt/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/mopt/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/nautilus/builder.Dockerfile b/fuzzers/nautilus/builder.Dockerfile
deleted file mode 100644
index f1890e47c..000000000
--- a/fuzzers/nautilus/builder.Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install libstdc++ to use llvm_mode.
-RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates joe curl \
- python3-dev gzip
-
-# Uninstall old Rust
-RUN if which rustup; then rustup self uninstall -y; fi
-
-# Install latest Rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
- sh /rustup.sh -y
-
-# Download libafl
-RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \
- cd /libafl_fuzzbench && \
- git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \
- git submodule update --init
-
-# Compile libafl
-RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
- export CC=clang && export CXX=clang++ && \
- export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- PATH="$PATH:/root/.cargo/bin/" cargo build --release
-
-RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
- clang -c /empty_fuzzer_lib.c && \
- ar r /emptylib.a *.o
diff --git a/fuzzers/nautilus/fuzzer.py b/fuzzers/nautilus/fuzzer.py
deleted file mode 100755
index 8cf7b4a0f..000000000
--- a/fuzzers/nautilus/fuzzer.py
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for a LibAFL-based fuzzer."""
-
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with a LibAFL-based fuzzer."""
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\ 'malloc_context_size=0:symbolize=0:'\ 'allocator_may_return_null=1:'\ 'detect_odr_violation=0:handle_segv=0:'\ 'handle_sigbus=0:handle_abort=0:'\ 'handle_sigfpe=0:handle_sigill=0'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\ 'allocator_release_to_os_interval_ms=500:'\ 'handle_abort=0:handle_segv=0:'\ 'handle_sigbus=0:handle_sigfpe=0:'\ 'handle_sigill=0:print_stacktrace=0:'\ 'symbolize=0:symbolize_inline_frames=0'
- # Create at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def build(): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- benchmark_name = os.environ['BENCHMARK'].lower()
- if 'php' in benchmark_name:
- copy_file = '/libafl_fuzzbench/grammars/php_nautilus.json'
- elif 'ruby' in benchmark_name:
- copy_file = '/libafl_fuzzbench/grammars/ruby_nautilus.json'
- elif 'js' in benchmark_name or 'javascript' in benchmark_name:
- copy_file = '/libafl_fuzzbench/grammars/js_nautilus.json'
- else:
- raise RuntimeError('Unsupported benchmark, unavailable grammar')
- dest = os.path.join(os.environ['OUT'], 'grammar.json')
- shutil.copy(copy_file, dest)
-
- os.environ['CC'] = '/libafl_fuzzbench/target/release/nautilus_cc'
- os.environ['CXX'] = '/libafl_fuzzbench/target/release/nautilus_cxx'
-
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0'
-
- cflags = ['--libafl']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['FUZZER_LIB'] = '/emptylib.a'
- utils.build_benchmark()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- prepare_fuzz_environment(input_corpus)
- command = [target_binary]
- grammar = os.path.join(os.environ['OUT'], 'grammar.json')
- out = os.path.join(os.environ['OUT'], 'out')
- os.mkdir(out)
- command += (['-r', output_corpus, '-o', out, '-g', grammar])
- print(command)
- subprocess.check_call(command, cwd=os.environ['OUT'])
diff --git a/fuzzers/nautilus/fuzzer.yaml b/fuzzers/nautilus/fuzzer.yaml
deleted file mode 100644
index de283f07d..000000000
--- a/fuzzers/nautilus/fuzzer.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-allowed_benchmarks:
- - quickjs_eval-2020-01-05
- - php_php-fuzz-execute
- - mruby-2018-05-23
diff --git a/fuzzers/nautilus/runner.Dockerfile b/fuzzers/nautilus/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/nautilus/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/neuzz/builder.Dockerfile b/fuzzers/neuzz/builder.Dockerfile
deleted file mode 100644
index 4fa94d123..000000000
--- a/fuzzers/neuzz/builder.Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install and setup clang-11 for AFL/NEUZZ.
-RUN apt install -y clang-11 && \
- ln -s /usr/bin/clang-11 /usr/bin/clang && \
- ln -s /usr/bin/clang++-11 /usr/bin/clang++
-ENV PATH="/usr/bin:${PATH}"
-ENV LD_LIBRARY_PATH="/usr/lib/clang/11.0.0/lib/linux:${LD_LIBRARY_PATH}"
-
-# Download and compile AFL v2.56b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/google/AFL.git /afl && \
- cd /afl && \
- git checkout 82b5e359463238d790cadbe2dd494d6a4928bff3 && \
- AFL_NO_X86=1 make
-
-# Download and compile neuzz.
-# Use Ammar's repo with patch for ASan and other bug fixes.
-# See https://github.com/Dongdongshe/neuzz/pull/16.
-RUN git clone https://github.com/ammaraskar/neuzz.git /neuzz && \
- cd /neuzz && \
- git checkout e93c7a4c625aa1a17ae2f99e5902d62a46eaa068 && \
- clang -O3 -funroll-loops ./neuzz.c -o neuzz
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libNeuzz.a *.o
-
diff --git a/fuzzers/neuzz/fuzzer.py b/fuzzers/neuzz/fuzzer.py
deleted file mode 100644
index cd4eef3ae..000000000
--- a/fuzzers/neuzz/fuzzer.py
+++ /dev/null
@@ -1,112 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import os
-import shutil
-import subprocess
-import time
-import threading
-
-from fuzzers import utils
-from fuzzers.afl import fuzzer as afl
-
-WARMUP = 60 * 60
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- utils.set_compilation_flags()
- os.environ['CC'] = '/afl/afl-clang'
- os.environ['CXX'] = '/afl/afl-clang++'
- os.environ['FUZZER_LIB'] = '/libNeuzz.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
- utils.build_benchmark()
- output_directory = os.environ['OUT']
- # Copy out the afl-fuzz binary as a build artifact.
- print('[post_build] Copying afl-fuzz to $OUT directory')
- shutil.copy('/afl/afl-fuzz', output_directory)
- # Neuzz also requires afl-showmap.
- print('[post_build] Copying afl-showmap to $OUT directory')
- shutil.copy('/afl/afl-showmap', output_directory)
- # Copy the Neuzz fuzzer itself.
- print('[post_build] Copy neuzz fuzzer.')
- shutil.copy('/neuzz/neuzz', output_directory)
- shutil.copy('/neuzz/nn.py', output_directory)
-
-
-def kill_afl(output_stream=subprocess.DEVNULL):
- """kill afl-fuzz process."""
- print('Warmed up!')
- # Can't avoid this because 'run_afl_fuzz' doesn't return a handle to
- # 'afl-fuzz' process so that we can kill it with subprocess.terminate()
- subprocess.call(['pkill', '-f', 'afl-fuzz'],
- stdout=output_stream,
- stderr=output_stream)
-
-
-def run_neuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run neuzz"""
- # Spawn the afl fuzzing process for warmup
- output_stream = subprocess.DEVNULL if hide_output else None
- threading.Timer(20, kill_afl, [output_stream]).start()
- afl.run_afl_fuzz(input_corpus, output_corpus, target_binary,
- additional_flags, hide_output)
- # After warming up, copy the 'queue' to use for neuzz input
- print('[run_neuzz] Warmed up!')
- command = [
- 'cp', '-RT', f'{output_corpus}/queue/', f'{input_corpus}_neuzzin/'
- ]
- print('[run_neuzz] Running command: ' + ' '.join(command))
-
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
- afl_output_dir = os.path.join(output_corpus, 'queue')
- neuzz_input_dir = os.path.join(output_corpus, 'neuzz_in')
- # Treat afl's queue folder as the input for Neuzz.
- os.rename(afl_output_dir, neuzz_input_dir)
-
- # Spinning up the neural network
- command = [
- 'python2', './nn.py', '--output-folder', afl_output_dir, target_binary
- ]
- print('[run_neuzz] Running command: ' + ' '.join(command))
- with subprocess.Popen(command, stdout=output_stream, stderr=output_stream):
- pass
- time.sleep(40)
- target_rel_path = os.path.relpath(target_binary, os.getcwd())
- # Spinning up neuzz
- command = [
- './neuzz', '-m', 'none', '-i', neuzz_input_dir, '-o', afl_output_dir,
- target_rel_path, '@@'
- ]
- print('[run_neuzz] Running command: ' + ' '.join(command))
- with subprocess.Popen(command, stdout=output_stream,
- stderr=output_stream) as neuzz_proc:
- neuzz_proc.wait()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- afl.prepare_fuzz_environment(input_corpus)
- run_neuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/neuzz/runner.Dockerfile b/fuzzers/neuzz/runner.Dockerfile
deleted file mode 100644
index 40a42c8f3..000000000
--- a/fuzzers/neuzz/runner.Dockerfile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2021 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# Install and setup clang-11 for AFL/NEUZZ.
-RUN apt install -y clang-11 && \
- ln -s /usr/bin/clang-11 /usr/bin/clang && \
- ln -s /usr/bin/clang++-11 /usr/bin/clang++
-ENV PATH="/usr/bin:${PATH}"
-ENV LD_LIBRARY_PATH="/usr/lib/clang/11.0.0/lib/linux:${LD_LIBRARY_PATH}"
-
-# Install Python2 and Pip2 on Ubuntu:20.04.
-RUN DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC \
- apt-get install -y software-properties-common && \
- apt-get update && \
- add-apt-repository universe && \
- apt-get install -y python-dev && \
- curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && \
- python2 get-pip.py && \
- rm /usr/bin/python && \
- ln -s /usr/bin/python2.7 /usr/bin/python
-
-RUN apt-get update && \
- apt-get install wget -y && \
- python -m pip install --upgrade pip==20.3.4 && \
- python -m pip install tensorflow==1.8.0 && \
- python -m pip install keras==2.2.3
-
-# Use Python3.10 by default.
-RUN rm /usr/bin/python3 && \
- ln -s /usr/local/bin/python3 /usr/bin/python3
diff --git a/fuzzers/pastis/builder.Dockerfile b/fuzzers/pastis/builder.Dockerfile
deleted file mode 100644
index 1a0e8fb5c..000000000
--- a/fuzzers/pastis/builder.Dockerfile
+++ /dev/null
@@ -1,83 +0,0 @@
-ARG parent_image
-FROM $parent_image
-
-#
-# AFLplusplus
-#
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
-
-# Checkout a current commit
-RUN cd /afl && git checkout 35f09e11a4373b0fb42c690d23127c144f72f73c
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-#
-# Honggfuzz
-#
-
-# honggfuzz requires libfd and libunwid.
-RUN apt-get update -y && \
- apt-get install -y \
- libbfd-dev \
- libunwind-dev \
- libblocksruntime-dev \
- liblzma-dev
-
-# Copy honggfuzz PASTIS patch.
-RUN mkdir /patches
-COPY patches/honggfuzz-3a8f2ae-pastis.patch /patches
-
-# Donwload honggfuzz oss-fuzz version (commit 3a8f2ae41604b6696e7bd5e5cdc0129ce49567c0)
-RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
- cd /honggfuzz && \
- git checkout 3a8f2ae41604b6696e7bd5e5cdc0129ce49567c0 && \
- cd ..
-
-# Apply PASTIS patch.
-RUN cd / && \
- patch -s -p0 < /patches/honggfuzz-3a8f2ae-pastis.patch
-
-# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
-# dependent code that may not work on the machines we actually fuzz on.
-# Create an empty object file which will become the FUZZER_LIB lib (since
-# honggfuzz doesn't need this when hfuzz-clang(++) is used).
-RUN cd /honggfuzz && \
- CFLAGS="-O3 -funroll-loops" make && \
- touch empty_lib.c && \
- cc -c -o empty_lib.o empty_lib.c
-
-# Use afl_driver.cpp for AFL, and StandaloneFuzzTargetMain.c for Eclipser.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -O /StandaloneFuzzTargetMain.c && \
- clang -O2 -c /StandaloneFuzzTargetMain.c && \
- ar rc /libStandaloneFuzzTarget.a StandaloneFuzzTargetMain.o && \
- rm /StandaloneFuzzTargetMain.c
diff --git a/fuzzers/pastis/fuzzer.py b/fuzzers/pastis/fuzzer.py
deleted file mode 100644
index 1ce5058f7..000000000
--- a/fuzzers/pastis/fuzzer.py
+++ /dev/null
@@ -1,260 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for PASTIS fuzzer."""
-
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
-from fuzzers.honggfuzz import fuzzer as honggfuzz_fuzzer
-
-TRITONDSE_CONF = """{{
- "seed_format": "RAW",
- "pipe_stdout": false,
- "pipe_stderr": false,
- "skip_sleep_routine": true,
- "smt_solver": "BITWUZLA",
- "smt_timeout": 5000,
- "execution_timeout": 300,
- "exploration_timeout": 0,
- "exploration_limit": 0,
- "thread_scheduling": 200,
- "smt_queries_limit": 0,
- "smt_enumeration_limit": 40,
- "coverage_strategy": "PREFIXED_EDGE",
- "branch_solving_strategy": [
- "ALL_NOT_COVERED"
- ],
- "debug": false,
- "workspace": "",
- "program_argv": {program_argv},
- "time_inc_coefficient": 1e-05,
- "skip_unsupported_import": false,
- "memory_segmentation": true,
- "custom": {{}}
-}}
-"""
-
-
-def get_fuzzers_dir(output_directory):
- """Return path to fuzzers directory."""
- return os.path.join(output_directory, 'fuzzers')
-
-
-def get_aflpp_target_dir(output_directory):
- """Return path to AFL++'s target directory."""
- return os.path.join(output_directory, 'target-aflpp')
-
-
-def get_honggfuzz_target_dir(output_directory):
- """Return path to Honggfuzz's target directory."""
- return os.path.join(output_directory, 'target-hf')
-
-
-def get_targets_dir(output_directory):
- """Return path to targets directory."""
- return os.path.join(output_directory, 'targets')
-
-
-def build_aflpp():
- """Build benchmark with AFL++."""
- print('Building with AFL++')
-
- out_dir = os.environ['OUT']
-
- aflpp_target_dir = get_aflpp_target_dir(os.environ['OUT'])
-
- os.environ['OUT'] = aflpp_target_dir
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- aflplusplus_fuzzer.build()
-
- os.environ['OUT'] = out_dir
-
- fuzzers_dir = get_fuzzers_dir(os.environ['OUT'])
- shutil.move(os.path.join(aflpp_target_dir, 'afl-fuzz'),
- os.path.join(fuzzers_dir, 'afl-fuzz'))
-
-
-def build_honggfuzz():
- """Build benchmark with Honggfuzz."""
- print('Building with Honggfuzz')
-
- out_dir = os.environ['OUT']
-
- hf_target_dir = get_honggfuzz_target_dir(os.environ['OUT'])
-
- os.environ['OUT'] = hf_target_dir
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- honggfuzz_fuzzer.build()
-
- os.environ['OUT'] = out_dir
-
- fuzzers_dir = get_fuzzers_dir(os.environ['OUT'])
- shutil.move(os.path.join(hf_target_dir, 'honggfuzz'),
- os.path.join(fuzzers_dir, 'honggfuzz'))
-
-
-def build_tritondse():
- """Build benchmark with TritonDSE."""
- print('Building with TritonDSE')
-
- new_env = os.environ.copy()
-
- new_env['CC'] = 'clang'
- new_env['CXX'] = 'clang++'
- new_env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
-
- src = new_env['SRC']
- work = new_env['WORK']
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark(env=new_env)
-
-
-def prepare_build_environment():
- """Prepare build environment."""
- aflpp_target_dir = get_aflpp_target_dir(os.environ['OUT'])
- honggfuzz_target_dir = get_honggfuzz_target_dir(os.environ['OUT'])
- targets_dir = get_targets_dir(os.environ['OUT'])
-
- fuzzers_dir = get_fuzzers_dir(os.environ['OUT'])
-
- os.makedirs(aflpp_target_dir, exist_ok=True)
- os.makedirs(honggfuzz_target_dir, exist_ok=True)
- os.makedirs(targets_dir, exist_ok=True)
- os.makedirs(fuzzers_dir, exist_ok=True)
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- build_tritondse()
- build_aflpp()
- build_honggfuzz()
-
-
-def prepare_fuzz_environment():
- """Prepare fuzz environment."""
- os.environ['AFLPP_PATH'] = get_fuzzers_dir(os.environ['OUT'])
- os.environ['HFUZZ_PATH'] = get_fuzzers_dir(os.environ['OUT'])
-
-
-def prepare_tritondse_config(base_dir, target_binary):
- """Prepare TritonDSE configuration."""
- config_dir = os.path.join(base_dir, 'triton_confs')
-
- os.makedirs(config_dir, exist_ok=True)
-
- config_filename = os.path.join(config_dir, 'conf1.json')
-
- target_binary_name = os.path.basename(target_binary)
-
- program_argv = f'["{target_binary_name}_tt", "@@"]'
-
- with open(config_filename, 'w', encoding='utf8') as config_file:
- config_file.write(TRITONDSE_CONF.format(program_argv=program_argv))
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run pastis-benchmark on target."""
- prepare_fuzz_environment()
-
- prepare_tritondse_config(output_corpus, target_binary)
-
- targets_dir = get_targets_dir(os.environ['OUT'])
-
- target_binary_name = os.path.basename(target_binary)
-
- # Copy and rename AFL++ target binary.
- aflpp_target_dir = get_aflpp_target_dir(os.environ['OUT'])
- shutil.copy(os.path.join(aflpp_target_dir, target_binary_name),
- os.path.join(targets_dir, target_binary_name + '_aflpp'))
-
- # Copy and rename Honggfuzz target binary.
- honggfuzz_target_dir = get_honggfuzz_target_dir(os.environ['OUT'])
- shutil.copy(os.path.join(honggfuzz_target_dir, target_binary_name),
- os.path.join(targets_dir, target_binary_name + '_hf'))
-
- # Copy and rename TritonDSE target binary.
- shutil.copy(os.path.join(os.environ['OUT'], target_binary_name),
- os.path.join(targets_dir, target_binary_name + '_tt'))
-
- # Copy and rename the dictionary file in case it exists (AFL++).
- dictionary_path = os.path.join(aflpp_target_dir, 'afl++.dict')
- if os.path.exists(dictionary_path):
- shutil.copy(
- dictionary_path,
- os.path.join(targets_dir, target_binary_name + '_aflpp.dict'))
-
- # Copy and rename the dictionary file in case it exists (Honggfuzz).
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path and os.path.exists(dictionary_path):
- shutil.copy(dictionary_path,
- os.path.join(targets_dir, target_binary_name + '_hf.dict'))
-
- # Copy cmplog directory if it exists.
- cmplog_path = os.path.join(aflpp_target_dir, 'cmplog', target_binary_name)
- if os.path.exists(cmplog_path):
- shutil.copy(
- cmplog_path,
- os.path.join(targets_dir, target_binary_name + '_aflpp.cmplog'))
-
- # Prepare command-line string.
- command = [
- 'pastis-benchmark',
- 'run',
- '-b',
- targets_dir,
- '-w',
- output_corpus,
- '-s',
- input_corpus,
- '-m',
- 'FULL',
- '-i',
- 'ARGV',
- '-p',
- '5551',
- '--triton',
- '--hfuzz',
- '--hfuzz-threads',
- '1',
- '--aflpp',
- '--skip-cpufreq',
- ]
-
- print('[fuzz] Running command: ' + ' '.join(command))
- ret_code = subprocess.call(command)
- print(f'Return code: {ret_code}')
diff --git a/fuzzers/pastis/patches/honggfuzz-3a8f2ae-pastis.patch b/fuzzers/pastis/patches/honggfuzz-3a8f2ae-pastis.patch
deleted file mode 100644
index fbf39666d..000000000
--- a/fuzzers/pastis/patches/honggfuzz-3a8f2ae-pastis.patch
+++ /dev/null
@@ -1,291 +0,0 @@
-diff -ruN honggfuzz/cmdline.c honggfuzz-3a8f2ae-pastis/cmdline.c
---- honggfuzz/cmdline.c 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/cmdline.c 2023-01-13 16:48:23.617159827 -0300
-@@ -525,6 +525,8 @@
- { { "export_feedback", no_argument, NULL, 0x10E }, "Export the coverage feedback structure as ./hfuzz-feedback" },
- { { "const_feedback", required_argument, NULL, 0x112 }, "Use constant integer/string values from fuzzed programs to mangle input files via a dynamic dictionary (default: true)" },
- { { "pin_thread_cpu", required_argument, NULL, 0x114 }, "Pin a single execution thread to this many consecutive CPUs (default: 0 = no CPU pinning)" },
-+ { { "statsfile", required_argument, NULL, 0x115 }, "Stats file" },
-+ { { "dynamic_input", required_argument, NULL, 0x116 }, "Path to a directory containing the dynamic file corpus" },
-
- #if defined(_HF_ARCH_LINUX)
- { { "linux_symbols_bl", required_argument, NULL, 0x504 }, "Symbols blocklist filter file (one entry per line)" },
-@@ -804,6 +806,12 @@
- hfuzz->arch_linux.disableRandomization = false;
- break;
- #endif
-+ case 0x115:
-+ hfuzz->io.statsFileName = optarg;
-+ break;
-+ case 0x116:
-+ hfuzz->io.dynamicInputDir = optarg;
-+ break;
- default:
- cmdlineHelp(argv[0], custom_opts);
- return false;
-diff -ruN honggfuzz/fuzz.c honggfuzz-3a8f2ae-pastis/fuzz.c
---- honggfuzz/fuzz.c 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/fuzz.c 2023-01-13 16:48:50.349198188 -0300
-@@ -229,6 +229,39 @@
- softNewPC, softNewCmp, run->hwCnts.cpuInstrCnt, run->hwCnts.cpuBranchCnt,
- run->hwCnts.bbCnt, softCurEdge, softCurPC, softCurCmp);
-
-+ if (run->global->io.statsFileName) {
-+ /* NOTE: Calculation of `tot_exec_per_sec` taken from
-+ * the `display_display` function.
-+ */
-+ const time_t curr_sec = time(NULL);
-+ const time_t elapsed_sec = curr_sec - run->global->timing.timeStart;
-+ size_t curr_exec_cnt = ATOMIC_GET(run->global->cnts.mutationsCnt);
-+ /*
-+ * We increase the mutation counter unconditionally in threads, but if it's
-+ * above hfuzz->mutationsMax we don't really execute the fuzzing loop.
-+ * Therefore at the end of fuzzing, the mutation counter might be higher
-+ * than hfuzz->mutationsMax
-+ */
-+ if (run->global->mutate.mutationsMax > 0 && curr_exec_cnt > run->global->mutate.mutationsMax) {
-+ curr_exec_cnt = run->global->mutate.mutationsMax;
-+ }
-+ size_t tot_exec_per_sec = elapsed_sec ? (curr_exec_cnt / elapsed_sec) : 0;
-+
-+ dprintf(run->global->io.statsFileFd,
-+ "%lu, %lu, %lu, %lu, "
-+ "%" PRIu64 ", %" PRIu64 ", %" PRIu64 ", %" PRIu64 ", %" PRIu64 "\n",
-+ curr_sec, /* unix_time */
-+ run->global->timing.lastCovUpdate, /* last_cov_update */
-+ curr_exec_cnt, /* total_exec */
-+ tot_exec_per_sec, /* exec_per_sec */
-+ run->global->cnts.crashesCnt, /* crashes */
-+ run->global->cnts.uniqueCrashesCnt, /* unique_crashes */
-+ run->global->cnts.timeoutedCnt, /* hangs */
-+ run->global->feedback.hwCnts.softCntEdge, /* edge_cov */
-+ run->global->feedback.hwCnts.softCntPc /* block_cov */
-+ );
-+ }
-+
- /* Update per-input coverage metrics */
- run->dynfile->cov[0] = softCurEdge + softCurPC + run->hwCnts.bbCnt;
- run->dynfile->cov[1] = softCurCmp;
-diff -ruN honggfuzz/honggfuzz.c honggfuzz-3a8f2ae-pastis/honggfuzz.c
---- honggfuzz/honggfuzz.c 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/honggfuzz.c 2023-01-13 16:49:10.965232496 -0300
-@@ -23,12 +23,14 @@
- */
-
- #include
-+#include
- #include
- #include
- #include
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -260,6 +262,12 @@
- setupMainThreadTimer();
-
- for (;;) {
-+ /* Dynamic input queue. */
-+ if (hfuzz->io.dynamicInputDir) {
-+ LOG_D("Loading files from the dynamic input queue...");
-+ input_enqueueDynamicInputs(hfuzz);
-+ }
-+
- if (hfuzz->display.useScreen) {
- if (ATOMIC_XCHG(clearWin, false)) {
- display_clear();
-@@ -399,6 +407,16 @@
- sizeof(cmpfeedback_t), hfuzz.io.workDir);
- }
- }
-+ /* Stats file. */
-+ if (hfuzz.io.statsFileName) {
-+ hfuzz.io.statsFileFd = TEMP_FAILURE_RETRY(open(hfuzz.io.statsFileName, O_CREAT | O_RDWR | O_TRUNC, 0640));
-+
-+ if (hfuzz.io.statsFileFd == -1) {
-+ PLOG_F("Couldn't open statsfile open('%s')", hfuzz.io.statsFileName);
-+ } else {
-+ dprintf(hfuzz.io.statsFileFd, "# unix_time, last_cov_update, total_exec, exec_per_sec, crashes, unique_crashes, hangs, edge_cov, block_cov\n");
-+ }
-+ }
-
- setupRLimits();
- setupSignalsPreThreads();
-@@ -433,6 +451,10 @@
- if (hfuzz.socketFuzzer.enabled) {
- cleanupSocketFuzzer();
- }
-+ /* Stats file. */
-+ if (hfuzz.io.statsFileName) {
-+ close(hfuzz.io.statsFileFd);
-+ }
-
- printSummary(&hfuzz);
-
-diff -ruN honggfuzz/honggfuzz.h honggfuzz-3a8f2ae-pastis/honggfuzz.h
---- honggfuzz/honggfuzz.h 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/honggfuzz.h 2023-01-13 16:49:18.817246608 -0300
-@@ -216,6 +216,9 @@
- dynfile_t* dynfileq2Current;
- TAILQ_HEAD(dyns_t, _dynfile_t) dynfileq;
- bool exportFeedback;
-+ const char* statsFileName;
-+ int statsFileFd;
-+ const char* dynamicInputDir;
- } io;
- struct {
- int argc;
-diff -ruN honggfuzz/input.c honggfuzz-3a8f2ae-pastis/input.c
---- honggfuzz/input.c 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/input.c 2023-01-13 16:49:38.961285357 -0300
-@@ -31,6 +31,7 @@
- #include
- #include
- #include
-+#include
- #include
- #include
- #include
-@@ -575,6 +576,128 @@
- return true;
- }
-
-+/**
-+ * NOTE: This function is based on `input_getNext`.
-+ */
-+bool input_dynamicQueueGetNext(char fname[PATH_MAX], DIR* dynamicDirPtr, char *dynamicWorkDir) {
-+ static pthread_mutex_t input_mutex = PTHREAD_MUTEX_INITIALIZER;
-+ MX_SCOPED_LOCK(&input_mutex);
-+
-+ for (;;) {
-+ errno = 0;
-+ struct dirent* entry = readdir(dynamicDirPtr);
-+ if (entry == NULL && errno == EINTR) {
-+ continue;
-+ }
-+ if (entry == NULL && errno != 0) {
-+ PLOG_W("readdir_r('%s')", dynamicWorkDir);
-+ return false;
-+ }
-+ if (entry == NULL) {
-+ return false;
-+ }
-+ char path[PATH_MAX];
-+ snprintf(path, PATH_MAX, "%s/%s", dynamicWorkDir, entry->d_name);
-+ struct stat st;
-+ if (stat(path, &st) == -1) {
-+ LOG_W("Couldn't stat() the '%s' file", path);
-+ continue;
-+ }
-+ if (!S_ISREG(st.st_mode)) {
-+ LOG_D("'%s' is not a regular file, skipping", path);
-+ continue;
-+ }
-+
-+ snprintf(fname, PATH_MAX, "%s/%s", dynamicWorkDir, entry->d_name);
-+ return true;
-+ }
-+}
-+
-+void input_enqueueDynamicInputs(honggfuzz_t* hfuzz) {
-+ char dynamicWorkDir[PATH_MAX];
-+
-+ snprintf(dynamicWorkDir, sizeof(dynamicWorkDir), "%s", hfuzz->io.dynamicInputDir);
-+
-+ int dynamicDirFd = TEMP_FAILURE_RETRY(open(dynamicWorkDir, O_DIRECTORY | O_RDONLY | O_CLOEXEC));
-+ if (dynamicDirFd == -1) {
-+ PLOG_W("open('%s', O_DIRECTORY|O_RDONLY|O_CLOEXEC)", dynamicWorkDir);
-+ return;
-+ }
-+
-+ DIR* dynamicDirPtr;
-+ if ((dynamicDirPtr = fdopendir(dynamicDirFd)) == NULL) {
-+ PLOG_W("fdopendir(dir='%s', fd=%d)", dynamicWorkDir, dynamicDirFd);
-+ close(dynamicDirFd);
-+ return;
-+ }
-+
-+ char dynamicInputFileName[PATH_MAX];
-+ for (;;) {
-+ if (!input_dynamicQueueGetNext(dynamicInputFileName, dynamicDirPtr, dynamicWorkDir)) {
-+ break;
-+ }
-+
-+ int dynamicFileFd;
-+ if ((dynamicFileFd = open(dynamicInputFileName, O_RDWR)) == -1) {
-+ PLOG_E("Error opening dynamic input file: %s", dynamicInputFileName);
-+ continue;
-+ }
-+
-+ /* Get file status. */
-+ struct stat dynamicFileStat;
-+ size_t dynamicFileSz;
-+
-+ if (fstat(dynamicFileFd, &dynamicFileStat) == -1) {
-+ PLOG_E("Error getting file status: %s", dynamicInputFileName);
-+ close(dynamicFileFd);
-+ continue;
-+ }
-+
-+ dynamicFileSz = dynamicFileStat.st_size;
-+
-+ uint8_t* dynamicFile = (uint8_t *) mmap(NULL, dynamicFileSz, PROT_READ | PROT_WRITE, MAP_SHARED, dynamicFileFd, 0);
-+
-+ if (dynamicFile == MAP_FAILED) {
-+ PLOG_E("Error mapping dynamic input file: %s", dynamicInputFileName);
-+ close(dynamicFileFd);
-+ continue;
-+ }
-+
-+ LOG_I("Loading dynamic input file: %s (%lu)", dynamicInputFileName, dynamicFileSz);
-+
-+ run_t tmp_run;
-+ tmp_run.global = hfuzz;
-+ dynfile_t tmp_dynfile = {
-+ .size = dynamicFileSz,
-+ .cov = {0xff, 0xff, 0xff, 0xff},
-+ .idx = 0,
-+ .fd = -1,
-+ .timeExecUSecs = 1,
-+ .path = "",
-+ .data = dynamicFile,
-+ };
-+ tmp_run.timeStartedUSecs = util_timeNowUSecs() -1;
-+ memcpy(tmp_dynfile.path, dynamicInputFileName, PATH_MAX);
-+ tmp_run.dynfile = &tmp_dynfile;
-+ input_addDynamicInput(&tmp_run);
-+ //input_addDynamicInput(hfuzz, dynamicFile, dynamicFileSz, (uint64_t[4]){0xff, 0xff, 0xff, 0xff}, dynamicInputFileName);
-+
-+ /* Unmap input file. */
-+ if (munmap((void *) dynamicFile, dynamicFileSz) == -1) {
-+ PLOG_E("Error unmapping input file!");
-+ }
-+
-+ /* Close input file. */
-+ if (close(dynamicFileFd) == -1) {
-+ PLOG_E("Error closing input file!");
-+ }
-+
-+ /* Remove enqueued file from the directory. */
-+ unlink(dynamicInputFileName);
-+ }
-+ closedir(dynamicDirPtr);
-+}
-+
- const uint8_t* input_getRandomInputAsBuf(run_t* run, size_t* len) {
- if (run->global->feedback.dynFileMethod == _HF_DYNFILE_NONE) {
- LOG_W(
-diff -ruN honggfuzz/input.h honggfuzz-3a8f2ae-pastis/input.h
---- honggfuzz/input.h 2022-06-23 17:27:05.000000000 -0300
-+++ honggfuzz-3a8f2ae-pastis/input.h 2023-01-13 16:49:57.593324375 -0300
-@@ -49,5 +49,7 @@
- extern bool input_prepareExternalFile(run_t* run);
- extern bool input_postProcessFile(run_t* run, const char* cmd);
- extern bool input_prepareDynamicFileForMinimization(run_t* run);
-+extern bool input_dynamicQueueGetNext(char fname[PATH_MAX], DIR* dynamicDirPtr, char *dynamicWorkDir);
-+extern void input_enqueueDynamicInputs(honggfuzz_t* hfuzz);
-
- #endif /* ifndef _HF_INPUT_H_ */
diff --git a/fuzzers/pastis/runner.Dockerfile b/fuzzers/pastis/runner.Dockerfile
deleted file mode 100644
index 5127121de..000000000
--- a/fuzzers/pastis/runner.Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-FROM gcr.io/fuzzbench/base-image
-
-# NOTE Comiple Python again with `--enabled-shared`.
-
-# Python 3.10.8 is not the default version in Ubuntu 20.04 (Focal Fossa).
-ENV PYTHON_VERSION 3.10.8
-
-RUN cd /tmp/ && \
- curl -O https://www.python.org/ftp/python/$PYTHON_VERSION/Python-$PYTHON_VERSION.tar.xz && \
- tar -xvf Python-$PYTHON_VERSION.tar.xz > /dev/null && \
- cd Python-$PYTHON_VERSION && \
- ./configure \
- --enable-loadable-sqlite-extensions \
- --enable-optimizations \
- --enable-shared \
- > /dev/null && \
- make -j install > /dev/null && \
- rm -r /tmp/Python-$PYTHON_VERSION.tar.xz /tmp/Python-$PYTHON_VERSION
-
-#
-# Pastis.
-#
-
-# Install dependencies.
-RUN DEBIAN_FRONTEND="noninteractive" \
- apt-get install -y --no-install-suggests --no-install-recommends \
- libmagic-dev
-
-RUN pip install pastis-framework
-
-#
-# AFLplusplus
-#
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-
-#
-# Honggfuzz
-#
-
-# honggfuzz requires libfd and libunwid
-RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev
diff --git a/fuzzers/pythia_bb/builder.Dockerfile b/fuzzers/pythia_bb/builder.Dockerfile
deleted file mode 100644
index e6e938f48..000000000
--- a/fuzzers/pythia_bb/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.56b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/dliyanage/pythia /afl && \
- cd /afl && \
- git checkout af0a01dc3146c93b5e8bb32621d3f2f4ebb2e257 && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/pythia_bb/fuzzer.py b/fuzzers/pythia_bb/fuzzer.py
deleted file mode 100755
index 7c4c44180..000000000
--- a/fuzzers/pythia_bb/fuzzer.py
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/pythia_bb/runner.Dockerfile b/fuzzers/pythia_bb/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/pythia_bb/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/pythia_effect_bb/builder.Dockerfile b/fuzzers/pythia_effect_bb/builder.Dockerfile
deleted file mode 100644
index b8b58a52a..000000000
--- a/fuzzers/pythia_effect_bb/builder.Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Download and compile AFL v2.56b.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN git clone https://github.com/dliyanage/pythia /afl && \
- cd /afl && \
- git checkout 20d74c2650f178fd10008e7d8962767cea2fb5cc && \
- AFL_NO_X86=1 make
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN apt-get update && \
- apt-get install wget -y && \
- wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/pythia_effect_bb/fuzzer.py b/fuzzers/pythia_effect_bb/fuzzer.py
deleted file mode 100755
index 7c4c44180..000000000
--- a/fuzzers/pythia_effect_bb/fuzzer.py
+++ /dev/null
@@ -1,138 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFL fuzzer."""
-
-import json
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_build_environment():
- """Set environment variables used to build targets for AFL-based
- fuzzers."""
- cflags = ['-fsanitize-coverage=trace-pc-guard']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
-
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- os.environ['FUZZER_LIB'] = '/libAFL.a'
-
-
-def build():
- """Build benchmark."""
- prepare_build_environment()
-
- utils.build_benchmark()
-
- print('[post_build] Copying afl-fuzz to $OUT directory')
- # Copy out the afl-fuzz binary as a build artifact.
- shutil.copy('/afl/afl-fuzz', os.environ['OUT'])
-
-
-def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument
- """Gets fuzzer stats for AFL."""
- # Get a dictionary containing the stats AFL reports.
- stats_file = os.path.join(output_corpus, 'fuzzer_stats')
- with open(stats_file, encoding='utf-8') as file_handle:
- stats_file_lines = file_handle.read().splitlines()
- stats_file_dict = {}
- for stats_line in stats_file_lines:
- key, value = stats_line.split(': ')
- stats_file_dict[key.strip()] = value.strip()
-
- # Report to FuzzBench the stats it accepts.
- stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}
- return json.dumps(stats)
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with AFL or another AFL-based fuzzer."""
- # Tell AFL to not use its terminal UI so we get usable logs.
- os.environ['AFL_NO_UI'] = '1'
- # Skip AFL's CPU frequency check (fails on Docker).
- os.environ['AFL_SKIP_CPUFREQ'] = '1'
- # No need to bind affinity to one core, Docker enforces 1 core usage.
- os.environ['AFL_NO_AFFINITY'] = '1'
- # AFL will abort on startup if the core pattern sends notifications to
- # external programs. We don't care about this.
- os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
- # Don't exit when crashes are found. This can happen when corpus from
- # OSS-Fuzz is used.
- os.environ['AFL_SKIP_CRASHES'] = '1'
- # Shuffle the queue
- os.environ['AFL_SHUFFLE_QUEUE'] = '1'
-
- # AFL needs at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def check_skip_det_compatible(additional_flags):
- """ Checks if additional flags are compatible with '-d' option"""
- # AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.
- # (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)
- if '-M' in additional_flags or '-S' in additional_flags:
- return False
- return True
-
-
-def run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=None,
- hide_output=False):
- """Run afl-fuzz."""
- # Spawn the afl fuzzing process.
- print('[run_afl_fuzz] Running target with afl-fuzz')
- command = [
- './afl-fuzz',
- '-i',
- input_corpus,
- '-o',
- output_corpus,
- # Use no memory limit as ASAN doesn't play nicely with one.
- '-m',
- 'none',
- '-t',
- '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.
- ]
- # Use '-d' to skip deterministic mode, as long as it it compatible with
- # additional flags.
- if not additional_flags or check_skip_det_compatible(additional_flags):
- command.append('-d')
- if additional_flags:
- command.extend(additional_flags)
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['-x', dictionary_path])
- command += [
- '--',
- target_binary,
- # Pass INT_MAX to afl the maximize the number of persistent loops it
- # performs.
- '2147483647'
- ]
- print('[run_afl_fuzz] Running command: ' + ' '.join(command))
- output_stream = subprocess.DEVNULL if hide_output else None
- subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- prepare_fuzz_environment(input_corpus)
-
- run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/pythia_effect_bb/runner.Dockerfile b/fuzzers/pythia_effect_bb/runner.Dockerfile
deleted file mode 100644
index 0d6cf004e..000000000
--- a/fuzzers/pythia_effect_bb/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/token_level/builder.Dockerfile b/fuzzers/token_level/builder.Dockerfile
deleted file mode 100644
index f1890e47c..000000000
--- a/fuzzers/token_level/builder.Dockerfile
+++ /dev/null
@@ -1,46 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install libstdc++ to use llvm_mode. -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates joe curl \ - python3-dev gzip - -# Uninstall old Rust -RUN if which rustup; then rustup self uninstall -y; fi - -# Install latest Rust -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ - sh /rustup.sh -y - -# Download libafl -RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \ - cd /libafl_fuzzbench && \ - git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \ - git submodule update --init - -# Compile libafl -RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ - export CC=clang && export CXX=clang++ && \ - export LIBAFL_EDGES_MAP_SIZE=2621440 && \ - PATH="$PATH:/root/.cargo/bin/" cargo build --release - -RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \ - clang -c /empty_fuzzer_lib.c && \ - ar r /emptylib.a *.o diff --git a/fuzzers/token_level/fuzzer.py b/fuzzers/token_level/fuzzer.py deleted file mode 100755 index 8a9023aa4..000000000 
--- a/fuzzers/token_level/fuzzer.py +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for a LibAFL-based fuzzer.""" - -import os -import shutil -import subprocess - -from fuzzers import utils - - -def prepare_fuzz_environment(input_corpus): - """Prepare to fuzz with a LibAFL-based fuzzer.""" - os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\ - 'malloc_context_size=0:symbolize=0:'\ - 'allocator_may_return_null=1:'\ - 'detect_odr_violation=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_abort=0:'\ - 'handle_sigfpe=0:handle_sigill=0' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\ - 'allocator_release_to_os_interval_ms=500:'\ - 'handle_abort=0:handle_segv=0:'\ - 'handle_sigbus=0:handle_sigfpe=0:'\ - 'handle_sigill=0:print_stacktrace=0:'\ - 'symbolize=0:symbolize_inline_frames=0' - # Create at least one non-empty seed to start. 
- utils.create_seed_file_for_empty_corpus(input_corpus) - - -def build(): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - benchmark_name = os.environ['BENCHMARK'].lower() - if 'php' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/php_nautilus.json' - elif 'ruby' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/ruby_nautilus.json' - elif 'js' in benchmark_name or 'javascript' in benchmark_name: - copy_file = '/libafl_fuzzbench/grammars/js_nautilus.json' - else: - raise RuntimeError('Unsupported benchmark, unavailable grammar') - dest = os.path.join(os.environ['OUT'], 'grammar.json') - shutil.copy(copy_file, dest) - - os.environ['CC'] = '/libafl_fuzzbench/target/release/token_level_cc' - os.environ['CXX'] = '/libafl_fuzzbench/target/release/token_level_cxx' - - os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0' - - cflags = ['--libafl'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['FUZZER_LIB'] = '/emptylib.a' - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - prepare_fuzz_environment(input_corpus) - command = [target_binary] - grammar = os.path.join(os.environ['OUT'], 'grammar.json') - out = os.path.join(os.environ['OUT'], 'out') - os.mkdir(out) - command += (['-r', output_corpus, '-o', out, '-g', grammar]) - print(command) - subprocess.check_call(command, cwd=os.environ['OUT']) diff --git a/fuzzers/token_level/fuzzer.yaml b/fuzzers/token_level/fuzzer.yaml deleted file mode 100644 index de283f07d..000000000 --- a/fuzzers/token_level/fuzzer.yaml +++ /dev/null @@ -1,4 +0,0 @@ -allowed_benchmarks: - - quickjs_eval-2020-01-05 - - php_php-fuzz-execute - - mruby-2018-05-23 diff --git a/fuzzers/token_level/runner.Dockerfile b/fuzzers/token_level/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 
--- a/fuzzers/token_level/runner.Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/tortoisefuzz/builder.Dockerfile b/fuzzers/tortoisefuzz/builder.Dockerfile deleted file mode 100644 index 083e13969..000000000 --- a/fuzzers/tortoisefuzz/builder.Dockerfile +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Includes latest clang -ARG parent_image -FROM $parent_image - -# Prerequisits - -RUN apt-get update && \ - apt-get -y install git build-essential cmake ninja-build \ - python-dev \ - wget - -ENV CC=gcc -ENV CXX=g++ - -# Compile & Install llvm 6.0.0 -RUN mkdir /workdir && cd /workdir && \ - wget https://releases.llvm.org/6.0.0/llvm-6.0.0.src.tar.xz && \ - wget https://releases.llvm.org/6.0.0/cfe-6.0.0.src.tar.xz && \ - wget https://releases.llvm.org/6.0.0/compiler-rt-6.0.0.src.tar.xz && \ - wget https://releases.llvm.org/6.0.0/clang-tools-extra-6.0.0.src.tar.xz && \ - tar -xf llvm-6.0.0.src.tar.xz && mv llvm-6.0.0.src llvm6 && \ - tar -xf cfe-6.0.0.src.tar.xz && mv cfe-6.0.0.src llvm6/tools/clang && \ - tar -xf compiler-rt-6.0.0.src.tar.xz && mv compiler-rt-6.0.0.src llvm6/projects/compiler-rt && \ - tar -xf clang-tools-extra-6.0.0.src.tar.xz && mv clang-tools-extra-6.0.0.src llvm6/tools/clang/tools/extra - -RUN cd /workdir && mkdir build6 && unset CFLAGS && unset CXXFLAGS && \ - cd build6 && \ - cmake -G "Ninja" -DLLVM_ENABLE_ASSERTIONS=On -DCMAKE_BUILD_TYPE=Release ../llvm6 && \ - ninja && \ - ninja install - -# Compile TortoiseFuzz -ENV CC=clang -ENV CXX=clang++ - -RUN cd /workdir && \ - git clone https://github.com/TortoiseFuzz/TortoiseFuzz.git && \ - cd TortoiseFuzz && \ - unset CFLAGS && unset CXXFLAGS && make - -# Use afl_driver.cpp from LLVM as our libFuzzer 
harness. -RUN \ - wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /workdir/TortoiseFuzz/afl_driver.cpp && \ - clang++ -stdlib=libc++ -std=c++11 -O2 -c /workdir/TortoiseFuzz/afl_driver.cpp && \ - ar r /libAFLDriver.a afl_driver.o diff --git a/fuzzers/tortoisefuzz/fuzzer.py b/fuzzers/tortoisefuzz/fuzzer.py deleted file mode 100755 index 84e300220..000000000 --- a/fuzzers/tortoisefuzz/fuzzer.py +++ /dev/null @@ -1,41 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFL fuzzer.""" - -import os -import shutil - -from fuzzers import utils -from fuzzers.afl import fuzzer as afl_fuzzer - - -def build(): - """Build benchmark.""" - afl_fuzzer.prepare_build_environment() - os.environ['CC'] = '/workdir/TortoiseFuzz/bb_metric/afl-clang-fast' - os.environ['CXX'] = '/workdir/TortoiseFuzz/bb_metric/afl-clang-fast++' - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - utils.build_benchmark() - - print('[post_build] Copying tortoise-fuzz to $OUT directory') - # Copy out the afl-fuzz binary as a build artifact. - shutil.copy('/workdir/TortoiseFuzz/bb_metric/afl-fuzz', os.environ['OUT']) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run Tortoise-fuzz on target.""" - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - - afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, ['-s']) 
diff --git a/fuzzers/tortoisefuzz/runner.Dockerfile b/fuzzers/tortoisefuzz/runner.Dockerfile deleted file mode 100644 index 0d6cf004e..000000000 --- a/fuzzers/tortoisefuzz/runner.Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image diff --git a/fuzzers/weizz_qemu/builder.Dockerfile b/fuzzers/weizz_qemu/builder.Dockerfile deleted file mode 100644 index 4012a6481..000000000 --- a/fuzzers/weizz_qemu/builder.Dockerfile +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# -# When the llvm-12 installation gets LLVMgold (llvm-12-dev) then we can get -# rid of the clang-8 installation :-( -# - -RUN apt-get update && \ - apt-get install -y wget libstdc++-5-dev libtool-bin automake \ - flex bison libglib2.0-dev libpixman-1-dev cmake automake \ - libglib2.0-dev libpixman-1-dev liblzma-dev \ - llvm-8-dev clang-8 - -RUN cd / && git clone https://github.com/andreafioraldi/weizz-fuzzer /weizz && \ - cd /weizz && \ - git checkout c9cbeef0b057b9f7dc62af9b20629090b1b9fe4f && \ - export CC=clang-8 && export CXX=clang++-8 && \ - CFLAGS="-O3 -funroll-loops" make - -RUN cd / && git clone https://github.com/vanhauser-thc/qemu_driver && \ - cd /qemu_driver && \ - git checkout 8ad9ad589b4881552fa7ef8b7d29cd9aeb5071bd && \ - make && \ - cp -fv libQEMU.a / - diff --git a/fuzzers/weizz_qemu/fuzzer.py b/fuzzers/weizz_qemu/fuzzer.py deleted file mode 100644 index 739ec3e1b..000000000 --- a/fuzzers/weizz_qemu/fuzzer.py +++ /dev/null 
@@ -1,82 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for weizz fuzzer.""" - -import os -import shutil -import subprocess - -from fuzzers import utils - - -def build(): - """Build benchmark.""" - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - os.environ['FUZZER_LIB'] = '/libQEMU.a' - # QEMU doesn't like ASan - cflags = filter(lambda flag: not flag.startswith('-fsanitize=address'), - os.environ['CFLAGS'].split()) - cxxflags = filter(lambda flag: not flag.startswith('-fsanitize=address'), - os.environ['CXXFLAGS'].split()) - os.environ['CFLAGS'] = ' '.join(cflags) - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - utils.build_benchmark() - - # Copy over weizz's binaries. - shutil.copy('/weizz/weizz', os.environ['OUT']) - shutil.copy('/weizz/weizz-qemu', os.environ['OUT']) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # FIXME: Share code with afl.fuzz. - os.environ['WEIZZ_NO_UI'] = '1' - os.environ['WEIZZ_SKIP_CPUFREQ'] = '1' - os.environ['WEIZZ_NO_AFFINITY'] = '1' - os.environ['WEIZZ_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1' - os.environ['WEIZZ_CTX_SENSITIVE'] = '1' - os.environ['WEIZZ_SKIP_CRASHES'] = '1' - os.environ['WEIZZ_SHUFFLE_QUEUE'] = '1' - - # Weizz needs at least one non-empty seed to start. - utils.create_seed_file_for_empty_corpus(input_corpus) - - command = [ - './weizz', - '-d', # No deterministic mutation. 
- '-w', # Enable smart mode, high-order mutate tagged inputs. - '-h', # Stacking mode, alternate smart and AFL mutations. - '-Q', # Qemu mode. - '-L', # Size bounds to disable getdeps for a testcase. - '8k', # Size bounds set to 8kb. - '-m', # No memory limits - 'none', - '-i', - input_corpus, - '-o', - output_corpus, - '-t', - '1000+', # Use same default 1 sec timeout, but add '+' to skip hangs. - ] - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - command.extend(['-x', dictionary_path]) - command.extend(['--', target_binary]) - - os.system('ulimit -s 16384') - - print('[weizz] Running command: ' + ' '.join(command)) - subprocess.check_call(command) diff --git a/fuzzers/weizz_qemu/runner.Dockerfile b/fuzzers/weizz_qemu/runner.Dockerfile deleted file mode 100644 index 887b10ca0..000000000 --- a/fuzzers/weizz_qemu/runner.Dockerfile +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev - -ENV LD_LIBRARY_PATH /out -ENV PATH="$PATH:/out" -ENV AFL_MAP_SIZE=1048576 diff --git a/fuzzers/wingfuzz/builder.Dockerfile b/fuzzers/wingfuzz/builder.Dockerfile deleted file mode 100644 index dac0394f4..000000000 --- a/fuzzers/wingfuzz/builder.Dockerfile +++ /dev/null 
@@ -1,21 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN git clone https://github.com/WingTecherTHU/wingfuzz -RUN cd wingfuzz && git checkout 6ef3281f145fa1839df0f46c38b348ec9d93b0e2 && \ - ./build.sh && cd instrument && ./build.sh && clang -c WeakSym.c && \ - cp ../libFuzzer.a /libWingfuzz.a && cp WeakSym.o / && cp LoadCmpTracer.so / diff --git a/fuzzers/wingfuzz/fuzzer.py b/fuzzers/wingfuzz/fuzzer.py deleted file mode 100644 index fd1d02fd1..000000000 --- a/fuzzers/wingfuzz/fuzzer.py +++ /dev/null 
@@ -1,52 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for Wingfuzz fuzzer.""" - -import os - -from fuzzers import utils -from fuzzers.libfuzzer import fuzzer as libfuzzer_fuzzer - - -def build(): - """Build benchmark.""" - cflags = [ - '-fsanitize=fuzzer-no-link', - '-fno-sanitize-coverage=trace-cmp', - '-fno-legacy-pass-manager', - '-fpass-plugin=/LoadCmpTracer.so', - # Hack: support non-standard build scripts ignoring LDFLAGS - '-w', - '-Wl,/WeakSym.o' - ] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - os.environ['FUZZER_LIB'] = '/libWingfuzz.a' - - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - libfuzzer_fuzzer.run_fuzzer(input_corpus, - output_corpus, - target_binary, - extra_flags=[ - '-fork=0', '-keep_seed=1', - '-jobs=2147483647', '-workers=1', - '-reload=0' - ]) diff --git a/fuzzers/wingfuzz/runner.Dockerfile b/fuzzers/wingfuzz/runner.Dockerfile deleted file mode 100644 index 0d6cf004e..000000000 --- a/fuzzers/wingfuzz/runner.Dockerfile +++ /dev/null 
@@ -1,15 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image From 3d5b942b002d52c6ad6fae7b2cd8964ff96b440c Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 7 Oct 2023 12:20:59 +0200 Subject: [PATCH 22/39] fix --- fuzzers/fairfuzz/builder.Dockerfile | 30 +++++++++++++++++++++++++++++ fuzzers/fairfuzz/fuzzer.py | 26 +++++++++++++++++++++++++ fuzzers/fairfuzz/runner.Dockerfile | 15 +++++++++++++++ 3 files changed, 71 insertions(+) create mode 100644 fuzzers/fairfuzz/builder.Dockerfile create mode 100755 fuzzers/fairfuzz/fuzzer.py create mode 100644 fuzzers/fairfuzz/runner.Dockerfile diff --git a/fuzzers/fairfuzz/builder.Dockerfile b/fuzzers/fairfuzz/builder.Dockerfile new file mode 100644 index 000000000..c73ec5c4d --- /dev/null +++ b/fuzzers/fairfuzz/builder.Dockerfile 
@@ -0,0 +1,30 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Set AFL_NO_X86 to skip flaky tests.
+RUN git clone https://github.com/carolemieux/afl-rb.git /afl && \
+ cd /afl && \
+ git checkout e529c1f1b3666ad94e4d6e7ef24ea648aff39ae2 && \
+ AFL_NO_X86=1 make
+
+# Use afl_driver.cpp from LLVM as our fuzzing library.
+RUN apt-get update && \
+ apt-get install wget -y && \
+ wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
+ clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
+ clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
+ ar r /libAFL.a *.o
diff --git a/fuzzers/fairfuzz/fuzzer.py b/fuzzers/fairfuzz/fuzzer.py
new file mode 100755
index 000000000..6f95023ed
--- /dev/null
+++ b/fuzzers/fairfuzz/fuzzer.py
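Review bot: `ar r /libAFL.a *.o` on the last line of the second RUN archives every .o file that happens to be in the working directory, not just the two objects the two preceding clang invocations emit, so anything the parent image or an earlier layer leaves there gets linked into every benchmark binary. Naming the objects explicitly removes that dependency on the image state, e.g. `ar r /libAFL.a afl-llvm-rt.o.o afl_driver.o` (clang derives the first name from afl-llvm-rt.o.c; confirm it on a build, and compare the deleted tortoisefuzz builder, which named `afl_driver.o` explicitly). The same RUN leaves the apt package lists in the layer and pulls in recommended packages; `apt-get install -y --no-install-recommends wget && \` followed by `rm -rf /var/lib/apt/lists/*` at the end of the chain is the usual form. The afl-rb checkout and the afl_driver.cpp URL are both pinned to full commit hashes, which is the right way to keep this build reproducible.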
@@ -0,0 +1,26 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for FairFuzz fuzzer."""
+
+from fuzzers.afl import fuzzer as afl_fuzzer
+
+
+def build():
+ """Build benchmark."""
+ afl_fuzzer.build()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/fairfuzz/runner.Dockerfile b/fuzzers/fairfuzz/runner.Dockerfile
new file mode 100644
index 000000000..0d6cf004e
--- /dev/null
+++ b/fuzzers/fairfuzz/runner.Dockerfile
@@ -0,0 +1,15 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
From c179c70896a2505be30b4c0b430321607d4587a1 Mon Sep 17 00:00:00 2001
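Review bot: Both `build` and `fuzz` hand off to the stock afl integration without recording why that is valid for FairFuzz, which the next reader has to reconstruct from builder.Dockerfile; a comment on the import would do: `# afl-rb (FairFuzz) is built into /afl as a drop-in afl-fuzz by builder.Dockerfile, so the stock AFL build/run integration applies unchanged.` The wrapper also has no place to pass FairFuzz-specific afl-fuzz options should any be needed, because `afl_fuzzer.fuzz` takes none; the deleted tortoisefuzz wrapper instead called `afl_fuzzer.prepare_fuzz_environment(input_corpus)` and `afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, ['-s'])`, which is the shape to use if options turn out to be required. Whether the defaults are sufficient cannot be judged here, since `afl_fuzzer.fuzz` lives in fuzzers/afl/fuzzer.py outside this patch.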
From: vanhauser-thc Date: Sat, 7 Oct 2023 12:34:24 +0200 Subject: [PATCH 23/39] remove everything --- fuzzers/aflplusplus_406/builder.Dockerfile | 49 --- fuzzers/aflplusplus_406/description.md | 14 - fuzzers/aflplusplus_406/fuzzer.py | 282 ----------------- fuzzers/aflplusplus_406/runner.Dockerfile | 24 -- fuzzers/aflplusplus_407/builder.Dockerfile | 49 --- fuzzers/aflplusplus_407/description.md | 14 - fuzzers/aflplusplus_407/fuzzer.py | 282 ----------------- fuzzers/aflplusplus_407/runner.Dockerfile | 24 -- .../aflplusplus_ff_comp/builder.Dockerfile | 89 ------ fuzzers/aflplusplus_ff_comp/description.md | 14 - fuzzers/aflplusplus_ff_comp/fuzzer.py | 285 ----------------- fuzzers/aflplusplus_ff_comp/runner.Dockerfile | 42 --- fuzzers/aflplusplus_frida/builder.Dockerfile | 42 --- fuzzers/aflplusplus_frida/description.md | 15 - fuzzers/aflplusplus_frida/fuzzer.py | 67 ---- fuzzers/aflplusplus_frida/get_frida_entry.sh | 25 -- fuzzers/aflplusplus_frida/runner.Dockerfile | 27 -- .../aflplusplus_frida_perf/builder.Dockerfile | 42 --- fuzzers/aflplusplus_frida_perf/description.md | 15 - fuzzers/aflplusplus_frida_perf/fuzzer.py | 67 ---- .../aflplusplus_frida_perf/get_frida_entry.sh | 25 -- .../aflplusplus_frida_perf/runner.Dockerfile | 27 -- fuzzers/aflplusplus_o0/builder.Dockerfile | 50 --- fuzzers/aflplusplus_o0/description.md | 14 - fuzzers/aflplusplus_o0/fuzzer.py | 283 ----------------- fuzzers/aflplusplus_o0/runner.Dockerfile | 24 -- fuzzers/aflplusplus_o1/builder.Dockerfile | 50 --- fuzzers/aflplusplus_o1/description.md | 14 - fuzzers/aflplusplus_o1/fuzzer.py | 283 ----------------- fuzzers/aflplusplus_o1/runner.Dockerfile | 24 -- fuzzers/aflplusplus_o2/builder.Dockerfile | 50 --- fuzzers/aflplusplus_o2/description.md | 14 - fuzzers/aflplusplus_o2/fuzzer.py | 283 ----------------- fuzzers/aflplusplus_o2/runner.Dockerfile | 24 -- fuzzers/aflplusplus_qemu/builder.Dockerfile | 43 --- fuzzers/aflplusplus_qemu/description.md | 14 - fuzzers/aflplusplus_qemu/fuzzer.py | 
51 ---- fuzzers/aflplusplus_qemu/runner.Dockerfile | 23 -- .../aflplusplus_symqemu/builder.Dockerfile | 53 ---- fuzzers/aflplusplus_symqemu/description.md | 14 - fuzzers/aflplusplus_symqemu/fuzzer.py | 289 ------------------ fuzzers/aflplusplus_symqemu/runner.Dockerfile | 92 ------ fuzzers/aflsmart/README.md | 18 -- fuzzers/aflsmart/builder.Dockerfile | 70 ----- fuzzers/aflsmart/fuzzer.py | 79 ----- fuzzers/aflsmart/runner.Dockerfile | 21 -- fuzzers/aflsmart_plusplus/README.md | 2 - fuzzers/aflsmart_plusplus/builder.Dockerfile | 77 ----- fuzzers/aflsmart_plusplus/fuzzer.py | 62 ---- fuzzers/aflsmart_plusplus/runner.Dockerfile | 21 -- fuzzers/centipede/builder.Dockerfile | 32 -- fuzzers/centipede/fuzzer.py | 90 ------ fuzzers/centipede/runner.Dockerfile | 15 - fuzzers/honggfuzz/builder.Dockerfile | 36 --- fuzzers/honggfuzz/fuzzer.py | 69 ----- fuzzers/honggfuzz/runner.Dockerfile | 18 -- fuzzers/libafl/builder.Dockerfile | 54 ---- fuzzers/libafl/description.md | 11 - fuzzers/libafl/fuzzer.py | 67 ---- fuzzers/libafl/runner.Dockerfile | 23 -- fuzzers/libafl_forkserver/builder.Dockerfile | 56 ---- fuzzers/libafl_forkserver/description.md | 13 - fuzzers/libafl_forkserver/fuzzer.py | 67 ---- fuzzers/libafl_forkserver/runner.Dockerfile | 23 -- fuzzers/libafl_libfuzzer/builder.Dockerfile | 44 --- fuzzers/libafl_libfuzzer/description.md | 11 - fuzzers/libafl_libfuzzer/fuzzer.py | 117 ------- fuzzers/libafl_libfuzzer/runner.Dockerfile | 15 - 68 files changed, 4323 deletions(-) delete mode 100644 fuzzers/aflplusplus_406/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_406/description.md delete mode 100755 fuzzers/aflplusplus_406/fuzzer.py delete mode 100644 fuzzers/aflplusplus_406/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_407/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_407/description.md delete mode 100755 fuzzers/aflplusplus_407/fuzzer.py delete mode 100644 fuzzers/aflplusplus_407/runner.Dockerfile delete mode 100644 
fuzzers/aflplusplus_ff_comp/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_ff_comp/description.md delete mode 100755 fuzzers/aflplusplus_ff_comp/fuzzer.py delete mode 100644 fuzzers/aflplusplus_ff_comp/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_frida/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_frida/description.md delete mode 100755 fuzzers/aflplusplus_frida/fuzzer.py delete mode 100755 fuzzers/aflplusplus_frida/get_frida_entry.sh delete mode 100644 fuzzers/aflplusplus_frida/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_frida_perf/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_frida_perf/description.md delete mode 100755 fuzzers/aflplusplus_frida_perf/fuzzer.py delete mode 100755 fuzzers/aflplusplus_frida_perf/get_frida_entry.sh delete mode 100644 fuzzers/aflplusplus_frida_perf/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_o0/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_o0/description.md delete mode 100755 fuzzers/aflplusplus_o0/fuzzer.py delete mode 100644 fuzzers/aflplusplus_o0/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_o1/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_o1/description.md delete mode 100755 fuzzers/aflplusplus_o1/fuzzer.py delete mode 100644 fuzzers/aflplusplus_o1/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_o2/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_o2/description.md delete mode 100755 fuzzers/aflplusplus_o2/fuzzer.py delete mode 100644 fuzzers/aflplusplus_o2/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_qemu/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_qemu/description.md delete mode 100755 fuzzers/aflplusplus_qemu/fuzzer.py delete mode 100644 fuzzers/aflplusplus_qemu/runner.Dockerfile delete mode 100644 fuzzers/aflplusplus_symqemu/builder.Dockerfile delete mode 100644 fuzzers/aflplusplus_symqemu/description.md delete mode 100755 fuzzers/aflplusplus_symqemu/fuzzer.py delete mode 100644 
fuzzers/aflplusplus_symqemu/runner.Dockerfile delete mode 100644 fuzzers/aflsmart/README.md delete mode 100644 fuzzers/aflsmart/builder.Dockerfile delete mode 100755 fuzzers/aflsmart/fuzzer.py delete mode 100644 fuzzers/aflsmart/runner.Dockerfile delete mode 100644 fuzzers/aflsmart_plusplus/README.md delete mode 100644 fuzzers/aflsmart_plusplus/builder.Dockerfile delete mode 100755 fuzzers/aflsmart_plusplus/fuzzer.py delete mode 100644 fuzzers/aflsmart_plusplus/runner.Dockerfile delete mode 100644 fuzzers/centipede/builder.Dockerfile delete mode 100755 fuzzers/centipede/fuzzer.py delete mode 100644 fuzzers/centipede/runner.Dockerfile delete mode 100644 fuzzers/honggfuzz/builder.Dockerfile delete mode 100644 fuzzers/honggfuzz/fuzzer.py delete mode 100644 fuzzers/honggfuzz/runner.Dockerfile delete mode 100644 fuzzers/libafl/builder.Dockerfile delete mode 100644 fuzzers/libafl/description.md delete mode 100755 fuzzers/libafl/fuzzer.py delete mode 100644 fuzzers/libafl/runner.Dockerfile delete mode 100644 fuzzers/libafl_forkserver/builder.Dockerfile delete mode 100644 fuzzers/libafl_forkserver/description.md delete mode 100755 fuzzers/libafl_forkserver/fuzzer.py delete mode 100644 fuzzers/libafl_forkserver/runner.Dockerfile delete mode 100644 fuzzers/libafl_libfuzzer/builder.Dockerfile delete mode 100644 fuzzers/libafl_libfuzzer/description.md delete mode 100755 fuzzers/libafl_libfuzzer/fuzzer.py delete mode 100644 fuzzers/libafl_libfuzzer/runner.Dockerfile diff --git a/fuzzers/aflplusplus_406/builder.Dockerfile b/fuzzers/aflplusplus_406/builder.Dockerfile deleted file mode 100644 index c3ae94b3f..000000000 --- a/fuzzers/aflplusplus_406/builder.Dockerfile +++ /dev/null 
@@ -1,49 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout a326c23210dc2ace37bf1cadcc4521cf5d0b58cb || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_406/description.md b/fuzzers/aflplusplus_406/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_406/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_406/fuzzer.py b/fuzzers/aflplusplus_406/fuzzer.py deleted file mode 100755 index 7016da75e..000000000 --- a/fuzzers/aflplusplus_406/fuzzer.py +++ /dev/null 
@@ -1,282 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_406/runner.Dockerfile b/fuzzers/aflplusplus_406/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_406/runner.Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe 
diff --git a/fuzzers/aflplusplus_407/builder.Dockerfile b/fuzzers/aflplusplus_407/builder.Dockerfile deleted file mode 100644 index ddfad64d9..000000000 --- a/fuzzers/aflplusplus_407/builder.Dockerfile +++ /dev/null @@ -1,49 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout af8c68a774d0271ae6a2145ac566e1c7024e95d5 || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_407/description.md b/fuzzers/aflplusplus_407/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_407/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_407/fuzzer.py b/fuzzers/aflplusplus_407/fuzzer.py deleted file mode 100755 index 7016da75e..000000000 --- a/fuzzers/aflplusplus_407/fuzzer.py +++ /dev/null 
@@ -1,282 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_407/runner.Dockerfile b/fuzzers/aflplusplus_407/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_407/runner.Dockerfile +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe 
diff --git a/fuzzers/aflplusplus_ff_comp/builder.Dockerfile b/fuzzers/aflplusplus_ff_comp/builder.Dockerfile deleted file mode 100644 index 221a95ecc..000000000 --- a/fuzzers/aflplusplus_ff_comp/builder.Dockerfile +++ /dev/null 
@@ -1,89 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -RUN apt install -y lsb-release wget software-properties-common - -RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 12 all - -ENV LLVM_CONFIG=llvm-config-12 - -RUN update-alternatives \ - --install /usr/lib/llvm llvm /usr/lib/llvm-12 100 \ - --slave /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-12 \ - --slave /usr/bin/llvm-ar llvm-ar /usr/bin/llvm-ar-12 \ - --slave /usr/bin/llvm-as llvm-as /usr/bin/llvm-as-12 \ - --slave /usr/bin/llvm-bcanalyzer llvm-bcanalyzer /usr/bin/llvm-bcanalyzer-12 \ - --slave /usr/bin/llvm-c-test llvm-c-test /usr/bin/llvm-c-test-12 \ - --slave /usr/bin/llvm-cov llvm-cov /usr/bin/llvm-cov-12 \ - --slave /usr/bin/llvm-diff llvm-diff /usr/bin/llvm-diff-12 \ - --slave /usr/bin/llvm-dis llvm-dis /usr/bin/llvm-dis-12 \ - --slave /usr/bin/llvm-dwarfdump llvm-dwarfdump /usr/bin/llvm-dwarfdump-12 \ - --slave /usr/bin/llvm-extract llvm-extract /usr/bin/llvm-extract-12 \ - --slave 
/usr/bin/llvm-link llvm-link /usr/bin/llvm-link-12 \ - --slave /usr/bin/llvm-mc llvm-mc /usr/bin/llvm-mc-12 \ - --slave /usr/bin/llvm-nm llvm-nm /usr/bin/llvm-nm-12 \ - --slave /usr/bin/llvm-objdump llvm-objdump /usr/bin/llvm-objdump-12 \ - --slave /usr/bin/llvm-ranlib llvm-ranlib /usr/bin/llvm-ranlib-12 \ - --slave /usr/bin/llvm-readobj llvm-readobj /usr/bin/llvm-readobj-12 \ - --slave /usr/bin/llvm-rtdyld llvm-rtdyld /usr/bin/llvm-rtdyld-12 \ - --slave /usr/bin/llvm-size llvm-size /usr/bin/llvm-size-12 \ - --slave /usr/bin/llvm-stress llvm-stress /usr/bin/llvm-stress-12 \ - --slave /usr/bin/llvm-symbolizer llvm-symbolizer /usr/bin/llvm-symbolizer-12 \ - --slave /usr/bin/llvm-tblgen llvm-tblgen /usr/bin/llvm-tblgen-12 \ - --slave /usr/bin/llc llc /usr/bin/llc-12 \ - --slave /usr/bin/opt opt /usr/bin/opt-12 && \ - update-alternatives \ - --install /usr/bin/clang clang /usr/bin/clang-12 100 \ - --slave /usr/bin/clang++ clang++ /usr/bin/clang++-12 \ - --slave /usr/bin/clang-cpp clang-cpp /usr/bin/clang-cpp-12 - -# put the /usr/bin of the highest priority, to make sure clang-12 is called before clang-15, which is in /usr/local/bin -ENV PATH="/usr/bin:${PATH}" - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 1d4f1e48797c064ee71441ba555b29fc3f467983 || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_ff_comp/description.md b/fuzzers/aflplusplus_ff_comp/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_ff_comp/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_ff_comp/fuzzer.py b/fuzzers/aflplusplus_ff_comp/fuzzer.py deleted file mode 100755 index 0912f0a97..000000000 --- a/fuzzers/aflplusplus_ff_comp/fuzzer.py +++ /dev/null 
@@ -1,285 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - os.environ['CFLAGS'] = build_flags - - #if build_flags.find( - # 'array-bounds' - #) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - # if 'gcc' not in build_modes: - # build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 
'tracepc' in build_modes or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. 
- cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - else: - os.environ['AFL_USE_ASAN'] = '1' - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. 
- new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_ff_comp/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp/runner.Dockerfile deleted file mode 100644 index a17c457ec..000000000 --- a/fuzzers/aflplusplus_ff_comp/runner.Dockerfile +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-ENV DEBIAN_FRONTEND=noninteractive
-ENV TZ=Etc/UTC
-
-RUN apt update && apt install -y git gcc g++ make cmake wget \
- libgmp-dev libmpfr-dev texinfo bison python3
-
-# for runtime library, we just need libc++-12-dev libc++abi-12-dev
-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key|apt-key add - && \
- printf "deb http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal main\n" \
- "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- "deb-src http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main\n" \
- >> /etc/apt/sources.list && \
- apt update && \
- apt install libc++-12-dev libc++abi-12-dev -y
-
-RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \
- pkg-config libglib2.0-dev libunwind-17
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/aflplusplus_frida/builder.Dockerfile b/fuzzers/aflplusplus_frida/builder.Dockerfile
deleted file mode 100644
index 2ebb98b1f..000000000
--- a/fuzzers/aflplusplus_frida/builder.Dockerfile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install the necessary packages.
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++
-RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
- cd /afl && git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd
-
-# Build afl++ without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS && unset CXXFLAGS && \
- AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cd frida_mode && make && cd .. && \
- cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a
-
-COPY get_frida_entry.sh /
diff --git a/fuzzers/aflplusplus_frida/description.md b/fuzzers/aflplusplus_frida/description.md
deleted file mode 100644
index 9ced871ec..000000000
--- a/fuzzers/aflplusplus_frida/description.md
+++ /dev/null
@@ -1,15 +0,0 @@ -# aflplusplus_qemu - -AFL++ fuzzer instance for binary-only fuzzing with frida_mode. -The following config active for all benchmarks: - - qemu_mode with: - - entrypoint set to LLVMFuzzerTestOneInput - - persisten mode set to LLVMFuzzerTestOneInput - - shared memory testcases - - cmplog - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_frida/fuzzer.py b/fuzzers/aflplusplus_frida/fuzzer.py deleted file mode 100755 index 64f3eb632..000000000 --- a/fuzzers/aflplusplus_frida/fuzzer.py +++ /dev/null 
@@ -1,67 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -import os -import subprocess -import shutil -# import resource - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -def build(): - """Build benchmark.""" - aflplusplus_fuzzer.build('qemu') - shutil.copy('/afl/frida_mode/build/frida_hook.so', os.environ['OUT']) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Get LLVMFuzzerTestOneInput address. - nm_proc = subprocess.run([ - 'sh', '-c', - 'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput' - ], - stdout=subprocess.PIPE, - check=True) - target_func = nm_proc.stdout.split()[0].decode('utf-8') - print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func) - - # Fuzzer options for qemu_mode. 
- flags = ['-O', '-c0'] - - os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func - os.environ['AFL_ENTRYPOINT'] = target_func - os.environ['AFL_FRIDA_PERSISTENT_CNT'] = '1000000' - os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = '/out/frida_hook.so' - os.environ['AFL_PATH'] = '/out' - os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' - - # resource.setrlimit(resource.RLIMIT_CORE, - # (resource.RLIM_INFINITY, resource.RLIM_INFINITY)) - - # The systemd benchmark fails without full library instrumentation :( - benchmark_name = os.environ['BENCHMARK'] - if benchmark_name == 'systemd_fuzz-link-parser': - os.environ['AFL_INST_LIBS'] = '1' - - aflplusplus_fuzzer.fuzz(input_corpus, - output_corpus, - target_binary, - flags=flags) - - # sts = os.system('cp -v *core* corpus') - # if sts == 0: - # print('Copied cores') diff --git a/fuzzers/aflplusplus_frida/get_frida_entry.sh b/fuzzers/aflplusplus_frida/get_frida_entry.sh deleted file mode 100755 index 7d72a1124..000000000 --- a/fuzzers/aflplusplus_frida/get_frida_entry.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -test -z "$1" -o -z "$2" -o '!' -e "$1" && exit 0 - -file "$1" | grep -q executable && { - nm "$1" | grep -i "T $2" | awk '{print"0x"$1}' - exit 0 -} - -nm "$1" | grep -i "T $2" | '{print$1}' | tr a-f A-F | \ - xargs echo "ibase=16;obase=10;555555554000 + " | bc | tr A-F a-f -exit 0 
diff --git a/fuzzers/aflplusplus_frida/runner.Dockerfile b/fuzzers/aflplusplus_frida/runner.Dockerfile
deleted file mode 100644
index 4a7be9403..000000000
--- a/fuzzers/aflplusplus_frida/runner.Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt update -y && apt-get upgrade -y && \
- apt-get install -y python3-pyelftools bc
-
-# This makes interactive docker run painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-
diff --git a/fuzzers/aflplusplus_frida_perf/builder.Dockerfile b/fuzzers/aflplusplus_frida_perf/builder.Dockerfile
deleted file mode 100644
index 15df016c7..000000000
--- a/fuzzers/aflplusplus_frida_perf/builder.Dockerfile
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install the necessary packages.
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++
-RUN git clone -b frida-perf https://github.com/WorksButNotTested/AFLplusplus /afl && \
- cd /afl && git checkout 6e80109 || true
-
-# Build afl++ without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS && unset CXXFLAGS && \
- AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
- make -C utils/aflpp_driver && \
- cd frida_mode && make && cd .. && \
- cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a
-
-COPY get_frida_entry.sh /
diff --git a/fuzzers/aflplusplus_frida_perf/description.md b/fuzzers/aflplusplus_frida_perf/description.md
deleted file mode 100644
index 9ced871ec..000000000
--- a/fuzzers/aflplusplus_frida_perf/description.md
+++ /dev/null
@@ -1,15 +0,0 @@ -# aflplusplus_qemu - -AFL++ fuzzer instance for binary-only fuzzing with frida_mode. -The following config active for all benchmarks: - - qemu_mode with: - - entrypoint set to LLVMFuzzerTestOneInput - - persisten mode set to LLVMFuzzerTestOneInput - - shared memory testcases - - cmplog - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_frida_perf/fuzzer.py b/fuzzers/aflplusplus_frida_perf/fuzzer.py deleted file mode 100755 index 64f3eb632..000000000 --- a/fuzzers/aflplusplus_frida_perf/fuzzer.py +++ /dev/null 
@@ -1,67 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -import os -import subprocess -import shutil -# import resource - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -def build(): - """Build benchmark.""" - aflplusplus_fuzzer.build('qemu') - shutil.copy('/afl/frida_mode/build/frida_hook.so', os.environ['OUT']) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Get LLVMFuzzerTestOneInput address. - nm_proc = subprocess.run([ - 'sh', '-c', - 'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput' - ], - stdout=subprocess.PIPE, - check=True) - target_func = nm_proc.stdout.split()[0].decode('utf-8') - print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func) - - # Fuzzer options for qemu_mode. 
- flags = ['-O', '-c0'] - - os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func - os.environ['AFL_ENTRYPOINT'] = target_func - os.environ['AFL_FRIDA_PERSISTENT_CNT'] = '1000000' - os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = '/out/frida_hook.so' - os.environ['AFL_PATH'] = '/out' - os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' - - # resource.setrlimit(resource.RLIMIT_CORE, - # (resource.RLIM_INFINITY, resource.RLIM_INFINITY)) - - # The systemd benchmark fails without full library instrumentation :( - benchmark_name = os.environ['BENCHMARK'] - if benchmark_name == 'systemd_fuzz-link-parser': - os.environ['AFL_INST_LIBS'] = '1' - - aflplusplus_fuzzer.fuzz(input_corpus, - output_corpus, - target_binary, - flags=flags) - - # sts = os.system('cp -v *core* corpus') - # if sts == 0: - # print('Copied cores') diff --git a/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh b/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh deleted file mode 100755 index 7d72a1124..000000000 --- a/fuzzers/aflplusplus_frida_perf/get_frida_entry.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -test -z "$1" -o -z "$2" -o '!' -e "$1" && exit 0 - -file "$1" | grep -q executable && { - nm "$1" | grep -i "T $2" | awk '{print"0x"$1}' - exit 0 -} - -nm "$1" | grep -i "T $2" | '{print$1}' | tr a-f A-F | \ - xargs echo "ibase=16;obase=10;555555554000 + " | bc | tr A-F a-f -exit 0 
diff --git a/fuzzers/aflplusplus_frida_perf/runner.Dockerfile b/fuzzers/aflplusplus_frida_perf/runner.Dockerfile
deleted file mode 100644
index 4a7be9403..000000000
--- a/fuzzers/aflplusplus_frida_perf/runner.Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt update -y && apt-get upgrade -y && \
- apt-get install -y python3-pyelftools bc
-
-# This makes interactive docker run painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-
diff --git a/fuzzers/aflplusplus_o0/builder.Dockerfile b/fuzzers/aflplusplus_o0/builder.Dockerfile
deleted file mode 100644
index 567161ccd..000000000
--- a/fuzzers/aflplusplus_o0/builder.Dockerfile
+++ /dev/null
@@ -1,50 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - sed -i 's/"-O3"/"-O0"/' src/afl-cc.c && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_o0/description.md b/fuzzers/aflplusplus_o0/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_o0/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_o0/fuzzer.py b/fuzzers/aflplusplus_o0/fuzzer.py deleted file mode 100755 index 11e128c6a..000000000 --- a/fuzzers/aflplusplus_o0/fuzzer.py +++ /dev/null 
@@ -1,283 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment.
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
-
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- if 'gcc' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- if build_flags.find('array-bounds') != -1:
- os.environ['CFLAGS'] = '-fsanitize=address -O1'
- os.environ['CXXFLAGS'] = '-fsanitize=address -O1'
- else:
- os.environ['CFLAGS'] = ''
- os.environ['CXXFLAGS'] = ''
- os.environ['CPPFLAGS'] = ''
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms. (see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For symcc build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new symcc build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for symcc fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is False:
- flags += ['-c', cmplog_target_binary]
-
- #os.environ['AFL_IGNORE_TIMEOUTS'] = '1'
- os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
- os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
- os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflplusplus_o0/runner.Dockerfile b/fuzzers/aflplusplus_o0/runner.Dockerfile
deleted file mode 100644
index 1a10f861c..000000000
--- a/fuzzers/aflplusplus_o0/runner.Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-RUN apt install -y unzip git gdb joe
diff --git a/fuzzers/aflplusplus_o1/builder.Dockerfile b/fuzzers/aflplusplus_o1/builder.Dockerfile
deleted file mode 100644
index 0d196c859..000000000
--- a/fuzzers/aflplusplus_o1/builder.Dockerfile
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- sed -i 's/"-O3"/"-O1"/' src/afl-cc.c && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_o1/description.md b/fuzzers/aflplusplus_o1/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_o1/description.md
+++ /dev/null
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_o1/fuzzer.py b/fuzzers/aflplusplus_o1/fuzzer.py deleted file mode 100755 index 11e128c6a..000000000 --- a/fuzzers/aflplusplus_o1/fuzzer.py +++ /dev/null 
@@ -1,283 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for AFLplusplus fuzzer."""
-
-import os
-import shutil
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-from fuzzers import utils
-
-
-def get_cmplog_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'cmplog')
-
-
-def get_uninstrumented_build_directory(target_directory):
- """Return path to CmpLog target directory."""
- return os.path.join(target_directory, 'uninstrumented')
-
-
-def build(*args): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide
- # a default configuration.
-
- build_modes = list(args)
- if 'BUILD_MODES' in os.environ:
- build_modes = os.environ['BUILD_MODES'].split(',')
-
- # Placeholder comment.
- build_directory = os.environ['OUT']
-
- # If nothing was set this is the default:
- if not build_modes:
- build_modes = ['tracepc', 'cmplog', 'dict2file']
-
- # For bug type benchmarks we have to instrument via native clang pcguard :(
- build_flags = os.environ['CFLAGS']
-
- if build_flags.find(
- 'array-bounds'
- ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes:
- if 'gcc' not in build_modes:
- build_modes[0] = 'native'
-
- # Instrumentation coverage modes:
- if 'lto' in build_modes:
- os.environ['CC'] = '/afl/afl-clang-lto'
- os.environ['CXX'] = '/afl/afl-clang-lto++'
- edge_file = build_directory + '/aflpp_edges.txt'
- os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file
- if os.path.isfile('/usr/local/bin/llvm-ranlib-13'):
- os.environ['RANLIB'] = 'llvm-ranlib-13'
- os.environ['AR'] = 'llvm-ar-13'
- os.environ['AS'] = 'llvm-as-13'
- elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'):
- os.environ['RANLIB'] = 'llvm-ranlib-12'
- os.environ['AR'] = 'llvm-ar-12'
- os.environ['AS'] = 'llvm-as-12'
- else:
- os.environ['RANLIB'] = 'llvm-ranlib'
- os.environ['AR'] = 'llvm-ar'
- os.environ['AS'] = 'llvm-as'
- elif 'qemu' in build_modes:
- os.environ['CC'] = 'clang'
- os.environ['CXX'] = 'clang++'
- elif 'gcc' in build_modes:
- os.environ['CC'] = 'afl-gcc-fast'
- os.environ['CXX'] = 'afl-g++-fast'
- if build_flags.find('array-bounds') != -1:
- os.environ['CFLAGS'] = '-fsanitize=address -O1'
- os.environ['CXXFLAGS'] = '-fsanitize=address -O1'
- else:
- os.environ['CFLAGS'] = ''
- os.environ['CXXFLAGS'] = ''
- os.environ['CPPFLAGS'] = ''
- else:
- os.environ['CC'] = '/afl/afl-clang-fast'
- os.environ['CXX'] = '/afl/afl-clang-fast++'
-
- print('AFL++ build: ')
- print(build_modes)
-
- if 'qemu' in build_modes or 'symcc' in build_modes:
- os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
- cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
- os.environ['CXXFLAGS'] = ' '.join(cxxflags)
-
- if 'tracepc' in build_modes or 'pcguard' in build_modes:
- os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
- elif 'classic' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
- elif 'native' in build_modes:
- os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'
-
- # Instrumentation coverage options:
- # Do not use a fixed map location (LTO only)
- if 'dynamic' in build_modes:
- os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
- # Use a fixed map location (LTO only)
- if 'fixed' in build_modes:
- os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
- # Generate an extra dictionary.
- if 'dict2file' in build_modes or 'native' in build_modes:
- os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
- os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1'
- # Enable context sentitivity for LLVM mode (non LTO only)
- if 'ctx' in build_modes:
- os.environ['AFL_LLVM_CTX'] = '1'
- # Enable N-gram coverage for LLVM mode (non LTO only)
- if 'ngram2' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '2'
- elif 'ngram3' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '3'
- elif 'ngram4' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '4'
- elif 'ngram5' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '5'
- elif 'ngram6' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '6'
- elif 'ngram7' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '7'
- elif 'ngram8' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '8'
- elif 'ngram16' in build_modes:
- os.environ['AFL_LLVM_NGRAM_SIZE'] = '16'
- if 'ctx1' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '1'
- elif 'ctx2' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '2'
- elif 'ctx3' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '3'
- elif 'ctx4' in build_modes:
- os.environ['AFL_LLVM_CTX_K'] = '4'
-
- # Only one of the following OR cmplog
- # enable laf-intel compare splitting
- if 'laf' in build_modes:
- os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
- os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
- if 'autodict' not in build_modes:
- os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
-
- if 'eclipser' in build_modes:
- os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
- else:
- os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
-
- # Some benchmarks like lcms. (see:
- # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
- # fail to compile if the compiler outputs things to stderr in unexpected
- # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast
- # from writing AFL specific messages to stderr.
- os.environ['AFL_QUIET'] = '1'
- os.environ['AFL_MAP_SIZE'] = '2621440'
-
- src = os.getenv('SRC')
- work = os.getenv('WORK')
-
- with utils.restore_directory(src), utils.restore_directory(work):
- # Restore SRC to its initial state so we can build again without any
- # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run
- # twice in the same directory without this.
- utils.build_benchmark()
-
- if 'cmplog' in build_modes and 'qemu' not in build_modes:
-
- # CmpLog requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['AFL_LLVM_CMPLOG'] = '1'
-
- # For CmpLog build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new CmpLog build directory.
- cmplog_build_directory = get_cmplog_build_directory(build_directory)
- os.mkdir(cmplog_build_directory)
- new_env['OUT'] = cmplog_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for CmpLog fuzzing target')
- utils.build_benchmark(env=new_env)
-
- if 'symcc' in build_modes:
-
- symcc_build_directory = get_uninstrumented_build_directory(
- build_directory)
- os.mkdir(symcc_build_directory)
-
- # symcc requires an build with different instrumentation.
- new_env = os.environ.copy()
- new_env['CC'] = '/symcc/build/symcc'
- new_env['CXX'] = '/symcc/build/sym++'
- new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
- new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '')
- new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
- new_env['OUT'] = symcc_build_directory
- new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build'
- new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1'
- new_env['SYMCC_SILENT'] = '1'
-
- # For symcc build, set the OUT and FUZZ_TARGET environment
- # variable to point to the new symcc build directory.
- new_env['OUT'] = symcc_build_directory
- fuzz_target = os.getenv('FUZZ_TARGET')
- if fuzz_target:
- new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
- os.path.basename(fuzz_target))
-
- print('Re-building benchmark for symcc fuzzing target')
- utils.build_benchmark(env=new_env)
-
- shutil.copy('/afl/afl-fuzz', build_directory)
- if os.path.exists('/afl/afl-qemu-trace'):
- shutil.copy('/afl/afl-qemu-trace', build_directory)
- if os.path.exists('/aflpp_qemu_driver_hook.so'):
- shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
- if os.path.exists('/get_frida_entry.sh'):
- shutil.copy('/afl/afl-frida-trace.so', build_directory)
- shutil.copy('/get_frida_entry.sh', build_directory)
-
-
-# pylint: disable=too-many-arguments
-def fuzz(input_corpus,
- output_corpus,
- target_binary,
- flags=tuple(),
- skip=False,
- no_cmplog=False): # pylint: disable=too-many-arguments
- """Run fuzzer."""
- # Calculate CmpLog binary path from the instrumented target binary.
- target_binary_directory = os.path.dirname(target_binary)
- cmplog_target_binary_directory = (
- get_cmplog_build_directory(target_binary_directory))
- target_binary_name = os.path.basename(target_binary)
- cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
- target_binary_name)
-
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- # decomment this to enable libdislocator.
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
- # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
-
- flags = list(flags)
-
- if os.path.exists('./afl++.dict'):
- flags += ['-x', './afl++.dict']
-
- # Move the following to skip for upcoming _double tests:
- if os.path.exists(cmplog_target_binary) and no_cmplog is False:
- flags += ['-c', cmplog_target_binary]
-
- #os.environ['AFL_IGNORE_TIMEOUTS'] = '1'
- os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1'
- os.environ['AFL_FAST_CAL'] = '1'
- os.environ['AFL_NO_WARN_INSTABILITY'] = '1'
- os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
-
- if not skip:
- os.environ['AFL_DISABLE_TRIM'] = '1'
- os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
- if 'ADDITIONAL_ARGS' in os.environ:
- flags += os.environ['ADDITIONAL_ARGS'].split(' ')
-
- afl_fuzzer.run_afl_fuzz(input_corpus,
- output_corpus,
- target_binary,
- additional_flags=flags)
diff --git a/fuzzers/aflplusplus_o1/runner.Dockerfile b/fuzzers/aflplusplus_o1/runner.Dockerfile
deleted file mode 100644
index 1a10f861c..000000000
--- a/fuzzers/aflplusplus_o1/runner.Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
-RUN apt install -y unzip git gdb joe
diff --git a/fuzzers/aflplusplus_o2/builder.Dockerfile b/fuzzers/aflplusplus_o2/builder.Dockerfile
deleted file mode 100644
index 0c965b181..000000000
--- a/fuzzers/aflplusplus_o2/builder.Dockerfile
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-RUN apt-get update && \
- apt-get install -y \
- build-essential \
- python3-dev \
- python3-setuptools \
- automake \
- cmake \
- git \
- flex \
- bison \
- libglib2.0-dev \
- libpixman-1-dev \
- cargo \
- libgtk-3-dev \
- # for QEMU mode
- ninja-build \
- gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
- libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
-
-# Download afl++.
-RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
- cd /afl && \
- git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \
- true
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- sed -i 's/"-O3"/"-O2"/' src/afl-cc.c && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_o2/description.md b/fuzzers/aflplusplus_o2/description.md
deleted file mode 100644
index f7eb407ad..000000000
--- a/fuzzers/aflplusplus_o2/description.md
+++ /dev/null
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_o2/fuzzer.py b/fuzzers/aflplusplus_o2/fuzzer.py deleted file mode 100755 index 11e128c6a..000000000 --- a/fuzzers/aflplusplus_o2/fuzzer.py +++ /dev/null 
@@ -1,283 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. - target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. 
- # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' - - if not skip: - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_o2/runner.Dockerfile b/fuzzers/aflplusplus_o2/runner.Dockerfile deleted file mode 100644 index 1a10f861c..000000000 --- a/fuzzers/aflplusplus_o2/runner.Dockerfile +++ /dev/null 
@@ -1,24 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_qemu/builder.Dockerfile b/fuzzers/aflplusplus_qemu/builder.Dockerfile deleted file mode 100644 index fbba9ed7b..000000000 --- a/fuzzers/aflplusplus_qemu/builder.Dockerfile +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -# Install the necessary packages. -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - ninja-build \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - - -# Download afl++ -RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \ - cd /afl && git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || true - -# Build afl++ without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS && unset CXXFLAGS && \ - AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \ - cd qemu_mode && ./build_qemu_support.sh && cd .. && \ - make -C utils/aflpp_driver && \ - cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a && \ - cp utils/aflpp_driver/aflpp_qemu_driver_hook.so / diff --git a/fuzzers/aflplusplus_qemu/description.md b/fuzzers/aflplusplus_qemu/description.md deleted file mode 100644 index f93c35897..000000000 --- a/fuzzers/aflplusplus_qemu/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus_qemu - -AFL++ fuzzer instance for binary-only fuzzing with qemu_mode. -The following config active for all benchmarks: - - qemu_mode with: - - entrypoint set to afl_qemu_driver_stdin_input - - persisten mode set to afl_qemu_driver_stdin_input - - cmplog - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_qemu/fuzzer.py b/fuzzers/aflplusplus_qemu/fuzzer.py deleted file mode 100755 index 5bab908c1..000000000 --- a/fuzzers/aflplusplus_qemu/fuzzer.py +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for AFLplusplus fuzzer.""" - -import os -import subprocess - -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer - - -def build(): - """Build benchmark.""" - aflplusplus_fuzzer.build('qemu') - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Get LLVMFuzzerTestOneInput address. - nm_proc = subprocess.run([ - 'sh', '-c', - 'nm \'' + target_binary + '\' | grep -i \'T afl_qemu_driver_stdin\'' - ], - stdout=subprocess.PIPE, - check=True) - target_func = '0x' + nm_proc.stdout.split()[0].decode('utf-8') - print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func) - - # Fuzzer options for qemu_mode. - flags = ['-Q', '-c0'] - - os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func - os.environ['AFL_ENTRYPOINT'] = target_func - os.environ['AFL_QEMU_PERSISTENT_CNT'] = '1000000' - os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = '1' - os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' - - aflplusplus_fuzzer.fuzz(input_corpus, - output_corpus, - target_binary, - flags=flags) diff --git a/fuzzers/aflplusplus_qemu/runner.Dockerfile b/fuzzers/aflplusplus_qemu/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/aflplusplus_qemu/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/aflplusplus_symqemu/builder.Dockerfile b/fuzzers/aflplusplus_symqemu/builder.Dockerfile deleted file mode 100644 index 2588652c0..000000000 --- a/fuzzers/aflplusplus_symqemu/builder.Dockerfile +++ /dev/null 
@@ -1,53 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get install -y \ - build-essential \ - python3-dev \ - python3-setuptools \ - automake \ - cmake \ - git \ - flex \ - bison \ - libglib2.0-dev \ - libpixman-1-dev \ - cargo \ - libgtk-3-dev \ - # for QEMU mode - ninja-build \ - gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ - libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev - -# Download afl++. -RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ - cd /afl && \ - git checkout 3b835b7c8b2f73be6d5972951d049cef66c24abd || \ - true - -# Build without Python support as we don't need it. -# Set AFL_NO_X86 to skip flaky tests. -RUN cd /afl && \ - unset CFLAGS CXXFLAGS && \ - export CC=clang AFL_NO_X86=1 && \ - PYTHON_INCLUDE=/ make && \ - make install && \ - cp utils/aflpp_driver/libAFLDriver.a / - -RUN cd /afl && \ - make -C custom_mutators/symqemu diff --git a/fuzzers/aflplusplus_symqemu/description.md b/fuzzers/aflplusplus_symqemu/description.md deleted file mode 100644 index f7eb407ad..000000000 --- a/fuzzers/aflplusplus_symqemu/description.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# aflplusplus - -AFL++ fuzzer instance that has the following config active for all benchmarks: - - PCGUARD instrumentation - - cmplog feature - - dict2file feature - - "fast" power schedule - - persistent mode + shared memory test cases - -Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_symqemu/fuzzer.py b/fuzzers/aflplusplus_symqemu/fuzzer.py deleted file mode 100755 index 74c3635ff..000000000 --- a/fuzzers/aflplusplus_symqemu/fuzzer.py +++ /dev/null 
@@ -1,289 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for AFLplusplus fuzzer.""" - -import os -import shutil - -from fuzzers.afl import fuzzer as afl_fuzzer -from fuzzers import utils - - -def get_cmplog_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'cmplog') - - -def get_uninstrumented_build_directory(target_directory): - """Return path to CmpLog target directory.""" - return os.path.join(target_directory, 'uninstrumented') - - -def build(*args): # pylint: disable=too-many-branches,too-many-statements - """Build benchmark.""" - # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide - # a default configuration. - - build_modes = list(args) - if 'BUILD_MODES' in os.environ: - build_modes = os.environ['BUILD_MODES'].split(',') - - # Placeholder comment. 
- build_directory = os.environ['OUT'] - - # If nothing was set this is the default: - if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] - - # For bug type benchmarks we have to instrument via native clang pcguard :( - build_flags = os.environ['CFLAGS'] - - if build_flags.find( - 'array-bounds' - ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: - if 'gcc' not in build_modes: - build_modes[0] = 'native' - - # Instrumentation coverage modes: - if 'lto' in build_modes: - os.environ['CC'] = '/afl/afl-clang-lto' - os.environ['CXX'] = '/afl/afl-clang-lto++' - edge_file = build_directory + '/aflpp_edges.txt' - os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file - if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): - os.environ['RANLIB'] = 'llvm-ranlib-13' - os.environ['AR'] = 'llvm-ar-13' - os.environ['AS'] = 'llvm-as-13' - elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): - os.environ['RANLIB'] = 'llvm-ranlib-12' - os.environ['AR'] = 'llvm-ar-12' - os.environ['AS'] = 'llvm-as-12' - else: - os.environ['RANLIB'] = 'llvm-ranlib' - os.environ['AR'] = 'llvm-ar' - os.environ['AS'] = 'llvm-as' - elif 'qemu' in build_modes: - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - elif 'gcc' in build_modes: - os.environ['CC'] = 'afl-gcc-fast' - os.environ['CXX'] = 'afl-g++-fast' - if build_flags.find('array-bounds') != -1: - os.environ['CFLAGS'] = '-fsanitize=address -O1' - os.environ['CXXFLAGS'] = '-fsanitize=address -O1' - else: - os.environ['CFLAGS'] = '' - os.environ['CXXFLAGS'] = '' - os.environ['CPPFLAGS'] = '' - else: - os.environ['CC'] = '/afl/afl-clang-fast' - os.environ['CXX'] = '/afl/afl-clang-fast++' - - print('AFL++ build: ') - print(build_modes) - - if 'qemu' in build_modes or 'symcc' in build_modes: - os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) - cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS - os.environ['CXXFLAGS'] = ' '.join(cxxflags) - - if 'tracepc' in build_modes 
or 'pcguard' in build_modes: - os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' - elif 'classic' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' - elif 'native' in build_modes: - os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' - - # Instrumentation coverage options: - # Do not use a fixed map location (LTO only) - if 'dynamic' in build_modes: - os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' - # Use a fixed map location (LTO only) - if 'fixed' in build_modes: - os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' - # Generate an extra dictionary. - if 'dict2file' in build_modes or 'native' in build_modes: - os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' - os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' - # Enable context sentitivity for LLVM mode (non LTO only) - if 'ctx' in build_modes: - os.environ['AFL_LLVM_CTX'] = '1' - # Enable N-gram coverage for LLVM mode (non LTO only) - if 'ngram2' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' - elif 'ngram3' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' - elif 'ngram4' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' - elif 'ngram5' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' - elif 'ngram6' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' - elif 'ngram7' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' - elif 'ngram8' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' - elif 'ngram16' in build_modes: - os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' - if 'ctx1' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '1' - elif 'ctx2' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '2' - elif 'ctx3' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '3' - elif 'ctx4' in build_modes: - os.environ['AFL_LLVM_CTX_K'] = '4' - - # Only one of the following OR cmplog - # enable laf-intel compare splitting - if 'laf' in build_modes: - os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' - os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' - 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' - if 'autodict' not in build_modes: - os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' - - if 'eclipser' in build_modes: - os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' - else: - os.environ['FUZZER_LIB'] = '/libAFLDriver.a' - - # Some benchmarks like lcms. (see: - # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) - # fail to compile if the compiler outputs things to stderr in unexpected - # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast - # from writing AFL specific messages to stderr. - os.environ['AFL_QUIET'] = '1' - os.environ['AFL_MAP_SIZE'] = '2621440' - - src = os.getenv('SRC') - work = os.getenv('WORK') - - with utils.restore_directory(src), utils.restore_directory(work): - # Restore SRC to its initial state so we can build again without any - # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run - # twice in the same directory without this. - utils.build_benchmark() - - if 'cmplog' in build_modes and 'qemu' not in build_modes: - - # CmpLog requires an build with different instrumentation. - new_env = os.environ.copy() - new_env['AFL_LLVM_CMPLOG'] = '1' - - # For CmpLog build, set the OUT and FUZZ_TARGET environment - # variable to point to the new CmpLog build directory. - cmplog_build_directory = get_cmplog_build_directory(build_directory) - os.mkdir(cmplog_build_directory) - new_env['OUT'] = cmplog_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for CmpLog fuzzing target') - utils.build_benchmark(env=new_env) - - if 'symcc' in build_modes: - - symcc_build_directory = get_uninstrumented_build_directory( - build_directory) - os.mkdir(symcc_build_directory) - - # symcc requires an build with different instrumentation. 
- new_env = os.environ.copy() - new_env['CC'] = '/symcc/build/symcc' - new_env['CXX'] = '/symcc/build/sym++' - new_env['SYMCC_OUTPUT_DIR'] = '/tmp' - new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') - new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' - new_env['OUT'] = symcc_build_directory - new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' - new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' - new_env['SYMCC_SILENT'] = '1' - - # For symcc build, set the OUT and FUZZ_TARGET environment - # variable to point to the new symcc build directory. - new_env['OUT'] = symcc_build_directory - fuzz_target = os.getenv('FUZZ_TARGET') - if fuzz_target: - new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, - os.path.basename(fuzz_target)) - - print('Re-building benchmark for symcc fuzzing target') - utils.build_benchmark(env=new_env) - - shutil.copy('/afl/afl-fuzz', build_directory) - if os.path.exists('/afl/afl-qemu-trace'): - shutil.copy('/afl/afl-qemu-trace', build_directory) - if os.path.exists('/aflpp_qemu_driver_hook.so'): - shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) - if os.path.exists('/get_frida_entry.sh'): - shutil.copy('/afl/afl-frida-trace.so', build_directory) - shutil.copy('/get_frida_entry.sh', build_directory) - if os.path.exists('/afl/custom_mutators/symqemu/symqemu-mutator.so'): - shutil.copy('/afl/custom_mutators/symqemu/symqemu-mutator.so', - build_directory) - - -# pylint: disable=too-many-arguments -def fuzz(input_corpus, - output_corpus, - target_binary, - flags=tuple(), - skip=False, - no_cmplog=False): # pylint: disable=too-many-arguments - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. 
- target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = ( - get_cmplog_build_directory(target_binary_directory)) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - afl_fuzzer.prepare_fuzz_environment(input_corpus) - # decomment this to enable libdislocator. - # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t - # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' - - flags = list(flags) - - if os.path.exists('./afl++.dict'): - flags += ['-x', './afl++.dict'] - - # Move the following to skip for upcoming _double tests: - if os.path.exists(cmplog_target_binary) and no_cmplog is False: - flags += ['-c', cmplog_target_binary] - - #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' - os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' - os.environ['AFL_FAST_CAL'] = '1' - os.environ['AFL_NO_WARN_INSTABILITY'] = '1' - os.environ['AFL_DISABLE_TRIM'] = '1' - os.environ['AFL_CUSTOM_MUTATOR_LIBRARY'] = '/out/symqemu-mutator.so' - os.environ['AFL_SYNC_TIME'] = '1' - os.environ['SYMQEMU_LATE'] = '1' - os.environ['AFL_CUSTOM_INFO_PROGRAM_ARGV'] = '-' - - if not skip: - os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - - afl_fuzzer.run_afl_fuzz(input_corpus, - output_corpus, - target_binary, - additional_flags=flags) diff --git a/fuzzers/aflplusplus_symqemu/runner.Dockerfile b/fuzzers/aflplusplus_symqemu/runner.Dockerfile deleted file mode 100644 index 9e7f01a08..000000000 --- a/fuzzers/aflplusplus_symqemu/runner.Dockerfile +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -RUN sed -i 's/# deb/deb/' /etc/apt/sources.list - -RUN apt-get update || true - -RUN apt-get install -y wget libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates - -RUN apt-get install -y ninja-build python zlib1g-dev cargo - -RUN apt-get install -y \ - libtool \ - wget \ - automake \ - autoconf \ - bison \ - git \ - build-essential \ - gdb \ - g++ \ - cmake \ - cargo \ - rustc \ - sudo \ - joe \ - vim \ - zlib1g \ - zlib1g-dev \ - wget \ - bison \ - flex \ - gdb \ - strace - -RUN apt-get build-dep -y qemu - -RUN pip3 install lit - -RUN git clone --depth=1 https://github.com/eurecom-s3/symcc - -RUN apt-get install -y clang-12 llvm-12 -ENV CC=clang-12 -ENV CXX=clang++-12 - -RUN cd /symcc && git submodule update --init && \ - mkdir build && \ - cd build && \ - cmake -G Ninja -DQSYM_BACKEND=ON -DZ3_TRUST_SYSTEM_VERSION=on .. 
&& \ - ninja - -RUN cd /symcc && git clone --depth=1 https://github.com/eurecom-s3/symqemu - -RUN cd /symcc/symqemu && \ - ./configure \ - --audio-drv-list= \ - --disable-bluez \ - --disable-sdl \ - --disable-gtk \ - --disable-vte \ - --disable-opengl \ - --disable-virglrenderer \ - --target-list=x86_64-linux-user \ - --disable-werror \ - --enable-capstone=git \ - --symcc-source=/symcc/ \ - --symcc-build=/symcc/build && \ - make -j$(nproc) - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out:/symcc/symqemu/x86_64-linux-user" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 - diff --git a/fuzzers/aflsmart/README.md b/fuzzers/aflsmart/README.md deleted file mode 100644 index df780998f..000000000 --- a/fuzzers/aflsmart/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Supported benchmarks - -[AFLSmart](https://github.com/aflsmart/aflsmart) is a structure-aware greybox-fuzzer and it is designed to work best for programs taking chunk-based file formats (e.g., JPEG, PNG and many others) as inputs. To fully enable its structure-aware mode, AFLSmart requires input models (e.g., grammar). So if you evaluate AFLSmart on FuzzBench, please focus on the results for the following benchmarks. We keep trying to include more input models so that more benchmarks will be supported. - -1. libpng-1.2.56 - -2. libjpeg-turbo-07-2017 - -3. libpcap_fuzz_both - -4. freetype2-2017 - -5. vorbis-2017-12-11 - -6. bloaty_fuzz_target - -Since the experiment summary diagram of the default FuzzBench report is automatically generated based on the results of all benchmarks, many of them have not been supported by AFLSmart, the ranking of AFLSmart in that diagram may not be correct. - diff --git a/fuzzers/aflsmart/builder.Dockerfile b/fuzzers/aflsmart/builder.Dockerfile deleted file mode 100644 index dcb8eb7a9..000000000 
--- a/fuzzers/aflsmart/builder.Dockerfile +++ /dev/null 
@@ -1,70 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install gcc-4.4 & g++-4.4 required by Peach while running on Ubuntu 16.04.
-# Install Python2 and Pip2 required by AFLSmart on Ubuntu:20.04.
-RUN echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty main' >> \
- /etc/apt/sources.list && \
- echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty universe' >> \
- /etc/apt/sources.list && \
- apt-get update && \
- apt-get install -y \
- gcc-4.4 \
- g++-4.4 \
- unzip \
- wget \
- tzdata \
- python2 && \
- curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && \
- python2 get-pip.py && \
- rm /usr/bin/python && \
- ln -s /usr/bin/python2.7 /usr/bin/python
-
-# Install AFLSmart dependencies.
-RUN dpkg --add-architecture i386 && \
- apt-get update && \
- apt-get install -y \
- apt-utils \
- libc6-dev-i386 \
- g++-multilib \
- mono-complete \
- software-properties-common
-
-# Download and compile AFLSmart.
-RUN git clone https://github.com/aflsmart/aflsmart /afl && \
- cd /afl && \
- git checkout 4286ae47e0e5d8c412f91aae94ef9d11fb97dfd8 && \
- AFL_NO_X86=1 make
-
-# Setup Peach.
-# Set CFLAGS="" so that we don't use the CFLAGS defined in OSS-Fuzz images.
-# Use a copy of
-# https://sourceforge.net/projects/peachfuzz/files/Peach/3.0/peach-3.0.202-source.zip
-# to avoid network flakiness.
-RUN cd /afl && \
- wget https://storage.googleapis.com/fuzzbench-files/peach-3.0.202-source.zip && \
- unzip peach-3.0.202-source.zip && \
- patch -p1 < peach-3.0.202.patch && \
- cd peach-3.0.202-source && \
- CC=gcc-4.4 CXX=g++-4.4 CFLAGS="" CXXFLAGS="-std=c++0x" ./waf configure && \
- CC=gcc-4.4 CXX=g++-4.4 CFLAGS="" CXXFLAGS="-std=c++0x" ./waf install
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/aflsmart/fuzzer.py b/fuzzers/aflsmart/fuzzer.py
deleted file mode 100755
index 9f60116a2..000000000
--- a/fuzzers/aflsmart/fuzzer.py
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFLSmart fuzzer."""
-
-import os
-import shutil
-import glob
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
- # Copy Peach binaries to OUT
- shutil.copytree('/afl/peach-3.0.202-source/output/linux_x86_64_debug/bin',
- os.environ['OUT'] + '/peach-3.0.202')
-
- # Copy supported input models
- for file in glob.glob('/afl/input_models/*.xml'):
- print(file)
- shutil.copy(file, os.environ['OUT'])
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- os.environ['PATH'] += os.pathsep + '/out/peach-3.0.202/'
-
- composite_mode = False
- input_model = ''
- benchmark_name = os.environ['BENCHMARK']
- if benchmark_name == 'libpng-1.6.38':
- input_model = 'png.xml'
- if benchmark_name == 'libpcap_fuzz_both':
- input_model = 'pcap.xml'
- if benchmark_name == 'libjpeg-turbo-07-2017':
- input_model = 'jpeg.xml'
- if benchmark_name == 'freetype2-2017':
- input_model = 'xtf.xml'
- if benchmark_name == 'vorbis-2017-12-11':
- input_model = 'ogg.xml'
- if benchmark_name == 'bloaty_fuzz_target':
- input_model = 'bloaty_composite.xml'
- composite_mode = True
-
- additional_flags = [
- # Enable stacked mutations
- '-h',
- # Enable structure-aware fuzzing
- '-w',
- 'peach',
- # Select input model
- '-g',
- input_model,
- ]
-
- # Enable composite mode for targets
- # taking multiple input formats like bloaty
- if composite_mode:
- additional_flags.append('-c')
-
- if input_model != '':
- afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
- additional_flags)
- else:
- afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary)
diff --git a/fuzzers/aflsmart/runner.Dockerfile b/fuzzers/aflsmart/runner.Dockerfile
deleted file mode 100644
index 1e9046888..000000000
--- a/fuzzers/aflsmart/runner.Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get update -y && \
- DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC \
- apt-get install -y \
- mono-complete \
- tzdata
diff --git a/fuzzers/aflsmart_plusplus/README.md b/fuzzers/aflsmart_plusplus/README.md
deleted file mode 100644
index 47f35d9b1..000000000
--- a/fuzzers/aflsmart_plusplus/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-[AFLSmart++](https://github.com/thuanpv/aflsmart) is an extension of AFLSmart. Like AFLSmart, it is a structure-aware greybox-fuzzer and it is designed to work best for programs taking chunk-based file formats (e.g., JPEG, PNG and many others) as inputs.
-
diff --git a/fuzzers/aflsmart_plusplus/builder.Dockerfile b/fuzzers/aflsmart_plusplus/builder.Dockerfile
deleted file mode 100644
index 43bd48d92..000000000
--- a/fuzzers/aflsmart_plusplus/builder.Dockerfile
+++ /dev/null
@@ -1,77 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install gcc-4.4 & g++-4.4 required by Peach while running on Ubuntu 16.04.
-# Install Python2 and Pip2 required by AFLSmart on Ubuntu:20.04.
-RUN echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty main' >> \
- /etc/apt/sources.list && \
- echo 'deb http://dk.archive.ubuntu.com/ubuntu/ trusty universe' >> \
- /etc/apt/sources.list && \
- apt-get update && \
- apt-get install -y \
- gcc-4.4 \
- g++-4.4 \
- unzip \
- wget \
- tzdata \
- python2 && \
- curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py && \
- python2 get-pip.py && \
- rm /usr/bin/python && \
- ln -s /usr/bin/python2.7 /usr/bin/python
-
-# Install AFLSmart dependencies.
-RUN dpkg --add-architecture i386 && \
- apt-get update && \
- apt-get install -y \
- apt-utils \
- libc6-dev-i386 \
- g++-multilib \
- software-properties-common
-
-RUN apt install gnupg ca-certificates && \
- apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 \
- --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF && \
- echo "deb https://download.mono-project.com/repo/ubuntu stable-focal main" \
- | tee /etc/apt/sources.list.d/mono-official-stable.list && \
- apt update && \
- apt install -y monodoc-manual mono-complete
-
-# Download and compile AFLSmart.
-RUN git clone https://github.com/thuanpv/aflsmart /afl && \
- cd /afl && \
- git checkout de0b3855b0e688b3a9f52ccb241d2ebaf3d7f6b4 && \
- AFL_NO_X86=1 make
-
-# Setup Peach.
-# Set CFLAGS="" so that we don't use the CFLAGS defined in OSS-Fuzz images.
-# Use a copy of
-# https://sourceforge.net/projects/peachfuzz/files/Peach/3.0/peach-3.0.202-source.zip
-# to avoid network flakiness.
-RUN cd /afl && \
- wget https://storage.googleapis.com/fuzzbench-files/peach-3.0.202-source.zip && \
- unzip peach-3.0.202-source.zip && \
- patch -p1 < peach-3.0.202.patch && \
- cd peach-3.0.202-source && \
- CC=gcc-4.4 CXX=g++-4.4 CFLAGS="" CXXFLAGS="-std=c++0x" ./waf configure && \
- CC=gcc-4.4 CXX=g++-4.4 CFLAGS="" CXXFLAGS="-std=c++0x" ./waf install
-
-# Use afl_driver.cpp from LLVM as our fuzzing library.
-RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \
- clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \
- clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \
- ar r /libAFL.a *.o
diff --git a/fuzzers/aflsmart_plusplus/fuzzer.py b/fuzzers/aflsmart_plusplus/fuzzer.py
deleted file mode 100755
index 7eaf6d05c..000000000
--- a/fuzzers/aflsmart_plusplus/fuzzer.py
+++ /dev/null
@@ -1,62 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for AFLSmart++ fuzzer."""
-
-import os
-import shutil
-import glob
-
-from fuzzers.afl import fuzzer as afl_fuzzer
-
-
-def build():
- """Build benchmark."""
- afl_fuzzer.build()
-
- # Copy Peach binaries to OUT
- shutil.copytree('/afl/peach-3.0.202-source/output/linux_x86_64_debug/bin',
- os.environ['OUT'] + '/peach-3.0.202')
-
- # Copy supported input models
- for file in glob.glob('/afl/input_models/*.xml'):
- print(file)
- shutil.copy(file, os.environ['OUT'])
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run afl-fuzz on target."""
- afl_fuzzer.prepare_fuzz_environment(input_corpus)
- os.environ['PATH'] += os.pathsep + '/out/peach-3.0.202/'
-
- input_model = 'all_composite.xml'
-
- additional_flags = [
- # Enable stacked mutations
- '-h',
- # Enable structure-aware fuzzing
- '-w',
- 'peach',
- # Select input model
- '-g',
- input_model,
- # Choose FAVOR chunk type selection algo
- '-s',
- '2',
- # Reduce the chance of doing "destructive" mutations
- '-D',
- '50',
- ]
-
- afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
- additional_flags)
diff --git a/fuzzers/aflsmart_plusplus/runner.Dockerfile b/fuzzers/aflsmart_plusplus/runner.Dockerfile
deleted file mode 100644
index 1e9046888..000000000
--- a/fuzzers/aflsmart_plusplus/runner.Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-RUN apt-get update -y && \
- DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC \
- apt-get install -y \
- mono-complete \
- tzdata
diff --git a/fuzzers/centipede/builder.Dockerfile b/fuzzers/centipede/builder.Dockerfile
deleted file mode 100644
index a1cd4e3d2..000000000
--- a/fuzzers/centipede/builder.Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-ENV CENTIPEDE_SRC=/src/centipede
-
-# Remove the Centipede from OSS-Fuzz base-builder and rebuild centipede.
-RUN rm -rf "$CENTIPEDE_SRC" && \
- git clone -n \
- https://github.com/google/centipede.git "$CENTIPEDE_SRC" && \
- echo 'build --client_env=CC=clang --cxxopt=-std=c++17 ' \
- '--cxxopt=-stdlib=libc++ --linkopt=-lc++' >> ~/.bazelrc && \
- (cd "$CENTIPEDE_SRC" && \
- git checkout 2a2c78a2c161d99f5962b9710bce61feb00acc3d && \
- ./install_dependencies_debian.sh && \
- bazel build -c opt :all) && \
- cp "$CENTIPEDE_SRC/bazel-bin/centipede" '/out/centipede'
-
-RUN /clang/bin/clang "$CENTIPEDE_SRC/weak_sancov_stubs.cc" -c -o /lib/weak.o
diff --git a/fuzzers/centipede/fuzzer.py b/fuzzers/centipede/fuzzer.py
deleted file mode 100755
index fbcc358c4..000000000
--- a/fuzzers/centipede/fuzzer.py
+++ /dev/null
@@ -1,90 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for centipede fuzzer."""
-
-import subprocess
-import os
-
-from fuzzers import utils
-
-
-def build():
- """Build benchmark."""
- san_cflags = ['-fsanitize-coverage=trace-loads']
-
- link_cflags = [
- '-Wno-unused-command-line-argument',
- '-Wl,-ldl,-lrt,-lpthread,/lib/weak.o'
- ]
-
- # TODO(Dongge): Build targets with sanitizers.
- with open('/src/centipede/clang-flags.txt', 'r',
- encoding='utf-8') as clang_flags_handle:
- centipede_cflags = [
- line.strip() for line in clang_flags_handle.readlines()
- ]
-
- cflags = san_cflags + centipede_cflags + link_cflags
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
- utils.append_flags('LDFLAGS', ['/lib/weak.o'])
-
- os.environ['CC'] = '/clang/bin/clang'
- os.environ['CXX'] = '/clang/bin/clang++'
- os.environ['FUZZER_LIB'] = (
- '/src/centipede/bazel-bin/libcentipede_runner.pic.a')
- utils.build_benchmark()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer. Wrapper that uses the defaults when calling run_fuzzer."""
- run_fuzzer(input_corpus, output_corpus, target_binary)
-
-
-def run_fuzzer(input_corpus, output_corpus, target_binary, extra_flags=None):
- """Run fuzzer."""
- if extra_flags is None:
- extra_flags = []
-
- # Seperate out corpus and crash directories as sub-directories of
- # |output_corpus| to avoid conflicts when corpus directory is reloaded.
- work_dir = os.path.join(output_corpus, 'work-dir')
- work_dir_crash = os.path.join(work_dir, 'crashes')
- crashes_dir = os.path.join(output_corpus, 'crashes')
- output_corpus = os.path.join(output_corpus, 'corpus')
- os.makedirs(work_dir)
- os.symlink(crashes_dir, work_dir_crash)
- os.makedirs(crashes_dir)
- os.makedirs(output_corpus)
-
- flags = [
- f'--workdir={work_dir}',
- f'--corpus_dir={output_corpus},{input_corpus}',
- f'--binary={target_binary}',
- # Run in fork mode to allow ignoring ooms, timeouts, crashes and
- # continue fuzzing indefinitely.
- '--fork_server=1',
- '--exit_on_crash=0',
- '--timeout=1200',
- '--rss_limit_mb=0',
- '--address_space_limit_mb=0',
- ]
- flags += extra_flags
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- flags.append(f'--dictionary={dictionary_path}')
-
- command = ['/out/centipede'] + flags
- print('[run_fuzzer] Running command: ' + ' '.join(command))
- subprocess.check_call(command)
diff --git a/fuzzers/centipede/runner.Dockerfile b/fuzzers/centipede/runner.Dockerfile
deleted file mode 100644
index ac592776b..000000000
--- a/fuzzers/centipede/runner.Dockerfile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 2022 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
diff --git a/fuzzers/honggfuzz/builder.Dockerfile b/fuzzers/honggfuzz/builder.Dockerfile
deleted file mode 100644
index 11a483288..000000000
--- a/fuzzers/honggfuzz/builder.Dockerfile
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# honggfuzz requires libfd and libunwid.
-RUN apt-get update -y && \
- apt-get install -y \
- libbfd-dev \
- libunwind-dev \
- libblocksruntime-dev \
- liblzma-dev
-
-# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb
-# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
-# dependent code that may not work on the machines we actually fuzz on.
-# Create an empty object file which will become the FUZZER_LIB lib (since
-# honggfuzz doesn't need this when hfuzz-clang(++) is used).
-RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
- cd /honggfuzz && \
- git checkout oss-fuzz && \
- CFLAGS="-O3 -funroll-loops" make && \
- touch empty_lib.c && \
- cc -c -o empty_lib.o empty_lib.c
\ No newline at end of file
diff --git a/fuzzers/honggfuzz/fuzzer.py b/fuzzers/honggfuzz/fuzzer.py
deleted file mode 100644
index 7a75a17fd..000000000
--- a/fuzzers/honggfuzz/fuzzer.py
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Integration code for Honggfuzz fuzzer."""
-
-import os
-import shutil
-import subprocess
-
-from fuzzers import utils
-
-
-def build():
- """Build benchmark."""
- # honggfuzz doesn't need additional libraries when code is compiled
- # with hfuzz-clang(++)
- os.environ['CC'] = '/honggfuzz/hfuzz_cc/hfuzz-clang'
- os.environ['CXX'] = '/honggfuzz/hfuzz_cc/hfuzz-clang++'
- os.environ['FUZZER_LIB'] = '/honggfuzz/empty_lib.o'
-
- utils.build_benchmark()
-
- print('[post_build] Copying honggfuzz to $OUT directory')
- # Copy over honggfuzz's main fuzzing binary.
- shutil.copy('/honggfuzz/honggfuzz', os.environ['OUT'])
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- # Seperate out corpus and crash directories as sub-directories of
- # |output_corpus| to avoid conflicts when corpus directory is reloaded.
- crashes_dir = os.path.join(output_corpus, 'crashes')
- output_corpus = os.path.join(output_corpus, 'corpus')
- os.makedirs(crashes_dir)
- os.makedirs(output_corpus)
-
- print('[fuzz] Running target with honggfuzz')
- command = [
- './honggfuzz',
- '--persistent',
- '--rlimit_rss',
- '2048',
- '--sanitizers_del_report=true',
- '--input',
- input_corpus,
- '--output',
- output_corpus,
-
- # Store crashes along with corpus for bug based benchmarking.
- '--crashdir',
- crashes_dir,
- ]
- dictionary_path = utils.get_dictionary_path(target_binary)
- if dictionary_path:
- command.extend(['--dict', dictionary_path])
- command.extend(['--', target_binary])
-
- print('[fuzz] Running command: ' + ' '.join(command))
- subprocess.check_call(command)
diff --git a/fuzzers/honggfuzz/runner.Dockerfile b/fuzzers/honggfuzz/runner.Dockerfile
deleted file mode 100644
index f3eb30039..000000000
--- a/fuzzers/honggfuzz/runner.Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# honggfuzz requires libfd and libunwid
-RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev
diff --git a/fuzzers/libafl/builder.Dockerfile b/fuzzers/libafl/builder.Dockerfile
deleted file mode 100644
index f1d027780..000000000
--- a/fuzzers/libafl/builder.Dockerfile
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Uninstall old Rust & Install the latest one.
-RUN if which rustup; then rustup self uninstall -y; fi && \
- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
- sh /rustup.sh --default-toolchain nightly-2023-03-29 -y && \
- rm /rustup.sh
-
-# Install dependencies.
-RUN apt-get update && \
- apt-get remove -y llvm-10 && \
- apt-get install -y \
- build-essential \
- llvm-11 \
- clang-12 \
- cargo && \
- apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
- libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
- apt-utils apt-transport-https ca-certificates joe curl && \
- PATH="/root/.cargo/bin/:$PATH" cargo install cargo-make
-
-# Download libafl.
-RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
-
-# Checkout a current commit
-RUN cd /libafl && git checkout 8ff8ae41f1ed2956bb1e906c5c7bd0505ca110c0 || true
-# Note that due a nightly bug it is currently fixed to a known version on top!
-
-# Compile libafl.
-RUN cd /libafl && \
- unset CFLAGS CXXFLAGS && \
- export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- cd ./fuzzers/fuzzbench && \
- PATH="/root/.cargo/bin/:$PATH" cargo build --release --features no_link_main
-
-# Auxiliary weak references.
-RUN cd /libafl/fuzzers/fuzzbench && \
- clang -c stub_rt.c && \
- ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl/description.md b/fuzzers/libafl/description.md
deleted file mode 100644
index ea9b947d6..000000000
--- a/fuzzers/libafl/description.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# libafl
-
-libafl fuzzer instance
- - cmplog feature
- - persistent mode
-
-Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl/fuzzer.py b/fuzzers/libafl/fuzzer.py
deleted file mode 100755
index d00bb1dd5..000000000
--- a/fuzzers/libafl/fuzzer.py
+++ /dev/null
@@ -1,67 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-"""Integration code for a LibAFL-based fuzzer."""
-
-import os
-import subprocess
-
-from fuzzers import utils
-
-
-def prepare_fuzz_environment(input_corpus):
- """Prepare to fuzz with a LibAFL-based fuzzer."""
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\
- 'malloc_context_size=0:symbolize=0:'\
- 'allocator_may_return_null=1:'\
- 'detect_odr_violation=0:handle_segv=0:'\
- 'handle_sigbus=0:handle_abort=0:'\
- 'handle_sigfpe=0:handle_sigill=0'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\
- 'allocator_release_to_os_interval_ms=500:'\
- 'handle_abort=0:handle_segv=0:'\
- 'handle_sigbus=0:handle_sigfpe=0:'\
- 'handle_sigill=0:print_stacktrace=0:'\
- 'symbolize=0:symbolize_inline_frames=0'
- # Create at least one non-empty seed to start.
- utils.create_seed_file_for_empty_corpus(input_corpus)
-
-
-def build(): # pylint: disable=too-many-branches,too-many-statements
- """Build benchmark."""
- os.environ['CC'] = '/libafl/fuzzers/fuzzbench/target/release/libafl_cc'
- os.environ['CXX'] = '/libafl/fuzzers/fuzzbench/target/release/libafl_cxx'
-
- os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1'
- os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0'
-
- cflags = ['--libafl']
- utils.append_flags('CFLAGS', cflags)
- utils.append_flags('CXXFLAGS', cflags)
- utils.append_flags('LDFLAGS', cflags)
-
- os.environ['FUZZER_LIB'] = '/stub_rt.a'
- utils.build_benchmark()
-
-
-def fuzz(input_corpus, output_corpus, target_binary):
- """Run fuzzer."""
- prepare_fuzz_environment(input_corpus)
- dictionary_path = utils.get_dictionary_path(target_binary)
- command = [target_binary]
- if dictionary_path:
- command += (['-x', dictionary_path])
- command += (['-o', output_corpus, '-i', input_corpus])
- print(command)
- subprocess.check_call(command, cwd=os.environ['OUT'])
diff --git a/fuzzers/libafl/runner.Dockerfile b/fuzzers/libafl/runner.Dockerfile
deleted file mode 100644
index 7aa1da8e4..000000000
--- a/fuzzers/libafl/runner.Dockerfile
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-FROM gcr.io/fuzzbench/base-image
-
-# This makes interactive docker runs painless:
-ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
-#ENV AFL_MAP_SIZE=2621440
-ENV PATH="$PATH:/out"
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
-ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_forkserver/builder.Dockerfile b/fuzzers/libafl_forkserver/builder.Dockerfile
deleted file mode 100644
index d0894e72f..000000000
--- a/fuzzers/libafl_forkserver/builder.Dockerfile
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ARG parent_image
-FROM $parent_image
-
-# Install dependencies.
-RUN apt-get update && \
- apt-get install -y build-essential libstdc++5 libtool-bin automake flex \
- bison libglib2.0-dev python3-setuptools unzip python3-dev joe curl \
- cmake git apt-utils apt-transport-https ca-certificates libdbus-1-dev
-
-# Uninstall old Rust & Install the latest one.
-RUN if which rustup; then rustup self uninstall -y; fi && \
- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
- sh /rustup.sh --default-toolchain nightly -y && \
- rm /rustup.sh
-
-# Download afl++.
-RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
-
-# Checkout a current commit
-RUN cd /afl && git checkout 8cdc48f73a17ddd557897f2098937a8ba3bfe184
-
-# Build without Python support as we don't need it.
-# Set AFL_NO_X86 to skip flaky tests.
-RUN cd /afl && \
- unset CFLAGS CXXFLAGS && \
- export CC=clang AFL_NO_X86=1 && \
- PYTHON_INCLUDE=/ make && \
- make install && \
- cp utils/aflpp_driver/libAFLDriver.a /
-
-# Download libafl.
-RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
-
-# Checkout a current commit
-RUN cd /libafl && git checkout 664e87809e6005f1814df1b55a345e7b2247f15b
-
-# Compile libafl.
-RUN cd /libafl && \
- unset CFLAGS CXXFLAGS && \
- cd ./fuzzers/fuzzbench_forkserver && \
- PATH="/root/.cargo/bin/:$PATH" cargo build --release
-
diff --git a/fuzzers/libafl_forkserver/description.md b/fuzzers/libafl_forkserver/description.md
deleted file mode 100644
index 445a27663..000000000
--- a/fuzzers/libafl_forkserver/description.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# aflplusplus
-
-AFL++ fuzzer instance that has the following config active for all benchmarks:
- - PCGUARD instrumentation
- - cmplog feature
- - "fast" power schedule
- - persistent mode + shared memory test cases
-
-Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
-
-[builder.Dockerfile](builder.Dockerfile)
-[fuzzer.py](fuzzer.py)
-[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_forkserver/fuzzer.py b/fuzzers/libafl_forkserver/fuzzer.py
deleted file mode 100755
index c8b66976f..000000000
--- a/fuzzers/libafl_forkserver/fuzzer.py
+++ /dev/null
@@ -1,67 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -"""Integration code for a LibAFL fuzzer with an AFL++ forkserver.""" - -import os -import shutil -import subprocess - -from fuzzers import utils -from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer -from fuzzers.libafl import fuzzer as libafl_fuzzer - - -def build(): - """Build benchmark.""" - # Build the target with AFL++ - aflplusplus_fuzzer.build('tracepc', 'cmplog', 'dict2file') - - # Copy to fuzzer to OUT - build_directory = os.environ['OUT'] - fuzzer = '/libafl/fuzzers/fuzzbench_forkserver/' \ - 'target/release/fuzzbench_forkserver' - shutil.copy(fuzzer, build_directory) - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer.""" - # Calculate CmpLog binary path from the instrumented target binary. 
- target_binary_directory = os.path.dirname(target_binary) - cmplog_target_binary_directory = \ - aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory) - target_binary_name = os.path.basename(target_binary) - cmplog_target_binary = os.path.join(cmplog_target_binary_directory, - target_binary_name) - - # Setup env vars - libafl_fuzzer.prepare_fuzz_environment(input_corpus) - - # Merge dictionaries - dictionary_path = utils.get_dictionary_path(target_binary) - if os.path.exists('./afl++.dict'): - if dictionary_path: - with open('./afl++.dict', encoding='utf-8') as dictfile: - autodict = dictfile.read() - with open(dictionary_path, 'a', encoding='utf-8') as dictfile: - dictfile.write(autodict) - else: - dictionary_path = './afl++.dict' - - # Run the fuzzer - command = ['./fuzzbench_forkserver', '-c', cmplog_target_binary] - if dictionary_path: - command += (['-x', dictionary_path]) - command += (['-o', output_corpus, '-i', input_corpus, target_binary]) - print(command) - subprocess.check_call(command) diff --git a/fuzzers/libafl_forkserver/runner.Dockerfile b/fuzzers/libafl_forkserver/runner.Dockerfile deleted file mode 100644 index 7aa1da8e4..000000000 --- a/fuzzers/libafl_forkserver/runner.Dockerfile +++ /dev/null 
@@ -1,23 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image - -# This makes interactive docker runs painless: -ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" -#ENV AFL_MAP_SIZE=2621440 -ENV PATH="$PATH:/out" -ENV AFL_SKIP_CPUFREQ=1 -ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 -ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/libafl_libfuzzer/builder.Dockerfile b/fuzzers/libafl_libfuzzer/builder.Dockerfile deleted file mode 100644 index 54d4bf776..000000000 --- a/fuzzers/libafl_libfuzzer/builder.Dockerfile +++ /dev/null 
@@ -1,44 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ARG parent_image -FROM $parent_image - -RUN apt-get update && \ - apt-get remove -y llvm-10 && \ - apt-get install -y \ - build-essential \ - llvm-11 \ - clang-12 && \ - apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ - libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ - apt-utils apt-transport-https ca-certificates joe curl - -# Uninstall old Rust & Install the latest one. -RUN if which rustup; then rustup self uninstall -y; fi && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ - sh /rustup.sh --default-toolchain nightly -y && \ - rm /rustup.sh - -# Download libafl. -RUN git clone \ - --branch libfuzzer \ - https://github.com/AFLplusplus/libafl /libafl && \ - cd /libafl && \ - git checkout d31f82387d1d233771ff1e13ef7e49cdb508410f && \ - unset CFLAGS CXXFLAGS && \ - export LIBAFL_EDGES_MAP_SIZE=2621440 && \ - cd ./libafl_libfuzzer/libafl_libfuzzer_runtime && \ - env -i CXX=$CXX CC=$CC PATH="/root/.cargo/bin/:$PATH" cargo build --release --no-default-features && \ - cp ./target/release/libafl_libfuzzer_runtime.a /usr/lib/libFuzzer.a diff --git a/fuzzers/libafl_libfuzzer/description.md b/fuzzers/libafl_libfuzzer/description.md deleted file mode 100644 index 69107e2eb..000000000 --- a/fuzzers/libafl_libfuzzer/description.md +++ /dev/null 
@@ -1,11 +0,0 @@ -# libafl_libfuzzer - -`libafl_libfuzzer` is a libfuzzer shim which attempts to replicate as many of the features of libfuzzer as possible -without utilising any customisation from the compiler, making it compatible with all libfuzzer targets while also using -all the advanced features of libafl. - -Repository: [LibAFL/libfuzzer](https://github.com/AFLplusplus/LibAFL/tree/libfuzzer) - -[builder.Dockerfile](builder.Dockerfile) -[fuzzer.py](fuzzer.py) -[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/libafl_libfuzzer/fuzzer.py b/fuzzers/libafl_libfuzzer/fuzzer.py deleted file mode 100755 index 50a2932d9..000000000 --- a/fuzzers/libafl_libfuzzer/fuzzer.py +++ /dev/null 
@@ -1,117 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -"""Integration code for a LibAFL-based fuzzer.""" - -import os -import subprocess - -from fuzzers import utils - - -def prepare_fuzz_environment(): - """Prepare to fuzz with a LibAFL-based fuzzer.""" - os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:' \ - 'malloc_context_size=0:symbolize=0:' \ - 'allocator_may_return_null=1:' \ - 'detect_odr_violation=0:handle_segv=0:' \ - 'handle_sigbus=0:handle_abort=0:' \ - 'handle_sigfpe=0:handle_sigill=0' - os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:' \ - 'allocator_release_to_os_interval_ms=500:' \ - 'handle_abort=0:handle_segv=0:' \ - 'handle_sigbus=0:handle_sigfpe=0:' \ - 'handle_sigill=0:print_stacktrace=0:' \ - 'symbolize=0:symbolize_inline_frames=0' - - -def build(): - """Build benchmark.""" - # With LibFuzzer we use -fsanitize=fuzzer-no-link for build CFLAGS and then - # /usr/lib/libFuzzer.a as the FUZZER_LIB for the main fuzzing binary. This - # allows us to link against a version of LibFuzzer that we specify. 
- cflags = ['-fsanitize=fuzzer-no-link'] - utils.append_flags('CFLAGS', cflags) - utils.append_flags('CXXFLAGS', cflags) - - os.environ['CC'] = 'clang' - os.environ['CXX'] = 'clang++' - - # merge all of our lib into a single .o, then pack that into a static lib - subprocess.check_call([ - '/usr/bin/ld', '-Ur', '--whole-archive', '/usr/lib/libFuzzer.a', '-o', - '/tmp/libFuzzerMerged.o' - ]) - subprocess.check_call(['/usr/bin/rm', '/usr/lib/libFuzzer.a']) - subprocess.check_call( - ['/usr/bin/ar', 'cr', '/usr/lib/libFuzzer.a', '/tmp/libFuzzerMerged.o']) - - os.environ['FUZZER_LIB'] = '/usr/lib/libFuzzer.a' - - utils.build_benchmark() - - -def fuzz(input_corpus, output_corpus, target_binary): - """Run fuzzer. Wrapper that uses the defaults when calling - run_fuzzer.""" - run_fuzzer(input_corpus, output_corpus, target_binary) - - -def run_fuzzer(input_corpus, output_corpus, target_binary, extra_flags=None): - """Run fuzzer.""" - if extra_flags is None: - extra_flags = [] - - # ASAN doesn't play nicely with our signal handling - # in the future, we will make this more compatible with libfuzzer, but - # for the initial implementation, we consider this sufficient - prepare_fuzz_environment() - - # Seperate out corpus and crash directories as sub-directories of - # |output_corpus| to avoid conflicts when corpus directory is reloaded. - crashes_dir = os.path.join(output_corpus, 'crashes') - output_corpus = os.path.join(output_corpus, 'corpus') - os.makedirs(crashes_dir) - os.makedirs(output_corpus) - - flags = [ - # not supported by libafl_libfuzzer currently - '-print_final_stats=1', - # `close_fd_mask` to prevent too much logging output from the target. - '-close_fd_mask=3', - # Run in fork mode to allow ignoring ooms, timeouts, crashes and - # continue fuzzing indefinitely. - '-fork=1', - '-ignore_ooms=1', - '-ignore_timeouts=1', - '-ignore_crashes=1', - - # Don't use LSAN's leak detection. 
Other fuzzers won't be using it and - # using it will cause libFuzzer to find "crashes" no one cares about. - # libafl_libfuzzer does not do leak checking regardless; not supported - '-detect_leaks=0', - - # Store crashes along with corpus for bug based benchmarking. - f'-artifact_prefix={crashes_dir}/', - ] - flags += extra_flags - if 'ADDITIONAL_ARGS' in os.environ: - flags += os.environ['ADDITIONAL_ARGS'].split(' ') - dictionary_path = utils.get_dictionary_path(target_binary) - if dictionary_path: - flags.append('-dict=' + dictionary_path) - - command = [target_binary] + flags + [output_corpus, input_corpus] - print('[run_fuzzer] Running command: ' + ' '.join(command)) - subprocess.check_call(command) diff --git a/fuzzers/libafl_libfuzzer/runner.Dockerfile b/fuzzers/libafl_libfuzzer/runner.Dockerfile deleted file mode 100644 index 0d6cf004e..000000000 --- a/fuzzers/libafl_libfuzzer/runner.Dockerfile +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM gcr.io/fuzzbench/base-image From 7a2b184d65b284fa82b5bff58a501a5b3c1bd240 Mon Sep 17 00:00:00 2001 
From: vanhauser-thc Date: Sat, 7 Oct 2023 12:36:00 +0200 Subject: [PATCH 24/39] fix --- fuzzers/libafl_libfuzzer/builder.Dockerfile | 42 +++++++ fuzzers/libafl_libfuzzer/description.md | 11 ++ fuzzers/libafl_libfuzzer/fuzzer.py | 117 ++++++++++++++++++++ fuzzers/libafl_libfuzzer/runner.Dockerfile | 15 +++ 4 files changed, 185 insertions(+) create mode 100644 fuzzers/libafl_libfuzzer/builder.Dockerfile create mode 100644 fuzzers/libafl_libfuzzer/description.md create mode 100755 fuzzers/libafl_libfuzzer/fuzzer.py create mode 100644 fuzzers/libafl_libfuzzer/runner.Dockerfile diff --git a/fuzzers/libafl_libfuzzer/builder.Dockerfile b/fuzzers/libafl_libfuzzer/builder.Dockerfile new file mode 100644 index 000000000..24dbb83c0 --- /dev/null +++ b/fuzzers/libafl_libfuzzer/builder.Dockerfile 
@@ -0,0 +1,42 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + llvm-11 \ + clang-12 && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2023-08-23 -y && \ + rm /rustup.sh + +# Download libafl. +RUN git clone https://github.com/AFLplusplus/libafl /libafl && \ + cd /libafl && \ + git checkout defe9084aed5a80ac32fe9a1f3ff00baf97738c6 && \ + unset CFLAGS CXXFLAGS && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + cd ./libafl_libfuzzer/libafl_libfuzzer_runtime && \ + env -i CXX=$CXX CC=$CC PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench && \ + cp ./target/release-fuzzbench/libafl_libfuzzer_runtime.a /usr/lib/libFuzzer.a diff --git a/fuzzers/libafl_libfuzzer/description.md b/fuzzers/libafl_libfuzzer/description.md new file mode 100644 index 000000000..69107e2eb --- /dev/null +++ b/fuzzers/libafl_libfuzzer/description.md 
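Review bot: The `export LIBAFL_EDGES_MAP_SIZE=2621440` in the LibAFL RUN step never reaches cargo, because the following `env -i CXX=$CXX CC=$CC PATH=... cargo build` starts from an empty environment and only forwards the three variables named on that line; unless the runtime picks the map size up from somewhere else, the build runs with the default. Pass it explicitly: `env -i CXX=$CXX CC=$CC LIBAFL_EDGES_MAP_SIZE=2621440 PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench`. With the LibAFL commit and the `nightly-2023-08-23` toolchain now pinned, the rustup installer fetched from sh.rustup.rs is the only unverified input to this image; checking it with `sha256sum -c` against a recorded digest before `sh /rustup.sh` would close that gap.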
@@ -0,0 +1,11 @@ +# libafl_libfuzzer + +`libafl_libfuzzer` is a libfuzzer shim which attempts to replicate as many of the features of libfuzzer as possible +without utilising any customisation from the compiler, making it compatible with all libfuzzer targets while also using +all the advanced features of libafl. + +Repository: [LibAFL/libfuzzer](https://github.com/AFLplusplus/LibAFL/tree/libfuzzer) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/libafl_libfuzzer/fuzzer.py b/fuzzers/libafl_libfuzzer/fuzzer.py new file mode 100755 index 000000000..50a2932d9 --- /dev/null +++ b/fuzzers/libafl_libfuzzer/fuzzer.py 
@@ -0,0 +1,117 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:' \ + 'malloc_context_size=0:symbolize=0:' \ + 'allocator_may_return_null=1:' \ + 'detect_odr_violation=0:handle_segv=0:' \ + 'handle_sigbus=0:handle_abort=0:' \ + 'handle_sigfpe=0:handle_sigill=0' + os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:' \ + 'allocator_release_to_os_interval_ms=500:' \ + 'handle_abort=0:handle_segv=0:' \ + 'handle_sigbus=0:handle_sigfpe=0:' \ + 'handle_sigill=0:print_stacktrace=0:' \ + 'symbolize=0:symbolize_inline_frames=0' + + +def build(): + """Build benchmark.""" + # With LibFuzzer we use -fsanitize=fuzzer-no-link for build CFLAGS and then + # /usr/lib/libFuzzer.a as the FUZZER_LIB for the main fuzzing binary. This + # allows us to link against a version of LibFuzzer that we specify. 
+ cflags = ['-fsanitize=fuzzer-no-link'] + utils.append_flags('CFLAGS', cflags) + utils.append_flags('CXXFLAGS', cflags) + + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + + # merge all of our lib into a single .o, then pack that into a static lib + subprocess.check_call([ + '/usr/bin/ld', '-Ur', '--whole-archive', '/usr/lib/libFuzzer.a', '-o', + '/tmp/libFuzzerMerged.o' + ]) + subprocess.check_call(['/usr/bin/rm', '/usr/lib/libFuzzer.a']) + subprocess.check_call( + ['/usr/bin/ar', 'cr', '/usr/lib/libFuzzer.a', '/tmp/libFuzzerMerged.o']) + + os.environ['FUZZER_LIB'] = '/usr/lib/libFuzzer.a' + + utils.build_benchmark() + + +def fuzz(input_corpus, output_corpus, target_binary): + """Run fuzzer. Wrapper that uses the defaults when calling + run_fuzzer.""" + run_fuzzer(input_corpus, output_corpus, target_binary) + + +def run_fuzzer(input_corpus, output_corpus, target_binary, extra_flags=None): + """Run fuzzer.""" + if extra_flags is None: + extra_flags = [] + + # ASAN doesn't play nicely with our signal handling + # in the future, we will make this more compatible with libfuzzer, but + # for the initial implementation, we consider this sufficient + prepare_fuzz_environment() + + # Seperate out corpus and crash directories as sub-directories of + # |output_corpus| to avoid conflicts when corpus directory is reloaded. + crashes_dir = os.path.join(output_corpus, 'crashes') + output_corpus = os.path.join(output_corpus, 'corpus') + os.makedirs(crashes_dir) + os.makedirs(output_corpus) + + flags = [ + # not supported by libafl_libfuzzer currently + '-print_final_stats=1', + # `close_fd_mask` to prevent too much logging output from the target. + '-close_fd_mask=3', + # Run in fork mode to allow ignoring ooms, timeouts, crashes and + # continue fuzzing indefinitely. + '-fork=1', + '-ignore_ooms=1', + '-ignore_timeouts=1', + '-ignore_crashes=1', + + # Don't use LSAN's leak detection. 
Other fuzzers won't be using it and + # using it will cause libFuzzer to find "crashes" no one cares about. + # libafl_libfuzzer does not do leak checking regardless; not supported + '-detect_leaks=0', + + # Store crashes along with corpus for bug based benchmarking. + f'-artifact_prefix={crashes_dir}/', + ] + flags += extra_flags + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + dictionary_path = utils.get_dictionary_path(target_binary) + if dictionary_path: + flags.append('-dict=' + dictionary_path) + + command = [target_binary] + flags + [output_corpus, input_corpus] + print('[run_fuzzer] Running command: ' + ' '.join(command)) + subprocess.check_call(command) diff --git a/fuzzers/libafl_libfuzzer/runner.Dockerfile b/fuzzers/libafl_libfuzzer/runner.Dockerfile new file mode 100644 index 000000000..0d6cf004e --- /dev/null +++ b/fuzzers/libafl_libfuzzer/runner.Dockerfile @@ -0,0 +1,15 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image From 278e74e38485485275d00c5295418726c86e9451 Mon Sep 17 00:00:00 2001 
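Review bot: In `run_fuzzer`, `os.environ['ADDITIONAL_ARGS'].split(' ')` turns any doubled or leading space into empty-string arguments that are then handed to the target as flags; `shlex.split(os.environ['ADDITIONAL_ARGS'])` (with `import shlex` at the top) handles whitespace and quoting the way a shell would. The comment `# not supported by libafl_libfuzzer currently` sits directly above `'-print_final_stats=1'`, which is nevertheless passed — either drop the flag or reword the comment to say the runtime ignores it, so the next reader does not have to guess. `os.makedirs(crashes_dir)` and `os.makedirs(output_corpus)` raise `FileExistsError` if the output directory is reused; `exist_ok=True` would make a restart idempotent.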
From: vanhauser-thc Date: Sat, 7 Oct 2023 15:54:52 +0200 Subject: [PATCH 25/39] set llvm17 --- fuzzers/aflplusplus_early/builder.Dockerfile | 3 + fuzzers/aflplusplus_llvm17/builder.Dockerfile | 52 ++++ fuzzers/aflplusplus_llvm17/description.md | 14 + fuzzers/aflplusplus_llvm17/fuzzer.py | 283 ++++++++++++++++++ fuzzers/aflplusplus_llvm17/runner.Dockerfile | 24 ++ fuzzers/mopt/builder.Dockerfile | 31 ++ fuzzers/mopt/fuzzer.py | 37 +++ fuzzers/mopt/runner.Dockerfile | 15 + 8 files changed, 459 insertions(+) create mode 100644 fuzzers/aflplusplus_llvm17/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_llvm17/description.md create mode 100755 fuzzers/aflplusplus_llvm17/fuzzer.py create mode 100644 fuzzers/aflplusplus_llvm17/runner.Dockerfile create mode 100644 fuzzers/mopt/builder.Dockerfile create mode 100755 fuzzers/mopt/fuzzer.py create mode 100644 fuzzers/mopt/runner.Dockerfile diff --git a/fuzzers/aflplusplus_early/builder.Dockerfile b/fuzzers/aflplusplus_early/builder.Dockerfile index 555f3516b..d8c1c133c 100644 --- a/fuzzers/aflplusplus_early/builder.Dockerfile +++ b/fuzzers/aflplusplus_early/builder.Dockerfile @@ -34,6 +34,9 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev +RUN cd / && https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 +ENV LLVM_CONFIG=llvm-config-17 + # Download afl++. RUN git clone -b chg_pass_entrypoint https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ diff --git a/fuzzers/aflplusplus_llvm17/builder.Dockerfile b/fuzzers/aflplusplus_llvm17/builder.Dockerfile new file mode 100644 index 000000000..e076fecc4 --- /dev/null +++ b/fuzzers/aflplusplus_llvm17/builder.Dockerfile 
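Review bot: The added line `RUN cd / && https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17` tries to execute the URL as a command, so the RUN step fails before the script is ever downloaded; the fetch is missing, e.g. `RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17`. The same line appears in the new fuzzers/aflplusplus_llvm17/builder.Dockerfile in this commit. Since llvm.sh is an unpinned script run as root that rewrites the apt sources, recording its sha256 and checking it with `sha256sum -c` before execution would keep the build reproducible and guard against an upstream change. Whether `wget` or `curl` is present in the parent image is not visible here; the aflplusplus_llvm17 builder's apt-get list installs neither.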
@@ -0,0 +1,52 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +RUN cd / && https://apt.llvm.org/llvm.sh && chmod +x /llvm.sh && /llvm.sh 17 +ENV LLVM_CONFIG=llvm-config-17 + +# Download afl++. +RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_llvm17/description.md b/fuzzers/aflplusplus_llvm17/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_llvm17/description.md 
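Review bot: `git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || true` turns a failed checkout into a silent fallback to whatever the `dev` branch HEAD is at build time, so the pinned commit is not actually enforced and a build can quietly pick up different AFL++ code than the one reviewed. If tolerating a missing commit is intended, at least make it visible: `git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || echo 'WARNING: pinned AFL++ commit not found, building dev HEAD'`; otherwise drop the `|| true` so the build fails loudly. The llvm.sh line in this file shares the missing-download defect raised on the aflplusplus_early hunk.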
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_llvm17/fuzzer.py b/fuzzers/aflplusplus_llvm17/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_llvm17/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_llvm17/runner.Dockerfile b/fuzzers/aflplusplus_llvm17/runner.Dockerfile new file mode 100644 index 000000000..1a10f861c --- /dev/null +++ b/fuzzers/aflplusplus_llvm17/runner.Dockerfile 
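Review bot: The `lto` branch of `build()` probes only `/usr/local/bin/llvm-ranlib-13` and `-12` before falling back to unversioned `llvm-ranlib`/`llvm-ar`/`llvm-as`, while this fuzzer's builder installs LLVM 17 through llvm.sh and sets `LLVM_CONFIG=llvm-config-17`; unless the unversioned names are provided by the image, an LTO build here would end up with a mismatched or missing toolset. Add an `elif` branch that checks for `llvm-ranlib-17` and assigns `llvm-ranlib-17`, `llvm-ar-17`, `llvm-as-17` ahead of the fallback. `get_uninstrumented_build_directory`'s docstring is copied from the CmpLog helper and should read `"""Return path to the uninstrumented (symcc) target directory."""`. In `fuzz`, `os.environ['ADDITIONAL_ARGS'].split(' ')` produces empty arguments on repeated spaces; `shlex.split` is the safer choice.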
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 +RUN apt install -y unzip git gdb joe diff --git a/fuzzers/mopt/builder.Dockerfile b/fuzzers/mopt/builder.Dockerfile new file mode 100644 index 000000000..afd22521e --- /dev/null +++ b/fuzzers/mopt/builder.Dockerfile 
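Review bot: The final `RUN apt install -y unzip git gdb joe` uses the interactive `apt` front end and does not refresh the package index in its own layer, so it may fail on a base image without cached lists and prints the "apt does not have a stable CLI interface" warning; the scriptable form is `RUN apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*`. The comment says these packages exist to make interactive docker runs painless, so they appear to be debugging conveniences rather than runtime requirements; a comment saying so (or a separate debug image) would keep the measured runner image small. `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` also puts the build-output directory on the dynamic-loader search path for every process in the container; a comment naming which libraries in /out need this would help a reader judge it.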
@@ -0,0 +1,31 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Set AFL_NO_X86 to skip flaky tests.
+RUN git clone https://github.com/puppet-meteor/MOpt-AFL /afl && \
+ cd /afl && \
+ git checkout 45b9f38d2d8b699fd571cfde1bf974974339a21e && \
+ cd MOpt && AFL_NO_X86=1 make && \
+ cp afl-fuzz ..
+
+# Use afl_driver.cpp from LLVM as our fuzzing library.
+RUN apt-get update && \
+ apt-get install wget -y && cd /afl/MOpt && \
+ wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/MOpt/afl_driver.cpp && \
+ clang -Wno-pointer-sign -c -o /afl/MOpt/afl-llvm-rt.o /afl/MOpt/llvm_mode/afl-llvm-rt.o.c -I/afl/MOpt && \
+ clang++ -stdlib=libc++ -std=c++11 -O2 -c -o /afl/MOpt/afl_driver.o /afl/MOpt/afl_driver.cpp && \
+ ar r /libAFL.a *.o
diff --git a/fuzzers/mopt/fuzzer.py b/fuzzers/mopt/fuzzer.py
new file mode 100755
index 000000000..150d1992a
--- /dev/null
+++ b/fuzzers/mopt/fuzzer.py
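Review bot: The closing `ar r /libAFL.a *.o` archives every object file present in /afl/MOpt at that point, not just the two objects compiled on the lines above it, so anything the preceding `make` left behind in that directory is linked into every fuzz target; name the inputs explicitly with `ar r /libAFL.a /afl/MOpt/afl-llvm-rt.o /afl/MOpt/afl_driver.o`. The `wget` of afl_driver.cpp is pinned to an llvm-project commit, which is good, but the file is used without any integrity check; since the URL is commit-pinned its digest is stable, so a `sha256sum -c` against a recorded hash before compiling would catch a tampered or altered download. The MOpt checkout itself is sha-pinned and fails the build on mismatch, which is the right behaviour and stricter than the `|| true` used by the aflplusplus builders in this series.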
@@ -0,0 +1,37 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for MOpt fuzzer."""
+
+from fuzzers.afl import fuzzer as afl_fuzzer
+
+
+def build():
+ """Build benchmark."""
+ afl_fuzzer.build()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ afl_fuzzer.prepare_fuzz_environment(input_corpus)
+
+ afl_fuzzer.run_afl_fuzz(
+ input_corpus,
+ output_corpus,
+ target_binary,
+ additional_flags=[
+ # Enable Mopt mutator with pacemaker fuzzing mode at first. This
+ # is also recommended in a short-time scale evaluation.
+ '-L',
+ '0',
+ ])
diff --git a/fuzzers/mopt/runner.Dockerfile b/fuzzers/mopt/runner.Dockerfile
new file mode 100644
index 000000000..0d6cf004e
--- /dev/null
+++ b/fuzzers/mopt/runner.Dockerfile
@@ -0,0 +1,15 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
From 8c57315295e60a412b348792f4a31d3b24fd2a74 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sat, 7 Oct 2023 20:21:07 +0200 Subject: [PATCH 26/39] fix --- fuzzers/aflplusplus_early/builder.Dockerfile | 2 +- fuzzers/aflplusplus_llvm17/builder.Dockerfile | 2 +- fuzzers/honggfuzz/builder.Dockerfile | 36 ++++++++++ fuzzers/honggfuzz/fuzzer.py | 69 +++++++++++++++++++ fuzzers/honggfuzz/runner.Dockerfile | 18 +++++ 5 files changed, 125 insertions(+), 2 deletions(-) create mode 100644 fuzzers/honggfuzz/builder.Dockerfile create mode 100644 fuzzers/honggfuzz/fuzzer.py create mode 100644 fuzzers/honggfuzz/runner.Dockerfile diff --git a/fuzzers/aflplusplus_early/builder.Dockerfile b/fuzzers/aflplusplus_early/builder.Dockerfile index d8c1c133c..a7d8b1cf0 100644 --- a/fuzzers/aflplusplus_early/builder.Dockerfile +++ b/fuzzers/aflplusplus_early/builder.Dockerfile @@ -34,7 +34,7 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev -RUN cd / && https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 +RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 ENV LLVM_CONFIG=llvm-config-17 # Download afl++. diff --git a/fuzzers/aflplusplus_llvm17/builder.Dockerfile b/fuzzers/aflplusplus_llvm17/builder.Dockerfile index e076fecc4..0d6651744 100644 --- a/fuzzers/aflplusplus_llvm17/builder.Dockerfile +++ b/fuzzers/aflplusplus_llvm17/builder.Dockerfile @@ -34,7 +34,7 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev -RUN cd / && https://apt.llvm.org/llvm.sh && chmod +x /llvm.sh && /llvm.sh 17 +RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x /llvm.sh && /llvm.sh 17 ENV LLVM_CONFIG=llvm-config-17 # Download afl++. 
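Review bot: The repaired line `RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17` downloads and executes an installer script from a remote host with no version pin and no integrity check; that script adds an apt repository and its signing key to the image, so the compiler the benchmarks are built with is whatever apt.llvm.org serves on the day of the build, in contrast to the sha-pinned afl++ checkout a few lines below. Consider vendoring the script into the repository, or at least verifying it against a recorded digest before running it (`echo '<sha256>  llvm.sh' | sha256sum -c`) and pinning the LLVM package versions it installs. The aflplusplus_llvm17 hunk on this page repeats the identical line and needs the same treatment.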
diff --git a/fuzzers/honggfuzz/builder.Dockerfile b/fuzzers/honggfuzz/builder.Dockerfile
new file mode 100644
index 000000000..11a483288
--- /dev/null
+++ b/fuzzers/honggfuzz/builder.Dockerfile
@@ -0,0 +1,36 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# honggfuzz requires libfd and libunwid.
+RUN apt-get update -y && \
+ apt-get install -y \
+ libbfd-dev \
+ libunwind-dev \
+ libblocksruntime-dev \
+ liblzma-dev
+
+# Download honggfuz version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb
+# Set CFLAGS use honggfuzz's defaults except for -mnative which can build CPU
+# dependent code that may not work on the machines we actually fuzz on.
+# Create an empty object file which will become the FUZZER_LIB lib (since
+# honggfuzz doesn't need this when hfuzz-clang(++) is used).
+RUN git clone https://github.com/google/honggfuzz.git /honggfuzz && \
+ cd /honggfuzz && \
+ git checkout oss-fuzz && \
+ CFLAGS="-O3 -funroll-loops" make && \
+ touch empty_lib.c && \
+ cc -c -o empty_lib.o empty_lib.c
\ No newline at end of file
diff --git a/fuzzers/honggfuzz/fuzzer.py b/fuzzers/honggfuzz/fuzzer.py
new file mode 100644
index 000000000..7a75a17fd
--- /dev/null
+++ b/fuzzers/honggfuzz/fuzzer.py
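Review bot: `git checkout oss-fuzz` checks out a moving branch, while the comment a few lines above states that this is "version 2.3.1 + 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb"; the build is therefore not actually pinned and will silently pick up whatever the branch points at on the day of the build, unlike the sha-pinned checkouts elsewhere in this series. Pin it to the commit the comment already names: `git checkout 0b4cd5b1c4cf26b7e022dc1deb931d9318c054cb`. The comments also misspell the dependencies (`libfd and libunwid` should read `libbfd and libunwind`) and the project name (`honggfuz`), and the file is missing its trailing newline.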
@@ -0,0 +1,69 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for Honggfuzz fuzzer."""
+
+import os
+import shutil
+import subprocess
+
+from fuzzers import utils
+
+
+def build():
+ """Build benchmark."""
+ # honggfuzz doesn't need additional libraries when code is compiled
+ # with hfuzz-clang(++)
+ os.environ['CC'] = '/honggfuzz/hfuzz_cc/hfuzz-clang'
+ os.environ['CXX'] = '/honggfuzz/hfuzz_cc/hfuzz-clang++'
+ os.environ['FUZZER_LIB'] = '/honggfuzz/empty_lib.o'
+
+ utils.build_benchmark()
+
+ print('[post_build] Copying honggfuzz to $OUT directory')
+ # Copy over honggfuzz's main fuzzing binary.
+ shutil.copy('/honggfuzz/honggfuzz', os.environ['OUT'])
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ # Seperate out corpus and crash directories as sub-directories of
+ # |output_corpus| to avoid conflicts when corpus directory is reloaded.
+ crashes_dir = os.path.join(output_corpus, 'crashes')
+ output_corpus = os.path.join(output_corpus, 'corpus')
+ os.makedirs(crashes_dir)
+ os.makedirs(output_corpus)
+
+ print('[fuzz] Running target with honggfuzz')
+ command = [
+ './honggfuzz',
+ '--persistent',
+ '--rlimit_rss',
+ '2048',
+ '--sanitizers_del_report=true',
+ '--input',
+ input_corpus,
+ '--output',
+ output_corpus,
+
+ # Store crashes along with corpus for bug based benchmarking.
+ '--crashdir', + crashes_dir, + ] + dictionary_path = utils.get_dictionary_path(target_binary) + if dictionary_path: + command.extend(['--dict', dictionary_path]) + command.extend(['--', target_binary]) + + print('[fuzz] Running command: ' + ' '.join(command)) + subprocess.check_call(command) diff --git a/fuzzers/honggfuzz/runner.Dockerfile b/fuzzers/honggfuzz/runner.Dockerfile new file mode 100644 index 000000000..f3eb30039 --- /dev/null +++ b/fuzzers/honggfuzz/runner.Dockerfile @@ -0,0 +1,18 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# honggfuzz requires libfd and libunwid +RUN apt-get update -y && apt-get install -y libbfd-dev libunwind-dev From ea5d16ea4329e37a8b57a06fc52b4be6c5035447 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 8 Oct 2023 07:23:22 +0200 Subject: [PATCH 27/39] fix --- fuzzers/aflplusplus_early/builder.Dockerfile | 2 ++ fuzzers/aflplusplus_llvm17/builder.Dockerfile | 2 ++ 2 files changed, 4 insertions(+) diff --git a/fuzzers/aflplusplus_early/builder.Dockerfile b/fuzzers/aflplusplus_early/builder.Dockerfile index a7d8b1cf0..dc9564729 100644 --- a/fuzzers/aflplusplus_early/builder.Dockerfile +++ b/fuzzers/aflplusplus_early/builder.Dockerfile 
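Review bot: `os.makedirs(crashes_dir)` and `os.makedirs(output_corpus)` in `fuzz()` raise `FileExistsError` when the directories already exist, which is precisely the reload case the comment above them says the layout is meant to support; pass `exist_ok=True` to both calls. The fuzzer is launched as `'./honggfuzz'`, so the function silently depends on the current working directory being the directory `build()` copied the binary into; the runner's working directory is not visible in this hunk, so either `os.path.join(os.environ['OUT'], 'honggfuzz')` or a comment stating the cwd assumption would make the dependency explicit. `subprocess.check_call(command)` with an argument list involves no shell, so the `' '.join(command)` on the line above is fine as a log message only and should not be reused to build a command string.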
@@ -34,6 +34,8 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev +RUN apt install -y lsb-release wget software-properties-common gnupg + RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 ENV LLVM_CONFIG=llvm-config-17 diff --git a/fuzzers/aflplusplus_llvm17/builder.Dockerfile b/fuzzers/aflplusplus_llvm17/builder.Dockerfile index 0d6651744..687f763fa 100644 --- a/fuzzers/aflplusplus_llvm17/builder.Dockerfile +++ b/fuzzers/aflplusplus_llvm17/builder.Dockerfile @@ -34,6 +34,8 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev +RUN apt install -y lsb-release wget software-properties-common gnupg + RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x /llvm.sh && /llvm.sh 17 ENV LLVM_CONFIG=llvm-config-17 From b6a0e9442de831136674c8101d1202637efce36a Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 8 Oct 2023 10:34:11 +0200 Subject: [PATCH 28/39] workaround on ubuntu server issues --- fuzzers/aflplusplus_early/runner.Dockerfile | 2 +- fuzzers/aflplusplus_llvm17/runner.Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fuzzers/aflplusplus_early/runner.Dockerfile b/fuzzers/aflplusplus_early/runner.Dockerfile index 1a10f861c..fb9ee7a59 100644 --- a/fuzzers/aflplusplus_early/runner.Dockerfile +++ b/fuzzers/aflplusplus_early/runner.Dockerfile @@ -21,4 +21,4 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe +RUN apt update -y && apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_llvm17/runner.Dockerfile b/fuzzers/aflplusplus_llvm17/runner.Dockerfile index 1a10f861c..fb9ee7a59 100644 --- a/fuzzers/aflplusplus_llvm17/runner.Dockerfile 
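Review bot: The added `RUN apt install -y lsb-release wget software-properties-common gnupg` uses the `apt` front end, which is not intended for scripts, in a layer separate from the `apt-get update` above it, so it depends on the package lists from that earlier layer still being present, and it installs recommended packages as well. A scriptable form is `RUN apt-get update && apt-get install -y --no-install-recommends lsb-release wget software-properties-common gnupg`, or simply folding these four packages into the existing `apt-get install` list a few lines up so they share a layer with the index refresh. The aflplusplus_llvm17 hunk on this page adds the identical line and should receive the same change.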
+++ b/fuzzers/aflplusplus_llvm17/runner.Dockerfile @@ -21,4 +21,4 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe +RUN apt update -y && apt install -y unzip git gdb joe From 0be402f5737761c53b61adddab2818cd70a487cc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 8 Oct 2023 12:49:14 +0200 Subject: [PATCH 29/39] fix other fuzzers --- fuzzers/aflplusplus/runner.Dockerfile | 3 ++- fuzzers/aflplusplus_ff_comp3/runner.Dockerfile | 3 ++- fuzzers/aflplusplus_llvm17/runner.Dockerfile | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/fuzzers/aflplusplus/runner.Dockerfile b/fuzzers/aflplusplus/runner.Dockerfile index 1a10f861c..67ebe8b5e 100644 --- a/fuzzers/aflplusplus/runner.Dockerfile +++ b/fuzzers/aflplusplus/runner.Dockerfile @@ -21,4 +21,5 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe + +RUN apt update -y && apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_ff_comp3/runner.Dockerfile b/fuzzers/aflplusplus_ff_comp3/runner.Dockerfile index 1a10f861c..67ebe8b5e 100644 --- a/fuzzers/aflplusplus_ff_comp3/runner.Dockerfile +++ b/fuzzers/aflplusplus_ff_comp3/runner.Dockerfile @@ -21,4 +21,5 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 -RUN apt install -y unzip git gdb joe + +RUN apt update -y && apt install -y unzip git gdb joe diff --git a/fuzzers/aflplusplus_llvm17/runner.Dockerfile b/fuzzers/aflplusplus_llvm17/runner.Dockerfile index fb9ee7a59..67ebe8b5e 100644 --- a/fuzzers/aflplusplus_llvm17/runner.Dockerfile +++ b/fuzzers/aflplusplus_llvm17/runner.Dockerfile @@ -21,4 +21,5 @@ ENV PATH="$PATH:/out" ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 + RUN apt update -y && apt install -y unzip git gdb joe 
From 268f45d0448dc6dcc5c70051bc335e3afa4a0aaa Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 9 Oct 2023 09:38:31 +0200 Subject: [PATCH 30/39] no cmplog --- fuzzers/aflplusplus_early/fuzzer.py | 2 +- fuzzers/aflplusplus_llvm17/fuzzer.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fuzzers/aflplusplus_early/fuzzer.py b/fuzzers/aflplusplus_early/fuzzer.py index 11e128c6a..f25ef56b6 100755 --- a/fuzzers/aflplusplus_early/fuzzer.py +++ b/fuzzers/aflplusplus_early/fuzzer.py @@ -45,7 +45,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # If nothing was set this is the default: if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] + build_modes = ['tracepc', 'dict2file'] # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] diff --git a/fuzzers/aflplusplus_llvm17/fuzzer.py b/fuzzers/aflplusplus_llvm17/fuzzer.py index 11e128c6a..f25ef56b6 100755 --- a/fuzzers/aflplusplus_llvm17/fuzzer.py +++ b/fuzzers/aflplusplus_llvm17/fuzzer.py @@ -45,7 +45,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # If nothing was set this is the default: if not build_modes: - build_modes = ['tracepc', 'cmplog', 'dict2file'] + build_modes = ['tracepc', 'dict2file'] # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] From 48b9e78981a0252f35ba325054a6cb8d4cfc80fc Mon Sep 17 00:00:00 2001 
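Review bot: The new default `build_modes = ['tracepc', 'dict2file']` drops cmplog without any comment recording why, and the comment directly above it (`# If nothing was set this is the default:`) no longer tells a reader that these two variants deliberately differ from the other aflplusplus_* fuzzers in this series, whose defaults still include `'cmplog'`. Add a line such as `# cmplog is intentionally disabled for this variant.` next to the assignment so the omission is not "fixed" on the next sync. The `-c` cmplog wiring in `fuzz()` sits outside this hunk and stays harmless because no cmplog directory is built, but if these fuzzers' description.md files advertise the cmplog feature they should be updated alongside this change. `build()` starts and ends outside the hunk.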
From: vanhauser-thc Date: Tue, 28 Nov 2023 10:30:00 +0100 Subject: [PATCH 31/39] nou8 --- fuzzers/aflplusplus/builder.Dockerfile | 2 +- fuzzers/aflplusplus_nou8/builder.Dockerfile | 49 ++++ fuzzers/aflplusplus_nou8/description.md | 14 + fuzzers/aflplusplus_nou8/fuzzer.py | 283 ++++++++++++++++++++ fuzzers/aflplusplus_nou8/runner.Dockerfile | 25 ++ 5 files changed, 372 insertions(+), 1 deletion(-) create mode 100644 fuzzers/aflplusplus_nou8/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_nou8/description.md create mode 100755 fuzzers/aflplusplus_nou8/fuzzer.py create mode 100644 fuzzers/aflplusplus_nou8/runner.Dockerfile diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile index 1fdde66e0..e9a0be30d 100644 --- a/fuzzers/aflplusplus/builder.Dockerfile +++ b/fuzzers/aflplusplus/builder.Dockerfile @@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || \ + git checkout dd9a04c901c79fe2f3f078de6cc0777e3a5d96df || \ true # Build without Python support as we don't need it. diff --git a/fuzzers/aflplusplus_nou8/builder.Dockerfile b/fuzzers/aflplusplus_nou8/builder.Dockerfile new file mode 100644 index 000000000..87e8df018 --- /dev/null +++ b/fuzzers/aflplusplus_nou8/builder.Dockerfile 
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
+ ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 74f8ca6b468b6d89e8d588e3835486be48184893 || \
+ true
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_nou8/description.md b/fuzzers/aflplusplus_nou8/description.md
new file mode 100644
index 000000000..f7eb407ad
--- /dev/null
+++ b/fuzzers/aflplusplus_nou8/description.md
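Review bot: `git checkout 74f8ca6b468b6d89e8d588e3835486be48184893 || \ true` silently falls back to the tip of the `dev` branch whenever the checkout fails (mistyped sha, force-pushed or garbage-collected commit), so the pin is advisory only and the image can end up built from unreviewed upstream code without any signal; drop the `|| \ true` so a failed checkout fails the build, as the mopt builder in this series already does. This same commit moves fuzzers/aflplusplus to `dd9a04c901c79fe2f3f078de6cc0777e3a5d96df` while this variant is pinned to `74f8ca6b...`; if the divergence is intentional for the nou8 experiment, a one-line comment saying so prevents it being "fixed" on the next commit-id bump.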
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_nou8/fuzzer.py b/fuzzers/aflplusplus_nou8/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_nou8/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_nou8/runner.Dockerfile b/fuzzers/aflplusplus_nou8/runner.Dockerfile new file mode 100644 index 000000000..67ebe8b5e --- /dev/null +++ b/fuzzers/aflplusplus_nou8/runner.Dockerfile 
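Review bot: In the symcc branch of `build()`, `new_env['CXXFLAGS'].replace('-stlib=libc++', '')` searches for a misspelled flag — the clang option is `-stdlib=libc++`, as the `clang++ -stdlib=libc++` invocation in fuzzers/mopt/builder.Dockerfile earlier in this series shows — so the replace never matches and the symcc rebuild keeps the libc++ flag it was meant to strip; change it to `new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stdlib=libc++', '')`. In `fuzz()`, `flags += os.environ['ADDITIONAL_ARGS'].split(' ')` yields empty tokens on repeated spaces and ignores quoting for arguments that are handed straight to afl-fuzz; `shlex.split(os.environ['ADDITIONAL_ARGS'])` (with `import shlex` at the top of the file) is the safer parse. The docstring of `get_uninstrumented_build_directory` is a copy of the cmplog one and should read `"""Return path to the uninstrumented (symcc) target directory."""`. This file appears to be byte-identical to the aflplusplus_llvm17/fuzzer.py added earlier in the series, so the same fixes apply there.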
@@ -0,0 +1,25 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + +RUN apt update -y && apt install -y unzip git gdb joe From 1a275255f8e63536d04295ceea21f12a81af02b4 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 28 Nov 2023 11:13:42 +0100 Subject: [PATCH 32/39] fix --- fuzzers/aflrustrust/builder.Dockerfile | 56 ++++++++++++++++++++ fuzzers/aflrustrust/description.md | 13 +++++ fuzzers/aflrustrust/fuzzer.py | 67 ++++++++++++++++++++++++ fuzzers/aflrustrust/runner.Dockerfile | 23 +++++++++ fuzzers/libafl/builder.Dockerfile | 54 ++++++++++++++++++++ fuzzers/libafl/description.md | 11 ++++ fuzzers/libafl/fuzzer.py | 71 ++++++++++++++++++++++++++ fuzzers/libafl/runner.Dockerfile | 25 +++++++++ 8 files changed, 320 insertions(+) create mode 100644 fuzzers/aflrustrust/builder.Dockerfile create mode 100644 fuzzers/aflrustrust/description.md create mode 100755 fuzzers/aflrustrust/fuzzer.py create mode 100644 fuzzers/aflrustrust/runner.Dockerfile create mode 100644 fuzzers/libafl/builder.Dockerfile create mode 100644 fuzzers/libafl/description.md create mode 100755 fuzzers/libafl/fuzzer.py create mode 100644 fuzzers/libafl/runner.Dockerfile 
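Review bot: The final `RUN apt update -y && apt install -y unzip git gdb joe` uses the `apt` front end, which warns that it has no stable CLI for scripts, and leaves the downloaded package lists in the image layer; the conventional Dockerfile form is `RUN apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*`. It is also worth a one-line comment saying why gdb and joe belong in the runner image that executes the target, since they are not needed to run afl-fuzz and only add surface to that image.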
diff --git a/fuzzers/aflrustrust/builder.Dockerfile b/fuzzers/aflrustrust/builder.Dockerfile
new file mode 100644
index 000000000..ccc7afc4f
--- /dev/null
+++ b/fuzzers/aflrustrust/builder.Dockerfile
@@ -0,0 +1,56 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get install -y build-essential libstdc++5 libtool-bin automake flex \
+ bison libglib2.0-dev python3-setuptools unzip python3-dev joe curl \
+ cmake git apt-utils apt-transport-https ca-certificates libdbus-1-dev
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2023-09-21 -y && \
+ rm /rustup.sh
+
+# Download afl++.
+RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
+
+# Checkout a current commit
+RUN cd /afl && git checkout 8cdc48f73a17ddd557897f2098937a8ba3bfe184
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ make install && \
+ cp utils/aflpp_driver/libAFLDriver.a /
+
+# Download libafl.
+RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git checkout c103444396697af102dce2b936a00e93017057ba
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ cd ./fuzzers/fuzzbench_forkserver && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench
+
diff --git a/fuzzers/aflrustrust/description.md b/fuzzers/aflrustrust/description.md
new file mode 100644
index 000000000..445a27663
--- /dev/null
+++ b/fuzzers/aflrustrust/description.md
@@ -0,0 +1,13 @@
+# aflplusplus
+
+AFL++ fuzzer instance that has the following config active for all benchmarks:
+ - PCGUARD instrumentation
+ - cmplog feature
+ - "fast" power schedule
+ - persistent mode + shared memory test cases
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflrustrust/fuzzer.py b/fuzzers/aflrustrust/fuzzer.py
new file mode 100755
index 000000000..81cc4b2f2
--- /dev/null
+++ b/fuzzers/aflrustrust/fuzzer.py
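Review bot: The rustup bootstrap `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && sh /rustup.sh ...` executes a script fetched at build time with no integrity check, which makes it the one unpinned step in a build that otherwise pins AFL++ (8cdc48f7...) and LibAFL (c1034443...) to exact commits. Fetching a specific rustup-init release and verifying its published sha256 before running it, or at least a comment stating that this step is deliberately unpinned, would keep a tampered download from silently changing what the image compiles. `--default-toolchain nightly-2023-09-21` pins the compiler, not the installer that fetches it.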
@@ -0,0 +1,67 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for a LibAFL fuzzer with an AFL++ forkserver."""
+
+import os
+import shutil
+import subprocess
+
+from fuzzers import utils
+from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
+from fuzzers.libafl import fuzzer as libafl_fuzzer
+
+
+def build():
+ """Build benchmark."""
+ # Build the target with AFL++
+ aflplusplus_fuzzer.build('tracepc', 'cmplog', 'dict2file')
+
+ # Copy to fuzzer to OUT
+ build_directory = os.environ['OUT']
+ fuzzer = '/libafl/fuzzers/fuzzbench_forkserver/' \
+ 'target/release-fuzzbench/fuzzbench_forkserver'
+ shutil.copy(fuzzer, build_directory)
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ # Calculate CmpLog binary path from the instrumented target binary.
+ target_binary_directory = os.path.dirname(target_binary)
+ cmplog_target_binary_directory = \
+ aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory)
+ target_binary_name = os.path.basename(target_binary)
+ cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
+ target_binary_name)
+
+ # Setup env vars
+ libafl_fuzzer.prepare_fuzz_environment(input_corpus)
+
+ # Merge dictionaries
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ if os.path.exists('./afl++.dict'):
+ if dictionary_path:
+ with open('./afl++.dict', encoding='utf-8') as dictfile:
+ autodict = dictfile.read()
+ with open(dictionary_path, 'a', encoding='utf-8') as dictfile:
+ dictfile.write(autodict)
+ else:
+ dictionary_path = './afl++.dict'
+
+ # Run the fuzzer
+ command = ['./fuzzbench_forkserver', '-c', cmplog_target_binary]
+ if dictionary_path:
+ command += (['-x', dictionary_path])
+ command += (['-o', output_corpus, '-i', input_corpus, target_binary])
+ print(command)
+ subprocess.check_call(command)
diff --git a/fuzzers/aflrustrust/runner.Dockerfile b/fuzzers/aflrustrust/runner.Dockerfile
new file mode 100644
index 000000000..7aa1da8e4
--- /dev/null
+++ b/fuzzers/aflrustrust/runner.Dockerfile
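Review bot: `fuzz()` builds its command from relative paths (`'./fuzzbench_forkserver'`, `'./afl++.dict'`) and calls `subprocess.check_call(command)` with no `cwd`, so it only works if the runner's working directory already is `$OUT`; the sibling libafl integration on this page passes `cwd=os.environ['OUT']`, and `subprocess.check_call(command, cwd=os.environ['OUT'])` here removes that assumption. `-c cmplog_target_binary` is also appended unconditionally where the aflplusplus integration guards it with `os.path.exists(cmplog_target_binary)`; since `build()` always requests `'cmplog'` this is presumably fine, but the guard is cheap. Note as well that the dictionary merge appends `afl++.dict` into the benchmark dictionary in place, so a second `fuzz()` against the same build directory duplicates its entries.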
@@ -0,0 +1,23 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl/builder.Dockerfile b/fuzzers/libafl/builder.Dockerfile
new file mode 100644
index 000000000..cef4659cc
--- /dev/null
+++ b/fuzzers/libafl/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2023-09-21 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ llvm-11 \
+ clang-12 \
+ cargo && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ PATH="/root/.cargo/bin/:$PATH" cargo install cargo-make
+
+# Download libafl.
+RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout b20fda2a4ada2a6462718dc661e139e6c7a29807 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
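Review bot: `RUN cd /libafl && git pull && git checkout b20fda2a... || true` defeats the pin it is meant to establish: if the checkout fails for any reason, `|| true` swallows the error and the image is silently built from whatever HEAD `git pull` left behind, with nothing in the build log to say so. Dropping the `|| true` (and the `git pull`, which does nothing useful right after a fresh clone) makes a missing commit fail the build instead: `RUN cd /libafl && git checkout b20fda2a4ada2a6462718dc661e139e6c7a29807`. The comment "due a nightly bug it is currently fixed to a known version on top" appears to justify this, but names neither the bug nor the version, so whoever bumps the commit next cannot tell when it is safe to remove. The rustup bootstrap above it is the same unverified download-and-run as in the aflrustrust builder.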
diff --git a/fuzzers/libafl/description.md b/fuzzers/libafl/description.md
new file mode 100644
index 000000000..ea9b947d6
--- /dev/null
+++ b/fuzzers/libafl/description.md
@@ -0,0 +1,11 @@
+# libafl
+
+libafl fuzzer instance
+ - cmplog feature
+ - persistent mode
+
+Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl/fuzzer.py b/fuzzers/libafl/fuzzer.py
new file mode 100755
index 000000000..cfd2a64d7
--- /dev/null
+++ b/fuzzers/libafl/fuzzer.py
@@ -0,0 +1,71 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ['ASAN_OPTIONS'] = 'abort_on_error=1:detect_leaks=0:'\
+ 'malloc_context_size=0:symbolize=0:'\
+ 'allocator_may_return_null=1:'\
+ 'detect_odr_violation=0:handle_segv=0:'\
+ 'handle_sigbus=0:handle_abort=0:'\
+ 'handle_sigfpe=0:handle_sigill=0'
+ os.environ['UBSAN_OPTIONS'] = 'abort_on_error=1:'\
+ 'allocator_release_to_os_interval_ms=500:'\
+ 'handle_abort=0:handle_segv=0:'\
+ 'handle_sigbus=0:handle_sigfpe=0:'\
+ 'handle_sigill=0:print_stacktrace=0:'\
+ 'symbolize=0:symbolize_inline_frames=0'
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ[
+ 'CC'] = '/libafl/fuzzers/fuzzbench/target/release-fuzzbench/libafl_cc'
+ os.environ[
+ 'CXX'] = '/libafl/fuzzers/fuzzbench/target/release-fuzzbench/libafl_cxx'
+
+ os.environ['ASAN_OPTIONS'] = 'abort_on_error=0:allocator_may_return_null=1'
+ os.environ['UBSAN_OPTIONS'] = 'abort_on_error=0'
+
+ cflags = ['--libafl']
+ utils.append_flags('CFLAGS', cflags)
+ utils.append_flags('CXXFLAGS', cflags)
+ utils.append_flags('LDFLAGS', cflags)
+
+ os.environ['FUZZER_LIB'] = '/stub_rt.a'
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += (['-x', dictionary_path])
+ command += (['-o', output_corpus, '-i', input_corpus])
+ fuzzer_env = os.environ.copy()
+ fuzzer_env['LD_PRELOAD'] = '/usr/lib/x86_64-linux-gnu/libjemalloc.so.2'
+ print(command)
+ subprocess.check_call(command, cwd=os.environ['OUT'], env=fuzzer_env)
diff --git a/fuzzers/libafl/runner.Dockerfile b/fuzzers/libafl/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl/runner.Dockerfile
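Review bot: `fuzz()` hard-codes `fuzzer_env['LD_PRELOAD'] = '/usr/lib/x86_64-linux-gnu/libjemalloc.so.2'` without checking the file exists; glibc's loader treats a missing LD_PRELOAD object as a warning and continues, so if libjemalloc2 is absent from the runner image the target quietly runs on the default malloc and the only trace is an `ld.so ... ignored` line in the log. Guard it, e.g. `jemalloc = '/usr/lib/x86_64-linux-gnu/libjemalloc.so.2'` then `if os.path.exists(jemalloc): fuzzer_env['LD_PRELOAD'] = jemalloc` and otherwise `print('libjemalloc not found; running without it')`, or raise if jemalloc is a required part of this configuration. A one-line comment on why jemalloc is preloaded at all would also help the next reader.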
@@ -0,0 +1,25 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +RUN apt install libjemalloc2 + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 From 0b0262aced2e19eea5ca701575acfe881cacf2df Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Nov 2023 15:39:17 +0100 Subject: [PATCH 33/39] fishfuzz --- .../aflplusplus_fishfuzz/builder.Dockerfile | 21 ++++++++------- fuzzers/aflplusplus_fishfuzz/fuzzer.py | 26 +++++++++---------- .../aflplusplus_fishfuzz/runner.Dockerfile | 2 ++ 3 files changed, 26 insertions(+), 23 deletions(-) diff --git a/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile b/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile index 02f552c91..fdeda0410 100644 --- a/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile +++ b/fuzzers/aflplusplus_fishfuzz/builder.Dockerfile 
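Review bot: `RUN apt install libjemalloc2` has no preceding `apt-get update` and no `-y`, so in a non-interactive `docker build` apt either finds no package lists or aborts at the confirmation prompt and the image build fails (or, if the base image happens to ship the lists and a non-interactive apt configuration, silently depends on that). The conventional form is `RUN apt-get update && apt-get install -y libjemalloc2 && rm -rf /var/lib/apt/lists/*`. This library is exactly what fuzzer.py preloads via LD_PRELOAD, so a build that skips it changes the allocator the target runs with.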
@@ -43,28 +43,32 @@ RUN apt install -y git gcc g++ make cmake wget \ RUN apt-get install -y libboost-all-dev libjsoncpp-dev libgraphviz-dev \ pkg-config libglib2.0-dev findutils -RUN apt install -y lsb-release wget software-properties-common python3-pip +RUN apt install -y lsb-release wget software-properties-common python3-pip -RUN pip3 install networkx pydot +# these two packages are automatically installed, libpcap will consider libnl +# installed and try to link with libnl-genl-3-dev, which is not installed. +# Simply remove these packages +RUN apt remove libnl-3-200 libnl-3-dev -y + +RUN pip3 install networkx pydot # copy Fish++ earlier to patch the llvm # COPY FishFuzz/FF_AFL++ /FishFuzz RUN git clone https://github.com/kdsjZh/FishFuzz/ /ff_src && \ - cd /ff_src && git checkout 72e07551dcf712bddf5cf5f8feb0af1f6f0c4afd && \ + cd /ff_src && git checkout 0b49cbf3a89f36e5038c759344454438e21b96d1 && \ mv /ff_src/FF_AFL++ /FishFuzz && cd / && rm -r /ff_src # build clang-12 with gold plugin RUN mkdir -p /build && \ git clone \ - --depth 1 \ - --branch release/12.x \ https://github.com/llvm/llvm-project /llvm && \ git clone \ --depth 1 \ --branch binutils-2_40-branch \ git://sourceware.org/git/binutils-gdb.git /llvm/binutils && \ - cd /llvm/ && git apply /FishFuzz/asan_patch/FishFuzzASan.patch && \ - cp /FishFuzz/asan_patch/FishFuzzAddressSanitizer.cpp llvm/lib/Transforms/Instrumentation/ && \ + cd /llvm/ && git checkout bf7f8d6fa6f460bf0a16ffec319cd71592216bf4 && \ + git apply /FishFuzz/asan_patch/llvm-15.0/llvm-15-asan.diff && \ + cp /FishFuzz/asan_patch/llvm-15.0/FishFuzzAddressSanitizer.cpp llvm/lib/Transforms/Instrumentation/ && \ mkdir /llvm/binutils/build && cd /llvm/binutils/build && \ CFLAGS="" CXXFLAGS="" CC=gcc CXX=g++ \ ../configure --enable-gold --enable-plugins --disable-werror && \ 
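Review bot: The binutils clone in this RUN still fetches over `git://sourceware.org/git/binutils-gdb.git`, a plaintext transport with no server authentication, and tracks a moving branch (`--branch binutils-2_40-branch`) rather than a commit, so the gold plugin that gets linked into the patched clang is neither authenticated nor reproducible; the llvm clone right above it was just changed to check out a fixed commit, which shows the intent. Switching to `https://sourceware.org/git/binutils-gdb.git` and adding a `git checkout <commit>` as done for llvm closes both gaps. The `apt remove libnl-3-200 libnl-3-dev -y` workaround is explained in its comment, which is good; naming the libpcap configure check it works around would make it easier to drop later.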
@@ -84,7 +88,7 @@ ENV LLVM_CONFIG=llvm-config # make sure our modified clang-12 is called before clang-15, which is in /usr/local/bin ENV PATH="/llvm/build/bin:${PATH}" -ENV LD_LIBRARY_PATH="/llvm/build/lib/x86_64-unknown-linux-gnu/c++/:${LD_LIBRARY_PATH}" +ENV LD_LIBRARY_PATH="/llvm/build/lib/x86_64-unknown-linux-gnu/" # Build without Python support as we don't need it. @@ -101,4 +105,3 @@ RUN cd /FishFuzz/ && \ RUN wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /FishFuzz/afl_driver.cpp && \ clang++ -stdlib=libc++ -std=c++11 -O2 -c /FishFuzz/afl_driver.cpp -o /FishFuzz/afl_driver.o && \ ar r /libAFLDriver.a /FishFuzz/afl_driver.o /FishFuzz/afl-compiler-rt.o - diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index 3f566598a..ba17c3377 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py @@ -30,10 +30,7 @@ def get_uninstrumented_build_directory(target_directory): """Return path to CmpLog target directory.""" return os.path.join(target_directory, 'uninstrumented') - -# pylint: disable=consider-using-f-string def prepare_tmp_files(tmp_dir): - """ Prepare tmp files.""" if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): os.mkdir(tmp_dir) os.mkdir('%s/idlog' % (tmp_dir)) @@ -41,14 +38,12 @@ def prepare_tmp_files(tmp_dir): os.mkdir('%s/fid' % (tmp_dir)) os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) - def set_ff_env(): - """ set FishFuzz Env before build. """ + # set FishFuzz Env before build os.environ['TMP_DIR'] = os.environ['OUT'] + '/TEMP' os.environ['FF_TMP_DIR'] = os.environ['OUT'] + '/TEMP' prepare_tmp_files(os.environ['TMP_DIR']) - def build(*args): # pylint: disable=too-many-branches,too-many-statements """Build benchmark.""" # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide 
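Review bot: The new `ENV LD_LIBRARY_PATH="/llvm/build/lib/x86_64-unknown-linux-gnu/"` drops the `:${LD_LIBRARY_PATH}` suffix the old value carried, so any library path inherited from `$parent_image` is no longer searched, and it also moves from the `.../c++/` subdirectory to its parent; both may be intended, but nothing in the hunk says so. If the goal is to prefer the freshly built LLVM runtimes, a comment such as `# Prefer the patched LLVM's runtime libraries over the parent image's` plus keeping the inherited entries, `ENV LD_LIBRARY_PATH="/llvm/build/lib/x86_64-unknown-linux-gnu/:${LD_LIBRARY_PATH}"`, would record the intent and preserve the old behaviour for everything else in the image.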
@@ -68,7 +63,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] os.environ['CFLAGS'] = build_flags - os.environ['AFL_USE_ASAN'] = '1' + os.environ['USE_FF_INST'] = '1' #if build_flags.find( # 'array-bounds' @@ -178,7 +173,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements if 'eclipser' in build_modes: os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' else: - os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' + os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # '/libAFLDriver.a' # Some benchmarks like lcms. (see: # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) @@ -203,6 +198,8 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # CmpLog requires an build with different instrumentation. new_env = os.environ.copy() new_env['AFL_LLVM_CMPLOG'] = '1' + if 'USE_FF_INST' in new_env: + del new_env['USE_FF_INST'] # For CmpLog build, set the OUT and FUZZ_TARGET environment # variable to point to the new CmpLog build directory. 
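Review bot: The array-bounds branch now sets `USE_FF_INST=1` where it previously set `AFL_USE_ASAN=1`, so unless the fuzzbench CFLAGS already carry `-fsanitize=address` for bug benchmarks (the `build_flags.find('array-bounds')` test suggests sanitizer flags are present, but the hunk does not show them) those targets are built without ASan after this change. Either the comment above, "For bug type benchmarks we have to instrument via native clang pcguard", should say where the sanitizer now comes from, or `AFL_USE_ASAN` should be kept alongside `USE_FF_INST`. The enclosing `build()` starts and ends outside the hunk.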
@@ -257,12 +254,13 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements tmp_dir_dst = os.environ['OUT'] + '/TEMP' print('[post_build] generating distance files') - os.system('python3 /FishFuzz/distance/match_function.py -i %s' % - (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % - (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % - (tmp_dir_dst)) + # python3 /Fish++/distance/match_function.py -i $FF_TMP_DIR + # python3 /Fish++/distance/merge_callgraph.py -i $FF_TMP_DIR + # python3 /Fish++/distance/calculate_distance.py -i $FF_TMP_DIR + os.system('python3 /FishFuzz/distance/match_function.py -i %s' % (tmp_dir_dst)) + # os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % (tmp_dir_dst)) + # os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/calculate_all_distance.py -i %s' % (tmp_dir_dst)) # pylint: disable=too-many-arguments diff --git a/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile b/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile index cf202eb1b..1be76e230 100644 --- a/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile +++ b/fuzzers/aflplusplus_fishfuzz/runner.Dockerfile @@ -40,3 +40,5 @@ ENV AFL_SKIP_CPUFREQ=1 ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 ENV AFL_TESTCACHE_SIZE=2 + + From 457aeee084c4886800f1ee8dbd37e61275301c8e Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Nov 2023 15:46:38 +0100 Subject: [PATCH 34/39] format --- fuzzers/aflplusplus_fishfuzz/fuzzer.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index ba17c3377..0f0363403 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py 
@@ -30,7 +30,9 @@ def get_uninstrumented_build_directory(target_directory): """Return path to CmpLog target directory.""" return os.path.join(target_directory, 'uninstrumented') + def prepare_tmp_files(tmp_dir): + """prepare tmp files""" if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): os.mkdir(tmp_dir) os.mkdir('%s/idlog' % (tmp_dir)) @@ -38,12 +40,14 @@ def prepare_tmp_files(tmp_dir): os.mkdir('%s/fid' % (tmp_dir)) os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + def set_ff_env(): - # set FishFuzz Env before build + """set FishFuzz Env before build""" os.environ['TMP_DIR'] = os.environ['OUT'] + '/TEMP' os.environ['FF_TMP_DIR'] = os.environ['OUT'] + '/TEMP' prepare_tmp_files(os.environ['TMP_DIR']) + def build(*args): # pylint: disable=too-many-branches,too-many-statements """Build benchmark.""" # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide @@ -173,7 +177,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements if 'eclipser' in build_modes: os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' else: - os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # '/libAFLDriver.a' + os.environ['FUZZER_LIB'] = '/FishFuzz/afl_driver.o' # Some benchmarks like lcms. (see: # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) 
@@ -257,10 +261,12 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # python3 /Fish++/distance/match_function.py -i $FF_TMP_DIR # python3 /Fish++/distance/merge_callgraph.py -i $FF_TMP_DIR # python3 /Fish++/distance/calculate_distance.py -i $FF_TMP_DIR - os.system('python3 /FishFuzz/distance/match_function.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/match_function.py -i %s' % + (tmp_dir_dst)) # os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % (tmp_dir_dst)) # os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/calculate_all_distance.py -i %s' % (tmp_dir_dst)) + os.system('python3 /FishFuzz/distance/calculate_all_distance.py -i %s' % + (tmp_dir_dst)) # pylint: disable=too-many-arguments From a3e2d5e7b75c71c0ce10f779390d1f367c31f3fc Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Nov 2023 16:03:02 +0100 Subject: [PATCH 35/39] fix --- fuzzers/aflplusplus_fishfuzz/fuzzer.py | 27 +++++++++++++------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index 0f0363403..42c009e85 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py @@ -35,10 +35,14 @@ def prepare_tmp_files(tmp_dir): """prepare tmp files""" if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir): os.mkdir(tmp_dir) - os.mkdir('%s/idlog' % (tmp_dir)) - os.mkdir('%s/cg' % (tmp_dir)) - os.mkdir('%s/fid' % (tmp_dir)) - os.system('touch %s/idlog/fid %s/idlog/targid' % (tmp_dir, tmp_dir)) + fua = tmp_dir + '/idlog' + fub = tmp_dir + '/cg' + fuc = tmp_dir + '/fid' + os.mkdir(fua) + os.mkdir(fub) + os.mkdir(fuc) + fud = 'touch ' + tmp_dir + '/idlog/fid ' + tmp_dir + '/idlog/targid' + os.system(fud) def set_ff_env(): 
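Review bot: The rewritten `prepare_tmp_files` keeps the guard `if not os.path.isdir(tmp_dir) or os.path.exists(tmp_dir):`, which is true for every path (it is either not a directory or it exists), so `os.mkdir(tmp_dir)` is always attempted and raises `FileExistsError` on a rebuild where `$OUT/TEMP` already exists; presumably `if not os.path.exists(tmp_dir)` was meant. It also still shells out with `os.system('touch ...')` on a command string built from a path, where `open(path, 'a')` does the same job without a shell and reports failures as exceptions, and the new `fua`/`fub`/`fuc`/`fud` names say nothing about what they hold. An idempotent version that creates the tree and the two marker files directly:
```python
def prepare_tmp_files(tmp_dir):
    """Create the FishFuzz temp directory tree (safe to call again)."""
    for sub in ('idlog', 'cg', 'fid'):
        os.makedirs(os.path.join(tmp_dir, sub), exist_ok=True)
    for name in ('fid', 'targid'):
        # touch: create the marker file if missing, leave it alone otherwise
        with open(os.path.join(tmp_dir, 'idlog', name), 'a', encoding='utf-8'):
            pass
```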
@@ -256,17 +260,12 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements shutil.copy('/FishFuzz/afl-frida-trace.so', build_directory) shutil.copy('/get_frida_entry.sh', build_directory) - tmp_dir_dst = os.environ['OUT'] + '/TEMP' + tmp_dst = os.environ['OUT'] + '/TEMP' print('[post_build] generating distance files') - # python3 /Fish++/distance/match_function.py -i $FF_TMP_DIR - # python3 /Fish++/distance/merge_callgraph.py -i $FF_TMP_DIR - # python3 /Fish++/distance/calculate_distance.py -i $FF_TMP_DIR - os.system('python3 /FishFuzz/distance/match_function.py -i %s' % - (tmp_dir_dst)) - # os.system('python3 /FishFuzz/distance/merge_callgraph.py -i %s' % (tmp_dir_dst)) - # os.system('python3 /FishFuzz/distance/calculate_distance.py -i %s' % (tmp_dir_dst)) - os.system('python3 /FishFuzz/distance/calculate_all_distance.py -i %s' % - (tmp_dir_dst)) + xxa = 'python3 /FishFuzz/distance/match_function.py -i ' + tmp_dst + os.system(xxa) + xxb = 'python3 /FishFuzz/distance/calculate_all_distance.py -i ' + tmp_dst + os.system(xab) # pylint: disable=too-many-arguments From f7929e68c7441ab80e0052f4cab444e585d64c22 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Wed, 29 Nov 2023 16:29:00 +0100 Subject: [PATCH 36/39] fix --- fuzzers/aflplusplus_fishfuzz/fuzzer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fuzzers/aflplusplus_fishfuzz/fuzzer.py b/fuzzers/aflplusplus_fishfuzz/fuzzer.py index 42c009e85..5715221f1 100755 --- a/fuzzers/aflplusplus_fishfuzz/fuzzer.py +++ b/fuzzers/aflplusplus_fishfuzz/fuzzer.py @@ -265,7 +265,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements xxa = 'python3 /FishFuzz/distance/match_function.py -i ' + tmp_dst os.system(xxa) xxb = 'python3 /FishFuzz/distance/calculate_all_distance.py -i ' + tmp_dst - os.system(xab) + os.system(xxb) # pylint: disable=too-many-arguments From ebf62c3f79de6ff37750328d6f9cced88f70fe25 Mon Sep 17 00:00:00 2001 
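Review bot: The two post-build steps `os.system(xxa)` and `os.system(xxb)` discard the exit status, so if match_function.py or calculate_all_distance.py fails the build still succeeds and ships a target with missing or stale distance files, which is hard to diagnose from the fuzzing run. Invoking them as argument lists that raise on failure, `subprocess.check_call(['python3', '/FishFuzz/distance/match_function.py', '-i', tmp_dst])` and `subprocess.check_call(['python3', '/FishFuzz/distance/calculate_all_distance.py', '-i', tmp_dst])`, also avoids assembling a shell command from `$OUT` (add `import subprocess` at the top if the file does not already have it). With that, the `xxa`/`xxb` temporaries can go away entirely.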
From: vanhauser-thc Date: Sun, 10 Dec 2023 14:10:51 +0100 Subject: [PATCH 37/39] new experiment --- fuzzers/aflplusplus/builder.Dockerfile | 2 +- .../builder.Dockerfile | 7 +- .../description.md | 0 fuzzers/aflplusplus_explore/fuzzer.py | 285 ++++++++++++++++++ .../runner.Dockerfile | 0 .../aflplusplus_noclassify/builder.Dockerfile | 49 +++ fuzzers/aflplusplus_noclassify/description.md | 14 + .../fuzzer.py | 2 +- .../aflplusplus_noclassify/runner.Dockerfile | 25 ++ 9 files changed, 376 insertions(+), 8 deletions(-) rename fuzzers/{aflplusplus_llvm17 => aflplusplus_explore}/builder.Dockerfile (85%) rename fuzzers/{aflplusplus_llvm17 => aflplusplus_explore}/description.md (100%) create mode 100755 fuzzers/aflplusplus_explore/fuzzer.py rename fuzzers/{aflplusplus_llvm17 => aflplusplus_explore}/runner.Dockerfile (100%) create mode 100644 fuzzers/aflplusplus_noclassify/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_noclassify/description.md rename fuzzers/{aflplusplus_llvm17 => aflplusplus_noclassify}/fuzzer.py (99%) create mode 100644 fuzzers/aflplusplus_noclassify/runner.Dockerfile diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile index e9a0be30d..570a620d6 100644 --- a/fuzzers/aflplusplus/builder.Dockerfile +++ b/fuzzers/aflplusplus/builder.Dockerfile @@ -37,7 +37,7 @@ RUN apt-get update && \ # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout dd9a04c901c79fe2f3f078de6cc0777e3a5d96df || \ + git checkout b2d118f821b9a98b64a955b6dce5785646a8f19e || \ true # Build without Python support as we don't need it. diff --git a/fuzzers/aflplusplus_llvm17/builder.Dockerfile b/fuzzers/aflplusplus_explore/builder.Dockerfile similarity index 85% rename from fuzzers/aflplusplus_llvm17/builder.Dockerfile rename to fuzzers/aflplusplus_explore/builder.Dockerfile index 687f763fa..570a620d6 100644 --- a/fuzzers/aflplusplus_llvm17/builder.Dockerfile 
+++ b/fuzzers/aflplusplus_explore/builder.Dockerfile @@ -34,15 +34,10 @@ RUN apt-get update && \ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev -RUN apt install -y lsb-release wget software-properties-common gnupg - -RUN cd / && wget https://apt.llvm.org/llvm.sh && chmod +x /llvm.sh && /llvm.sh 17 -ENV LLVM_CONFIG=llvm-config-17 - # Download afl++. RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ cd /afl && \ - git checkout a3806158116ae4c5b8a30c19533975cb41dd497f || \ + git checkout b2d118f821b9a98b64a955b6dce5785646a8f19e || \ true # Build without Python support as we don't need it. diff --git a/fuzzers/aflplusplus_llvm17/description.md b/fuzzers/aflplusplus_explore/description.md similarity index 100% rename from fuzzers/aflplusplus_llvm17/description.md rename to fuzzers/aflplusplus_explore/description.md diff --git a/fuzzers/aflplusplus_explore/fuzzer.py b/fuzzers/aflplusplus_explore/fuzzer.py new file mode 100755 index 000000000..bb85f1dd3 --- /dev/null +++ b/fuzzers/aflplusplus_explore/fuzzer.py 
@@ -0,0 +1,285 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + flags += ['-p', 'explore'] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_llvm17/runner.Dockerfile b/fuzzers/aflplusplus_explore/runner.Dockerfile similarity index 100% rename from fuzzers/aflplusplus_llvm17/runner.Dockerfile rename to fuzzers/aflplusplus_explore/runner.Dockerfile diff --git a/fuzzers/aflplusplus_noclassify/builder.Dockerfile b/fuzzers/aflplusplus_noclassify/builder.Dockerfile new file mode 100644 index 000000000..234b16863 --- /dev/null +++ b/fuzzers/aflplusplus_noclassify/builder.Dockerfile 
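Review bot: In the symcc re-build branch of `build`, `new_env['CXXFLAGS'].replace('-stlib=libc++', '')` looks like a typo for `-stdlib=libc++`: the flag that was added a few lines earlier through `utils.LIBCPLUSPLUS_FLAG` (its value is not visible here, presumably `-stdlib=libc++`) would then never be stripped and the symcc build would keep the libc++ flag. Worth confirming against `fuzzers/utils.py` and then writing `new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace(utils.LIBCPLUSPLUS_FLAG, '')`, which also removes the duplicated literal. Two smaller nits in the same file: `get_uninstrumented_build_directory` carries the CmpLog docstring by copy-paste and should read `"""Return path to the uninstrumented (symcc) target directory."""`, and `new_env['OUT'] = symcc_build_directory` is assigned twice in that block. In `fuzz`, `no_cmplog is False` is more idiomatically `not no_cmplog`.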
@@ -0,0 +1,49 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +# Download afl++. +RUN git clone -b classify https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout e5447fc2952d0b3d10d73cf078e11fc31ac4d4c1 || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_noclassify/description.md b/fuzzers/aflplusplus_noclassify/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_noclassify/description.md 
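Review bot: `git checkout e5447fc2952d0b3d10d73cf078e11fc31ac4d4c1 || true` in the afl++ download step turns a failed checkout into a silent fallback to whatever the `classify` branch HEAD is at build time, so the commit pin gives no reproducibility or supply-chain guarantee exactly when it would matter. Dropping `|| true` makes a stale, rewritten or unreachable commit fail the image build instead of producing an unlabelled build; `git checkout e5447fc2952d0b3d10d73cf078e11fc31ac4d4c1` on its own is enough, optionally followed by `git rev-parse HEAD` so the build log records what was actually built. If the fallback is intentional for a moving experiment branch, a comment saying so (`# fall back to branch HEAD if the pinned commit is gone`) should accompany it rather than leaving the reader to guess.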
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_llvm17/fuzzer.py b/fuzzers/aflplusplus_noclassify/fuzzer.py similarity index 99% rename from fuzzers/aflplusplus_llvm17/fuzzer.py rename to fuzzers/aflplusplus_noclassify/fuzzer.py index f25ef56b6..11e128c6a 100755 --- a/fuzzers/aflplusplus_llvm17/fuzzer.py +++ b/fuzzers/aflplusplus_noclassify/fuzzer.py @@ -45,7 +45,7 @@ def build(*args): # pylint: disable=too-many-branches,too-many-statements # If nothing was set this is the default: if not build_modes: - build_modes = ['tracepc', 'dict2file'] + build_modes = ['tracepc', 'cmplog', 'dict2file'] # For bug type benchmarks we have to instrument via native clang pcguard :( build_flags = os.environ['CFLAGS'] diff --git a/fuzzers/aflplusplus_noclassify/runner.Dockerfile b/fuzzers/aflplusplus_noclassify/runner.Dockerfile new file mode 100644 index 000000000..67ebe8b5e --- /dev/null +++ b/fuzzers/aflplusplus_noclassify/runner.Dockerfile 
@@ -0,0 +1,25 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + +RUN apt update -y && apt install -y unzip git gdb joe From 7202e9b1a9006881d5650df2e648826a2a048cbf Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Tue, 12 Dec 2023 08:58:38 +0100 Subject: [PATCH 38/39] fix test --- fuzzers/aflplusplus_cxx/builder.Dockerfile | 49 ++++ fuzzers/aflplusplus_cxx/description.md | 14 + fuzzers/aflplusplus_cxx/fuzzer.py | 283 +++++++++++++++++++++ fuzzers/aflplusplus_cxx/runner.Dockerfile | 25 ++ 4 files changed, 371 insertions(+) create mode 100644 fuzzers/aflplusplus_cxx/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_cxx/description.md create mode 100755 fuzzers/aflplusplus_cxx/fuzzer.py create mode 100644 fuzzers/aflplusplus_cxx/runner.Dockerfile diff --git a/fuzzers/aflplusplus_cxx/builder.Dockerfile b/fuzzers/aflplusplus_cxx/builder.Dockerfile new file mode 100644 index 000000000..9a600cc12 --- /dev/null +++ b/fuzzers/aflplusplus_cxx/builder.Dockerfile 
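Review bot: `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` produces a leading empty element (`:/out`) if the base image leaves LD_LIBRARY_PATH unset, and the glibc loader treats an empty path element as the current working directory, so every dynamically linked process in the runner would also pick up shared objects from whatever directory it is started in. For a fuzzing runner this is mostly hygiene, but it is cheap to avoid: `ENV LD_LIBRARY_PATH="/out${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`. The `PATH="$PATH:/out"` line below is safe only because PATH is normally always set in the image config; a short comment that both are appended for interactive debugging, as the line above implies, would make the intent explicit. `RUN apt update -y && apt install -y ...` should also be `apt-get`, which has a stable CLI for scripts, ideally with `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`.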
@@ -0,0 +1,49 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +# Download afl++. +RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout ab532e7c151edaa1b563702dc26daabed09da157 || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_cxx/description.md b/fuzzers/aflplusplus_cxx/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_cxx/description.md 
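Review bot: The `apt-get update && apt-get install -y ...` layer pulls in recommended packages and leaves `/var/lib/apt/lists` in the image; adding `--no-install-recommends` and ending the same RUN with `&& rm -rf /var/lib/apt/lists/*` keeps the builder image smaller and avoids stale package lists being reused by later `apt-get install` calls in derived images. Separately, `git checkout ab532e7c151edaa1b563702dc26daabed09da157 || true` means a failed checkout silently builds the `dev` branch HEAD instead of the pinned commit; since this directory exists to pin a specific afl++ revision, the `|| true` defeats its purpose and should be removed. The `PYTHON_INCLUDE=/ make` trick that disables the Python bindings also deserves a why-comment, since the existing comment only states the result.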
@@ -0,0 +1,14 @@ +# aflplusplus + +AFL++ fuzzer instance that has the following config active for all benchmarks: + - PCGUARD instrumentation + - cmplog feature + - dict2file feature + - "fast" power schedule + - persistent mode + shared memory test cases + +Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/) + +[builder.Dockerfile](builder.Dockerfile) +[fuzzer.py](fuzzer.py) +[runner.Dockerfile](runner.Dockerfile) diff --git a/fuzzers/aflplusplus_cxx/fuzzer.py b/fuzzers/aflplusplus_cxx/fuzzer.py new file mode 100755 index 000000000..11e128c6a --- /dev/null +++ b/fuzzers/aflplusplus_cxx/fuzzer.py 
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_cxx/runner.Dockerfile b/fuzzers/aflplusplus_cxx/runner.Dockerfile new file mode 100644 index 000000000..67ebe8b5e --- /dev/null +++ b/fuzzers/aflplusplus_cxx/runner.Dockerfile 
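Review bot: `flags += os.environ['ADDITIONAL_ARGS'].split(' ')` at the end of `fuzz` passes an empty argument to afl-fuzz whenever ADDITIONAL_ARGS is set but empty or contains consecutive spaces, because `''.split(' ')` is `['']`; `shlex.split(os.environ['ADDITIONAL_ARGS'])` (stdlib `shlex`, needs an import at the top) yields no tokens for an empty string and also honours quoting. This file is a byte-identical copy of `aflplusplus_noclassify/fuzzer.py` (both sit at blob `11e128c6a`), so the same fix applies there. Also in `fuzz`, `no_cmplog is False` reads better as `not no_cmplog`, and `get_uninstrumented_build_directory` still carries the CmpLog docstring from copy-paste and should say it returns the uninstrumented (symcc) build directory.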
@@ -0,0 +1,25 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + +RUN apt update -y && apt install -y unzip git gdb joe From df99812c63d19ee9b3b49dfb10568889ccb326e5 Mon Sep 17 00:00:00 2001 
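Review bot: `RUN apt update -y && apt install -y unzip git gdb joe` uses the interactive `apt` front end, which warns that it has no stable CLI in scripts; `apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe && rm -rf /var/lib/apt/lists/*` is the conventional Dockerfile form and keeps the runner image smaller. `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` has the same empty-leading-element problem as the other runner Dockerfiles in this series if the base image leaves the variable unset (the loader searches an empty element as the current directory); `ENV LD_LIBRARY_PATH="/out${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` avoids it. `gdb` and `joe` are debugging conveniences that the comment above the ENV block only hints at; a comment on the RUN line such as `# debugging tools for interactive runs, not needed by the benchmark` would make that explicit.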
From: vanhauser-thc Date: Fri, 15 Dec 2023 10:34:36 +0100 Subject: [PATCH 39/39] afl++ version test --- fuzzers/aflplusplus_408/builder.Dockerfile | 49 ++++ fuzzers/aflplusplus_408/description.md | 14 + fuzzers/aflplusplus_408/fuzzer.py | 283 +++++++++++++++++++++ fuzzers/aflplusplus_408/runner.Dockerfile | 25 ++ fuzzers/aflplusplus_409/builder.Dockerfile | 49 ++++ fuzzers/aflplusplus_409/description.md | 14 + fuzzers/aflplusplus_409/fuzzer.py | 283 +++++++++++++++++++++ fuzzers/aflplusplus_409/runner.Dockerfile | 25 ++ 8 files changed, 742 insertions(+) create mode 100644 fuzzers/aflplusplus_408/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_408/description.md create mode 100755 fuzzers/aflplusplus_408/fuzzer.py create mode 100644 fuzzers/aflplusplus_408/runner.Dockerfile create mode 100644 fuzzers/aflplusplus_409/builder.Dockerfile create mode 100644 fuzzers/aflplusplus_409/description.md create mode 100755 fuzzers/aflplusplus_409/fuzzer.py create mode 100644 fuzzers/aflplusplus_409/runner.Dockerfile diff --git a/fuzzers/aflplusplus_408/builder.Dockerfile b/fuzzers/aflplusplus_408/builder.Dockerfile new file mode 100644 index 000000000..f6a7498b2 --- /dev/null +++ b/fuzzers/aflplusplus_408/builder.Dockerfile 
@@ -0,0 +1,49 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +RUN apt-get update && \ + apt-get install -y \ + build-essential \ + python3-dev \ + python3-setuptools \ + automake \ + cmake \ + git \ + flex \ + bison \ + libglib2.0-dev \ + libpixman-1-dev \ + cargo \ + libgtk-3-dev \ + # for QEMU mode + ninja-build \ + gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \ + libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev + +# Download afl++. +RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \ + cd /afl && \ + git checkout f596a297c4de6a5e1a6fb9fbb3b4e18124a24f58 || \ + true + +# Build without Python support as we don't need it. +# Set AFL_NO_X86 to skip flaky tests. +RUN cd /afl && \ + unset CFLAGS CXXFLAGS && \ + export CC=clang AFL_NO_X86=1 && \ + PYTHON_INCLUDE=/ make && \ + cp utils/aflpp_driver/libAFLDriver.a / diff --git a/fuzzers/aflplusplus_408/description.md b/fuzzers/aflplusplus_408/description.md new file mode 100644 index 000000000..f7eb407ad --- /dev/null +++ b/fuzzers/aflplusplus_408/description.md 
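Review bot: The directory name `aflplusplus_408` suggests a pinned afl++ 4.08 release, but the download step clones `-b dev` and runs `git checkout f596a297c4de6a5e1a6fb9fbb3b4e18124a24f58 || true`, so nothing in the Dockerfile records which release this is and a failed checkout silently falls back to the current dev HEAD. If the intent is the 4.08 release, cloning its release tag (`git clone -b <tag> --depth 1 ...`) pins it unambiguously; at minimum drop `|| true` and add a comment above the RUN such as `# afl++ 4.08 series, commit f596a297…` so the experiment result can be matched to a version later. The `PYTHON_INCLUDE=/ make` line would also benefit from a one-line comment explaining that the bogus include path is what disables the Python bindings.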
@@ -0,0 +1,14 @@
+# aflplusplus
+
+AFL++ fuzzer instance that has the following config active for all benchmarks:
+ - PCGUARD instrumentation
+ - cmplog feature
+ - dict2file feature
+ - "fast" power schedule
+ - persistent mode + shared memory test cases
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_408/fuzzer.py b/fuzzers/aflplusplus_408/fuzzer.py
new file mode 100755
index 000000000..11e128c6a
--- /dev/null
+++ b/fuzzers/aflplusplus_408/fuzzer.py
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_408/runner.Dockerfile b/fuzzers/aflplusplus_408/runner.Dockerfile new file mode 100644 index 000000000..67ebe8b5e --- /dev/null +++ b/fuzzers/aflplusplus_408/runner.Dockerfile 
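Review bot: In the symcc branch of build(), `new_env['CXXFLAGS'].replace('-stlib=libc++', '')` looks like a typo for `-stdlib=libc++`; if `utils.LIBCPLUSPLUS_FLAG` is spelled the usual way the replace never matches and the symcc rebuild keeps the libc++ flag, so it should read `new_env['CXXFLAGS'].replace(utils.LIBCPLUSPLUS_FLAG, '')`. The docstring of `get_uninstrumented_build_directory` is a copy of the CmpLog one and should say `"""Return path to the uninstrumented (symcc) target directory."""`; in the same symcc block `new_env['OUT'] = symcc_build_directory` is assigned twice, and the `# Placeholder comment.` in build() is leftover noise. In fuzz(), `no_cmplog is False` reads better as `not no_cmplog`, and `os.environ['ADDITIONAL_ARGS'].split(' ')` yields empty-string arguments on repeated spaces where `.split()` would not. Both new fuzzer.py files carry the same blob id 11e128c6a, so the aflplusplus_409 copy shares every point here; a module that imports and delegates to one shared implementation would keep the two from drifting.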
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
+RUN apt update -y && apt install -y unzip git gdb joe
diff --git a/fuzzers/aflplusplus_409/builder.Dockerfile b/fuzzers/aflplusplus_409/builder.Dockerfile
new file mode 100644
index 000000000..94da6a27d
--- /dev/null
+++ b/fuzzers/aflplusplus_409/builder.Dockerfile
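Review bot: The last line uses `apt update -y && apt install -y unzip git gdb joe`; `apt` is the interactive front end and warns that its CLI is not stable in scripts, so a Dockerfile should use `apt-get update && apt-get install -y --no-install-recommends unzip git gdb joe`, ideally followed by `rm -rf /var/lib/apt/lists/*` in the same layer. `gdb` and `joe` are debugging conveniences rather than run-time needs of the fuzzer; if the runner image is meant to stay small they belong behind a comment that says so or outside the image. `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` puts the writable output directory on the loader search path for every process in the container, which matches the "interactive docker runs" intent in the comment but is worth noting for any run that is not sandboxed. The aflplusplus_409 runner.Dockerfile hunk is byte-identical (same blob id 67ebe8b5e) and shares these points.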
@@ -0,0 +1,49 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+ apt-get install -y \
+ build-essential \
+ python3-dev \
+ python3-setuptools \
+ automake \
+ cmake \
+ git \
+ flex \
+ bison \
+ libglib2.0-dev \
+ libpixman-1-dev \
+ cargo \
+ libgtk-3-dev \
+ # for QEMU mode
+ ninja-build \
+ gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+ libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl && \
+ cd /afl && \
+ git checkout 353ae3682a02634abae0b6590dfb47b762cf6bfa || \
+ true
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS CXXFLAGS && \
+ export CC=clang AFL_NO_X86=1 && \
+ PYTHON_INCLUDE=/ make && \
+ cp utils/aflpp_driver/libAFLDriver.a /
diff --git a/fuzzers/aflplusplus_409/description.md b/fuzzers/aflplusplus_409/description.md
new file mode 100644
index 000000000..f7eb407ad
--- /dev/null
+++ b/fuzzers/aflplusplus_409/description.md
@@ -0,0 +1,14 @@
+# aflplusplus
+
+AFL++ fuzzer instance that has the following config active for all benchmarks:
+ - PCGUARD instrumentation
+ - cmplog feature
+ - dict2file feature
+ - "fast" power schedule
+ - persistent mode + shared memory test cases
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_409/fuzzer.py b/fuzzers/aflplusplus_409/fuzzer.py
new file mode 100755
index 000000000..11e128c6a
--- /dev/null
+++ b/fuzzers/aflplusplus_409/fuzzer.py
@@ -0,0 +1,283 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for AFLplusplus fuzzer.""" + +import os +import shutil + +from fuzzers.afl import fuzzer as afl_fuzzer +from fuzzers import utils + + +def get_cmplog_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'cmplog') + + +def get_uninstrumented_build_directory(target_directory): + """Return path to CmpLog target directory.""" + return os.path.join(target_directory, 'uninstrumented') + + +def build(*args): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + # BUILD_MODES is not already supported by fuzzbench, meanwhile we provide + # a default configuration. + + build_modes = list(args) + if 'BUILD_MODES' in os.environ: + build_modes = os.environ['BUILD_MODES'].split(',') + + # Placeholder comment. 
+ build_directory = os.environ['OUT'] + + # If nothing was set this is the default: + if not build_modes: + build_modes = ['tracepc', 'cmplog', 'dict2file'] + + # For bug type benchmarks we have to instrument via native clang pcguard :( + build_flags = os.environ['CFLAGS'] + + if build_flags.find( + 'array-bounds' + ) != -1 and 'qemu' not in build_modes and 'classic' not in build_modes: + if 'gcc' not in build_modes: + build_modes[0] = 'native' + + # Instrumentation coverage modes: + if 'lto' in build_modes: + os.environ['CC'] = '/afl/afl-clang-lto' + os.environ['CXX'] = '/afl/afl-clang-lto++' + edge_file = build_directory + '/aflpp_edges.txt' + os.environ['AFL_LLVM_DOCUMENT_IDS'] = edge_file + if os.path.isfile('/usr/local/bin/llvm-ranlib-13'): + os.environ['RANLIB'] = 'llvm-ranlib-13' + os.environ['AR'] = 'llvm-ar-13' + os.environ['AS'] = 'llvm-as-13' + elif os.path.isfile('/usr/local/bin/llvm-ranlib-12'): + os.environ['RANLIB'] = 'llvm-ranlib-12' + os.environ['AR'] = 'llvm-ar-12' + os.environ['AS'] = 'llvm-as-12' + else: + os.environ['RANLIB'] = 'llvm-ranlib' + os.environ['AR'] = 'llvm-ar' + os.environ['AS'] = 'llvm-as' + elif 'qemu' in build_modes: + os.environ['CC'] = 'clang' + os.environ['CXX'] = 'clang++' + elif 'gcc' in build_modes: + os.environ['CC'] = 'afl-gcc-fast' + os.environ['CXX'] = 'afl-g++-fast' + if build_flags.find('array-bounds') != -1: + os.environ['CFLAGS'] = '-fsanitize=address -O1' + os.environ['CXXFLAGS'] = '-fsanitize=address -O1' + else: + os.environ['CFLAGS'] = '' + os.environ['CXXFLAGS'] = '' + os.environ['CPPFLAGS'] = '' + else: + os.environ['CC'] = '/afl/afl-clang-fast' + os.environ['CXX'] = '/afl/afl-clang-fast++' + + print('AFL++ build: ') + print(build_modes) + + if 'qemu' in build_modes or 'symcc' in build_modes: + os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS) + cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS + os.environ['CXXFLAGS'] = ' '.join(cxxflags) + + if 'tracepc' in build_modes 
or 'pcguard' in build_modes: + os.environ['AFL_LLVM_USE_TRACE_PC'] = '1' + elif 'classic' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC' + elif 'native' in build_modes: + os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE' + + # Instrumentation coverage options: + # Do not use a fixed map location (LTO only) + if 'dynamic' in build_modes: + os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1' + # Use a fixed map location (LTO only) + if 'fixed' in build_modes: + os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000' + # Generate an extra dictionary. + if 'dict2file' in build_modes or 'native' in build_modes: + os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict' + os.environ['AFL_LLVM_DICT2FILE_NO_MAIN'] = '1' + # Enable context sentitivity for LLVM mode (non LTO only) + if 'ctx' in build_modes: + os.environ['AFL_LLVM_CTX'] = '1' + # Enable N-gram coverage for LLVM mode (non LTO only) + if 'ngram2' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '2' + elif 'ngram3' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '3' + elif 'ngram4' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '4' + elif 'ngram5' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '5' + elif 'ngram6' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '6' + elif 'ngram7' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '7' + elif 'ngram8' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '8' + elif 'ngram16' in build_modes: + os.environ['AFL_LLVM_NGRAM_SIZE'] = '16' + if 'ctx1' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '1' + elif 'ctx2' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '2' + elif 'ctx3' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '3' + elif 'ctx4' in build_modes: + os.environ['AFL_LLVM_CTX_K'] = '4' + + # Only one of the following OR cmplog + # enable laf-intel compare splitting + if 'laf' in build_modes: + os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1' + os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1' + 
os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1' + if 'autodict' not in build_modes: + os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1' + + if 'eclipser' in build_modes: + os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a' + else: + os.environ['FUZZER_LIB'] = '/libAFLDriver.a' + + # Some benchmarks like lcms. (see: + # https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212) + # fail to compile if the compiler outputs things to stderr in unexpected + # cases. Prevent these failures by using AFL_QUIET to stop afl-clang-fast + # from writing AFL specific messages to stderr. + os.environ['AFL_QUIET'] = '1' + os.environ['AFL_MAP_SIZE'] = '2621440' + + src = os.getenv('SRC') + work = os.getenv('WORK') + + with utils.restore_directory(src), utils.restore_directory(work): + # Restore SRC to its initial state so we can build again without any + # trouble. For some OSS-Fuzz projects, build_benchmark cannot be run + # twice in the same directory without this. + utils.build_benchmark() + + if 'cmplog' in build_modes and 'qemu' not in build_modes: + + # CmpLog requires an build with different instrumentation. + new_env = os.environ.copy() + new_env['AFL_LLVM_CMPLOG'] = '1' + + # For CmpLog build, set the OUT and FUZZ_TARGET environment + # variable to point to the new CmpLog build directory. + cmplog_build_directory = get_cmplog_build_directory(build_directory) + os.mkdir(cmplog_build_directory) + new_env['OUT'] = cmplog_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for CmpLog fuzzing target') + utils.build_benchmark(env=new_env) + + if 'symcc' in build_modes: + + symcc_build_directory = get_uninstrumented_build_directory( + build_directory) + os.mkdir(symcc_build_directory) + + # symcc requires an build with different instrumentation. 
+ new_env = os.environ.copy() + new_env['CC'] = '/symcc/build/symcc' + new_env['CXX'] = '/symcc/build/sym++' + new_env['SYMCC_OUTPUT_DIR'] = '/tmp' + new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace('-stlib=libc++', '') + new_env['FUZZER_LIB'] = '/libfuzzer-harness.o' + new_env['OUT'] = symcc_build_directory + new_env['SYMCC_LIBCXX_PATH'] = '/libcxx_native_build' + new_env['SYMCC_NO_SYMBOLIC_INPUT'] = '1' + new_env['SYMCC_SILENT'] = '1' + + # For symcc build, set the OUT and FUZZ_TARGET environment + # variable to point to the new symcc build directory. + new_env['OUT'] = symcc_build_directory + fuzz_target = os.getenv('FUZZ_TARGET') + if fuzz_target: + new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory, + os.path.basename(fuzz_target)) + + print('Re-building benchmark for symcc fuzzing target') + utils.build_benchmark(env=new_env) + + shutil.copy('/afl/afl-fuzz', build_directory) + if os.path.exists('/afl/afl-qemu-trace'): + shutil.copy('/afl/afl-qemu-trace', build_directory) + if os.path.exists('/aflpp_qemu_driver_hook.so'): + shutil.copy('/aflpp_qemu_driver_hook.so', build_directory) + if os.path.exists('/get_frida_entry.sh'): + shutil.copy('/afl/afl-frida-trace.so', build_directory) + shutil.copy('/get_frida_entry.sh', build_directory) + + +# pylint: disable=too-many-arguments +def fuzz(input_corpus, + output_corpus, + target_binary, + flags=tuple(), + skip=False, + no_cmplog=False): # pylint: disable=too-many-arguments + """Run fuzzer.""" + # Calculate CmpLog binary path from the instrumented target binary. + target_binary_directory = os.path.dirname(target_binary) + cmplog_target_binary_directory = ( + get_cmplog_build_directory(target_binary_directory)) + target_binary_name = os.path.basename(target_binary) + cmplog_target_binary = os.path.join(cmplog_target_binary_directory, + target_binary_name) + + afl_fuzzer.prepare_fuzz_environment(input_corpus) + # decomment this to enable libdislocator. 
+ # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t + # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' + + flags = list(flags) + + if os.path.exists('./afl++.dict'): + flags += ['-x', './afl++.dict'] + + # Move the following to skip for upcoming _double tests: + if os.path.exists(cmplog_target_binary) and no_cmplog is False: + flags += ['-c', cmplog_target_binary] + + #os.environ['AFL_IGNORE_TIMEOUTS'] = '1' + os.environ['AFL_IGNORE_UNKNOWN_ENVS'] = '1' + os.environ['AFL_FAST_CAL'] = '1' + os.environ['AFL_NO_WARN_INSTABILITY'] = '1' + os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1' + + if not skip: + os.environ['AFL_DISABLE_TRIM'] = '1' + os.environ['AFL_CMPLOG_ONLY_NEW'] = '1' + if 'ADDITIONAL_ARGS' in os.environ: + flags += os.environ['ADDITIONAL_ARGS'].split(' ') + + afl_fuzzer.run_afl_fuzz(input_corpus, + output_corpus, + target_binary, + additional_flags=flags) diff --git a/fuzzers/aflplusplus_409/runner.Dockerfile b/fuzzers/aflplusplus_409/runner.Dockerfile new file mode 100644 index 000000000..67ebe8b5e --- /dev/null +++ b/fuzzers/aflplusplus_409/runner.Dockerfile 
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
+RUN apt update -y && apt install -y unzip git gdb joe