Separate AFL build, run fuzz stages, and add afl argument pass-through

This commit is contained in:
Taylor Hornby 2019-10-23 13:11:44 -06:00
parent f968506039
commit b25a14f433
10 changed files with 26 additions and 29 deletions

1
.gitignore vendored

@ -111,3 +111,4 @@ contrib/debian/files
contrib/debian/substvars
src/fuzzing/*/output
src/fuzz.cpp


@ -186,7 +186,6 @@ bool AppInit(int argc, char* argv[])
return fRet;
}
#include "fuzz.h"
#ifdef ZCASH_FUZZ
#warning BUILDING A FUZZER, NOT THE REAL MAIN
#include "fuzz.cpp"
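Review bot: The retained `#include "fuzz.cpp"` on the last hunk line now pulls in a file that this commit adds to .gitignore and that is only materialised by `zcutil/afl/afl-build.sh`, so a tree configured with `--enable-fuzz-main` without that script having run fails with a bare missing-file error at this line. A comment naming where the file comes from would save the next reader a search, e.g. `// src/fuzz.cpp is copied from src/fuzzing/<case>/fuzz.cpp by zcutil/afl/afl-build.sh and is not tracked in git.` The `#ifdef ZCASH_FUZZ` block presumably closes outside the hunk.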


@ -1,17 +0,0 @@
extern bool DecodeHexTx(CTransaction& tx, const std::string& strHexTx);
bool fuzz_DecodeHexTxFunction (const std::string& strHexTx) {
CTransaction tx;
return DecodeHexTx(tx, strHexTx);
}
int fuzz_DecodeHexTx (int argc, char *argv[]) {
std::ifstream t(argv[1]);
std::string str((std::istreambuf_iterator<char>(t)),
std::istreambuf_iterator<char>());
if (fuzz_DecodeHexTxFunction (str)) { fprintf(stdout, "Decoded hex string") ; return 0; }
else { fprintf(stderr, "Could not decode hex string") ; return -1; }
}
int main (int argc, char *argv[]) { return fuzz_DecodeHexTx(argc, argv); }



@ -1,13 +1,19 @@
#!/usr/bin/env bash
# A wrapper around ./zcutil/build.sh for instrumenting the build with AFL:
# ./zcutil/afl/afl-build.sh <directory where AFL is installed>
# ./zcutil/afl/afl-build.sh <directory where AFL is installed> <fuzz case>
# You may obtain a copy of AFL using ./zcutil/afl/afl-get.sh.
set -eu -o pipefail
export AFL_INSTALL_DIR="$1"
export AFL_INSTALL_DIR=$(realpath "$1")
FUZZ_CASE="$2"
shift 2
export AFL_LOG_DIR="$(pwd)"
export ZCUTIL=$(realpath "./zcutil")
shift 1
cp "./src/fuzzing/$FUZZ_CASE/fuzz.cpp" src/fuzz.cpp
CONFIGURE_FLAGS="--enable-tests=no --enable-fuzz-main" "$ZCUTIL/build.sh" "CC=$ZCUTIL/afl/zcash-wrapper-gcc" "CXX=$ZCUTIL/afl/zcash-wrapper-g++" AFL_HARDEN=1 "$@"
echo "You can now run AFL as follows:"
echo "$ ./zcutil/afl/afl-run.sh '$AFL_INSTALL_DIR' '$FUZZ_CASE'"
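Review bot: The new `export AFL_INSTALL_DIR=$(realpath "$1")` hides realpath's exit status behind export's, so under `set -e` a failing realpath (for example a path whose parent directory does not exist) does not stop the script here and only surfaces later as a confusing failure inside build.sh or the wrapper compilers. Splitting the assignment from the export restores the check: `AFL_INSTALL_DIR=$(realpath "$1")` followed by `export AFL_INSTALL_DIR`. The pre-existing `export ZCUTIL=$(realpath "./zcutil")` line just below, and the `AFL_INSTALL_DIR` line in afl-fuzz.sh, have the same shape.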


@ -28,5 +28,6 @@ mv afl-*/* .
make
echo "You can now build zcashd with AFL instrumentation as follows:"
echo "$ make clean"
echo "$ ./zcutil/afl/afl-build.sh '$(pwd)'"
echo "$ make clean # if you've already built zcashd without AFL instrumentation"
echo "$ ./zcutil/afl/afl-build.sh '$(pwd)' <fuzz case> -j\$(nproc)"
echo "...where <fuzz case> is the name of a directory in src/fuzzing."


@ -2,10 +2,12 @@
# Builds AFL and an instrumented zcashd, then begins fuzzing.
# This script must be run from within the top level directory of a zcash clone.
# Pass it the name of a directory in ./src/fuzzing.
# Additional arguments are passed-through to AFL.
set -eu -o pipefail
FUZZ_CASE="$1"
shift 1
export AFL_INSTALL_DIR=$(realpath "./afl-temp")
@ -14,9 +16,5 @@ if [ ! -d "$AFL_INSTALL_DIR" ]; then
./zcutil/afl/afl-get.sh "$AFL_INSTALL_DIR"
fi
cp "./src/fuzzing/$FUZZ_CASE/fuzz.h" src/fuzz.h
cp "./src/fuzzing/$FUZZ_CASE/fuzz.cpp" src/fuzz.cpp
./zcutil/afl/afl-build.sh "$AFL_INSTALL_DIR" -j$(nproc)
"$AFL_INSTALL_DIR/afl-fuzz" -i "./src/fuzzing/$FUZZ_CASE/input" -o "./src/fuzzing/$FUZZ_CASE/output" ./src/zcashd
./zcutil/afl/afl-build.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" -j$(nproc)
./zcutil/afl/afl-run.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" "$@"
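Review bot: `FUZZ_CASE="$1"` followed by the new `shift 1` relies on `set -u` to reject a missing argument, so invoking the script without a fuzz case aborts with an unbound-variable message rather than the usage that the header comment now describes. A one-line guard before the assignment would make the failure self-explanatory: `[ $# -ge 1 ] || { echo "usage: $0 <fuzz case> [afl-fuzz arguments...]" >&2; exit 1; }`. The same applies to afl-build.sh and the new afl-run.sh, which also read their positional arguments unchecked.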

9
zcutil/afl/afl-run.sh Executable file

@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -eu -o pipefail
AFL_INSTALL_DIR="$1"
FUZZ_CASE="$2"
shift 2
"$AFL_INSTALL_DIR/afl-fuzz" -i "./src/fuzzing/$FUZZ_CASE/input" -o "./src/fuzzing/$FUZZ_CASE/output" "$@" ./src/zcashd
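Review bot: The new script carries no header comment, unlike its siblings afl-build.sh and afl-fuzz.sh, although it has the same implicit requirements: it must run from the top level of a zcash clone (it references `./src/zcashd` and `./src/fuzzing/...`), and because `"$@"` is placed before `./src/zcashd` the pass-through arguments are afl-fuzz options, not arguments to zcashd. Suggest adding after the shebang: `# Runs AFL against a zcashd built with ./zcutil/afl/afl-build.sh:`, `# ./zcutil/afl/afl-run.sh <directory where AFL is installed> <fuzz case> [afl-fuzz options...]` and `# This script must be run from within the top level directory of a zcash clone.`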