Separate AFL build, run fuzz stages, and add afl argument pass-through

.gitignore

@@ -111,3 +111,4 @@ contrib/debian/files
 contrib/debian/substvars
 
 src/fuzzing/*/output
+src/fuzz.cpp

src/bitcoind.cpp

@@ -186,7 +186,6 @@ bool AppInit(int argc, char* argv[])
 
     return fRet;
 }
-#include "fuzz.h"
 #ifdef ZCASH_FUZZ
 #warning BUILDING A FUZZER, NOT THE REAL MAIN
 #include "fuzz.cpp"

src/fuzz.cpp

@@ -1,17 +0,0 @@
-extern bool DecodeHexTx(CTransaction& tx, const std::string& strHexTx);
-
-bool fuzz_DecodeHexTxFunction (const std::string& strHexTx) {
-        CTransaction tx;
-        return DecodeHexTx(tx, strHexTx);
-}
-
-
-int fuzz_DecodeHexTx (int argc, char *argv[]) {
-        std::ifstream t(argv[1]);
-        std::string str((std::istreambuf_iterator<char>(t)),
-                                         std::istreambuf_iterator<char>());
-        if (fuzz_DecodeHexTxFunction (str)) { fprintf(stdout, "Decoded hex string") ; return 0; }
-        else { fprintf(stderr, "Could not decode hex string") ; return -1; }
-}
-
-int main (int argc, char *argv[]) { return fuzz_DecodeHexTx(argc, argv); }

zcutil/afl/afl-build.sh

@@ -1,13 +1,19 @@
 #!/usr/bin/env bash
 # A wrapper around ./zcutil/build.sh for instrumenting the build with AFL:
-#   ./zcutil/afl/afl-build.sh <directory where AFL is installed>
+#   ./zcutil/afl/afl-build.sh <directory where AFL is installed> <fuzz case>
 # You may obtain a copy of AFL using ./zcutil/afl/afl-get.sh.
 
 set -eu -o pipefail
 
-export AFL_INSTALL_DIR="$1"
+export AFL_INSTALL_DIR=$(realpath "$1")
+FUZZ_CASE="$2"
+shift 2
 export AFL_LOG_DIR="$(pwd)"
 export ZCUTIL=$(realpath "./zcutil")
-shift 1
+
+cp "./src/fuzzing/$FUZZ_CASE/fuzz.cpp" src/fuzz.cpp
 
 CONFIGURE_FLAGS="--enable-tests=no --enable-fuzz-main" "$ZCUTIL/build.sh" "CC=$ZCUTIL/afl/zcash-wrapper-gcc" "CXX=$ZCUTIL/afl/zcash-wrapper-g++" AFL_HARDEN=1 "$@"
+
+echo "You can now run AFL as follows:"
+echo "$ ./zcutil/afl/afl-run.sh '$AFL_INSTALL_DIR' '$FUZZ_CASE'"

zcutil/afl/afl-get.sh

@@ -28,5 +28,6 @@ mv afl-*/* .
 make
 
 echo "You can now build zcashd with AFL instrumentation as follows:"
-echo "$ make clean"
-echo "$ ./zcutil/afl/afl-build.sh '$(pwd)'"
+echo "$ make clean # if you've already built zcashd without AFL instrumentation"
+echo "$ ./zcutil/afl/afl-build.sh '$(pwd)' <fuzz case> -j\$(nproc)"
+echo "...where <fuzz case> is the name of a directory in src/fuzzing."

zcutil/afl/afl-getbuildrun.sh

@@ -2,10 +2,12 @@
 # Builds AFL and an instrumented zcashd, then begins fuzzing.
 # This script must be run from within the top level directory of a zcash clone.
 # Pass it the name of a directory in ./src/fuzzing.
+# Additional arguments are passed-through to AFL.
 
 set -eu -o pipefail
 
 FUZZ_CASE="$1"
+shift 1
 
 export AFL_INSTALL_DIR=$(realpath "./afl-temp")
 
@@ -14,9 +16,5 @@ if [ ! -d "$AFL_INSTALL_DIR" ]; then
     ./zcutil/afl/afl-get.sh "$AFL_INSTALL_DIR"
 fi
 
-cp "./src/fuzzing/$FUZZ_CASE/fuzz.h" src/fuzz.h
-cp "./src/fuzzing/$FUZZ_CASE/fuzz.cpp" src/fuzz.cpp
-
-./zcutil/afl/afl-build.sh "$AFL_INSTALL_DIR" -j$(nproc)
-
-"$AFL_INSTALL_DIR/afl-fuzz" -i "./src/fuzzing/$FUZZ_CASE/input" -o "./src/fuzzing/$FUZZ_CASE/output" ./src/zcashd
+./zcutil/afl/afl-build.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" -j$(nproc)
+./zcutil/afl/afl-run.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" "$@"

zcutil/afl/afl-run.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+AFL_INSTALL_DIR="$1"
+FUZZ_CASE="$2"
+shift 2
+
+"$AFL_INSTALL_DIR/afl-fuzz" -i "./src/fuzzing/$FUZZ_CASE/input" -o "./src/fuzzing/$FUZZ_CASE/output" "$@" ./src/zcashd