Page not found :(
| tinyxml2 | 31% |
| cjson | 6% |
| expat | 4% |
| libplist | 4% |
| libxml2 | 1% |
| elfutils | 1% |
| Project | Function | Output | Build rate | Max Coverage | Max Line coverage diff | Reports |
| tinyxml2 | tinyxml2-xmldocument-print | Prompt;
Fixes; Targets. |
50 |
29.74 |
11.16 |
Reports |
| tinyxml2 | tinyxml2-xmldocument-deepcopy | Prompt;
Fixes; Targets. |
25 |
26.8 |
4.45 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-setattribute | Prompt;
Fixes; Targets. |
75 |
26.08 |
3.77 |
Reports |
| libplist | plist_print | Prompt;
Fixes; Targets. |
25 |
12.88 |
3.42 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-doubletext | Prompt;
Fixes; Targets. |
62.5 |
25.61 |
3.28 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-booltext | Prompt;
Fixes; Targets. |
87.5 |
26.18 |
2.9 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-insertnewunknown | Prompt;
Fixes; Targets. |
25 |
25.67 |
2.64 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-int64text | Prompt;
Fixes; Targets. |
87.5 |
25.91 |
2.64 |
Reports |
| cjson | cjson_compare | Prompt;
Fixes; Targets. |
75 |
29.68 |
2.47 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-floattext | Prompt;
Fixes; Targets. |
62.5 |
25.09 |
2.45 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-inttext | Prompt;
Fixes; Targets. |
75 |
26.2 |
2.41 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-unsigned64text | Prompt;
Fixes; Targets. |
37.5 |
25.74 |
2.22 |
Reports |
| tinyobjloader | tinyobj-objreader-parsefromfile | Prompt;
Fixes; Targets. |
37.5 |
5.7 |
2.16 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-unsignedtext | Prompt;
Fixes; Targets. |
50 |
25.53 |
2.15 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-shallowclone | Prompt;
Fixes; Targets. |
50 |
25.03 |
2.07 |
Reports |
| cjson | cjson_replaceiteminobject | Prompt;
Fixes; Targets. |
37.5 |
27.56 |
1.98 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-gettext | Prompt;
Fixes; Targets. |
37.5 |
25.42 |
1.96 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-shallowequal | Prompt;
Fixes; Targets. |
62.5 |
25.58 |
1.96 |
Reports |
| cjson | cjson_duplicate | Prompt;
Fixes; Targets. |
62.5 |
27.4 |
1.89 |
Reports |
| expat | xml_externalentityparsercreate | Prompt;
Fixes; Targets. |
12.5 |
1.25 |
1.88 |
Reports |
| cjson | cjson_replaceiteminobjectcasesensitive | Prompt;
Fixes; Targets. |
87.5 |
25.54 |
1.85 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-insertnewcomment | Prompt;
Fixes; Targets. |
62.5 |
25.61 |
1.85 |
Reports |
| expat | xml_parsercreatens | Prompt;
Fixes; Targets. |
12.5 |
45.6 |
1.84 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-deleteattribute | Prompt;
Fixes; Targets. |
50 |
25.73 |
1.7 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-insertnewdeclaration | Prompt;
Fixes; Targets. |
50 |
25 |
1.7 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-insertnewchildelement | Prompt;
Fixes; Targets. |
50 |
24.88 |
1.51 |
Reports |
| tinyxml2 | tinyxml2-xmlnode-previoussiblingelement | Prompt;
Fixes; Targets. |
87.5 |
26.08 |
1.43 |
Reports |
| tinyobjloader | tinyobj-loadobj | Prompt;
Fixes; Targets. |
25 |
4.33 |
1.35 |
Reports |
| tinyobjloader | tinyobj-material_t-material_t | Prompt;
Fixes; Targets. |
25 |
23.91 |
1.35 |
Reports |
| tinyxml2 | tinyxml2-xmlelement-insertnewtext | Prompt;
Fixes; Targets. |
62.5 |
24.42 |
1.32 |
Reports |
| elfutils | dwfl_module_relocate_address | Prompt;
Fixes; Targets. |
87.5 |
7.81 |
1.1 |
Reports |
| libxml2 | xmlschemavalidatefile | Prompt;
Fixes; Targets. |
50 |
4.18 |
0.93 |
Reports |
| tinyxml2 | tinyxml2-xmldocument-loadfile | Prompt;
Fixes; Targets. |
25 |
2.17 |
0.9 |
Reports |
| speex | ogg_stream_packetin | Prompt;
Fixes; Targets. |
25 |
8.06 |
0.55 |
Reports |
| libxml2 | xmltextreadersetschema | Prompt;
Fixes; Targets. |
37.5 |
1.44 |
0.48 |
Reports |
| libxml2 | xmltextreaderschemavalidate | Prompt;
Fixes; Targets. |
37.5 |
4.03 |
0.36 |
Reports |
| libplist | plist_dict_merge | Prompt;
Fixes; Targets. |
12.5 |
0.8 |
0.35 |
Reports |
| libxml2 | xmltextreaderschemavalidatectxt | Prompt;
Fixes; Targets. |
25 |
1.19 |
0.33 |
Reports |
| cjson | cjson_printpreallocated | Prompt;
Fixes; Targets. |
75 |
26.44 |
0.22 |
Reports |
| libucl | ucl_parser_insert_chunk | Prompt;
Fixes; Targets. |
25 |
10.5 |
0.22 |
Reports |
| libucl | ucl_object_compare | Prompt;
Fixes; Targets. |
12.5 |
1.35 |
0.21 |
Reports |
| elfutils | dwarf_getlocations | Prompt;
Fixes; Targets. |
62.5 |
7.22 |
0.2 |
Reports |
| libucl | ucl_parser_add_fd_priority | Prompt;
Fixes; Targets. |
71.43 |
19.61 |
0.18 |
Reports |
| jsoncpp | json-value-resize | Prompt;
Fixes; Targets. |
37.5 |
2.23 |
0.17 |
Reports |
| mosquitto | mosquitto_topic_matches_sub2 | Prompt;
Fixes; Targets. |
87.5 |
28.28 |
0.16 |
Reports |
| xvid | xvid_encore | Prompt;
Fixes; Targets. |
31.25 |
0.22 |
0.16 |
Reports |
| cjson | cjson_parse | Prompt;
Fixes; Targets. |
75 |
25.72 |
0.13 |
Reports |
| cjson | cjson_parsewithlength | Prompt;
Fixes; Targets. |
62.5 |
25.72 |
0.13 |
Reports |
| jsoncpp | json-value-removeindex | Prompt;
Fixes; Targets. |
25 |
5.11 |
0.13 |
Reports |
| libucl | ucl_object_merge | Prompt;
Fixes; Targets. |
25 |
0.65 |
0.12 |
Reports |
| speex | ogg_stream_pageout_fill | Prompt;
Fixes; Targets. |
6.25 |
0 |
0.07 |
Reports |
| libsndfile | sf_command | Prompt;
Fixes; Targets. |
25 |
3.41 |
0.06 |
Reports |
| mosquitto | mosquitto_topic_matches_sub | Prompt;
Fixes; Targets. |
62.5 |
4.03 |
0.05 |
Reports |
| libsndfile | sf_format_check | Prompt;
Fixes; Targets. |
12.5 |
0.1 |
0.04 |
Reports |
| libucl | ucl_object_replace_key | Prompt;
Fixes; Targets. |
50 |
7.14 |
0.04 |
Reports |
| libdwarf | dwarf_find_die_given_sig8 | Prompt;
Fixes; Targets. |
37.5 |
11.62 |
0.01 |
Reports |
docker run --rm -ti gcr.io/oss-fuzz/$project <command> <arguments...># Supported Commands | Command | Description | |---------|-------------| | `compile` (default) | build all fuzz targets | `/bin/bash` | drop into shell, execute `compile` script to start build. # Build Configuration A single build image can build same set of fuzzers in many configurations. The configuration is picked through one or more environment variables. | Env Variable | Description | ------------- | -------- | `$SANITIZER ("address")` | Specifies predefined sanitizer configuration to use. `address` or `memory` or `undefined`. | `$SANITIZER_FLAGS` | Specify compiler sanitizer flags directly. Overrides `$SANITIZER`. | `$COVERAGE_FLAGS` | Specify compiler flags to use for fuzzer feedback coverage. | `$BUILD_UID` | User id to use while building fuzzers. ## Examples - *building sqlite3 fuzzer with UBSan (`SANITIZER=undefined`):*
docker run --rm -ti -e SANITIZER=undefined gcr.io/oss-fuzz/sqlite3# Image Files Layout | Location|Env| Description | |---------| -------- | ---------- | | `/out/` | `$OUT` | Directory to store build artifacts (fuzz targets, dictionaries, options files, seed corpus archives). | | `/src/` | `$SRC` | Directory to checkout source files | | `/work/`| `$WORK` | Directory for storing intermediate files | | `/usr/lib/libFuzzingEngine.a` | `$LIB_FUZZING_ENGINE` | Location of prebuilt fuzzing engine library (e.g. libFuzzer) that needs to be linked with all fuzz targets. While files layout is fixed within a container, the environment variables are provided to be able to write retargetable scripts. ## Compiler Flags You *must* use special compiler flags to build your project and fuzz targets. These flags are provided in following environment variables: | Env Variable | Description | ------------- | -------- | `$CC` | The C compiler binary. | `$CXX`, `$CCC` | The C++ compiler binary. | `$CFLAGS` | C compiler flags. | `$CXXFLAGS` | C++ compiler flags. Most well-crafted build scripts will automatically use these variables. If not, pass them manually to the build tool. # Child Image Interface ## Sources Child image has to checkout all sources that it needs to compile fuzz targets into `$SRC` directory. When the image is executed, a directory could be mounted on top of these with local checkouts using `docker run -v $HOME/my_project:/src/my_project ...`. ## Other Required Files Following files have to be added by child images: | File Location | Description | | ------------- | ----------- | | `$SRC/build.sh` | build script to build the project and its fuzz targets | ================================================ FILE: infra/base-images/base-builder/afl_llvm22_patch.diff ================================================ diff --git a/GNUmakefile.llvm b/GNUmakefile.llvm index 2cde89d9..7cafd3f5 100644 --- a/GNUmakefile.llvm +++ b/GNUmakefile.llvm @@ -32,7 +32,7 @@ VERSION = $(shell grep '^ *$(HASH)define VERSION ' ./config.h | cut -d '"' - SYS = $(shell uname -s) -override LLVM_TOO_NEW_DEFAULT := 21 +override LLVM_TOO_NEW_DEFAULT := 22 override LLVM_TOO_OLD_DEFAULT := 14 ifeq "$(SYS)" "OpenBSD" @@ -69,7 +69,7 @@ endif LLVM_STDCXX := gnu++11 LLVM_LTO := 0 -LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-7]\.|^2[2-9]\.' && echo 1 || echo 0) +LLVM_UNSUPPORTED := $(shell echo "$(LLVMVER)" | grep -E -q '^[0-2]\.|^3\.[0-7]\.|^2[3-9]\.' && echo 1 || echo 0) # Uncomment to see the values assigned above # $(foreach var,_CLANG_VERSIONS_TO_TEST LLVM_CONFIG LLVMVER LLVM_MAJOR LLVM_MINOR LLVM_TOO_NEW LLVM_TOO_OLD LLVM_TOO_NEW_DEFAULT LLVM_TOO_OLD_DEFAULT LLVM_NEW_API LLVM_NEWER_API LLVM_13_OK LLVM_HAVE_LTO LLVM_BINDIR LLVM_LIBDIR LLVM_STDCXX LLVM_APPLE_XCODE LLVM_LTO LLVM_UNSUPPORTED,$(warning $(var) = $($(var)))) ================================================ FILE: infra/base-images/base-builder/bazel.bazelrc ================================================ # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ # Pass variables from environment. build --action_env=FUZZ_INTROSPECTOR build --action_env=FUZZINTRO_OUTDIR ================================================ FILE: infra/base-images/base-builder/bazel_build_fuzz_tests ================================================ #!/bin/bash -eu # # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ : "${BAZEL_FUZZ_TEST_TAG:=fuzz-test}" : "${BAZEL_FUZZ_TEST_EXCLUDE_TAG:=no-oss-fuzz}" : "${BAZEL_PACKAGE_SUFFIX:=_oss_fuzz}" : "${BAZEL_TOOL:=bazel}" : "${BAZEL_EXTRA_BUILD_FLAGS:=}" if [ "$FUZZING_LANGUAGE" = "jvm" ]; then BAZEL_LANGUAGE=java else BAZEL_LANGUAGE=cc fi if [[ -z "${BAZEL_FUZZ_TEST_QUERY:-}" ]]; then BAZEL_FUZZ_TEST_QUERY=" let all_fuzz_tests = attr(tags, \"${BAZEL_FUZZ_TEST_TAG}\", \"//...\") in let lang_fuzz_tests = attr(generator_function, \"^${BAZEL_LANGUAGE}_fuzz_test\$\", \$all_fuzz_tests) in \$lang_fuzz_tests - attr(tags, \"${BAZEL_FUZZ_TEST_EXCLUDE_TAG}\", \$lang_fuzz_tests) " fi echo "Using Bazel query to find fuzz targets: ${BAZEL_FUZZ_TEST_QUERY}" declare -r OSS_FUZZ_TESTS=( $(bazel query "${BAZEL_FUZZ_TEST_QUERY}" | sed "s/$/${BAZEL_PACKAGE_SUFFIX}/") ) echo "Found ${#OSS_FUZZ_TESTS[@]} fuzz test packages:" for oss_fuzz_test in "${OSS_FUZZ_TESTS[@]}"; do echo " ${oss_fuzz_test}" done declare -r BAZEL_BUILD_FLAGS=( "--@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_engine" \ "--@rules_fuzzing//fuzzing:java_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_java_engine" \ "--@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz" \ "--@rules_fuzzing//fuzzing:cc_engine_sanitizer=none" \ "--cxxopt=-stdlib=libc++" \ "--linkopt=-lc++" \ "--verbose_failures" \ "--spawn_strategy=standalone" \ "--action_env=CC=${CC}" "--action_env=CXX=${CXX}" \ ${BAZEL_EXTRA_BUILD_FLAGS[*]} ) echo "Building the fuzz tests with the following Bazel options:" echo " ${BAZEL_BUILD_FLAGS[@]}" ${BAZEL_TOOL} build "${BAZEL_BUILD_FLAGS[@]}" "${OSS_FUZZ_TESTS[@]}" echo "Extracting the fuzz test packages in the output directory." for oss_fuzz_archive in $(find bazel-bin/ -name "*${BAZEL_PACKAGE_SUFFIX}.tar"); do tar --no-same-owner -xvf "${oss_fuzz_archive}" -C "${OUT}" done if [ "$SANITIZER" = "coverage" ]; then echo "Collecting the repository source files for coverage tracking." declare -r COVERAGE_SOURCES="${OUT}/proc/self/cwd" mkdir -p "${COVERAGE_SOURCES}" declare -r RSYNC_FILTER_ARGS=( "--include" "*.h" "--include" "*.cc" "--include" "*.hpp" "--include" "*.cpp" "--include" "*.c" "--include" "*.inc" "--include" "*/" "--exclude" "*" ) rsync -avLk "${RSYNC_FILTER_ARGS[@]}" \ "$(bazel info execution_root)/" \ "${COVERAGE_SOURCES}/" fi ================================================ FILE: infra/base-images/base-builder/bisect_clang.py ================================================ #!/usr/bin/env python3 # Copyright 2019 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ """Use git bisect to find the Clang/LLVM commit causing a regression.""" import logging import os import re import shutil import subprocess import sys def execute(command, *args, expect_zero=True, **kwargs): """Execute |command| and return the returncode, stdout and stderr.""" kwargs['stdout'] = subprocess.PIPE kwargs['stderr'] = subprocess.PIPE logging.debug('Running command: "%s"', str(command)) process = subprocess.Popen(command, *args, **kwargs) stdout, stderr = process.communicate() stdout = stdout.decode('utf-8') stderr = stderr.decode('utf-8') retcode = process.returncode logging.info('Command: "%s" returned: %d.\nStdout: %s.\nStderr: %s', str(command), retcode, stdout, stderr) if expect_zero and retcode != 0: raise subprocess.CalledProcessError(retcode, command) return retcode, stdout, stderr def search_bisect_output(output): """Search |output| for a message indicating the culprit commit has been found.""" # TODO(metzman): Is it necessary to look for "good"? culprit_regex = re.compile('([a-z0-9]{40}) is the first (good|bad) commit') match = re.match(culprit_regex, output) return match.group(1) if match is not None else None class GitRepo: """Class for executing commmands on a git repo.""" def __init__(self, repo_dir): self.repo_dir = repo_dir def do_command(self, git_subcommand): """Execute a |git_subcommand| (a list of strings).""" command = ['git', '-C', self.repo_dir] + git_subcommand return execute(command) def test_commit(self, test_command): """Build LLVM at the currently checkedout commit, then run |test_command|. If returncode is 0 run 'git bisect good' otherwise return 'git bisect bad'. Return None if bisect didn't finish yet. Return the culprit commit if it does.""" build_clang(self.repo_dir) retcode, _, _ = execute(test_command, shell=True, expect_zero=False) if retcode == 0: retcode, stdout, _ = self.do_bisect_command('good') else: retcode, stdout, _ = self.do_bisect_command('bad') return search_bisect_output(stdout) def bisect(self, good_commit, bad_commit, test_command): """Do git bisect assuming |good_commit| is good, |bad_commit| is bad and |test_command| is an oracle. Return the culprit commit.""" self.bisect_start(good_commit, bad_commit, test_command) result = self.test_commit(test_command) while result is None: result = self.test_commit(test_command) return result def bisect_start(self, good_commit, bad_commit, test_command): """Start doing git bisect.""" self.do_bisect_command('start') # Do bad commit first since it is more likely to be recent. self.test_start_commit(bad_commit, 'bad', test_command) self.test_start_commit(good_commit, 'good', test_command) def do_bisect_command(self, subcommand): """Execute a git bisect |subcommand| (string) and return the result.""" return self.do_command(['bisect', subcommand]) def test_start_commit(self, commit, label, test_command): """Use |test_command| to test the first good or bad |commit| (depending on |label|).""" assert label in ('good', 'bad'), label self.do_command(['checkout', commit]) build_clang(self.repo_dir) retcode, _, _ = execute(test_command, shell=True, expect_zero=False) if label == 'good' and retcode != 0: raise BisectError('Test command "%s" returns %d on first good commit %s' % (test_command, retcode, commit)) if label == 'bad' and retcode == 0: raise BisectError('Test command "%s" returns %d on first bad commit %s' % (test_command, retcode, commit)) self.do_bisect_command(label) class BisectError(Exception): """Error that was encountered during bisection.""" def get_clang_build_env(): """Get an environment for building Clang.""" env = os.environ.copy() for variable in ['CXXFLAGS', 'CFLAGS']: if variable in env: del env[variable] return env def install_clang_build_deps(): """Instal dependencies necessary to build clang.""" execute([ 'apt-get', 'install', '-y', 'build-essential', 'make', 'cmake', 'ninja-build', 'git', 'subversion', 'g++-multilib' ]) def clone_with_retries(repo, local_path, num_retries=10): """Clone |repo| to |local_path| if it doesn't exist already. Try up to |num_retries| times. Return False if unable to checkout.""" if os.path.isdir(local_path): return for _ in range(num_retries): if os.path.isdir(local_path): shutil.rmtree(local_path) retcode, _, _ = execute(['git', 'clone', repo, local_path], expect_zero=False) if retcode == 0: return raise Exception('Could not checkout %s.' % repo) def get_clang_target_arch(): """Get target architecture we want clang to target when we build it.""" _, arch, _ = execute(['uname', '-m']) if 'x86_64' in arch: return 'X86' if 'aarch64' in arch: return 'AArch64' raise Exception('Unsupported target: %s.' % arch) def prepare_build(llvm_project_path): """Prepare to build clang.""" llvm_build_dir = os.path.join(os.getenv('WORK'), 'llvm-build') if not os.path.exists(llvm_build_dir): os.mkdir(llvm_build_dir) execute([ 'cmake', '-G', 'Ninja', '-DLIBCXX_ENABLE_SHARED=OFF', '-DLIBCXX_ENABLE_STATIC_ABI_LIBRARY=ON', '-DLIBCXXABI_ENABLE_SHARED=OFF', '-DCMAKE_BUILD_TYPE=Release', '-DLLVM_ENABLE_PROJECTS=libcxx;libcxxabi;compiler-rt;clang', '-DLLVM_TARGETS_TO_BUILD=' + get_clang_target_arch(), os.path.join(llvm_project_path, 'llvm') ], env=get_clang_build_env(), cwd=llvm_build_dir) return llvm_build_dir def build_clang(llvm_project_path): """Checkout, build and install Clang.""" # TODO(metzman): Merge Python checkout and build code with # checkout_build_install_llvm.sh. # TODO(metzman): Look into speeding this process using ccache. # TODO(metzman): Make this program capable of handling MSAN and i386 Clang # regressions. llvm_build_dir = prepare_build(llvm_project_path) execute(['ninja', '-C', llvm_build_dir, 'install'], env=get_clang_build_env()) def find_culprit_commit(test_command, good_commit, bad_commit): """Returns the culprit LLVM commit that introduced a bug revealed by running |test_command|. Uses git bisect and treats |good_commit| as the first latest known good commit and |bad_commit| as the first known bad commit.""" llvm_project_path = os.path.join(os.getenv('SRC'), 'llvm-project') clone_with_retries('https://github.com/llvm/llvm-project.git', llvm_project_path) git_repo = GitRepo(llvm_project_path) result = git_repo.bisect(good_commit, bad_commit, test_command) print('Culprit commit', result) return result def main(): # pylint: disable=line-too-long """Finds the culprit LLVM commit that introduced a clang regression. Can be tested using this command in a libsodium shell: python3 bisect_clang.py "cd /src/libsodium; make clean; cd -; compile && /out/secret_key_auth_fuzzer -runs=100" \ f7e52fbdb5a7af8ea0808e98458b497125a5eca1 \ 8288453f6aac05080b751b680455349e09d49825 """ # pylint: enable=line-too-long # TODO(metzman): Check CFLAGS for things like -fsanitize=fuzzer-no-link. # TODO(metzman): Allow test_command to be optional and for just build.sh to be # used instead. test_command = sys.argv[1] # TODO(metzman): Add in more automation so that the script can automatically # determine the commits used in last Clang roll. good_commit = sys.argv[2] bad_commit = sys.argv[3] # TODO(metzman): Make verbosity configurable. logging.getLogger().setLevel(logging.DEBUG) install_clang_build_deps() find_culprit_commit(test_command, good_commit, bad_commit) return 0 if __name__ == '__main__': sys.exit(main()) ================================================ FILE: infra/base-images/base-builder/bisect_clang_test.py ================================================ # Copyright 2019 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ """Tests for bisect_clang.py""" import os from unittest import mock import unittest import bisect_clang FILE_DIRECTORY = os.path.dirname(__file__) LLVM_REPO_PATH = '/llvm-project' def get_git_command(*args): """Returns a git command for the LLVM repo with |args| as arguments.""" return ['git', '-C', LLVM_REPO_PATH] + list(args) def patch_environ(testcase_obj): """Patch environment.""" env = {} patcher = mock.patch.dict(os.environ, env) testcase_obj.addCleanup(patcher.stop) patcher.start() class BisectClangTestMixin: # pylint: disable=too-few-public-methods """Useful mixin for bisect_clang unittests.""" def setUp(self): # pylint: disable=invalid-name """Initialization method for unittests.""" patch_environ(self) os.environ['SRC'] = '/src' os.environ['WORK'] = '/work' class GetClangBuildEnvTest(BisectClangTestMixin, unittest.TestCase): """Tests for get_clang_build_env.""" def test_cflags(self): """Test that CFLAGS are not used compiling clang.""" os.environ['CFLAGS'] = 'blah' self.assertNotIn('CFLAGS', bisect_clang.get_clang_build_env()) def test_cxxflags(self): """Test that CXXFLAGS are not used compiling clang.""" os.environ['CXXFLAGS'] = 'blah' self.assertNotIn('CXXFLAGS', bisect_clang.get_clang_build_env()) def test_other_variables(self): """Test that other env vars are used when compiling clang.""" key = 'other' value = 'blah' os.environ[key] = value self.assertEqual(value, bisect_clang.get_clang_build_env()[key]) def read_test_data(filename): """Returns data from |filename| in the test_data directory.""" with open(os.path.join(FILE_DIRECTORY, 'test_data', filename)) as file_handle: return file_handle.read() class SearchBisectOutputTest(BisectClangTestMixin, unittest.TestCase): """Tests for search_bisect_output.""" def test_search_bisect_output(self): """Test that search_bisect_output finds the responsible commit when one exists.""" test_data = read_test_data('culprit-commit.txt') self.assertEqual('ac9ee01fcbfac745aaedca0393a8e1c8a33acd8d', bisect_clang.search_bisect_output(test_data)) def test_search_bisect_output_none(self): """Test that search_bisect_output doesnt find a non-existent culprit commit.""" self.assertIsNone(bisect_clang.search_bisect_output('hello')) def create_mock_popen( output=bytes('', 'utf-8'), err=bytes('', 'utf-8'), returncode=0): """Creates a mock subprocess.Popen.""" class MockPopen: """Mock subprocess.Popen.""" commands = [] testcases_written = [] def __init__(self, command, *args, **kwargs): # pylint: disable=unused-argument """Inits the MockPopen.""" stdout = kwargs.pop('stdout', None) self.command = command self.commands.append(command) self.stdout = None self.stderr = None self.returncode = returncode if hasattr(stdout, 'write'): self.stdout = stdout def communicate(self, input_data=None): # pylint: disable=unused-argument """Mock subprocess.Popen.communicate.""" if self.stdout: self.stdout.write(output) if self.stderr: self.stderr.write(err) return output, err def poll(self, input_data=None): # pylint: disable=unused-argument """Mock subprocess.Popen.poll.""" return self.returncode return MockPopen def mock_prepare_build_impl(llvm_project_path): # pylint: disable=unused-argument """Mocked prepare_build function.""" return '/work/llvm-build' class BuildClangTest(BisectClangTestMixin, unittest.TestCase): """Tests for build_clang.""" def test_build_clang_test(self): """Tests that build_clang works as intended.""" with mock.patch('subprocess.Popen', create_mock_popen()) as mock_popen: with mock.patch('bisect_clang.prepare_build', mock_prepare_build_impl): llvm_src_dir = '/src/llvm-project' bisect_clang.build_clang(llvm_src_dir) self.assertEqual([['ninja', '-C', '/work/llvm-build', 'install']], mock_popen.commands) class GitRepoTest(BisectClangTestMixin, unittest.TestCase): """Tests for GitRepo.""" # TODO(metzman): Mock filesystem. Until then, use a real directory. def setUp(self): super().setUp() self.git = bisect_clang.GitRepo(LLVM_REPO_PATH) self.good_commit = 'good_commit' self.bad_commit = 'bad_commit' self.test_command = 'testcommand' def test_do_command(self): """Test do_command creates a new process as intended.""" # TODO(metzman): Test directory changing behavior. command = ['subcommand', '--option'] with mock.patch('subprocess.Popen', create_mock_popen()) as mock_popen: self.git.do_command(command) self.assertEqual([get_git_command('subcommand', '--option')], mock_popen.commands) def _test_test_start_commit_unexpected(self, label, commit, returncode): """Tests test_start_commit works as intended when the test returns an unexpected value.""" def mock_execute_impl(command, *args, **kwargs): # pylint: disable=unused-argument if command == self.test_command: return returncode, '', '' return 0, '', '' with mock.patch('bisect_clang.execute', mock_execute_impl): with mock.patch('bisect_clang.prepare_build', mock_prepare_build_impl): with self.assertRaises(bisect_clang.BisectError): self.git.test_start_commit(commit, label, self.test_command) def test_test_start_commit_bad_zero(self): """Tests test_start_commit works as intended when the test on the first bad commit returns 0.""" self._test_test_start_commit_unexpected('bad', self.bad_commit, 0) def test_test_start_commit_good_nonzero(self): """Tests test_start_commit works as intended when the test on the first good commit returns nonzero.""" self._test_test_start_commit_unexpected('good', self.good_commit, 1) def test_test_start_commit_good_zero(self): """Tests test_start_commit works as intended when the test on the first good commit returns 0.""" self._test_test_start_commit_expected('good', self.good_commit, 0) # pylint: disable=no-value-for-parameter @mock.patch('bisect_clang.build_clang') def _test_test_start_commit_expected(self, label, commit, returncode, mock_build_clang): """Tests test_start_commit works as intended when the test returns an expected value.""" command_args = [] def mock_execute_impl(command, *args, **kwargs): # pylint: disable=unused-argument command_args.append(command) if command == self.test_command: return returncode, '', '' return 0, '', '' with mock.patch('bisect_clang.execute', mock_execute_impl): self.git.test_start_commit(commit, label, self.test_command) self.assertEqual([ get_git_command('checkout', commit), self.test_command, get_git_command('bisect', label) ], command_args) mock_build_clang.assert_called_once_with(LLVM_REPO_PATH) def test_test_start_commit_bad_nonzero(self): """Tests test_start_commit works as intended when the test on the first bad commit returns nonzero.""" self._test_test_start_commit_expected('bad', self.bad_commit, 1) # pylint: disable=no-value-for-parameter @mock.patch('bisect_clang.GitRepo.test_start_commit') def test_bisect_start(self, mock_test_start_commit): """Tests bisect_start works as intended.""" with mock.patch('subprocess.Popen', create_mock_popen()) as mock_popen: self.git.bisect_start(self.good_commit, self.bad_commit, self.test_command) self.assertEqual(get_git_command('bisect', 'start'), mock_popen.commands[0]) mock_test_start_commit.assert_has_calls([ mock.call('bad_commit', 'bad', 'testcommand'), mock.call('good_commit', 'good', 'testcommand') ]) def test_do_bisect_command(self): """Test do_bisect_command executes a git bisect subcommand as intended.""" subcommand = 'subcommand' with mock.patch('subprocess.Popen', create_mock_popen()) as mock_popen: self.git.do_bisect_command(subcommand) self.assertEqual([get_git_command('bisect', subcommand)], mock_popen.commands) @mock.patch('bisect_clang.build_clang') def _test_test_commit(self, label, output, returncode, mock_build_clang): """Test test_commit works as intended.""" command_args = [] def mock_execute_impl(command, *args, **kwargs): # pylint: disable=unused-argument command_args.append(command) if command == self.test_command: return returncode, output, '' return 0, output, '' with mock.patch('bisect_clang.execute', mock_execute_impl): result = self.git.test_commit(self.test_command) self.assertEqual([self.test_command, get_git_command('bisect', label)], command_args) mock_build_clang.assert_called_once_with(LLVM_REPO_PATH) return result def test_test_commit_good(self): """Test test_commit labels a good commit as good.""" self.assertIsNone(self._test_test_commit('good', '', 0)) # pylint: disable=no-value-for-parameter def test_test_commit_bad(self): """Test test_commit labels a bad commit as bad.""" self.assertIsNone(self._test_test_commit('bad', '', 1)) # pylint: disable=no-value-for-parameter def test_test_commit_culprit(self): """Test test_commit returns the culprit""" test_data = read_test_data('culprit-commit.txt') self.assertEqual('ac9ee01fcbfac745aaedca0393a8e1c8a33acd8d', self._test_test_commit('good', test_data, 0)) # pylint: disable=no-value-for-parameter class GetTargetArchToBuildTest(unittest.TestCase): """Tests for get_target_arch_to_build.""" def test_unrecognized(self): """Test that an unrecognized architecture raises an exception.""" with mock.patch('bisect_clang.execute') as mock_execute: mock_execute.return_value = (None, 'mips', None) with self.assertRaises(Exception): bisect_clang.get_clang_target_arch() def test_recognized(self): """Test that a recognized architecture returns the expected value.""" arch_pairs = {'x86_64': 'X86', 'aarch64': 'AArch64'} for uname_result, clang_target in arch_pairs.items(): with mock.patch('bisect_clang.execute') as mock_execute: mock_execute.return_value = (None, uname_result, None) self.assertEqual(clang_target, bisect_clang.get_clang_target_arch()) ================================================ FILE: infra/base-images/base-builder/cargo ================================================ #!/bin/bash -eu # Copyright 2020 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # This is a wrapper around calling cargo # This just expands RUSTFLAGS in case of a coverage build # We need this until https://github.com/rust-lang/cargo/issues/5450 is merged # because cargo uses relative paths for the current crate # and absolute paths for its dependencies # ################################################################################ if [ "$SANITIZER" = "coverage" ] && [ $1 = "build" ] then crate_src_abspath=`cargo metadata --no-deps --format-version 1 | jq -r '.workspace_root'` export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix src=$crate_src_abspath/src" fi if [ "$SANITIZER" = "coverage" ] && [ $1 = "fuzz" ] && [ $2 = "build" ] then # hack to turn cargo fuzz build into cargo build so as to get coverage # cargo fuzz adds "--target" "x86_64-unknown-linux-gnu" ( # go into fuzz directory if not already the case cd fuzz || true fuzz_src_abspath=`pwd` # Default directory is fuzz_targets, but some projects like image-rs use fuzzers. while read i; do export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix $i=$fuzz_src_abspath/$i" # Bash while syntax so that we modify RUSTFLAGS in main shell instead of a subshell. done <<< "$(find . -name "*.rs" | cut -d/ -f2 | uniq)" # we do not want to trigger debug assertions and stops export RUSTFLAGS="$RUSTFLAGS -C debug-assertions=no" # do not optimize with --release, leading to Malformed instrumentation profile data cargo build --bins # copies the build output in the expected target directory cd `cargo metadata --format-version 1 --no-deps | jq -r '.target_directory'` mkdir -p x86_64-unknown-linux-gnu/release cp -r debug/* x86_64-unknown-linux-gnu/release/ ) exit 0 fi /rust/bin/cargo "$@" ================================================ FILE: infra/base-images/base-builder/compile ================================================ #!/bin/bash -eu # Copyright 2016 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ echo "---------------------------------------------------------------" sysctl -w vm.mmap_rnd_bits=28 OSS_FUZZ_ON_DEMAND="${OSS_FUZZ_ON_DEMAND:-0}" # Used for Rust introspector builds RUST_SANITIZER=$SANITIZER if [ "$FUZZING_LANGUAGE" = "jvm" ]; then if [ "$SANITIZER" != "address" ] && [ "$SANITIZER" != "coverage" ] && [ "$SANITIZER" != "undefined" ] && [ "$SANITIZER" != "none" ] && [ "$SANITIZER" != "introspector" ]; then echo "ERROR: JVM projects can be fuzzed with AddressSanitizer or UndefinedBehaviorSanitizer or Introspector only." exit 1 fi if [ "$ARCHITECTURE" != "x86_64" ]; then echo "ERROR: JVM projects can be fuzzed on x86_64 architecture only." exit 1 fi fi if [ "$FUZZING_LANGUAGE" = "rust" ]; then if [ "$SANITIZER" = "introspector" ]; then # introspector sanitizer flag will cause cargo build to fail. Rremove it # temporarily, RUST_SANITIZER will hold the original sanitizer. export SANITIZER=address fi fi if [ "$FUZZING_LANGUAGE" = "javascript" ]; then if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then echo "ERROR: JavaScript projects can be fuzzed with libFuzzer engine only." exit 1 fi if [ "$SANITIZER" != "coverage" ] && [ "$SANITIZER" != "none" ]; then echo "ERROR: JavaScript projects cannot be fuzzed with sanitizers." exit 1 fi if [ "$ARCHITECTURE" != "x86_64" ]; then echo "ERROR: JavaScript projects can be fuzzed on x86_64 architecture only." exit 1 fi fi if [ "$FUZZING_LANGUAGE" = "python" ]; then if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then echo "ERROR: Python projects can be fuzzed with libFuzzer engine only." exit 1 fi if [ "$SANITIZER" != "address" ] && [ "$SANITIZER" != "undefined" ] && [ "$SANITIZER" != "coverage" ] && [ "$SANITIZER" != "introspector" ]; then echo "ERROR: Python projects can be fuzzed with AddressSanitizer or UndefinedBehaviorSanitizer or Coverage or Fuzz Introspector only." exit 1 fi if [ "$ARCHITECTURE" != "x86_64" ]; then echo "ERROR: Python projects can be fuzzed on x86_64 architecture only." exit 1 fi fi if [ -z "${SANITIZER_FLAGS-}" ]; then FLAGS_VAR="SANITIZER_FLAGS_${SANITIZER}" export SANITIZER_FLAGS=${!FLAGS_VAR-} fi if [[ $ARCHITECTURE == "i386" ]]; then export CFLAGS="-m32 $CFLAGS" cp -R /usr/i386/lib/* /usr/local/lib cp -R /usr/i386/include/* /usr/local/include fi # Don't use a fuzzing engine with Jazzer which has libFuzzer built-in or with # FuzzBench which will provide the fuzzing engine. if [[ $FUZZING_ENGINE != "none" ]] && [[ $FUZZING_LANGUAGE != "jvm" ]] && [[ "${OSS_FUZZ_ON_DEMAND}" == "0" ]] ; then # compile script might override environment, use . to call it. . compile_${FUZZING_ENGINE} fi if [[ $SANITIZER_FLAGS = *sanitize=memory* ]] then # Take all libraries from lib/msan # export CXXFLAGS_EXTRA="-L/usr/msan/lib $CXXFLAGS_EXTRA" cp -R /usr/msan/lib/* /usr/local/lib/x86_64-unknown-linux-gnu/ cp -R /usr/msan/include/* /usr/local/include echo 'Building without MSan instrumented libraries.' fi # Coverage flag overrides. COVERAGE_FLAGS_VAR="COVERAGE_FLAGS_${SANITIZER}" if [[ -n ${!COVERAGE_FLAGS_VAR+x} ]] then export COVERAGE_FLAGS="${!COVERAGE_FLAGS_VAR}" fi # Only need the default coverage instrumentation for libFuzzer or honggfuzz. # Other engines bring their own. if [ $FUZZING_ENGINE = "none" ] || [ $FUZZING_ENGINE = "afl" ] || [ $FUZZING_ENGINE = "centipede" ] || [ "${OSS_FUZZ_ON_DEMAND}" != "0" ]; then export COVERAGE_FLAGS= fi # Rust does not support sanitizers and coverage flags via CFLAGS/CXXFLAGS, so # use RUSTFLAGS. # FIXME: Support code coverage once support is in. # See https://github.com/rust-lang/rust/issues/34701. if [ "$RUST_SANITIZER" == "introspector" ]; then export RUSTFLAGS="-Cdebuginfo=2 -Cforce-frame-pointers" elif [ "$SANITIZER" != "undefined" ] && [ "$SANITIZER" != "coverage" ] && [ "$SANITIZER" != "none" ] && [ "$ARCHITECTURE" != 'i386' ]; then export RUSTFLAGS="--cfg fuzzing -Zsanitizer=${SANITIZER} -Cdebuginfo=1 -Cforce-frame-pointers" else export RUSTFLAGS="--cfg fuzzing -Cdebuginfo=1 -Cforce-frame-pointers" fi if [ "$SANITIZER" = "coverage" ] then # link to C++ from comment in f5098035eb1a14aa966c8651d88ea3d64323823d export RUSTFLAGS="$RUSTFLAGS -Cinstrument-coverage -C link-arg=-lc++" fi # Add Rust libfuzzer flags. # See https://github.com/rust-fuzz/libfuzzer/blob/master/build.rs#L12. export CUSTOM_LIBFUZZER_PATH="$LIB_FUZZING_ENGINE_DEPRECATED" export CUSTOM_LIBFUZZER_STD_CXX=c++ export CFLAGS="$CFLAGS $SANITIZER_FLAGS $COVERAGE_FLAGS" export CXXFLAGS="$CFLAGS $CXXFLAGS_EXTRA" if [ "$SANITIZER" = "undefined" ]; then # Disable "function" sanitizer for C code for now, because many projects, # possibly via legacy C code are affected. # The projects should be fixed and this workaround be removed in the future. # TODO(#11778): # https://github.com/google/oss-fuzz/issues/11778 export CFLAGS="$CFLAGS -fno-sanitize=function" fi if [ "$FUZZING_LANGUAGE" = "go" ]; then # required by Go 1.20 export CXX="${CXX} -lresolv" fi if [ "$FUZZING_LANGUAGE" = "python" ]; then sanitizer_with_fuzzer_lib_dir=`python3 -c "import atheris; import os; print(atheris.path())"` sanitizer_with_fuzzer_output_lib=$OUT/sanitizer_with_fuzzer.so if [ "$SANITIZER" = "address" ]; then cp $sanitizer_with_fuzzer_lib_dir/asan_with_fuzzer.so $sanitizer_with_fuzzer_output_lib elif [ "$SANITIZER" = "undefined" ]; then cp $sanitizer_with_fuzzer_lib_dir/ubsan_with_fuzzer.so $sanitizer_with_fuzzer_output_lib fi # Disable leak checking as it is unsupported. export CFLAGS="$CFLAGS -fno-sanitize=function,leak,vptr," export CXXFLAGS="$CXXFLAGS -fno-sanitize=function,leak,vptr" fi # Copy latest llvm-symbolizer in $OUT for stack symbolization. cp $(which llvm-symbolizer) $OUT/ # Copy Jazzer to $OUT if needed. if [ "$FUZZING_LANGUAGE" = "jvm" ]; then cp $(which jazzer_agent_deploy.jar) $(which jazzer_driver) $(which jazzer_junit.jar) $OUT/ jazzer_driver_with_sanitizer=$OUT/jazzer_driver_with_sanitizer if [ "$SANITIZER" = "address" ]; then cat > $jazzer_driver_with_sanitizer << 'EOF' #!/bin/bash this_dir=$(dirname "$0") "$this_dir/jazzer_driver" --asan "$@" EOF elif [ "$SANITIZER" = "undefined" ]; then cat > $jazzer_driver_with_sanitizer << 'EOF' #!/bin/bash this_dir=$(dirname "$0") "$this_dir/jazzer_driver" --ubsan "$@" EOF elif [ "$SANITIZER" = "coverage" ] || [ "$SANITIZER" = "introspector" ]; then # Coverage & introspector builds require no instrumentation. cp $(which jazzer_driver) $jazzer_driver_with_sanitizer fi chmod +x $jazzer_driver_with_sanitizer # Disable leak checking since the JVM triggers too many false positives. export CFLAGS="$CFLAGS -fno-sanitize=leak" export CXXFLAGS="$CXXFLAGS -fno-sanitize=leak" fi if [ "$SANITIZER" = "introspector" ] || [ "$RUST_SANITIZER" = "introspector" ]; then export AR=llvm-ar export NM=llvm-nm export RANLIB=llvm-ranlib export CFLAGS="$CFLAGS -g" export CXXFLAGS="$CXXFLAGS -g" export FI_BRANCH_PROFILE=1 export FUZZ_INTROSPECTOR=1 export FUZZ_INTROSPECTOR_AUTO_FUZZ=1 # Move ar and ranlib mv /usr/bin/ar /usr/bin/old-ar mv /usr/bin/nm /usr/bin/old-nm mv /usr/bin/ranlib /usr/bin/old-ranlib ln -sf /usr/local/bin/llvm-ar /usr/bin/ar ln -sf /usr/local/bin/llvm-nm /usr/bin/nm ln -sf /usr/local/bin/llvm-ranlib /usr/bin/ranlib apt-get install -y libjpeg-dev zlib1g-dev libyaml-dev python3 -m pip install --upgrade pip setuptools python3 -m pip install cxxfilt pyyaml beautifulsoup4 lxml soupsieve rust-demangler python3 -m pip install --prefer-binary matplotlib # Install Fuzz-Introspector pushd /fuzz-introspector/src python3 -m pip install -e . popd if [ "$FUZZING_LANGUAGE" = "python" ]; then python3 /fuzz-introspector/src/main.py light --language=python cp -rf $SRC/inspector/ /tmp/inspector-saved elif [ "$FUZZING_LANGUAGE" = "jvm" ]; then python3 /fuzz-introspector/src/main.py light --language=jvm cp -rf $SRC/inspector/ /tmp/inspector-saved elif [ "$FUZZING_LANGUAGE" = "rust" ]; then python3 /fuzz-introspector/src/main.py light --language=rust cp -rf $SRC/inspector/ /tmp/inspector-saved else python3 /fuzz-introspector/src/main.py light # Make a copy of the light. This is needed because we run two versions of # introspector: one based on pure statis analysis and one based on # regular LTO. cp -rf $SRC/inspector/ /tmp/inspector-saved # Move coverage report. if [ -d "$OUT/textcov_reports" ] then find $OUT/textcov_reports/ -name "*.covreport" -exec cp {} $SRC/inspector/ \; find $OUT/textcov_reports/ -name "*.json" -exec cp {} $SRC/inspector/ \; fi # Make fuzz-introspector HTML report using light approach. REPORT_ARGS="--name=$PROJECT_NAME" # Only pass coverage_url when COVERAGE_URL is set (in cloud builds) if [[ ! -z "${COVERAGE_URL+x}" ]]; then REPORT_ARGS="$REPORT_ARGS --coverage-url=${COVERAGE_URL}" fi # Run pure static analysis fuzz introspector fuzz-introspector full --target-dir=$SRC \ --language=${FUZZING_LANGUAGE} \ --out-dir=$SRC/inspector \ ${REPORT_ARGS} fi rsync -avu --delete "$SRC/inspector/" "$OUT/inspector" fi echo "---------------------------------------------------------------" echo "CC=$CC" echo "CXX=$CXX" echo "CFLAGS=$CFLAGS" echo "CXXFLAGS=$CXXFLAGS" echo "RUSTFLAGS=$RUSTFLAGS" echo "---------------------------------------------------------------" if [ "${OSS_FUZZ_ON_DEMAND}" != "0" ]; then fuzzbench_build cp $(which llvm-symbolizer) $OUT/ exit 0 fi # Prepare the build command to run the project's build script. if [[ ! -z "${REPLAY_ENABLED-}" ]]; then # If this is a replay, then use replay_build.sh. This is expected to be # running in a cached container where a build has already happened prior. BUILD_CMD="bash -eux $SRC/replay_build.sh $@" else BUILD_CMD="bash -eux $SRC/build.sh $@" fi # Set +u temporarily to continue even if GOPATH and OSSFUZZ_RUSTPATH are undefined. set +u # We need to preserve source code files for generating a code coverage report. # We need exact files that were compiled, so copy both $SRC and $WORK dirs. COPY_SOURCES_CMD="cp -rL --parents $SRC $WORK /usr/include /usr/local/include $GOPATH $OSSFUZZ_RUSTPATH /rustc $OUT" set -u if [ "$FUZZING_LANGUAGE" = "rust" ]; then # Copy rust std lib to its path with a hash. export rustch=`rustc --version --verbose | grep commit-hash | cut -d' ' -f2` mkdir -p /rustc/$rustch/ export rustdef=`rustup toolchain list | grep default | cut -d' ' -f1` cp -r /rust/rustup/toolchains/$rustdef/lib/rustlib/src/rust/library/ /rustc/$rustch/ fi if [ "${BUILD_UID-0}" -ne "0" ]; then adduser -u $BUILD_UID --disabled-password --gecos '' builder chown -R builder $SRC $OUT $WORK su -c "$BUILD_CMD" builder if [ "$SANITIZER" = "coverage" ]; then # Some directories have broken symlinks (e.g. honggfuzz), ignore the errors. su -c "$COPY_SOURCES_CMD" builder 2>/dev/null || true fi else $BUILD_CMD if [ "$SANITIZER" = "coverage" ]; then # Some directories have broken symlinks (e.g. honggfuzz), ignore the errors. $COPY_SOURCES_CMD 2>/dev/null || true fi fi if [ "$SANITIZER" = "introspector" ] || [ "$RUST_SANITIZER" = "introspector" ]; then unset CXXFLAGS unset CFLAGS export G_ANALYTICS_TAG="G-8WTFM1Y62J" # If we get to here, it means the e.g. LTO had no problems and succeeded. # TO this end, we wlil restore the original light analysis and used the # LTO processing itself. rm -rf $SRC/inspector cp -rf /tmp/inspector-saved $SRC/inspector cd /fuzz-introspector/src python3 -m pip install -e . cd /src/ if [ "$FUZZING_LANGUAGE" = "rust" ]; then # Restore the sanitizer flag for rust export SANITIZER="introspector" fi mkdir -p $SRC/inspector find $SRC/ -name "fuzzerLogFile-*.data" -exec cp {} $SRC/inspector/ \; find $SRC/ -name "fuzzerLogFile-*.data.yaml" -exec cp {} $SRC/inspector/ \; find $SRC/ -name "fuzzerLogFile-*.data.debug_*" -exec cp {} $SRC/inspector/ \; find $SRC/ -name "allFunctionsWithMain-*.yaml" -exec cp {} $SRC/inspector/ \; # Move coverage report. if [ -d "$OUT/textcov_reports" ] then find $OUT/textcov_reports/ -name "*.covreport" -exec cp {} $SRC/inspector/ \; find $OUT/textcov_reports/ -name "*.json" -exec cp {} $SRC/inspector/ \; fi cd $SRC/inspector # Make fuzz-introspector HTML report. REPORT_ARGS="--name=$PROJECT_NAME" # Only pass coverage_url when COVERAGE_URL is set (in cloud builds) if [[ ! -z "${COVERAGE_URL+x}" ]]; then REPORT_ARGS="$REPORT_ARGS --coverage-url=${COVERAGE_URL}" fi # Do different things depending on languages if [ "$FUZZING_LANGUAGE" = "python" ]; then echo "GOING python route" set -x REPORT_ARGS="$REPORT_ARGS --target-dir=$SRC/inspector" REPORT_ARGS="$REPORT_ARGS --language=python" fuzz-introspector report $REPORT_ARGS rsync -avu --delete "$SRC/inspector/" "$OUT/inspector" elif [ "$FUZZING_LANGUAGE" = "jvm" ]; then echo "GOING jvm route" set -x find $OUT/ -name "jacoco.xml" -exec cp {} $SRC/inspector/ \; REPORT_ARGS="$REPORT_ARGS --target-dir=$SRC --out-dir=$SRC/inspector" REPORT_ARGS="$REPORT_ARGS --language=jvm" fuzz-introspector full $REPORT_ARGS rsync -avu --delete "$SRC/inspector/" "$OUT/inspector" elif [ "$FUZZING_LANGUAGE" = "rust" ]; then echo "GOING rust route" REPORT_ARGS="$REPORT_ARGS --target-dir=$SRC --out-dir=$SRC/inspector" REPORT_ARGS="$REPORT_ARGS --language=rust" fuzz-introspector full $REPORT_ARGS rsync -avu --delete "$SRC/inspector/" "$OUT/inspector" else # C/C++ mkdir -p $SRC/inspector # Correlate fuzzer binaries to fuzz-introspector's raw data fuzz-introspector correlate --binaries-dir=$OUT/ # Generate fuzz-introspector HTML report, this generates # the file exe_to_fuzz_introspector_logs.yaml REPORT_ARGS="$REPORT_ARGS --target-dir=$SRC/inspector" # Use the just-generated correlation file REPORT_ARGS="$REPORT_ARGS --correlation-file=exe_to_fuzz_introspector_logs.yaml" fuzz-introspector report $REPORT_ARGS rsync -avu --delete "$SRC/inspector/" "$OUT/inspector" fi fi ================================================ FILE: infra/base-images/base-builder/compile_afl ================================================ #!/bin/bash -eu # Copyright 2016 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ # If LLVM once again does weird changes then enable this: #export AFL_LLVM_INSTRUMENT=LLVM-NATIVE # AFL++ setup echo "Copying precompiled AFL++" # Copy AFL++ tools necessary for fuzzing. pushd $SRC/aflplusplus > /dev/null cp -f libAFLDriver.a $LIB_FUZZING_ENGINE # Some important projects include libraries, copy those even when they don't # start with "afl-". Use "sort -u" to avoid a warning about duplicates. ls afl-* *.txt *.a *.o *.so | sort -u | xargs cp -t $OUT export CC="$SRC/aflplusplus/afl-clang-fast" export CXX="$SRC/aflplusplus/afl-clang-fast++" # Set sane AFL++ environment defaults: # Be quiet, otherwise this can break some builds. export AFL_QUIET=1 # No leak errors during builds. export ASAN_OPTIONS="detect_leaks=0:symbolize=0:detect_odr_violation=0:abort_on_error=1" # Do not abort on any problems (because this is during build where it is ok) export AFL_IGNORE_PROBLEMS=1 # No complain on unknown AFL environment variables export AFL_IGNORE_UNKNOWN_ENVS=1 # Provide a way to document the AFL++ options used in this build: echo echo AFL++ target compilation setup: env | egrep '^AFL_' | tee "$OUT/afl_options.txt" echo popd > /dev/null echo " done." ================================================ FILE: infra/base-images/base-builder/compile_centipede ================================================ #!/bin/bash -eu # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ echo "Skipping compilation; using precompiled centipede" if [[ "$SANITIZER" == 'none' ]]; then cp "$CENTIPEDE_BIN_DIR/centipede" "$OUT" fi cp "$CENTIPEDE_BIN_DIR/libcentipede_runner.pic.a" "$LIB_FUZZING_ENGINE" export CENTIPEDE_FLAGS=`cat "$SRC/fuzztest/centipede/clang-flags.txt" | tr '\n' ' '` export LIBRARIES_FLAGS="-Wno-unused-command-line-argument -Wl,-ldl -Wl,-lrt -Wl,-lpthread -Wl,$SRC/fuzztest/centipede/weak.o" export CFLAGS="$CFLAGS $CENTIPEDE_FLAGS $LIBRARIES_FLAGS" export CXXFLAGS="$CXXFLAGS $CENTIPEDE_FLAGS $LIBRARIES_FLAGS" echo 'done.' ================================================ FILE: infra/base-images/base-builder/compile_fuzztests.sh ================================================ #!/bin/bash -eu # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ set -x # In order to identify fuzztest test case "bazel query" is used to search # the project. A search of the entire project is done with a default "...", # however, some projects may fail to, or have very long processing time, if # searching the entire project. Additionally, it may include fuzzers in # dependencies, which should not be build as part of a given project. # Tensorflow is an example project that will fail when the entire project is # queried. FUZZTEST_TARGET_FOLDER makes it posible to specify the folder # where fuzztest fuzzers should be search for. FUZZTEST_TARGET_FOLDER is passed # to "bazel query" below. if [[ ${FUZZTEST_TARGET_FOLDER:-"unset"} == "unset" ]]; then export TARGET_FOLDER="..." else TARGET_FOLDER=${FUZZTEST_TARGET_FOLDER} fi BUILD_ARGS="--config=oss-fuzz --subcommands" if [[ ${FUZZTEST_EXTRA_ARGS:-"unset"} != "unset" ]]; then BUILD_ARGS="$BUILD_ARGS ${FUZZTEST_EXTRA_ARGS}" fi # Trigger setup_configs rule of fuzztest as it generates the necessary # configuration file based on OSS-Fuzz environment variables. bazel run @com_google_fuzztest//bazel:setup_configs >> /etc/bazel.bazelrc # Bazel target names of the fuzz binaries. FUZZ_TEST_BINARIES=$(bazel query "kind(\"cc_test\", rdeps(${TARGET_FOLDER}, @com_google_fuzztest//fuzztest:fuzztest_gtest_main))") # Bazel output paths of the fuzz binaries. FUZZ_TEST_BINARIES_OUT_PATHS=$(bazel cquery "kind(\"cc_test\", rdeps(${TARGET_FOLDER}, @com_google_fuzztest//fuzztest:fuzztest_gtest_main))" --output=files) # Build the project and fuzz binaries # Expose `FUZZTEST_EXTRA_TARGETS` environment variable, in the event a project # includes non-FuzzTest fuzzers then this can be used to compile these in the # same `bazel build` command as when building the FuzzTest fuzzers. # This is to avoid having to call `bazel build` twice. bazel build $BUILD_ARGS -- ${FUZZ_TEST_BINARIES[*]} ${FUZZTEST_EXTRA_TARGETS:-} # Iterate the fuzz binaries and list each fuzz entrypoint in the binary. For # each entrypoint create a wrapper script that calls into the binaries the # given entrypoint as argument. # The scripts will be named: # {binary_name}@{fuzztest_entrypoint} for fuzz_main_file in $FUZZ_TEST_BINARIES_OUT_PATHS; do FUZZ_TESTS=$($fuzz_main_file --list_fuzz_tests) cp ${fuzz_main_file} $OUT/ fuzz_basename=$(basename $fuzz_main_file) chmod -x $OUT/$fuzz_basename for fuzz_entrypoint in $FUZZ_TESTS; do TARGET_FUZZER="${fuzz_basename}@$fuzz_entrypoint" # Write executer script echo "#!/bin/sh # LLVMFuzzerTestOneInput for fuzzer detection. this_dir=\$(dirname \"\$0\") chmod +x \$this_dir/$fuzz_basename \$this_dir/$fuzz_basename --fuzz=$fuzz_entrypoint -- \$@" > $OUT/$TARGET_FUZZER chmod +x $OUT/$TARGET_FUZZER done done # Synchronise coverage directory to bazel output artifacts. This is a # best-effort basis in that it will include source code in common # bazel output folders. # For projects that store results in non-standard folders or want to # manage what code to include in the coverage report more specifically, # the FUZZTEST_DO_SYNC environment variable is made available. Projects # can then implement a custom way of synchronising source code with the # coverage build. Set FUZZTEST_DO_SYNC to something other than "yes" and # no effort will be made to automatically synchronise the source code with # the code coverage visualisation utility. if [[ "$SANITIZER" = "coverage" && ${FUZZTEST_DO_SYNC:-"yes"} == "yes" ]] then # Synchronize bazel source files to coverage collection. declare -r REMAP_PATH="${OUT}/proc/self/cwd" mkdir -p "${REMAP_PATH}" # Synchronize the folder bazel-BAZEL_OUT_PROJECT. declare -r RSYNC_FILTER_ARGS=("--include" "*.h" "--include" "*.cc" "--include" \ "*.hpp" "--include" "*.cpp" "--include" "*.c" "--include" "*/" "--include" "*.inc" \ "--exclude" "*") project_folders="$(find . -name 'bazel-*' -type l -printf '%P\n' | \ grep -v -x -F \ -e 'bazel-bin' \ -e 'bazel-testlogs')" for link in $project_folders; do if [[ -d "${PWD}"/$link/external ]] then rsync -avLk "${RSYNC_FILTER_ARGS[@]}" "${PWD}"/$link/external "${REMAP_PATH}" fi # k8-opt is a common path for storing bazel output artifacts, e.g. bazel-out/k8-opt. # It's the output folder for default amd-64 builds, but projects may specify custom # platform output directories, see: https://github.com/bazelbuild/bazel/issues/13818 # We support the default at the moment, and if a project needs custom synchronizing of # output artifacts and code coverage we currently recommend using FUZZTEST_DO_SYNC. if [[ -d "${PWD}"/$link/k8-opt ]] then rsync -avLk "${RSYNC_FILTER_ARGS[@]}" "${PWD}"/$link/k8-opt "${REMAP_PATH}"/$link fi done # Delete symlinks and sync the current folder. find . -type l -ls -delete rsync -av ${PWD}/ "${REMAP_PATH}" fi ================================================ FILE: infra/base-images/base-builder/compile_go_fuzzer ================================================ #!/bin/bash -eu # Copyright 2020 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ path=$1 function=$2 fuzzer=$3 tags="-tags gofuzz" if [[ $# -eq 4 ]]; then tags="-tags $4" fi # Import go_utils.sh SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" source "$SCRIPT_DIR/go_utils.sh" # makes directory change temporary ( cd $GOPATH/src/$path || true # in the case we are in the right directory, with go.mod but no go.sum go mod tidy || true # project was downloaded with go get if go list fails go list $tags $path || { cd $GOPATH/pkg/mod/ && cd `echo $path | cut -d/ -f1-3 | awk '{print $1"@*"}'`; } || cd - # project does not have go.mod if go list fails again go list $tags $path || { go mod init $path && go mod tidy ;} if [[ $SANITIZER = *coverage* ]]; then fuzzed_package=`go list $tags -f '{{.Name}}' $path` abspath=`go list $tags -f {{.Dir}} $path` cd $abspath cp $GOPATH/ossfuzz_coverage_runner.go ./"${function,,}"_test.go sed -i -e 's/FuzzFunction/'$function'/' ./"${function,,}"_test.go sed -i -e 's/mypackagebeingfuzzed/'$fuzzed_package'/' ./"${function,,}"_test.go sed -i -e 's/TestFuzzCorpus/Test'$function'Corpus/' ./"${function,,}"_test.go # The repo is the module path/name, which is already created above in case it doesn't exist, # but not always the same as the module path. This is necessary to handle SIV properly. fuzzed_repo=$(go list $tags -f {{.Module}} "$path") abspath_repo=`go list -m $tags -f {{.Dir}} $fuzzed_repo || go list $tags -f {{.Dir}} $fuzzed_repo` # give equivalence to absolute paths in another file, as go test -cover uses golangish pkg.Dir echo "s=$fuzzed_repo"="$abspath_repo"= > $OUT/$fuzzer.gocovpath # Additional packages for which to get coverage. pkgaddcov="" # to prevent bash from failing about unbound variable GO_COV_ADD_PKG_SET=${GO_COV_ADD_PKG:-} if [[ -n "${GO_COV_ADD_PKG_SET}" ]]; then pkgaddcov=","$GO_COV_ADD_PKG abspath_repo=`go list -m $tags -f {{.Dir}} $GO_COV_ADD_PKG || go list $tags -f {{.Dir}} $GO_COV_ADD_PKG` echo "s=^$GO_COV_ADD_PKG"="$abspath_repo"= >> $OUT/$fuzzer.gocovpath fi go test $tags \ -c \ -o $OUT/$fuzzer \ -v \ -covermode=atomic \ -coverpkg $fuzzed_repo/...$pkgaddcov \ $path function_names_file="$OUT/fuzzer_function_names.json" save_function_name "$fuzzer" "Test${function}Corpus" "$function_names_file" else # Compile and instrument all Go files relevant to this fuzz target. echo "Running go-fuzz $tags -func $function -o $fuzzer.a $path" go-fuzz $tags -func $function -o $fuzzer.a $path # Link Go code ($fuzzer.a) with fuzzing engine to produce fuzz target binary. $CXX $CXXFLAGS $LIB_FUZZING_ENGINE $fuzzer.a -o $OUT/$fuzzer fi ) ================================================ FILE: infra/base-images/base-builder/compile_honggfuzz ================================================ #!/bin/bash -eu # Copyright 2016 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ echo "Skipping compilation; using precompiled honggfuzz" cp $SRC/honggfuzz/honggfuzz.a $LIB_FUZZING_ENGINE cp $SRC/honggfuzz/honggfuzz $OUT/ # Set flags necessary for netdriver compilation. export LIB_HFND="-Wl,-u,LIBHFNETDRIVER_module_netdriver -Wl,--start-group $SRC/honggfuzz/libhfnetdriver/libhfnetdriver.a $SRC/honggfuzz/libhfcommon/libhfcommon.a -Wl,--end-group" export HFND_CXXFLAGS='-DHFND_FUZZING_ENTRY_FUNCTION_CXX(x,y)=extern const char* LIBHFNETDRIVER_module_netdriver;const char** LIBHFNETDRIVER_tmp1 = &LIBHFNETDRIVER_module_netdriver;extern "C" int HonggfuzzNetDriver_main(x,y);int HonggfuzzNetDriver_main(x,y)' export HFND_CFLAGS='-DHFND_FUZZING_ENTRY_FUNCTION(x,y)=extern const char* LIBHFNETDRIVER_module_netdriver;const char** LIBHFNETDRIVER_tmp1 = &LIBHFNETDRIVER_module_netdriver;int HonggfuzzNetDriver_main(x,y);int HonggfuzzNetDriver_main(x,y)' # Custom coverage flags, roughly in sync with: # https://github.com/google/honggfuzz/blob/oss-fuzz/hfuzz_cc/hfuzz-cc.c export COVERAGE_FLAGS="-fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp" echo " done." ================================================ FILE: infra/base-images/base-builder/compile_javascript_fuzzer ================================================ #!/bin/bash -eu # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ project=$1 # Path the fuzz target source file relative to the project's root. fuzz_target=$2 # Arguments to pass to Jazzer.js jazzerjs_args=${@:3} # Copy source code into the $OUT directory and install Jazzer.js into the project. if [ ! -d $OUT/$project ]; then cp -r $SRC/$project $OUT/$project fi fuzzer_basename=$(basename -s .js $fuzz_target) # Create an execution wrapper that executes Jazzer.js with the correct arguments. echo "#!/bin/bash # LLVMFuzzerTestOneInput so that the wrapper script is recognized as a fuzz target for 'check_build'. project_dir=\$(dirname \"\$0\")/$project \$project_dir/node_modules/@jazzer.js/core/dist/cli.js \$project_dir/$fuzz_target $jazzerjs_args \$JAZZERJS_EXTRA_ARGS -- \$@" > $OUT/$fuzzer_basename chmod +x $OUT/$fuzzer_basename ================================================ FILE: infra/base-images/base-builder/compile_libfuzzer ================================================ #!/bin/bash -eu # Copyright 2016 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ echo -n "Compiling libFuzzer to $LIB_FUZZING_ENGINE... " export LIB_FUZZING_ENGINE="-fsanitize=fuzzer" if [ "$FUZZING_LANGUAGE" = "go" ]; then export LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE $GOPATH/gosigfuzz/gosigfuzz.o" fi cp /usr/local/lib/clang/*/lib/$ARCHITECTURE-unknown-linux-gnu/libclang_rt.fuzzer.a $LIB_FUZZING_ENGINE_DEPRECATED echo " done." ================================================ FILE: infra/base-images/base-builder/compile_native_go_fuzzer ================================================ #!/bin/bash -eu # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ path=$1 function=$2 fuzzer=$3 tags="-tags gofuzz" # Get absolute path. abs_file_dir=$(go list $tags -f {{.Dir}} $path) # TODO(adamkorcz): Get rid of "-r" flag here. export fuzzer_filename=$(grep -r -l --include='*.go' -s "$function" "${abs_file_dir}") # Import build_native_go_fuzzer_legacy SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" source "$SCRIPT_DIR/go_utils.sh" # Test if file contains a line with "func $function" and "testing.F". if [ $(grep -r "func $function" $fuzzer_filename | grep "testing.F" | wc -l) -eq 1 ] then build_native_go_fuzzer_legacy $fuzzer $function $abs_file_dir $path else echo "Could not find the function: func ${function}(f *testing.F)" fi ================================================ FILE: infra/base-images/base-builder/compile_native_go_fuzzer_v2 ================================================ #!/bin/bash -eu # Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ path=$1 function=$2 fuzzer=$3 tags="-tags gofuzz" # Get absolute path. abs_file_dir=$(go list $tags -f {{.Dir}} $path) # Find the file containing the fuzzer function definition. # Search for the actual function signature with testing.F to avoid false matches # in files that only reference the function name (e.g., in comments or helper functions). export fuzzer_filename=$(grep -r -l --include='*.go' "func ${function}(.*testing\.F" "${abs_file_dir}") # Import build_native_go_fuzzer SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" source "$SCRIPT_DIR/go_utils.sh" # Verify we found exactly one file with the fuzzer function. file_count=$(echo "$fuzzer_filename" | wc -w) if [ "$file_count" -eq 1 ] && [ -n "$fuzzer_filename" ] && [ -f "$fuzzer_filename" ] then build_native_go_fuzzer $fuzzer $function $abs_file_dir $path elif [ "$file_count" -gt 1 ] then echo "Error: Found multiple files with func ${function}(f *testing.F):" echo "$fuzzer_filename" exit 1 else echo "Could not find the function: func ${function}(f *testing.F)" fi ================================================ FILE: infra/base-images/base-builder/compile_python_fuzzer ================================================ #!/bin/bash -eux # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # ################################################################################ # In order to enable PySecSan for a given module, set the environment # variable ENABLE_PYSECSAN="YES" fuzzer_path=$1 shift 1 fuzzer_basename=$(basename -s .py $fuzzer_path) fuzzer_package=${fuzzer_basename}.pkg PYFUZZ_WORKPATH=$SRC/pyfuzzworkdir/ FUZZ_WORKPATH=$PYFUZZ_WORKPATH/$fuzzer_basename if [[ $SANITIZER = *introspector* ]]; then # Extract the source package the fuzzer targets. This must happen before # we enter the virtual environment in the following lines because we need # to use the same python environment that installed the fuzzer dependencies. python3 /fuzz-introspector/frontends/python/prepare_fuzz_imports.py $fuzzer_path isossfuzz # We must ensure python3.9, this is because we use certain # AST logic from there. # The below should probably be refined apt-get install -y python3.9 apt-get update apt-get install -y python3-pip python3.9 -m pip install virtualenv python3.9 -m virtualenv .venv . .venv/bin/activate pip3 install pyyaml export PYTHONPATH="/fuzz-introspector/frontends/python/PyCG" ARGS="--fuzzer $fuzzer_path" if [ -n "${PYFUZZPACKAGE-}" ]; then ARGS="$ARGS --package=${PYFUZZPACKAGE}" fi python /fuzz-introspector/frontends/python/main.py $ARGS ls -la ./ exit 0 fi # In coverage mode prepend coverage logic to the fuzzer source if [[ $SANITIZER = *coverage* ]]; then cat <
docker run --rm -ti -v <testcase_path>:/testcase gcr.io/oss-fuzz/$PROJECT_NAME reproduce <fuzzer_name>- *Reproduce using local source checkout:*
docker run --rm -ti -v <source_path>:/src/$PROJECT_NAME \
-v <testcase_path>:/testcase gcr.io/oss-fuzz/$PROJECT_NAME \
reproduce <fuzzer_name>
================================================
FILE: infra/base-images/base-runner/bad_build_check
================================================
#!/bin/bash -u
# Copyright 2017 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
# A minimal number of runs to test fuzz target with a non-empty input.
MIN_NUMBER_OF_RUNS=4
# The "example" target has 73 with ASan, 65 with UBSan, and 6648 with MSan.
# Real world targets have greater values (arduinojson: 407, zlib: 664).
# Mercurial's bdiff_fuzzer has 116 PCs when built with ASan.
THRESHOLD_FOR_NUMBER_OF_EDGES=100
# A fuzz target is supposed to have at least two functions, such as
# LLVMFuzzerTestOneInput and an API that is being called from there.
THRESHOLD_FOR_NUMBER_OF_FUNCTIONS=2
# Threshold values for different sanitizers used by instrumentation checks.
ASAN_CALLS_THRESHOLD_FOR_ASAN_BUILD=1000
ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD=0
# The value below can definitely be higher (like 500-1000), but avoid being too
# agressive here while still evaluating the DFT-based fuzzing approach.
DFSAN_CALLS_THRESHOLD_FOR_DFSAN_BUILD=100
DFSAN_CALLS_THRESHOLD_FOR_NON_DFSAN_BUILD=0
MSAN_CALLS_THRESHOLD_FOR_MSAN_BUILD=1000
# Some engines (e.g. honggfuzz) may make a very small number of calls to msan
# for memory poisoning.
MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD=3
# Usually, a non UBSan build (e.g. ASan) has 165 calls to UBSan runtime. The
# majority of targets built with UBSan have 200+ UBSan calls, but there are
# some very small targets that may have < 200 UBSan calls even in a UBSan build.
# Use the threshold value of 168 (slightly > 165) for UBSan build.
UBSAN_CALLS_THRESHOLD_FOR_UBSAN_BUILD=168
# It would be risky to use the threshold value close to 165 for non UBSan build,
# as UBSan runtime may change any time and thus we could have different number
# of calls to UBSan runtime even in ASan build. With that, we use the threshold
# value of 200 that would detect unnecessary UBSan instrumentation in the vast
# majority of targets, except of a handful very small ones, which would not be
# a big concern either way as the overhead for them would not be significant.
UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD=200
# ASan builds on i386 generally have about 250 UBSan runtime calls.
if [[ $ARCHITECTURE == 'i386' ]]
then
UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD=280
fi
# Verify that the given fuzz target is correctly built to run with a particular
# engine.
function check_engine {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
local CHECK_FAILED=0
if [[ "$FUZZING_ENGINE" == libfuzzer ]]; then
# Store fuzz target's output into a temp file to be used for further checks.
$FUZZER -- -seed=1337 -runs=$MIN_NUMBER_OF_RUNS &>$FUZZER_OUTPUT
CHECK_FAILED=$(egrep "ERROR: no interesting inputs were found. Is the code instrumented" -c $FUZZER_OUTPUT)
if (( $CHECK_FAILED > 0 )); then
echo "BAD BUILD: $FUZZER does not seem to have coverage instrumentation."
cat $FUZZER_OUTPUT
# Bail out as the further check does not make any sense, there are 0 PCs.
return 1
fi
local NUMBER_OF_EDGES=$(grep -Po "INFO: Loaded [[:digit:]]+ module.*\(.*(counters|guards)\):[[:space:]]+\K[[:digit:]]+" $FUZZER_OUTPUT)
# If a fuzz target fails to start, grep won't find anything, so bail out early to let check_startup_crash deal with it.
[[ -z "$NUMBER_OF_EDGES" ]] && return
if (( $NUMBER_OF_EDGES < $THRESHOLD_FOR_NUMBER_OF_EDGES )); then
echo "BAD BUILD: $FUZZER seems to have only partial coverage instrumentation."
fi
elif [[ "$FUZZING_ENGINE" == afl ]]; then
AFL_FORKSRV_INIT_TMOUT=30000 AFL_NO_UI=1 SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 35s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
CHECK_PASSED=$(egrep "All set and ready to roll" -c $FUZZER_OUTPUT)
if (( $CHECK_PASSED == 0 )); then
echo "BAD BUILD: fuzzing $FUZZER with afl-fuzz failed."
cat $FUZZER_OUTPUT
return 1
fi
elif [[ "$FUZZING_ENGINE" == honggfuzz ]]; then
SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
CHECK_PASSED=$(egrep "^Sz:[0-9]+ Tm:[0-9]+" -c $FUZZER_OUTPUT)
if (( $CHECK_PASSED == 0 )); then
echo "BAD BUILD: fuzzing $FUZZER with honggfuzz failed."
cat $FUZZER_OUTPUT
return 1
fi
elif [[ "$FUZZING_ENGINE" == dataflow ]]; then
$FUZZER &> $FUZZER_OUTPUT
local NUMBER_OF_FUNCTIONS=$(grep -Po "INFO:\s+\K[[:digit:]]+(?=\s+instrumented function.*)" $FUZZER_OUTPUT)
[[ -z "$NUMBER_OF_FUNCTIONS" ]] && NUMBER_OF_FUNCTIONS=0
if (( $NUMBER_OF_FUNCTIONS < $THRESHOLD_FOR_NUMBER_OF_FUNCTIONS )); then
echo "BAD BUILD: $FUZZER does not seem to be properly built in 'dataflow' config."
cat $FUZZER_OUTPUT
return 1
fi
elif [[ "$FUZZING_ENGINE" == centipede \
&& ("${HELPER:-}" == True || "$SANITIZER" == none ) ]]; then
# Performs run test on unsanitized binaries with auxiliary sanitized
# binaries if they are built with helper.py.
# Performs run test on unsanitized binaries without auxiliary sanitized
# binaries if they are from trial build and production build.
# TODO(Dongge): Support run test with sanitized binaries for trial and
# production build.
SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
CHECK_PASSED=$(egrep "\[S0.0] begin-fuzz: ft: 0 corp: 0/0" -c $FUZZER_OUTPUT)
if (( $CHECK_PASSED == 0 )); then
echo "BAD BUILD: fuzzing $FUZZER with centipede failed."
cat $FUZZER_OUTPUT
return 1
fi
fi
return 0
}
# Verify that the given fuzz target has been built properly and works.
function check_startup_crash {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
local CHECK_PASSED=0
if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
# Skip seed corpus as there is another explicit check that uses seed corpora.
SKIP_SEED_CORPUS=1 run_fuzzer $FUZZER_NAME -seed=1337 -runs=$MIN_NUMBER_OF_RUNS &>$FUZZER_OUTPUT
CHECK_PASSED=$(egrep "Done $MIN_NUMBER_OF_RUNS runs" -c $FUZZER_OUTPUT)
elif [[ "$FUZZING_ENGINE" = afl ]]; then
AFL_FORKSRV_INIT_TMOUT=30000 AFL_NO_UI=1 SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 35s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
if [ $(egrep "target binary (crashed|terminated)" -c $FUZZER_OUTPUT) -eq 0 ]; then
CHECK_PASSED=1
fi
elif [[ "$FUZZING_ENGINE" = dataflow ]]; then
# TODO(https://github.com/google/oss-fuzz/issues/1632): add check for
# binaries compiled with dataflow engine when the interface becomes stable.
CHECK_PASSED=1
else
# TODO: add checks for another fuzzing engines if possible.
CHECK_PASSED=1
fi
if [ "$CHECK_PASSED" -eq "0" ]; then
echo "BAD BUILD: $FUZZER seems to have either startup crash or exit:"
cat $FUZZER_OUTPUT
return 1
fi
return 0
}
# Mixed sanitizers check for ASan build.
function check_asan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local DFSAN_CALLS=$3
local MSAN_CALLS=$4
local UBSAN_CALLS=$5
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS < $ASAN_CALLS_THRESHOLD_FOR_ASAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with ASan."
return 1
fi
if (( $DFSAN_CALLS > $DFSAN_CALLS_THRESHOLD_FOR_NON_DFSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with DFSan."
return 1
fi
if (( $MSAN_CALLS > $MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with MSan."
return 1
fi
if (( $UBSAN_CALLS > $UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with UBSan."
return 1
fi
return 0
}
# Mixed sanitizers check for DFSan build.
function check_dfsan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local DFSAN_CALLS=$3
local MSAN_CALLS=$4
local UBSAN_CALLS=$5
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS > $ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD )); then
echo "BAD BUILD: DFSan build of $FUZZER seems to be compiled with ASan."
return 1
fi
if (( $DFSAN_CALLS < $DFSAN_CALLS_THRESHOLD_FOR_DFSAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with DFSan."
return 1
fi
if (( $MSAN_CALLS > $MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with MSan."
return 1
fi
if (( $UBSAN_CALLS > $UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with UBSan."
return 1
fi
return 0
}
# Mixed sanitizers check for MSan build.
function check_msan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local DFSAN_CALLS=$3
local MSAN_CALLS=$4
local UBSAN_CALLS=$5
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS > $ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD )); then
echo "BAD BUILD: MSan build of $FUZZER seems to be compiled with ASan."
return 1
fi
if (( $DFSAN_CALLS > $DFSAN_CALLS_THRESHOLD_FOR_NON_DFSAN_BUILD )); then
echo "BAD BUILD: MSan build of $FUZZER seems to be compiled with DFSan."
return 1
fi
if (( $MSAN_CALLS < $MSAN_CALLS_THRESHOLD_FOR_MSAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with MSan."
return 1
fi
if (( $UBSAN_CALLS > $UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD )); then
echo "BAD BUILD: MSan build of $FUZZER seems to be compiled with UBSan."
return 1
fi
return 0
}
# Mixed sanitizers check for UBSan build.
function check_ubsan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local DFSAN_CALLS=$3
local MSAN_CALLS=$4
local UBSAN_CALLS=$5
if [[ "$FUZZING_ENGINE" != libfuzzer ]]; then
# Ignore UBSan checks for fuzzing engines other than libFuzzer because:
# A) we (probably) are not going to use those with UBSan
# B) such builds show indistinguishable number of calls to UBSan
return 0
fi
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS > $ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD )); then
echo "BAD BUILD: UBSan build of $FUZZER seems to be compiled with ASan."
return 1
fi
if (( $DFSAN_CALLS > $DFSAN_CALLS_THRESHOLD_FOR_NON_DFSAN_BUILD )); then
echo "BAD BUILD: UBSan build of $FUZZER seems to be compiled with DFSan."
return 1
fi
if (( $MSAN_CALLS > $MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD )); then
echo "BAD BUILD: UBSan build of $FUZZER seems to be compiled with MSan."
return 1
fi
if (( $UBSAN_CALLS < $UBSAN_CALLS_THRESHOLD_FOR_UBSAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with UBSan."
return 1
fi
}
# Verify that the given fuzz target is compiled with correct sanitizer.
function check_mixed_sanitizers {
local FUZZER=$1
local result=0
local CALL_INSN=
if [ "${FUZZING_LANGUAGE:-}" = "jvm" ]; then
# Sanitizer runtime is linked into the Jazzer driver, so this check does not
# apply.
return 0
fi
if [ "${FUZZING_LANGUAGE:-}" = "javascript" ]; then
# Jazzer.js currently does not support using sanitizers with native Node.js addons.
# This is not relevant anyways since supporting this will be done by preloading
# the sanitizers in the wrapper script starting Jazzer.js.
return 0
fi
if [ "${FUZZING_LANGUAGE:-}" = "ruby" ]; then
return 0
fi
if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then
# Sanitizer runtime is loaded via LD_PRELOAD, so this check does not apply.
return 0
fi
# luzer-based tests.
# Sanitizer runtime is loaded via LD_PRELOAD, so this check does
# not apply.
egrep luarocks $FUZZER && return 0;
# For fuzztest fuzzers point to the binary instead of launcher script.
if [[ $FUZZER == *"@"* ]]; then
FUZZER=(${FUZZER//@/ }[0])
fi
CALL_INSN=
if [[ $ARCHITECTURE == "x86_64" ]]
then
CALL_INSN="callq?\s+[0-9a-f]+\s+<"
elif [[ $ARCHITECTURE == "i386" ]]
then
CALL_INSN="call\s+[0-9a-f]+\s+<"
elif [[ $ARCHITECTURE == "aarch64" ]]
then
CALL_INSN="bl\s+[0-9a-f]+\s+<"
else
echo "UNSUPPORTED ARCHITECTURE"
exit 1
fi
local ASAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__asan" -c)
local DFSAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__dfsan" -c)
local MSAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__msan" -c)
local UBSAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__ubsan" -c)
if [[ "$SANITIZER" = address ]]; then
check_asan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
elif [[ "$SANITIZER" = dataflow ]]; then
check_dfsan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
elif [[ "$SANITIZER" = memory ]]; then
check_msan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
elif [[ "$SANITIZER" = undefined ]]; then
check_ubsan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
elif [[ "$SANITIZER" = thread ]]; then
# TODO(metzman): Implement this.
result=0
fi
return $result
}
# Verify that the given fuzz target doesn't crash on the seed corpus.
function check_seed_corpus {
local FUZZER=$1
local FUZZER_NAME="$(basename $FUZZER)"
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
if [[ "$FUZZING_ENGINE" != libfuzzer ]]; then
return 0
fi
# Set up common fuzzing arguments, otherwise "run_fuzzer" errors out.
if [ -z "$FUZZER_ARGS" ]; then
export FUZZER_ARGS="-rss_limit_mb=2560 -timeout=25"
fi
bash -c "run_fuzzer $FUZZER_NAME -runs=0" &> $FUZZER_OUTPUT
# Don't output anything if fuzz target hasn't crashed.
if [ $? -ne 0 ]; then
echo "BAD BUILD: $FUZZER has a crashing input in its seed corpus:"
cat $FUZZER_OUTPUT
return 1
fi
return 0
}
function check_architecture {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
if [ "${FUZZING_LANGUAGE:-}" = "jvm" ]; then
# The native dependencies of a JVM project are not packaged, but loaded
# dynamically at runtime and thus cannot be checked here.
return 0;
fi
if [ "${FUZZING_LANGUAGE:-}" = "javascript" ]; then
# Jazzer.js fuzzers are wrapper scripts that start the fuzz target with
# the Jazzer.js CLI.
return 0;
fi
if [ "${FUZZING_LANGUAGE:-}" = "ruby" ]; then
return 0;
fi
if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then
FUZZER=${FUZZER}.pkg
fi
# luzer-based tests.
egrep luarocks $FUZZER && return 0;
# For fuzztest fuzzers point to the binary instead of launcher script.
if [[ $FUZZER == *"@"* ]]; then
FUZZER=(${FUZZER//@/ }[0])
fi
FILE_OUTPUT=$(file $FUZZER)
if [[ $ARCHITECTURE == "x86_64" ]]
then
echo $FILE_OUTPUT | grep "x86-64" > /dev/null
elif [[ $ARCHITECTURE == "i386" ]]
then
echo $FILE_OUTPUT | grep "80386" > /dev/null
elif [[ $ARCHITECTURE == "aarch64" ]]
then
echo $FILE_OUTPUT | grep "aarch64" > /dev/null
else
echo "UNSUPPORTED ARCHITECTURE"
return 1
fi
result=$?
if [[ $result != 0 ]]
then
echo "BAD BUILD $FUZZER is not built for architecture: $ARCHITECTURE"
echo "file command output: $FILE_OUTPUT"
echo "check_mixed_sanitizers test will fail."
fi
return $result
}
function main {
local FUZZER=$1
local AUXILIARY_FUZZER=${2:-}
local checks_failed=0
local result=0
export RUN_FUZZER_MODE="batch"
check_engine $FUZZER
result=$?
checks_failed=$(( $checks_failed + $result ))
check_architecture $FUZZER
result=$?
checks_failed=$(( $checks_failed + $result ))
if [[ "$FUZZING_ENGINE" == centipede \
&& "$SANITIZER" != none && "${HELPER:-}" == True ]]; then
check_mixed_sanitizers $AUXILIARY_FUZZER
else
check_mixed_sanitizers $FUZZER
fi
result=$?
checks_failed=$(( $checks_failed + $result ))
check_startup_crash $FUZZER
result=$?
checks_failed=$(( $checks_failed + $result ))
# TODO: re-enable after introducing bug auto-filing for bad builds.
# check_seed_corpus $FUZZER
return $checks_failed
}
if [ $# -ne 1 -a $# -ne 2 ]; then
echo "Usage: $0 java.lang.Random class in the generated code.java.lang.reflect package in the generated code.| Project Report | Fuzz target count | Code statically reached | Code covered at runtime |
|---|
Select a build to see logs.
Finish Time : [[finish_time]]Loading...
[[log]]