authorGravatar robertswiecki <robert@swiecki.net>2017-06-02 02:55:01 +0200
committerGravatar Oliver Chang <oliverchang@users.noreply.github.com>2017-06-01 17:55:01 -0700
commit268d8052a28a8f165a675d1f46513feb5795fcee (patch)
treeab45ac8e1c7d87304406653c0158bd813dfc2658
parent5401205191e850ce8c3b3a2db2c4b24287382718 (diff)
Support honggfuzz as a FUZZING_ENGINE (#636)
-rw-r--r--docs/faq.md3
-rw-r--r--infra/base-images/base-builder/Dockerfile10
-rwxr-xr-xinfra/base-images/base-builder/compile_honggfuzz34
-rw-r--r--infra/base-images/base-runner/Dockerfile2
-rwxr-xr-xinfra/base-images/base-runner/run_fuzzer16
-rwxr-xr-xinfra/base-images/base-runner/test_all10
-rwxr-xr-xinfra/base-images/base-runner/test_report11
-rwxr-xr-xinfra/gcb/build.py6
-rwxr-xr-xinfra/helper.py2
9 files changed, 83 insertions, 11 deletions
diff --git a/docs/faq.md b/docs/faq.md
index 9075b39b..866a07b3 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -88,3 +88,6 @@ In either case, look at the [coverage reports](clusterfuzz.md#coverage-reports)
## Does OSS-Fuzz support AFL?
OSS-Fuzz *uses* [AFL](http://lcamtuf.coredump.cx/afl/) as one of its [fuzzing engines](glossary.md#fuzzing-engine) but this is an implementation detail. Just follow the [ideal integration guide](ideal_integration.md) and OSS-Fuzz will use all its fuzzing engines on your code.
+
+## Does OSS-Fuzz support Honggfuzz?
+Analogically to [AFL](#does-oss-fuzz-support-afl).
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 40c1388e..cda382fe 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -16,7 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-clang
MAINTAINER mike.aizatsky@gmail.com
-RUN apt-get install -y git subversion jq python3 zip make
+RUN apt-get install -y git subversion jq python3 zip make libunwind8-dev binutils-dev libblocksruntime-dev
# Default build flags for various sanitizers.
ENV SANITIZER_FLAGS_address "-fsanitize=address -fsanitize-address-use-after-scope"
@@ -47,7 +47,13 @@ RUN mkdir afl && \
tar -xzv --strip-components=1 -f $SRC/afl-latest.tgz && \
rm -rf $SRC/afl-latest.tgz
-COPY compile compile_afl compile_libfuzzer coverage_report srcmap /usr/local/bin/
+ADD https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz $SRC/
+RUN mkdir honggfuzz && \
+ cd honggfuzz && \
+ tar -xzv --strip-components=1 -f $SRC/oss-fuzz.tar.gz && \
+ rm -rf $SRC/oss-fuzz.tar.gz
+
+COPY compile compile_afl compile_libfuzzer compile_honggfuzz coverage_report srcmap /usr/local/bin/
CMD ["compile"]
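Review bot: `ADD https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz $SRC/` fetches whatever currently sits on a mutable branch, with no commit pin and no checksum, so the builder image is not reproducible and trusts the branch's future contents at every rebuild. That matters more than usual here because compile_honggfuzz in this same commit promotes this tree's `hfuzz-clang`/`hfuzz-clang++` to the CC/CXX used for every project build. The neighbouring AFL step (`afl-latest.tgz`, context above) has the same property, so this is an existing pattern rather than a regression, but pinning the archive to a specific commit tarball and verifying it before extraction, e.g. `echo "<sha256>  $SRC/oss-fuzz.tar.gz" | sha256sum -c -` ahead of the `tar`, would close it for the new engine.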
diff --git a/infra/base-images/base-builder/compile_honggfuzz b/infra/base-images/base-builder/compile_honggfuzz
new file mode 100755
index 00000000..1e86910b
--- /dev/null
+++ b/infra/base-images/base-builder/compile_honggfuzz
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo -n "Compiling honggfuzz to $LIB_FUZZING_ENGINE ..."
+
+pushd $SRC/honggfuzz > /dev/null
+make clean
+CC=clang CFLAGS= make
+# libhfuzz.a willl be added by CC/CXX linker directly during linking,
+# but its defined here to satisfy the build infrastructure
+cp libhfuzz/libhfuzz.a $LIB_FUZZING_ENGINE
+cp honggfuzz $OUT/
+popd > /dev/null
+
+# Relevant coverage flags are added by the compiler/linker
+export COVERAGE_FLAGS=
+export CC=$SRC/honggfuzz/hfuzz_cc/hfuzz-clang
+export CXX=$SRC/honggfuzz/hfuzz_cc/hfuzz-clang++
+
+echo " done."
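Review bot: The script's only lasting effect is the `export CC=…`/`export CXX=…` pair at the bottom, which can only reach the project build if this file is sourced rather than executed; a one-line header such as `# Must be sourced by 'compile': sets CC/CXX to the hfuzz wrappers for the project build.` would make that contract explicit, and it is worth noting that `-eu` on the shebang line has no effect when the file is sourced. The expansions in `pushd $SRC/honggfuzz`, `cp libhfuzz/libhfuzz.a $LIB_FUZZING_ENGINE` and `cp honggfuzz $OUT/` are unquoted; `"$SRC/honggfuzz"`, `"$LIB_FUZZING_ENGINE"` and `"$OUT/"` avoid surprises if those paths ever contain whitespace. `CFLAGS=` clears only CFLAGS, so sanitizer flags exported by the caller through `CXXFLAGS` or `LDFLAGS` would still be visible to this `make`; whether honggfuzz's Makefile honours them is not visible here.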
diff --git a/infra/base-images/base-runner/Dockerfile b/infra/base-images/base-runner/Dockerfile
index 018ff274..61eca8dc 100644
--- a/infra/base-images/base-runner/Dockerfile
+++ b/infra/base-images/base-runner/Dockerfile
@@ -16,7 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-image
MAINTAINER mike.aizatsky@gmail.com
-RUN apt-get install -y zip file
+RUN apt-get install -y zip file libunwind8 binutils libblocksruntime0
COPY llvm-symbolizer reproduce run_fuzzer test_all test_report \
/usr/local/bin/
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index f4c0befd..ea80d2cc 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
@@ -45,6 +45,22 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then
# AFL expects at least 1 file in the input dir.
echo input > /tmp/input/input
CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i /tmp/input -o /tmp/afl_output $@ $OUT/$FUZZER"
+elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
+ if [ -z "$CORPUS" ]; then
+ CORPUS=/tmp/input
+ fi
+ # Honggfuzz expects at least 1 file in the input dir.
+ echo input > $CORPUS/input
+ rm -rf /tmp/honggfuzz_workdir && mkdir /tmp/honggfuzz_workdir
+ # --exit_upon_crash: exit whith a first crash seen
+ # -R (report): save report file to this location
+ # -W (working dir): where the crashes and the report file go
+ # -v (verbose): don't use VTE UI, just stderr
+ # -z: use software-instrumentation of clang (trace-pc-guard....)
+ # -P: use persistent mode of fuzzing (i.e. LLVMFuzzerTestOneInput)
+ # -f: location of the initial (and destination) file corpus
+ # -n: number of fuzzing threads (and processes)
+ CMD_LINE="$OUT/honggfuzz -n 1 --exit_upon_crash -R /tmp/HONGGFUZZ.REPORT.TXT -W /tmp/honggfuzz_workdir -v -z -P -f \"$CORPUS\" $@ -- \"$OUT/$FUZZER\""
else
CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS"
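Review bot: `echo input > $CORPUS/input` writes a seed file into whatever directory the caller passed as CORPUS, whereas the AFL branch above only seeds its private `/tmp/input`; combined with `-f \"$CORPUS\"`, which the hunk's own comment describes as the initial *and destination* corpus, honggfuzz will also write generated inputs back into the caller's corpus directory. If CORPUS is a real project corpus this leaves a stray `input` file and mutates the directory in place; seeding only when it is empty, `if [[ -z "$(ls -A "$CORPUS")" ]]; then echo input > "$CORPUS/input"; fi`, or pointing `-f` at a scratch copy would avoid that. Whether `/tmp/input` already exists when CORPUS is empty depends on code above the hunk (the AFL branch writes into it without a mkdir here, so presumably it does). `/tmp/honggfuzz_workdir` and `/tmp/HONGGFUZZ.REPORT.TXT` are fixed, predictable names in /tmp, consistent with the existing `/tmp/afl_output` convention; acceptable inside a single-tenant container, but `mktemp -d` would be the safer choice if this ever runs on a shared host.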
diff --git a/infra/base-images/base-runner/test_all b/infra/base-images/base-runner/test_all
index b7285e61..2a6473d2 100755
--- a/infra/base-images/base-runner/test_all
+++ b/infra/base-images/base-runner/test_all
@@ -24,12 +24,18 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do
fi
FUZZER=$(basename $FUZZER_BINARY)
- if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then
+ if [[ "$FUZZER" == afl-* ]]; then
+ continue
+ fi
+ if [[ "$FUZZER" == honggfuzz ]]; then
continue
fi
echo "testing $FUZZER"
- if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
+
+ if [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
+ timeout --preserve-status -s INT 20s run_fuzzer $FUZZER
+ elif [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
run_fuzzer $FUZZER -max_total_time=20
else
export AFL_NO_UI=1
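Review bot: `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER` returns run_fuzzer's own status when the 20s elapse, so unless run_fuzzer or honggfuzz traps SIGINT and exits 0 the normal timeout path yields 130 (128+SIGINT), and if test_all runs under `set -e` (its header is outside the hunk) a healthy fuzzer run would abort the loop as a failure. The libFuzzer branch gets a clean 0 from `-max_total_time=20`, so the two engines are not judged on equal terms. Capturing the status explicitly and accepting the time-limit outcome, `rv=0; timeout -s INT 20s run_fuzzer $FUZZER || rv=$?` followed by `[[ $rv -eq 0 || $rv -eq 124 ]] || exit 1`, keeps genuine crashes (non-zero before the deadline) distinguishable from the deadline itself. Whether SIGINT reaches the honggfuzz child and its target depends on run_fuzzer exec'ing the command, which is not visible here.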
diff --git a/infra/base-images/base-runner/test_report b/infra/base-images/base-runner/test_report
index 62365dab..3c0988bb 100755
--- a/infra/base-images/base-runner/test_report
+++ b/infra/base-images/base-runner/test_report
@@ -26,9 +26,10 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do
if file "$FUZZER_BINARY" | grep -v ELF > /dev/null 2>&1; then
continue
fi
-
- FUZZER=$(basename $FUZZER_BINARY)
- if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then
+ if [[ "$FUZZER" == afl-* ]]; then
+ continue
+ fi
+ if [[ "$FUZZER" == honggfuzz ]]; then
continue
fi
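Review bot: `$FUZZER` is read by the new `[[ "$FUZZER" == afl-* ]]` and `[[ "$FUZZER" == honggfuzz ]]` checks, and by the later `run_fuzzer $FUZZER`, but its assignment `FUZZER=$(basename $FUZZER_BINARY)` is removed in this hunk and not re-added; unless an assignment exists above line 26 outside the hunk, every iteration now sees an empty (or, under `set -u`, undefined) FUZZER, the engine-binary skips never fire, and run_fuzzer is invoked without a target. The parallel test_all hunk keeps its `FUZZER=$(basename $FUZZER_BINARY)` line, so this looks like an accidental deletion rather than a deliberate move. Restoring `FUZZER=$(basename "$FUZZER_BINARY")` immediately before the first `[[` check fixes it; the enclosing `for` loop starts outside the hunk.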
@@ -37,7 +38,9 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do
# run fuzzer.
FUZZER_STDOUT=$(tempfile)
- if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
+ if [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
+ timeout --preserve-status -s INT 20s run_fuzzer $FUZZER 2>&1 |& tee $FUZZER_STDOUT
+ elif [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
run_fuzzer $FUZZER -max_total_time=20 |& tee $FUZZER_STDOUT
else
export AFL_NO_UI=1
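Review bot: `2>&1 |& tee` doubles up: `|&` is already shorthand for `2>&1 |`, so the honggfuzz line should read `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER |& tee $FUZZER_STDOUT`, matching the libFuzzer line directly below it. Note also that without `set -o pipefail` the status of this pipeline is tee's, so the `--preserve-status` outcome (likely 130 on SIGINT) is discarded here even though it is the visible status of the same command in test_all; if the report logic depends on the exit code, the two scripts disagree. The handling of `$FUZZER_STDOUT` after the hunk is outside this view.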
diff --git a/infra/gcb/build.py b/infra/gcb/build.py
index 78e41930..b3a6a135 100755
--- a/infra/gcb/build.py
+++ b/infra/gcb/build.py
@@ -27,6 +27,7 @@ CONFIGURATIONS = {
'sanitizer-coverage' : [ 'SANITIZER=coverage' ],
'engine-libfuzzer' : [ 'FUZZING_ENGINE=libfuzzer' ],
'engine-afl' : [ 'FUZZING_ENGINE=afl' ],
+ 'engine-honggfuzz' : [ 'FUZZING_ENGINE=honggfuzz' ],
}
EngineInfo = collections.namedtuple(
@@ -39,9 +40,12 @@ ENGINE_INFO = {
'afl': EngineInfo(
upload_bucket='clusterfuzz-builds-afl',
supported_sanitizers=['address']),
+ 'honggfuzz': EngineInfo(
+ upload_bucket='clusterfuzz-builds-honggfuzz',
+ supported_sanitizers=['address', 'memory', 'undefined']),
}
-DEFAULT_ENGINES = ['libfuzzer', 'afl']
+DEFAULT_ENGINES = ['libfuzzer', 'afl', 'honggfuzz']
DEFAULT_SANITIZERS = ['address', 'undefined']
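Review bot: `supported_sanitizers=['address', 'memory', 'undefined']` advertises MemorySanitizer for honggfuzz, but compile_honggfuzz in this same commit builds `libhfuzz.a` with `CFLAGS=` (no sanitizer flags) and that archive is linked into every fuzz target; MSan requires every linked object to be instrumented, so uninstrumented libhfuzz code is a likely source of false positives under `SANITIZER=memory`. Unless honggfuzz's own build accounts for this, starting from `supported_sanitizers=['address', 'undefined']` (mirroring DEFAULT_SANITIZERS) and adding 'memory' once an MSan build has been verified is the safer default. Adding 'honggfuzz' to DEFAULT_ENGINES in the same commit also means every project build now passes through the new engine, so a broken honggfuzz build becomes a failure across the whole project set rather than an opt-in.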
diff --git a/infra/helper.py b/infra/helper.py
index e8e0c221..25aa12e3 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -174,7 +174,7 @@ def _get_command_string(command):
def _add_engine_args(parser):
"""Add common engine args."""
parser.add_argument('--engine', default='libfuzzer',
- choices=['libfuzzer', 'afl'])
+ choices=['libfuzzer', 'afl', 'honggfuzz'])
def _add_sanitizer_args(parser):