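#!/bin/sh
#
# This file builds multiple variants of the fuzzers
# - different sanitizers
# - different build options
# - reproduce build, for running through valgrind
#
# Set environment variable CLANGSUFFIX to select clang version (example: "-11")
#
# Each variant is configured and built in ./build-<variant>, relative to the
# working directory the script is started from. A variant whose build directory
# already exists is skipped, so remove the directory to force a rebuild.
# Every variant is a fuzzing build (FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is
# defined for all of them) and must never be shipped as a release artefact.

# fail on error
set -e

# Do not inherit compiler or flag selection from the caller's environment: the
# compiler is chosen below via CLANGSUFFIX and the flags are set per variant.
unset CXX CC CFLAGS CXXFLAGS LDFLAGS

# script name, kept for diagnostics
me=$(basename -- "$0")

if [ -z "${CLANGSUFFIX:-}" ] ; then
  # the default clang version is set low enough to be found on current Debian stable (Buster)
  CLANGSUFFIX=-8
fi

# detect unset variables
set -u

if ! command -v "clang++$CLANGSUFFIX" >/dev/null 2>&1 ; then
  echo "could not find clang++$CLANGSUFFIX" >&2
  exit 1
fi

# find out how to build fuzzer. On amd64 and arm64, libFuzzer is built with the compiler and activated
# with -fsanitize=fuzzer at link time. On power, libFuzzer is shipped separately.
#
# The probe is compiled in a private temporary directory so that it never
# clobbers (or executes) a testfuzzer/testfuzzer.cpp that already exists in the
# working tree; the directory is removed on every exit path.
probe_dir=$(mktemp -d)
trap 'rm -rf -- "$probe_dir"' EXIT
testfuzzer=$probe_dir/testfuzzer.cpp
probe_bin=$probe_dir/testfuzzer
# printf instead of "echo -e": echo's escape handling is not portable under /bin/sh
printf '%s\n' \
  '#include <cstddef>' \
  '#include <cstdint>' \
  'extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {return 0;}' \
  >"$testfuzzer"
if "clang++$CLANGSUFFIX" -o "$probe_bin" "$testfuzzer" -fsanitize=fuzzer && "$probe_bin" -runs=1 >/dev/null 2>&1 ; then
  echo "will use -fsanitize=fuzzer to link libFuzzer"
  SIMDJSON_FUZZ_LDFLAGS="-fsanitize=fuzzer"
elif "clang++$CLANGSUFFIX" -o "$probe_bin" "$testfuzzer" -fsanitize=fuzzer-no-link -lFuzzer && "$probe_bin" -runs=1 >/dev/null 2>&1 ; then
  echo "will use -lFuzzer to link libFuzzer"
  SIMDJSON_FUZZ_LDFLAGS="-lFuzzer"
else
  echo "could not link to the fuzzer with -fsanitize=fuzzer or -lFuzzer" >&2
  exit 1
fi
# the probe is no longer needed; :? guards against an empty path reaching rm -rf
rm -rf -- "${probe_dir:?}"
trap - EXIT

# common options
# FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is the libFuzzer convention that
# tells the code under test it is being fuzzed, so it may disable checks that
# would otherwise hide bugs from the fuzzer. Binaries built with it are not
# fit for production use.
CXX_CLAGS_COMMON=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
COMMON="-GNinja -DCMAKE_CXX_COMPILER=clang++$CLANGSUFFIX -DCMAKE_C_COMPILER=clang$CLANGSUFFIX -DSIMDJSON_DEVELOPER_MODE=ON -DBUILD_SHARED_LIBS=ON -DSIMDJSON_ENABLE_FUZZING=On -DSIMDJSON_COMPETITION=OFF -DSIMDJSON_GOOGLE_BENCHMARKS=OFF -DSIMDJSON_DISABLE_DEPRECATED_API=On -DSIMDJSON_FUZZ_LDFLAGS=$SIMDJSON_FUZZ_LDFLAGS"

#######################################
# Configure and build one fuzzer variant in ./build-<variant>. If that
# directory already exists the variant is assumed to be built and is skipped.
# Globals:   COMMON (read), variant (written; holds the last variant built)
# Arguments: $1 - variant name; every further argument is passed to cmake
#            verbatim after the common options
# Outputs:   cmake/ninja output on stdout/stderr
# Returns:   0 on success; a failing cmake or ninja aborts the script (set -e)
#######################################
build_variant() {
  variant=$1
  shift
  if [ ! -d "build-$variant" ] ; then
    mkdir "build-$variant"
    cd "build-$variant"
    # $COMMON is deliberately unquoted: it is a space-separated list of
    # cmake options whose values contain no whitespace.
    # shellcheck disable=SC2086
    cmake .. $COMMON "$@"
    ninja all_fuzzers
    cd ..
  fi
}

# A replay build, as plain as it gets. For use with valgrind/gdb.
build_variant replay \
  -DCMAKE_BUILD_TYPE=Debug \
  -DSIMDJSON_FUZZ_LINKMAIN=On

# A fuzzer with sanitizers. For improved capability to find bugs.
# About the optimization level: (measured for fuzz_atpointer)
# -O0 gives 4000 executions/s
# -O1 gives 20000 executions/s
# -O2 gives 32000 executions/s
# -O3 gives 32000 executions/s
# for reference, the release build (without sanitizers, but with fuzzing instrumentation)
# gives 80000 executions/s.
# A low level is good for debugging. A higher level gets more work done.
# Different levels may uncover different types of bugs, see this interesting
# thread: https://github.com/google/oss-fuzz/issues/2295#issuecomment-481493392
# Oss-fuzz uses -O1 so it may be relevant to use something else than that,
# to do something oss-fuzz doesn't.
#
# -fno-sanitize-recover=undefined makes UBSan abort on the first report instead
# of logging and continuing, so the fuzzer records undefined behaviour as a
# crash with a reproducer rather than burying it in the log.
build_variant sanitizers-O3 \
  -DCMAKE_CXX_FLAGS="-O3 -fsanitize=fuzzer-no-link,address,undefined -fno-sanitize-recover=undefined $CXX_CLAGS_COMMON" \
  -DCMAKE_C_FLAGS="-O3 -fsanitize=fuzzer-no-link,address,undefined -fno-sanitize-recover=undefined" \
  -DCMAKE_BUILD_TYPE=Debug \
  -DSIMDJSON_FUZZ_LINKMAIN=Off

build_variant sanitizers-O0 \
  -DCMAKE_CXX_FLAGS="-O0 -fsanitize=fuzzer-no-link,address,undefined -fno-sanitize-recover=undefined $CXX_CLAGS_COMMON" \
  -DCMAKE_C_FLAGS="-O0 -fsanitize=fuzzer-no-link,address,undefined -fno-sanitize-recover=undefined" \
  -DCMAKE_BUILD_TYPE=Debug \
  -DSIMDJSON_FUZZ_LINKMAIN=Off

# A fast fuzzer, for fast exploration rather than finding bugs.
build_variant fast \
  -DCMAKE_CXX_FLAGS="-fsanitize=fuzzer-no-link $CXX_CLAGS_COMMON" \
  -DCMAKE_C_FLAGS="-fsanitize=fuzzer-no-link" \
  -DCMAKE_BUILD_TYPE=Release \
  -DSIMDJSON_FUZZ_LINKMAIN=Off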