1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
FUZZERS=$(patsubst jigs/%.cpp,%,$(wildcard jigs/*.cpp))
AFL_SAN_FLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined
CLANG_SAN_FLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined
#CLANG_SAN_FLAGS=-fsanitize=address
CLANG_COV_FLAGS=-fsanitize-coverage=edge,indirect-calls,8bit-counters
SHARED_FLAGS=-O3 -g -std=c++11 -pthread
CFG_FLAGS=--with-debug-info --unsafe-fuzzer-mode
LIBFUZZER_FLAGS=-Illvm-build/build/include $(SHARED_FLAGS) $(CLANG_COV_FLAGS) $(CLANG_SAN_FLAGS)
AFL_FLAGS=-Iafl-build/build/include $(SHARED_FLAGS) -DINCLUDE_AFL_MAIN
LIBFUZZER_LIBS=llvm-build/libbotan-2.a libFuzzer.a
AFL_LIBS=afl-build/libbotan-2.a
#AFL_CXX=AFL_USE_ASAN=1 afl-g++ -m32
AFL_CXX=afl-g++
AFL_CXX_TYPE=gcc
CLANG_CXX=clang++
LIBFUZZER_PROGS=$(patsubst %,bin/llvm_fuzz_%,$(FUZZERS))
AFL_PROGS=$(patsubst %,bin/afl_fuzz_%,$(FUZZERS))
all:
@echo "make afl for AFL, llvm for libFuzzer"
afl: dirs afl-build $(AFL_PROGS)
llvm: dirs llvm-build $(LIBFUZZER_PROGS)
bin/llvm_fuzz_%: jigs/%.cpp $(LIBFUZZER_LIBS)
$(CLANG_CXX) $(LIBFUZZER_FLAGS) $< $(LIBFUZZER_LIBS) -o $@
bin/afl_fuzz_%: jigs/%.cpp $(AFL_LIBS)
$(AFL_CXX) $(AFL_FLAGS) $< $(AFL_LIBS) -o $@
dirs:
mkdir -p bin
mkdir -p output
mkdir -p corpus
afl-build:
../../../configure.py $(CFG_FLAGS) --with-build-dir=afl-build --cc=$(AFL_CXX_TYPE) --cc-bin=$(AFL_CXX)
make -j2 -f afl-build/Makefile afl-build/libbotan-2.a
llvm-build:
../../../configure.py $(CFG_FLAGS) --with-build-dir=llvm-build --cc=clang --cc-bin=$(CLANG_CXX) --cc-abi-flags="$(CLANG_COV_FLAGS) $(CLANG_SAN_FLAGS)"
make -j2 -f llvm-build/Makefile llvm-build/libbotan-2.a
# libFuzzer default is max_len 64 this sets 140 but allows override via args=
run_llvm_%: bin/llvm_fuzz_%
$(eval FUZZER = $(subst bin/llvm_fuzz_,,$<))
mkdir -p output/$(FUZZER)/llvm/queue
mkdir -p output/$(FUZZER)/llvm/outputs
$< -max_len=140 -artifact_prefix=output/$(FUZZER)/llvm/outputs/ output/$(FUZZER)/llvm/queue corpus/$(FUZZER) $(args)
run_afl_%: bin/afl_fuzz_%
$(eval FUZZER = $(subst bin/afl_fuzz_,,$<))
mkdir -p output/$(FUZZER)/afl
afl-fuzz $(args) -o output/$(FUZZER)/afl -i corpus/$(FUZZER) $<
cmin_%: bin/afl_fuzz_%
$(eval FUZZER = $(subst bin/afl_fuzz_,,$<))
rm -rf cmin-dir
mv corpus/$(FUZZER) cmin-dir
-cp -n output/$(FUZZER)/afl/queue/* cmin-dir
-cp -n output/$(FUZZER)/llvm/queue/* cmin-dir
afl-cmin -i cmin-dir -o corpus/$(FUZZER) $<
rm -rf cmin-dir
clean:
rm -f $(LIBFUZZER_PROGS) $(AFL_PROGS)
clean_builds: clean
rm -rf afl-build llvm-build
libFuzzer:
svn co http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer libFuzzer
libFuzzer.a: libFuzzer
cd libFuzzer && clang -c -g -O2 -std=c++11 *.cpp
ar cr libFuzzer.a libFuzzer/*.o
update:
svn co http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer libFuzzer
|