Add American Fuzzy Lop (afl) to third_party/afl/

Exclude the following unneeded files/directories from afl:
  1. src/docs/visualization/
  2. src/docs/vuln_samples/
  3. src/testcases/
  4. third_party/afl/src/experimental/argv_fuzzing/argv-fuzz-inl.h
  5. third_party/afl/src/llvm_mode/afl-llvm-pass.so.cc
  6. third_party/afl/src/hash.h
  7. third_party/afl/experimental/instrumented_cmp/instrumented_cmp.c

Directories 1-3 contain binary files. We will exclude these files once we start
using DEPS by reorganizing afl upstream so that source files are kept in a
src/ directory. The other directories won't be cloned by DEPS.

Files 4-5 contain includes that cause checkdeps to complain when
git cl presubmit is run. Once we start using DEPS this will be handled
through exclude rules in DEPS.

Files 6-7 do not have license headers and fail checklicenses when
git cl presubmit is run. This will be fixed upstream by adding license headers.

DEPS will be used for afl once it gets a repo.

BUG=611337

Review-Url: https://codereview.chromium.org/2075883002
Cr-Commit-Position: refs/heads/master@{#401096}

third_party/afl/BUILD.gn

@@ -0,0 +1,27 @@
+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+source_set("afl_runtime") {
+  # AFL needs this flag to be built with -Werror. This is because it uses u8*
+  # and char* types interchangeably in its source code. The AFL Makefiles use
+  # this flag.
+  cflags = [ "-Wno-pointer-sign" ]
+
+  configs -= [
+    # These functions should not be compiled with sanitizers since they
+    # are used by the sanitizers.
+    "//build/config/sanitizers:default_sanitizer_flags",
+
+    # Every function in this library should have "default" visibility.
+    # Thus we turn off flags which make visibility "hidden" for functions
+    # that do not specify visibility.
+    # The functions in this library will not conflict with others elsewhere
+    # because they begin with a double underscore and/or are static.
+    "//build/config/gcc:symbol_visibility_hidden",
+  ]
+
+  sources = [
+    "src/llvm_mode/afl-llvm-rt.o.c",
+  ]
+}

third_party/afl/OWNERS

@@ -0,0 +1,5 @@
+aizatsky@chromium.org
+inferno@chromium.org
+kcc@chromium.org
+mmoroz@chromium.org
+ochang@chromium.org

third_party/afl/README.chromium

@@ -0,0 +1,23 @@
+Name: American Fuzzy Lop
+Short Name: afl
+URL: http://lcamtuf.coredump.cx/afl/
+Version: 2.14b
+Date: June 16th, 2016
+License: Apache 2.0
+License File: src/docs/COPYING
+Security Critical: no
+
+Description:
+Tool for in-process and out-of-process (fork) coverage-guided fuzz testing
+(fuzzing). Similar to libFuzzer.
+
+Local Modifications:
+Renamed afl-2.14b/ to src/.
+Removed the following unneeded files/directories:
+  1. src/docs/visualization/
+  2. src/docs/vuln_samples/
+  3. src/testcases/
+  4. third_party/afl/src/experimental/argv_fuzzing/argv-fuzz-inl.h
+  5. third_party/afl/src/llvm_mode/afl-llvm-pass.so.cc
+  6. third_party/afl/src/hash.h
+  7. third_party/afl/experimental/instrumented_cmp/instrumented_cmp.c

third_party/afl/src/Makefile

@@ -0,0 +1,146 @@
+#
+# american fuzzy lop - makefile
+# -----------------------------
+#
+# Written and maintained by Michal Zalewski <lcamtuf@google.com>
+# 
+# Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+PROGNAME    = afl
+VERSION     = 2.14b
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+DOC_PATH    = $(PREFIX)/share/doc/afl
+MISC_PATH   = $(PREFIX)/share/afl
+
+# PROGS intentionally omit afl-as, which gets installed to its own dir.
+
+PROGS       = afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze
+SH_PROGS    = afl-plot afl-cmin afl-whatsup
+
+CFLAGS     ?= -O3 -funroll-loops
+CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
+	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
+	      -DBIN_PATH=\"$(BIN_PATH)\" -DVERSION=\"$(VERSION)\"
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+  LDFLAGS  += -ldl
+endif
+
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+  TEST_CC   = afl-gcc
+else
+  TEST_CC   = afl-clang
+endif
+
+COMM_HDR    = alloc-inl.h config.h debug.h types.h
+
+all: test_x86 $(PROGS) afl-as test_build all_done
+
+ifndef AFL_NO_X86
+
+test_x86:
+	@echo "[*] Checking for the ability to compile x86 code..."
+	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
+	@rm -f .test
+	@echo "[+] Everything seems to be working, ready to compile."
+
+else
+
+test_x86:
+	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
+
+endif
+
+afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
+
+afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) 
+	ln -sf afl-as as
+
+afl-fuzz: afl-fuzz.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+afl-tmin: afl-tmin.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+afl-analyze: afl-analyze.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+afl-gotcpu: afl-gotcpu.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+ifndef AFL_NO_X86
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
+	echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
+	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+else
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
+
+endif
+
+all_done: test_build
+	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
+	@echo "[+] All done! Be sure to review README - it's pretty short and useful."
+	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
+	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
+
+.NOTPARALLEL: clean
+
+clean:
+	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
+	rm -rf out_dir qemu_mode/qemu-2.3.0
+	$(MAKE) -C llvm_mode clean
+
+install: all
+	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
+	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
+	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+	if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
+	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
+	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
+	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
+	install -m 644 docs/README docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
+	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
+
+publish: clean
+	test "`basename $$PWD`" = "afl" || exit 1
+	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in Makefile, mmkay?"; echo; exit 1; fi
+	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
+	  tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
+	chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
+	( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
+	cat docs/README >~/www/afl/README.txt
+	cat docs/status_screen.txt >~/www/afl/status_screen.txt
+	cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
+	cat docs/technical_details.txt >~/www/afl/technical_details.txt
+	cat docs/ChangeLog >~/www/afl/ChangeLog.txt
+	cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
+	echo -n "$(VERSION)" >~/www/afl/version.txt

third_party/afl/src/QuickStartGuide.txt

@@ -0,0 +1 @@
+docs/QuickStartGuide.txt

third_party/afl/src/README

@@ -0,0 +1 @@
+docs/README