Fuzzing: Integrate ClusterFuzzLite

kateinoigakukun · kateinoigakukun · commit 73cf2a4f0300 · 2024-10-22T05:48:59.000Z
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,9 @@
+FROM gcr.io/oss-fuzz-base/base-builder-swift:v1
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+ENV SWIFT_PREFIX=/opt/swift
+RUN mkdir -p "$SWIFT_PREFIX" && \
+  curl -L https://download.swift.org/swift-6.0.1-release/ubuntu2004/swift-6.0.1-RELEASE/swift-6.0.1-RELEASE-ubuntu20.04.tar.gz | tar xz -C "$SWIFT_PREFIX" --strip-component 1
+ENV PATH="$SWIFT_PREFIX/usr/bin:$PATH"
+COPY . $SRC/wasmkit
+WORKDIR $SRC/wasmkit
+COPY .clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
@@ -0,0 +1,7 @@
+#!/bin/bash -eu
+
+cd FuzzTesting
+./fuzz.py --verbose build --sanitizer="$SANITIZER" FuzzTranslator
+
+find .build/debug/ -maxdepth 1 -type f -name "Fuzz*" -executable -exec cp {} "$OUT/" \;
+
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
@@ -0,0 +1 @@
+language: swift
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
@@ -0,0 +1,50 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - '**'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+        # Override this with the sanitizers you want.
+        # - undefined
+        # - memory
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: c++ # Change this to the language you are fuzzing.
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+        # Optional but recommended: used to only run fuzzers that are affected
+        # by the PR.
+        # See later section on "Git repo for storage".
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 600
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true
+        # Optional but recommended: used to download the corpus produced by
+        # batch fuzzing.
+        # See later section on "Git repo for storage".
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+
diff --git a/FuzzTesting/Package.swift b/FuzzTesting/Package.swift
@@ -44,10 +44,3 @@ let package = Package(
         .target(name: "WasmCAPI"),
     ]
 )
-
-let libFuzzerTargets = ["FuzzTranslator", "FuzzExecute"]
-
-for target in package.targets {
-    guard libFuzzerTargets.contains(target.name) else { continue }
-    target.swiftSettings = [.unsafeFlags(["-Xfrontend", "-sanitize=fuzzer,address"])]
-}
diff --git a/FuzzTesting/fuzz.py b/FuzzTesting/fuzz.py
@@ -46,6 +46,8 @@ def main():
     build_parser = subparsers.add_parser('build', help='Build the fuzzer')
     build_parser.add_argument(
         'target_name', type=str, help='Name of the target', choices=available_targets)
+    build_parser.add_argument(
+        '--sanitizer', type=str, default='address')
     build_parser.set_defaults(func=build)
 
     run_parser = subparsers.add_parser('run', help='Run the fuzzer')
@@ -96,18 +98,35 @@ def executable_path(target_name: str) -> str:
 def build(args, runner: CommandRunner):
     print(f'Building fuzzer for {args.target_name}')
 
-    runner.run([
-        'swift', 'build', '--product', args.target_name
-    ], check=True)
+    driver_flags = []
+    if args.sanitizer == 'coverage':
+        driver_flags += [
+            '-profile-generate', '-profile-coverage-mapping',
+            '-sanitize=fuzzer'
+        ]
+    else:
+        driver_flags += [f'-sanitize=fuzzer,{args.sanitizer}']
+
+    build_args = [
+        'swift', 'build', '--product', args.target_name,
+    ]
+    for driver_flag in driver_flags:
+        build_args += ['-Xswiftc', driver_flag]
+
+    runner.run(build_args, check=True)
 
     print('Building fuzzer executable')
     # See "Discussion" in Package.swift for why we need to manually link
     # the library product.
     output = executable_path(args.target_name)
-    runner.run([
+    link_args = [
         'swiftc', f'./.build/debug/lib{args.target_name}.a', '-g',
-        '-sanitize=fuzzer,address', '-o', output
-    ], check=True)
+        # Link Swift runtime statically to allow copying fuzzers to other
+        # machines (oss-fuzz does this)
+        '-static-stdlib',
+    ]
+    link_args += driver_flags
+    runner.run(link_args, check=True)
 
     print('Fuzzer built successfully: ', output)
 

Original file line number	Diff line number	Diff line change
`@@ -44,10 +44,3 @@ let package = Package(`
`44`	`44`	`.target(name: "WasmCAPI"),`
`45`	`45`	`]`
`46`	`46`	`)`
`47`		`-`
`48`		`-let libFuzzerTargets = ["FuzzTranslator", "FuzzExecute"]`
`49`		`-`
`50`		`-for target in package.targets {`
`51`		`- guard libFuzzerTargets.contains(target.name) else { continue }`
`52`		`- target.swiftSettings = [.unsafeFlags(["-Xfrontend", "-sanitize=fuzzer,address"])]`
`53`		`-}`