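#!/usr/bin/env bash
# Build script for the LLVM instruction-selection fuzzing setup. In order it:
#   1. fetches a prebuilt clang+llvm 14 into $HOME to use as the host compiler,
#   2. builds AFL++ (so afl-clang-fast/afl-clang-fast++ exist),
#   3. builds llvm-project three ways: `build-afl` (AFL-instrumented target),
#      `build-release` (dependency of the mutator) and `build-debug`
#      (skipped inside Docker),
#   4. builds the fuzzing driver (llvm-isel-afl) and the custom IR mutator.
#
# Layout expected next to this file: `AFLplusplus`, `llvm-project`,
# `llvm-isel-afl`, `mutator` (the first two are git submodules).
# Environment knobs:
#   CLANG_LLVM_SHA256  optional SHA-256 of the clang+llvm tarball; when set the
#                      download is verified against it (see below).
#
# Quit on any error, on use of an unset variable, and on a failed pipeline
# stage. NOTE: `set -e` does not fire for a failing command inside an
# `a && b` list (only for the last one), so every configure/build step below
# is its own statement rather than `cmake .. && ninja`.
set -euo pipefail
###### For dockers
#
# apt install ninja-build python3-dev cmake clang git wget ccache -y
#
# In case you need more updated cmake:
# https://askubuntu.com/questions/355565/how-do-i-install-the-latest-version-of-cmake-from-the-command-line
# This is just to make sure we use correct cmake and ninja.
# cmake() { /group/xrlabs/tools/x86_64_Ubuntu18/bin/cmake "$@"; }
# ninja() { /group/xrlabs/tools/x86_64_Ubuntu18/bin/ninja "$@"; }
# Path to the directory holding this script. Resolved from the script's own
# location rather than `pwd`, so it is correct whether the script is executed
# or sourced from another directory.
FUZZING_HOME=$(cd "$(dirname "${BASH_SOURCE[0]:-$0}")" && pwd)
export FUZZING_HOME
# The LLVM checkout to fuzz and the AFL++ checkout, both relative to FUZZING_HOME.
export LLVM=llvm-project
export AFL=AFLplusplus
###### Install llvm (prebuilt host toolchain, only on first run)
if [[ ! -d "$HOME/clang+llvm" ]]; then
  cd "$HOME"
  CLANG_LLVM=clang+llvm-14.0.0-x86_64-linux-gnu-ubuntu-18.04
  wget "https://github.com/llvm/llvm-project/releases/download/llvmorg-14.0.0/$CLANG_LLVM.tar.xz"
  # Supply-chain check: this archive becomes the compiler for everything built
  # below, so its integrity should be pinned. Set CLANG_LLVM_SHA256 to the
  # published digest of the llvmorg-14.0.0 asset (or verify the detached .sig
  # that ships next to it) to make the check mandatory; until it is pinned we
  # only warn. TODO(review): pin the digest in this file.
  if [[ -n "${CLANG_LLVM_SHA256:-}" ]]; then
    printf '%s  %s\n' "$CLANG_LLVM_SHA256" "$CLANG_LLVM.tar.xz" | sha256sum -c -
  else
    printf 'WARNING: CLANG_LLVM_SHA256 not set; %s was downloaded but not verified\n' \
      "$CLANG_LLVM.tar.xz" >&2
  fi
  tar -xvf "$CLANG_LLVM.tar.xz"
  rm -- "$CLANG_LLVM.tar.xz"
  mv -- "$CLANG_LLVM" clang+llvm14
  ln -s clang+llvm14 clang+llvm
  # Return to the repository: the original script stayed in $HOME here, so the
  # following `git submodule update` and relative mkdir/cd ran in the wrong
  # directory on a fresh machine.
  cd "$FUZZING_HOME"
fi
export PATH="$PATH:$HOME/clang+llvm/bin"
###### Download submodules
# `--init` is required on a fresh clone; without it uninitialised submodules
# are silently left empty and the AFL++ build below fails.
git -C "$FUZZING_HOME" submodule update --init --recursive
###### Compile AFLplusplus
cd "$FUZZING_HOME/$AFL"
# Bounded parallelism: a bare `make -j` spawns unlimited jobs.
make -j "$(nproc --all)"
cd "$FUZZING_HOME"
# Instrumentation mode for every afl-clang-fast compile below (build-afl and the driver).
export AFL_LLVM_INSTRUMENT=CLASSIC
###### Build LLVM & AIE
# Unfortunately we have to compile LLVM twice.
# `build-afl` is the build to be fuzzed.
# `build-release` is the dependency of mutator
# The paths to both LLVM is fixed in `CMakeLists.txt`
# `build-afl` is an AFL-customised build with afl instrumentation so we can
# collect runtime info and report back to afl.
# Driver also depends on `build-afl`
if [[ ! -d "$FUZZING_HOME/$LLVM/build-afl" ]]; then
  mkdir -p "$FUZZING_HOME/$LLVM/build-afl"
  cd "$FUZZING_HOME/$LLVM/build-afl"
  cmake -GNinja \
    -DBUILD_SHARED_LIBS=OFF \
    -DLLVM_BUILD_TOOLS=ON \
    -DLLVM_CCACHE_BUILD=OFF \
    -DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD="ARC;CSKY;LoongArch;M68k" \
    -DCMAKE_C_COMPILER="$FUZZING_HOME/$AFL/afl-clang-fast" \
    -DCMAKE_CXX_COMPILER="$FUZZING_HOME/$AFL/afl-clang-fast++" \
    -DCMAKE_BUILD_TYPE=Release \
    -DLLVM_APPEND_VC_REV=OFF \
    -DLLVM_BUILD_EXAMPLES=OFF \
    -DLLVM_BUILD_RUNTIME=OFF \
    -DLLVM_INCLUDE_EXAMPLES=OFF \
    -DLLVM_USE_SANITIZE_COVERAGE=OFF \
    -DLLVM_USE_SANITIZER="" \
    ../llvm
  cd "$FUZZING_HOME"
fi
cd "$FUZZING_HOME/$LLVM/build-afl"
ninja -j "$(nproc --all)"
cd "$FUZZING_HOME"
# Mutator depends on `build-release`.
# They can't depend on `build-afl` since all AFL compiled code reference to global
# `__afl_area_ptr`(branch counting table) and `__afl_prev_loc`(edge hash)
if [[ ! -d "$FUZZING_HOME/$LLVM/build-release" ]]; then
  mkdir -p "$FUZZING_HOME/$LLVM/build-release"
  cd "$FUZZING_HOME/$LLVM/build-release"
  cmake -GNinja \
    -DBUILD_SHARED_LIBS=ON \
    -DLLVM_CCACHE_BUILD=ON \
    -DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD="ARC;CSKY;LoongArch;M68k" \
    -DCMAKE_C_COMPILER=clang \
    -DCMAKE_CXX_COMPILER=clang++ \
    -DCMAKE_BUILD_TYPE=Release \
    ../llvm
  cd "$FUZZING_HOME"
fi
cd "$FUZZING_HOME/$LLVM/build-release"
ninja -j "$(nproc --all)"
cd "$FUZZING_HOME"
# Don't build debug build in docker (detected via /.dockerenv).
if [[ ! -f /.dockerenv ]]; then
  # `build-debug` mirrors `build-release` with CMAKE_BUILD_TYPE=Debug; it is
  # built with the plain host clang, not afl-clang-fast. Presumably used for
  # local debugging of the mutator/driver -- not referenced elsewhere in this
  # script.
  if [[ ! -d "$FUZZING_HOME/$LLVM/build-debug" ]]; then
    mkdir -p "$FUZZING_HOME/$LLVM/build-debug"
    cd "$FUZZING_HOME/$LLVM/build-debug"
    cmake -GNinja \
      -DBUILD_SHARED_LIBS=ON \
      -DLLVM_CCACHE_BUILD=ON \
      -DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD="ARC;CSKY;LoongArch;M68k" \
      -DCMAKE_C_COMPILER=clang \
      -DCMAKE_CXX_COMPILER=clang++ \
      -DCMAKE_BUILD_TYPE=Debug \
      ../llvm
    cd "$FUZZING_HOME"
  fi
  cd "$FUZZING_HOME/$LLVM/build-debug"
  ninja -j "$(nproc --all)"
  cd "$FUZZING_HOME"
fi
###### Compile driver.
# Driver has to be compiled by `afl-clang-fast`, so the `afl_init` is inserted before `main`
# cmake and ninja are separate statements so a configure failure aborts the
# script (inside `cmake .. && ninja` a cmake error was ignored by `set -e`).
mkdir -p "$FUZZING_HOME/llvm-isel-afl/build"
cd "$FUZZING_HOME/llvm-isel-afl/build"
cmake -GNinja \
  -DCMAKE_C_COMPILER="$FUZZING_HOME/$AFL/afl-clang-fast" \
  -DCMAKE_CXX_COMPILER="$FUZZING_HOME/$AFL/afl-clang-fast++" \
  ..
ninja -j 4
cd "$FUZZING_HOME"
###### Compile mutator.
mkdir -p "$FUZZING_HOME/mutator/build"
cd "$FUZZING_HOME/mutator/build"
cmake -GNinja ..
ninja -j 4
cd "$FUZZING_HOME"
# Tell AFL++ to only use our mutator
export AFL_CUSTOM_MUTATOR_ONLY=1
# Tell AFL++ Where our mutator is
export AFL_CUSTOM_MUTATOR_LIBRARY="$FUZZING_HOME/mutator/build/libAFLCustomIRMutator.so"
# NOTE: these exports only reach afl-fuzz if this file is *sourced*; when it is
# executed as a script they die with the process, so set them again in the
# shell that launches afl-fuzz. If you do source it, `set -euo pipefail`
# above also applies to your interactive shell.
# Run afl
# "$FUZZING_HOME/$AFL/afl-fuzz" -i <input> -o <output> "$FUZZING_HOME/llvm-isel-afl/build/isel-fuzzing"
# Kill processes left over by afl. `pkill -f` matches on the full command line
# and, unlike `ps | grep | kill`, does not pick up the grep itself; try TERM
# first and escalate to -9 only if they do not exit.
# pkill -f isel-fuzzing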