Merge pull request #185 from andrewchambers/afl

Add afl fuzzing helpers.
2025-04-05 14:56:55 +00:00 · 2019-11-29 22:36:47 -05:00 · 2019-11-29 22:36:47 -05:00 · 13ef2bd905
commit 13ef2bd905
parent 4e4cdb6356 4acc63e325
6 changed files with 88 additions and 0 deletions
--- a/tools/afl/README.md
+++ b/tools/afl/README.md
@ -0,0 +1,14 @@
+# AFL Fuzzing scripts
+
+To use these, you need to install afl (of course), and xterm. A tiling window manager helps manage
+many concurrent fuzzer instances.
+
+## Fuzz the parser
+```
+$ sh ./tools/afl/prepare_to_fuzz.sh
+export NFUZZ=1
+$ sh ./tools/afl/fuzz.sh parser
+Ctrl+C when done to close all fuzzer terminals.
+$ sh ./tools/afl/aggregate_cases.sh parser
+$ ls ./fuzz_out/parser_aggregated/
+```
--- a/tools/afl/aggregate_cases.sh
+++ b/tools/afl/aggregate_cases.sh
@ -0,0 +1,13 @@
+set -eux
+
+n=0
+for tc in $(echo ./fuzz_out/$1/*/hangs/* ./fuzz_out/$1/*/crashes/*)
+do
+  if ! test -e $tc
+  then
+    continue
+  fi
+  mkdir -p ./fuzz_out/$1_aggregated/
+  cp "$tc" $(printf "./fuzz_out/$1_aggregated/$1-%04d.test" $n)
+  n=$((n + 1))
+done
--- a/tools/afl/fuzz.sh
+++ b/tools/afl/fuzz.sh
@ -0,0 +1,36 @@
+set -eux
+
+NFUZZ=${NFUZZ:-1}
+children=""
+
+function finish {
+  for pid in $children
+  do
+    set +e
+    kill -s INT $pid
+  done
+  wait
+}
+trap finish EXIT
+
+test -e ./tools/afl/$1_testcases
+test -e ./tools/afl/$1_runner.janet
+
+echo "running fuzz master..."
+xterm -e \
+  "afl-fuzz -i ./tools/afl/$1_testcases -o ./fuzz_out/$1 -M Fuzz$1_0 -- ./build/janet ./tools/afl/$1_runner.janet @@" &
+children="$! $children"
+echo "waiting for afl to get started before starting secondary fuzzers"
+sleep 10
+
+NFUZZ=$((NFUZZ - 1))
+
+for N in $(seq $NFUZZ)
+do
+  xterm -e \
+    "afl-fuzz -i ./tools/afl/$1_testcases -o ./fuzz_out/$1 -S Fuzz$1_$N -- ./build/janet ./tools/afl/$1_runner.janet @@" &
+  children="$! $children"
+done
+
+echo "waiting for child terminals to exit."
+wait
--- a/tools/afl/parser_runner.janet
+++ b/tools/afl/parser_runner.janet
@ -0,0 +1,4 @@
+(def p (parser/new))
+(parser/consume p (slurp ((dyn :args) 1)))
+(while (parser/has-more p)
+  (pp (parser/produce p)))
--- a/tools/afl/parser_testcases/simple.janet
+++ b/tools/afl/parser_testcases/simple.janet
@ -0,0 +1,15 @@
+0
+123.653
+true
+:true
+{}
+`
+   hello
+`
+|()
+,()
+@{:hello "world"}
+@[1 "hello"]
+nil
+(foo 2 3)
+([{} @{:k ([""])}])
--- a/tools/afl/prepare_to_fuzz.sh
+++ b/tools/afl/prepare_to_fuzz.sh
@ -0,0 +1,6 @@
+set -eux
+
+export CC=afl-clang
+make clean
+make -j $(nproc) all
+mkdir -p "./fuzz_out"