| 1 | +# Over time the fuzz engine will reduce inputs (produce a smaller input that |
| 2 | +# yields the same coverage statistics). With a growing set of inputs, it could |
| 3 | +# be useful to occasionally delete the "old" non-reduced inputs. |
| 4 | +# |
| 5 | +# This script tries to do so in a way that is as deterministic as possible. |
| 6 | +# |
| 7 | +# The script should be run on an x86_64 virtual machine with only a minimal |
| 8 | +# vanilla Ubuntu Noble 24.04 installed. Ideally, the script was run on |
| 9 | +# different architectures or even different OS versions, which come with |
| 10 | +# different library packages, but this is left as a future improvement. |
| 11 | + |
| 12 | +export FUZZ_CORPORA_DIR="fuzz_corpora" |
| 13 | + |
| 14 | +set -e |
| 15 | + |
| 16 | +echo "Installing Bitcoin Core build deps" |
| 17 | +export DEBIAN_FRONTEND=noninteractive |
| 18 | +apt update |
| 19 | +apt install -y \ |
| 20 | + git \ |
| 21 | + build-essential pkg-config bsdmainutils python3 cmake \ |
| 22 | + libsqlite3-dev libevent-dev libboost-dev \ |
| 23 | + lsb-release wget software-properties-common gnupg |
| 24 | + |
| 25 | +export LLVM_VERSION=18 |
| 26 | +wget https://apt.llvm.org/llvm.sh && chmod +x ./llvm.sh |
| 27 | +./llvm.sh $LLVM_VERSION all |
| 28 | +ln -s $(which llvm-symbolizer-$LLVM_VERSION) /usr/bin/llvm-symbolizer |
| 29 | + |
| 30 | +git clone --branch stable https://github.com/AFLplusplus/AFLplusplus |
| 31 | +make -C AFLplusplus LLVM_CONFIG=llvm-config-$LLVM_VERSION PERFORMANCE=1 install -j$(nproc) |
| 32 | + |
| 33 | +git clone --depth=1 https://github.com/bitcoin-core/qa-assets.git |
| 34 | +( |
| 35 | + cd qa-assets |
| 36 | + mv ./"${FUZZ_CORPORA_DIR}" ../all_inputs |
| 37 | + git config user.name "delete_nonreduced_inputs script" |
| 38 | + git config user.email "noreply@noreply.noreply" |
| 39 | + git commit -a -m "Delete fuzz inputs" |
| 40 | +) |
| 41 | + |
| 42 | +git clone --depth=1 https://github.com/bitcoin/bitcoin.git |
| 43 | +( |
| 44 | + cd bitcoin |
| 45 | + |
| 46 | + echo "Adding reduced seeds with afl-cmin" |
| 47 | + |
| 48 | + rm -rf build_fuzz/ |
| 49 | + export LDFLAGS="-fuse-ld=lld" |
| 50 | + cmake -B build_fuzz \ |
| 51 | + -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ \ |
| 52 | + -DBUILD_FOR_FUZZING=ON |
| 53 | + cmake --build build_fuzz -j$(nproc) |
| 54 | + |
| 55 | + WRITE_ALL_FUZZ_TARGETS_AND_ABORT="/tmp/a" "./build_fuzz/bin/fuzz" || true |
| 56 | + readarray FUZZ_TARGETS < "/tmp/a" |
| 57 | + for fuzz_target in ${FUZZ_TARGETS[@]}; do |
| 58 | + if [ -d "../all_inputs/$fuzz_target" ]; then |
| 59 | + mkdir --parents ../qa-assets/"${FUZZ_CORPORA_DIR}"/$fuzz_target |
| 60 | + # Allow timeouts and crashes with "-A", "-T all" to use all available cores |
| 61 | + FUZZ=$fuzz_target afl-cmin -T all -A -i ../all_inputs/$fuzz_target -o ../qa-assets/"${FUZZ_CORPORA_DIR}"/$fuzz_target -- ./build_fuzz/bin/fuzz |
| 62 | + else |
| 63 | + echo "No input corpus for $fuzz_target (ignoring)" |
| 64 | + fi |
| 65 | + done |
| 66 | + |
| 67 | + ( |
| 68 | + cd ../qa-assets |
| 69 | + git add "${FUZZ_CORPORA_DIR}" |
| 70 | + git commit -m "Reduced inputs for afl-cmin" |
| 71 | + ) |
| 72 | + |
| 73 | + for sanitizer in {"fuzzer","fuzzer,address,undefined,integer"}; do |
| 74 | + echo "Adding reduced seeds for sanitizer=${sanitizer}" |
| 75 | + |
| 76 | + rm -rf build_fuzz/ |
| 77 | + cmake -B build_fuzz \ |
| 78 | + -DCMAKE_C_COMPILER=clang-$LLVM_VERSION -DCMAKE_CXX_COMPILER=clang++-$LLVM_VERSION \ |
| 79 | + -DBUILD_FOR_FUZZING=ON -DSANITIZERS="$sanitizer" |
| 80 | + cmake --build build_fuzz -j$(nproc) |
| 81 | + |
| 82 | + ( cd build_fuzz; ./test/fuzz/test_runner.py -l DEBUG --par=$(nproc) --m_dir=../../all_inputs ../../qa-assets/"${FUZZ_CORPORA_DIR}" ) |
| 83 | + |
| 84 | + ( |
| 85 | + cd ../qa-assets |
| 86 | + git add "${FUZZ_CORPORA_DIR}" |
| 87 | + git commit -m "Reduced inputs for ${sanitizer}" |
| 88 | + ) |
| 89 | + done |
| 90 | +) |
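Review bot: The determinism the header comment promises is undercut by the unverified and unpinned fetches at file lines 26–31: `llvm.sh` is downloaded and executed as root with no integrity check, and `AFLplusplus` is cloned from the moving `stable` branch (the `qa-assets` and `bitcoin` clones at lines 33 and 42 likewise track whatever the default branch head is at run time), so two runs can build different compilers and harnesses. Pin each clone to a tag or commit and compare the downloaded installer against a known digest before running it. Separately, the fuzz-target list at lines 55–57 goes through the fixed path `/tmp/a` and is read back with `readarray` without `-t`, which only works because the unquoted `${FUZZ_TARGETS[@]}` at line 57 word-splits away the trailing newlines; a `mktemp` path, `readarray -t`, and a quoted `"${FUZZ_TARGETS[@]}"` make that explicit and drop the predictable temp file. The file also has no shebang while relying on bash-only features (`readarray`, arrays, brace expansion), so `#!/usr/bin/env bash` belongs on line 1.
```shell
#!/usr/bin/env bash
# … unchanged: header comment, FUZZ_CORPORA_DIR, set -e, apt install …
export LLVM_VERSION=18
wget https://apt.llvm.org/llvm.sh
# Digest of the reviewed llvm.sh; placeholder, fill in from a trusted copy.
echo "<EXPECTED_SHA256_PLACEHOLDER>  llvm.sh" | sha256sum --check
chmod +x ./llvm.sh
./llvm.sh "$LLVM_VERSION" all
# … unchanged: llvm-symbolizer symlink …
git clone --branch stable https://github.com/AFLplusplus/AFLplusplus
git -C AFLplusplus checkout "<PINNED_AFLPLUSPLUS_COMMIT_PLACEHOLDER>"
# … unchanged: make install, qa-assets clone and commit, bitcoin clone, afl build …
  fuzz_targets_file=$(mktemp)
  WRITE_ALL_FUZZ_TARGETS_AND_ABORT="$fuzz_targets_file" "./build_fuzz/bin/fuzz" || true
  readarray -t FUZZ_TARGETS < "$fuzz_targets_file"
  for fuzz_target in "${FUZZ_TARGETS[@]}"; do
# … unchanged: afl-cmin loop body, commits, sanitizer loop …
```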