[Scripts] provide fuzzilli toolchain

Author: bongjunj

instrumentation/Makefile

@@ -1,5 +1,11 @@
-CXX = clang++
+CXX ?= clang++
 LLVM_CONFIG ?= llvm-config
+
+ifdef BASE
+CXX := $(BASE)/bin/clang++
+LLVM_CONFIG := $(BASE)/bin/llvm-config
+endif
+
 CXXFLAGS = $(shell $(LLVM_CONFIG) --cxxflags) -std=c++17 -fno-rtti -fPIC
 LDFLAGS  = $(shell $(LLVM_CONFIG) --ldflags)
 PLUGIN_FLAGS = -Xclang -fpass-plugin=./inst-pass.so
@@ -9,7 +15,7 @@ DISTANCE = $(HOME)/llfuzz-experiment/optimuzz/_build/default/src/program/distanc
 all: inst-pass.so coverage.o
 
 inst-pass.so: InstPass.cpp
-	$(CXX) -g -shared -o $@ $^ $(CXXFLAGS) $(LLVM_LDFLAGS)
+	$(CXX) -g -shared -o $@ $^ $(CXXFLAGS) $(LDFLAGS)
 
 coverage.o: coverage.cpp
 	$(CXX) -fPIC -c $< -o $@

scripts/alive.sh

@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+
+import argparse
+from pathlib import Path
+import logging
+import pydot
+import networkx as nx
+import sys
+from collections import defaultdict
+
+parser = argparse.ArgumentParser()
+parser.add_argument("cfg_dir", help="directory of CFG files and callgraph.txt")
+parser.add_argument('targets_file', help="file containing <target_file>:<target_line> pairs")
+args = parser.parse_args()
+
+logging.basicConfig(
+    filename='cfg_preprocess.log',
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+
+cfg_dir = Path(args.cfg_dir)
+
+targets = []
+
+for line in open(args.targets_file):
+    target_file, target_line = line.strip().split(':')
+    target_line = int(target_line)
+    targets.append((target_file, target_line))
+
+    print(target_file, target_line, file=sys.stderr)
+
+for target in targets:
+    logging.info(f'Target: {target[0]}:{target[1]}')
+
+# each line looks like
+# simplified-lowering.cc:_ZN2v88internal8compiler22RepresentationSelector12EnqueueInputILNS1_5PhaseE0EEEvPNS1_4NodeEiNS1_7UseInfoE:0:0:384103392 _ZN2v88internal8compiler22RepresentationSelector7GetInfoEPNS1_4NodeE
+def parse_callgraph(callgraph_txt):
+    with open(callgraph_txt, 'r') as f:
+        for line in f:
+            caller, callee = line.strip().split()
+            # print(f'{caller} -> {callee}')
+            filename, funcname, lineno, order, bbid = caller.split(':')
+            yield (filename, funcname, lineno, order, hex(int(bbid))), callee
+
+target_nodes = []
+
+# need to extract (function name -> first block id)
+def parse_cfg(cfg_file):
+    graph: pydot.Graph = pydot.graph_from_dot_file(cfg_file)[0]
+    graph: nx.MultiDiGraph = nx.drawing.nx_pydot.from_pydot(graph)
+    # print('graph name', graph.name)
+    # set edge weight as 1
+    for u, v, k, d in graph.edges(keys=True, data=True):
+        d['weight'] = 1
+
+    for n, d in graph.nodes(data=True):
+        label = d['label'].strip('{}"')
+        filename, funcname, lineno, order = label.split(':')
+        d['filename'] = filename
+        d['funcname'] = funcname
+        d['lineno'] = int(lineno)
+        d['order'] = int(order)
+
+        for filename, lineno in targets:
+            if d['filename'] in filename and d['lineno'] == lineno:
+                target_nodes.append(n)
+                logging.info(f'Found target node {n} in {cfg_file}')
+                break
+
+    # print('graph nodes', graph.nodes(data=True))
+    # print('graph edges', graph.edges(keys=True, data=True))
+    return graph
+
+callgraph = list(parse_callgraph(cfg_dir / 'callgraph.txt'))
+cfgs = []
+func_to_node = {}
+for f in cfg_dir.glob('*.dot'):
+    g = parse_cfg(f)
+    cfgs.append(g)
+
+    the_node = min(g.nodes(data=True), key=lambda n: n[1]['order'])
+    # print(the_node)
+    func_to_node[g.name] = the_node[0]
+
+# for func, first_node in func_to_node.items():
+#     print(f'{func} -> {first_node}')
+
+logging.info(f'{len(target_nodes)} target nodes found')
+
+logging.info(f'{len(callgraph)} call edges found in callgraph.txt')
+logging.info(f'{len(cfgs)} CFG files found in {cfg_dir}')
+
+node_cnt = sum([cfg.number_of_nodes() for cfg in cfgs])
+edge_cnt = sum([cfg.number_of_edges() for cfg in cfgs])
+
+logging.info(f'Total number of nodes: {node_cnt}')
+logging.info(f'Total number of edges: {edge_cnt}')
+
+# merge cfgs into one
+entire_cfg = nx.MultiDiGraph()
+for cfg in cfgs:
+    entire_cfg = nx.compose(entire_cfg, cfg)
+
+for caller, callee in callgraph:
+    filename, funcname, lineno, order, bbid = caller
+    node = 'Node' + bbid
+    assert node in entire_cfg, f'Node {node} not found in entire CFG'
+    entire_cfg.add_edge(node, func_to_node[callee], weight=10)
+
+logging.info(f'Number of nodes in entire CFG: {entire_cfg.number_of_nodes()}')
+logging.info(f'Number of edges in entire CFG: {entire_cfg.number_of_edges()}')
+
+fulldistmap = defaultdict(list)
+for v in target_nodes:
+    distmap = nx.single_source_dijkstra_path_length(entire_cfg, v)
+    for n, distance in distmap.items():
+        fulldistmap[n].append(distance)
+
+for n, distances in fulldistmap.items():
+    bbid = n[4:]
+    # compute harmonic mean
+    if 0 not in distances:
+        harmonic_mean = len(distances) / sum([1/d for d in distances])
+        print(f'{bbid} {harmonic_mean}')
+    else:
+        print(f'{bbid} 0.0')
+

build-turbotv.sh scripts/build-turbotv.shbuild-turbotv.sh renamed to scripts/build-turbotv.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+import sys
+
+toolchain = sys.argv[1]
+target_rule = sys.argv[2]
+prepends = sys.argv[3]
+appends = sys.argv[4]
+
+# print(toolchain, target_rule, prepends, appends)
+
+command_line = None
+
+with open(toolchain, 'r') as f:
+    lines = f.readlines()
+    for i, l in enumerate(lines):
+        if l.strip() == f"rule {target_rule}":
+            command_line = lines[i + 1].strip()
+            break
+
+
+if command_line is None:
+    sys.stderr.write("target rule not found")
+    exit(1)
+
+command_line = '  command =  ' + prepends + ' ' + command_line.lstrip('command =').strip() + ' ' + appends + '\n'
+lines[i + 1] = command_line
+
+with open(toolchain, 'w') as f:
+    f.write(''.join(lines))

scripts/cfg_preprocess.py

@@ -0,0 +1,3 @@
+cd $HOME
+wget https://github.com/llvm/llvm-project/releases/download/llvmorg-13.0.0/clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz
+tar -xvf clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz

scripts/check-format

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+ROOT=$PWD
+NUMBER=$1 # 1195650 1198705 1199345 1200490 1234764 1234770
+
+if [[ -z $NUMBER ]]; then
+    echo "Usage: $0 <number>"
+    exit 1
+fi
+
+if [[ $(basename "$ROOT") != "optimuzz" ]]; then
+    echo "Please run this script from the root of the optimuzz repository."
+    exit 1
+fi
+
+echo $ROOT
+
+set -e
+
+# Our TurboFan benchmark requires Python 2
+if [[ ! -d $HOME/.pyenv ]]; then
+    curl https://pyenv.run | bash
+fi
+export PYENV_ROOT="$HOME/.pyenv"
+[[ -d $PYENV_ROOT/bin ]] && export PATH="$PYENV_ROOT/bin:$PATH"
+eval "$(pyenv init - bash)"
+# pyenv install 2
+
+
+TURBOFAN_BUILDS=$HOME/turbofan-builds
+
+mkdir -p $TURBOFAN_BUILDS
+pushd $TURBOFAN_BUILDS
+if [[ ! -d tools/depot_tools ]]; then
+    git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git tools/depot_tools
+fi
+export PATH=$PWD/tools/depot_tools:$PATH
+echo "Fetching v8..."
+# fetch v8
+
+echo "Checking out v8..."
+# gclient sync
+
+
+COMMIT_ID=$(grep "^$NUMBER" $ROOT/turbotv-fuzzilli/d8-targets/commits.txt | awk '{print $2}')
+echo $COMMIT_ID
+pyenv global 2 # Our targets need python 2.7
+pyenv exec gclient sync -D -R --revision=$COMMIT_ID
+
+if [[ ! -f $HOME/clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz ]]; then
+    pushd $HOME
+    wget https://github.com/llvm/llvm-project/releases/download/llvmorg-13.0.0/clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz
+    tar -xvf clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz
+    popd
+fi
+
+pushd v8
+tools/dev/v8gen.py x64.debug
+
+cat > out.gn/x64.debug/args.gn <<EOF
+clang_base_path = "$HOME/clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04"
+clang_use_chrome_plugins = false
+treat_warnings_as_errors = false
+is_debug = true
+target_cpu = "x64"
+v8_enable_backtrace = true
+v8_enable_slow_dchecks = true
+v8_optimized_debug = false
+EOF
+
+gn gen out.gn/x64.debug
+
+cat out.gn/x64.debug/args.gn
+
+echo -e "\033[34mBuilding instrumentation...\033[0m"
+
+make -C $ROOT/instrumentation/ clean
+make -C $ROOT/instrumentation/ BASE=$HOME/clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04
+
+echo -e "\033[34mEditing build rules...\033[0m"
+export SCRIPTS=$ROOT/scripts
+TARGET_FILE=$(cat $ROOT/turbotv-fuzzilli/d8-targets/$NUMBER.txt | cut -d':' -f1)
+$SCRIPTS/edit_rule.py out.gn/x64.debug/toolchain.ninja cxx "VERBOSE=1 TARGET_FILE=$TARGET_FILE OUT_DIR=\"$PWD/out.gn/x64.debug/cfg\"" "-fexperimental-new-pass-manager -Xclang -fpass-plugin=$ROOT/instrumentation/inst-pass.so"
+$SCRIPTS/edit_rule.py out.gn/x64.debug/toolchain.ninja link "" "$ROOT/instrumentation/coverage.o"
+$SCRIPTS/edit_rule.py out.gn/x64.debug/toolchain.ninja solink "" "$ROOT/instrumentation/coverage.o"
+
+echo -e "\033[34mBuilding d8...\033[0m"
+ninja -C out.gn/x64.debug d8 > out.gn/x64.debug/ninja.log
+$SCRIPTS/cfg_preprocess.py out.gn/x64.debug/cfg $HOME/optimuzz-experiment/cases/turbofan/targets/$NUMBER.txt > distmap.txt
+cd $ROOT
+mv $TURBOFAN_BUILDS/v8/out.gn/x64.debug/ d8s/$NUMBER/
+cp $TURBOFAN_BUILDS/v8/distmap.txt d8s/$NUMBER/distmap.txt
+
+tools/turbofan-reproduce.py $NUMBER