Hu Chunming / sip_server

fuzz.sh 2.73 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 
#!/bin/sh
#
# builds the fuzzers, runs old crashes etc
#
# Optional: set environment variable CLANG, otherwise clang is auto detected.
#
# By Paul Dreik 2019-2020 for the boost json project
# License: Boost 1.0

set -e

fuzzdir=$(dirname $0)
me=$(basename $0)

cd $fuzzdir

if [ -z $CLANG ] ; then
    #see if we can find clang
    for clangver in -10 -9 -8 -7 -6 -6.0 "" ;   do
	CLANG=clang++$clangver
	if which $CLANG >/dev/null; then
	    break
	fi
    done
fi

if ! which $CLANG >/dev/null; then
    if ! -x $CLANG; then
	echo $me: sorry, could not find clang $CLANG
	exit 1
    fi
fi
echo "$me: will use this compiler: $CLANG"

# set the maximum size of the input, to avoid
# big inputs which blow up the corpus size
MAXLEN="-max_len=4000"

# If doing fuzzing locally (not in CI), adjust this to utilize more
# of your cpu.
#JOBS="-jobs=32"
JOBS=

# set a timelimit (you may want to adjust this if you run locally)
MAXTIME="-max_total_time=30"

variants="basic_parser parse parser"

for variant in $variants; do

srcfile=fuzz_$variant.cpp
fuzzer=./fuzzer_$variant

if [ ! -e $fuzzer -o $srcfile -nt $fuzzer ] ; then
    # explicitly set BOOST_JSON_STACK_BUFFER_SIZE small so interesting
    # code paths are taken also for small inputs (see https://github.com/CPPAlliance/json/issues/333)
    $CLANG \
        -std=c++17 \
        -O3 \
        -g \
        -fsanitize=fuzzer,address,undefined \
        -fno-sanitize-recover=undefined \
        -I../include \
        -DBOOST_JSON_STACK_BUFFER_SIZE=64  \
        -o $fuzzer \
        ../src/src.cpp \
        $srcfile
fi

# make sure ubsan stops in case anything is found
export UBSAN_OPTIONS="halt_on_error=1"

# make sure the old crashes pass without problems
if [ -d old_crashes/$variant ]; then
  find old_crashes/$variant -type f -print0 |xargs -0 --no-run-if-empty $fuzzer
fi

# make an initial corpus from the test data already in the repo
seedcorpus=seedcorpus/$variant
if [ ! -d $seedcorpus ] ; then
    mkdir -p $seedcorpus
    find ../test -name "*.json" -type f -print0 |xargs -0 --no-run-if-empty cp -f -t $seedcorpus/
fi

# if an old corpus exists, use it
# get it with curl -O --location -J https://bintray.com/pauldreik/boost.json/download_file?file_path=corpus%2Fcorpus.tar
if [ -e corpus.tar ] ; then
  mkdir -p oldcorpus
  tar xf corpus.tar -C oldcorpus || echo "corpus.tar was broken! ignoring it"
  OLDCORPUS=oldcorpus/cmin/$variant
  # in case the old corpus did not have this variant (when adding/renaming a new fuzzer)
  mkdir -p $OLDCORPUS
else
  OLDCORPUS=
fi


# run the fuzzer for a short while
mkdir -p out/$variant
$fuzzer out/$variant $OLDCORPUS $seedcorpus/ $MAXTIME $MAXLEN $JOBS

# minimize the corpus
mkdir -p cmin/$variant
$fuzzer cmin/$variant $OLDCORPUS out/$variant $seedcorpus/ -merge=1 $MAXLEN
done