Fuzzing: the fourth attempt to migrate to -fsanitize=fuzzer-no-link.

This instrumentation flag is recommended by libFuzzer authors, as it may enable
various different instrumentation options which are actual and recommended for use.
The flag is implemented in clang, so we won't have to update individual
instrumentation flags anymore.

See crbug.com/764514 and https://github.com/google/oss-fuzz/issues/832

AFL still supports only trace-pc-guard instrumentation, so we have to use separate
compilation flags for AFL and libFuzzer, the same way as we do in OSS-Fuzz.

Previous reverts:

1) https://chromium-review.googlesource.com/c/chromium/src/+/852826

The issue with sancov report generation is not resolved yet. We can either land
this and break coverage on CF for some time, until I resolve crbug.com/818467 OR
we can wait until crbug.com/818467 gets resolved first. I'd prefer landing this now
and fixing coverage on CF after that.

2) https://chromium-review.googlesource.com/c/chromium/src/+/1087431

The issue with linker trying to link in symbols which were not used and thus
were not properly instrumented has been reported to the sanitizers project
and fixed on LLVM side: https://github.com/google/sanitizers/issues/971.

3) https://chromium-review.googlesource.com/c/chromium/src/+/1110348

Dead code stripping led to libFuzzer complaining about a mismatch of the size of
coverage PC tables: https://crbug.com/856239.
Fixed upstream: https://reviews.llvm.org/rL336941.

Bug: 764514
Change-Id: Ic19a6c27ee37143f3ca126e3bc57c9182e962750
Reviewed-on: https://chromium-review.googlesource.com/1175851Reviewed-by: Abhishek Arya <inferno@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583294}

build/config/sanitizers/BUILD.gn

@@ -199,7 +199,11 @@ config("default_sanitizer_ldflags") {
     }
 
     if (use_sanitizer_coverage) {
-      ldflags += [ "-fsanitize-coverage=$sanitizer_coverage_flags" ]
+      if (use_libfuzzer) {
+        ldflags += [ "-fsanitize=fuzzer-no-link" ]
+      } else {
+        ldflags += [ "-fsanitize-coverage=$sanitizer_coverage_flags" ]
+      }
     }
 
     if (is_cfi && current_toolchain == default_toolchain) {
@@ -375,19 +379,24 @@ config("cfi_icall_generalize_pointers") {
 config("coverage_flags") {
   cflags = []
   if (use_sanitizer_coverage) {
-    cflags += [
-      "-fsanitize-coverage=$sanitizer_coverage_flags",
-      "-mllvm",
-      "-sanitizer-coverage-prune-blocks=1",
-    ]
-    if (current_cpu == "arm") {
-      # http://crbug.com/517105
+    # Used by sandboxing code to allow coverage dump to be written on the disk.
+    defines = [ "SANITIZER_COVERAGE" ]
+    if (use_libfuzzer) {
+      cflags += [ "-fsanitize=fuzzer-no-link" ]
+    } else {
       cflags += [
+        "-fsanitize-coverage=$sanitizer_coverage_flags",
         "-mllvm",
-        "-sanitizer-coverage-block-threshold=0",
+        "-sanitizer-coverage-prune-blocks=1",
       ]
+      if (current_cpu == "arm") {
+        # http://crbug.com/517105
+        cflags += [
+          "-mllvm",
+          "-sanitizer-coverage-block-threshold=0",
+        ]
+      }
     }
-    defines = [ "SANITIZER_COVERAGE" ]
   }
 }
 

build/config/sanitizers/sanitizers.gni

@@ -97,7 +97,9 @@ declare_args() {
 
   # Value for -fsanitize-coverage flag. Setting this causes
   # use_sanitizer_coverage to be enabled.
-  # Default value when unset and use_fuzzing_engine=true:
+  # This flag is not used for libFuzzer (use_libfuzzer=true). Instead, we use:
+  #     -fsanitize=fuzzer-no-link
+  # Default value when unset and use_afl=true:
   #     trace-pc-guard
   # Default value when unset and use_sanitizer_coverage=true:
   #     trace-pc-guard,indirect-calls