[AFL] Opt v8 fuzzers out of AFL's forkserver

Allow fuzzers to opt out of using AFL's forkserver. Also opt v8 fuzzers out of using it. v8 fuzzers start threads when LLVMFuzzerInitialize is called. This breaks AFL's forkserver because one cannot fork after a thread has started. This is a speculative fix for crbug.com/875199 Bug: 797798, 875199, 796680 Change-Id: I12e8408afaba9c9ca435d031e4263fcc2f80c67f Reviewed-on: https://chromium-review.googlesource.com/1187835Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Jonathan Metzman <metzman@chromium.org> Cr-Commit-Position: refs/heads/master@{#585874}

[AFL] Opt v8 fuzzers out of AFL's forkserver
Allow fuzzers to opt out of using AFL's forkserver. Also opt v8 fuzzers out of using it. v8 fuzzers start threads when LLVMFuzzerInitialize is called. This breaks AFL's forkserver because one cannot fork after a thread has started. This is a speculative fix for crbug.com/875199 Bug: 797798, 875199, 796680 Change-Id: I12e8408afaba9c9ca435d031e4263fcc2f80c67f Reviewed-on: https://chromium-review.googlesource.com/1187835Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Jonathan Metzman <metzman@chromium.org> Cr-Commit-Position: refs/heads/master@{#585874}
88f4eab8 · Jonathan Metzman · Commit Bot · 2c653e93 · 88f4eab8 · 88f4eab8
Commit 88f4eab8 authored Aug 24, 2018 by Jonathan Metzman Committed by Commit Bot Aug 24, 2018
3 changed files
--- a/testing/libfuzzer/fuzzer_test.gni
+++ b/testing/libfuzzer/fuzzer_test.gni
@@ -16,6 +16,8 @@ import("//testing/test.gni")
 # - deps - test dependencies
 # - additional_configs - additional configs to be used for compilation
 # - dict - a dictionary file for the fuzzer.
+# - environment_variables - certain whitelisted environment variables for the
+# fuzzer (AFL_DRIVER_DONT_DEFER is the only one allowed currently).
 # - libfuzzer_options - options for the fuzzer (e.g. -max_len or -timeout).
 # - seed_corpus - a directory with seed corpus.
 # - seed_corpus_deps - dependencies for generating the seed corpus.
@@ -83,7 +85,8 @@ template("fuzzer_test") {
      test_deps += [ ":" + target_name + "_seed_corpus" ]
    }

-    if (defined(invoker.dict) || defined(invoker.libfuzzer_options)) {
+    if (defined(invoker.dict) || defined(invoker.libfuzzer_options) ||
+        defined(invoker.environment_variables)) {
      if (defined(invoker.dict)) {
        # Copy dictionary to output.
        copy(target_name + "_dict_copy") {
@@ -119,6 +122,11 @@ template("fuzzer_test") {
          args += invoker.libfuzzer_options
        }

+        if (defined(invoker.environment_variables)) {
+          args += [ "--environment_variables" ]
+          args += invoker.environment_variables
+        }
+
        outputs = [
          "$root_build_dir/$config_file_name",
        ]

--- a/testing/libfuzzer/fuzzers/BUILD.gn
+++ b/testing/libfuzzer/fuzzers/BUILD.gn
@@ -161,6 +161,7 @@ fuzzer_test("v8_script_parser_fuzzer") {
  dict = "dicts/generated/javascript.dict"
  seed_corpus = "//v8/test/mjsunit/regress/"
  libfuzzer_options = [ "only_ascii=1" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_json_parser_fuzzer") {
@@ -169,6 +170,7 @@ fuzzer_test("v8_json_parser_fuzzer") {
    "//v8:json_fuzzer",
  ]
  dict = "dicts/json.dict"
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_regexp_parser_fuzzer") {
@@ -179,6 +181,7 @@ fuzzer_test("v8_regexp_parser_fuzzer") {
  dict = "dicts/regexp.dict"
  seed_corpus = "//v8/test/fuzzer/regexp/"
  libfuzzer_options = [ "max_len=64" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_regexp_builtins_fuzzer") {
@@ -186,6 +189,7 @@ fuzzer_test("v8_regexp_builtins_fuzzer") {
  deps = [
    "//v8:regexp_builtins_fuzzer",
  ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_multi_return_fuzzer") {
@@ -193,6 +197,7 @@ fuzzer_test("v8_multi_return_fuzzer") {
  deps = [
    "//v8:multi_return_fuzzer",
  ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_code_fuzzer") {
@@ -201,6 +206,7 @@ fuzzer_test("v8_wasm_code_fuzzer") {
    "//v8:wasm_code_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_compile_fuzzer") {
@@ -209,6 +215,7 @@ fuzzer_test("v8_wasm_compile_fuzzer") {
    "//v8:wasm_compile_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_fuzzer") {
@@ -219,6 +226,7 @@ fuzzer_test("v8_wasm_fuzzer") {
  dict = "dicts/v8_wasm.dict"
  seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_async_fuzzer") {
@@ -229,6 +237,7 @@ fuzzer_test("v8_wasm_async_fuzzer") {
  dict = "dicts/v8_wasm.dict"
  seed_corpus = "//v8/test/fuzzer/wasm_corpus/"
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_data_section_fuzzer") {
@@ -237,6 +246,7 @@ fuzzer_test("v8_wasm_data_section_fuzzer") {
    "//v8:wasm_data_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_function_sigs_section_fuzzer") {
@@ -245,6 +255,7 @@ fuzzer_test("v8_wasm_function_sigs_section_fuzzer") {
    "//v8:wasm_function_sigs_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_globals_section_fuzzer") {
@@ -253,6 +264,7 @@ fuzzer_test("v8_wasm_globals_section_fuzzer") {
    "//v8:wasm_globals_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_imports_section_fuzzer") {
@@ -261,6 +273,7 @@ fuzzer_test("v8_wasm_imports_section_fuzzer") {
    "//v8:wasm_imports_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_memory_section_fuzzer") {
@@ -269,6 +282,7 @@ fuzzer_test("v8_wasm_memory_section_fuzzer") {
    "//v8:wasm_memory_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_names_section_fuzzer") {
@@ -277,6 +291,7 @@ fuzzer_test("v8_wasm_names_section_fuzzer") {
    "//v8:wasm_names_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("v8_wasm_types_section_fuzzer") {
@@ -285,6 +300,7 @@ fuzzer_test("v8_wasm_types_section_fuzzer") {
    "//v8:wasm_types_section_fuzzer",
  ]
  libfuzzer_options = [ "max_len=500" ]
+  environment_variables = [ "AFL_DRIVER_DONT_DEFER=1" ]
 }

 fuzzer_test("convert_woff2ttf_fuzzer") {

--- a/testing/libfuzzer/gen_fuzzer_config.py
+++ b/testing/libfuzzer/gen_fuzzer_config.py
@@ -9,38 +9,57 @@
 Invoked by GN from fuzzer_test.gni.
 """

+import ConfigParser
 import argparse
 import os
 import sys

+def AddSectionOptions(config, section_name, options):
+  """Add |options| to the |section_name| section of |config|. Throws an
+  assertion error if any option in |options| does not have exactly two
+  elements."""
+  if not options:
+    return
+
+  config.add_section(section_name)
+  for option_and_value in options:
+    assert len(option_and_value) == 2, (
+        '%s is not an option, value pair' % option_and_value)
+
+    config.set(section_name, *option_and_value)

-CONFIG_HEADER = '''# This is an automatically generated config for libFuzzer.
-[libfuzzer]
-'''

 def main():
  parser = argparse.ArgumentParser(description="Generate fuzzer config.")
  parser.add_argument('--config', required=True)
  parser.add_argument('--dict')
  parser.add_argument('--libfuzzer_options', nargs='+', default=[])
+  parser.add_argument('--environment_variables', nargs='+', default=[],
+                      choices=['AFL_DRIVER_DONT_DEFER=1'])
  args = parser.parse_args()

-  # Script shouldn't be invoked without both arguments, but just in case.
-  if not args.dict and not args.libfuzzer_options:
+  # Script shouldn't be invoked without any arguments, but just in case.
+  if not (args.dict or args.libfuzzer_options or args.environment_variables):
    return

-  config_path = args.config
-  # Generate .options file.
-  with open(config_path, 'w') as options_file:
-    options_file.write(CONFIG_HEADER)
+  config = ConfigParser.ConfigParser()
+  libfuzzer_options = []
+  if args.dict:
+      libfuzzer_options.append(('dict', os.path.basename(args.dict)))
+  libfuzzer_options.extend(option.split('=')
+                           for option in args.libfuzzer_options)

-    # Dict will be copied into build directory, need only basename for config.
-    if args.dict:
-      options_file.write('dict = %s\n' % os.path.basename(args.dict))
+  AddSectionOptions(config, 'libfuzzer', libfuzzer_options)
+  AddSectionOptions(config, 'env',
+                    [option.split('=') for option in args.environment_variables]
+  )

-    for option in args.libfuzzer_options:
-      options_file.write(option)
-      options_file.write('\n')
+  # Generate .options file.
+  config_path = args.config
+  with open(config_path, 'w') as options_file:
+    options_file.write(
+        '# This is an automatically generated config for ClusterFuzz.\n')
+    config.write(options_file)

 if __name__ == '__main__':
  main()