From 71feb670f90deec2548891e389b73dc5bfde3982 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Thu, 12 Jan 2023 17:30:50 +0100
Subject: [PATCH] new afl++ token/libafl experiment (#1608)

hopefully fuzzbench is not throwing up again :)
---
 .github/workflows/fuzzers.yml | 1 +
 fuzzers/aflplusplus/builder.Dockerfile | 2 +-
 fuzzers/aflplusplus_tokens/builder.Dockerfile | 2 +-
 .../builder.Dockerfile | 70 +++++++++++++++++++
 .../aflplusplus_tokens_only/description.md | 13 ++++
 fuzzers/aflplusplus_tokens_only/fuzzer.py | 45 ++++++++++++
 .../aflplusplus_tokens_only/runner.Dockerfile | 23 ++++++
 service/experiment-requests.yaml | 7 ++
 8 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 fuzzers/aflplusplus_tokens_only/builder.Dockerfile
 create mode 100644 fuzzers/aflplusplus_tokens_only/description.md
 create mode 100755 fuzzers/aflplusplus_tokens_only/fuzzer.py
 create mode 100644 fuzzers/aflplusplus_tokens_only/runner.Dockerfile

diff --git a/.github/workflows/fuzzers.yml b/.github/workflows/fuzzers.yml
index d6cf1aa1f..3167cc9c4 100644
--- a/.github/workflows/fuzzers.yml
+++ b/.github/workflows/fuzzers.yml
@@ -56,6 +56,7 @@ jobs:
           # - afl_2_52_b
           - aflplusplus_cmplog
           - aflplusplus_tokens
+          - aflplusplus_tokens_only
           # - afl_random_favored
           # - entropic_execute_final
           # - libfuzzer_exeute_final
diff --git a/fuzzers/aflplusplus/builder.Dockerfile b/fuzzers/aflplusplus/builder.Dockerfile
index 9aa0e429c..f6642174b 100644
--- a/fuzzers/aflplusplus/builder.Dockerfile
+++ b/fuzzers/aflplusplus/builder.Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && \
 RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
 
 # Checkout a current commit
-RUN cd /afl && git checkout 35f09e11a4373b0fb42c690d23127c144f72f73c
+RUN cd /afl && git checkout e4ff0ebd56d8076abd2413ebfaeb7b5e6c07bc3a
 
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_tokens/builder.Dockerfile b/fuzzers/aflplusplus_tokens/builder.Dockerfile
index fcfc8aba8..324f41005 100644
--- a/fuzzers/aflplusplus_tokens/builder.Dockerfile
+++ b/fuzzers/aflplusplus_tokens/builder.Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && \
 RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
 
 # Checkout a current commit
-RUN cd /afl && git checkout 35f09e11a4373b0fb42c690d23127c144f72f73c
+RUN cd /afl && git checkout e4ff0ebd56d8076abd2413ebfaeb7b5e6c07bc3a
 
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
diff --git a/fuzzers/aflplusplus_tokens_only/builder.Dockerfile b/fuzzers/aflplusplus_tokens_only/builder.Dockerfile
new file mode 100644
index 000000000..324f41005
--- /dev/null
+++ b/fuzzers/aflplusplus_tokens_only/builder.Dockerfile
@@ -0,0 +1,70 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+    apt-get install -y \
+        build-essential \
+        python3-dev \
+        python3-setuptools \
+        automake \
+        cmake \
+        git \
+        flex \
+        bison \
+        libglib2.0-dev \
+        libpixman-1-dev \
+        cargo \
+        libgtk-3-dev \
+        # for QEMU mode
+        ninja-build \
+        gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++.
+RUN git clone https://github.com/AFLplusplus/AFLplusplus /afl
+
+# Checkout a current commit
+RUN cd /afl && git checkout e4ff0ebd56d8076abd2413ebfaeb7b5e6c07bc3a
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+    unset CFLAGS CXXFLAGS && \
+    export CC=clang AFL_NO_X86=1 && \
+    PYTHON_INCLUDE=/ make && \
+    make install && \
+    cp utils/aflpp_driver/libAFLDriver.a /
+
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+    sh /rustup.sh -y
+
+RUN apt-get remove -y llvm-10 && \
+    apt-get install -y \
+        build-essential \
+        llvm-11 \
+        clang-12 \
+        cargo && \
+    apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+        libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+        apt-utils apt-transport-https ca-certificates joe curl && \
+    PATH="/root/.cargo/bin/:$PATH" cargo install cargo-make
+
+RUN cd /afl/custom_mutators/libafl_base && \
+    unset CFLAGS CXXFLAGS && \
+    export PATH="/root/.cargo/bin/:$PATH" && \
+    make && \
+    cp -f libafl_base.so /
diff --git a/fuzzers/aflplusplus_tokens_only/description.md b/fuzzers/aflplusplus_tokens_only/description.md
new file mode 100644
index 000000000..445a27663
--- /dev/null
+++ b/fuzzers/aflplusplus_tokens_only/description.md
@@ -0,0 +1,13 @@
+# aflplusplus
+
+AFL++ fuzzer instance that has the following config active for all benchmarks:
+  - PCGUARD instrumentation
+  - cmplog feature
+  - "fast" power schedule
+  - persistent mode + shared memory test cases
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/aflplusplus_tokens_only/fuzzer.py b/fuzzers/aflplusplus_tokens_only/fuzzer.py
new file mode 100755
index 000000000..1e48fa6a8
--- /dev/null
+++ b/fuzzers/aflplusplus_tokens_only/fuzzer.py
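Review bot: The rustup installer and cargo-make are fetched unpinned in the two RUN steps after the afl++ build, so the Rust toolchain that compiles libafl_base.so can differ between image builds even though the afl++ tree itself is pinned to e4ff0ebd56d8076abd2413ebfaeb7b5e6c07bc3a; pinning them, e.g. `sh /rustup.sh -y --default-toolchain <PINNED_RUST_VERSION>` and `cargo install cargo-make --version <PINNED_CARGO_MAKE_VERSION>`, keeps the experiment reproducible and narrows what an upstream change in those downloads can alter. This file is byte-identical to fuzzers/aflplusplus_tokens/builder.Dockerfile (both resolve to blob 324f41005), so the pinned afl++ commit now lives in two places that have to be bumped together, as this commit already does; a one-line comment such as `# Kept in sync with fuzzers/aflplusplus_tokens/builder.Dockerfile` would help the next bump. The afl++ tree is built with `CC=clang` before `apt-get remove -y llvm-10` and the llvm-11/clang-12 install, so the custom mutator is presumably compiled against a different toolchain than the fuzzer binary; if that is intentional, a comment on the `apt-get remove` step saying so would spare a reader the question.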
@@ -0,0 +1,45 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for AFLplusplus fuzzer."""
+
+# This optimized afl++ variant should always be run together with
+# "aflplusplus" to show the difference - a default configured afl++ vs.
+# a hand-crafted optimized one. afl++ is configured not to enable the good
+# stuff by default to be as close to vanilla afl as possible.
+# But this means that the good stuff is hidden away in this benchmark
+# otherwise.
+
+import os
+import shutil
+
+from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
+
+
+def build():  # pylint: disable=too-many-branches,too-many-statements
+    """Build benchmark."""
+    aflplusplus_fuzzer.build('tracepc', 'cmplog')
+    shutil.copy('/libafl_base.so', os.environ['OUT'])
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+    """Run fuzzer."""
+    run_options = ['-l', '2']
+    libpath = os.environ['OUT'] + '/libafl_base.so'
+    os.environ['AFL_CUSTOM_MUTATOR_LIBRARY'] = libpath
+    os.environ['AFL_CUSTOM_MUTATOR_ONLY'] = '1'
+
+    aflplusplus_fuzzer.fuzz(input_corpus,
+                            output_corpus,
+                            target_binary,
+                            flags=(run_options))
diff --git a/fuzzers/aflplusplus_tokens_only/runner.Dockerfile b/fuzzers/aflplusplus_tokens_only/runner.Dockerfile
new file mode 100644
index 000000000..7aa1da8e4
--- /dev/null
+++ b/fuzzers/aflplusplus_tokens_only/runner.Dockerfile
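Review bot: The comment block above the imports and the `# pylint: disable=too-many-branches,too-many-statements` on `build()` look copied from another variant and no longer describe this file: the comment talks about a hand-crafted "optimized" afl++ configuration, while the setting that actually distinguishes this fuzzer is `AFL_CUSTOM_MUTATOR_ONLY=1`, which makes afl-fuzz rely solely on the libafl_base custom mutator, and the two-statement `build()` needs no pylint suppression. A header that matches the code would be `# Builds like aflplusplus (tracepc + cmplog) and ships libafl_base.so; AFL_CUSTOM_MUTATOR_ONLY=1 makes afl-fuzz use only that custom mutator, so compare results against aflplusplus_tokens and aflplusplus.` In `fuzz()`, `libpath = os.path.join(os.environ['OUT'], 'libafl_base.so')` is the conventional form of the path concatenation and `flags=run_options` drops the redundant parentheses. Nothing in the file says what `['-l', '2']` selects, so a short comment on that line would help the next reader.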
@@ -0,0 +1,23 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/service/experiment-requests.yaml b/service/experiment-requests.yaml
index 3680bd5f6..27d1f2187 100644
--- a/service/experiment-requests.yaml
+++ b/service/experiment-requests.yaml
@@ -20,6 +20,13 @@
 # Please add new experiment requests towards the top of this file.
 #
 
+- experiment: 2023-01-12-aflpp
+  description: "afl++ tokens + libafl test."
+  fuzzers:
+    - aflplusplus_tokens_only
+    - aflplusplus_tokens
+    - aflplusplus
+
 - experiment: 2023-01-05-libafl
   description: "Test the LibAFL forkserver"
   type: bug
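Review bot: `#ENV AFL_MAP_SIZE=2621440` is commented-out configuration with no explanation, which leaves the next reader guessing whether it was disabled deliberately or by accident; either drop the line or replace it with a comment that states the decision, e.g. `# AFL_MAP_SIZE deliberately left unset: <REASON>`. The remaining ENV lines are plain runtime settings and carry no comment beyond the one about interactive docker runs, so a one-line note on what `AFL_TESTCACHE_SIZE=2` is tuned for would also be welcome.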