Switch to Clang 6.0's fuzzer support.
With Clang 6.0, libFuzzer is now included and there's a new
-fsanitize=fuzzer command to enable the needed compiler actions.
Change-Id: If8c0d649f494655c5bb1e55ebdbf39450940c75b
Reviewed-on: https://boringssl-review.googlesource.com/31324
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4eb0d0d..b9e0101 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -206,6 +206,10 @@
message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
endif()
+ if(CMAKE_C_COMPILER_VERSION VERSION_LESS "6.0.0")
+ message(FATAL_ERROR "You need Clang ≥ 6.0.0")
+ endif()
+
add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE)
set(RUNNER_ARGS "-deterministic")
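Review bot: the new `if(CMAKE_C_COMPILER_VERSION VERSION_LESS "6.0.0")` gate only inspects the C compiler, yet the `-fsanitize=fuzzer-no-link` flags in the next hunk are added to both `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS`, and the fuzzers themselves are C++ targets linked with `-fsanitize=fuzzer`. A `CXX` older than 6.0 paired with a newer `CC` passes this check and then fails with an unknown-sanitizer error at compile or link time; checking `CMAKE_CXX_COMPILER_VERSION` as well would catch that up front. Also consider spelling the message as `"You need Clang >= 6.0.0"`: the surrounding `FATAL_ERROR` messages are plain ASCII, and a `≥` is easy to mangle in terminals and logs.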
@@ -214,10 +218,8 @@
set(RUNNER_ARGS ${RUNNER_ARGS} "-fuzzer" "-shim-config" "fuzzer_mode.json")
endif()
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address")
- link_directories(.)
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address,fuzzer-no-link -fsanitize-coverage=edge,indirect-calls")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address,fuzzer-no-link -fsanitize-coverage=edge,indirect-calls")
endif()
add_definitions(-DBORINGSSL_IMPLEMENTATION)
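Review bot: the `-fsanitize-coverage=edge,indirect-calls` kept on the two `set(CMAKE_C_FLAGS ...)` / `set(CMAKE_CXX_FLAGS ...)` lines looks redundant now, because `-fsanitize=fuzzer-no-link` itself turns on the coverage instrumentation libFuzzer expects (guard-based edge coverage, indirect-call tracking and comparison tracing, the last of which the old `trace-pc-guard` line did not enable). Either drop the explicit option or add a comment saying why it is still wanted, so the next reader does not assume it is load-bearing. It would also help to note in a comment that removing the `set(CMAKE_EXE_LINKER_FLAGS ... -fsanitize=address)` line is safe only because CMake forwards `CMAKE_CXX_FLAGS` to the link line, which is what still pulls in the ASan runtime.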
@@ -448,14 +450,6 @@
add_subdirectory(decrepit)
if(FUZZ)
- if(LIBFUZZER_FROM_DEPS)
- file(GLOB LIBFUZZER_SOURCES "util/bot/libFuzzer/*.cpp")
- add_library(Fuzzer STATIC ${LIBFUZZER_SOURCES})
- # libFuzzer does not pass our aggressive warnings. It also must be built
- # without -fsanitize-coverage options or clang crashes.
- set_target_properties(Fuzzer PROPERTIES COMPILE_FLAGS "-Wno-shadow -Wno-format-nonliteral -Wno-missing-prototypes -fsanitize-coverage=0")
- endif()
-
add_subdirectory(fuzz)
endif()
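Review bot: deleting the `if(LIBFUZZER_FROM_DEPS)` block leaves any remaining definition or use of `LIBFUZZER_FROM_DEPS` (an `option()` elsewhere in this file, or a `-DLIBFUZZER_FROM_DEPS=1` in the bot scripts) as a silent no-op; if one exists it should be removed in the same change. The `util/bot/libFuzzer` checkout that the deleted `file(GLOB LIBFUZZER_SOURCES "util/bot/libFuzzer/*.cpp")` pointed at can likewise be dropped from the bot's DEPS, since nothing references it any more.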
diff --git a/FUZZING.md b/FUZZING.md
index 60457c6..200f7a5 100644
--- a/FUZZING.md
+++ b/FUZZING.md
@@ -2,23 +2,17 @@
Modern fuzz testers are very effective and we wish to use them to ensure that no silly bugs creep into BoringSSL.
-We primarily use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing and there are a number of fuzz testing functions in `fuzz/`. They are not built by default because they require libFuzzer at build time.
+We use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing and there are a number of fuzz testing functions in `fuzz/`. They are not built by default because they require that the rest of BoringSSL be built with some changes that make fuzzing much more effective, but are completely unsafe for real use.
-In order to build the fuzz tests you will need at least Clang 3.7. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this:
+In order to build the fuzz tests you will need at least Clang 6.0. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this:
```
+mkdir build
+cd build
CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ..
+ninja
```
-In order for the fuzz tests to link, the linker needs to find libFuzzer. This is not commonly provided and you may need to download the [Clang source code](http://llvm.org/releases/download.html) and do the following:
-
-```
-svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
-clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
-ar ruv libFuzzer.a Fuzzer*.o
-```
-
-Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
From the `build/` directory, you can then run the fuzzers. For example:
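Review bot: the rewritten text removes the old "download and build libFuzzer yourself" instructions but never says why they are gone, so the jump from "at least Clang 3.7" to "at least Clang 6.0" reads as arbitrary. One sentence after `In order to build the fuzz tests you will need at least Clang 6.0.` stating that Clang 6.0 ships libFuzzer and links it automatically via `-fsanitize=fuzzer` would make the version floor self-explanatory. Minor: the new `mkdir build` / `cd build` lines assume `build/` does not exist yet; the following sentence (`From the `build/` directory, you can then run the fuzzers.`) is consistent with that, so this is fine, but the fence could carry a `sh` tag for readers' copy-paste highlighting.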
@@ -32,6 +26,7 @@
| Test | `max_len` value |
|---------------|-----------------|
+| `bn_mod_exp` | 4096 |
| `cert` | 10000 |
| `client` | 20000 |
| `pkcs8` | 2048 |
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index a269696..b7dbd6b 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -2,44 +2,22 @@
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-missing-prototypes")
-add_executable(bn_mod_exp bn_mod_exp.cc)
-target_link_libraries(bn_mod_exp Fuzzer crypto)
+macro(fuzzer name)
+ add_executable(${name} ${name}.cc)
+ target_link_libraries(${name} crypto ${ARGN})
+ set_target_properties(${name} PROPERTIES LINK_FLAGS "-fsanitize=fuzzer")
+endmacro()
-add_executable(bn_div bn_div.cc)
-target_link_libraries(bn_div Fuzzer crypto)
-
-add_executable(privkey privkey.cc)
-target_link_libraries(privkey Fuzzer crypto)
-
-add_executable(cert cert.cc)
-target_link_libraries(cert Fuzzer crypto)
-
-add_executable(spki spki.cc)
-target_link_libraries(spki Fuzzer crypto)
-
-add_executable(pkcs8 pkcs8.cc)
-target_link_libraries(pkcs8 Fuzzer crypto)
-
-add_executable(pkcs12 pkcs12.cc)
-target_link_libraries(pkcs12 Fuzzer crypto)
-
-add_executable(server server.cc)
-target_link_libraries(server Fuzzer crypto ssl)
-
-add_executable(client client.cc)
-target_link_libraries(client Fuzzer crypto ssl)
-
-add_executable(dtls_server dtls_server.cc)
-target_link_libraries(dtls_server Fuzzer crypto ssl)
-
-add_executable(dtls_client dtls_client.cc)
-target_link_libraries(dtls_client Fuzzer crypto ssl)
-
-add_executable(read_pem read_pem.cc)
-target_link_libraries(read_pem Fuzzer crypto)
-
-add_executable(ssl_ctx_api ssl_ctx_api.cc)
-target_link_libraries(ssl_ctx_api Fuzzer crypto ssl)
-
-add_executable(session session.cc)
-target_link_libraries(session Fuzzer crypto ssl)
+fuzzer(bn_mod_exp)
+fuzzer(privkey)
+fuzzer(cert)
+fuzzer(spki)
+fuzzer(pkcs8)
+fuzzer(pkcs12)
+fuzzer(read_pem)
+fuzzer(server ssl)
+fuzzer(client ssl)
+fuzzer(dtls_server ssl)
+fuzzer(dtls_client ssl)
+fuzzer(ssl_ctx_api ssl)
+fuzzer(session ssl)
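Review bot: `bn_div` is removed (`add_executable(bn_div bn_div.cc)` / `target_link_libraries(bn_div Fuzzer crypto)`) but no `fuzzer(bn_div)` replaces it, so that fuzzer silently stops being built; if `fuzz/bn_div.cc` still exists it should be added back, and if dropping it is intentional the commit message should say so. Separately, `set_target_properties(${name} PROPERTIES LINK_FLAGS "-fsanitize=fuzzer")` overwrites rather than appends `LINK_FLAGS`; harmless for targets the macro has just created, but appending, or passing `-fsanitize=fuzzer` via `target_link_libraries`, would be more robust if the macro is ever applied to a target that already has link flags.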