Add plugins feature

[brunoproduit]

This PR activates full cmplog by compiling the afl++ llvm plugins and linking them into the target binaries.
This is activated via an added features "cmplog" as it needs nightly and llvm tools. It is not activated by default.

This fixes #323 .

[brunoproduit]

Pipelines seems to break at afl system-config and should probably be running cargo install --path . beforehand

[smoelius]

Thank you very much for this PR.

It's probably going to take a few rounds of review for me to understand all of what has changed, so please be patient with me.

I will start on this soon.

[smoelius]

Thanks a lot for doing this. I like the approach of using a Cargo feature.

Again, I may need to look at this a few times. So thanks in advance for your patience.

[smoelius]

Suggested change

	let slice = &data[16..27];
	let slice = &data[16..];

I think the 27 version could panic(?), because data is only checked to be of length >= 24.

[brunoproduit]

Changed in last commit

[smoelius]

Was the use of git submodule init added just as a convenience? Or is the answer more complicated than that?

I'm not 100% certain, but I think think will break when others try to download this from crates.io. As I learned recently, when you publish to crates.io, cargo takes a snapshot of the submodule directory, and then the fact that it is a submodule is forgotten.

Also, it looks like a bunch of code was deleted, e.g., code related to building on docs.rs. Was that intentional?

[brunoproduit]

See my other comment on line 99

[smoelius]

Would this work?

    format!("llvm-config-{llvm_version}")

[brunoproduit]

Changed in the last commit

[smoelius]

Note to self to revisit this.

[smoelius]

Shouldn't these be guarded by the cmplog feature?

If that's correct, then I would set these in the same if block above where the -Z flags were added.

[brunoproduit]

Splitted this into a Hashmap to be included in the cmplog feature, let me know if that's more adequate

[brunoproduit]

Thanks a lot for the review! I'll take a look at it next week and make the requested changes

[vanhauser-thc]

Some context why this is something someone would want: it allows solving eg

                let slice16 = &data[20..36];
                let if_u128 = u128::from_le_bytes(slice16.try_into().unwrap());
                if secret_u128 != if_u128 { return; }

Plus the string matching you see added in the example plus floating point solving - all things that libfuzzer and honggfuzz can’t do.

[brunoproduit]

Did a first round of fixes for most of the conversations, let me know if I missed something. Could you take another look?

[smoelius]

Can this logic be moved inside build_afl (since llvm_config is not needed elsewhere)?

[brunoproduit]

Done in the latest commit

[smoelius]

It still appears to me that a bunch of logic was removed from this function:

afl.rs/build.rs

Lines 17 to 51 in 777a97b

	let installing = home::cargo_home()
	.map(|path| Path::new(env!("CARGO_MANIFEST_DIR")).starts_with(path))
	.unwrap();
	let out_dir = env::var("OUT_DIR").unwrap();
	// smoelius: Build AFLplusplus in a temporary directory when installing or when building on docs.rs.
	let work_dir = if installing || env::var("DOCS_RS").is_ok() {
	let tempdir = tempfile::tempdir_in(&out_dir).unwrap();
	if Path::new(AFL_SRC_PATH).join(".git").is_dir() {
	let status = Command::new("git")
	.args(["clone", AFL_SRC_PATH, &*tempdir.path().to_string_lossy()])
	.status()
	.expect("could not run 'git'");
	assert!(status.success());
	} else {
	fs_extra::dir::copy(
	AFL_SRC_PATH,
	tempdir.path(),
	&fs_extra::dir::CopyOptions {
	content_only: true,
	..Default::default()
	},
	)
	.unwrap();
	}
	tempdir.into_path()
	} else {
	PathBuf::from(AFL_SRC_PATH)
	};
	let base = if env::var("DOCS_RS").is_ok() {
	Some(PathBuf::from(out_dir))
	} else {
	None
	};

I assume that was a mistake. Could you please re-add it?

[brunoproduit]

This was initially because of the compilation errors we had and discussed before, all these have been reverted to the master branch's way. Done in the latest commit.

[smoelius]

and with the good version

What does this comment refer to? It suggests the output of llvm-config --version should be checked. Is that missing?

[smoelius]

It looks like this use of ar was copied from build_afl_llvm_runtime by mistake?

[brunoproduit]

Indeed, good catch, removed

[smoelius]

This code appears nearly verbatim in build.rs. I think it is fine to perform these checks in just build.rs.

[brunoproduit]

As you prefer, we wanted to make sure that the environment is the same when using it, let me remove that. I'll also put it in the build.rs instead of common.rs in that case

[smoelius]

Suggested change

	fn build_afl_llvm_plugins(work_dir: &Path, base: Option<&Path>) {
	fn copy_afl_llvm_plugins(work_dir: &Path, base: Option<&Path>) {

Nit, since the pluigns were actually built in build_afl.

[brunoproduit]

Done in the latest commit

[smoelius]

Suggested change

	"
	"

Nit.

[brunoproduit]

Done in the latest commit

[smoelius]

Thanks for your continued patience, @brunoproduit.

[brunoproduit]

No problem! @smoelius If you could take yet another look, I should have resolved all the new conversations

[smoelius]

I'm likely going to request more changes, but I want to be sure this is going to work in CI.

So, I'm going to push to your branch. But I won't touch any files that you've modified. Ok?

[smoelius]

I need to find the right syntax for the GitHub matrix and macOS's sed. I'll get back to this soon.

[smoelius]

When I brew install llvm@17 on a Mac, I get an llvm-config but not an llvm-config-17.

Mac is a platform that we support, and I expect many Mac users will install llvm with Homebrew.

Could you please adjust the build script so that llvm-config-17 is not required (at least not on macOS)?

[brunoproduit]

We do need to check that the major version matches the rustc llvm version, else it won't work. I'll set an if that sets LLVM_CONFIG to "llvm-config" on Mac and check that the major version corresponds (by catching the output of the --version). later this week if that works for you

[smoelius]

I'll set an if that sets LLVM_CONFIG to "llvm-config" on Mac and check that the major version corresponds (by catching the output of the --version). later this week if that works for you

That sounds perfect. Thank you!

[brunoproduit]

Did the change and refactored a bit around it. Also it now only sets LLVM_CONFIG if cmplog is activated

[smoelius]

I'm going to push more changes to rust.yml, but I will stay out of your code.

[vanhauser-thc]

btw I added support for two advanced features:

• dict2file: generates a valid dictionary on the fly during compilation (needs AFL_LLVM_DICT2FILE=/file/to/create.txt set), this has shown on fuzzbench to be a major improvement to unlock coverage
• selective coverage: only instrument for fuzzing specific functions or files for fuzzing - or specifically not instrument for fuzzing.

also in tests I see that using the AFL++ instrumentation module vs. the llvm sancov creates a x2 speed increase (without any drawbacks and an even better coverage gathering).

[smoelius]

@brunoproduit I'm pushing to your branch to get the fix for AFLplusplus/AFLplusplus#1898.

[brunoproduit]

Should we change the feature name to something else now that this activates more than cmplog?
What about something like "llvm-afl-plugins"?

[smoelius]

Should we change the feature name to something else now that this activates more than cmplog? What about something like "llvm-afl-plugins"?

Oh, I didn't make that connection.

What is the full list of "features"? (I'm wondering if it would make sense to enable them independently.)

---

Separately, I am trying to diagnose why the shared libraries cannot be loaded on macOS (see here). From what I can tell, it's not a path problem, i.e., I expect that /Users/runner/.../cmplog-instructions-pass.so exists, as I observe the same failure locally.

Please share if you know what the cause could be.

[brunoproduit]

Features are

• Cmplog
• dict2file
• partial instrumentation
• Faster fuzzing due to the AFL++ instrumentation module instead of the llvm sancov

IMO, we shouldn't separate as they all have the same requirements. Either you want to add addons from AFL, or not.
The only thing is you need nightly and LLVM, which is why a feature is nice.

Haven't had time to take a look at the macos issue yet, sorry

[smoelius]

Features are

• Cmplog
• dict2file
• partial instrumentation
• Faster fuzzing due to the AFL++ instrumentation module instead of the llvm sancov

Thanks.

IMO, we shouldn't separate as they all have the same requirements. Either you want to add addons from AFL, or not. The only thing is you need nightly and LLVM, which is why a feature is nice.

I'm not sure I agree, but we don't have to decide this now. I agree that "llvm-afl-plugins" would be a better feature name.

[vanhauser-thc]

Can we please shorten the flag to “plugins”? Imho it is too long otherwise

[smoelius]

Can we please shorten the flag to “plugins”? Imho it is too long otherwise

That works for me.

[smoelius]

Separately, I am trying to diagnose why the shared libraries cannot be loaded on macOS (see here). From what I can tell, it's not a path problem, i.e., I expect that /Users/runner/.../cmplog-instructions-pass.so exists, as I observe the same failure locally.

This is the error I get locally:

Could not load library '/Users/[snip]/cmplog-instructions-pass.so': dlopen(/Users/[snip]/cmplog-instructions-pass.so, 0x0009): symbol not found in flat namespace '__ZN4llvm17PreservedAnalyses14AllAnalysesKeyE'

[smoelius]

@vanhauser-thc Can I ask why AFLplusplus's macos-latest tests are disabled?

[vanhauser-thc]

@vanhauser-thc Can I ask why AFLplusplus's macos-latest tests are disabled?

Because there are often unpredictable changes. Eg Apple change how to preload libraries and supporting this would be quite an effort. Or the he crippled Xcode clang. And brew llvm also changes from time to time how it behaves. Finally GitHub’s mac container also changes sometimes where otherwise it works perfectly on my Mac mini.
So making the CI work is quite an effort.
I am not a Mac user and few people fuzz on Mac (bad performance of clone for example) hence I rather fix stuff it I get a report something is not working.

[smoelius]

In GNUmakefile.llvm, if I change this line:

  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress

to this one:

  CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress `$(LLVM_CONFIG) --libs`

I get a different error:

Assertion failed: (AnalysisPasses.count(PassT::ID()) && "This analysis pass was not registered prior to being queried"), function getResult, file PassManager.h, line 776.

Does this mean anything to you? @brunoproduit @vanhauser-thc

[vanhauser-thc]

MacOS is difficult. brew needs to install the right llvm version, there all the time changes in brew and Mac - for me as a non-user of MacOS it is very difficult to be on top of this.
Hence there is no full MacOS support for AFL++ and only act on things if people report issues.

I would simply propose to not support the plugin feature for MacOS, someone can do it by hand if they want to,.
Handling all the CI failures that will creep up again and again over the time is not worth it IMHO

[vanhauser-thc]

@smoelius please note that I changed the output of the --version command. IHMO it is important to see if afl.rs was compiled normal or with the plugins feature. if you want it to look different, just edit away or tell me how else you would like it :)

[smoelius]

I think once these changes are made, this should be mergeable.

[smoelius]

Suggested change

	let help = "In addition to the subcommands above, Cargo subcommands are also \
	const HELP: &str = "In addition to the subcommands above, Cargo subcommands are also \

And then change help to HELP below. That should make Clippy happy.

[brunoproduit]

Handled in https://github.com/brunoproduit/afl.rs/commit/a6716abf6d03e946b3b95b818ead35e31bcb2dc6

[smoelius]

Suggested change

	const VERSION: &'static str = if cfg!(feature = "plugins") {
	const VERSION: &str = if cfg!(feature = "plugins") {

Again, make Clippy happy.

[brunoproduit]

Handled in https://github.com/brunoproduit/afl.rs/commit/a6716abf6d03e946b3b95b818ead35e31bcb2dc6

[smoelius]

Rather than create a hash table, please move this if-statement below and modify command directly. Something like:

    if cfg!(feature = "plugins") {
        let llvm_config = check_llvm_and_get_config();
        command.env("LLVM_CONFIG", llvm_config);
    }

[brunoproduit]

Handled in https://github.com/brunoproduit/afl.rs/commit/a6716abf6d03e946b3b95b818ead35e31bcb2dc6

[smoelius]

Suggested change

	.expect("could not run 'make clean, make install'");
	.expect("could not run 'make clean install'");

Nit. Technically, it's one command.

[brunoproduit]

Handled in https://github.com/brunoproduit/afl.rs/commit/a6716abf6d03e946b3b95b818ead35e31bcb2dc6

[smoelius]

These are all of the .so files that are built, correct? Would it make sense to loop over all of the files using read_dir, and then copy those with an so extension? Or, is there a good argument for listing the files explicitly?

[brunoproduit]

The idea was to fix those for readability and future-proofing, like if we want to exclude certain so's in the future. I changed this in the last commit

[smoelius]

Suggested change

	concat_str!(env!("CARGO_PKG_VERSION"), " [feature=plugins]")
	concat!(env!("CARGO_PKG_VERSION"), " [feature=plugins]")

And remove the concat_str macro above.

[brunoproduit]

fixed in the last commit

[smoelius]

Suggested change

let mut environment_variables = HashMap::<String, String>::new();

See comment just below this one.

[brunoproduit]

fixed in the last commit

[smoelius]

Please set these directly on command (like before).

[brunoproduit]

fixed in the last commit

[smoelius]

Suggested change

	let mut environment_variables = HashMap::<String, String>::new();
	let mut environment_variables = HashMap::<&str, String>::new();

I think all of the keys are strs, so this should work. Note that the inserts below will need to be adjusted.

[brunoproduit]

fixed in the last commit

[brunoproduit]

Applied the requested changes in the last commit, could take a look @smoelius ?

[smoelius]

@brunoproduit Could you please resolve the conflicts?

If it's easiest, you can squash all of the commits down to one. (I would like to squash before rebasing anyway.)

[brunoproduit]

@smoelius done, you can go ahead and merge/squash it

[smoelius]

Thank you, @brunoproduit.

[smoelius]

@vanhauser-thc @brunoproduit #421 impacts the feature introduced by this PR.

Could I impose on one or both of you try #421, and let me know if there are any suprises?

[brunoproduit]

I'll try it out this week, I like the idea

[jberryman]

dict2file: generates a valid dictionary on the fly during compilation (needs AFL_LLVM_DICT2FILE=/file/to/create.txt set), this has shown on fuzzbench to be a major improvement to unlock coverage
selective coverage: only instrument for fuzzing specific functions or files for fuzzing - or specifically not instrument for fuzzing.

it would be super helpful if this stuff was in the README or somewhere prominent.

[kevin-valerio]

Separately, I am trying to diagnose why the shared libraries cannot be loaded on macOS (see here). From what I can tell, it's not a path problem, i.e., I expect that /Users/runner/.../cmplog-instructions-pass.so exists, as I observe the same failure locally.

This is the error I get locally:

Could not load library '/Users/[snip]/cmplog-instructions-pass.so': dlopen(/Users/[snip]/cmplog-instructions-pass.so, 0x0009): symbol not found in flat namespace '__ZN4llvm17PreservedAnalyses14AllAnalysesKeyE'

Hey. I'm having the same error here. How did you fix it, do you remember ?

[smoelius]

@kevin-valerio I never was able to resolve this issue. (See #392 (comment).) That is why plugins are not tested on macOS in CI:

afl.rs/.github/workflows/rust.yml

Lines 38 to 39 in 425b419

	- environment: macos-latest
	plugins: true

I just checked and I still experience the issue. FWIW, I would love to have help with this.

[vanhauser-thc]

Are you sure the plugins are compiled with the correct clang from brew? Xcode clang is crippled and the brew llvm version must match the version rust is based on (currently 18)

[kevin-valerio]

Are you sure the plugins are compiled with the correct clang from brew? Xcode clang is crippled and the brew llvm version must match the version rust is based on (currently 18)

❯ rustc --version --verbose
rustc 1.81.0-nightly (6b0f4b5ec 2024-06-24)
LLVM version: 18.1.7

❯ brew info llvm
==> llvm: stable 18.1.7 (bottled), HEAD [keg-only]

❯ which clang
/opt/homebrew/opt/llvm/bin/clang

❯ which llvm-ar
/opt/homebrew/opt/llvm/bin/llvm-ar

Everything seem to match for me unfortunately

[vanhauser-thc]

Then likely brew updated llvm to a slightly newer minor revision at a later point so you need to recompile the plugins …

cargo afl config —plugins —force

[vanhauser-thc]

Another possibility is that brew llvm and macOS rustc llvm are compiled very differently and the plugins are incompatible. You could experiment switching to a different nightly