Fuzzing the FIDL host tools

Some notes on fuzzing the tools/fidl parser using afl-fuzz.

Build afl-fuzz

Download and build it, then:

export AFL_PATH=~/src/afl-2.41b/

with whatever path you downloaded and built it with.

Patch the parser to not trap on invalid syntax

afl-fuzz treats crashes as interesting but the parser currently calls __builtin_trap() when it encounters invalid syntax. Remove that line in parser.h - its in the Parser::Fail() method.

Build the fidl tool with afl-fuzz's instrumentation

Clear any existing build and then build with the afl-fuzz compiler wrappers.

rm -fr build-x86
PATH=$PWD/prebuilt/downloads/clang+llvm-x86_64-linux/bin/:$PATH:$AFL_PATH make \
  build-x86/tools/fidl HOST_TOOLCHAIN_PREFIX=afl-

adjusting if you're not building on x86 Linux, etc.

Run the fuzzer

The parser includes some examples to use as inputs. As FIDL becomes adopted we can expand our inputs to include all of the different protocols declared across our tree, but for now we use what's in tools/fidl/examples.

$AFL_PATH/afl-fuzz -i tools/fidl/examples -o fidl-fuzz-out build-x86/tools/fidl dump '@@'


Running against the source from early May 2017, there were no crashes or hangs after two days of fuzzing on a fairly fast machine. It ran over 300 million executions.