Add builder and tests for QASAN (#2898)

* Add tests for QASAN from aflplusplus

* refactor asan module to use the builder pattern

* move injection tests to the new tests directory

Author: rmalmain

fuzzers/binary_only/qemu_launcher/Makefile.toml

@@ -1,3 +1,14 @@
+env_scripts = ['''
+#!@duckscript
+profile = get_env PROFILE
+
+if eq ${profile} "dev"
+    set_env PROFILE_DIR debug
+else
+    set_env PROFILE_DIR ${profile}
+end
+''']
+
 [env]
 PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
 PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
@@ -360,21 +371,11 @@ windows_alias = "unsupported"
 script_runner = "@shell"
 script = '''
 echo "Profile: ${PROFILE}"
-cd injection_test || exit 1
-make
-mkdir in || true
-echo aaaaaaaaaa > in/a
-timeout 10s "$(find ${TARGET_DIR} -name 'qemu_launcher')" -o out -i in -j ../injections.toml -v -- ./static >/dev/null 2>fuzz.log || true
-if [ -z "$(grep -Ei "found.*injection" fuzz.log)" ]; then
-    echo "Fuzzer does not generate any testcases or any crashes"
-    echo "Logs:"
-    cat fuzz.log
-    exit 1
-else
-    echo "Fuzzer is working"
-fi
-make clean
-#rm -rf in out fuzz.log || true
+
+export QEMU_LAUNCHER=${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher
+
+./tests/injection/test.sh || exit 1
+./tests/qasan/test.sh || exit 1
 '''
 dependencies = ["build_unix"]
 

fuzzers/binary_only/qemu_launcher/src/client.rs

@@ -94,6 +94,8 @@ impl Client<'_> {
 
         let is_cmplog = self.options.is_cmplog_core(core_id);
 
+        let is_drcov = self.options.drcov.is_some();
+
         let extra_tokens = if cfg!(feature = "injections") {
             injection_module
                 .as_ref()
@@ -109,32 +111,58 @@ impl Client<'_> {
             .client_description(client_description)
             .extra_tokens(extra_tokens);
 
-        if self.options.rerun_input.is_some() && self.options.drcov.is_some() {
-            // Special code path for re-running inputs with DrCov.
-            // TODO: Add ASan support, injection support
-            let drcov = self.options.drcov.as_ref().unwrap();
-            let drcov = DrCovModule::builder()
-                .filename(drcov.clone())
-                .full_trace(true)
-                .build();
-            instance_builder
-                .build()
-                .run(args, tuple_list!(drcov), state)
+        if self.options.rerun_input.is_some() {
+            if is_drcov {
+                // Special code path for re-running inputs with DrCov and Asan.
+                // TODO: Add injection support
+                let drcov = self.options.drcov.as_ref().unwrap();
+
+                if is_asan {
+                    let modules = tuple_list!(
+                        DrCovModule::builder()
+                            .filename(drcov.clone())
+                            .full_trace(true)
+                            .build(),
+                        unsafe { AsanModule::builder().env(&env).asan_report().build() }
+                    );
+
+                    instance_builder.build().run(args, modules, state)
+                } else {
+                    let modules = tuple_list!(DrCovModule::builder()
+                        .filename(drcov.clone())
+                        .full_trace(true)
+                        .build(),);
+
+                    instance_builder.build().run(args, modules, state)
+                }
+            } else if is_asan {
+                let modules =
+                    tuple_list!(unsafe { AsanModule::builder().env(&env).asan_report().build() });
+
+                instance_builder.build().run(args, modules, state)
+            } else {
+                let modules = tuple_list!();
+
+                instance_builder.build().run(args, modules, state)
+            }
         } else if is_asan && is_cmplog {
             if let Some(injection_module) = injection_module {
                 instance_builder.build().run(
                     args,
                     tuple_list!(
                         CmpLogModule::default(),
-                        AsanModule::default(&env),
+                        AsanModule::builder().env(&env).build(),
                         injection_module,
                     ),
                     state,
                 )
             } else {
                 instance_builder.build().run(
                     args,
-                    tuple_list!(CmpLogModule::default(), AsanModule::default(&env),),
+                    tuple_list!(
+                        CmpLogModule::default(),
+                        AsanModule::builder().env(&env).build()
+                    ),
                     state,
                 )
             }
@@ -160,13 +188,15 @@ impl Client<'_> {
             if let Some(injection_module) = injection_module {
                 instance_builder.build().run(
                     args,
-                    tuple_list!(AsanModule::default(&env), injection_module),
+                    tuple_list!(AsanModule::builder().env(&env).build(), injection_module),
                     state,
                 )
             } else {
-                instance_builder
-                    .build()
-                    .run(args, tuple_list!(AsanModule::default(&env),), state)
+                instance_builder.build().run(
+                    args,
+                    tuple_list!(AsanModule::builder().env(&env).build()),
+                    state,
+                )
             }
         } else if is_asan_guest {
             instance_builder

fuzzers/binary_only/qemu_launcher/injection_test/.gitignore renamed to fuzzers/binary_only/qemu_launcher/tests/injection/.gitignore

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+if [[ ! -x "$QEMU_LAUNCHER" ]]; then
+  echo "env variable QEMU_LAUNCHER does not point to a valid executable"
+  echo "QEMU_LAUNCHER should point to qemu_launcher location, but points to ${QEMU_LAUNCHER} instead."
+  exit 1
+fi
+
+cd "$SCRIPT_DIR"
+
+make
+
+mkdir in || true
+
+echo aaaaaaaaaa > in/a
+
+timeout 10s "$QEMU_LAUNCHER" -o out -i in -j ../../injections.toml -v -- ./static >/dev/null 2>fuzz.log || true
+if ! grep -Ei "found.*injection" fuzz.log; then
+    echo "Fuzzer does not generate any testcases or any crashes"
+    echo "Logs:"
+    cat fuzz.log
+    exit 1
+else
+    echo "Fuzzer is working"
+fi
+
+make clean

fuzzers/binary_only/qemu_launcher/injection_test/Makefile renamed to fuzzers/binary_only/qemu_launcher/tests/injection/Makefile

@@ -0,0 +1,7 @@
+all: qasan
+
+qasan: qasan.c
+	gcc qasan.c -o qasan
+
+clean:
+	rm -rf qasan out stats.txt

fuzzers/binary_only/qemu_launcher/injection_test/README.md renamed to fuzzers/binary_only/qemu_launcher/tests/injection/README.md

@@ -0,0 +1 @@
+D