authorArseny Kapoulkine <arseny.kapoulkine@gmail.com>2017-02-07 23:34:39 -0800
committerArseny Kapoulkine <arseny.kapoulkine@gmail.com>2017-02-09 07:36:32 -0800
commit00ef791078ec318f663b0cffdb18fd928394d591 (patch)
treed18bd84cec695fecbe5066bf2937cbcc5954a291
parente748f435e5481b5a44686486e8f467823688b2c0 (diff)
fuzz: Use libFuzzer instead of afl-fuzz
This allows us to have faster fuzz cycles since the fuzzer is in-process.
-rw-r--r--Makefile11
-rw-r--r--tests/fuzz_parse.cpp18
2 files changed, 15 insertions, 14 deletions
diff --git a/Makefile b/Makefile
index f9b26d6..e483e02 100644
--- a/Makefile
+++ b/Makefile
@@ -68,10 +68,9 @@ test: $(EXECUTABLE)
./$(EXECUTABLE)
endif
-fuzz:
- @mkdir -p $(BUILD)
- $(AFL)/afl-clang++ tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp $(CXXFLAGS) -o $(BUILD)/fuzz_parse
- $(AFL)/afl-fuzz -i tests/data_fuzz_parse -o $(BUILD)/fuzz_parse_out -x $(AFL)/testcases/_extras/xml/ -- $(BUILD)/fuzz_parse @@
+fuzz_%: $(BUILD)/fuzz_%
+ @mkdir -p build/$@
+ $< build/$@ tests/data_$*
clean:
rm -rf $(BUILD)
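Review bot: The new `fuzz_%` rule is never marked phony, so a stray file named `fuzz_parse` in the directory make runs from would make `make fuzz_parse` report the target up to date and never launch the fuzzer; this file already forces always-run targets with `.FORCE` (visible in the `build/pugixml-%: .FORCE` header of the next hunk), so `fuzz_%: $(BUILD)/fuzz_% .FORCE` keeps `$<` pointing at the binary while making the target always out of date. The corpus directory is created under a literal `build/$@` while the binary goes under `$(BUILD)`; if `$(BUILD)` is not plain `build` (its definition is outside this hunk) the corpus is not removed by `clean:`, which may well be intended so the corpus survives configuration changes, but that intent should be written down, e.g. `# corpus lives outside $(BUILD) on purpose so it survives clean and config switches`.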
@@ -87,6 +86,10 @@ build/pugixml-%: .FORCE | $(RELEASE)
$(EXECUTABLE): $(OBJECTS)
$(CXX) $(OBJECTS) $(LDFLAGS) -o $@
+$(BUILD)/fuzz_%: tests/fuzz_%.cpp src/pugixml.cpp
+ @mkdir -p $(BUILD)
+ clang++ $(CXXFLAGS) -fsanitize=address -fsanitize-coverage=trace-pc-guard $^ libFuzzer.a -o $@
+
$(BUILD)/%.o: %
@mkdir -p $(dir $@)
$(CXX) $< $(CXXFLAGS) -c -MMD -MP -o $@
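Review bot: `libFuzzer.a` is linked in the new `$(BUILD)/fuzz_%` recipe but is not a prerequisite, so a missing archive only surfaces as a late link error rather than a dependency failure, and nothing in the hunk says where it is expected to come from (the bare relative path suggests the directory make runs from, presumably the repository root). For a parser fed untrusted input, AddressSanitizer alone leaves signed overflow, bad shifts and misaligned accesses undetected, so `-fsanitize=address,undefined` is worth the extra runtime and ships with the same clang this rule already hard-codes for `-fsanitize-coverage`. Proposed: `$(BUILD)/fuzz_%: tests/fuzz_%.cpp src/pugixml.cpp libFuzzer.a` followed by `clang++ $(CXXFLAGS) -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard $^ -o $@` (the archive now arrives via `$^`), plus a comment `# libFuzzer.a: built from the LLVM libFuzzer sources; expected next to this Makefile` so the provenance is explicit.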
diff --git a/tests/fuzz_parse.cpp b/tests/fuzz_parse.cpp
index e758196..94c610a 100644
--- a/tests/fuzz_parse.cpp
+++ b/tests/fuzz_parse.cpp
@@ -1,16 +1,14 @@
#include "../src/pugixml.hpp"
-#include "allocator.hpp"
-int main(int argc, const char** argv)
-{
- pugi::set_memory_management_functions(memory_allocate, memory_deallocate);
+#include <stdint.h>
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{
pugi::xml_document doc;
- for (int i = 1; i < argc; ++i)
- {
- doc.load_file(argv[i]);
- doc.load_file(argv[i], pugi::parse_minimal);
- doc.load_file(argv[i], pugi::parse_full);
- }
+ doc.load_buffer(Data, Size);
+ doc.load_buffer(Data, Size, pugi::parse_minimal);
+ doc.load_buffer(Data, Size, pugi::parse_full);
+
+ return 0;
}
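Review bot: The new harness carries no comment stating its contract, which matters here because libFuzzer hands `LLVMFuzzerTestOneInput` a buffer that is exactly `Size` bytes and not NUL-terminated; `load_buffer` is the right entry point since it takes an explicit length, but a reader has to know that is why `load_file` was not kept. The three parse results are deliberately discarded and the single `doc` is reused across the option sets, which is only sound if each `load_buffer` call resets the document before parsing — presumably the case, but worth stating so nobody later "fixes" it by checking the status. `size_t` is used while only `<stdint.h>` is included; it presumably arrives transitively through `pugixml.hpp`, and an explicit `#include <stddef.h>` would remove the dependence on that. Suggested header comment above the function: `// libFuzzer entry point. Data is Size bytes, not NUL-terminated, read-only. The same bytes are parsed with the default, minimal and full option sets; results are ignored because only crashes and sanitizer reports (ASan, see Makefile) matter. Must return 0.`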