Integrate LibFuzzer

[henrybear327]

By leveraging the LLVM's LibFuzzer, we will be able to test our emulator code more thoroughly.

The seed corpus being added automatically are all the elf files in the build folder.

Major changes:

• Conditional compilation for the main function, as the fuzzer will generate its own main function
• Add Clang to the Dockerfile
• Introduce loading binary stream as elf file, as the input from fuzzer will be passed into the emulator directly instead of going through a file

Minor changes:

• Fixed ELF verification logic

Currently, known improvements are:

• Fix the Makefile to handle the compilation flags and compile coexisting .c and .cc files correctly

[henrybear327]

Based on the initial fuzzer runs, I think the ELF loader logic doesn't check for invalid ELF strictly yet.

For example, this is one of the crashes produced by the fuzzer

Executed with failure
src/elf.c:145:52: runtime error: member access within misaligned address 0x1000078803437 for type 'const struct Elf32_Shdr', which requires 4 byte alignment
0x1000078803437: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/elf.c:145:52 in 
src/elf.c:145:52: runtime error: load of misaligned address 0x1000078803437 for type 'const Elf32_Word' (aka 'const unsigned int'), which requires 4 byte alignment
0x1000078803437: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/elf.c:145:52 in 
AddressSanitizer:DEADLYSIGNAL

This PR was also created based on the fuzzer's crash log.

[github-advanced-security]

Cppcheck (reported by Codacy) found more than 10 potential problems in the proposed changes. Check the Files changed tab for more details.

[henrybear327]

Resolve the issues reported by Codacy.

I tried to resolve most, but there are some that are hard to understand what the error is about, or, some don't make sense to fix (single exit point per function, use the output of fprintf, don't use abort() in fuzzer, etc.) .

[jserv]

Rather than creating a separate standalone fuzzer program, we can explore the option of integrating the fuzzing components as a feature activated by a command-line option. This approach aims to minimize the necessary changes for fuzzer integration. If we opt for this method, we will need to address the linkage between the C++-based LibFuzzer and the existing C codebase.

See src/feature.h for the use of macro RV32_HAS.

[henrybear327]

Rather than creating a separate standalone fuzzer program, we can explore the option of integrating the fuzzing components as a feature activated by a command-line option. This approach aims to minimize the necessary changes for fuzzer integration. If we opt for this method, we will need to address the linkage between the C++-based LibFuzzer and the existing C codebase.

See src/feature.h for the use of macro RV32_HAS.

I am not aware of how we can merge both main() functions.

My current understanding is that for the LibFuzzer to work, we will need to provide an implementation of LLVMFuzzerTestOneInput, and during complication, a separate main() will be generated and be used for driving the actions for the fuzzer.

If there is more information or hints for merging the fuzzer into the current binary, I am happy to learn! :)

[jserv]

It seems that C-only source files are compatible with libFuzzer. e.g., libFuzzer-examples.

[jserv]

I am closing this pull request because we have not made a clear decision on how we can effectively utilize libFuzzer to identify potential issues.