From feafd0e029365827419bb0d39139563f1e6814d9 Mon Sep 17 00:00:00 2001
From: quinox <gofu@qtea.nl>
Date: Tue, 8 Nov 2022 17:46:03 +0100
Subject: [PATCH] Faster fuzzing

On my system using AFLplusplus, for a single core:
* `afl-gcc` / `afl-g++` reaches 100 exec/s
* `afl-gcc-fast` / `afl-g++-fast` reaches 330 exec/s
* `afl-clang-lto` / `afl-clang-lto++` reaches 400 exec/s
---
 fuzz-helper.sh | 57 ++++++++++++++++++++++++++++++++++++++++++++------
 threaddata.cpp |  2 ++
 2 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/fuzz-helper.sh b/fuzz-helper.sh
index 003d5313..7513f71d 100755
--- a/fuzz-helper.sh
+++ b/fuzz-helper.sh
@@ -17,15 +17,41 @@ fi
 
 set -u
 
+usage() {
+  >&2 echo "Usage: [ build | run ]"
+}
+
 if [[ ! -d "$FLASHMQ_SRC/fuzztests" ]]; then
   echo "Folder 'fuzztests' not found in '$FLASHMQ_SRC'"
   exit 1
 fi
 
+if [[ $# -ne 1 ]]; then
+  usage
+  exit 1
+fi
+
 if [[ "$1" == "build" ]]; then
 
+  # AFLplusplus has some fancy versions:
+  # *-lto (collision free instrumentation at link time) is preferred
+  # *-fast is also better than base (but less so than LTO)
+  echo "Detecting afl-gcc / alf-gcc-fast / alf-clang-lto ..."
   export CC="$AFL_ROOT/afl-gcc"
+  CC_GNU_FAST="${CC}-fast"
+  CC_CLANG_LTO="$AFL_ROOT/afl-clang-lto"
+  [[ -e "$CC_GNU_FAST" ]] && export CC="$CC_GNU_FAST"
+  [[ -e "$CC_CLANG_LTO" ]] && export CC="$CC_CLANG_LTO"
+
+  echo "Detecting afl-g++ / afl-g++-fast / alf-clang-lto++ ..."
   export CXX="$AFL_ROOT/afl-g++"
+  CXX_GNU_FAST="${CXX}-fast"
+  CXX_CLANG_LTO="$AFL_ROOT/afl-clang-lto++"
+  [[ -e "$CXX_GNU_FAST" ]] && export CXX="$CXX_GNU_FAST"
+  [[ -e "$CXX_CLANG_LTO" ]] && export CXX="$CXX_CLANG_LTO"
+
+  echo "Using for \$CC:  $CC"
+  echo "Using for \$CXX: $CXX"
 
   mkdir "fuzzbuild"
   cd "fuzzbuild" || exit 1
@@ -35,22 +61,41 @@ if [[ "$1" == "build" ]]; then
   if [[ -f "./FlashMQBuildDebug/flashmq" ]]; then
     cp -v "./FlashMQBuildDebug/flashmq" ..
   fi
-fi
 
-if [[ "$1" == "run" ]]; then
+elif [[ "$1" == "run" ]]; then
+  RUNNERS=("primary" "secondary01" "secondary02" "secondary03")
+
   INPUTDIR="$FLASHMQ_SRC/fuzztests"
   OUTPUTDIR="fuzzoutput"
+  RUNDIR="${thisdir}/fuzzrun"
+
+  for runner in "${RUNNERS[@]}"
+  do
+    runner_dir="$RUNDIR/$runner"
+    mkdir -p "$runner_dir/storage"
+
+    # Overriding the system wide config from /etc/flashmq/flashmq.conf
+    # not specifying log_file:    logs will go to stdout instead
+    # not specifying storage_dir: turn off persistent storage
+    echo "quiet       yes" > "$runner_dir/flashmq.conf"
+  done
+
   BINARY="./flashmq"
 
   if [[ ! -d "$OUTPUTDIR" ]]; then
     mkdir "$OUTPUTDIR"
   fi
 
-  tmux new-session -s flashmqfuzz -d  "'$AFL_ROOT/afl-fuzz' -m 200 -M primary     -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --fuzz-file '@@'; sleep 5"
-  tmux split-window -t flashmqfuzz -v "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary01 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --fuzz-file '@@'; sleep 5"
-  tmux split-window -t flashmqfuzz -h "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary02 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --fuzz-file '@@'; sleep 5"
+  tmux new-session -s flashmqfuzz -d  "'$AFL_ROOT/afl-fuzz' -m 200 -M primary     -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --config-file ${RUNDIR}/primary/flashmq.conf --fuzz-file '@@'; sleep 5"
+  tmux split-window -t flashmqfuzz -v "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary01 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --config-file ${RUNDIR}/secondary01/flashmq.conf --fuzz-file '@@'; sleep 5"
+  tmux split-window -t flashmqfuzz -h "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary02 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --config-file ${RUNDIR}/secondary02/flashmq.conf --fuzz-file '@@'; sleep 5"
   tmux select-pane -t flashmqfuzz -U
-  tmux split-window -t flashmqfuzz -h "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary03 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --fuzz-file '@@'; sleep 5"
+  tmux split-window -t flashmqfuzz -h "'$AFL_ROOT/afl-fuzz' -m 200 -S secondary03 -i '$INPUTDIR' -o '$OUTPUTDIR' '$BINARY' --config-file ${RUNDIR}/secondary03/flashmq.conf --fuzz-file '@@'; sleep 5"
 
   tmux attach-session -d -t flashmqfuzz
+
+else
+  >&2 echo "Unknown option $1."
+  usage
+  exit 1
 fi
diff --git a/threaddata.cpp b/threaddata.cpp
index afc5db27..7179fcb2 100644
--- a/threaddata.cpp
+++ b/threaddata.cpp
@@ -168,7 +168,9 @@ void ThreadData::queueClientNextKeepAliveCheckLocked(std::shared_ptr<Client> &cl
  */
 void ThreadData::continuationOfAuthentication(std::shared_ptr<Client> &client, AuthResult authResult, const std::string &authMethod, const std::string &returnData)
 {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     assert(pthread_self() == thread.native_handle());
+#endif
 
     std::shared_ptr<SubscriptionStore> subscriptionStore = MainApp::getMainApp()->getSubscriptionStore();