fuzz: Replace shelling out in build.rs with Rust code

tgross35 · tgross35 · commit 4856685854e5 · 2026-04-03T01:59:52.000-04:00
diff --git a/fuzz/build.rs b/fuzz/build.rs
@@ -33,14 +33,14 @@ fn main() -> io::Result<ExitCode> {
 
     let manifest_dir =
         PathBuf::from(env::var_os("CARGO_MANIFEST_DIR").expect("CARGO_MANIFEST_DIR unset"));
-    let fake_include_dir = manifest_dir.join("cxx/include");
     let target_dir = env::var_os("CARGO_TARGET_DIR")
         .map(PathBuf::from)
         .unwrap_or_else(|| manifest_dir.parent().unwrap().join("target"));
-    let llvm_dir = target_dir.join(format!("llvm-downloads/llvm-project-{llvm_commit_hash}"));
-    if !llvm_dir.try_exists().is_ok_and(|val| val) {
+    let llvm_root = target_dir.join(format!("llvm-downloads/llvm-project-{llvm_commit_hash}"));
+
+    if !llvm_root.try_exists().is_ok_and(|val| val) {
         panic!(
-            "llvm dir `{llvm_dir:?}` does not exist or cannot be reached. \
+            "llvm dir `{llvm_root:?}` does not exist or cannot be reached. \
             Perhaps you need to run etc/download-llvm.sh?"
         )
     }
@@ -59,74 +59,93 @@ fn main() -> io::Result<ExitCode> {
         }
     }
 
-    let sh_script_exit_status = Command::new("bash")
-        .args(["-c", SH_SCRIPT])
-        .env("llvm", &llvm_dir.join("llvm"))
-        .env("manifest_dir", &manifest_dir)
-        .envs([
-            ("llvm_project_git_hash", llvm_commit_hash),
-            ("cxx_apf_fuzz_exports", &cxx_exported_symbols.join(",")),
-            (
-                "cxx_apf_fuzz_is_fuzzing",
-                if cfg!(fuzzing) { "1" } else { "0" },
-            ),
+    let llvm_dir = llvm_root.join("llvm");
+    let bc_out = out_dir.join("cxx_apf_fuzz.bc");
+    let bc_opt_out = out_dir.join("cxx_apf_fuzz.opt.bc");
+    let obj_out = out_dir.join("cxx_apf_fuzz.o");
+    let archive = out_dir.join("libcxx_apf_fuzz.a");
+
+    // Flags could probably be split between the frontend and backend.
+    let clang_codegen_flags = ["-g", "-fPIC", "-fno-exceptions", "-O3", "-march=native"];
+
+    // HACK(eddyb) first compile all the source files into one `.bc` file:
+    // - "unity build" (w/ `--include`) lets `-o` specify path (no `--out-dir` sadly)
+    // - LLVM `.bc` intermediate allows the steps below to reduce dependencies
+    let mut clang = Command::new("clang++");
+    clang
+        .env_clear()
+        .args(["-xc++", "-", "-std=c++17"])
+        .args(clang_codegen_flags)
+        .arg("-I")
+        .arg(llvm_dir.join("include"))
+        .arg("-I")
+        .arg(llvm_dir.join("lib/Support"))
+        .arg("-I")
+        .arg(manifest_dir.join("cxx/include"))
+        .args([
+            "-DNDEBUG",
+            "-DHAVE_UNISTD_H",
+            "-DLLVM_ON_UNIX",
+            "-DLLVM_ENABLE_THREADS=0",
         ])
-        .status()?;
-    Ok(if sh_script_exit_status.success() {
-        ExitCode::SUCCESS
-    } else {
-        ExitCode::FAILURE
-    })
-}
+        .arg("--include")
+        .arg(manifest_dir.join("cxx/fuzz_unity_build.cpp"))
+        .arg("--include")
+        .arg(out_dir.join("cxx_apf_fuzz.cpp"))
+        .args(["-c", "-emit-llvm", "-o"])
+        .arg(&bc_out);
+    println!("+ {clang:?}");
+    assert!(clang.status()?.success());
+
+    // Use the `internalize` pass (+ O3) to prune everything unexported.
+    let mut opt = Command::new("opt");
+    opt.env_clear()
+        .arg("--internalize-public-api-list")
+        .arg(cxx_exported_symbols.join(","))
+        .arg(&bc_out)
+        .arg("-o")
+        .arg(&bc_opt_out);
+
+    // FIXME this was just the `internalize` hack, but had to move `sancov` here, to
+    // replicate https://github.com/rust-fuzz/afl.rs/blob/8ece4f9/src/bin/cargo-afl.rs#L370-L372
+    // *after* `internalize` & optimizations (to avoid instrumenting dead code).
+    let mut passes = "--passes=internalize,default<O3>".to_string();
+    if cfg!(fuzzing) {
+        opt.args([
+            "--sanitizer-coverage-level=3",
+            "--sanitizer-coverage-trace-pc-guard",
+            "--sanitizer-coverage-prune-blocks=0",
+        ]);
+        passes.push_str(",sancov-module");
+    }
 
-// HACK(eddyb) should avoid shelling out, but for now this will suffice.
-const SH_SCRIPT: &str = r#"
-set -eux
-
-# FIXME(eddyb) maybe split `$clang_codegen_flags` into front-end vs back-end.
-clang_codegen_flags="-g -fPIC -fno-exceptions -O3 -march=native"
-
-# HACK(eddyb) first compile all the source files into one `.bc` file:
-# - "unity build" (w/ `--include`) lets `-o` specify path (no `--out-dir` sadly)
-# - LLVM `.bc` intermediate allows the steps below to reduce dependencies
-echo | clang++ -x c++ - -std=c++17 \
-  $clang_codegen_flags \
-  -I "$llvm"/include \
-  -I "$llvm"/lib/Support \
-  -I "$manifest_dir/cxx/include" \
-  -DNDEBUG -DHAVE_UNISTD_H -DLLVM_ON_UNIX -DLLVM_ENABLE_THREADS=0 \
-  --include="$manifest_dir/cxx/fuzz_unity_build.cpp" \
-  --include="$OUT_DIR"/cxx_apf_fuzz.cpp \
-  -c -emit-llvm -o "$OUT_DIR"/cxx_apf_fuzz.bc
-
-# HACK(eddyb) use the `internalize` pass (+ O3) to prune everything unexported.
-opt_passes='internalize,default<O3>'
-opt_flags=""
-# FIXME(eddyb) this was just the `internalize` hack, but had to move `sancov` here, to
-# replicate https://github.com/rust-fuzz/afl.rs/blob/8ece4f9/src/bin/cargo-afl.rs#L370-L372
-# *after* `internalize` & optimizations (to avoid instrumenting dead code).
-if [ "$cxx_apf_fuzz_is_fuzzing" == "1" ]; then
-    opt_passes="$opt_passes,sancov-module"
-    opt_flags="--sanitizer-coverage-level=3 \
-               --sanitizer-coverage-trace-pc-guard \
-               --sanitizer-coverage-prune-blocks=0"
-fi
-opt \
-  --internalize-public-api-list="$cxx_apf_fuzz_exports" \
-  --passes="$opt_passes" \
-  $opt_flags \
-  "$OUT_DIR"/cxx_apf_fuzz.bc \
-  -o "$OUT_DIR"/cxx_apf_fuzz.opt.bc
-
-# HACK(eddyb) let Clang do the rest of the work, from the pruned `.bc`.
-# FIXME(eddyb) maybe split `$clang_codegen_flags` into front-end vs back-end.
-clang++ $clang_codegen_flags \
-  "$OUT_DIR"/cxx_apf_fuzz.opt.bc \
-  -c -o "$OUT_DIR"/cxx_apf_fuzz.o
-
-llvm-ar rc "$OUT_DIR"/libcxx_apf_fuzz.a "$OUT_DIR"/cxx_apf_fuzz.o
-
-echo cargo:rustc-link-search=native="$OUT_DIR"
-echo cargo:rustc-link-lib=cxx_apf_fuzz
-echo cargo:rustc-link-lib=stdc++
-"#;
+    opt.arg(passes);
+    println!("+ {opt:?}");
+    assert!(opt.status()?.success());
+
+    // Let Clang do the rest of the work, from the pruned `.bc`.
+    let mut clang_final = Command::new("clang++");
+    clang_final
+        .env_clear()
+        .args(clang_codegen_flags)
+        .arg(bc_opt_out)
+        .args(["-c", "-o"])
+        .arg(&obj_out);
+    eprintln!("+ {clang_final:?}");
+    assert!(clang_final.status()?.success());
+
+    // Construct a linkable archive.
+    let mut ar = Command::new("ar");
+    ar.env_clear().arg("rc").arg(archive).arg(&obj_out);
+    println!("+ {ar:?}");
+    assert!(ar.status()?.success());
+
+    println!(
+        "cargo:rustc-link-search=native={}",
+        out_dir.to_str().unwrap()
+    );
+    println!("cargo:rustc-link-lib=cxx_apf_fuzz");
+    println!("cargo:rustc-link-lib=stdc++");
+
+    Ok(ExitCode::SUCCESS)
+}
