Bughunt - ClusterFuzz and Stumbles

With the open-source release of ClusterFuzz in February, I figured I could solve one of the key problems of the bughunt project – getting enough CPU time – by deploying a ClusterFuzz setup and scaling it up as funds allowed. ClusterFuzz also promises a convenient build pipeline, which would let me fuzz nightly on a regular schedule; even better.

Well, getting ClusterFuzz set up was pretty straightforward thanks to their instructions and, as of this writing, I have a relatively stock cluster running. There's work in the bughunt project to get Travis to feed builds into it, seen here.

I have hit one key snag, however. ClusterFuzz is unable to recognize a fuzz binary that wasn't built with -fsanitize=fuzzer, per this issue. Now, so far as I'm aware, rustc can't set this flag. There's discussion on cargo-fuzz about making fuzzer the default sanitizer instead of address, but rustc's sanitizer flag doesn't accept fuzzer as a value:

error: incorrect value fuzzer for debugging option sanitizer - one of: address, leak, memory or thread was expected

and trying to pass the flag straight through to LLVM as -C llvm-args=-fsanitize=fuzzer results in

--- stderr
rustc: Unknown command line argument '-fsanitize=fuzzer'.  Try: 'rustc -help'
rustc: Did you mean '-asan-stack=fuzzer'?

so that's tough. I think the fuzzer flag has been around for a while in LLVM but is only sparsely documented, appearing incidentally in build examples; for instance, this section. Anyway, clearly, the next steps are to change cargo-fuzz and possibly rustc itself to support it.
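For context on what the flag is actually wiring up, here is the libFuzzer harness that cargo-fuzz generates for you (via libfuzzer-sys) written out by hand. This is an added example, not code from this post, from cargo-fuzz or from ClusterFuzz. LLVMFuzzerTestOneInput is libFuzzer's real C entry-point name; the record parser, the fuzz_one property, and the sample corpus are constructed for illustration. The file still has to be linked against libFuzzer itself (which is what -fsanitize=fuzzer does on the clang side, and what cargo-fuzz arranges through libfuzzer-sys) before an engine will drive it; on its own it just replays inputs through the entry point.

```rust
// Added example (not from the post, cargo-fuzz or ClusterFuzz): a hand-written
// libFuzzer harness. libFuzzer's ABI for the target is
//   extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
// Everything else here (the parser, the property, the corpus) is constructed.

use std::slice;

/// Toy length-prefixed record parser: the code under test. First byte is the
/// payload length, the rest is the payload. Must never panic or index out of
/// bounds on any input; that is exactly what the fuzzer will try to break.
pub fn parse_record(data: &[u8]) -> Result<&[u8], &'static str> {
    let (&len, rest) = data.split_first().ok_or("empty input")?;
    let len = len as usize;
    if rest.len() < len {
        return Err("truncated payload");
    }
    Ok(&rest[..len])
}

/// Harness body: the closure you would hand to libfuzzer_sys::fuzz_target!.
/// A fuzzer only notices crashes and panics, so property violations are
/// turned into panics here.
pub fn fuzz_one(data: &[u8]) {
    if let Ok(payload) = parse_record(data) {
        assert!(payload.len() < data.len(), "payload cannot exceed input length");
    }
}

/// The exported symbol libFuzzer looks up and calls for every input.
///
/// # Safety
/// `data` must point to `size` readable bytes; libFuzzer guarantees this.
#[no_mangle]
pub unsafe extern "C" fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32 {
    // from_raw_parts is UB on a null pointer even for size 0, so guard it.
    let input: &[u8] = if data.is_null() || size == 0 {
        &[]
    } else {
        slice::from_raw_parts(data, size)
    };
    fuzz_one(input);
    0 // libFuzzer ignores the return value; 0 is the conventional one
}

/// Replay stored inputs through the C entry point exactly as libFuzzer would,
/// returning how many ran. Handy for reproducing a crash without the engine.
pub fn replay(inputs: &[Vec<u8>]) -> usize {
    for input in inputs {
        // SAFETY: pointer and length come from a live Vec that outlives the call.
        unsafe { LLVMFuzzerTestOneInput(input.as_ptr(), input.len()) };
    }
    inputs.len()
}

fn main() {
    // Constructed sample corpus: empty, well-formed, and truncated records.
    let corpus = vec![vec![], vec![2, 0xAA, 0xBB], vec![5, 1]];
    println!("replayed {} inputs", replay(&corpus));
}
```

Run stand-alone it replays the three constructed inputs and exits cleanly; swap the `#[no_mangle]` wrapper for `fuzz_target!(|data: &[u8]| fuzz_one(data));` from libfuzzer-sys and cargo-fuzz will link the real engine in, which is the part ClusterFuzz wants to see in the binary.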

Should be fun.