use container; more is built + tested; use make -i (#2)

.github/workflows/codeql-analysis.yml

-name: "CodeQL"
-
-on:
-  push:
-    branches: [ stable, dev ]
-  pull_request:
-    branches: [ stable, dev ]
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'cpp' ]
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/build-test-push-container.yaml → .github/workflows/container.yaml

-name: Build and test container image
+name: Build, test, CodeQL and push container image
 on:
   push:
     branches:
       - stable
       - dev
     tags:
-      - '*'
+      - "*"
   pull_request:
-    branch:
-      - stable
-      - dev
+    branches:
+      - dev # No need for stable-pull-request, as that equals dev-push
 
 jobs:
   build-amd64:
-    name: Build and test amd64
+    name: Build amd64 image
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
+      - name: Login to GitHub Container Registry # Container cache registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build amd64
         uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/amd64
-          load: true
-          tags: aflplusplus/aflplusplus:test
-          # cache-from: type=gha  # Ensure we always build a fresh image. We just use the cache for the subsequent push job.
-          cache-to: type=gha,mode=max
-      - name: Test linux/amd64 image
-        run: docker run --rm --platform linux/amd64 aflplusplus/aflplusplus:test make tests
-        continue-on-error: true
+          tags: ghcr.io/${{ github.actor }}/aflplusplus:amd64
+          push: true
+          cache-from: type=registry,ref=ghcr.io/${{ github.actor }}/aflplusplus:amd64
+
   build-arm64:
-    name: Build and test arm64
+    name: Build arm64 image
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to GitHub Container Registry # Container cache registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
         with:
           platforms: arm64
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
       - name: Build arm64
         uses: docker/build-push-action@v3
         with:
           context: .
           platforms: linux/arm64
-          load: true
-          tags: aflplusplus/aflplusplus:test
-          # cache-from: type=gha  # Ensure we always build a fresh image. We just use the cache for the subsequent push job.
-          cache-to: type=gha,mode=max
-      - name: Test linux/arm64 image
-        run: docker run --rm --platform linux/arm64 aflplusplus/aflplusplus:test make tests
+          tags: ghcr.io/${{ github.actor }}/aflplusplus:arm64
+          push: true
+          cache-from: type=registry,ref=ghcr.io/${{ github.actor }}/aflplusplus:arm64
+
+  test-amd64:
+    name: Test amd64 image
+    runs-on: ubuntu-latest
+    needs: build-amd64
+    steps:
+      - name: Test amd64
+        run: docker run --rm ghcr.io/${{ github.actor }}/aflplusplus:amd64 make tests
         continue-on-error: true
-  push:
+
+  codeql-amd64:
+    name: CodeQL Analyze amd64 compiled code
+    runs-on: ubuntu-latest
     needs:
       - build-amd64
+    container:
+      image: ghcr.io/${{ github.actor }}/aflplusplus:amd64
+    steps:
+      - name: Fix for using external repo in container build # https://github.com/actions/checkout/issues/760
+        run: git config --global --add safe.directory /__w/AFLplusplus/AFLplusplus
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: cpp
+      - name: Build AFLplusplus # Rebuild because CodeQL needs to monitor the build process
+        env:
+          CC: gcc # These are symlinked to the version used in the container build
+          CXX: g++
+        run: make -i distrib # Best effort using -i
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+  push:
+    name: Push amd64 and arm64 image
+    runs-on: ubuntu-latest
+    needs:
+      - test-amd64
       - build-arm64
     if: ${{ github.event_name == 'push' }}
-    name: Push image
-    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v3
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
         with:
           platforms: arm64
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
-      - name: Login to Dockerhub
+      - name: Login to docker.io
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Publish ${{ github.ref_name }} for amd64 and arm64 to docker.io registry
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: aflplusplus/aflplusplus:${{ github.ref_name }}
-          cache-from: type=gha
-          # cache-to: type=gha,mode=max  # No need to add to cache as we'll never use this
-        if: ${{ github.ref_name != 'stable' }}
-      - name: Publish stable and latest to docker.io registry
+      - name: Set tags to push
+        id: push-tags
+        run: |
+          PUSH_TAGS=docker.io/aflplusplus/aflplusplus:${GITHUB_REF_NAME}
+          if [ "${GITHUB_REF_NAME}" = "stable" ]; then
+            PUSH_TAGS=${PUSH_TAGS},docker.io/aflplusplus/aflplusplus:latest
+          fi
+          export PUSH_TAGS
+          echo "::set-output name=PUSH_TAGS::${PUSH_TAGS}"
+      - name: Push to docker.io registry
         uses: docker/build-push-action@v3
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64 # TODO: Fix: arm64 image doesn't use cached layer from COPY line
           push: true
-          tags: aflplusplus/aflplusplus:${{ github.ref_name }},aflplusplus/aflplusplus:latest
-          cache-from: type=gha
-          # cache-to: type=gha,mode=max  # No need to add to cache as we'll never use this
-        if: ${{ github.ref_name == 'stable' }}
+          tags: ${{ steps.push-tags.outputs.PUSH_TAGS }}
+          cache-from: |
+            type=registry,ref=ghcr.io/${{ github.actor }}/aflplusplus:amd64
+            type=registry,ref=ghcr.io/${{ github.actor }}/aflplusplus:arm64

Dockerfile

@@ -5,46 +5,41 @@
 
 FROM ubuntu:22.04 AS aflplusplus
 LABEL "maintainer"="afl++ team <afl@aflplus.plus>"
-LABEL "about"="AFLplusplus docker image"
+LABEL "about"="AFLplusplus container image"
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-ENV NO_ARCH_OPT 1
-ENV IS_DOCKER="1"
+ENV NO_ARCH_OPT=1
+ENV IS_DOCKER=1
 
 RUN apt-get update && apt-get full-upgrade -y && \
-    apt-get -y install --no-install-recommends \
-    make cmake automake \
-    meson ninja-build bison flex \
-    xz-utils bzip2 \
-    git \
-    python3 python3-dev python3-setuptools python-is-python3 \
-    libtool libtool-bin \
-    libglib2.0-dev \
-    wget vim jupp nano bash-completion less \
-    apt-utils apt-transport-https ca-certificates gnupg dialog \
-    libpixman-1-dev \
-    gnuplot-nox && \
+    apt-get install -y --no-install-recommends wget ca-certificates && \
     rm -rf /var/lib/apt/lists/*
 
-RUN wget -qO- https://sh.rustup.rs | CARGO_HOME=/etc/cargo sh -s -- -y -q --no-modify-path
-ENV PATH=$PATH:/etc/cargo/bin
-
 ARG LLVM_VERSION=14
 ARG GCC_VERSION=12
 
-RUN mkdir -p /etc/apt/keyrings && \
-    echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/jammy/ llvm-toolchain-jammy-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.list && \
+RUN echo "deb [signed-by=/etc/apt/keyrings/llvm-snapshot.gpg.key] http://apt.llvm.org/jammy/ llvm-toolchain-jammy-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.list && \
     wget -qO /etc/apt/keyrings/llvm-snapshot.gpg.key https://apt.llvm.org/llvm-snapshot.gpg.key
 
 RUN apt-get update && \
     apt-get -y install --no-install-recommends \
+    make cmake automake meson ninja-build bison flex \
+    git xz-utils bzip2 wget vim jupp nano bash-completion less \
+    python3 python3-dev python3-setuptools python-is-python3 \
+    libtool libtool-bin libglib2.0-dev \
+    apt-utils apt-transport-https gnupg dialog \
+    gnuplot-nox libpixman-1-dev \
     gcc-${GCC_VERSION} g++-${GCC_VERSION} gcc-${GCC_VERSION}-plugin-dev gdb lcov \
-    clang-${LLVM_VERSION} clang-tools-${LLVM_VERSION} libc++1-${LLVM_VERSION} libc++-${LLVM_VERSION}-dev \
-    libc++abi1-${LLVM_VERSION} libc++abi-${LLVM_VERSION}-dev libclang1-${LLVM_VERSION} libclang-${LLVM_VERSION}-dev \
-    libclang-common-${LLVM_VERSION}-dev libclang-cpp${LLVM_VERSION} libclang-cpp${LLVM_VERSION}-dev liblld-${LLVM_VERSION} \
-    liblld-${LLVM_VERSION}-dev liblldb-${LLVM_VERSION} liblldb-${LLVM_VERSION}-dev libllvm${LLVM_VERSION} libomp-${LLVM_VERSION}-dev \
-    libomp5-${LLVM_VERSION} lld-${LLVM_VERSION} lldb-${LLVM_VERSION} llvm-${LLVM_VERSION} llvm-${LLVM_VERSION}-dev llvm-${LLVM_VERSION}-runtime llvm-${LLVM_VERSION}-tools \
+    clang-${LLVM_VERSION} clang-tools-${LLVM_VERSION} libc++1-${LLVM_VERSION} \
+    libc++-${LLVM_VERSION}-dev libc++abi1-${LLVM_VERSION} libc++abi-${LLVM_VERSION}-dev \
+    libclang1-${LLVM_VERSION} libclang-${LLVM_VERSION}-dev \
+    libclang-common-${LLVM_VERSION}-dev libclang-cpp${LLVM_VERSION} \
+    libclang-cpp${LLVM_VERSION}-dev liblld-${LLVM_VERSION} \
+    liblld-${LLVM_VERSION}-dev liblldb-${LLVM_VERSION} liblldb-${LLVM_VERSION}-dev \
+    libllvm${LLVM_VERSION} libomp-${LLVM_VERSION}-dev libomp5-${LLVM_VERSION} \
+    lld-${LLVM_VERSION} lldb-${LLVM_VERSION} llvm-${LLVM_VERSION} \
+    llvm-${LLVM_VERSION}-dev llvm-${LLVM_VERSION}-runtime llvm-${LLVM_VERSION}-tools \
     $([ "$(dpkg --print-architecture)" = "amd64" ] && echo gcc-${GCC_VERSION}-multilib gcc-multilib) \
     $([ "$(dpkg --print-architecture)" = "arm64" ] && echo libcapstone-dev) && \
     rm -rf /var/lib/apt/lists/*
@@ -54,6 +49,9 @@ RUN apt-get update && \
 RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${GCC_VERSION} 0 && \
     update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${GCC_VERSION} 0
 
+RUN wget -qO- https://sh.rustup.rs | CARGO_HOME=/etc/cargo sh -s -- -y -q --no-modify-path
+ENV PATH=$PATH:/etc/cargo/bin
+
 ENV LLVM_CONFIG=llvm-config-${LLVM_VERSION}
 ENV AFL_SKIP_CPUFREQ=1
 ENV AFL_TRY_AFFINITY=1
@@ -62,18 +60,18 @@ ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
 RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov && \
     (cd afl-cov && make install) && rm -rf afl-cov
 
-WORKDIR /AFLplusplus
-COPY . .
-
 # Until gcc v12.1 is released for ubuntu https://bugs.launchpad.net/ubuntu/+source/gcc-11/+bug/1940029
-ENV NO_NYX 1
+ARG NO_NYX=1
 
 # Build currently broken
-ENV NO_CORESIGHT 1
-ENV NO_UNICORN_ARM64 1
+ARG NO_CORESIGHT=1
+ARG NO_UNICORN_ARM64=1
+
+WORKDIR /AFLplusplus
+COPY . .
 
-RUN export CC=gcc-${GCC_VERSION} && export CXX=g++-${GCC_VERSION} && make clean && \
-    make distrib && make install && make clean
+RUN export CC=gcc-${GCC_VERSION} && export CXX=g++-${GCC_VERSION} && gmake clean && \
+    gmake distrib && gmake install && gmake clean
 
 RUN echo "set encoding=utf-8" > /root/.vimrc && \
     echo ". /etc/bash_completion" >> ~/.bashrc && \

GNUmakefile

@@ -308,17 +308,17 @@ endif
 
 .PHONY: all
 all:	test_x86 test_shm test_python ready $(PROGS) afl-as llvm gcc_plugin test_build all_done
-	-$(MAKE) -C utils/aflpp_driver
+	$(MAKE) -C utils/aflpp_driver
 
 .PHONY: llvm
 llvm:
-	-$(MAKE) -j4 -f GNUmakefile.llvm
+	$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 	@test -e afl-cc || { echo "[-] Compiling afl-cc failed. You seem not to have a working compiler." ; exit 1; }
 
 .PHONY: gcc_plugin
 gcc_plugin:
 ifneq "$(SYS)" "Darwin"
-	-$(MAKE) -f GNUmakefile.gcc_plugin
+	$(MAKE) -f GNUmakefile.gcc_plugin
 endif
 
 .PHONY: man
@@ -568,19 +568,19 @@ all_done: test_build
 .PHONY: clean
 clean:
 	rm -rf $(PROGS) afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-cs-proxy afl-qemu-trace afl-gcc-fast afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand *.dSYM lib*.a
-	-$(MAKE) -f GNUmakefile.llvm clean
-	-$(MAKE) -f GNUmakefile.gcc_plugin clean
-	-$(MAKE) -C utils/libdislocator clean
-	-$(MAKE) -C utils/libtokencap clean
+	$(MAKE) -f GNUmakefile.llvm clean
+	$(MAKE) -f GNUmakefile.gcc_plugin clean
+	$(MAKE) -C utils/libdislocator clean
+	$(MAKE) -C utils/libtokencap clean
 	$(MAKE) -C utils/aflpp_driver clean
-	-$(MAKE) -C utils/afl_network_proxy clean
-	-$(MAKE) -C utils/socket_fuzzing clean
-	-$(MAKE) -C utils/argv_fuzzing clean
-	-$(MAKE) -C utils/plot_ui clean
-	-$(MAKE) -C qemu_mode/unsigaction clean
-	-$(MAKE) -C qemu_mode/libcompcov clean
-	-$(MAKE) -C qemu_mode/libqasan clean
-	-$(MAKE) -C frida_mode clean
+	$(MAKE) -C utils/afl_network_proxy clean
+	$(MAKE) -C utils/socket_fuzzing clean
+	$(MAKE) -C utils/argv_fuzzing clean
+	$(MAKE) -C utils/plot_ui clean
+	$(MAKE) -C qemu_mode/unsigaction clean
+	$(MAKE) -C qemu_mode/libcompcov clean
+	$(MAKE) -C qemu_mode/libqasan clean
+	$(MAKE) -C frida_mode clean
 	rm -rf nyx_mode/packer/linux_initramfs/init.cpio.gz nyx_mode/libnyx/libnyx/target/release/* nyx_mode/QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64
 ifeq "$(IN_REPO)" "1"
 	-test -e coresight_mode/coresight-trace/Makefile && $(MAKE) -C coresight_mode/coresight-trace clean || true
@@ -610,7 +610,7 @@ endif
 
 .PHONY: distrib
 distrib: all
-	$(MAKE) -j4 -f GNUmakefile.llvm
+	$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 ifneq "$(SYS)" "Darwin"
 	$(MAKE) -f GNUmakefile.gcc_plugin
 endif
@@ -674,7 +674,7 @@ endif
 
 .PHONY: source-only
 source-only: all
-	$(MAKE) -j4 -f GNUmakefile.llvm
+	$(MAKE) -j$(nproc) -f GNUmakefile.llvm
 ifneq "$(SYS)" "Darwin"
 	$(MAKE) -f GNUmakefile.gcc_plugin
 endif

Makefile

 all:
 	@echo trying to use GNU make...
-	@gmake all || echo please install GNUmake
+	-@gmake all
 
 source-only:
-	@gmake source-only
+	-@gmake source-only
 
 binary-only:
-	@gmake binary-only
+	-@gmake binary-only
 
 distrib:
-	@gmake distrib
+	-@gmake distrib
 
 man:
-	@gmake man
+	-@gmake man
 
 install:
-	@gmake install
+	-@gmake install
 
 document:
-	@gmake document
+	-@gmake document
 
 deepclean:
-	@gmake deepclean
+	-@gmake deepclean
 
 code-format:
-	@gmake code-format
+	-@gmake code-format
 
 help:
-	@gmake help
+	-@gmake help
 
 tests:
-	@gmake tests
+	-@gmake tests
 
 unit:
-	@gmake unit
+	-@gmake unit
 
 unit_clean:
-	@gmake unit_clean
+	-@gmake unit_clean
 
 clean:
-	@gmake clean
+	-@gmake clean

docs/INSTALL.md

@@ -30,20 +30,22 @@ sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //
 sudo apt-get install -y ninja-build # for QEMU mode
 git clone https://github.com/AFLplusplus/AFLplusplus
 cd AFLplusplus
-make distrib
+make -i distrib
 sudo make install
 ```
 
+> We add the `-i` to make so it will skip any features that fail to install.
+
 It is recommended to install the newest available gcc, clang and llvm-dev
 possible in your distribution!
 
-Note that `make distrib` also builds FRIDA mode, QEMU mode, unicorn_mode, and
+Note that `make -i distrib` also builds FRIDA mode, QEMU mode, unicorn_mode, and
 more. If you just want plain AFL++, then do `make all`. If you want some
 assisting tooling compiled but are not interested in binary-only targets, then
 instead choose:
 
 ```shell
-make source-only
+make -i source-only
 ```
 
 These build targets exist:
@@ -70,7 +72,7 @@ you can also build statically linked versions of the AFL++ binaries by passing
 the `STATIC=1` argument to make:
 
 ```shell
-make STATIC=1
+make -i STATIC=1
 ```
 
 These build options exist:
@@ -88,7 +90,7 @@ These build options exist:
 * LLVM_CONFIG - if your distro doesn't use the standard name for llvm-config
   (e.g., Debian)
 
-e.g.: `make ASAN_BUILD=1`
+e.g.: `make -i ASAN_BUILD=1`
 
 ## MacOS X on x86 and arm64 (M1)
 
@@ -114,11 +116,11 @@ export PATH="/usr/local/opt/llvm/bin:$PATH"
 export PATH="/usr/local/opt/coreutils/libexec/gnubin:/usr/local/bin:$PATH"
 export CC=clang
 export CXX=clang++
-gmake
+gmake -i
 cd frida_mode
-gmake
+gmake -i
 cd ..
-sudo gmake install
+sudo gmake -i install
 ```
 
 `afl-gcc` will fail unless you have GCC installed, but that is using outdated

qemu_mode/build_qemu_support.sh

@@ -273,7 +273,7 @@ echo "[+] Configuration complete."
 
 echo "[*] Attempting to build QEMU (fingers crossed!)..."
 
-make -j `nproc` || exit 1
+make -j$(nproc) || exit 1
 
 echo "[+] Build process successful!"