Fix macOS AFL fuzz executable linking

rtfeldman · rtfeldman · commit 8ed2ea82e0fa · 2026-06-14T17:42:41.000-04:00
diff --git a/build.zig b/build.zig
@@ -4627,14 +4627,58 @@ fn add_fuzz_target(
         const fuzz_step = b.step(b.fmt("build-fuzz-{s}", .{name}), b.fmt("Build fuzz executable for {s}", .{name}));
         b.default_step.dependOn(fuzz_step);
 
-        const afl = b.lazyImport(@This(), "afl_kit") orelse return;
-        const fuzz_exe = afl.addInstrumentedExe(b, target, .ReleaseSafe, &.{}, use_system_afl, fuzz_obj, &.{"-lm"}) orelse return;
+        const fuzz_exe = if (target.result.os.tag == .macos)
+            addMacosAflFuzzExe(b, target, .ReleaseSafe, use_system_afl, fuzz_obj) orelse return
+        else blk: {
+            const afl = b.lazyImport(@This(), "afl_kit") orelse return;
+            break :blk afl.addInstrumentedExe(b, target, .ReleaseSafe, &.{}, use_system_afl, fuzz_obj, &.{"-lm"}) orelse return;
+        };
         const install_fuzz = b.addInstallBinFile(fuzz_exe, name_exe);
         fuzz_step.dependOn(&install_fuzz.step);
         b.getInstallStep().dependOn(&install_fuzz.step);
     }
 }
 
+fn addMacosAflFuzzExe(
+    b: *std.Build,
+    target: ResolvedTarget,
+    optimize: OptimizeMode,
+    use_system_afl: bool,
+    fuzz_obj: *Step.Compile,
+) ?std.Build.LazyPath {
+    if (!use_system_afl) {
+        std.log.warn("Vendored AFL++ does not currently support macOS fuzz executable linking; use system AFL++", .{});
+        return null;
+    }
+
+    const afl_kit = b.lazyDependency("afl_kit", .{}) orelse return null;
+    const afl_cc = b.findProgram(&.{"afl-cc"}, &.{}) catch @panic("Could not find 'afl-cc', which is required to build");
+    const afl_bin_dir = std.fs.path.dirname(afl_cc) orelse @panic("Could not determine afl-cc directory");
+    const afl_compiler_rt = std.Build.LazyPath{ .cwd_relative = b.pathJoin(&.{ afl_bin_dir, "..", "lib", "afl", "afl-compiler-rt.o" }) };
+
+    fuzz_obj.root_module.fuzz = true;
+    fuzz_obj.root_module.link_libc = true;
+    fuzz_obj.sanitize_coverage_trace_pc_guard = true;
+
+    const exe = b.addExecutable(.{
+        .name = fuzz_obj.name,
+        .root_module = b.createModule(.{
+            .target = target,
+            .optimize = optimize,
+            .link_libc = true,
+        }),
+    });
+    configureBackend(exe, target);
+    exe.root_module.addCSourceFile(.{
+        .file = afl_kit.path("afl.c"),
+        .flags = &.{},
+    });
+    exe.root_module.addObject(fuzz_obj);
+    exe.root_module.addObjectFile(afl_compiler_rt);
+
+    return exe.getEmittedBin();
+}
+
 fn addMainExe(
     b: *std.Build,
     roc_modules: modules.RocModules,
diff --git a/test/fuzzing/README.md b/test/fuzzing/README.md
@@ -14,3 +14,7 @@ generated program is deliberately exercising builtin behavior.
 Generated platform/app fuzzers must also generate app-provided names, platform
 aliases, and platform wrapper names. External ABI symbol strings and target names
 are platform data, not userspace Roc identifiers.
+
+On macOS, AFL++ may fail with `shmget() failed` under the default System V
+shared-memory limits. Prefix AFL commands with `AFL_MAP_SIZE=2097152` unless the
+machine has already been configured with `afl-system-config`.
