From 4ad4c885b780287aa5d768f75b69db71dc718b41 Mon Sep 17 00:00:00 2001 From: Marc Herbert Date: Tue, 27 Aug 2024 00:07:07 +0000 Subject: [PATCH 1/3] fuzz.sh: add -i3 and -i4; shortcuts for -DCONFIG_IPC_MAJOR_$i=y Only a shortcut for now but allow more IPC version-dependent logic later. Signed-off-by: Marc Herbert --- scripts/fuzz.sh | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/scripts/fuzz.sh b/scripts/fuzz.sh index cd08d980d786..e1b6e2df4a4f 100755 --- a/scripts/fuzz.sh +++ b/scripts/fuzz.sh @@ -10,6 +10,8 @@ Usage: $0 -b -- -DEXTRA_CONF_FILE=stub_build_all_ipc4.conf -DEXTRA_CFLAGS="-O0 -g3" ... $0 -t 500 -- -DEXTRA_CONF_FILE=stub_build_all_ipc3.conf ... + -i4 Appends: -- -DCONFIG_IPC_MAJOR_4=y + -i3 See above -p Delete build-fuzz/ first ("pristine") -b Do not run/fuzz: stop after the build. -t n Fuzz for n seconds. @@ -85,10 +87,12 @@ main() local BUILD_ONLY=false local FUZZER_STDOUT=/dev/stdout # bashism local TEST_DURATION=3 + local IPC # Parse "$@". getopts stops after '--' - while getopts "hj:po:t:b" opt; do + while getopts "i:hj:po:t:b" opt; do case "$opt" in + i) IPC="$OPTARG";; h) print_help; exit 0;; j) if [ "$OPTARG" -eq 0 ]; then JOBS=$(nproc); else JOBS="$OPTARG"; fi;; p) PRISTINE=true;; 
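Review bot: The `-i` value is stored unchecked by `i) IPC="$OPTARG";;` and later pasted into `-DCONFIG_IPC_MAJOR_$IPC=y` (third hunk of this patch) and into the `configs/fuzz_IPC${IPC}_features.conf` path (patch 2/3), so a typo such as `-i ipc4` produces an unknown Kconfig symbol and a non-existent conf file rather than a usage error. The fuzz_features.conf header in patch 2/3 says Kconfig warnings are not fatal, so such a run could quietly fuzz a configuration nobody asked for, and a value containing `;` would add entries to the `CONF_FILE` list. Accepting only the two known values closes this: `i) case "$OPTARG" in 3|4) IPC="$OPTARG";; *) print_help; exit 1;; esac;;`. `local IPC` is also left unassigned, so `[ -n "$IPC" ]` would abort if the script runs under `set -u` (not visible here); `local IPC=''` avoids that. main() continues outside the hunk.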
@@ -111,11 +115,17 @@ main() # especially not when doing unusual toolchain things. if $PRISTINE; then rm -rf build-fuzz/; fi + # When passing conflicting -DVAR='VAL UE1' -DVAR='VAL UE2' to CMake, + # the last 'VAL UE2' wins. Previous ones are silently ignored. + local cmake_args=( -DCONF_FILE="$conf_files_list" ) + if [ -n "$IPC" ]; then + cmake_args+=( "-DCONFIG_IPC_MAJOR_$IPC=y" ) + fi + + cmake_args+=( "$@" ) + (set -x - # When passing conflicting -DVAR='VAL UE1' -DVAR='VAL UE2' to CMake, - # the last 'VAL UE2' wins. Previous ones are silently ignored. - west build -d build-fuzz -b native_sim "$SOF_TOP"/app/ -- \ - -DCONF_FILE="$conf_files_list" "$@" + west build -d build-fuzz -b native_sim "$SOF_TOP"/app/ -- "${cmake_args[@]}" ) if $BUILD_ONLY; then From 35b2c620b5ad43b357738918a14a2251a8904601 Mon Sep 17 00:00:00 2001 From: Marc Herbert Date: Sat, 24 Aug 2024 01:26:48 +0000 Subject: [PATCH 2/3] Add new `fuzz_*features.conf` files to add more CONFIG_ when fuzzing The goal of these new files is to: 1. Fuzz more code 2. Reduce the configuration gap between fuzzed SOF and the real thing. See the fuzz_features.conf header for more details. Signed-off-by: Marc Herbert --- app/configs/fuzz_IPC3_features.conf | 1 + app/configs/fuzz_IPC4_features.conf | 4 +++ app/configs/fuzz_features.conf | 48 +++++++++++++++++++++++++++++ scripts/fuzz.sh | 7 ++++- 4 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 app/configs/fuzz_IPC3_features.conf create mode 100644 app/configs/fuzz_IPC4_features.conf create mode 100644 app/configs/fuzz_features.conf diff --git a/app/configs/fuzz_IPC3_features.conf b/app/configs/fuzz_IPC3_features.conf new file mode 100644 index 000000000000..059bae416abc --- /dev/null +++ b/app/configs/fuzz_IPC3_features.conf @@ -0,0 +1 @@ +# See main file fuzz_features.conf diff --git a/app/configs/fuzz_IPC4_features.conf b/app/configs/fuzz_IPC4_features.conf new file mode 100644 index 000000000000..a888def77188 --- /dev/null 
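Review bot: The "last value wins" comment that moved above `cmake_args` covers only the same `-DVAR` being passed twice, but `-i` can now add a different symbol from the one a caller passes after `--`. For example, `-i4 -- -DCONFIG_IPC_MAJOR_3=y` would hand CMake both `CONFIG_IPC_MAJOR_4=y` and `CONFIG_IPC_MAJOR_3=y`, and how Kconfig resolves that pair is not visible in this hunk. A one-line comment would make the intended precedence explicit, e.g. `# -i is added before "$@" so explicit -D arguments from the caller come last`. main() starts and ends outside this hunk.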
+++ b/app/configs/fuzz_IPC4_features.conf @@ -0,0 +1,4 @@ +# See main file fuzz_features.conf + +CONFIG_COMP_UP_DOWN_MIXER=y +CONFIG_COMP_ARIA=y diff --git a/app/configs/fuzz_features.conf b/app/configs/fuzz_features.conf new file mode 100644 index 000000000000..c815b42a4cb1 --- /dev/null +++ b/app/configs/fuzz_features.conf @@ -0,0 +1,48 @@ +# The goal of this file is to: +# 1. Fuzz more code +# 2. Reduce the gap between fuzzed SOF and the real thing. + +# KConfig warnings are NOT fatal so you must always INSPECT build logs when changing +# .conf files. See https://github.com/thesofproject/sof/issues/9386 + +# Note 1. is not as simple as enabling as many CONFIG_ as possible. Enabling some CONFIG_ +# can technically _disable_ some code paths. But the opposite is more common so let's add +# more. + +# In the longer term we should have some more elaborate configuration framework to reduce +# duplicate/diverge between fuzzing and production but also across product +# generations. Something like config fragments including each other? Not something as +# complicated as Yocto fragments but something more flexible than +# https://docs.zephyrproject.org/latest/build/kconfig/setting.html#initial-conf +# +# Discuss in https://github.com/thesofproject/sof/issues/9386 + +# Many of these features are too far from IPC to make any fuzzing difference. But as long +# as they reduce the size of the textual difference between build-fuzz/zephyr/.config and +# build-xxx/zephyr/.config, they make that manual comparison easier which is still a win. + + +CONFIG_COUNTER=y + +CONFIG_PROBE=y + +CONFIG_CRYPTO=y + +CONFIG_LOG_TIMESTAMP_64BIT=y +CONFIG_MM_DRV=y + +CONFIG_DMA=y + +CONFIG_DAI=y + +CONFIG_PM_DEVICE=y +CONFIG_POWER_DOMAIN=y + +CONFIG_COMP_SRC_IPC4_FULL_MATRIX=y +CONFIG_COMP_CROSSOVER=y +CONFIG_COMP_DRC=y +CONFIG_COMP_KPB=y + +CONFIG_MATH_LUT_SINE_FIXED=y +CONFIG_MATH_EXP=y +CONFIG_MATH_IIR_DF2T=y diff --git a/scripts/fuzz.sh b/scripts/fuzz.sh index e1b6e2df4a4f..68f3c3cbbbe9 100755 
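Review bot: `CONFIG_COMP_SRC_IPC4_FULL_MATRIX=y` is in fuzz_features.conf, which fuzz.sh applies to every build, although its name suggests it belongs with the IPC4-only options in fuzz_IPC4_features.conf. Whether the symbol actually depends on IPC4 cannot be confirmed from this page. If it does, an IPC3 build would drop it with only a non-fatal Kconfig warning, which is the silent loss of coverage this file's own header warns about. Either move the line to fuzz_IPC4_features.conf or add a comment such as `# valid for IPC3 too despite the name`.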
--- a/scripts/fuzz.sh +++ b/scripts/fuzz.sh @@ -10,7 +10,7 @@ Usage: $0 -b -- -DEXTRA_CONF_FILE=stub_build_all_ipc4.conf -DEXTRA_CFLAGS="-O0 -g3" ... $0 -t 500 -- -DEXTRA_CONF_FILE=stub_build_all_ipc3.conf ... - -i4 Appends: -- -DCONFIG_IPC_MAJOR_4=y + -i4 Appends: -- -DCONFIG_IPC_MAJOR_4=y + fuzz_IPC4_features.conf -i3 See above -p Delete build-fuzz/ first ("pristine") -b Do not run/fuzz: stop after the build. @@ -110,6 +110,11 @@ main() # https://docs.zephyrproject.org/latest/build/kconfig/setting.html#initial-conf local conf_files_list='prj.conf;boards/native_sim_libfuzzer.conf' + conf_files_list+=';configs/fuzz_features.conf' + if [ -n "$IPC" ]; then + conf_files_list+=";configs/fuzz_IPC${IPC}_features.conf" + fi + # Note there's never any reason to delete fuzz_corpus/. # Don't trust `west build -p` because it is not 100% unreliable, # especially not when doing unusual toolchain things. From 1f719722449f99b2e09bd70add95e98bb65e5a22 Mon Sep 17 00:00:00 2001 From: Marc Herbert Date: Tue, 27 Aug 2024 07:03:22 +0000 Subject: [PATCH 3/3] .github/ipc_fuzzer: use new -i 3 and -i 4 fuzz.sh options Stop hardcoding -DCONFIG_IPC_MAJOR_x=y and use the new -3 and -4 fuzz.sh CLI flags. Signed-off-by: Marc Herbert --- .github/workflows/build_all.yml | 7 ++++--- .github/workflows/ipc_fuzzer.yml | 8 ++------ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build_all.yml b/.github/workflows/build_all.yml index 4cce0dc83a1d..bfebeaa26954 100644 --- a/.github/workflows/build_all.yml +++ b/.github/workflows/build_all.yml @@ -15,7 +15,7 @@ jobs: strategy: matrix: # Keep these names short due to questionable Github UI choices - IPC: [ipc3, ipc4] + IPC: [3, 4] steps: - name: add i386 arch 
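Review bot: In the `conf_files_list` hunk the IPC-specific fragment is added only when `-i` was given, so a caller that still selects the IPC version after `--` (as both Usage examples in the help text do) gets fuzz_features.conf but neither fuzz_IPC3 nor fuzz_IPC4 features, with no message. That is a quiet reduction in fuzzed code rather than a build failure, so it is easy to miss in logs. An `else` branch that says so on stderr would make it visible: `else >&2 printf '%s\n' 'fuzz.sh: no -i given, fuzz_IPC*_features.conf not applied'`. The `${IPC}` interpolated into the path here is the unvalidated value noted on patch 1/3. main() starts and ends outside this hunk.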
@@ -65,5 +65,6 @@ jobs: cd workspace clang --verbose set -x - sof/scripts/fuzz.sh -b -- -DEXTRA_CFLAGS='-Werror' -DEXTRA_CXXFLAGS='-Werror' \ - -DEXTRA_CONF_FILE='stub_build_all_${{ matrix.IPC }}.conf' + sof/scripts/fuzz.sh -b -i '${{ matrix.IPC }}' -- \ + -DEXTRA_CFLAGS='-Werror' -DEXTRA_CXXFLAGS='-Werror' \ + -DEXTRA_CONF_FILE='stub_build_all_ipc${{ matrix.IPC }}.conf' diff --git a/.github/workflows/ipc_fuzzer.yml b/.github/workflows/ipc_fuzzer.yml index b7b0c6e55f95..6773af045689 100644 --- a/.github/workflows/ipc_fuzzer.yml +++ b/.github/workflows/ipc_fuzzer.yml @@ -30,7 +30,7 @@ jobs: fail-fast: false matrix: # Keep these names short due to questionable Github UI choices - IPC: [IPC3, IPC4] + IPC: [3, 4] steps: - name: add i386 arch @@ -77,14 +77,10 @@ jobs: cd workspace clang --verbose set -x - case '${{ matrix.IPC }}' in - IPC3) cmake_arg='-DCONFIG_IPC_MAJOR_3=y' ;; - IPC4) cmake_arg='-DCONFIG_IPC_MAJOR_4=y' ;; - esac duration="${{inputs.fuzzing_duration_s}}" duration="${duration:-301}" # pull_request has not 'inputs.' :-( # Note libFuzzer makes a difference between -jobs and -workers (capped at nproc/2) - sof/scripts/fuzz.sh -o fuzz-stdout.txt -t "$duration" -j"$(nproc)" -- "$cmake_arg" + sof/scripts/fuzz.sh -i '${{ matrix.IPC }}' -o fuzz-stdout.txt -t "$duration" -j"$(nproc)" - name: Upload stdout uses: actions/upload-artifact@v4
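Review bot: In the last ipc_fuzzer.yml hunk, the unchanged context line `duration="${{inputs.fuzzing_duration_s}}"` expands a workflow input into the script text before the shell parses it, so quoting inside the script does not constrain what the input can contain. Since this step is being edited anyway, pass the input through the step's environment instead: `FUZZ_DURATION: ${{ inputs.fuzzing_duration_s }}` under `env:`, and `duration="${FUZZ_DURATION:-301}"` in the script. The step header is outside the hunk, so whether an `env:` block already exists is not visible. The removed `case` was also the only place that mapped `matrix.IPC` onto known values; with the static matrix `[3, 4]` that is harmless, but it leaves validation entirely to fuzz.sh `-i`.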