fuzz: Use libFuzzer instead of afl-fuzz

This allows us to have faster fuzz cycles since the fuzzer is in-process.

Makefile

@@ -68,10 +68,9 @@ test: $(EXECUTABLE)
 	./$(EXECUTABLE)
 endif
 
-fuzz:
+fuzz_%: $(BUILD)/fuzz_%
-	@mkdir -p $(BUILD)
+	@mkdir -p build/$@
-	$(AFL)/afl-clang++ tests/fuzz_parse.cpp tests/allocator.cpp src/pugixml.cpp $(CXXFLAGS) -o $(BUILD)/fuzz_parse
+	$< build/$@ tests/data_$*
-	$(AFL)/afl-fuzz -i tests/data_fuzz_parse -o $(BUILD)/fuzz_parse_out -x $(AFL)/testcases/_extras/xml/ -- $(BUILD)/fuzz_parse @@
 
 clean:
 	rm -rf $(BUILD)
@@ -87,6 +86,10 @@ build/pugixml-%: .FORCE | $(RELEASE)
 $(EXECUTABLE): $(OBJECTS)
 	$(CXX) $(OBJECTS) $(LDFLAGS) -o $@
 
+$(BUILD)/fuzz_%: tests/fuzz_%.cpp src/pugixml.cpp
+	@mkdir -p $(BUILD)
+	clang++ $(CXXFLAGS) -fsanitize=address -fsanitize-coverage=trace-pc-guard $^ libFuzzer.a -o $@
+
 $(BUILD)/%.o: %
 	@mkdir -p $(dir $@)
 	$(CXX) $< $(CXXFLAGS) -c -MMD -MP -o $@

tests/fuzz_parse.cpp

@@ -1,16 +1,14 @@
 #include "../src/pugixml.hpp"
-#include "allocator.hpp"
 
-int main(int argc, const char** argv)
+#include <stdint.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
-    pugi::set_memory_management_functions(memory_allocate, memory_deallocate);
-
     pugi::xml_document doc;
 
-    for (int i = 1; i < argc; ++i)
+	doc.load_buffer(Data, Size);
-    {
+	doc.load_buffer(Data, Size, pugi::parse_minimal);
-	    doc.load_file(argv[i]);
+	doc.load_buffer(Data, Size, pugi::parse_full);
-	    doc.load_file(argv[i], pugi::parse_minimal);
+
-	    doc.load_file(argv[i], pugi::parse_full);
+	return 0;
-	}
 }