refactor: Standardize Ubuntu image configurations

Aligns ubuntu-20-04 image configurations to match their legacy
counterparts, ensuring consistency and simplifying maintenance.

- Version-specific scripts (e.g., *_ubuntu_20_04.sh) are updated to
  mirror the content of their generic legacy equivalents.
- ubuntu-20-04 Dockerfiles are modified to replicate the logic of the
  legacy Dockerfiles.
- The LLVM version for ubuntu-24-04 images is reverted to the legacy
  version to maintain toolchain consistency across all images.

Adds a new GitHub Actions workflow (sync-checker.yml) to automatically
verify that changes to legacy files are propagated to their Ubuntu
version-specific counterparts in future pull requests.

Author: hunsche

.github/workflows/sync-checker.yml

@@ -0,0 +1,98 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+name: 'Check Ubuntu Config Sync'
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  check-sync:
+    runs-on: ubuntu-latest
+    steps:
+    - name: 'Checkout code'
+      uses: actions/checkout@v4
+      with:
+        # Fetch all history so we can diff against the base branch.
+        fetch-depth: 0
+
+    - name: 'Run sync check'
+      run: |
+        set -e
+        
+        MODIFIED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }})
+        echo "Checking for synchronized file changes..."
+        echo "Modified files in this PR:"
+        echo "$MODIFIED_FILES"
+        
+        ERRORS=""
+
+        # Define the mapping of legacy files to their versioned counterparts.
+        # Format: "legacy_file;versioned_file_pattern"
+        # The pattern uses {version} which will be replaced with "ubuntu-20-04" and "ubuntu-24-04".
+        # For Dockerfiles, the pattern is different from scripts.
+        declare -A LEGACY_DOCKERFILES
+        LEGACY_DOCKERFILES["infra/base-images/base-builder-fuzzbench/Dockerfile"]="infra/base-images/base-builder-fuzzbench/{version}.Dockerfile"
+        LEGACY_DOCKERFILES["infra/base-images/base-builder-swift/Dockerfile"]="infra/base-images/base-builder-swift/{version}.Dockerfile"
+        LEGACY_DOCKERFILES["infra/base-images/base-builder/Dockerfile"]="infra/base-images/base-builder/{version}.Dockerfile"
+        LEGACY_DOCKERFILES["infra/base-images/base-clang/Dockerfile"]="infra/base-images/base-clang/{version}.Dockerfile"
+        LEGACY_DOCKERFILES["infra/base-images/base-runner/Dockerfile"]="infra/base-images/base-runner/{version}.Dockerfile"
+
+        declare -A LEGACY_SCRIPTS
+        LEGACY_SCRIPTS["infra/base-images/base-builder-fuzzbench/fuzzbench_install_dependencies"]="infra/base-images/base-builder-fuzzbench/fuzzbench_install_dependencies_{version}"
+        LEGACY_SCRIPTS["infra/base-images/base-builder/install_swift.sh"]="infra/base-images/base-builder/install_swift_{version}.sh"
+        LEGACY_SCRIPTS["infra/base-images/base-builder/precompile_honggfuzz"]="infra/base-images/base-builder/precompile_honggfuzz_{version}"
+        LEGACY_SCRIPTS["infra/base-images/base-clang/checkout_build_install_llvm.sh"]="infra/base-images/base-clang/checkout_build_install_llvm_{version}.sh"
+        LEGACY_SCRIPTS["infra/base-images/base-runner/install_deps.sh"]="infra/base-images/base-runner/install_deps_{version}.sh"
+
+        VERSIONS=("ubuntu-20-04" "ubuntu-24-04")
+
+        # Check Dockerfiles
+        for legacy_file in "${{!LEGACY_DOCKERFILES[@]}}"; do
+          if echo "$MODIFIED_FILES" | grep -q "^${legacy_file}$"; then
+            echo "Legacy file changed: $legacy_file. Verifying counterparts..."
+            for version in "${{VERSIONS[@]}}"; do
+              pattern=${{LEGACY_DOCKERFILES[$legacy_file]}}
+              versioned_file="${{pattern/{{version}}/$version}}"
+              if ! echo "$MODIFIED_FILES" | grep -q "^${{versioned_file}}$"; then
+                ERRORS+="\n- Legacy file '${legacy_file}' was changed, but its counterpart '${versioned_file}' was not."
+              fi
+            done
+          fi
+        done
+
+        # Check Scripts
+        for legacy_file in "${{!LEGACY_SCRIPTS[@]}}"; do
+          if echo "$MODIFIED_FILES" | grep -q "^${legacy_file}$"; then
+            echo "Legacy script changed: $legacy_file. Verifying counterparts..."
+            for version in "${{VERSIONS[@]}}"; do
+              pattern=${{LEGACY_SCRIPTS[$legacy_file]}}
+              versioned_file="${{pattern/{{version}}/$version}}"
+              if ! echo "$MODIFIED_FILES" | grep -q "^${{versioned_file}}$"; then
+                ERRORS+="\n- Legacy script '${legacy_file}' was changed, but its counterpart '${versioned_file}' was not."
+              fi
+            done
+          fi
+        done
+
+        if [ -n "$ERRORS" ]; then
+          echo -e "\n\e[31mError: Found synchronization issues between legacy and versioned files.\e[0m"
+          echo -e "Please update the following files to match their legacy counterparts or ensure they are included in this PR:$ERRORS"
+          exit 1
+        else
+          echo -e "\n\e[32mSuccess: All modified legacy files are synchronized with their versioned counterparts.\e[0m"
+        fi

infra/base-images/base-builder-fuzzbench/fuzzbench_install_dependencies_ubuntu_20_04

@@ -19,4 +19,4 @@ apt-get update && apt-get install -y gcc gfortran python-dev libopenblas-dev lib
 wget -O /tmp/requirements.txt https://raw.githubusercontent.com/google/fuzzbench/master/requirements.txt
 pip3 install pip --upgrade
 CFLAGS= CXXFLAGS= pip3 install -r /tmp/requirements.txt
-rm /tmp/requirements.txt
+rm /tmp/requirements.txt

infra/base-images/base-builder-swift/ubuntu-20-04.Dockerfile

@@ -16,7 +16,6 @@
 
 FROM gcr.io/oss-fuzz-base/base-builder:ubuntu-20-04
 
-COPY llvmsymbol.diff /src/
 RUN install_swift_ubuntu_20_04.sh
 
 COPY precompile_swift /usr/local/bin/

infra/base-images/base-builder/install_swift_ubuntu_20_04.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -eux
-# Copyright 2025 Google LLC
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -64,4 +64,4 @@ rm -rf llvm-project llvmsymbol.diff
 
 # TODO: Cleanup packages
 apt-get remove --purge -y wget zlib1g-dev
-apt-get autoremove -y
+apt-get autoremove -y

infra/base-images/base-builder/precompile_honggfuzz_ubuntu_20_04

@@ -1,4 +1,4 @@
-#!/bin/bash -eu
+#!/bin/bash -eux
 # Copyright 2019 Google Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,7 +33,8 @@ make clean
 # These CFLAGs match honggfuzz's default, with the exception of -mtune to
 # improve portability and `-D_HF_LINUX_NO_BFD` to remove assembly instructions
 # from the filenames.
-CC=clang CFLAGS="-O3 -funroll-loops -D_HF_LINUX_NO_BFD" make
+sed -i 's/-Werror//g' Makefile
+CC=clang CFLAGS="-O3 -funroll-loops -D_HF_LINUX_NO_BFD -Wno-unterminated-string-initialization -Wno-error" make
 
 # libhfuzz.a will be added by CC/CXX linker directly during linking,
 # but it's defined here to satisfy the build infrastructure
@@ -42,4 +43,4 @@ popd > /dev/null
 
 apt-get remove -y --purge ${PACKAGES[@]}
 apt-get autoremove -y
-echo "Done."
+echo "Done."

infra/base-images/base-builder/ubuntu-20-04.Dockerfile

@@ -122,10 +122,12 @@ ENV FUZZER_LDFLAGS ""
 
 WORKDIR $SRC
 
+COPY afl_llvm22_patch.diff $SRC/
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
-    git checkout daaefcddc063b356018c29027494a00bcfc3e240 && \
+    git checkout eadc8a2a7e0fa0338802ee6254bf296489ce4fd7 && \
     wget --no-check-certificate -O oss.sh https://raw.githubusercontent.com/vanhauser-thc/binary_blobs/master/oss.sh && \
+    git apply $SRC/afl_llvm22_patch.diff && \
     rm -rf .git && \
     chmod 755 oss.sh
 

infra/base-images/base-clang/checkout_build_install_llvm_ubuntu_20_04.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -eux
-# Copyright 2025 Google LLC
+# Copyright 2016 Google Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -60,14 +60,15 @@ apt-get update && apt-get install -y $LLVM_DEP_PACKAGES --no-install-recommends
 # languages, projects, ...) is needed.
 # Check CMAKE_VERSION infra/base-images/base-clang/Dockerfile was released
 # recently enough to fully support this clang version.
-OUR_LLVM_REVISION=llvmorg-18.1.8
+OUR_LLVM_REVISION=cb2f0d0a5f14
 
 mkdir $SRC/chromium_tools
 cd $SRC/chromium_tools
 git clone https://chromium.googlesource.com/chromium/src/tools/clang
 cd clang
 # Pin clang script due to https://github.com/google/oss-fuzz/issues/7617
-git checkout 9eb79319239629c1b23cf7a59e5ebb2bab319a34
+OUR_CLANG_REVISION=063d3766486a820c708e888d737b004d11543410
+git checkout $OUR_CLANG_REVISION
 
 LLVM_SRC=$SRC/llvm-project
 # Checkout
@@ -79,7 +80,7 @@ function clone_with_retries {
 
   # Disable exit on error since we might encounter some failures while retrying.
   set +e
-  for i in $(seq 1 $CHECKOUT_RETRIES); do
+  for i in $(seq 1 $CHECKOUT_RETRIES);
     rm -rf $LOCAL_PATH
     git clone $REPOSITORY $LOCAL_PATH
     CHECKOUT_RETURN_CODE=$?
@@ -97,7 +98,16 @@ clone_with_retries https://github.com/llvm/llvm-project.git $LLVM_SRC
 git -C $LLVM_SRC checkout $OUR_LLVM_REVISION
 echo "Using LLVM revision: $OUR_LLVM_REVISION"
 
-# For fuzz introspector.
+# Prepare fuzz introspector.
+echo "Installing fuzz introspector"
+FUZZ_INTROSPECTOR_CHECKOUT=341ebbd72bc9116733bcfcfab5adfd7f9b633e07
+
+git clone https://github.com/ossf/fuzz-introspector.git /fuzz-introspector
+cd /fuzz-introspector
+git checkout $FUZZ_INTROSPECTOR_CHECKOUT
+git submodule init
+git submodule update
+
 echo "Applying introspector changes"
 OLD_WORKING_DIR=$PWD
 cd $LLVM_SRC
@@ -107,6 +117,7 @@ cp -rf /fuzz-introspector/frontends/llvm/lib/Transforms/FuzzIntrospector ./llvm/
 # LLVM currently does not support dynamically loading LTO passes. Thus, we
 # hardcode it into Clang instead. Ref: https://reviews.llvm.org/D77704
 /fuzz-introspector/frontends/llvm/patch-llvm.sh
+
 cd $OLD_WORKING_DIR
 
 mkdir -p $WORK/llvm-stage2 $WORK/llvm-stage1
@@ -134,7 +145,7 @@ if [[ -n "$FULL_LLVM_BUILD" ]]; then
   export LIBRARY_PATH=/usr/local/lib/x86_64-unknown-linux-gnu/
 fi
 
-# Note: LLVM_ENABLE_LIBCXX=ON doesn't break the build even if libcxx doesn't
+# Note: LLVM_ENABLE_LIBCXX=ON doesn't break the build even if libcxx doesn\'t
 # exist.
 cmake -G "Ninja" \
   -DLIBCXX_ENABLE_SHARED=OFF \
@@ -179,6 +190,7 @@ function free_disk_space {
       /usr/local/bin/llvm-as \
       /usr/local/bin/llvm-config \
       /usr/local/bin/llvm-cov \
+      /usr/local/bin/llvm-link \
       /usr/local/bin/llvm-objcopy \
       /usr/local/bin/llvm-nm \
       /usr/local/bin/llvm-profdata \
@@ -281,4 +293,4 @@ ninja -j $NPROC cxx
 ninja install-cxx
 rm -rf $WORK/msan
 
-free_disk_space
+free_disk_space

infra/base-images/base-clang/checkout_build_install_llvm_ubuntu_24_04.sh

@@ -60,14 +60,14 @@ apt-get update && apt-get install -y $LLVM_DEP_PACKAGES --no-install-recommends
 # languages, projects, ...) is needed.
 # Check CMAKE_VERSION infra/base-images/base-clang/Dockerfile was released 
 # recently enough to fully support this clang version.
-OUR_LLVM_REVISION=llvmorg-18.1.8
+OUR_LLVM_REVISION=cb2f0d0a5f14
 
 mkdir $SRC/chromium_tools
 cd $SRC/chromium_tools
 git clone https://chromium.googlesource.com/chromium/src/tools/clang
 cd clang
 # Pin clang script due to https://github.com/google/oss-fuzz/issues/7617
-git checkout 9eb79319239629c1b23cf7a59e5ebb2bab319a34
+git checkout 063d3766486a820c708e888d737b004d11543410
 
 LLVM_SRC=$SRC/llvm-project
 # Checkout

infra/base-images/base-clang/ubuntu-20-04.Dockerfile

@@ -33,15 +33,6 @@ RUN apt-get update && apt-get install -y wget sudo && \
     SUDO_FORCE_REMOVE=yes apt-get autoremove --purge -y wget sudo && \
     rm -rf /usr/local/doc/cmake /usr/local/bin/cmake-gui
 
-RUN apt-get update && apt-get install -y git && \
-    git clone https://github.com/ossf/fuzz-introspector.git fuzz-introspector && \
-    cd fuzz-introspector && \
-    git checkout 332d674f00b8abc4c9ebf10e9c42e5b72b331c63 && \
-    git submodule init && \
-    git submodule update && \
-    apt-get autoremove --purge -y git && \
-    rm -rf .git
-
 COPY checkout_build_install_llvm_ubuntu_20_04.sh /root/
 # Keep all steps in the same script to decrease the number of intermediate
 # layes in docker file.
@@ -67,12 +58,12 @@ ENV CCC "clang++"
 ENV CFLAGS -O1 \
   -fno-omit-frame-pointer \
   -gline-tables-only \
-  -Wno-error=enum-constexpr-conversion \
   -Wno-error=incompatible-function-pointer-types \
   -Wno-error=int-conversion \
   -Wno-error=deprecated-declarations \
   -Wno-error=implicit-function-declaration \
   -Wno-error=implicit-int \
+  -Wno-error=unknown-warning-option \
   -Wno-error=vla-cxx-extension \
   -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 ENV CXXFLAGS_EXTRA "-stdlib=libc++"

infra/base-images/base-runner/install_deps_ubuntu_20_04.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -eux
-# Copyright 2025 Google LLC
+# Copyright 2022 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -35,4 +35,4 @@ case $(uname -m) in
     # We only need to worry about i386 if we are on x86_64.
     apt-get install -y lib32gcc1 libc6-i386
     ;;
-esac
+esac