Mercurial > hg > CbC > CbC_llvm

annotate docs/LibFuzzer.rst @ 120:1172e4bd9c6f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
update 4.0.0
author mir3636
date Fri, 25 Nov 2016 19:14:25 +0900
parents 7d135dc70f03
children 803732b1fca8
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
1 =======================================================
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
2 libFuzzer – a library for coverage-guided fuzz testing.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
3 =======================================================
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
4 .. contents::
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
5 :local:
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
6 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
7
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
8 Introduction
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
9 ============
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
10
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
11 LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
12
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
13 LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
14 library via a specific fuzzing entrypoint (aka "target function"); the fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
15 then tracks which areas of the code are reached, and generates mutations on the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
16 corpus of input data in order to maximize the code coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
17 The code coverage
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
18 information for libFuzzer is provided by LLVM's SanitizerCoverage_
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
19 instrumentation.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
20
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
21 Contact: libfuzzer(#)googlegroups.com
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
22
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
23 Versions
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
24 ========
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
25
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
26 LibFuzzer is under active development so you will need the current
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
27 (or at least a very recent) version of the Clang compiler.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
28
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
29 (If `building Clang from trunk`_ is too time-consuming or difficult, then
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
30 the Clang binaries that the Chromium developers build are likely to be
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
31 fairly recent:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
32
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
33 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
34
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
35 mkdir TMP_CLANG
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
36 cd TMP_CLANG
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
37 git clone https://chromium.googlesource.com/chromium/src/tools/clang
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
38 cd ..
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
39 TMP_CLANG/clang/scripts/update.py
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
40
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
41 This installs the Clang binary as
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
42 ``./third_party/llvm-build/Release+Asserts/bin/clang``)
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
43
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
44 The libFuzzer code resides in the LLVM repository, and requires a recent Clang
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
45 compiler to build (and is used to `fuzz various parts of LLVM itself`_).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
46 However the fuzzer itself does not (and should not) depend on any part of LLVM
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
47 infrastructure and can be used for other projects without requiring the rest
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
48 of LLVM.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
49
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
50
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
51 Getting Started
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
52 ===============
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
53
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
54 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
55 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
56 :depth: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
57
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
58 Fuzz Target
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
59 -----------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
60
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
61 The first step in using libFuzzer on a library is to implement a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
62 *fuzz target* -- a function that accepts an array of bytes and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
63 does something interesting with these bytes using the API under test.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
64 Like this:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
65
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
66 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
67
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
68 // fuzz_target.cc
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
69 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
70 DoSomethingInterestingWithMyAPI(Data, Size);
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
71 return 0; // Non-zero return values are reserved for future use.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
72 }
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
73
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
74 Note that this fuzz target does not depend on libFuzzer in any way
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
75 and so it is possible and even desirable to use it with other fuzzing engines
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
76 e.g. AFL_ and/or Radamsa_.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
77
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
78 Some important things to remember about fuzz targets:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
79
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
80 * The fuzzing engine will execute the fuzz target many times with different inputs in the same process.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
81 * It must tolerate any kind of input (empty, huge, malformed, etc).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
82 * It must not `exit()` on any input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
83 * It may use threads but ideally all threads should be joined at the end of the function.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
84 * It must be as deterministic as possible. Non-determinism (e.g. random decisions not based on the input bytes) will make fuzzing inefficient.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
85 * It must be fast. Try avoiding cubic or greater complexity, logging, or excessive memory consumption.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
86 * Ideally, it should not modify any global state (although that's not strict).
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
87
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
88
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
89 Building
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
90 --------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
91
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
92 Next, build the libFuzzer library as a static archive, without any sanitizer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
93 options. Note that the libFuzzer library contains the ``main()`` function:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
94
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
95 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
96
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
97 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer # or git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
98 ./Fuzzer/build.sh # Produces libFuzzer.a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
99
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
100 Then build the fuzzing target function and the library under test using
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
101 the SanitizerCoverage_ option, which instruments the code so that the fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
102 can retrieve code coverage information (to guide the fuzzing). Linking with
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
103 the libFuzzer code then gives a fuzzer executable.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
104
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
105 You should also enable one or more of the *sanitizers*, which help to expose
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
106 latent bugs by making incorrect behavior generate errors at runtime:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
107
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
108 - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
109 - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explicitly
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
110 listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefined`
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
111 or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
112 You may combine ASAN and UBSAN in one build.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
113 - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
114 contents that have not been initialized to a specific value. Use `-fsanitize=memory`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
115 MSAN can not be combined with other sanirizers and should be used as a seprate build.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
116
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
117 Finally, link with ``libFuzzer.a``::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
118
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
119 clang -fsanitize-coverage=trace-pc-guard -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
121 Corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
122 ------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
123
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
124 Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
125 code under test. This corpus should ideally be seeded with a varied collection
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
126 of valid and invalid inputs for the code under test; for example, for a graphics
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
127 library the initial corpus might hold a variety of different small PNG/JPG/GIF
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
128 files. The fuzzer generates random mutations based around the sample inputs in
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
129 the current corpus. If a mutation triggers execution of a previously-uncovered
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
130 path in the code under test, then that mutation is saved to the corpus for
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
131 future variations.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
132
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
133 LibFuzzer will work without any initial seeds, but will be less
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
134 efficient if the library under test accepts complex,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
135 structured inputs.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
136
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
137 The corpus can also act as a sanity/regression check, to confirm that the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
138 fuzzing entrypoint still works and that all of the sample inputs run through
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
139 the code under test without problems.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
140
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
141 If you have a large corpus (either generated by fuzzing or acquired by other means)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
142 you may want to minimize it while still preserving the full coverage. One way to do that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
143 is to use the `-merge=1` flag:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
144
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
145 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
146
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
147 mkdir NEW_CORPUS_DIR # Store minimized corpus here.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
148 ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
149
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
150 You may use the same flag to add more interesting items to an existing corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
151 Only the inputs that trigger new coverage will be added to the first corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
152
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
153 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
154
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
155 ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
156
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
157
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
158 Running
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
159 -------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
160
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
161 To run the fuzzer, first create a Corpus_ directory that holds the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
162 initial "seed" sample inputs:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
163
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
164 .. code-block:: console
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
165
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
166 mkdir CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
167 cp /some/input/samples/* CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
168
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
169 Then run the fuzzer on the corpus directory:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
170
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
171 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
172
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
173 ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
174
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
175 As the fuzzer discovers new interesting test cases (i.e. test cases that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
176 trigger coverage of new paths through the code under test), those test cases
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
177 will be added to the corpus directory.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
178
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
179 By default, the fuzzing process will continue indefinitely – at least until
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
180 a bug is found. Any crashes or sanitizer failures will be reported as usual,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
181 stopping the fuzzing process, and the particular input that triggered the bug
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
182 will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
183 or ``timeout-<sha1>``).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
184
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
185
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
186 Parallel Fuzzing
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
187 ----------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
188
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
189 Each libFuzzer process is single-threaded, unless the library under test starts
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
190 its own threads. However, it is possible to run multiple libFuzzer processes in
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
191 parallel with a shared corpus directory; this has the advantage that any new
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
192 inputs found by one fuzzer process will be available to the other fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
193 processes (unless you disable this with the ``-reload=0`` option).
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
194
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
195 This is primarily controlled by the ``-jobs=N`` option, which indicates that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
196 that `N` fuzzing jobs should be run to completion (i.e. until a bug is found or
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
197 time/iteration limits are reached). These jobs will be run across a set of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
198 worker processes, by default using half of the available CPU cores; the count of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
199 worker processes can be overridden by the ``-workers=N`` option. For example,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
200 running with ``-jobs=30`` on a 12-core machine would run 6 workers by default,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
201 with each worker averaging 5 bugs by completion of the entire process.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
202
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
203
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
204 Options
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
205 =======
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
206
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
207 To run the fuzzer, pass zero or more corpus directories as command line
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
208 arguments. The fuzzer will read test inputs from each of these corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
209 directories, and any new test inputs that are generated will be written
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
210 back to the first corpus directory:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
211
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
212 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
213
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
214 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
215
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
216 If a list of files (rather than directories) are passed to the fuzzer program,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
217 then it will re-run those files as test inputs but will not perform any fuzzing.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
218 In this mode the fuzzer binary can be used as a regression test (e.g. on a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
219 continuous integration system) to check the target function and saved inputs
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
220 still work.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
221
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
222 The most important command line options are:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
223
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
224 ``-help``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
225 Print help message.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
226 ``-seed``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
227 Random seed. If 0 (the default), the seed is generated.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
228 ``-runs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
229 Number of individual test runs, -1 (the default) to run indefinitely.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
230 ``-max_len``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
231 Maximum length of a test input. If 0 (the default), libFuzzer tries to guess
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
232 a good value based on the corpus (and reports it).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
233 ``-timeout``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
234 Timeout in seconds, default 1200. If an input takes longer than this timeout,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
235 the process is treated as a failure case.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
236 ``-rss_limit_mb``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
237 Memory usage limit in Mb, default 2048. Use 0 to disable the limit.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
238 If an input requires more than this amount of RSS memory to execute,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
239 the process is treated as a failure case.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
240 The limit is checked in a separate thread every second.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
241 If running w/o ASAN/MSAN, you may use 'ulimit -v' instead.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
242 ``-timeout_exitcode``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
243 Exit code (default 77) used if libFuzzer reports a timeout.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
244 ``-error_exitcode``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
245 Exit code (default 77) used if libFuzzer itself (not a sanitizer) reports a bug (leak, OOM, etc).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
246 ``-max_total_time``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
247 If positive, indicates the maximum total time in seconds to run the fuzzer.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
248 If 0 (the default), run indefinitely.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
249 ``-merge``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
250 If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
251 that trigger new code coverage will be merged into the first corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
252 directory. Defaults to 0. This flag can be used to minimize a corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
253 ``-minimize_crash``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
254 If 1, minimizes the provided crash input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
255 Use with -runs=N or -max_total_time=N to limit the number of attempts.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
256 ``-reload``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
257 If set to 1 (the default), the corpus directory is re-read periodically to
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
258 check for new inputs; this allows detection of new inputs that were discovered
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
259 by other fuzzing processes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
260 ``-jobs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
261 Number of fuzzing jobs to run to completion. Default value is 0, which runs a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
262 single fuzzing process until completion. If the value is >= 1, then this
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
263 number of jobs performing fuzzing are run, in a collection of parallel
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
264 separate worker processes; each such worker process has its
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
265 ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
266 ``-workers``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
267 Number of simultaneous worker processes to run the fuzzing jobs to completion
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
268 in. If 0 (the default), ``min(jobs, NumberOfCpuCores()/2)`` is used.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
269 ``-dict``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
270 Provide a dictionary of input keywords; see Dictionaries_.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
271 ``-use_counters``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
272 Use `coverage counters`_ to generate approximate counts of how often code
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
273 blocks are hit; defaults to 1.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
274 ``-use_value_profile``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
275 Use `value profile`_ to guide corpus expansion; defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
276 ``-only_ascii``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
277 If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
278 ``-artifact_prefix``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
279 Provide a prefix to use when saving fuzzing artifacts (crash, timeout, or
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
280 slow inputs) as ``$(artifact_prefix)file``. Defaults to empty.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
281 ``-exact_artifact_path``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
282 Ignored if empty (the default). If non-empty, write the single artifact on
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
283 failure (crash, timeout) as ``$(exact_artifact_path)``. This overrides
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
284 ``-artifact_prefix`` and will not use checksum in the file name. Do not use
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
285 the same path for several parallel processes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
286 ``-print_pcs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
287 If 1, print out newly covered PCs. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
288 ``-print_final_stats``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
289 If 1, print statistics at exit. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
290 ``-detect_leaks``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
291 If 1 (default) and if LeakSanitizer is enabled
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
292 try to detect memory leaks during fuzzing (i.e. not only at shut down).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
293 ``-close_fd_mask``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
294 Indicate output streams to close at startup. Be careful, this will
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
295 remove diagnostic output from target code (e.g. messages on assert failure).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
296
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
297 - 0 (default): close neither ``stdout`` nor ``stderr``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
298 - 1 : close ``stdout``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
299 - 2 : close ``stderr``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
300 - 3 : close both ``stdout`` and ``stderr``.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
301
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
302 For the full list of flags run the fuzzer binary with ``-help=1``.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
303
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
304 Output
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
305 ======
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
306
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
307 During operation the fuzzer prints information to ``stderr``, for example::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
308
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
309 INFO: Seed: 1523017872
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
310 INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0),
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
311 INFO: -max_len is not provided, using 64
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
312 INFO: A corpus is not provided, starting from an empty corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
313 #0 READ units: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
314 #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
315 #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
316 #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
317 #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
318 #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
319 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
320
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
321 The early parts of the output include information about the fuzzer options and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
322 configuration, including the current random seed (in the ``Seed:`` line; this
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
323 can be overridden with the ``-seed=N`` flag).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
324
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
325 Further output lines have the form of an event code and statistics. The
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
326 possible event codes are:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
327
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
328 ``READ``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
329 The fuzzer has read in all of the provided input samples from the corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
330 directories.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
331 ``INITED``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
332 The fuzzer has completed initialization, which includes running each of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
333 the initial input samples through the code under test.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
334 ``NEW``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
335 The fuzzer has created a test input that covers new areas of the code
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
336 under test. This input will be saved to the primary corpus directory.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
337 ``pulse``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
338 The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
339 the user that the fuzzer is still working).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
340 ``DONE``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
341 The fuzzer has completed operation because it has reached the specified
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
342 iteration limit (``-runs``) or time limit (``-max_total_time``).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
343 ``MIN<n>``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
344 The fuzzer is minimizing the combination of input corpus directories into
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
345 a single unified corpus (due to the ``-merge`` command line option).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
346 ``RELOAD``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
347 The fuzzer is performing a periodic reload of inputs from the corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
348 directory; this allows it to discover any inputs discovered by other
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
349 fuzzer processes (see `Parallel Fuzzing`_).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
350
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
351 Each output line also reports the following statistics (when non-zero):
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
352
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
353 ``cov:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
354 Total number of code blocks or edges covered by the executing the current
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
355 corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
356 ``ft:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
357 libFuzzer uses different signals to evaluate the code coverage:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
358 edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
359 These signals combined are called *features* (`ft:`).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
360 ``corp:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
361 Number of entries in the current in-memory test corpus and its size in bytes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
362 ``exec/s:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
363 Number of fuzzer iterations per second.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
364 ``rss:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
365 Current memory consumption.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
366
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
367 For ``NEW`` events, the output line also includes information about the mutation
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
368 operation that produced the new input:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
369
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
370 ``L:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
371 Size of the new input in bytes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
372 ``MS: <n> <operations>``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
373 Count and list of the mutation operations used to generate the input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
374
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
375
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
376 Examples
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
377 ========
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
378 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
379 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
380 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
381
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
382 Toy example
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
383 -----------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
384
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
385 A simple function that does something interesting if it receives the input
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
386 "HI!"::
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
387
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
388 cat << EOF > test_fuzzer.cc
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
389 #include <stdint.h>
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
390 #include <stddef.h>
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
391 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
392 if (size > 0 && data[0] == 'H')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
393 if (size > 1 && data[1] == 'I')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
394 if (size > 2 && data[2] == '!')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
395 __builtin_trap();
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
396 return 0;
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
397 }
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
398 EOF
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
399 # Build test_fuzzer.cc with asan and link against libFuzzer.a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
400 clang++ -fsanitize=address -fsanitize-coverage=trace-pc-guard test_fuzzer.cc libFuzzer.a
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
401 # Run the fuzzer with no corpus.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
402 ./a.out
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
403
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
404 You should get an error pretty quickly::
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
405
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
406 INFO: Seed: 1523017872
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
407 INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0),
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
408 INFO: -max_len is not provided, using 64
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
409 INFO: A corpus is not provided, starting from an empty corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
410 #0 READ units: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
411 #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
412 #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
413 #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
414 #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
415 #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
416 ==31511== ERROR: libFuzzer: deadly signal
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
417 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
418 artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
419
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
420
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
421 More examples
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
422 -------------
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
423
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
424 Examples of real-life fuzz targets and the bugs they find can be found
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
425 at http://tutorial.libfuzzer.info. Among other things you can learn how
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
426 to detect Heartbleed_ in one second.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
427
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
428
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
429 Advanced features
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
430 =================
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
431 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
432 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
433 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
434
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
435 Dictionaries
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
436 ------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
437 LibFuzzer supports user-supplied dictionaries with input language keywords
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
438 or other interesting byte sequences (e.g. multi-byte magic values).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
439 Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
440 may significantly improve the search speed.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
441 The dictionary syntax is similar to that used by AFL_ for its ``-x`` option::
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
442
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
443 # Lines starting with '#' and empty lines are ignored.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
444
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
445 # Adds "blah" (w/o quotes) to the dictionary.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
446 kw1="blah"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
447 # Use \\ for backslash and \" for quotes.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
448 kw2="\"ac\\dc\""
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
449 # Use \xAB for hex values
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
450 kw3="\xF7\xF8"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
451 # the name of the keyword followed by '=' may be omitted:
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
452 "foo\x0Abar"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
453
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
454
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
455
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
456 Tracing CMP instructions
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
457 ------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
458
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
459 With an additional compiler flag ``-fsanitize-coverage=trace-cmp``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
460 (see SanitizerCoverageTraceDataFlow_)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
461 libFuzzer will intercept CMP instructions and guide mutations based
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
462 on the arguments of intercepted CMP instructions. This may slow down
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
463 the fuzzing but is very likely to improve the results.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
464
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
465 Value Profile
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
466 -------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
467
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
468 *EXPERIMENTAL*.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
469 With ``-fsanitize-coverage=trace-cmp``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
470 and extra run-time flag ``-use_value_profile=1`` the fuzzer will
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
471 collect value profiles for the parameters of compare instructions
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
472 and treat some new values as new coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
473
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
474 The current imlpementation does roughly the following:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
475
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
476 * The compiler instruments all CMP instructions with a callback that receives both CMP arguments.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
477 * The callback computes `(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)` and uses this value to set a bit in a bitset.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
478 * Every new observed bit in the bitset is treated as new coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
479
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
480
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
481 This feature has a potential to discover many interesting inputs,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
482 but there are two downsides.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
483 First, the extra instrumentation may bring up to 2x additional slowdown.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
484 Second, the corpus may grow by several times.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
485
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
486 Fuzzer-friendly build mode
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
487 ---------------------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
488 Sometimes the code under test is not fuzzing-friendly. Examples:
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
489
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
490 - The target code uses a PRNG seeded e.g. by system time and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
491 thus two consequent invocations may potentially execute different code paths
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
492 even if the end result will be the same. This will cause a fuzzer to treat
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
493 two similar inputs as significantly different and it will blow up the test corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
494 E.g. libxml uses ``rand()`` inside its hash table.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
495 - The target code uses checksums to protect from invalid inputs.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
496 E.g. png checks CRC for every chunk.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
497
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
498 In many cases it makes sense to build a special fuzzing-friendly build
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
499 with certain fuzzing-unfriendly features disabled. We propose to use a common build macro
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
500 for all such cases for consistency: ``FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION``.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
501
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
502 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
503
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
504 void MyInitPRNG() {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
505 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
506 // In fuzzing mode the behavior of the code should be deterministic.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
507 srand(0);
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
508 #else
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
509 srand(time(0));
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
510 #endif
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
511 }
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
512
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
513
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
514
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
515 AFL compatibility
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
516 -----------------
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
517 LibFuzzer can be used together with AFL_ on the same test corpus.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
518 Both fuzzers expect the test corpus to reside in a directory, one file per input.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
519 You can run both fuzzers on the same corpus, one after another:
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
520
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
521 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
522
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
523 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
524 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
525
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
526 Periodically restart both fuzzers so that they can use each other's findings.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
527 Currently, there is no simple way to run both fuzzing engines in parallel while sharing the same corpus dir.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
528
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
529 You may also use AFL on your target function ``LLVMFuzzerTestOneInput``:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
530 see an example `here <https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/afl/afl_driver.cpp>`__.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
531
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
532 How good is my fuzzer?
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
533 ----------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
534
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
535 Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
536 you will want to know whether the function or the corpus can be improved further.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
537 One easy to use metric is, of course, code coverage.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
538 You can get the coverage for your corpus like this:
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
539
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
540 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
541
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
542 ASAN_OPTIONS=coverage=1 ./fuzzer CORPUS_DIR -runs=0
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
543
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
544 This will run all tests in the CORPUS_DIR but will not perform any fuzzing.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
545 At the end of the process it will dump a single ``.sancov`` file with coverage
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
546 information. See SanitizerCoverage_ for details on querying the file using the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
547 ``sancov`` tool.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
548
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
549 You may also use other ways to visualize coverage,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
550 e.g. using `Clang coverage <http://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
551 but those will require
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
552 you to rebuild the code with different compiler flags.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
553
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
554 User-supplied mutators
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
555 ----------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
556
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
557 LibFuzzer allows to use custom (user-supplied) mutators,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
558 see FuzzerInterface.h_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
559
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
560 Startup initialization
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
561 ----------------------
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
562 If the library being tested needs to be initialized, there are several options.
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
563
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
564 The simplest way is to have a statically initialized global object inside
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
565 `LLVMFuzzerTestOneInput` (or in global scope if that works for you):
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
566
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
567 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
568
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
569 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
570 static bool Initialized = DoInitialization();
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
571 ...
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
572
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
573 Alternatively, you may define an optional init function and it will receive
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
574 the program arguments that you can read and modify. Do this **only** if you
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
575 realy need to access ``argv``/``argc``.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
576
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
577 .. code-block:: c++
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
578
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
579 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
580 ReadAndMaybeModify(argc, argv);
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
581 return 0;
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
582 }
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
583
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
584
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
585 Leaks
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
586 -----
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
587
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
588 Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
589 memory leaks at the process shutdown.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
590 For in-process fuzzing this is inconvenient
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
591 since the fuzzer needs to report a leak with a reproducer as soon as the leaky
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
592 mutation is found. However, running full leak detection after every mutation
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
593 is expensive.
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
594
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
595 By default (``-detect_leaks=1``) libFuzzer will count the number of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
596 ``malloc`` and ``free`` calls when executing every mutation.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
597 If the numbers don't match (which by itself doesn't mean there is a leak)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
598 libFuzzer will invoke the more expensive LeakSanitizer_
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
599 pass and if the actual leak is found, it will be reported with the reproducer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
600 and the process will exit.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
601
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
602 If your target has massive leaks and the leak detection is disabled
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
603 you will eventually run out of RAM (see the ``-rss_limit_mb`` flag).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
604
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
605
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
606 Developing libFuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
607 ====================
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
608
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
609 Building libFuzzer as a part of LLVM project and running its test requires
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
610 fresh clang as the host compiler and special CMake configuration:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
611
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
612 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
613
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
614 cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=YES -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON /path/to/llvm
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
615 ninja check-fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
616
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
617
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
618 Fuzzing components of LLVM
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
619 ==========================
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
620 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
621 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
622 :depth: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
623
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
624 To build any of the LLVM fuzz targets use the build instructions above.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
625
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
626 clang-format-fuzzer
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
627 -------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
628 The inputs are random pieces of C++-like text.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
629
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
630 .. code-block:: console
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
631
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
632 ninja clang-format-fuzzer
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
633 mkdir CORPUS_DIR
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
634 ./bin/clang-format-fuzzer CORPUS_DIR
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
635
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
636 Optionally build other kinds of binaries (ASan+Debug, MSan, UBSan, etc).
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
637
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
638 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23052
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
639
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
640 clang-fuzzer
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
641 ------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
642
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
643 The behavior is very similar to ``clang-format-fuzzer``.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
644
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
645 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23057
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
646
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
647 llvm-as-fuzzer
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
648 --------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
649
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
650 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=24639
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
651
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
652 llvm-mc-fuzzer
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
653 --------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
654
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
655 This tool fuzzes the MC layer. Currently it is only able to fuzz the
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
656 disassembler but it is hoped that assembly, and round-trip verification will be
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
657 added in future.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
658
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
659 When run in dissassembly mode, the inputs are opcodes to be disassembled. The
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
660 fuzzer will consume as many instructions as possible and will stop when it
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
661 finds an invalid instruction or runs out of data.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
662
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
663 Please note that the command line interface differs slightly from that of other
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
664 fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
665 a single dash, while other arguments control the operation mode and target in a
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
666 similar manner to ``llvm-mc`` and should have two dashes. For example:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
667
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
668 .. code-block:: console
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
669
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
670 llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
671
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
672 Buildbot
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
673 --------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
674
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
675 A buildbot continuously runs the above fuzzers for LLVM components, with results
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
676 shown at http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer .
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
677
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
678 FAQ
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
679 =========================
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
680
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
681 Q. Why doesn't libFuzzer use any of the LLVM support?
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
682 -----------------------------------------------------
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
683
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
684 There are two reasons.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
685
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
686 First, we want this library to be used outside of the LLVM without users having to
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
687 build the rest of LLVM. This may sound unconvincing for many LLVM folks,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
688 but in practice the need for building the whole LLVM frightens many potential
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
689 users -- and we want more users to use this code.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
690
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
691 Second, there is a subtle technical reason not to rely on the rest of LLVM, or
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
692 any other large body of code (maybe not even STL). When coverage instrumentation
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
693 is enabled, it will also instrument the LLVM support code which will blow up the
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
694 coverage set of the process (since the fuzzer is in-process). In other words, by
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
695 using more external dependencies we will slow down the fuzzer while the main
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
696 reason for it to exist is extreme speed.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
697
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
698 Q. What about Windows then? The fuzzer contains code that does not build on Windows.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
699 ------------------------------------------------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
700
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
701 Volunteers are welcome.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
702
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
703 Q. When libFuzzer is not a good solution for a problem?
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
704 ---------------------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
705
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
706 * If the test inputs are validated by the target library and the validator
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
707 asserts/crashes on invalid inputs, in-process fuzzing is not applicable.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
708 * Bugs in the target library may accumulate without being detected. E.g. a memory
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
709 corruption that goes undetected at first and then leads to a crash while
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
710 testing another input. This is why it is highly recommended to run this
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
711 in-process fuzzer with all sanitizers to detect most bugs on the spot.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
712 * It is harder to protect the in-process fuzzer from excessive memory
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
713 consumption and infinite loops in the target library (still possible).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
714 * The target library should not have significant global state that is not
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
715 reset between the runs.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
716 * Many interesting target libraries are not designed in a way that supports
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
717 the in-process fuzzer interface (e.g. require a file path instead of a
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
718 byte array).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
719 * If a single test run takes a considerable fraction of a second (or
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
720 more) the speed benefit from the in-process fuzzer is negligible.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
721 * If the target library runs persistent threads (that outlive
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
722 execution of one test) the fuzzing results will be unreliable.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
723
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
724 Q. So, what exactly this Fuzzer is good for?
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
725 --------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
726
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
727 This Fuzzer might be a good choice for testing libraries that have relatively
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
728 small inputs, each input takes < 10ms to run, and the library code is not expected
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
729 to crash on invalid inputs.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
730 Examples: regular expression matchers, text or binary format parsers, compression,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
731 network, crypto.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
732
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
733 Trophies
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
734 ========
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
735 * GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
736
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
737 * MUSL LIBC: `[1] <http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://www.openwall.com/lists/oss-security/2015/03/30/3>`__
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
738
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
739 * `pugixml <https://github.com/zeux/pugixml/issues/39>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
740
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
741 * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
742 also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
743
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
744 * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
745
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
746 * `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
747
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
748 * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
749
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
750 * `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
751
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
752 * `Python <http://bugs.python.org/issue25388>`_
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
753
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
754 * OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_ `[4] <https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64>`_ `[5] <https://github.com/openssl/openssl/pull/931/commits/dd5ac557f052cc2b7f718ac44a8cb7ac6f77dca8>`_ `[6] <https://github.com/openssl/openssl/pull/931/commits/19b5b9194071d1d84e38ac9a952e715afbc85a81>`_
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
755
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
756 * `Libxml2
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
757 <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE-2015-7942)
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
758
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
759 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
760
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
761 * Capstone: `[1] <https://github.com/aquynh/capstone/issues/600>`__ `[2] <https://github.com/aquynh/capstone/commit/6b88d1d51eadf7175a8f8a11b690684443b11359>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
762
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
763 * file:`[1] <http://bugs.gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com/view.php?id=553>`__ `[4] <http://bugs.gw.com/view.php?id=554>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
764
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
765 * Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
766
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
767 * gRPC: `[1] <https://github.com/grpc/grpc/pull/6071/commits/df04c1f7f6aec6e95722ec0b023a6b29b6ea871c>`__ `[2] <https://github.com/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com/grpc/grpc/pull/6071/commits/9cac2a12d9e181d130841092e9d40fa3309d7aa7>`__ `[4] <https://github.com/grpc/grpc/pull/6012/commits/82a91c91d01ce9b999c8821ed13515883468e203>`__ `[5] <https://github.com/grpc/grpc/pull/6202/commits/2e3e0039b30edaf89fb93bfb2c1d0909098519fa>`__ `[6] <https://github.com/grpc/grpc/pull/6106/files>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
768
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
769 * WOFF2: `[1] <https://github.com/google/woff2/commit/a15a8ab>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
770
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
771 * LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, `Demangler <https://bugs.chromium.org/p/chromium/issues/detail?id=606626>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
772
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
773 * Tensorflow: `[1] <https://github.com/tensorflow/tensorflow/commit/7231d01fcb2cd9ef9ffbfea03b724892c8a4026e>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
774
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
775 * Ffmpeg: `[1] <https://github.com/FFmpeg/FFmpeg/commit/c92f55847a3d9cd12db60bfcd0831ff7f089c37c>`__ `[2] <https://github.com/FFmpeg/FFmpeg/commit/25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16>`__ `[3] <https://github.com/FFmpeg/FFmpeg/commit/85d23e5cbc9ad6835eef870a5b4247de78febe56>`__ `[4] <https://github.com/FFmpeg/FFmpeg/commit/04bd1b38ee6b8df410d0ab8d4949546b6c4af26a>`__
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
776
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
777 .. _pcre2: http://www.pcre.org/
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
778 .. _AFL: http://lcamtuf.coredump.cx/afl/
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
779 .. _Radamsa: https://github.com/aoh/radamsa
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
780 .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
781 .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
782 .. _AddressSanitizer: http://clang.llvm.org/docs/AddressSanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
783 .. _LeakSanitizer: http://clang.llvm.org/docs/LeakSanitizer.html
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
784 .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
785 .. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
786 .. _3.7.0: http://llvm.org/releases/3.7.0/docs/LibFuzzer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
787 .. _building Clang from trunk: http://clang.llvm.org/get_started.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
788 .. _MemorySanitizer: http://clang.llvm.org/docs/MemorySanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
789 .. _UndefinedBehaviorSanitizer: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
790 .. _`coverage counters`: http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
791 .. _`value profile`: #value-profile
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
792 .. _`caller-callee pairs`: http://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
793 .. _BoringSSL: https://boringssl.googlesource.com/boringssl/
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
794 .. _`fuzz various parts of LLVM itself`: `Fuzzing components of LLVM`_