Mercurial > hg > CbC > CbC_llvm

annotate docs/LibFuzzer.rst @ 124:4fa72497ed5d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix
author mir3636
date Thu, 30 Nov 2017 20:04:56 +0900
parents 803732b1fca8
children 3a76565eade5
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
1 =======================================================
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
2 libFuzzer – a library for coverage-guided fuzz testing.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
3 =======================================================
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
4 .. contents::
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
5 :local:
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
6 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
7
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
8 Introduction
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
9 ============
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
10
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
11 LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
12
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
13 LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
14 library via a specific fuzzing entrypoint (aka "target function"); the fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
15 then tracks which areas of the code are reached, and generates mutations on the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
16 corpus of input data in order to maximize the code coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
17 The code coverage
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
18 information for libFuzzer is provided by LLVM's SanitizerCoverage_
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
19 instrumentation.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
20
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
21 Contact: libfuzzer(#)googlegroups.com
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
22
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
23 Versions
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
24 ========
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
25
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
26 LibFuzzer is under active development so you will need the current
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
27 (or at least a very recent) version of the Clang compiler.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
28
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
29 (If `building Clang from trunk`_ is too time-consuming or difficult, then
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
30 the Clang binaries that the Chromium developers build are likely to be
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
31 fairly recent:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
32
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
33 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
34
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
35 mkdir TMP_CLANG
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
36 cd TMP_CLANG
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
37 git clone https://chromium.googlesource.com/chromium/src/tools/clang
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
38 cd ..
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
39 TMP_CLANG/clang/scripts/update.py
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
40
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
41 This installs the Clang binary as
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
42 ``./third_party/llvm-build/Release+Asserts/bin/clang``)
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
43
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
44 The libFuzzer code resides in the LLVM repository, and requires a recent Clang
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
45 compiler to build (and is used to :doc:`fuzz various parts of LLVM itself
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
46 <FuzzingLLVM>`). However the fuzzer itself does not (and should not) depend on
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
47 any part of LLVM infrastructure and can be used for other projects without
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
48 requiring the rest of LLVM.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
49
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
50
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
51 Getting Started
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
52 ===============
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
53
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
54 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
55 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
56 :depth: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
57
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
58 Fuzz Target
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
59 -----------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
60
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
61 The first step in using libFuzzer on a library is to implement a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
62 *fuzz target* -- a function that accepts an array of bytes and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
63 does something interesting with these bytes using the API under test.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
64 Like this:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
65
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
66 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
67
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
68 // fuzz_target.cc
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
69 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
70 DoSomethingInterestingWithMyAPI(Data, Size);
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
71 return 0; // Non-zero return values are reserved for future use.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
72 }
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
73
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
74 Note that this fuzz target does not depend on libFuzzer in any way
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
75 and so it is possible and even desirable to use it with other fuzzing engines
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
76 e.g. AFL_ and/or Radamsa_.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
77
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
78 Some important things to remember about fuzz targets:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
79
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
80 * The fuzzing engine will execute the fuzz target many times with different inputs in the same process.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
81 * It must tolerate any kind of input (empty, huge, malformed, etc).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
82 * It must not `exit()` on any input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
83 * It may use threads but ideally all threads should be joined at the end of the function.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
84 * It must be as deterministic as possible. Non-determinism (e.g. random decisions not based on the input bytes) will make fuzzing inefficient.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
85 * It must be fast. Try avoiding cubic or greater complexity, logging, or excessive memory consumption.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
86 * Ideally, it should not modify any global state (although that's not strict).
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
87 * Usually, the narrower the target the better. E.g. if your target can parse several data formats, split it into several targets, one per format.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
88
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
89
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
90 Fuzzer Usage
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
91 ------------
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
92
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
93 Very recent versions of Clang (after April 20 2017) include libFuzzer,
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
94 and no installation is necessary.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
95 In order to fuzz your binary, use the `-fsanitize=fuzzer` flag during the compilation::
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
96
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
97 clang -fsanitize=fuzzer,address mytarget.c
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
98
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
99 This will perform the necessary instrumentation, as well as linking in libFuzzer
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
100 library.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
101 Note that linking in libFuzzer defines the ``main`` symbol.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
102 If modifying ``CFLAGS`` of a large project, which also compiles executables
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
103 requiring their own ``main`` symbol, it may be desirable to request just the
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
104 instrumentation without linking::
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
105
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
106 clang -fsanitize=fuzzer-no-link mytarget.c
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
107
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
108 Then libFuzzer can be linked to the desired driver by passing in
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
109 ``-fsanitize=fuzzer`` during the linking stage.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
110
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
111 Otherwise, build the libFuzzer library as a static archive, without any sanitizer
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
112 options. Note that the libFuzzer library contains the ``main()`` function:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
113
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
114 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
115
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
116 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer # or git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
117 ./Fuzzer/build.sh # Produces libFuzzer.a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
118
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
119 Then build the fuzzing target function and the library under test using
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
120 the SanitizerCoverage_ option, which instruments the code so that the fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
121 can retrieve code coverage information (to guide the fuzzing). Linking with
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
122 the libFuzzer code then gives a fuzzer executable.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
123
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
124 You should also enable one or more of the *sanitizers*, which help to expose
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
125 latent bugs by making incorrect behavior generate errors at runtime:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
126
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
127 - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
128 - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explicitly
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
129 listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefined`
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
130 or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
131 You may combine ASAN and UBSAN in one build.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
132 - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
133 contents that have not been initialized to a specific value. Use `-fsanitize=memory`.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
134 MSAN can not be combined with other sanirizers and should be used as a seprate build.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
135
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
136 Finally, link with ``libFuzzer.a``::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
137
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
138 clang -fsanitize-coverage=trace-pc-guard -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
139
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
140 .. _libfuzzer-corpus:
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
141
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
142 Corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
143 ------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
144
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
145 Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
146 code under test. This corpus should ideally be seeded with a varied collection
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
147 of valid and invalid inputs for the code under test; for example, for a graphics
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
148 library the initial corpus might hold a variety of different small PNG/JPG/GIF
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
149 files. The fuzzer generates random mutations based around the sample inputs in
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
150 the current corpus. If a mutation triggers execution of a previously-uncovered
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
151 path in the code under test, then that mutation is saved to the corpus for
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
152 future variations.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
153
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
154 LibFuzzer will work without any initial seeds, but will be less
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
155 efficient if the library under test accepts complex,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
156 structured inputs.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
157
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
158 The corpus can also act as a sanity/regression check, to confirm that the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
159 fuzzing entrypoint still works and that all of the sample inputs run through
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
160 the code under test without problems.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
161
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
162 If you have a large corpus (either generated by fuzzing or acquired by other means)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
163 you may want to minimize it while still preserving the full coverage. One way to do that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
164 is to use the `-merge=1` flag:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
165
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
166 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
167
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
168 mkdir NEW_CORPUS_DIR # Store minimized corpus here.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
169 ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
170
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
171 You may use the same flag to add more interesting items to an existing corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
172 Only the inputs that trigger new coverage will be added to the first corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
173
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
174 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
175
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
176 ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
177
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
178
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
179 Running
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
180 -------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
181
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
182 To run the fuzzer, first create a Corpus_ directory that holds the
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
183 initial "seed" sample inputs:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
184
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
185 .. code-block:: console
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
186
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
187 mkdir CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
188 cp /some/input/samples/* CORPUS_DIR
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
189
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
190 Then run the fuzzer on the corpus directory:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
191
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
192 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
193
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
194 ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
195
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
196 As the fuzzer discovers new interesting test cases (i.e. test cases that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
197 trigger coverage of new paths through the code under test), those test cases
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
198 will be added to the corpus directory.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
199
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
200 By default, the fuzzing process will continue indefinitely – at least until
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
201 a bug is found. Any crashes or sanitizer failures will be reported as usual,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
202 stopping the fuzzing process, and the particular input that triggered the bug
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
203 will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
204 or ``timeout-<sha1>``).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
205
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
206
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
207 Parallel Fuzzing
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
208 ----------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
209
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
210 Each libFuzzer process is single-threaded, unless the library under test starts
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
211 its own threads. However, it is possible to run multiple libFuzzer processes in
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
212 parallel with a shared corpus directory; this has the advantage that any new
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
213 inputs found by one fuzzer process will be available to the other fuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
214 processes (unless you disable this with the ``-reload=0`` option).
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
215
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
216 This is primarily controlled by the ``-jobs=N`` option, which indicates that
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
217 that `N` fuzzing jobs should be run to completion (i.e. until a bug is found or
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
218 time/iteration limits are reached). These jobs will be run across a set of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
219 worker processes, by default using half of the available CPU cores; the count of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
220 worker processes can be overridden by the ``-workers=N`` option. For example,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
221 running with ``-jobs=30`` on a 12-core machine would run 6 workers by default,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
222 with each worker averaging 5 bugs by completion of the entire process.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
223
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
224
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
225 Options
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
226 =======
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
227
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
228 To run the fuzzer, pass zero or more corpus directories as command line
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
229 arguments. The fuzzer will read test inputs from each of these corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
230 directories, and any new test inputs that are generated will be written
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
231 back to the first corpus directory:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
232
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
233 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
234
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
235 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
236
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
237 If a list of files (rather than directories) are passed to the fuzzer program,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
238 then it will re-run those files as test inputs but will not perform any fuzzing.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
239 In this mode the fuzzer binary can be used as a regression test (e.g. on a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
240 continuous integration system) to check the target function and saved inputs
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
241 still work.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
242
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
243 The most important command line options are:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
244
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
245 ``-help``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
246 Print help message.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
247 ``-seed``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
248 Random seed. If 0 (the default), the seed is generated.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
249 ``-runs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
250 Number of individual test runs, -1 (the default) to run indefinitely.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
251 ``-max_len``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
252 Maximum length of a test input. If 0 (the default), libFuzzer tries to guess
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
253 a good value based on the corpus (and reports it).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
254 ``-timeout``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
255 Timeout in seconds, default 1200. If an input takes longer than this timeout,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
256 the process is treated as a failure case.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
257 ``-rss_limit_mb``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
258 Memory usage limit in Mb, default 2048. Use 0 to disable the limit.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
259 If an input requires more than this amount of RSS memory to execute,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
260 the process is treated as a failure case.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
261 The limit is checked in a separate thread every second.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
262 If running w/o ASAN/MSAN, you may use 'ulimit -v' instead.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
263 ``-timeout_exitcode``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
264 Exit code (default 77) used if libFuzzer reports a timeout.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
265 ``-error_exitcode``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
266 Exit code (default 77) used if libFuzzer itself (not a sanitizer) reports a bug (leak, OOM, etc).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
267 ``-max_total_time``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
268 If positive, indicates the maximum total time in seconds to run the fuzzer.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
269 If 0 (the default), run indefinitely.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
270 ``-merge``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
271 If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
272 that trigger new code coverage will be merged into the first corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
273 directory. Defaults to 0. This flag can be used to minimize a corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
274 ``-minimize_crash``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
275 If 1, minimizes the provided crash input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
276 Use with -runs=N or -max_total_time=N to limit the number of attempts.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
277 ``-reload``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
278 If set to 1 (the default), the corpus directory is re-read periodically to
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
279 check for new inputs; this allows detection of new inputs that were discovered
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
280 by other fuzzing processes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
281 ``-jobs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
282 Number of fuzzing jobs to run to completion. Default value is 0, which runs a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
283 single fuzzing process until completion. If the value is >= 1, then this
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
284 number of jobs performing fuzzing are run, in a collection of parallel
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
285 separate worker processes; each such worker process has its
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
286 ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
287 ``-workers``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
288 Number of simultaneous worker processes to run the fuzzing jobs to completion
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
289 in. If 0 (the default), ``min(jobs, NumberOfCpuCores()/2)`` is used.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
290 ``-dict``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
291 Provide a dictionary of input keywords; see Dictionaries_.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
292 ``-use_counters``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
293 Use `coverage counters`_ to generate approximate counts of how often code
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
294 blocks are hit; defaults to 1.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
295 ``-use_value_profile``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
296 Use `value profile`_ to guide corpus expansion; defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
297 ``-only_ascii``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
298 If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
299 ``-artifact_prefix``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
300 Provide a prefix to use when saving fuzzing artifacts (crash, timeout, or
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
301 slow inputs) as ``$(artifact_prefix)file``. Defaults to empty.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
302 ``-exact_artifact_path``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
303 Ignored if empty (the default). If non-empty, write the single artifact on
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
304 failure (crash, timeout) as ``$(exact_artifact_path)``. This overrides
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
305 ``-artifact_prefix`` and will not use checksum in the file name. Do not use
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
306 the same path for several parallel processes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
307 ``-print_pcs``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
308 If 1, print out newly covered PCs. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
309 ``-print_final_stats``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
310 If 1, print statistics at exit. Defaults to 0.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
311 ``-detect_leaks``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
312 If 1 (default) and if LeakSanitizer is enabled
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
313 try to detect memory leaks during fuzzing (i.e. not only at shut down).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
314 ``-close_fd_mask``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
315 Indicate output streams to close at startup. Be careful, this will
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
316 remove diagnostic output from target code (e.g. messages on assert failure).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
317
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
318 - 0 (default): close neither ``stdout`` nor ``stderr``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
319 - 1 : close ``stdout``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
320 - 2 : close ``stderr``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
321 - 3 : close both ``stdout`` and ``stderr``.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
322
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
323 For the full list of flags run the fuzzer binary with ``-help=1``.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
324
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
325 Output
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
326 ======
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
327
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
328 During operation the fuzzer prints information to ``stderr``, for example::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
329
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
330 INFO: Seed: 1523017872
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
331 INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0),
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
332 INFO: -max_len is not provided, using 64
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
333 INFO: A corpus is not provided, starting from an empty corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
334 #0 READ units: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
335 #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
336 #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
337 #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
338 #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
339 #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
340 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
341
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
342 The early parts of the output include information about the fuzzer options and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
343 configuration, including the current random seed (in the ``Seed:`` line; this
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
344 can be overridden with the ``-seed=N`` flag).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
345
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
346 Further output lines have the form of an event code and statistics. The
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
347 possible event codes are:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
348
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
349 ``READ``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
350 The fuzzer has read in all of the provided input samples from the corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
351 directories.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
352 ``INITED``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
353 The fuzzer has completed initialization, which includes running each of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
354 the initial input samples through the code under test.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
355 ``NEW``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
356 The fuzzer has created a test input that covers new areas of the code
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
357 under test. This input will be saved to the primary corpus directory.
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
358 ``REDUCE``
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
359 The fuzzer has found a better (smaller) input that triggers previously
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
360 discovered features (set ``-reduce_inputs=0`` to disable).
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
361 ``pulse``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
362 The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
363 the user that the fuzzer is still working).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
364 ``DONE``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
365 The fuzzer has completed operation because it has reached the specified
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
366 iteration limit (``-runs``) or time limit (``-max_total_time``).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
367 ``RELOAD``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
368 The fuzzer is performing a periodic reload of inputs from the corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
369 directory; this allows it to discover any inputs discovered by other
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
370 fuzzer processes (see `Parallel Fuzzing`_).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
371
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
372 Each output line also reports the following statistics (when non-zero):
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
373
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
374 ``cov:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
375 Total number of code blocks or edges covered by the executing the current
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
376 corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
377 ``ft:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
378 libFuzzer uses different signals to evaluate the code coverage:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
379 edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
380 These signals combined are called *features* (`ft:`).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
381 ``corp:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
382 Number of entries in the current in-memory test corpus and its size in bytes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
383 ``exec/s:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
384 Number of fuzzer iterations per second.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
385 ``rss:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
386 Current memory consumption.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
387
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
388 For ``NEW`` events, the output line also includes information about the mutation
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
389 operation that produced the new input:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
390
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
391 ``L:``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
392 Size of the new input in bytes.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
393 ``MS: <n> <operations>``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
394 Count and list of the mutation operations used to generate the input.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
395
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
396
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
397 Examples
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
398 ========
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
399 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
400 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
401 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
402
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
403 Toy example
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
404 -----------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
405
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
406 A simple function that does something interesting if it receives the input
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
407 "HI!"::
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
408
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
409 cat << EOF > test_fuzzer.cc
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
410 #include <stdint.h>
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
411 #include <stddef.h>
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
412 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
413 if (size > 0 && data[0] == 'H')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
414 if (size > 1 && data[1] == 'I')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
415 if (size > 2 && data[2] == '!')
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
416 __builtin_trap();
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
417 return 0;
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
418 }
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
419 EOF
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
420 # Build test_fuzzer.cc with asan and link against libFuzzer.a
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
421 clang++ -fsanitize=address -fsanitize-coverage=trace-pc-guard test_fuzzer.cc libFuzzer.a
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
422 # Run the fuzzer with no corpus.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
423 ./a.out
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
424
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
425 You should get an error pretty quickly::
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
426
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
427 INFO: Seed: 1523017872
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
428 INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0),
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
429 INFO: -max_len is not provided, using 64
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
430 INFO: A corpus is not provided, starting from an empty corpus
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
431 #0 READ units: 1
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
432 #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
433 #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
434 #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
435 #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
436 #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
437 ==31511== ERROR: libFuzzer: deadly signal
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
438 ...
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
439 artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
440
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
441
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
442 More examples
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
443 -------------
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
444
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
445 Examples of real-life fuzz targets and the bugs they find can be found
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
446 at http://tutorial.libfuzzer.info. Among other things you can learn how
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
447 to detect Heartbleed_ in one second.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
448
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
449
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
450 Advanced features
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
451 =================
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
452 .. contents::
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
453 :local:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
454 :depth: 1
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
455
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
456 Dictionaries
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
457 ------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
458 LibFuzzer supports user-supplied dictionaries with input language keywords
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
459 or other interesting byte sequences (e.g. multi-byte magic values).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
460 Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
461 may significantly improve the search speed.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
462 The dictionary syntax is similar to that used by AFL_ for its ``-x`` option::
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
463
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
464 # Lines starting with '#' and empty lines are ignored.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
465
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
466 # Adds "blah" (w/o quotes) to the dictionary.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
467 kw1="blah"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
468 # Use \\ for backslash and \" for quotes.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
469 kw2="\"ac\\dc\""
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
470 # Use \xAB for hex values
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
471 kw3="\xF7\xF8"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
472 # the name of the keyword followed by '=' may be omitted:
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
473 "foo\x0Abar"
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
474
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
475
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
476
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
477 Tracing CMP instructions
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
478 ------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
479
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
480 With an additional compiler flag ``-fsanitize-coverage=trace-cmp``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
481 (see SanitizerCoverageTraceDataFlow_)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
482 libFuzzer will intercept CMP instructions and guide mutations based
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
483 on the arguments of intercepted CMP instructions. This may slow down
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
484 the fuzzing but is very likely to improve the results.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
485
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
486 Value Profile
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
487 -------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
488
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
489 *EXPERIMENTAL*.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
490 With ``-fsanitize-coverage=trace-cmp``
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
491 and extra run-time flag ``-use_value_profile=1`` the fuzzer will
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
492 collect value profiles for the parameters of compare instructions
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
493 and treat some new values as new coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
494
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
495 The current imlpementation does roughly the following:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
496
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
497 * The compiler instruments all CMP instructions with a callback that receives both CMP arguments.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
498 * The callback computes `(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)` and uses this value to set a bit in a bitset.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
499 * Every new observed bit in the bitset is treated as new coverage.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
500
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
501
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
502 This feature has a potential to discover many interesting inputs,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
503 but there are two downsides.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
504 First, the extra instrumentation may bring up to 2x additional slowdown.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
505 Second, the corpus may grow by several times.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
506
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
507 Fuzzer-friendly build mode
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
508 ---------------------------
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
509 Sometimes the code under test is not fuzzing-friendly. Examples:
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
510
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
511 - The target code uses a PRNG seeded e.g. by system time and
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
512 thus two consequent invocations may potentially execute different code paths
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
513 even if the end result will be the same. This will cause a fuzzer to treat
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
514 two similar inputs as significantly different and it will blow up the test corpus.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
515 E.g. libxml uses ``rand()`` inside its hash table.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
516 - The target code uses checksums to protect from invalid inputs.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
517 E.g. png checks CRC for every chunk.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
518
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
519 In many cases it makes sense to build a special fuzzing-friendly build
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
520 with certain fuzzing-unfriendly features disabled. We propose to use a common build macro
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
521 for all such cases for consistency: ``FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION``.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
522
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
523 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
524
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
525 void MyInitPRNG() {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
526 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
527 // In fuzzing mode the behavior of the code should be deterministic.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
528 srand(0);
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
529 #else
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
530 srand(time(0));
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
531 #endif
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
532 }
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
533
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
534
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
535
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
536 AFL compatibility
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
537 -----------------
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
538 LibFuzzer can be used together with AFL_ on the same test corpus.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
539 Both fuzzers expect the test corpus to reside in a directory, one file per input.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
540 You can run both fuzzers on the same corpus, one after another:
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
541
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
542 .. code-block:: console
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
543
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
544 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
545 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
546
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
547 Periodically restart both fuzzers so that they can use each other's findings.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
548 Currently, there is no simple way to run both fuzzing engines in parallel while sharing the same corpus dir.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
549
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
550 You may also use AFL on your target function ``LLVMFuzzerTestOneInput``:
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
551 see an example `here <https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/afl/afl_driver.cpp>`__.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
552
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
553 How good is my fuzzer?
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
554 ----------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
555
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
556 Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
557 you will want to know whether the function or the corpus can be improved further.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
558 One easy to use metric is, of course, code coverage.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
559
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
560 We recommend to use
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
561 `Clang Coverage <http://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_,
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
562 to visualize and study your code coverage
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
563 (`example <https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md#visualizing-coverage>`_).
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
564
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
565
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
566 User-supplied mutators
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
567 ----------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
568
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
569 LibFuzzer allows to use custom (user-supplied) mutators,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
570 see FuzzerInterface.h_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
571
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
572 Startup initialization
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
573 ----------------------
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
574 If the library being tested needs to be initialized, there are several options.
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
575
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
576 The simplest way is to have a statically initialized global object inside
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
577 `LLVMFuzzerTestOneInput` (or in global scope if that works for you):
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
578
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
579 .. code-block:: c++
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
580
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
581 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
582 static bool Initialized = DoInitialization();
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
583 ...
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
584
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
585 Alternatively, you may define an optional init function and it will receive
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
586 the program arguments that you can read and modify. Do this **only** if you
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
587 really need to access ``argv``/``argc``.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
588
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
589 .. code-block:: c++
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
590
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
591 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
592 ReadAndMaybeModify(argc, argv);
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
593 return 0;
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
594 }
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
595
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
596
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
597 Leaks
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
598 -----
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
599
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
600 Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
601 memory leaks at the process shutdown.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
602 For in-process fuzzing this is inconvenient
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
603 since the fuzzer needs to report a leak with a reproducer as soon as the leaky
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
604 mutation is found. However, running full leak detection after every mutation
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
605 is expensive.
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
606
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
607 By default (``-detect_leaks=1``) libFuzzer will count the number of
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
608 ``malloc`` and ``free`` calls when executing every mutation.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
609 If the numbers don't match (which by itself doesn't mean there is a leak)
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
610 libFuzzer will invoke the more expensive LeakSanitizer_
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
611 pass and if the actual leak is found, it will be reported with the reproducer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
612 and the process will exit.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
613
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
614 If your target has massive leaks and the leak detection is disabled
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
615 you will eventually run out of RAM (see the ``-rss_limit_mb`` flag).
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
616
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
617
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
618 Developing libFuzzer
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
619 ====================
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
620
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
621 LibFuzzer is built as a part of LLVM project by default on macos and Linux.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
622 Users of other operating systems can explicitly request compilation using
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
623 ``-DLIBFUZZER_ENABLE=YES`` flag.
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
624 Tests are run using ``check-fuzzer`` target from the build directory
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
625 which was configured with ``-DLIBFUZZER_ENABLE_TESTS=ON`` flag.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
626
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
627 .. code-block:: console
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
628
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
629 ninja check-fuzzer
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
630
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
631
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
632 FAQ
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
633 =========================
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
634
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
635 Q. Why doesn't libFuzzer use any of the LLVM support?
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
636 -----------------------------------------------------
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
637
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
638 There are two reasons.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
639
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
640 First, we want this library to be used outside of the LLVM without users having to
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
641 build the rest of LLVM. This may sound unconvincing for many LLVM folks,
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
642 but in practice the need for building the whole LLVM frightens many potential
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
643 users -- and we want more users to use this code.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
644
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
645 Second, there is a subtle technical reason not to rely on the rest of LLVM, or
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
646 any other large body of code (maybe not even STL). When coverage instrumentation
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
647 is enabled, it will also instrument the LLVM support code which will blow up the
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
648 coverage set of the process (since the fuzzer is in-process). In other words, by
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
649 using more external dependencies we will slow down the fuzzer while the main
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
650 reason for it to exist is extreme speed.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
651
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
652 Q. What about Windows then? The fuzzer contains code that does not build on Windows.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
653 ------------------------------------------------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
654
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
655 Volunteers are welcome.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
656
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
657 Q. When libFuzzer is not a good solution for a problem?
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
658 ---------------------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
659
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
660 * If the test inputs are validated by the target library and the validator
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
661 asserts/crashes on invalid inputs, in-process fuzzing is not applicable.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
662 * Bugs in the target library may accumulate without being detected. E.g. a memory
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
663 corruption that goes undetected at first and then leads to a crash while
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
664 testing another input. This is why it is highly recommended to run this
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
665 in-process fuzzer with all sanitizers to detect most bugs on the spot.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
666 * It is harder to protect the in-process fuzzer from excessive memory
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
667 consumption and infinite loops in the target library (still possible).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
668 * The target library should not have significant global state that is not
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
669 reset between the runs.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
670 * Many interesting target libraries are not designed in a way that supports
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
671 the in-process fuzzer interface (e.g. require a file path instead of a
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
672 byte array).
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
673 * If a single test run takes a considerable fraction of a second (or
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
674 more) the speed benefit from the in-process fuzzer is negligible.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
675 * If the target library runs persistent threads (that outlive
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
676 execution of one test) the fuzzing results will be unreliable.
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
677
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
678 Q. So, what exactly this Fuzzer is good for?
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
679 --------------------------------------------
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
680
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
681 This Fuzzer might be a good choice for testing libraries that have relatively
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
682 small inputs, each input takes < 10ms to run, and the library code is not expected
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
683 to crash on invalid inputs.
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
684 Examples: regular expression matchers, text or binary format parsers, compression,
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
685 network, crypto.
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
686
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
687
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
688 Trophies
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
689 ========
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
690 * GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
691
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
692 * MUSL LIBC: `[1] <http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://www.openwall.com/lists/oss-security/2015/03/30/3>`__
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
693
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
694 * `pugixml <https://github.com/zeux/pugixml/issues/39>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
695
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
696 * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
697 also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
698
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
699 * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
700
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
701 * `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
702
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
703 * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
704
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
705 * `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
706
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
707 * `Python <http://bugs.python.org/issue25388>`_
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
708
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
709 * OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_ `[4] <https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64>`_ `[5] <https://github.com/openssl/openssl/pull/931/commits/dd5ac557f052cc2b7f718ac44a8cb7ac6f77dca8>`_ `[6] <https://github.com/openssl/openssl/pull/931/commits/19b5b9194071d1d84e38ac9a952e715afbc85a81>`_
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
710
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
711 * `Libxml2
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
712 <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE-2015-7942)
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
713
100
7d135dc70f03 LLVM 3.9
Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
parents: 95
diff changeset
714 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
715
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
716 * Capstone: `[1] <https://github.com/aquynh/capstone/issues/600>`__ `[2] <https://github.com/aquynh/capstone/commit/6b88d1d51eadf7175a8f8a11b690684443b11359>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
717
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
718 * file:`[1] <http://bugs.gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com/view.php?id=553>`__ `[4] <http://bugs.gw.com/view.php?id=554>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
719
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
720 * Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
721
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
722 * gRPC: `[1] <https://github.com/grpc/grpc/pull/6071/commits/df04c1f7f6aec6e95722ec0b023a6b29b6ea871c>`__ `[2] <https://github.com/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com/grpc/grpc/pull/6071/commits/9cac2a12d9e181d130841092e9d40fa3309d7aa7>`__ `[4] <https://github.com/grpc/grpc/pull/6012/commits/82a91c91d01ce9b999c8821ed13515883468e203>`__ `[5] <https://github.com/grpc/grpc/pull/6202/commits/2e3e0039b30edaf89fb93bfb2c1d0909098519fa>`__ `[6] <https://github.com/grpc/grpc/pull/6106/files>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
723
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
724 * WOFF2: `[1] <https://github.com/google/woff2/commit/a15a8ab>`__
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
725
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
726 * LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, `Demangler <https://bugs.chromium.org/p/chromium/issues/detail?id=606626>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
727
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
728 * Tensorflow: `[1] <https://da-data.blogspot.com/2017/01/finding-bugs-in-tensorflow-with.html>`__
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
729
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
730 * Ffmpeg: `[1] <https://github.com/FFmpeg/FFmpeg/commit/c92f55847a3d9cd12db60bfcd0831ff7f089c37c>`__ `[2] <https://github.com/FFmpeg/FFmpeg/commit/25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16>`__ `[3] <https://github.com/FFmpeg/FFmpeg/commit/85d23e5cbc9ad6835eef870a5b4247de78febe56>`__ `[4] <https://github.com/FFmpeg/FFmpeg/commit/04bd1b38ee6b8df410d0ab8d4949546b6c4af26a>`__
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
731
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
732 * `Wireshark <https://bugs.wireshark.org/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&bug_status=INCOMPLETE&bug_status=RESOLVED&bug_status=VERIFIED&f0=OP&f1=OP&f2=product&f3=component&f4=alias&f5=short_desc&f7=content&f8=CP&f9=CP&j1=OR&o2=substring&o3=substring&o4=substring&o5=substring&o6=substring&o7=matches&order=bug_id%20DESC&query_format=advanced&v2=libfuzzer&v3=libfuzzer&v4=libfuzzer&v5=libfuzzer&v6=libfuzzer&v7=%22libfuzzer%22>`_
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
733
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
734 * `QEMU <https://researchcenter.paloaltonetworks.com/2017/09/unit42-palo-alto-networks-discovers-new-qemu-vulnerability/>`_
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
735
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
736 .. _pcre2: http://www.pcre.org/
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
737 .. _AFL: http://lcamtuf.coredump.cx/afl/
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
738 .. _Radamsa: https://github.com/aoh/radamsa
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
739 .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
740 .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
741 .. _AddressSanitizer: http://clang.llvm.org/docs/AddressSanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
742 .. _LeakSanitizer: http://clang.llvm.org/docs/LeakSanitizer.html
95
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
743 .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed
afa8332a0e37 LLVM 3.8
Kaito Tokumori <e105711@ie.u-ryukyu.ac.jp>
parents:
diff changeset
744 .. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h
120
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
745 .. _3.7.0: http://llvm.org/releases/3.7.0/docs/LibFuzzer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
746 .. _building Clang from trunk: http://clang.llvm.org/get_started.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
747 .. _MemorySanitizer: http://clang.llvm.org/docs/MemorySanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
748 .. _UndefinedBehaviorSanitizer: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
749 .. _`coverage counters`: http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
750 .. _`value profile`: #value-profile
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
751 .. _`caller-callee pairs`: http://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage
1172e4bd9c6f update 4.0.0
mir3636
parents: 100
diff changeset
752 .. _BoringSSL: https://boringssl.googlesource.com/boringssl/
121
803732b1fca8 LLVM 5.0
kono
parents: 120
diff changeset
753