Mercurial > hg > CbC > CbC_llvm

diff docs/LibFuzzer.rst @ 100:7d135dc70f03 LLVM 3.9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
LLVM 3.9
author Miyagi Mitsuki <e135756@ie.u-ryukyu.ac.jp>
date Tue, 26 Jan 2016 22:53:40 +0900
parents afa8332a0e37
children 1172e4bd9c6f
line wrap: on
line diff
--- a/docs/LibFuzzer.rst	Tue Oct 13 17:49:56 2015 +0900
+++ b/docs/LibFuzzer.rst	Tue Jan 26 22:53:40 2016 +0900
@@ -61,9 +61,10 @@
   cross_over                         	1	If 1, cross over inputs.
   mutate_depth                       	5	Apply this number of consecutive mutations to each input.
   timeout                            	1200	Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
+  abort_on_timeout                      0       If positive, call abort on timeout.
   max_total_time                        0       If positive, indicates the maximal total time in seconds to run the fuzzer.
   help                               	0	Print help.
-  save_minimized_corpus              	0	If 1, the minimized corpus is saved into the first input directory. Example: ./fuzzer -save_minimized_corpus=1 NEW_EMPTY_DIR OLD_CORPUS
+  merge                                 0       If 1, the 2-nd, 3-rd, etc corpora will be merged into the 1-st corpus. Only interesting units will be taken.
   jobs                               	0	Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
   workers                            	0	Number of simultaneous worker processes to run the jobs. If zero, "min(jobs,NumberOfCpuCores()/2)" is used.
   sync_command                       	0	Execute an external command "<sync_command> <test_corpus>" to synchronize the test corpus.
@@ -72,6 +73,7 @@
   only_ascii                            0       If 1, generate only ASCII (isprint+isspace) inputs.
   test_single_input                     ""      Use specified file content as test input. Test will be run only once. Useful for debugging a particular case.
   artifact_prefix                       ""      Write fuzzing artifacts (crash, timeout, or slow inputs) as $(artifact_prefix)file
+  exact_artifact_path                   ""      Write the single artifact on failure (crash, timeout) as $(exact_artifact_path). This overrides -artifact_prefix and will not use checksum in the file name. Do not use the same path for several parallel processes.
 
 For the full list of flags run the fuzzer binary with ``-help=1``.
 
@@ -84,7 +86,9 @@
 A simple function that does something interesting if it receives the input "HI!"::
 
   cat << EOF >> test_fuzzer.cc
-  extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, unsigned long size) {
+  #include <stdint.h>
+  #include <stddef.h>
+  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     if (size > 0 && data[0] == 'H')
       if (size > 1 && data[1] == 'I')
          if (size > 2 && data[2] == '!')
@@ -120,8 +124,9 @@
   # Build the actual function that does something interesting with PCRE2.
   cat << EOF > pcre_fuzzer.cc
   #include <string.h>
+  #include <stdint.h>
   #include "pcre2posix.h"
-  extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
+  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     if (size < 1) return 0;
     char *str = new char[size+1];
     memcpy(str, data, size);
@@ -219,6 +224,9 @@
   #include <openssl/ssl.h>
   #include <openssl/err.h>
   #include <assert.h>
+  #include <stdint.h>
+  #include <stddef.h>
+
   SSL_CTX *sctx;
   int Init() {
     SSL_library_init();
@@ -230,7 +238,7 @@
     assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM));
     return 0;
   }
-  extern "C" int LLVMFuzzerTestOneInput(unsigned char *Data, size_t Size) {
+  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
     static int unused = Init();
     SSL *server = SSL_new(sctx);
     BIO *sinbio = BIO_new(BIO_s_mem());
@@ -259,6 +267,9 @@
       #1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3
       #2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4
 
+Note: a `similar fuzzer <https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md>`_
+is now a part of the boringssl source tree.
+
 Advanced features
 =================
 
@@ -326,6 +337,35 @@
 LibFuzzer allows to use custom (user-supplied) mutators,
 see FuzzerInterface.h_
 
+Startup initialization
+----------------------
+If the library being tested needs to be initialized, there are several options.
+
+The simplest way is to have a statically initialized global object::
+
+   static bool Initialized = DoInitialization();
+
+Alternatively, you may define an optional init function and it will receive
+the program arguments that you can read and modify::
+
+   extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
+    ReadAndMaybeModify(argc, argv);
+    return 0;
+   }
+
+Finally, you may use your own ``main()`` and call ``FuzzerDriver``
+from there, see FuzzerInterface.h_.
+
+Try to avoid initialization inside the target function itself as
+it will skew the coverage data. Don't do this::
+
+    extern "C" int LLVMFuzzerTestOneInput(...) {
+      static bool initialized = false;
+      if (!initialized) { 
+         ...
+      }
+    }
+
 Fuzzing components of LLVM
 ==========================
 
@@ -468,30 +508,18 @@
 
 * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_
 
+* `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_
+
+* `Python <http://bugs.python.org/issue25388>`_
+
+* OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_
+
 * `Libxml2
   <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_
 
-* Linux Kernel's BPF verifier: https://github.com/iovisor/bpf-fuzzer
-
-* LLVM:
-
-  * Clang: https://llvm.org/bugs/show_bug.cgi?id=23057
-
-  * Clang-format: https://llvm.org/bugs/show_bug.cgi?id=23052
-
-  * libc++: https://llvm.org/bugs/show_bug.cgi?id=24411
+* `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
 
-  * llvm-as: https://llvm.org/bugs/show_bug.cgi?id=24639
-
-  * Disassembler:
-
-    * Mips: Discovered a number of untested instructions for the Mips target
-      (see valid-mips*.s in http://reviews.llvm.org/rL247405,
-      http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416,
-      http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420,
-      and http://reviews.llvm.org/rL247422) as well some instructions that
-      successfully disassembled on ISA's where they were not valid (see
-      invalid-xfail.s files in the same commits).
+* LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.
 
 .. _pcre2: http://www.pcre.org/