From 8b6af7a9d33af51abdb829350d942e3588faf37c Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Wed, 26 Oct 2016 01:55:17 +0000 Subject: [PATCH] [libFuzzer] refresh docs llvm-svn: 285157 --- llvm/docs/LibFuzzer.rst | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst index c46815e..f8cdfbf 100644 --- a/llvm/docs/LibFuzzer.rst +++ b/llvm/docs/LibFuzzer.rst @@ -8,18 +8,13 @@ libFuzzer – a library for coverage-guided fuzz testing. Introduction ============ -LibFuzzer is a library for in-process, coverage-guided, evolutionary fuzzing -of other libraries. +LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. -LibFuzzer is similar in concept to American Fuzzy Lop (AFL_), but it performs -all of its fuzzing inside a single process. This in-process fuzzing can be more -restrictive and fragile, but is potentially much faster as there is no overhead -for process start-up. - -The fuzzer is linked with the library under test, and feeds fuzzed inputs to the +LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka "target function"); the fuzzer then tracks which areas of the code are reached, and generates mutations on the -corpus of input data in order to maximize the code coverage. The code coverage +corpus of input data in order to maximize the code coverage. +The code coverage information for libFuzzer is provided by LLVM's SanitizerCoverage_ instrumentation. 
@@ -28,8 +23,8 @@ Contact: libfuzzer(#)googlegroups.com Versions ======== -LibFuzzer is under active development so a current (or at least very recent) -version of Clang is the only supported variant. +LibFuzzer is under active development so you will need the current +(or at least a very recent) version of the Clang compiler. (If `building Clang from trunk`_ is too time-consuming or difficult, then the Clang binaries that the Chromium developers build are likely to be @@ -53,7 +48,6 @@ infrastructure and can be used for other projects without requiring the rest of LLVM. - Getting Started =============== @@ -83,13 +77,12 @@ options. Note that the libFuzzer library contains the ``main()`` function: svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer # Alternative: get libFuzzer from a dedicated git mirror: # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer - clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer - ar ruv libFuzzer.a Fuzzer*.o + ./Fuzzer/build.sh # Produces libFuzzer.a Then build the fuzzing target function and the library under test using the SanitizerCoverage_ option, which instruments the code so that the fuzzer can retrieve code coverage information (to guide the fuzzing). Linking with -the libFuzzer code then gives an fuzzer executable. +the libFuzzer code then gives a fuzzer executable. You should also enable one or more of the *sanitizers*, which help to expose latent bugs by making incorrect behavior generate errors at runtime: @@ -834,7 +827,7 @@ Q. What about Windows then? The fuzzer contains code that does not build on Wind Volunteers are welcome. -Q. When this Fuzzer is not a good solution for a problem? +Q. When libFuzzer is not a good solution for a problem? --------------------------------------------------------- * If the test inputs are validated by the target library and the validator -- 2.7.4
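Review bot: in the Introduction hunk, the new opening line `+LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.` is missing an article; suggest `LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine.` The same hunk removes the paragraph comparing libFuzzer to AFL, which also removes the note that in-process fuzzing "can be more restrictive and fragile, but is potentially much faster"; that caveat is useful to readers choosing a fuzzing target, so consider keeping one sentence of it, and check whether the `AFL_` hyperlink target is still referenced anywhere else in the file now that this paragraph is gone.

Review bot: in the Getting Started hunk, replacing `clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer` and `ar ruv libFuzzer.a Fuzzer*.o` with `./Fuzzer/build.sh # Produces libFuzzer.a` hides which compiler and flags are used, and a reader following the `svn co` or git-mirror step can no longer tell from the doc whether build.sh uses the same Clang they will use for the instrumented target, which matters given the Versions section's requirement for a very recent Clang. Suggest a sentence after the command stating which compiler build.sh invokes and how to point it at a specific one. The `an fuzzer` to `a fuzzer` correction in the same hunk is good.

Review bot: in the FAQ hunk, the reworded heading `+Q. When libFuzzer is not a good solution for a problem?` still reads as a statement rather than a question; suggest `Q. When is libFuzzer not a good solution for a problem?`. The dash underline below it is unchanged and remains at least as long as the new title, so the RST section marker stays valid either way.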