authorKostya Serebryany <kcc@google.com>2016-10-26 01:55:17 +0000
committerKostya Serebryany <kcc@google.com>2016-10-26 01:55:17 +0000
commit95134530d117cb293777a3996e8267986154ffdd (patch)
tree198ec1ddb540be7a73d00cf65104b3688ab658ab /docs/LibFuzzer.rst
parente9512859eaf4d1a4d68ec5901afa33aa340297d0 (diff)
[libFuzzer] refresh docs
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@285157 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'docs/LibFuzzer.rst')
-rw-r--r--docs/LibFuzzer.rst25
1 files changed, 9 insertions, 16 deletions
diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index c46815ecffbe..f8cdfbfdd5c4 100644
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -8,18 +8,13 @@ libFuzzer – a library for coverage-guided fuzz testing.
Introduction
============
-LibFuzzer is a library for in-process, coverage-guided, evolutionary fuzzing
-of other libraries.
+LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.
-LibFuzzer is similar in concept to American Fuzzy Lop (AFL_), but it performs
-all of its fuzzing inside a single process. This in-process fuzzing can be more
-restrictive and fragile, but is potentially much faster as there is no overhead
-for process start-up.
-
-The fuzzer is linked with the library under test, and feeds fuzzed inputs to the
+LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the
library via a specific fuzzing entrypoint (aka "target function"); the fuzzer
then tracks which areas of the code are reached, and generates mutations on the
-corpus of input data in order to maximize the code coverage. The code coverage
+corpus of input data in order to maximize the code coverage.
+The code coverage
information for libFuzzer is provided by LLVM's SanitizerCoverage_
instrumentation.
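Review bot: the new first sentence of the Introduction drops the article: "LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine." should read "LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine." Since the AFL_ comparison paragraph is removed here, check whether the `.. _AFL:` link target defined elsewhere in the file still has any other reference; if this was its only use, the target definition can go too. Splitting "The code coverage" onto its own line is harmless in reStructuredText, but reflowing the paragraph would keep the source tidy.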
@@ -28,8 +23,8 @@ Contact: libfuzzer(#)googlegroups.com
Versions
========
-LibFuzzer is under active development so a current (or at least very recent)
-version of Clang is the only supported variant.
+LibFuzzer is under active development so you will need the current
+(or at least a very recent) version of the Clang compiler.
(If `building Clang from trunk`_ is too time-consuming or difficult, then
the Clang binaries that the Chromium developers build are likely to be
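Review bot: the rewritten sentence needs a comma before the conjunction: "LibFuzzer is under active development, so you will need the current (or at least a very recent) version of the Clang compiler." Otherwise the rewording reads better than the old one.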
@@ -53,7 +48,6 @@ infrastructure and can be used for other projects without requiring the rest
of LLVM.
-
Getting Started
===============
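Review bot: this hunk removes a blank line directly above the "Getting Started" section title. Make sure at least one blank line still separates "of LLVM." from the title, otherwise reStructuredText will fold the title and its underline into the preceding paragraph instead of starting a section.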
@@ -83,13 +77,12 @@ options. Note that the libFuzzer library contains the ``main()`` function:
svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
# Alternative: get libFuzzer from a dedicated git mirror:
# git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
- clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
- ar ruv libFuzzer.a Fuzzer*.o
+ ./Fuzzer/build.sh # Produces libFuzzer.a
Then build the fuzzing target function and the library under test using
the SanitizerCoverage_ option, which instruments the code so that the fuzzer
can retrieve code coverage information (to guide the fuzzing). Linking with
-the libFuzzer code then gives an fuzzer executable.
+the libFuzzer code then gives a fuzzer executable.
You should also enable one or more of the *sanitizers*, which help to expose
latent bugs by making incorrect behavior generate errors at runtime:
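Review bot: replacing the explicit `clang++ -c -g -O2 -std=c++11 ...` / `ar ruv` lines with `./Fuzzer/build.sh` hides what the script needs and produces. A short sentence would help: that the script (presumably) expects a recent `clang++` on `PATH`, as the old command line did, and where `libFuzzer.a` lands so the later link step can find it. The "an fuzzer" to "a fuzzer" fix is good.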
@@ -834,7 +827,7 @@ Q. What about Windows then? The fuzzer contains code that does not build on Wind
Volunteers are welcome.
-Q. When this Fuzzer is not a good solution for a problem?
+Q. When libFuzzer is not a good solution for a problem?
---------------------------------------------------------
* If the test inputs are validated by the target library and the validator
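Review bot: the renamed FAQ heading is still not a grammatical question. "Q. When libFuzzer is not a good solution for a problem?" should read "Q. When is libFuzzer not a good solution for a problem?"; the existing underline is already long enough for the new title.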