llvm.org GIT mirror llvm / 3506457
Move lib/Fuzzer docs from a README.txt to a proper .rst file. Summary: Move lib/Fuzzer docs from a README.txt to a proper .rst file. This change does not add any content, just formatting. Test Plan: n/a Reviewers: samsonov Reviewed By: samsonov Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D8710 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233638 91177308-0d34-0410-b5e6-96231b3b80d8 Kostya Serebryany 4 years ago
3 changed file(s) with 133 addition(s) and 111 deletion(s). Raw diff Collapse all Expand all
0 LibFuzzer -- a library for coverage-guided fuzz testing.
1 ========================================================
2
3 This library is intended primarily for in-process coverage-guided fuzz testing
4 (fuzzing) of other libraries. The typical workflow looks like this:
5
6 * Build the Fuzzer library as a static archive (or just a set of .o files).
7 Note that the Fuzzer contains the main() function.
8 Preferably do *not* use sanitizers while building the Fuzzer.
9 * Build the library you are going to test with -fsanitize-coverage=[234]
10 and one of the sanitizers. We recommend to build the library in several
11 different modes (e.g. asan, msan, lsan, ubsan, etc) and even using different
12 optimizations options (e.g. -O0, -O1, -O2) to diversify testing.
13 * Build a test driver using the same options as the library.
14 The test driver is a C/C++ file containing interesting calls to the library
15 inside a single function ``extern "C" void TestOneInput(const uint8_t *Data, size_t Size);``
16 * Link the Fuzzer, the library and the driver together into an executable
17 using the same sanitizer options as for the library.
18 * Collect the initial corpus of inputs for the
19 fuzzer (a directory with test inputs, one file per input).
20 The better your inputs are the faster you will find something interesting.
21 Also try to keep your inputs small, otherwise the Fuzzer will run too slow.
22 * Run the fuzzer with the test corpus. As new interesting test cases are
23 discovered they will be added to the corpus. If a bug is discovered by
24 the sanitizer (asan, etc) it will be reported as usual and the reproducer
25 will be written to disk.
26 Each Fuzzer process is single-threaded (unless the library starts its own
27 threads). You can run the Fuzzer on the same corpus in multiple processes.
28 in parallel. For run-time options run the Fuzzer binary with '-help=1'.
29
30
31 The Fuzzer is similar in concept to AFL (http://lcamtuf.coredump.cx/afl/),
32 but uses in-process Fuzzing, which is more fragile, more restrictive, but
33 potentially much faster as it has no overhead for process start-up.
34 It uses LLVM's "Sanitizer Coverage" instrumentation to get in-process
35 coverage-feedback https://code.google.com/p/address-sanitizer/wiki/AsanCoverage
36
37 The code resides in the LLVM repository and is (or will be) used by various
38 parts of LLVM, but the Fuzzer itself does not (and should not) depend on any
39 part of LLVM and can be used for other projects. Ideally, the Fuzzer's code
40 should not have any external dependencies. Right now it uses STL, which may need
41 to be fixed later. See also FAQ below.
42
43 Examples of usage in LLVM
44 =========================
45
46 clang-format-fuzzer
47 -------------------
48 The inputs are random pieces of C++-like text.
49
50 Build (make sure to use fresh clang as the host compiler)::
51
52 cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=YES -DCMAKE_BUILD_TYPE=Release /path/to/llvm
53 ninja clang-format-fuzzer
54 mkdir CORPUS_DIR
55 ./bin/clang-format-fuzzer CORPUS_DIR
56
57 Optionally build other kinds of binaries (asan+Debug, msan, ubsan, etc).
58
59 TODO: commit the pre-fuzzed corpus to svn (?).
60
61 Toy example
62 -------------------
63
64 See lib/Fuzzer/test/SimpleTest.cpp.
65 A simple function that does something interesting if it receives bytes "Hi!"::
66
67 # Build the Fuzzer with asan:
68 clang++ -std=c++11 -fsanitize=address -fsanitize-coverage=3 -O1 -g Fuzzer*.cpp test/SimpleTest.cpp
69 # Run the fuzzer with no corpus (assuming on empty input)
70 ./a.out
71
72 FAQ
73 =========================
74
75 Q. Why Fuzzer does not use any of the LLVM support?
76 ---------------------------------------------------
77
78 There are two reasons.
79
80 First, we want this library to be used outside of the LLVM w/o users having to
81 build the rest of LLVM. This may sound unconvincing for many LLVM folks,
82 but in practice the need for building the whole LLVM frightens many potential
83 users -- and we want more users to use this code.
84
85 Second, there is a subtle technical reason not to rely on the rest of LLVM, or
86 any other large body of code (maybe not even STL). When coverage instrumentation
87 is enabled, it will also instrument the LLVM support code which will blow up the
88 coverage set of the process (since the fuzzer is in-process). In other words, by
89 using more external dependencies we will slow down the fuzzer while the main
90 reason for it to exist is extreme speed.
91
92 Q. What about Windows then? The Fuzzer contains code that does not build on Windows.
93 ------------------------------------------------------------------------------------
94
95 The sanitizer coverage support does not work on Windows either as of 01/2015.
96 Once it's there, we'll need to re-implement OS-specific parts (I/O, signals).
97
98 Q. When this Fuzzer is not a good solution for a problem?
99 ---------------------------------------------------------
100
101 * If the test inputs are validated by the target library and the validator
102 asserts/crashes on invalid inputs, the in-process fuzzer is not applicable
103 (we could use fork() w/o exec, but it comes with extra overhead).
104 * Bugs in the target library may accumulate w/o being detected. E.g. a memory
105 corruption that goes undetected at first and then leads to a crash while
106 testing another input. This is why it is highly recommended to run this
107 in-process fuzzer with all sanitizers to detect most bugs on the spot.
108 * It is harder to protect the in-process fuzzer from excessive memory
109 consumption and infinite loops in the target library (still possible).
110 * The target library should not have significant global state that is not
111 reset between the runs.
112 * Many interesting target libs are not designed in a way that supports
113 the in-process fuzzer interface (e.g. require a file path instead of a
114 byte array).
115 * If a single test run takes a considerable fraction of a second (or
116 more) the speed benefit from the in-process fuzzer is negligible.
117 * If the target library runs persistent threads (that outlive
118 execution of one test) the fuzzing results will be unreliable.
119
120 Q. So, what exactly this Fuzzer is good for?
121 --------------------------------------------
122
123 This Fuzzer might be a good choice for testing libraries that have relatively
124 small inputs, each input takes < 1ms to run, and the library code is not expected
125 to crash on invalid inputs.
126 Examples: regular expression matchers, text or binary format parsers.
127
176176 HowToSetUpLLVMStyleRTTI
177177 ProgrammersManual
178178 Extensions
179 LibFuzzer
179180
180181 :doc:`LLVM Language Reference Manual `
181182 Defines the LLVM intermediate representation and the assembly form of the
216217
217218 :doc:`CompilerWriterInfo`
218219 A list of helpful links for compiler writers.
220
221 :doc:`LibFuzzer`
222 A library for writing in-process guided fuzzers.
219223
220224 Subsystem Documentation
221225 =======================
None ===============================
1 Fuzzer -- a library for coverage-guided fuzz testing.
2 ===============================
0 Move to http://llvm.org/docs/LibFuzzer.html
31
4 This library is intended primarily for in-process coverage-guided fuzz testing
5 (fuzzing) of other libraries. The typical workflow looks like this:
6
7 * Build the Fuzzer library as a static archive (or just a set of .o files).
8 Note that the Fuzzer contains the main() function.
9 Preferably do *not* use sanitizers while building the Fuzzer.
10 * Build the library you are going to test with -fsanitize-coverage=[234]
11 and one of the sanitizers. We recommend to build the library in several
12 different modes (e.g. asan, msan, lsan, ubsan, etc) and even using different
13 optimizations options (e.g. -O0, -O1, -O2) to diversify testing.
14 * Build a test driver using the same options as the library.
15 The test driver is a C/C++ file containing interesting calls to the library
16 inside a single function:
17 extern "C" void TestOneInput(const uint8_t *Data, size_t Size);
18 * Link the Fuzzer, the library and the driver together into an executable
19 using the same sanitizer options as for the library.
20 * Collect the initial corpus of inputs for the
21 fuzzer (a directory with test inputs, one file per input).
22 The better your inputs are the faster you will find something interesting.
23 Also try to keep your inputs small, otherwise the Fuzzer will run too slow.
24 * Run the fuzzer with the test corpus. As new interesting test cases are
25 discovered they will be added to the corpus. If a bug is discovered by
26 the sanitizer (asan, etc) it will be reported as usual and the reproducer
27 will be written to disk.
28 Each Fuzzer process is single-threaded (unless the library starts its own
29 threads). You can run the Fuzzer on the same corpus in multiple processes.
30 in parallel. For run-time options run the Fuzzer binary with '-help=1'.
31
32
33 The Fuzzer is similar in concept to AFL (http://lcamtuf.coredump.cx/afl/),
34 but uses in-process Fuzzing, which is more fragile, more restrictive, but
35 potentially much faster as it has no overhead for process start-up.
36 It uses LLVM's "Sanitizer Coverage" instrumentation to get in-process
37 coverage-feedback https://code.google.com/p/address-sanitizer/wiki/AsanCoverage
38
39 The code resides in the LLVM repository and is (or will be) used by various
40 parts of LLVM, but the Fuzzer itself does not (and should not) depend on any
41 part of LLVM and can be used for other projects. Ideally, the Fuzzer's code
42 should not have any external dependencies. Right now it uses STL, which may need
43 to be fixed later. See also F.A.Q. below.
44
45 Examples of usage in LLVM:
46 * clang-format-fuzzer. The inputs are random pieces of C++-like text.
47 * Build (make sure to use fresh clang as the host compiler):
48 cmake -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
49 -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=YES \
50 /path/to/llvm -DCMAKE_BUILD_TYPE=Release
51 ninja clang-format-fuzzer
52 * Optionally build other kinds of binaries (asan+Debug, msan, ubsan, etc)
53 * TODO: commit the pre-fuzzed corpus to svn (?).
54 * Run:
55 clang-format-fuzzer CORPUS_DIR
56
57 Toy example (see SimpleTest.cpp):
58 a simple function that does something interesting if it receives bytes "Hi!".
59 # Build the Fuzzer with asan:
60 % clang++ -std=c++11 -fsanitize=address -fsanitize-coverage=3 -O1 -g \
61 Fuzzer*.cpp test/SimpleTest.cpp
62 # Run the fuzzer with no corpus (assuming on empty input)
63 % ./a.out
64
65 ===============================================================================
66 F.A.Q.
67
68 Q. Why Fuzzer does not use any of the LLVM support?
69 A. There are two reasons.
70 First, we want this library to be used outside of the LLVM w/o users having to
71 build the rest of LLVM. This may sound unconvincing for many LLVM folks,
72 but in practice the need for building the whole LLVM frightens many potential
73 users -- and we want more users to use this code.
74 Second, there is a subtle technical reason not to rely on the rest of LLVM, or
75 any other large body of code (maybe not even STL). When coverage instrumentation
76 is enabled, it will also instrument the LLVM support code which will blow up the
77 coverage set of the process (since the fuzzer is in-process). In other words, by
78 using more external dependencies we will slow down the fuzzer while the main
79 reason for it to exist is extreme speed.
80
81 Q. What about Windows then? The Fuzzer contains code that does not build on
82 Windows.
83 A. The sanitizer coverage support does not work on Windows either as of 01/2015.
84 Once it's there, we'll need to re-implement OS-specific parts (I/O, signals).
85
86 Q. When this Fuzzer is not a good solution for a problem?
87 A.
88 * If the test inputs are validated by the target library and the validator
89 asserts/crashes on invalid inputs, the in-process fuzzer is not applicable
90 (we could use fork() w/o exec, but it comes with extra overhead).
91 * Bugs in the target library may accumulate w/o being detected. E.g. a memory
92 corruption that goes undetected at first and then leads to a crash while
93 testing another input. This is why it is highly recommended to run this
94 in-process fuzzer with all sanitizers to detect most bugs on the spot.
95 * It is harder to protect the in-process fuzzer from excessive memory
96 consumption and infinite loops in the target library (still possible).
97 * The target library should not have significant global state that is not
98 reset between the runs.
99 * Many interesting target libs are not designed in a way that supports
100 the in-process fuzzer interface (e.g. require a file path instead of a
101 byte array).
102 * If a single test run takes a considerable fraction of a second (or
103 more) the speed benefit from the in-process fuzzer is negligible.
104 * If the target library runs persistent threads (that outlive
105 execution of one test) the fuzzing results will be unreliable.
106
107 Q. So, what exactly this Fuzzer is good for?
108 A. This Fuzzer might be a good choice for testing libraries that have relatively
109 small inputs, each input takes < 1ms to run, and the library code is not expected
110 to crash on invalid inputs.
111 Examples: regular expression matchers, text or binary format parsers.