path: root/llvm/docs/LibFuzzer.rst
authorKostya Serebryany <kcc@google.com>2016-10-26 01:55:17 +0000
committerKostya Serebryany <kcc@google.com>2016-10-26 01:55:17 +0000
commit8b6af7a9d33af51abdb829350d942e3588faf37c (patch)
tree711e81a1ce2b33ef886d08703a09ce6f61be7488 /llvm/docs/LibFuzzer.rst
parentf7bdbbcc58f8c07e877ef5e7dc0dddb7c75ebc88 (diff)
[libFuzzer] refresh docs
llvm-svn: 285157
Diffstat (limited to 'llvm/docs/LibFuzzer.rst')
-rw-r--r--llvm/docs/LibFuzzer.rst25
1 files changed, 9 insertions, 16 deletions
diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst
index c46815ecffb..f8cdfbfdd5c 100644
--- a/llvm/docs/LibFuzzer.rst
+++ b/llvm/docs/LibFuzzer.rst
@@ -8,18 +8,13 @@ libFuzzer – a library for coverage-guided fuzz testing.
Introduction
============
-LibFuzzer is a library for in-process, coverage-guided, evolutionary fuzzing
-of other libraries.
+LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.
-LibFuzzer is similar in concept to American Fuzzy Lop (AFL_), but it performs
-all of its fuzzing inside a single process. This in-process fuzzing can be more
-restrictive and fragile, but is potentially much faster as there is no overhead
-for process start-up.
-
-The fuzzer is linked with the library under test, and feeds fuzzed inputs to the
+LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the
library via a specific fuzzing entrypoint (aka "target function"); the fuzzer
then tracks which areas of the code are reached, and generates mutations on the
-corpus of input data in order to maximize the code coverage. The code coverage
+corpus of input data in order to maximize the code coverage.
+The code coverage
information for libFuzzer is provided by LLVM's SanitizerCoverage_
instrumentation.
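Review bot: the new first sentence is missing an article and should read "LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine." Two smaller points in the same hunk: the edit splits "maximize the code coverage. The code coverage" across a line break, leaving the fragment "The code coverage" on its own line and making the paragraph read oddly in the source; and dropping the AFL comparison also drops the one sentence that told readers why in-process fuzzing is both faster (no process start-up) and more fragile (a crash or leaked state in the target takes the whole fuzzer with it). If the comparison is being retired on purpose, consider keeping that trade-off sentence in the Introduction, since it explains the design constraint behind the target-function contract that the rest of the document relies on.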
@@ -28,8 +23,8 @@ Contact: libfuzzer(#)googlegroups.com
Versions
========
-LibFuzzer is under active development so a current (or at least very recent)
-version of Clang is the only supported variant.
+LibFuzzer is under active development so you will need the current
+(or at least a very recent) version of the Clang compiler.
(If `building Clang from trunk`_ is too time-consuming or difficult, then
the Clang binaries that the Chromium developers build are likely to be
@@ -53,7 +48,6 @@ infrastructure and can be used for other projects without requiring the rest
of LLVM.
-
Getting Started
===============
@@ -83,13 +77,12 @@ options. Note that the libFuzzer library contains the ``main()`` function:
svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
# Alternative: get libFuzzer from a dedicated git mirror:
# git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
- clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
- ar ruv libFuzzer.a Fuzzer*.o
+ ./Fuzzer/build.sh # Produces libFuzzer.a
Then build the fuzzing target function and the library under test using
the SanitizerCoverage_ option, which instruments the code so that the fuzzer
can retrieve code coverage information (to guide the fuzzing). Linking with
-the libFuzzer code then gives an fuzzer executable.
+the libFuzzer code then gives a fuzzer executable.
You should also enable one or more of the *sanitizers*, which help to expose
latent bugs by making incorrect behavior generate errors at runtime:
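Review bot: replacing the explicit "clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer" / "ar ruv libFuzzer.a Fuzzer*.o" lines with "./Fuzzer/build.sh # Produces libFuzzer.a" loses the only place the text showed which compiler and flags build the library. Since the Versions section a few lines earlier insists on a current Clang, the snippet should say how build.sh picks up that compiler (for example, which environment variable or argument selects it) so that a reader who has just built Clang from trunk does not silently link a libFuzzer.a produced by the system compiler. The "a fuzzer executable" grammar fix in the same hunk is fine.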
@@ -834,7 +827,7 @@ Q. What about Windows then? The fuzzer contains code that does not build on Wind
Volunteers are welcome.
-Q. When this Fuzzer is not a good solution for a problem?
+Q. When libFuzzer is not a good solution for a problem?
---------------------------------------------------------
* If the test inputs are validated by the target library and the validator
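Review bot: the retitled question is still ungrammatical; "Q. When libFuzzer is not a good solution for a problem?" should be "Q. When is libFuzzer not a good solution for a problem?". The reStructuredText underline on the following line is now longer than the title, which docutils accepts, but it is worth trimming to the new title length for consistency with the other FAQ headings.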