[libFuzzer] reshuffle docs

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268959 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index e2f6d943b0dae18661718d01078d5a9d7a51dad7..d63f4938e00249af344c201162509141fc5ff117 100644 (file)
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -52,41 +52,6 @@ infrastructure and can be used for other projects without requiring the rest
 of LLVM.
 
 
-Corpus
-======
-
-Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
-code under test.  This corpus should ideally be seeded with a varied collection
-of valid and invalid inputs for the code under test; for example, for a graphics
-library the initial corpus might hold a variety of different small PNG/JPG/GIF
-files.  The fuzzer generates random mutations based around the sample inputs in
-the current corpus.  If a mutation triggers execution of a previously-uncovered
-path in the code under test, then that mutation is saved to the corpus for
-future variations.
-
-LibFuzzer will work without any initial seeds, but will be less
-efficient if the library under test accepts complex,
-structured inputs.
-
-The corpus can also act as a sanity/regression check, to confirm that the
-fuzzing entrypoint still works and that all of the sample inputs run through
-the code under test without problems.
-
-If you have a large corpus (either generated by fuzzing or acquired by other means)
-you may want to minimize it while still preserving the full coverage. One way to do that
-is to use the `-merge=1` flag:
-
-.. code-block:: console
-
-  mkdir NEW_CORPUS_DIR  # Store minimized corpus here.
-  ./my-fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
-
-You may use the same flag to add more interesting items to an existing corpus.
-Only the inputs that trigger new coverage will be added to the first corpus.
-
-.. code-block:: console
-
-  ./my-fuzzer -merge=1 CURRNT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
 
 Getting Started
 ===============
@@ -138,6 +103,43 @@ Finally, link with ``libFuzzer.a``::
 
   clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
 
+Corpus
+======
+
+Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
+code under test.  This corpus should ideally be seeded with a varied collection
+of valid and invalid inputs for the code under test; for example, for a graphics
+library the initial corpus might hold a variety of different small PNG/JPG/GIF
+files.  The fuzzer generates random mutations based around the sample inputs in
+the current corpus.  If a mutation triggers execution of a previously-uncovered
+path in the code under test, then that mutation is saved to the corpus for
+future variations.
+
+LibFuzzer will work without any initial seeds, but will be less
+efficient if the library under test accepts complex,
+structured inputs.
+
+The corpus can also act as a sanity/regression check, to confirm that the
+fuzzing entrypoint still works and that all of the sample inputs run through
+the code under test without problems.
+
+If you have a large corpus (either generated by fuzzing or acquired by other means)
+you may want to minimize it while still preserving the full coverage. One way to do that
+is to use the `-merge=1` flag:
+
+.. code-block:: console
+
+  mkdir NEW_CORPUS_DIR  # Store minimized corpus here.
+  ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
+
+You may use the same flag to add more interesting items to an existing corpus.
+Only the inputs that trigger new coverage will be added to the first corpus.
+
+.. code-block:: console
+
+  ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
+
+
 Running
 -------