From: Kostya Serebryany Date: Mon, 9 May 2016 19:29:53 +0000 (+0000) Subject: [libFuzzer] reshuffle docs X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=464c4e89a5fcaee8b10a685109d49046b3578982;p=llvm [libFuzzer] reshuffle docs git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268959 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst index e2f6d943b0d..d63f4938e00 100644 --- a/docs/LibFuzzer.rst +++ b/docs/LibFuzzer.rst @@ -52,41 +52,6 @@ infrastructure and can be used for other projects without requiring the rest of LLVM. -Corpus -====== - -Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the -code under test. This corpus should ideally be seeded with a varied collection -of valid and invalid inputs for the code under test; for example, for a graphics -library the initial corpus might hold a variety of different small PNG/JPG/GIF -files. The fuzzer generates random mutations based around the sample inputs in -the current corpus. If a mutation triggers execution of a previously-uncovered -path in the code under test, then that mutation is saved to the corpus for -future variations. - -LibFuzzer will work without any initial seeds, but will be less -efficient if the library under test accepts complex, -structured inputs. - -The corpus can also act as a sanity/regression check, to confirm that the -fuzzing entrypoint still works and that all of the sample inputs run through -the code under test without problems. - -If you have a large corpus (either generated by fuzzing or acquired by other means) -you may want to minimize it while still preserving the full coverage. One way to do that -is to use the `-merge=1` flag: - -.. code-block:: console - - mkdir NEW_CORPUS_DIR # Store minimized corpus here. - ./my-fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR - -You may use the same flag to add more interesting items to an existing corpus. -Only the inputs that trigger new coverage will be added to the first corpus. - -.. code-block:: console - - ./my-fuzzer -merge=1 CURRNT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR Getting Started =============== @@ -138,6 +103,43 @@ Finally, link with ``libFuzzer.a``:: clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer +Corpus +====== + +Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the +code under test. This corpus should ideally be seeded with a varied collection +of valid and invalid inputs for the code under test; for example, for a graphics +library the initial corpus might hold a variety of different small PNG/JPG/GIF +files. The fuzzer generates random mutations based around the sample inputs in +the current corpus. If a mutation triggers execution of a previously-uncovered +path in the code under test, then that mutation is saved to the corpus for +future variations. + +LibFuzzer will work without any initial seeds, but will be less +efficient if the library under test accepts complex, +structured inputs. + +The corpus can also act as a sanity/regression check, to confirm that the +fuzzing entrypoint still works and that all of the sample inputs run through +the code under test without problems. + +If you have a large corpus (either generated by fuzzing or acquired by other means) +you may want to minimize it while still preserving the full coverage. One way to do that +is to use the `-merge=1` flag: + +.. code-block:: console + + mkdir NEW_CORPUS_DIR # Store minimized corpus here. + ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR + +You may use the same flag to add more interesting items to an existing corpus. +Only the inputs that trigger new coverage will be added to the first corpus. + +.. code-block:: console + + ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR + + Running -------