Chromium Code Reviews

Side by Side Diff: testing/libfuzzer/efficient_fuzzer.md

Issue 1867833002: [libfuzzer] store custom options in .GN build target instead of a separate file. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Update reference.md of libFuzzer & CF documentation. Created 4 years, 8 months ago
OLDNEW
1 # Efficient Fuzzer 1 # Efficient Fuzzer
2 2
3 This document describes ways to determine your fuzzer efficiency and ways 3 This document describes ways to determine your fuzzer efficiency and ways
4 to improve it. 4 to improve it.
5 5
6 ## Overview 6 ## Overview
7 7
8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting * 8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting *
9 if it results in new coverage. The set of all interesting inputs is called 9 if it results in new coverage. The set of all interesting inputs is called
10 *corpus*. 10 *corpus*.
(...skipping 71 matching lines...)
82 should contain hundreds (if not thousands) of items. 82 should contain hundreds (if not thousands) of items.
83 83
84 Too small corpus size indicates some code barrier that 84 Too small corpus size indicates some code barrier that
85 libFuzzer is having problems penetrating. Common cases include: checksums, 85 libFuzzer is having problems penetrating. Common cases include: checksums,
86 magic numbers etc. The easiest way to diagnose this problem is to generate a 86 magic numbers etc. The easiest way to diagnose this problem is to generate a
87 [coverage report](#Coverage). To fix the issue you can: 87 [coverage report](#Coverage). To fix the issue you can:
88 88
89 * change the code (e.g. disable crc checks while fuzzing) 89 * change the code (e.g. disable crc checks while fuzzing)
90 * prepare [corpus seed](#Corpus-Seed) 90 * prepare [corpus seed](#Corpus-Seed)
91 * prepare [fuzzer dictionary](#Fuzzer-Dictionary) 91 * prepare [fuzzer dictionary](#Fuzzer-Dictionary)
92 * specify [custom options](#Custom-Options)
92 93
93 ## Coverage 94 ## Coverage
94 95
95 You can easily generate source-level coverage report for a given corpus: 96 You can easily generate source-level coverage report for a given corpus:
96 97
97 ``` 98 ```
98 ASAN_OPTIONS=html_cov_report=1:sancov_path=./third_party/llvm-build/Release+Asse rts/bin/sancov \ 99 ASAN_OPTIONS=html_cov_report=1:sancov_path=./third_party/llvm-build/Release+Asse rts/bin/sancov \
99 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus 100 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus
100 ``` 101 ```
101 102
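Review bot: the new bullet "specify custom options" is the only one of the four that does not say what the action buys the reader; the first bullet gives a concrete hint ("disable crc checks while fuzzing"), and a similar parenthetical naming which kind of libFuzzer option helps against a checksum or magic-number barrier would make this one equally actionable. The `#Custom-Options` anchor follows the same convention as `#Corpus-Seed` and `#Fuzzer-Dictionary` and matches the `### Custom Options` heading added later in this patch, so the link itself is fine.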
(...skipping 58 matching lines...)
160 fuzzer_test("my_protocol_fuzzer") { 161 fuzzer_test("my_protocol_fuzzer") {
161 ... 162 ...
162 dict = "protocol.dict" 163 dict = "protocol.dict"
163 } 164 }
164 ``` 165 ```
165 166
166 Make sure to submit dictionary file to git. The dictionary will be used 167 Make sure to submit dictionary file to git. The dictionary will be used
167 automatically by ClusterFuzz once it picks up new fuzzer version (once a day). 168 automatically by ClusterFuzz once it picks up new fuzzer version (once a day).
168 169
169 170
171 ### Custom Options
172
173 It is possible to specify [libFuzzer parameters](http://llvm.org/docs/LibFuzzer. html#usage)
174 for any fuzzer being run at ClusterFuzz. Custom options will overwrite default
175 values provided by ClusterFuzz.
176
177 Just list all parameters in `libfuzzer_options` variable of build target:
178
179 ```
180 fuzzer_test("my_protocol_fuzzer") {
181 ...
182 libfuzzer_options = [
183 "max_len=2048",
184 "use_traces=1",
185 ]
186 }
187 ```
188
189 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio nary).
190 Other options may be passed through `libfuzzer_options` property.
191
192
170 [ClusterFuzz status]: ./clusterfuzz.md#Status-Links 193 [ClusterFuzz status]: ./clusterfuzz.md#Status-Links
171 [upload corpus to ClusterFuzz]: ./clusterfuzz.md#Upload-Corpus 194 [upload corpus to ClusterFuzz]: ./clusterfuzz.md#Upload-Corpus
172 [AFL]: http://lcamtuf.coredump.cx/afl/ 195 [AFL]: http://lcamtuf.coredump.cx/afl/
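Review bot: the example lists options as `"max_len=2048"` with no leading dash, while the libFuzzer usage page this section links to writes the same flags as `-max_len=2048`; the section should state which form `libfuzzer_options` expects and who adds the dash, otherwise readers copying from the linked page will write a different form than the example. The `dict` caveat on line 189 says the parameter must be provided separately but not what happens if someone puts `"dict=protocol.dict"` into `libfuzzer_options` anyway (silently ignored, rejected at build time, or passed through to ClusterFuzz with a path that may not exist there); one sentence settling that, or better a check in the template that consumes `libfuzzer_options`, would close the gap. Two smaller points: "overwrite default values" reads better as "override default values", and lines 191-192 leave two blank lines before the link reference block where the rest of the file uses one.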