testing/libfuzzer/getting_started.md - Issue 1896123002: [libfuzzer] Update documentation on UBSan options and Upload Corpus section.

Side by Side Diff: testing/libfuzzer/getting_started.md

Issue 1896123002: [libfuzzer] Update documentation on UBSan options and Upload Corpus section. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Fixed nits, added documentation on seed corpus stored in the repo. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 # Getting Started with libFuzzer in Chrome	1 # Getting Started with libFuzzer in Chrome

2	2

3 *** note	3 *** note

4 Prerequisites: libFuzzer in Chrome is supported with GN on Linux only.	4 Prerequisites: libFuzzer in Chrome is supported with GN on Linux only.

5 ***	5 ***

6	6

7 This document will walk you through:	7 This document will walk you through:

8	8

9 * setting up your build enviroment.	9 * setting up your build enviroment.

10 * creating your first fuzzer.	10 * creating your first fuzzer.

11 * running the fuzzer and verifying its vitals.	11 * running the fuzzer and verifying its vitals.

12	12

13 ## Configure Build	13 ## Configure Build

14	14

15 Use `use_libfuzzer` GN argument together with sanitizer to generate build files:	15 Use `use_libfuzzer` GN argument together with sanitizer to generate build files:

16	16

17 ```bash	17 ```bash

18 # With address sanitizer	18 # With address sanitizer

19 gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check	19 gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check

20 ```	20 ```

21	21

22 Supported sanitizer configurations are:	22 Supported sanitizer configurations are:

23	23

24 \| GN Argument \| Description \|	24 \| GN Argument \| Description \|

25 \|--------------\|----\|	25 \|--------------\|----\|

26 \| is_asan=true \| enables [Address Sanitizer] to catch problems like buffer overr uns. \|	26 \| is_asan=true \| enables [Address Sanitizer] to catch problems like buffer overr uns. \|

27 \| is_msan=true \| enables [Memory Sanitizer] to catch problems like uninitialed r eads. \|	27 \| is_msan=true \| enables [Memory Sanitizer] to catch problems like uninitialed r eads. \|

28 \| is_ubsan_security=true \| enables [Undefined Behavior Sanitizer] to catch undef ined behavior like integer overflow. \|	28 \| is_ubsan_security=true \| enables [Undefined Behavior Sanitizer] to catch<sup>\ [[1](#Notes)\]</sup> undefined behavior like integer overflow. \|

29	29

30	30

31 ## Write Fuzzer Function	31 ## Write Fuzzer Function

32	32

33 Create a new .cc file and define a `LLVMFuzzerTestOneInput` function:	33 Create a new .cc file and define a `LLVMFuzzerTestOneInput` function:

34	34

35 ```cpp	35 ```cpp

36 extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {	36 extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {

37 // put your fuzzing code here and use data+size as input.	37 // put your fuzzing code here and use data+size as input.

38 return 0;	38 return 0;

(...skipping 55 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
94 The only thing you should do is to submit a fuzzer into Chrome.	94 The only thing you should do is to submit a fuzzer into Chrome.

95	95

96 ## Next Steps	96 ## Next Steps

97	97

98 * After your fuzzer is submitted, you should check its [ClusterFuzz status] in	98 * After your fuzzer is submitted, you should check its [ClusterFuzz status] in

99 a day or two.	99 a day or two.

100 * Check the [Efficient Fuzzer Guide] to better understand your fuzzer	100 * Check the [Efficient Fuzzer Guide] to better understand your fuzzer

101 performance and for optimization hints.	101 performance and for optimization hints.

102	102

103	103

	104 ## Notes

	105 [1] By default UBSan doesn't crash once undefined behavior has been detected.

	106 To make it crash the following additional option should be provided:

	107

	108 ```bash

	109 UBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path >

	110 ```

	111

	112 Other useful options (used by ClusterFuzz) are:

	113 ```bash

	114 UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_di rectory_or_single_testcase_path>
	aizatsky 2016/04/19 18:42:43 FYI: https://bugs.chromium.org/p/chromium/issues/d FYI: https://bugs.chromium.org/p/chromium/issues/detail?id=604823 mmoroz 2016/04/20 12:38:20 Acknowledged. Show quoted text On 2016/04/19 18:42:43, aizatsky wrote: > FYI: https://bugs.chromium.org/p/chromium/issues/detail?id=604823 Acknowledged.
	115 ```

	116

	117

104 [Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html	118 [Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html

105 [Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html	119 [Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html

106 [Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSani tizer.html	120 [Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSani tizer.html

107 [url_parse_fuzzer.cc]: https://code.google.com/p/chromium/codesearch#chromium/sr c/testing/libfuzzer/fuzzers/url_parse_fuzzer.cc	121 [url_parse_fuzzer.cc]: https://code.google.com/p/chromium/codesearch#chromium/sr c/testing/libfuzzer/fuzzers/url_parse_fuzzer.cc

108 [ClusterFuzz status]: clusterfuzz.md#Status-Links	122 [ClusterFuzz status]: clusterfuzz.md#Status-Links

109 [Efficient Fuzzer Guide]: efficient_fuzzer.md	123 [Efficient Fuzzer Guide]: efficient_fuzzer.md

110 [crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448	124 [crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448

OLD	NEW

« testing/libfuzzer/clusterfuzz.md ('K') | « testing/libfuzzer/efficient_fuzzer.md ('k') | no next file » | no next file with comments »