Chromium Code Reviews
Side by Side Diff: testing/libfuzzer/getting_started.md

Issue 1896123002: [libfuzzer] Update documentation on UBSan options and Upload Corpus section. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Move instructions for corpus uploading into efficient_fuzzer. Created 4 years, 8 months ago
1 # Getting Started with libFuzzer in Chrome 1 # Getting Started with libFuzzer in Chrome
2 2
3 *** note 3 *** note
4 **Prerequisites:** libFuzzer in Chrome is supported with GN on Linux only. 4 **Prerequisites:** libFuzzer in Chrome is supported with GN on Linux only.
5 *** 5 ***
6 6
7 This document will walk you through: 7 This document will walk you through:
8 8
9 * setting up your build enviroment. 9 * setting up your build enviroment.
10 * creating your first fuzzer. 10 * creating your first fuzzer.
11 * running the fuzzer and verifying its vitals. 11 * running the fuzzer and verifying its vitals.
12 12
13 ## Configure Build 13 ## Configure Build
14 14
15 Use `use_libfuzzer` GN argument together with sanitizer to generate build files: 15 Use `use_libfuzzer` GN argument together with sanitizer to generate build files:
16 16
17 ```bash 17 ```bash
18 # With address sanitizer 18 # With address sanitizer
19 gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check 19 gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check
20 ``` 20 ```
21 21
22 Supported sanitizer configurations are: 22 Supported sanitizer configurations are:
23 23
24 | GN Argument | Description | 24 | GN Argument | Description |
25 |--------------|----| 25 |--------------|----|
26 | is_asan=true | enables [Address Sanitizer] to catch problems like buffer overr uns. | 26 | is_asan=true | enables [Address Sanitizer] to catch problems like buffer overr uns. |
27 | is_msan=true | enables [Memory Sanitizer] to catch problems like uninitialed r eads. | 27 | is_msan=true | enables [Memory Sanitizer] to catch problems like uninitialed r eads. |
28 | is_ubsan_security=true | enables [Undefined Behavior Sanitizer] to catch undef ined behavior like integer overflow. | 28 | is_ubsan_security=true | enables [Undefined Behavior Sanitizer] to catch<sup>\ [[1](#Notes)\]</sup> undefined behavior like integer overflow. |
29 29
30 30
31 ## Write Fuzzer Function 31 ## Write Fuzzer Function
32 32
33 Create a new .cc file and define a `LLVMFuzzerTestOneInput` function: 33 Create a new .cc file and define a `LLVMFuzzerTestOneInput` function:
34 34
35 ```cpp 35 ```cpp
36 extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { 36 extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
37 // put your fuzzing code here and use data+size as input. 37 // put your fuzzing code here and use data+size as input.
38 return 0; 38 return 0;
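Review bot: in line 28 the footnote marker `<sup>\[[1](#Notes)\]</sup>` is inserted between "catch" and "undefined behavior", which splits the sentence in the rendered table; move it to the end of the cell, after "integer overflow.", so the description reads as one sentence. While this table is being touched, "uninitialed reads" in line 27 should be "uninitialized reads", and "enviroment" in line 9 should be "environment"; both typos survive unchanged in the new side.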
(...skipping 55 matching lines...)
94 The only thing you should do is to submit a fuzzer into Chrome. 94 The only thing you should do is to submit a fuzzer into Chrome.
95 95
96 ## Next Steps 96 ## Next Steps
97 97
98 * After your fuzzer is submitted, you should check its [ClusterFuzz status] in 98 * After your fuzzer is submitted, you should check its [ClusterFuzz status] in
99 a day or two. 99 a day or two.
100 * Check the [Efficient Fuzzer Guide] to better understand your fuzzer 100 * Check the [Efficient Fuzzer Guide] to better understand your fuzzer
101 performance and for optimization hints. 101 performance and for optimization hints.
102 102
103 103
104 ## Notes
105 [1] By default UBSan doesn't crash once undefined behavior has been detected.
106 To make it crash the following additional option should be provided:
107
108 ```bash
109 UBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path >
110 ```
111
112 Other useful options (used by ClusterFuzz) are:
113 ```bash
114 UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_di rectory_or_single_testcase_path>
115 ```
116
117
104 [Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html 118 [Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html
105 [Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html 119 [Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html
106 [Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSani tizer.html 120 [Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSani tizer.html
107 [url_parse_fuzzer.cc]: https://code.google.com/p/chromium/codesearch#chromium/sr c/testing/libfuzzer/fuzzers/url_parse_fuzzer.cc 121 [url_parse_fuzzer.cc]: https://code.google.com/p/chromium/codesearch#chromium/sr c/testing/libfuzzer/fuzzers/url_parse_fuzzer.cc
108 [ClusterFuzz status]: clusterfuzz.md#Status-Links 122 [ClusterFuzz status]: clusterfuzz.md#Status-Links
109 [Efficient Fuzzer Guide]: efficient_fuzzer.md 123 [Efficient Fuzzer Guide]: efficient_fuzzer.md
110 [crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448 124 [crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448
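Review bot: lines 108-115 give two commands whose only difference is the added `symbolize=1` and `print_stacktrace=1`; a single recommended invocation, `UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_directory_or_single_testcase_path>`, would read more clearly and would keep a reader from copying the first form and getting a report with no stack trace. Line 105 says only that UBSan "doesn't crash" by default; the note should spell out what that means for a fuzzing session (the fuzzer keeps running past the report rather than stopping on the offending input), since that is the reason `halt_on_error=1` is required. The new `## Notes` heading matches the `#Notes` anchor used in line 28, so that link is consistent.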