Chromium Code Reviews
Side by Side Diff: testing/libfuzzer/efficient_fuzzer.md

Issue 2282703002: [libfuzzer] Add a note to the documentation about AFL and max_len parameter. (Closed)
Patch Set: Small fixes (writing in English isn't my best skill). Created 4 years, 3 months ago
1 # Efficient Fuzzer 1 # Efficient Fuzzer
2 2
3 This document describes ways to determine your fuzzer efficiency and ways 3 This document describes ways to determine your fuzzer efficiency and ways
4 to improve it. 4 to improve it.
5 5
6 ## Overview 6 ## Overview
7 7
8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting * 8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting *
9 if it results in new coverage. The set of all interesting inputs is called 9 if it results in new coverage. The set of all interesting inputs is called
10 *corpus*. 10 *corpus*.
(...skipping 56 matching lines...)
67 2) Increase the value defined on previous step. Check its influence on execution 67 2) Increase the value defined on previous step. Check its influence on execution
68 speed of fuzzer. If speed doesn't drop significantly for long inputs, it is fine 68 speed of fuzzer. If speed doesn't drop significantly for long inputs, it is fine
69 to have some bigger value for `-max_len`. 69 to have some bigger value for `-max_len`.
70 70
71 In general, bigger `-max_len` value gives better coverage. Coverage is main 71 In general, bigger `-max_len` value gives better coverage. Coverage is main
72 priority for fuzzing. However, low execution speed may result in waste of 72 priority for fuzzing. However, low execution speed may result in waste of
73 resources used for fuzzing. If large inputs make fuzzer too slow you have to 73 resources used for fuzzing. If large inputs make fuzzer too slow you have to
74 adjust value of `-max_len` and find a trade-off between coverage and execution 74 adjust value of `-max_len` and find a trade-off between coverage and execution
75 speed. 75 speed.
76 76
77 *Note:* ClusterFuzz runs two different fuzzing engines (**LibFuzzer** and
78 **AFL**) using the same target functions. AFL doesn't support `-max_len`
79 parameter and may provide input of any length to the target. If your target has
80 an input length limit that you would like to *strictly enforce*, it's
81 recommended to add a sanity check to the beginning of your target function:
82
83 ```
84 if (size > kSizeLimit)
85 return 0;
86 ```
87
88 For more information check out the discussion in [issue 638836].
89
77 90
78 ## Corpus Size 91 ## Corpus Size
79 92
80 After running for a while the fuzzer would reach a plateau and won't discover 93 After running for a while the fuzzer would reach a plateau and won't discover
81 new interesting input. Corpus for a reasonably complex functionality 94 new interesting input. Corpus for a reasonably complex functionality
82 should contain hundreds (if not thousands) of items. 95 should contain hundreds (if not thousands) of items.
83 96
84 Too small corpus size indicates some code barrier that 97 Too small corpus size indicates some code barrier that
85 libFuzzer is having problems penetrating. Common cases include: checksums, 98 libFuzzer is having problems penetrating. Common cases include: checksums,
86 magic numbers etc. The easiest way to diagnose this problem is to generate a 99 magic numbers etc. The easiest way to diagnose this problem is to generate a
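Review bot: the added note never says which value `kSizeLimit` should take, and since the `-max_len` bound is configured separately (through `libfuzzer_options`, as the end of this document explains) while `kSizeLimit` lives in the target source, the two can silently drift apart: libFuzzer would then explore inputs up to `-max_len` while AFL is cut off at `kSizeLimit`, or the other way round. Suggest stating explicitly that `kSizeLimit` must match the `-max_len` value the target is run with, and that the `if (size > kSizeLimit) return 0;` check has to be the first statement in the target, before `data` is touched, so an oversized input is rejected without being parsed at all. Two smaller points in the same lines: `**LibFuzzer**` should be `**libFuzzer**` to match the spelling used throughout the rest of this document (the Overview section spells it `libFuzzer`), and "sanity check" is more precise as "size check", which is what the snippet does.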
(...skipping 128 matching lines...)
215 } 228 }
216 ``` 229 ```
217 230
218 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio nary). 231 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio nary).
219 Other options may be passed through `libfuzzer_options` property. 232 Other options may be passed through `libfuzzer_options` property.
220 233
221 234
222 [AFL]: http://lcamtuf.coredump.cx/afl/ 235 [AFL]: http://lcamtuf.coredump.cx/afl/
223 [ClusterFuzz status]: clusterfuzz.md#Status-Links 236 [ClusterFuzz status]: clusterfuzz.md#Status-Links
224 [Corpus GCS Bucket]: https://goto.google.com/libfuzzer-clusterfuzz-corpus 237 [Corpus GCS Bucket]: https://goto.google.com/libfuzzer-clusterfuzz-corpus
238 [issue 638836]: https://bugs.chromium.org/p/chromium/issues/detail?id=638836