| OLD | NEW |
| 1 # Efficient Fuzzer | 1 # Efficient Fuzzer |
| 2 | 2 |
| 3 This document describes ways to determine your fuzzer efficiency and ways | 3 This document describes ways to determine your fuzzer efficiency and ways |
| 4 to improve it. | 4 to improve it. |
| 5 | 5 |
| 6 ## Overview | 6 ## Overview |
| 7 | 7 |
| 8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting
* | 8 Being a coverage-driven fuzzer, libFuzzer considers a certain input *interesting
* |
| 9 if it results in new coverage. The set of all interesting inputs is called | 9 if it results in new coverage. The set of all interesting inputs is called |
| 10 *corpus*. | 10 *corpus*. |
| (...skipping 181 matching lines...) |
| 192 | 192 |
| 193 You can also access source-level coverage report locally: | 193 You can also access source-level coverage report locally: |
| 194 | 194 |
| 195 ```bash | 195 ```bash |
| 196 # produces binary .sancov file | 196 # produces binary .sancov file |
| 197 ASAN_OPTIONS=coverage=1 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus | 197 ASAN_OPTIONS=coverage=1 ./out/libfuzzer/my_fuzzer -runs=0 ~/tmp/my_fuzzer_corpus |
| 198 # Convert binary .sancov to symbolized .symcov file. | 198 # Convert binary .sancov to symbolized .symcov file. |
| 199 ./third_party/llvm-build/Release+Asserts/bin/sancov \ | 199 ./third_party/llvm-build/Release+Asserts/bin/sancov \ |
| 200 -symbolize my_fuzzer my_fuzzer.123.sancov > my_fuzzer.symcov | 200 -symbolize my_fuzzer my_fuzzer.123.sancov > my_fuzzer.symcov |
| 201 # Launch coverage report server | 201 # Launch coverage report server |
| 202 curl http://llvm.org/svn/llvm-project/llvm/trunk/tools/sancov/coverage-report-se
rver.py | python3 \ | 202 curl https://llvm.org/svn/llvm-project/llvm/trunk/tools/sancov/coverage-report-s
erver.py | python3 \ |
| 203 --symcov my_fuzzer.symcov --srcpath path_to_chromium_sources | 203 --symcov my_fuzzer.symcov --srcpath path_to_chromium_sources |
| 204 # Navigate to http://localhost:8001/ to view coverage report | 204 # Navigate to http://localhost:8001/ to view coverage report |
| 205 ``` | 205 ``` |
| 206 Replace `ASAN_OPTIONS` by corresponding option variable if your are using | 206 Replace `ASAN_OPTIONS` by corresponding option variable if your are using |
| 207 another sanitizer (e.g. `MSAN_OPTIONS`). | 207 another sanitizer (e.g. `MSAN_OPTIONS`). |
| 208 | 208 |
| 209 *NOTE: This is an experimental feature and an active area of work. We are | 209 *NOTE: This is an experimental feature and an active area of work. We are |
| 210 working on improving this process.* | 210 working on improving this process.* |
| 211 | 211 |
| 212 | 212 |
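Review bot: the http to https change on line 202 is the right fix, because the script that curl fetches is piped straight into python3, so over plain http an on-path attacker could substitute the code that runs with the developer's privileges. Two things still worth tightening in the same block: curl is invoked without `-f`, so on an HTTP error (for example a 404 from the llvm.org SVN mirror) curl exits 0 and the error page body is what python3 receives; `curl -fsSL https://llvm.org/svn/llvm-project/llvm/trunk/tools/sancov/coverage-report-server.py | python3 \` makes the step fail loudly instead, and downloading the script to a file and reading it before running it would be safer still. Also, line 206 has a typo: "if your are using" should read "if you are using".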
| (...skipping 32 matching lines...) |
| 245 ``` | 245 ``` |
| 246 | 246 |
| 247 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio
nary). | 247 Please note that `dict` parameter should be provided [separately](#Fuzzer-Dictio
nary). |
| 248 Other options may be passed through `libfuzzer_options` property. | 248 Other options may be passed through `libfuzzer_options` property. |
| 249 | 249 |
| 250 | 250 |
| 251 [AFL]: http://lcamtuf.coredump.cx/afl/ | 251 [AFL]: http://lcamtuf.coredump.cx/afl/ |
| 252 [ClusterFuzz status]: clusterfuzz.md#Status-Links | 252 [ClusterFuzz status]: clusterfuzz.md#Status-Links |
| 253 [Corpus GCS Bucket]: https://goto.google.com/libfuzzer-clusterfuzz-corpus | 253 [Corpus GCS Bucket]: https://goto.google.com/libfuzzer-clusterfuzz-corpus |
| 254 [issue 638836]: https://bugs.chromium.org/p/chromium/issues/detail?id=638836 | 254 [issue 638836]: https://bugs.chromium.org/p/chromium/issues/detail?id=638836 |
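Review bot: for consistency with the https change above, the reference link on line 251, `[AFL]: http://lcamtuf.coredump.cx/afl/`, is the only remaining plain-http URL in the visible part of this file; it is a documentation link rather than something that gets executed, so it is a minor follow-up, but switching it to https in this CL would avoid a second round-trip.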