Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 1 | ======================================================= |
| 2 | libFuzzer – a library for coverage-guided fuzz testing. |
| 3 | ======================================================= |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 4 | .. contents:: |
| 5 | :local: |
Kostya Serebryany | d11dc17 | 2016-03-12 02:56:25 +0000 | [diff] [blame] | 6 | :depth: 1 |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 7 | |
| 8 | Introduction |
| 9 | ============ |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 10 | |
Kostya Serebryany | 8b6af7a | 2016-10-26 01:55:17 +0000 | [diff] [blame] | 11 | LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 12 | |
Kostya Serebryany | 8b6af7a | 2016-10-26 01:55:17 +0000 | [diff] [blame] | 13 | LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 14 | library via a specific fuzzing entrypoint (aka "target function"); the fuzzer |
| 15 | then tracks which areas of the code are reached, and generates mutations on the |
Kostya Serebryany | 8b6af7a | 2016-10-26 01:55:17 +0000 | [diff] [blame] | 16 | corpus of input data in order to maximize the code coverage. |
| 17 | The code coverage |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 18 | information for libFuzzer is provided by LLVM's SanitizerCoverage_ |
| 19 | instrumentation. |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 20 | |
Kostya Serebryany | 9ded49e | 2016-06-02 05:45:42 +0000 | [diff] [blame] | 21 | Contact: libfuzzer(#)googlegroups.com |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 22 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 23 | Versions |
| 24 | ======== |
Kostya Serebryany | d11dc17 | 2016-03-12 02:56:25 +0000 | [diff] [blame] | 25 | |
Kostya Serebryany | 8b6af7a | 2016-10-26 01:55:17 +0000 | [diff] [blame] | 26 | LibFuzzer is under active development so you will need the current |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 27 | (or at least a very recent) version of the Clang compiler (see `building Clang from trunk`_) |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 28 | |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 29 | Refer to https://releases.llvm.org/5.0.0/docs/LibFuzzer.html for documentation on the older version. |
Kostya Serebryany | bfbe7fc | 2016-02-02 03:03:47 +0000 | [diff] [blame] | 30 | |
Kostya Serebryany | bfbe7fc | 2016-02-02 03:03:47 +0000 | [diff] [blame] | 31 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 32 | Getting Started |
| 33 | =============== |
| 34 | |
| 35 | .. contents:: |
| 36 | :local: |
| 37 | :depth: 1 |
| 38 | |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 39 | Fuzz Target |
| 40 | ----------- |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 41 | |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 42 | The first step in using libFuzzer on a library is to implement a |
| 43 | *fuzz target* -- a function that accepts an array of bytes and |
| 44 | does something interesting with these bytes using the API under test. |
| 45 | Like this: |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 46 | |
| 47 | .. code-block:: c++ |
| 48 | |
| 49 | // fuzz_target.cc |
| 50 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { |
| 51 | DoSomethingInterestingWithMyAPI(Data, Size); |
| 52 | return 0; // Non-zero return values are reserved for future use. |
| 53 | } |
| 54 | |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 55 | Note that this fuzz target does not depend on libFuzzer in any way |
Kostya Serebryany | b506466 | 2016-11-08 21:57:37 +0000 | [diff] [blame] | 56 | and so it is possible and even desirable to use it with other fuzzing engines |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 57 | e.g. AFL_ and/or Radamsa_. |
| 58 | |
| 59 | Some important things to remember about fuzz targets: |
| 60 | |
| 61 | * The fuzzing engine will execute the fuzz target many times with different inputs in the same process. |
| 62 | * It must tolerate any kind of input (empty, huge, malformed, etc). |
| 63 | * It must not `exit()` on any input. |
Kostya Serebryany | 82ff4e7 | 2016-10-28 16:55:29 +0000 | [diff] [blame] | 64 | * It may use threads but ideally all threads should be joined at the end of the function. |
Kostya Serebryany | b506466 | 2016-11-08 21:57:37 +0000 | [diff] [blame] | 65 | * It must be as deterministic as possible. Non-determinism (e.g. random decisions not based on the input bytes) will make fuzzing inefficient. |
| 66 | * It must be fast. Try avoiding cubic or greater complexity, logging, or excessive memory consumption. |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 67 | * Ideally, it should not modify any global state (although that's not strict). |
Kostya Serebryany | 8efb35b | 2016-12-14 01:31:21 +0000 | [diff] [blame] | 68 | * Usually, the narrower the target the better. E.g. if your target can parse several data formats, split it into several targets, one per format. |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 69 | |
| 70 | |
George Karpenkov | 0d447d5 | 2017-04-24 18:39:52 +0000 | [diff] [blame] | 71 | Fuzzer Usage |
| 72 | ------------ |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 73 | |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 74 | Recent versions of Clang (starting from 6.0) include libFuzzer, and no extra installation is necessary. |
George Karpenkov | 0d447d5 | 2017-04-24 18:39:52 +0000 | [diff] [blame] | 75 | |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 76 | In order to build your fuzzer binary, use the `-fsanitize=fuzzer` flag during the |
| 77 | compilation and linking. In most cases you may want to combine libFuzzer with |
Matt Morehouse | d7df627 | 2018-07-19 17:59:11 +0000 | [diff] [blame] | 78 | AddressSanitizer_ (ASAN), UndefinedBehaviorSanitizer_ (UBSAN), or both. You can |
| 79 | also build with MemorySanitizer_ (MSAN), but support is experimental:: |
George Karpenkov | 0d447d5 | 2017-04-24 18:39:52 +0000 | [diff] [blame] | 80 | |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 81 | clang -g -O1 -fsanitize=fuzzer mytarget.c # Builds the fuzz target w/o sanitizers |
| 82 | clang -g -O1 -fsanitize=fuzzer,address mytarget.c # Builds the fuzz target with ASAN |
| 83 | clang -g -O1 -fsanitize=fuzzer,signed-integer-overflow mytarget.c # Builds the fuzz target with a part of UBSAN |
Matt Morehouse | d7df627 | 2018-07-19 17:59:11 +0000 | [diff] [blame] | 84 | clang -g -O1 -fsanitize=fuzzer,memory mytarget.c # Builds the fuzz target with MSAN |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 85 | |
| 86 | This will perform the necessary instrumentation, as well as linking with the libFuzzer library. |
| 87 | Note that ``-fsanitize=fuzzer`` links in the libFuzzer's ``main()`` symbol. |
| 88 | |
George Karpenkov | 73b7e78 | 2017-08-11 17:23:45 +0000 | [diff] [blame] | 89 | If modifying ``CFLAGS`` of a large project, which also compiles executables |
| 90 | requiring their own ``main`` symbol, it may be desirable to request just the |
| 91 | instrumentation without linking:: |
| 92 | |
| 93 | clang -fsanitize=fuzzer-no-link mytarget.c |
| 94 | |
| 95 | Then libFuzzer can be linked to the desired driver by passing in |
| 96 | ``-fsanitize=fuzzer`` during the linking stage. |
| 97 | |
Justin Bogner | fd5b2a0 | 2017-10-12 01:44:24 +0000 | [diff] [blame] | 98 | .. _libfuzzer-corpus: |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 99 | |
Kostya Serebryany | abfac46 | 2016-05-09 19:29:53 +0000 | [diff] [blame] | 100 | Corpus |
Kostya Serebryany | a2dfae1 | 2016-05-09 19:32:10 +0000 | [diff] [blame] | 101 | ------ |
Kostya Serebryany | abfac46 | 2016-05-09 19:29:53 +0000 | [diff] [blame] | 102 | |
| 103 | Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the |
| 104 | code under test. This corpus should ideally be seeded with a varied collection |
| 105 | of valid and invalid inputs for the code under test; for example, for a graphics |
| 106 | library the initial corpus might hold a variety of different small PNG/JPG/GIF |
| 107 | files. The fuzzer generates random mutations based around the sample inputs in |
| 108 | the current corpus. If a mutation triggers execution of a previously-uncovered |
| 109 | path in the code under test, then that mutation is saved to the corpus for |
| 110 | future variations. |
| 111 | |
| 112 | LibFuzzer will work without any initial seeds, but will be less |
| 113 | efficient if the library under test accepts complex, |
| 114 | structured inputs. |
| 115 | |
| 116 | The corpus can also act as a sanity/regression check, to confirm that the |
| 117 | fuzzing entrypoint still works and that all of the sample inputs run through |
| 118 | the code under test without problems. |
| 119 | |
| 120 | If you have a large corpus (either generated by fuzzing or acquired by other means) |
| 121 | you may want to minimize it while still preserving the full coverage. One way to do that |
| 122 | is to use the `-merge=1` flag: |
| 123 | |
| 124 | .. code-block:: console |
| 125 | |
| 126 | mkdir NEW_CORPUS_DIR # Store minimized corpus here. |
| 127 | ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR |
| 128 | |
| 129 | You may use the same flag to add more interesting items to an existing corpus. |
| 130 | Only the inputs that trigger new coverage will be added to the first corpus. |
| 131 | |
| 132 | .. code-block:: console |
| 133 | |
| 134 | ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR |
| 135 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 136 | Running |
| 137 | ------- |
| 138 | |
| 139 | To run the fuzzer, first create a Corpus_ directory that holds the |
| 140 | initial "seed" sample inputs: |
| 141 | |
| 142 | .. code-block:: console |
| 143 | |
| 144 | mkdir CORPUS_DIR |
| 145 | cp /some/input/samples/* CORPUS_DIR |
| 146 | |
| 147 | Then run the fuzzer on the corpus directory: |
| 148 | |
| 149 | .. code-block:: console |
| 150 | |
| 151 | ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ... |
| 152 | |
| 153 | As the fuzzer discovers new interesting test cases (i.e. test cases that |
| 154 | trigger coverage of new paths through the code under test), those test cases |
| 155 | will be added to the corpus directory. |
| 156 | |
| 157 | By default, the fuzzing process will continue indefinitely – at least until |
| 158 | a bug is found. Any crashes or sanitizer failures will be reported as usual, |
| 159 | stopping the fuzzing process, and the particular input that triggered the bug |
Kostya Serebryany | 2fe9304 | 2016-04-29 18:49:55 +0000 | [diff] [blame] | 160 | will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``, |
| 161 | or ``timeout-<sha1>``). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 162 | |
| 163 | |
| 164 | Parallel Fuzzing |
| 165 | ---------------- |
| 166 | |
| 167 | Each libFuzzer process is single-threaded, unless the library under test starts |
| 168 | its own threads. However, it is possible to run multiple libFuzzer processes in |
| 169 | parallel with a shared corpus directory; this has the advantage that any new |
| 170 | inputs found by one fuzzer process will be available to the other fuzzer |
| 171 | processes (unless you disable this with the ``-reload=0`` option). |
| 172 | |
| 173 | This is primarily controlled by the ``-jobs=N`` option, which indicates that |
| 174 | that `N` fuzzing jobs should be run to completion (i.e. until a bug is found or |
| 175 | time/iteration limits are reached). These jobs will be run across a set of |
| 176 | worker processes, by default using half of the available CPU cores; the count of |
| 177 | worker processes can be overridden by the ``-workers=N`` option. For example, |
| 178 | running with ``-jobs=30`` on a 12-core machine would run 6 workers by default, |
| 179 | with each worker averaging 5 bugs by completion of the entire process. |
| 180 | |
Kostya Serebryany | 9c9a8a9 | 2019-02-21 00:32:30 +0000 | [diff] [blame] | 181 | Fork mode |
| 182 | --------- |
| 183 | |
| 184 | **Experimental** mode ``-fork=N`` (where ``N`` is the number of parallel jobs) |
| 185 | enables oom-, timeout-, and crash-resistant |
| 186 | fuzzing with separate processes (using ``fork-exec``, not just ``fork``). |
| 187 | |
| 188 | The top libFuzzer process will not do any fuzzing itself, but will |
| 189 | spawn up to ``N`` concurrent child processes providing them |
| 190 | small random subsets of the corpus. After a child exits, the top process |
| 191 | merges the corpus generated by the child back to the main corpus. |
| 192 | |
| 193 | Related flags: |
Kostya Serebryany | 2ea42b3 | 2019-02-21 00:43:46 +0000 | [diff] [blame] | 194 | |
Kostya Serebryany | 9c9a8a9 | 2019-02-21 00:32:30 +0000 | [diff] [blame] | 195 | ``-ignore_ooms`` |
| 196 | True by default. If an OOM happens during fuzzing in one of the child processes, |
| 197 | the reproducer is saved on disk, and fuzzing continues. |
| 198 | ``-ignore_timeouts`` |
| 199 | True by default, same as ``-ignore_ooms``, but for timeouts. |
| 200 | ``-ignore_crashes`` |
| 201 | False by default, same as ``-ignore_ooms``, but for all other crashes. |
| 202 | |
| 203 | The plan is to eventually replace ``-jobs=N`` and ``-workers=N`` with ``-fork=N``. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 204 | |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 205 | Resuming merge |
| 206 | -------------- |
| 207 | |
| 208 | Merging large corpora may be time consuming, and it is often desirable to do it |
| 209 | on preemptable VMs, where the process may be killed at any time. |
| 210 | In order to seamlessly resume the merge, use the ``-merge_control_file`` flag |
| 211 | and use ``killall -SIGUSR1 /path/to/fuzzer/binary`` to stop the merge gracefully. Example: |
| 212 | |
| 213 | .. code-block:: console |
| 214 | |
| 215 | % rm -f SomeLocalPath |
| 216 | % ./my_fuzzer CORPUS1 CORPUS2 -merge=1 -merge_control_file=SomeLocalPath |
| 217 | ... |
| 218 | MERGE-INNER: using the control file 'SomeLocalPath' |
| 219 | ... |
| 220 | # While this is running, do `killall -SIGUSR1 my_fuzzer` in another console |
| 221 | ==9015== INFO: libFuzzer: exiting as requested |
| 222 | |
| 223 | # This will leave the file SomeLocalPath with the partial state of the merge. |
| 224 | # Now, you can continue the merge by executing the same command. The merge |
| 225 | # will continue from where it has been interrupted. |
| 226 | % ./my_fuzzer CORPUS1 CORPUS2 -merge=1 -merge_control_file=SomeLocalPath |
| 227 | ... |
| 228 | MERGE-OUTER: non-empty control file provided: 'SomeLocalPath' |
| 229 | MERGE-OUTER: control file ok, 32 files total, first not processed file 20 |
| 230 | ... |
| 231 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 232 | Options |
| 233 | ======= |
| 234 | |
| 235 | To run the fuzzer, pass zero or more corpus directories as command line |
| 236 | arguments. The fuzzer will read test inputs from each of these corpus |
| 237 | directories, and any new test inputs that are generated will be written |
| 238 | back to the first corpus directory: |
| 239 | |
| 240 | .. code-block:: console |
| 241 | |
| 242 | ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ] |
| 243 | |
| 244 | If a list of files (rather than directories) are passed to the fuzzer program, |
| 245 | then it will re-run those files as test inputs but will not perform any fuzzing. |
| 246 | In this mode the fuzzer binary can be used as a regression test (e.g. on a |
| 247 | continuous integration system) to check the target function and saved inputs |
| 248 | still work. |
| 249 | |
| 250 | The most important command line options are: |
| 251 | |
| 252 | ``-help`` |
Max Moroz | 2ddff6f | 2020-02-03 14:40:08 -0800 | [diff] [blame] | 253 | Print help message (``-help=1``). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 254 | ``-seed`` |
| 255 | Random seed. If 0 (the default), the seed is generated. |
| 256 | ``-runs`` |
| 257 | Number of individual test runs, -1 (the default) to run indefinitely. |
| 258 | ``-max_len`` |
| 259 | Maximum length of a test input. If 0 (the default), libFuzzer tries to guess |
| 260 | a good value based on the corpus (and reports it). |
Max Moroz | 2ddff6f | 2020-02-03 14:40:08 -0800 | [diff] [blame] | 261 | ``-len_control`` |
Kostya Serebryany | 9aac4c1 | 2019-03-18 22:20:47 +0000 | [diff] [blame] | 262 | Try generating small inputs first, then try larger inputs over time. |
| 263 | Specifies the rate at which the length limit is increased (smaller == faster). |
| 264 | Default is 100. If 0, immediately try inputs with size up to max_len. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 265 | ``-timeout`` |
| 266 | Timeout in seconds, default 1200. If an input takes longer than this timeout, |
| 267 | the process is treated as a failure case. |
Kostya Serebryany | 8b8f7a3 | 2016-05-06 23:38:07 +0000 | [diff] [blame] | 268 | ``-rss_limit_mb`` |
| 269 | Memory usage limit in Mb, default 2048. Use 0 to disable the limit. |
| 270 | If an input requires more than this amount of RSS memory to execute, |
| 271 | the process is treated as a failure case. |
| 272 | The limit is checked in a separate thread every second. |
| 273 | If running w/o ASAN/MSAN, you may use 'ulimit -v' instead. |
Kostya Serebryany | de9bafb | 2017-12-01 22:12:04 +0000 | [diff] [blame] | 274 | ``-malloc_limit_mb`` |
| 275 | If non-zero, the fuzzer will exit if the target tries to allocate this |
| 276 | number of Mb with one malloc call. |
| 277 | If zero (default) same limit as rss_limit_mb is applied. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 278 | ``-timeout_exitcode`` |
Kostya Serebryany | 8a56917 | 2016-11-03 19:31:18 +0000 | [diff] [blame] | 279 | Exit code (default 77) used if libFuzzer reports a timeout. |
| 280 | ``-error_exitcode`` |
| 281 | Exit code (default 77) used if libFuzzer itself (not a sanitizer) reports a bug (leak, OOM, etc). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 282 | ``-max_total_time`` |
| 283 | If positive, indicates the maximum total time in seconds to run the fuzzer. |
| 284 | If 0 (the default), run indefinitely. |
| 285 | ``-merge`` |
| 286 | If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories |
| 287 | that trigger new code coverage will be merged into the first corpus |
Kostya Serebryany | 61b07ac | 2016-05-09 19:11:36 +0000 | [diff] [blame] | 288 | directory. Defaults to 0. This flag can be used to minimize a corpus. |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 289 | ``-merge_control_file`` |
Kazuaki Ishizaki | f65d4aa | 2020-01-22 11:30:57 +0800 | [diff] [blame] | 290 | Specify a control file used for the merge process. |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 291 | If a merge process gets killed it tries to leave this file in a state |
| 292 | suitable for resuming the merge. By default a temporary file will be used. |
Kostya Serebryany | dec3949 | 2016-09-08 22:21:13 +0000 | [diff] [blame] | 293 | ``-minimize_crash`` |
| 294 | If 1, minimizes the provided crash input. |
Kostya Serebryany | 5c04bd2 | 2016-09-09 01:17:03 +0000 | [diff] [blame] | 295 | Use with -runs=N or -max_total_time=N to limit the number of attempts. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 296 | ``-reload`` |
| 297 | If set to 1 (the default), the corpus directory is re-read periodically to |
| 298 | check for new inputs; this allows detection of new inputs that were discovered |
| 299 | by other fuzzing processes. |
| 300 | ``-jobs`` |
| 301 | Number of fuzzing jobs to run to completion. Default value is 0, which runs a |
| 302 | single fuzzing process until completion. If the value is >= 1, then this |
| 303 | number of jobs performing fuzzing are run, in a collection of parallel |
| 304 | separate worker processes; each such worker process has its |
| 305 | ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``. |
| 306 | ``-workers`` |
| 307 | Number of simultaneous worker processes to run the fuzzing jobs to completion |
| 308 | in. If 0 (the default), ``min(jobs, NumberOfCpuCores()/2)`` is used. |
| 309 | ``-dict`` |
| 310 | Provide a dictionary of input keywords; see Dictionaries_. |
| 311 | ``-use_counters`` |
| 312 | Use `coverage counters`_ to generate approximate counts of how often code |
| 313 | blocks are hit; defaults to 1. |
Kostya Serebryany | 547fa15 | 2017-11-16 18:58:14 +0000 | [diff] [blame] | 314 | ``-reduce_inputs`` |
| 315 | Try to reduce the size of inputs while preserving their full feature sets; |
| 316 | defaults to 1. |
Kostya Serebryany | b5dad1e | 2016-08-23 23:36:21 +0000 | [diff] [blame] | 317 | ``-use_value_profile`` |
| 318 | Use `value profile`_ to guide corpus expansion; defaults to 0. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 319 | ``-only_ascii`` |
| 320 | If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0. |
| 321 | ``-artifact_prefix`` |
| 322 | Provide a prefix to use when saving fuzzing artifacts (crash, timeout, or |
| 323 | slow inputs) as ``$(artifact_prefix)file``. Defaults to empty. |
| 324 | ``-exact_artifact_path`` |
| 325 | Ignored if empty (the default). If non-empty, write the single artifact on |
| 326 | failure (crash, timeout) as ``$(exact_artifact_path)``. This overrides |
| 327 | ``-artifact_prefix`` and will not use checksum in the file name. Do not use |
| 328 | the same path for several parallel processes. |
Kostya Serebryany | 0f0fa4f | 2016-08-25 22:35:08 +0000 | [diff] [blame] | 329 | ``-print_pcs`` |
| 330 | If 1, print out newly covered PCs. Defaults to 0. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 331 | ``-print_final_stats`` |
| 332 | If 1, print statistics at exit. Defaults to 0. |
Kostya Serebryany | 5d70d82 | 2016-08-12 20:42:24 +0000 | [diff] [blame] | 333 | ``-detect_leaks`` |
Kostya Serebryany | dced5d3 | 2016-04-29 19:28:24 +0000 | [diff] [blame] | 334 | If 1 (default) and if LeakSanitizer is enabled |
| 335 | try to detect memory leaks during fuzzing (i.e. not only at shut down). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 336 | ``-close_fd_mask`` |
Kostya Serebryany | 470d044 | 2016-05-27 21:46:22 +0000 | [diff] [blame] | 337 | Indicate output streams to close at startup. Be careful, this will |
| 338 | remove diagnostic output from target code (e.g. messages on assert failure). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 339 | |
| 340 | - 0 (default): close neither ``stdout`` nor ``stderr`` |
| 341 | - 1 : close ``stdout`` |
| 342 | - 2 : close ``stderr`` |
| 343 | - 3 : close both ``stdout`` and ``stderr``. |
Kostya Serebryany | 2adfa3b | 2015-05-20 21:03:03 +0000 | [diff] [blame] | 344 | |
| 345 | For the full list of flags run the fuzzer binary with ``-help=1``. |
| 346 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 347 | Output |
| 348 | ====== |
| 349 | |
| 350 | During operation the fuzzer prints information to ``stderr``, for example:: |
| 351 | |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 352 | INFO: Seed: 1523017872 |
Marek Kurdej | 73cebfe | 2019-10-24 12:04:12 +0200 | [diff] [blame] | 353 | INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 354 | INFO: -max_len is not provided, using 64 |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 355 | INFO: A corpus is not provided, starting from an empty corpus |
| 356 | #0 READ units: 1 |
| 357 | #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb |
| 358 | #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte- |
| 359 | #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart- |
| 360 | #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit- |
| 361 | #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte- |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 362 | ... |
| 363 | |
| 364 | The early parts of the output include information about the fuzzer options and |
| 365 | configuration, including the current random seed (in the ``Seed:`` line; this |
| 366 | can be overridden with the ``-seed=N`` flag). |
| 367 | |
| 368 | Further output lines have the form of an event code and statistics. The |
| 369 | possible event codes are: |
| 370 | |
| 371 | ``READ`` |
| 372 | The fuzzer has read in all of the provided input samples from the corpus |
| 373 | directories. |
| 374 | ``INITED`` |
| 375 | The fuzzer has completed initialization, which includes running each of |
| 376 | the initial input samples through the code under test. |
| 377 | ``NEW`` |
| 378 | The fuzzer has created a test input that covers new areas of the code |
| 379 | under test. This input will be saved to the primary corpus directory. |
Kostya Serebryany | 4a27b70 | 2017-07-19 22:10:30 +0000 | [diff] [blame] | 380 | ``REDUCE`` |
| 381 | The fuzzer has found a better (smaller) input that triggers previously |
| 382 | discovered features (set ``-reduce_inputs=0`` to disable). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 383 | ``pulse`` |
| 384 | The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure |
| 385 | the user that the fuzzer is still working). |
| 386 | ``DONE`` |
| 387 | The fuzzer has completed operation because it has reached the specified |
| 388 | iteration limit (``-runs``) or time limit (``-max_total_time``). |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 389 | ``RELOAD`` |
| 390 | The fuzzer is performing a periodic reload of inputs from the corpus |
| 391 | directory; this allows it to discover any inputs discovered by other |
| 392 | fuzzer processes (see `Parallel Fuzzing`_). |
| 393 | |
| 394 | Each output line also reports the following statistics (when non-zero): |
| 395 | |
| 396 | ``cov:`` |
Matt Morehouse | ddf352b | 2018-02-22 19:00:17 +0000 | [diff] [blame] | 397 | Total number of code blocks or edges covered by executing the current corpus. |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 398 | ``ft:`` |
| 399 | libFuzzer uses different signals to evaluate the code coverage: |
| 400 | edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc. |
| 401 | These signals combined are called *features* (`ft:`). |
| 402 | ``corp:`` |
| 403 | Number of entries in the current in-memory test corpus and its size in bytes. |
Matt Morehouse | ddf352b | 2018-02-22 19:00:17 +0000 | [diff] [blame] | 404 | ``lim:`` |
| 405 | Current limit on the length of new entries in the corpus. Increases over time |
| 406 | until the max length (``-max_len``) is reached. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 407 | ``exec/s:`` |
| 408 | Number of fuzzer iterations per second. |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 409 | ``rss:`` |
| 410 | Current memory consumption. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 411 | |
Marek Kurdej | 73cebfe | 2019-10-24 12:04:12 +0200 | [diff] [blame] | 412 | For ``NEW`` and ``REDUCE`` events, the output line also includes information |
| 413 | about the mutation operation that produced the new input: |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 414 | |
| 415 | ``L:`` |
| 416 | Size of the new input in bytes. |
| 417 | ``MS: <n> <operations>`` |
| 418 | Count and list of the mutation operations used to generate the input. |
| 419 | |
| 420 | |
| 421 | Examples |
| 422 | ======== |
Kostya Serebryany | d11dc17 | 2016-03-12 02:56:25 +0000 | [diff] [blame] | 423 | .. contents:: |
| 424 | :local: |
| 425 | :depth: 1 |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 426 | |
| 427 | Toy example |
| 428 | ----------- |
| 429 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 430 | A simple function that does something interesting if it receives the input |
| 431 | "HI!":: |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 432 | |
Kostya Serebryany | 3a48636 | 2016-05-10 23:52:47 +0000 | [diff] [blame] | 433 | cat << EOF > test_fuzzer.cc |
Kostya Serebryany | 1c80b9d | 2015-11-26 00:12:57 +0000 | [diff] [blame] | 434 | #include <stdint.h> |
| 435 | #include <stddef.h> |
| 436 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 437 | if (size > 0 && data[0] == 'H') |
| 438 | if (size > 1 && data[1] == 'I') |
| 439 | if (size > 2 && data[2] == '!') |
| 440 | __builtin_trap(); |
Kostya Serebryany | 20bb5e7 | 2015-10-02 23:34:06 +0000 | [diff] [blame] | 441 | return 0; |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 442 | } |
| 443 | EOF |
Kostya Serebryany | 025e03d6 | 2019-01-31 01:47:29 +0000 | [diff] [blame] | 444 | # Build test_fuzzer.cc with asan and link against libFuzzer. |
| 445 | clang++ -fsanitize=address,fuzzer test_fuzzer.cc |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 446 | # Run the fuzzer with no corpus. |
| 447 | ./a.out |
| 448 | |
Kostya Serebryany | abca88e | 2016-03-12 03:05:37 +0000 | [diff] [blame] | 449 | You should get an error pretty quickly:: |
| 450 | |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 451 | INFO: Seed: 1523017872 |
Marek Kurdej | 73cebfe | 2019-10-24 12:04:12 +0200 | [diff] [blame] | 452 | INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), |
Kostya Serebryany | c1708b0 | 2016-10-27 21:03:48 +0000 | [diff] [blame] | 453 | INFO: -max_len is not provided, using 64 |
| 454 | INFO: A corpus is not provided, starting from an empty corpus |
| 455 | #0 READ units: 1 |
| 456 | #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb |
| 457 | #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte- |
| 458 | #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart- |
| 459 | #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit- |
| 460 | #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte- |
Kostya Serebryany | abca88e | 2016-03-12 03:05:37 +0000 | [diff] [blame] | 461 | ==31511== ERROR: libFuzzer: deadly signal |
| 462 | ... |
| 463 | artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed |
| 464 | |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 465 | |
Kostya Serebryany | af67fd1 | 2016-10-27 20:14:03 +0000 | [diff] [blame] | 466 | More examples |
| 467 | ------------- |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 468 | |
Kostya Serebryany | af67fd1 | 2016-10-27 20:14:03 +0000 | [diff] [blame] | 469 | Examples of real-life fuzz targets and the bugs they find can be found |
| 470 | at http://tutorial.libfuzzer.info. Among other things you can learn how |
| 471 | to detect Heartbleed_ in one second. |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 472 | |
Kostya Serebryany | 1c80b9d | 2015-11-26 00:12:57 +0000 | [diff] [blame] | 473 | |
Kostya Serebryany | 043ab1c | 2015-04-01 21:33:20 +0000 | [diff] [blame] | 474 | Advanced features |
| 475 | ================= |
Kostya Serebryany | d11dc17 | 2016-03-12 02:56:25 +0000 | [diff] [blame] | 476 | .. contents:: |
| 477 | :local: |
| 478 | :depth: 1 |
Kostya Serebryany | 043ab1c | 2015-04-01 21:33:20 +0000 | [diff] [blame] | 479 | |
Kostya Serebryany | 7d21166 | 2015-09-04 00:12:11 +0000 | [diff] [blame] | 480 | Dictionaries |
| 481 | ------------ |
Kostya Serebryany | 7d21166 | 2015-09-04 00:12:11 +0000 | [diff] [blame] | 482 | LibFuzzer supports user-supplied dictionaries with input language keywords |
| 483 | or other interesting byte sequences (e.g. multi-byte magic values). |
| 484 | Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary |
| 485 | may significantly improve the search speed. |
| 486 | The dictionary syntax is similar to that used by AFL_ for its ``-x`` option:: |
| 487 | |
| 488 | # Lines starting with '#' and empty lines are ignored. |
| 489 | |
| 490 | # Adds "blah" (w/o quotes) to the dictionary. |
| 491 | kw1="blah" |
| 492 | # Use \\ for backslash and \" for quotes. |
| 493 | kw2="\"ac\\dc\"" |
| 494 | # Use \xAB for hex values |
| 495 | kw3="\xF7\xF8" |
| 496 | # the name of the keyword followed by '=' may be omitted: |
| 497 | "foo\x0Abar" |
| 498 | |
Kostya Serebryany | b5dad1e | 2016-08-23 23:36:21 +0000 | [diff] [blame] | 499 | |
Kostya Serebryany | 97ff767 | 2016-11-17 17:31:54 +0000 | [diff] [blame] | 500 | |
| 501 | Tracing CMP instructions |
| 502 | ------------------------ |
| 503 | |
Kostya Serebryany | b5dad1e | 2016-08-23 23:36:21 +0000 | [diff] [blame] | 504 | With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 505 | (on by default as part of ``-fsanitize=fuzzer``, see SanitizerCoverageTraceDataFlow_) |
Kostya Serebryany | 97ff767 | 2016-11-17 17:31:54 +0000 | [diff] [blame] | 506 | libFuzzer will intercept CMP instructions and guide mutations based |
| 507 | on the arguments of intercepted CMP instructions. This may slow down |
| 508 | the fuzzing but is very likely to improve the results. |
| 509 | |
| 510 | Value Profile |
| 511 | ------------- |
| 512 | |
Kostya Serebryany | 025e03d6 | 2019-01-31 01:47:29 +0000 | [diff] [blame] | 513 | With ``-fsanitize-coverage=trace-cmp`` (default with ``-fsanitize=fuzzer``) |
Kostya Serebryany | b5dad1e | 2016-08-23 23:36:21 +0000 | [diff] [blame] | 514 | and extra run-time flag ``-use_value_profile=1`` the fuzzer will |
| 515 | collect value profiles for the parameters of compare instructions |
| 516 | and treat some new values as new coverage. |
| 517 | |
Kazuaki Ishizaki | f65d4aa | 2020-01-22 11:30:57 +0800 | [diff] [blame] | 518 | The current implementation does roughly the following: |
Kostya Serebryany | b5dad1e | 2016-08-23 23:36:21 +0000 | [diff] [blame] | 519 | |
| 520 | * The compiler instruments all CMP instructions with a callback that receives both CMP arguments. |
| 521 | * The callback computes `(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)` and uses this value to set a bit in a bitset. |
| 522 | * Every new observed bit in the bitset is treated as new coverage. |
| 523 | |
| 524 | |
| 525 | This feature has a potential to discover many interesting inputs, |
| 526 | but there are two downsides. |
| 527 | First, the extra instrumentation may bring up to 2x additional slowdown. |
| 528 | Second, the corpus may grow by several times. |
| 529 | |
Kostya Serebryany | 0557675 | 2016-05-25 18:41:53 +0000 | [diff] [blame] | 530 | Fuzzer-friendly build mode |
| 531 | --------------------------- |
| 532 | Sometimes the code under test is not fuzzing-friendly. Examples: |
| 533 | |
| 534 | - The target code uses a PRNG seeded e.g. by system time and |
| 535 | thus two consequent invocations may potentially execute different code paths |
| 536 | even if the end result will be the same. This will cause a fuzzer to treat |
| 537 | two similar inputs as significantly different and it will blow up the test corpus. |
| 538 | E.g. libxml uses ``rand()`` inside its hash table. |
| 539 | - The target code uses checksums to protect from invalid inputs. |
| 540 | E.g. png checks CRC for every chunk. |
| 541 | |
| 542 | In many cases it makes sense to build a special fuzzing-friendly build |
| 543 | with certain fuzzing-unfriendly features disabled. We propose to use a common build macro |
| 544 | for all such cases for consistency: ``FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION``. |
| 545 | |
| 546 | .. code-block:: c++ |
| 547 | |
| 548 | void MyInitPRNG() { |
| 549 | #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
| 550 | // In fuzzing mode the behavior of the code should be deterministic. |
| 551 | srand(0); |
| 552 | #else |
| 553 | srand(time(0)); |
| 554 | #endif |
| 555 | } |
| 556 | |
| 557 | |
| 558 | |
Kostya Serebryany | 6bd016b | 2015-04-10 05:44:43 +0000 | [diff] [blame] | 559 | AFL compatibility |
| 560 | ----------------- |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 561 | LibFuzzer can be used together with AFL_ on the same test corpus. |
Kostya Serebryany | 6bd016b | 2015-04-10 05:44:43 +0000 | [diff] [blame] | 562 | Both fuzzers expect the test corpus to reside in a directory, one file per input. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 563 | You can run both fuzzers on the same corpus, one after another: |
| 564 | |
| 565 | .. code-block:: console |
Kostya Serebryany | 6bd016b | 2015-04-10 05:44:43 +0000 | [diff] [blame] | 566 | |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 567 | ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@ |
Kostya Serebryany | 6bd016b | 2015-04-10 05:44:43 +0000 | [diff] [blame] | 568 | ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir |
| 569 | |
| 570 | Periodically restart both fuzzers so that they can use each other's findings. |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 571 | Currently, there is no simple way to run both fuzzing engines in parallel while sharing the same corpus dir. |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 572 | |
Kostya Serebryany | 3a48636 | 2016-05-10 23:52:47 +0000 | [diff] [blame] | 573 | You may also use AFL on your target function ``LLVMFuzzerTestOneInput``: |
James Y Knight | 5d71fc5 | 2019-01-29 16:37:27 +0000 | [diff] [blame] | 574 | see an example `here <https://github.com/llvm/llvm-project/tree/master/compiler-rt/lib/fuzzer/afl>`__. |
Kostya Serebryany | 3a48636 | 2016-05-10 23:52:47 +0000 | [diff] [blame] | 575 | |
Kostya Serebryany | cd073d5 | 2015-04-10 06:32:29 +0000 | [diff] [blame] | 576 | How good is my fuzzer? |
| 577 | ---------------------- |
| 578 | |
Kostya Serebryany | 566bc5a | 2015-05-06 22:19:00 +0000 | [diff] [blame] | 579 | Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death, |
Kostya Serebryany | cd073d5 | 2015-04-10 06:32:29 +0000 | [diff] [blame] | 580 | you will want to know whether the function or the corpus can be improved further. |
| 581 | One easy to use metric is, of course, code coverage. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 582 | |
Kostya Serebryany | a85ab2e | 2017-08-11 20:32:47 +0000 | [diff] [blame] | 583 | We recommend to use |
Sylvestre Ledru | 72fd103 | 2020-03-22 22:42:03 +0100 | [diff] [blame] | 584 | `Clang Coverage <https://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_, |
Kostya Serebryany | a85ab2e | 2017-08-11 20:32:47 +0000 | [diff] [blame] | 585 | to visualize and study your code coverage |
| 586 | (`example <https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md#visualizing-coverage>`_). |
Kostya Serebryany | cd073d5 | 2015-04-10 06:32:29 +0000 | [diff] [blame] | 587 | |
Kostya Serebryany | cd073d5 | 2015-04-10 06:32:29 +0000 | [diff] [blame] | 588 | |
Kostya Serebryany | 926b9bd | 2015-05-22 22:43:05 +0000 | [diff] [blame] | 589 | User-supplied mutators |
| 590 | ---------------------- |
| 591 | |
Kostya Serebryany | 025e03d6 | 2019-01-31 01:47:29 +0000 | [diff] [blame] | 592 | LibFuzzer allows to use custom (user-supplied) mutators, see |
Matt Morehouse | 949a126 | 2019-09-20 19:39:50 +0000 | [diff] [blame] | 593 | `Structure-Aware Fuzzing <https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md>`_ |
Kostya Serebryany | 025e03d6 | 2019-01-31 01:47:29 +0000 | [diff] [blame] | 594 | for more details. |
Kostya Serebryany | 926b9bd | 2015-05-22 22:43:05 +0000 | [diff] [blame] | 595 | |
Kostya Serebryany | aca7696 | 2016-01-16 01:23:12 +0000 | [diff] [blame] | 596 | Startup initialization |
| 597 | ---------------------- |
| 598 | If the library being tested needs to be initialized, there are several options. |
| 599 | |
Kostya Serebryany | ceca476 | 2016-05-06 23:51:28 +0000 | [diff] [blame] | 600 | The simplest way is to have a statically initialized global object inside |
| 601 | `LLVMFuzzerTestOneInput` (or in global scope if that works for you): |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 602 | |
| 603 | .. code-block:: c++ |
Kostya Serebryany | aca7696 | 2016-01-16 01:23:12 +0000 | [diff] [blame] | 604 | |
Kostya Serebryany | ceca476 | 2016-05-06 23:51:28 +0000 | [diff] [blame] | 605 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { |
| 606 | static bool Initialized = DoInitialization(); |
| 607 | ... |
Kostya Serebryany | aca7696 | 2016-01-16 01:23:12 +0000 | [diff] [blame] | 608 | |
| 609 | Alternatively, you may define an optional init function and it will receive |
Kostya Serebryany | ceca476 | 2016-05-06 23:51:28 +0000 | [diff] [blame] | 610 | the program arguments that you can read and modify. Do this **only** if you |
Hiroshi Inoue | 7d7df20 | 2017-07-12 12:16:22 +0000 | [diff] [blame] | 611 | really need to access ``argv``/``argc``. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 612 | |
| 613 | .. code-block:: c++ |
Kostya Serebryany | aca7696 | 2016-01-16 01:23:12 +0000 | [diff] [blame] | 614 | |
| 615 | extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { |
| 616 | ReadAndMaybeModify(argc, argv); |
| 617 | return 0; |
| 618 | } |
| 619 | |
Kostya Serebryany | aca7696 | 2016-01-16 01:23:12 +0000 | [diff] [blame] | 620 | |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 621 | Leaks |
| 622 | ----- |
| 623 | |
Kostya Serebryany | 2fe9304 | 2016-04-29 18:49:55 +0000 | [diff] [blame] | 624 | Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect |
| 625 | memory leaks at the process shutdown. |
| 626 | For in-process fuzzing this is inconvenient |
| 627 | since the fuzzer needs to report a leak with a reproducer as soon as the leaky |
| 628 | mutation is found. However, running full leak detection after every mutation |
| 629 | is expensive. |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 630 | |
Kostya Serebryany | 2fe9304 | 2016-04-29 18:49:55 +0000 | [diff] [blame] | 631 | By default (``-detect_leaks=1``) libFuzzer will count the number of |
| 632 | ``malloc`` and ``free`` calls when executing every mutation. |
| 633 | If the numbers don't match (which by itself doesn't mean there is a leak) |
| 634 | libFuzzer will invoke the more expensive LeakSanitizer_ |
| 635 | pass and if the actual leak is found, it will be reported with the reproducer |
| 636 | and the process will exit. |
| 637 | |
| 638 | If your target has massive leaks and the leak detection is disabled |
Kostya Serebryany | 1ed1aea | 2016-05-06 23:41:11 +0000 | [diff] [blame] | 639 | you will eventually run out of RAM (see the ``-rss_limit_mb`` flag). |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 640 | |
Kostya Serebryany | 9e1a238 | 2016-03-29 23:07:36 +0000 | [diff] [blame] | 641 | |
Mike Aizatsky | ab885c5 | 2016-05-24 22:25:46 +0000 | [diff] [blame] | 642 | Developing libFuzzer |
| 643 | ==================== |
| 644 | |
George Karpenkov | 8ecdd7b | 2017-08-04 17:19:45 +0000 | [diff] [blame] | 645 | LibFuzzer is built as a part of LLVM project by default on macos and Linux. |
| 646 | Users of other operating systems can explicitly request compilation using |
| 647 | ``-DLIBFUZZER_ENABLE=YES`` flag. |
| 648 | Tests are run using ``check-fuzzer`` target from the build directory |
George Karpenkov | b0c2bb5 | 2017-08-04 19:29:16 +0000 | [diff] [blame] | 649 | which was configured with ``-DLIBFUZZER_ENABLE_TESTS=ON`` flag. |
Mike Aizatsky | ab885c5 | 2016-05-24 22:25:46 +0000 | [diff] [blame] | 650 | |
| 651 | .. code-block:: console |
| 652 | |
Mike Aizatsky | ab885c5 | 2016-05-24 22:25:46 +0000 | [diff] [blame] | 653 | ninja check-fuzzer |
| 654 | |
| 655 | |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 656 | FAQ |
| 657 | ========================= |
| 658 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 659 | Q. Why doesn't libFuzzer use any of the LLVM support? |
| 660 | ----------------------------------------------------- |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 661 | |
| 662 | There are two reasons. |
| 663 | |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 664 | First, we want this library to be used outside of the LLVM without users having to |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 665 | build the rest of LLVM. This may sound unconvincing for many LLVM folks, |
| 666 | but in practice the need for building the whole LLVM frightens many potential |
| 667 | users -- and we want more users to use this code. |
| 668 | |
| 669 | Second, there is a subtle technical reason not to rely on the rest of LLVM, or |
| 670 | any other large body of code (maybe not even STL). When coverage instrumentation |
| 671 | is enabled, it will also instrument the LLVM support code which will blow up the |
| 672 | coverage set of the process (since the fuzzer is in-process). In other words, by |
| 673 | using more external dependencies we will slow down the fuzzer while the main |
| 674 | reason for it to exist is extreme speed. |
| 675 | |
Jonathan Metzman | b98fea9 | 2019-02-08 19:35:04 +0000 | [diff] [blame] | 676 | Q. Does libFuzzer Support Windows? |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 677 | ------------------------------------------------------------------------------------ |
| 678 | |
Jonathan Metzman | b98fea9 | 2019-02-08 19:35:04 +0000 | [diff] [blame] | 679 | Yes, libFuzzer now supports Windows. Initial support was added in r341082. |
| 680 | Any build of Clang 9 supports it. You can download a build of Clang for Windows |
| 681 | that has libFuzzer from |
| 682 | `LLVM Snapshot Builds <https://llvm.org/builds/>`_. |
| 683 | |
| 684 | Using libFuzzer on Windows without ASAN is unsupported. Building fuzzers with the |
Hans Wennborg | be4c0ff | 2019-02-12 09:08:52 +0000 | [diff] [blame] | 685 | ``/MD`` (dynamic runtime library) compile option is unsupported. Support for these |
| 686 | may be added in the future. Linking fuzzers with the ``/INCREMENTAL`` link option |
| 687 | (or the ``/DEBUG`` option which implies it) is also unsupported. |
Jonathan Metzman | b98fea9 | 2019-02-08 19:35:04 +0000 | [diff] [blame] | 688 | |
| 689 | Send any questions or comments to the mailing list: libfuzzer(#)googlegroups.com |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 690 | |
Kostya Serebryany | 8b6af7a | 2016-10-26 01:55:17 +0000 | [diff] [blame] | 691 | Q. When libFuzzer is not a good solution for a problem? |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 692 | --------------------------------------------------------- |
| 693 | |
| 694 | * If the test inputs are validated by the target library and the validator |
Kostya Serebryany | 241fb61 | 2016-03-12 03:23:02 +0000 | [diff] [blame] | 695 | asserts/crashes on invalid inputs, in-process fuzzing is not applicable. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 696 | * Bugs in the target library may accumulate without being detected. E.g. a memory |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 697 | corruption that goes undetected at first and then leads to a crash while |
| 698 | testing another input. This is why it is highly recommended to run this |
| 699 | in-process fuzzer with all sanitizers to detect most bugs on the spot. |
| 700 | * It is harder to protect the in-process fuzzer from excessive memory |
| 701 | consumption and infinite loops in the target library (still possible). |
| 702 | * The target library should not have significant global state that is not |
| 703 | reset between the runs. |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 704 | * Many interesting target libraries are not designed in a way that supports |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 705 | the in-process fuzzer interface (e.g. require a file path instead of a |
| 706 | byte array). |
| 707 | * If a single test run takes a considerable fraction of a second (or |
| 708 | more) the speed benefit from the in-process fuzzer is negligible. |
| 709 | * If the target library runs persistent threads (that outlive |
| 710 | execution of one test) the fuzzing results will be unreliable. |
| 711 | |
| 712 | Q. So, what exactly this Fuzzer is good for? |
| 713 | -------------------------------------------- |
| 714 | |
| 715 | This Fuzzer might be a good choice for testing libraries that have relatively |
Kostya Serebryany | 241fb61 | 2016-03-12 03:23:02 +0000 | [diff] [blame] | 716 | small inputs, each input takes < 10ms to run, and the library code is not expected |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 717 | to crash on invalid inputs. |
Kostya Serebryany | 241fb61 | 2016-03-12 03:23:02 +0000 | [diff] [blame] | 718 | Examples: regular expression matchers, text or binary format parsers, compression, |
| 719 | network, crypto. |
Kostya Serebryany | 35ce863 | 2015-03-30 23:05:30 +0000 | [diff] [blame] | 720 | |
Kostya Serebryany | bf223e9 | 2019-02-19 22:11:50 +0000 | [diff] [blame] | 721 | Q. LibFuzzer crashes on my complicated fuzz target (but works fine for me on smaller targets). |
| 722 | ---------------------------------------------------------------------------------------------- |
| 723 | |
| 724 | Check if your fuzz target uses ``dlclose``. |
| 725 | Currently, libFuzzer doesn't support targets that call ``dlclose``, |
| 726 | this may be fixed in future. |
| 727 | |
George Karpenkov | 0ab4f06 | 2017-04-24 17:28:32 +0000 | [diff] [blame] | 728 | |
Kostya Serebryany | fab4fba | 2015-08-11 01:53:45 +0000 | [diff] [blame] | 729 | Trophies |
| 730 | ======== |
Kostya Serebryany | 4db445a | 2017-11-09 21:32:02 +0000 | [diff] [blame] | 731 | * Thousands of bugs found on OSS-Fuzz: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html |
| 732 | |
Kostya Serebryany | fab4fba | 2015-08-11 01:53:45 +0000 | [diff] [blame] | 733 | * GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc |
Kostya Serebryany | fdf4418 | 2015-08-11 04:16:37 +0000 | [diff] [blame] | 734 | |
Kostya Serebryany | 6128fcf | 2016-06-02 06:06:34 +0000 | [diff] [blame] | 735 | * MUSL LIBC: `[1] <http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://www.openwall.com/lists/oss-security/2015/03/30/3>`__ |
Kostya Serebryany | fdf4418 | 2015-08-11 04:16:37 +0000 | [diff] [blame] | 736 | |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 737 | * `pugixml <https://github.com/zeux/pugixml/issues/39>`_ |
Kostya Serebryany | fdf4418 | 2015-08-11 04:16:37 +0000 | [diff] [blame] | 738 | |
Kostya Serebryany | 45dac2a | 2015-10-10 02:14:18 +0000 | [diff] [blame] | 739 | * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup; |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 740 | also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_ |
Kostya Serebryany | fdf4418 | 2015-08-11 04:16:37 +0000 | [diff] [blame] | 741 | |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 742 | * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_ |
Kostya Serebryany | ed48377 | 2015-08-11 20:34:48 +0000 | [diff] [blame] | 743 | |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 744 | * `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_ |
Kostya Serebryany | 6292128 | 2015-09-11 16:34:14 +0000 | [diff] [blame] | 745 | |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 746 | * `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_ |
| 747 | |
Kostya Serebryany | 240a159 | 2015-11-11 05:25:24 +0000 | [diff] [blame] | 748 | * `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_ |
Kostya Serebryany | 65e7126 | 2015-11-11 05:20:55 +0000 | [diff] [blame] | 749 | |
Kostya Serebryany | 12fa3b5 | 2015-11-13 02:44:16 +0000 | [diff] [blame] | 750 | * `Python <http://bugs.python.org/issue25388>`_ |
| 751 | |
Kostya Serebryany | fece674 | 2016-04-18 18:41:25 +0000 | [diff] [blame] | 752 | * OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_ `[4] <https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64>`_ `[5] <https://github.com/openssl/openssl/pull/931/commits/dd5ac557f052cc2b7f718ac44a8cb7ac6f77dca8>`_ `[6] <https://github.com/openssl/openssl/pull/931/commits/19b5b9194071d1d84e38ac9a952e715afbc85a81>`_ |
Kostya Serebryany | 064a672 | 2015-12-05 02:23:49 +0000 | [diff] [blame] | 753 | |
Kostya Serebryany | 928eb33 | 2015-10-12 18:15:42 +0000 | [diff] [blame] | 754 | * `Libxml2 |
Kostya Serebryany | 0d234c3 | 2016-03-29 23:13:25 +0000 | [diff] [blame] | 755 | <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE-2015-7942) |
Kostya Serebryany | 45dac2a | 2015-10-10 02:14:18 +0000 | [diff] [blame] | 756 | |
Kostya Serebryany | 240a159 | 2015-11-11 05:25:24 +0000 | [diff] [blame] | 757 | * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_ |
Kostya Serebryany | 6292128 | 2015-09-11 16:34:14 +0000 | [diff] [blame] | 758 | |
Kostya Serebryany | 954cfd5 | 2017-11-30 02:26:47 +0000 | [diff] [blame] | 759 | * `Linux Kernel's Crypto code <https://www.spinics.net/lists/stable/msg199712.html>`_ |
| 760 | |
Kostya Serebryany | 6128fcf | 2016-06-02 06:06:34 +0000 | [diff] [blame] | 761 | * Capstone: `[1] <https://github.com/aquynh/capstone/issues/600>`__ `[2] <https://github.com/aquynh/capstone/commit/6b88d1d51eadf7175a8f8a11b690684443b11359>`__ |
| 762 | |
| 763 | * file:`[1] <http://bugs.gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com/view.php?id=553>`__ `[4] <http://bugs.gw.com/view.php?id=554>`__ |
Kostya Serebryany | c138b64 | 2016-04-19 22:37:44 +0000 | [diff] [blame] | 764 | |
| 765 | * Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__ |
| 766 | |
| 767 | * gRPC: `[1] <https://github.com/grpc/grpc/pull/6071/commits/df04c1f7f6aec6e95722ec0b023a6b29b6ea871c>`__ `[2] <https://github.com/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com/grpc/grpc/pull/6071/commits/9cac2a12d9e181d130841092e9d40fa3309d7aa7>`__ `[4] <https://github.com/grpc/grpc/pull/6012/commits/82a91c91d01ce9b999c8821ed13515883468e203>`__ `[5] <https://github.com/grpc/grpc/pull/6202/commits/2e3e0039b30edaf89fb93bfb2c1d0909098519fa>`__ `[6] <https://github.com/grpc/grpc/pull/6106/files>`__ |
| 768 | |
Kostya Serebryany | 62023f2 | 2016-05-06 20:14:48 +0000 | [diff] [blame] | 769 | * WOFF2: `[1] <https://github.com/google/woff2/commit/a15a8ab>`__ |
| 770 | |
Sylvestre Ledru | 9860517 | 2020-03-22 22:45:15 +0100 | [diff] [blame] | 771 | * LLVM: `Clang <https://bugs.llvm.org/show_bug.cgi?id=23057>`_, `Clang-format <https://bugs.llvm.org/show_bug.cgi?id=23052>`_, `libc++ <https://bugs.llvm.org/show_bug.cgi?id=24411>`_, `llvm-as <https://bugs.llvm.org/show_bug.cgi?id=24639>`_, `Demangler <https://bugs.chromium.org/p/chromium/issues/detail?id=606626>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422. |
Kostya Serebryany | fab4fba | 2015-08-11 01:53:45 +0000 | [diff] [blame] | 772 | |
Kostya Serebryany | 924978b | 2017-01-18 00:45:02 +0000 | [diff] [blame] | 773 | * Tensorflow: `[1] <https://da-data.blogspot.com/2017/01/finding-bugs-in-tensorflow-with.html>`__ |
Kostya Serebryany | 42909a6 | 2016-10-21 20:01:45 +0000 | [diff] [blame] | 774 | |
Kostya Serebryany | 047485e | 2016-11-12 02:55:45 +0000 | [diff] [blame] | 775 | * Ffmpeg: `[1] <https://github.com/FFmpeg/FFmpeg/commit/c92f55847a3d9cd12db60bfcd0831ff7f089c37c>`__ `[2] <https://github.com/FFmpeg/FFmpeg/commit/25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16>`__ `[3] <https://github.com/FFmpeg/FFmpeg/commit/85d23e5cbc9ad6835eef870a5b4247de78febe56>`__ `[4] <https://github.com/FFmpeg/FFmpeg/commit/04bd1b38ee6b8df410d0ab8d4949546b6c4af26a>`__ |
Kostya Serebryany | 8550238 | 2016-10-28 22:03:54 +0000 | [diff] [blame] | 776 | |
Kostya Serebryany | 23f28e6c | 2017-04-14 20:11:16 +0000 | [diff] [blame] | 777 | * `Wireshark <https://bugs.wireshark.org/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&bug_status=INCOMPLETE&bug_status=RESOLVED&bug_status=VERIFIED&f0=OP&f1=OP&f2=product&f3=component&f4=alias&f5=short_desc&f7=content&f8=CP&f9=CP&j1=OR&o2=substring&o3=substring&o4=substring&o5=substring&o6=substring&o7=matches&order=bug_id%20DESC&query_format=advanced&v2=libfuzzer&v3=libfuzzer&v4=libfuzzer&v5=libfuzzer&v6=libfuzzer&v7=%22libfuzzer%22>`_ |
| 778 | |
Kostya Serebryany | 194d0ed | 2017-09-18 20:48:35 +0000 | [diff] [blame] | 779 | * `QEMU <https://researchcenter.paloaltonetworks.com/2017/09/unit42-palo-alto-networks-discovers-new-qemu-vulnerability/>`_ |
| 780 | |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 781 | .. _pcre2: http://www.pcre.org/ |
Kostya Serebryany | 7967738 | 2015-03-31 21:39:38 +0000 | [diff] [blame] | 782 | .. _AFL: http://lcamtuf.coredump.cx/afl/ |
Kostya Serebryany | cbefff7 | 2016-10-27 20:45:35 +0000 | [diff] [blame] | 783 | .. _Radamsa: https://github.com/aoh/radamsa |
Sylvestre Ledru | 72fd103 | 2020-03-22 22:42:03 +0100 | [diff] [blame] | 784 | .. _SanitizerCoverage: https://clang.llvm.org/docs/SanitizerCoverage.html |
| 785 | .. _SanitizerCoverageTraceDataFlow: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow |
| 786 | .. _AddressSanitizer: https://clang.llvm.org/docs/AddressSanitizer.html |
| 787 | .. _LeakSanitizer: https://clang.llvm.org/docs/LeakSanitizer.html |
Kostya Serebryany | 5e593a4 | 2015-04-08 06:16:11 +0000 | [diff] [blame] | 788 | .. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed |
James Y Knight | 5d71fc5 | 2019-01-29 16:37:27 +0000 | [diff] [blame] | 789 | .. _FuzzerInterface.h: https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/fuzzer/FuzzerInterface.h |
Sylvestre Ledru | 72fd103 | 2020-03-22 22:42:03 +0100 | [diff] [blame] | 790 | .. _3.7.0: https://llvm.org/releases/3.7.0/docs/LibFuzzer.html |
| 791 | .. _building Clang from trunk: https://clang.llvm.org/get_started.html |
| 792 | .. _MemorySanitizer: https://clang.llvm.org/docs/MemorySanitizer.html |
| 793 | .. _UndefinedBehaviorSanitizer: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html |
| 794 | .. _`coverage counters`: https://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters |
Kostya Serebryany | aafa0b0 | 2016-08-23 23:43:08 +0000 | [diff] [blame] | 795 | .. _`value profile`: #value-profile |
Sylvestre Ledru | 72fd103 | 2020-03-22 22:42:03 +0100 | [diff] [blame] | 796 | .. _`caller-callee pairs`: https://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage |
Kostya Serebryany | 7456af5 | 2016-04-28 15:19:05 +0000 | [diff] [blame] | 797 | .. _BoringSSL: https://boringssl.googlesource.com/boringssl/ |
Justin Bogner | fd5b2a0 | 2017-10-12 01:44:24 +0000 | [diff] [blame] | 798 | |