[libFuzzer] add a flag -max_total_time

[oota-llvm.git] / docs / LibFuzzer.rst

diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index d3e0cb1e31050c08bf9770d18285c18a6bddb15d..4155526ac8461a94816906c4b5223db76a4102d4 100644 (file)
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -60,6 +60,7 @@ The most important flags are::
   cross_over                           1       If 1, cross over inputs.
   mutate_depth                         5       Apply this number of consecutive mutations to each input.
   timeout                              1200    Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
+  max_total_time                        0       If positive, indicates the maximal total time in seconds to run the fuzzer.
   help                                 0       Print help.
   save_minimized_corpus                0       If 1, the minimized corpus is saved into the first input directory. Example: ./fuzzer -save_minimized_corpus=1 NEW_EMPTY_DIR OLD_CORPUS
   jobs                                 0       Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
@@ -68,6 +69,7 @@ The most important flags are::
   sync_timeout                         600     Minimum timeout between syncs.
   use_traces                            0       Experimental: use instruction traces
   only_ascii                            0       If 1, generate only ASCII (isprint+isspace) inputs.
+  test_single_input                     ""      Use specified file content as test input. Test will be run only once. Useful for debugging a particular case.
 
 
 For the full list of flags run the fuzzer binary with ``-help=1``.
@@ -237,7 +239,7 @@ to find Heartbleed with LibFuzzer::
     SSL_free(server);
   }
   EOF
-  # Build the fuzzer. 
+  # Build the fuzzer.
   clang++ -g handshake-fuzz.cc  -fsanitize=address \
     openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o
   # Run 20 independent fuzzer jobs.
@@ -350,6 +352,24 @@ llvm-as-fuzzer
 
 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=24639
 
+llvm-mc-fuzzer
+--------------
+
+This tool fuzzes the MC layer. Currently it is only able to fuzz the
+disassembler but it is hoped that assembly, and round-trip verification will be
+added in future.
+
+When run in dissassembly mode, the inputs are opcodes to be disassembled. The
+fuzzer will consume as many instructions as possible and will stop when it
+finds an invalid instruction or runs out of data.
+
+Please note that the command line interface differs slightly from that of other
+fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
+a single dash, while other arguments control the operation mode and target in a
+similar manner to ``llvm-mc`` and should have two dashes. For example::
+
+  llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
+
 Buildbot
 --------
 
@@ -439,6 +459,10 @@ Trophies
 
 * ICU: http://bugs.icu-project.org/trac/ticket/11838
 
+* Freetype: https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options
+
+* Linux Kernel's BPF verifier: https://github.com/iovisor/bpf-fuzzer
+
 * LLVM:
 
   * Clang: https://llvm.org/bugs/show_bug.cgi?id=23057
@@ -449,7 +473,15 @@ Trophies
 
   * llvm-as: https://llvm.org/bugs/show_bug.cgi?id=24639
 
+  * Disassembler:
 
+    * Mips: Discovered a number of untested instructions for the Mips target
+      (see valid-mips*.s in http://reviews.llvm.org/rL247405,
+      http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416,
+      http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420,
+      and http://reviews.llvm.org/rL247422) as well some instructions that
+      successfully disassembled on ISA's where they were not valid (see
+      invalid-xfail.s files in the same commits).
 
 .. _pcre2: http://www.pcre.org/