optimizations options (e.g. -O0, -O1, -O2) to diversify testing.
* Build a test driver using the same options as the library.
The test driver is a C/C++ file containing interesting calls to the library
- inside a single function ``extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);``
+ inside a single function ``extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);``.
+ Currently, the only expected return value is 0, others are reserved for future.
* Link the Fuzzer, the library and the driver together into an executable
using the same sanitizer options as for the library.
* Collect the initial corpus of inputs for the
cross_over 1 If 1, cross over inputs.
mutate_depth 5 Apply this number of consecutive mutations to each input.
timeout 1200 Timeout in seconds (if positive). If one unit runs more than this number of seconds the process will abort.
+ max_total_time 0 If positive, indicates the maximal total time in seconds to run the fuzzer.
help 0 Print help.
save_minimized_corpus 0 If 1, the minimized corpus is saved into the first input directory. Example: ./fuzzer -save_minimized_corpus=1 NEW_EMPTY_DIR OLD_CORPUS
+ merge 0 If 1, the 2-nd, 3-rd, etc corpora will be merged into the 1-st corpus. Only interesting units will be taken.
jobs 0 Number of jobs to run. If jobs >= 1 we spawn this number of jobs in separate worker processes with stdout/stderr redirected to fuzz-JOB.log.
workers 0 Number of simultaneous worker processes to run the jobs. If zero, "min(jobs,NumberOfCpuCores()/2)" is used.
sync_command 0 Execute an external command "<sync_command> <test_corpus>" to synchronize the test corpus.
sync_timeout 600 Minimum timeout between syncs.
use_traces 0 Experimental: use instruction traces
only_ascii 0 If 1, generate only ASCII (isprint+isspace) inputs.
-
+ test_single_input "" Use specified file content as test input. Test will be run only once. Useful for debugging a particular case.
+ artifact_prefix "" Write fuzzing artifacts (crash, timeout, or slow inputs) as $(artifact_prefix)file
+ exact_artifact_path "" Write the single artifact on failure (crash, timeout) as $(exact_artifact_path). This overrides -artifact_prefix and will not use checksum in the file name. Do not use the same path for several parallel processes.
For the full list of flags run the fuzzer binary with ``-help=1``.
A simple function that does something interesting if it receives the input "HI!"::
cat << EOF >> test_fuzzer.cc
- extern "C" void LLVMFuzzerTestOneInput(const unsigned char *data, unsigned long size) {
+ #include <stdint.h>
+ #include <stddef.h>
+ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size > 0 && data[0] == 'H')
if (size > 1 && data[1] == 'I')
if (size > 2 && data[2] == '!')
__builtin_trap();
+ return 0;
}
EOF
# Get lib/Fuzzer. Assuming that you already have fresh clang in PATH.
# Build the actual function that does something interesting with PCRE2.
cat << EOF > pcre_fuzzer.cc
#include <string.h>
+ #include <stdint.h>
#include "pcre2posix.h"
- extern "C" void LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
- if (size < 1) return;
+ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size < 1) return 0;
char *str = new char[size+1];
memcpy(str, data, size);
str[size] = 0;
regfree(&preg);
}
delete [] str;
+ return 0;
}
EOF
clang++ -g -fsanitize=address $COV_FLAGS -c -std=c++11 -I inst/include/ pcre_fuzzer.cc
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <assert.h>
+ #include <stdint.h>
+ #include <stddef.h>
+
SSL_CTX *sctx;
int Init() {
SSL_library_init();
assert (SSL_CTX_use_PrivateKey_file(sctx, "server.key", SSL_FILETYPE_PEM));
return 0;
}
- extern "C" void LLVMFuzzerTestOneInput(unsigned char *Data, size_t Size) {
+ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
static int unused = Init();
SSL *server = SSL_new(sctx);
BIO *sinbio = BIO_new(BIO_s_mem());
BIO_write(sinbio, Data, Size);
SSL_do_handshake(server);
SSL_free(server);
+ return 0;
}
EOF
- # Build the fuzzer.
+ # Build the fuzzer.
clang++ -g handshake-fuzz.cc -fsanitize=address \
openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o
# Run 20 independent fuzzer jobs.
#1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3
#2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4
+Note: a `similar fuzzer <https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md>`_
+is now a part of the boringssl source tree.
+
Advanced features
=================
Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=24639
+llvm-mc-fuzzer
+--------------
+
+This tool fuzzes the MC layer. Currently it is only able to fuzz the
+disassembler but it is hoped that assembly, and round-trip verification will be
+added in future.
+
+When run in dissassembly mode, the inputs are opcodes to be disassembled. The
+fuzzer will consume as many instructions as possible and will stop when it
+finds an invalid instruction or runs out of data.
+
+Please note that the command line interface differs slightly from that of other
+fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
+a single dash, while other arguments control the operation mode and target in a
+similar manner to ``llvm-mc`` and should have two dashes. For example::
+
+ llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
+
Buildbot
--------
* http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c
* http://www.openwall.com/lists/oss-security/2015/03/30/3
-* pugixml: https://github.com/zeux/pugixml/issues/39
-
-* PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup
+* `pugixml <https://github.com/zeux/pugixml/issues/39>`_
-* ICU: http://bugs.icu-project.org/trac/ticket/11838
+* PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;
+ also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_
-* Freetype: https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options
+* `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_
-* Linux Kernel's BPF verifier: https://github.com/iovisor/bpf-fuzzer
+* `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_
-* LLVM:
+* `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_
- * Clang: https://llvm.org/bugs/show_bug.cgi?id=23057
+* `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_
- * Clang-format: https://llvm.org/bugs/show_bug.cgi?id=23052
+* `Python <http://bugs.python.org/issue25388>`_
- * libc++: https://llvm.org/bugs/show_bug.cgi?id=24411
+* `Libxml2
+ <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_
- * llvm-as: https://llvm.org/bugs/show_bug.cgi?id=24639
+* `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
- * Disassembler:
- * Mips: Discovered a number of untested instructions for the Mips target
- (see valid-mips*.s in http://reviews.llvm.org/rL247405,
- http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416,
- http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420,
- and http://reviews.llvm.org/rL247422) as well some instructions that
- successfully disassembled on ISA's where they were not valid (see
- invalid-xfail.s files in the same commits).
+* LLVM: `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_bug.cgi?id=23052>`_, `libc++ <https://llvm.org/bugs/show_bug.cgi?id=24411>`_, `llvm-as <https://llvm.org/bugs/show_bug.cgi?id=24639>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.
.. _pcre2: http://www.pcre.org/
projects / oota-llvm.git / blobdiff