From c1708b0d9959db2057ae7cfc0f95fb7ecb6adbca Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Thu, 27 Oct 2016 21:03:48 +0000 Subject: [PATCH] [libFuzzer] docs: update the examples llvm-svn: 285344 --- llvm/docs/LibFuzzer.rst | 60 ++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst index fbf81c0964eb..a467e010d3db 100644 --- a/llvm/docs/LibFuzzer.rst +++ b/llvm/docs/LibFuzzer.rst @@ -92,9 +92,7 @@ options. Note that the libFuzzer library contains the ``main()`` function: .. code-block:: console - svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer - # Alternative: get libFuzzer from a dedicated git mirror: - # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer + svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer # or git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer ./Fuzzer/build.sh # Produces libFuzzer.a Then build the fuzzing target function and the library under test using @@ -116,7 +114,7 @@ latent bugs by making incorrect behavior generate errors at runtime: Finally, link with ``libFuzzer.a``:: - clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer + clang -fsanitize-coverage=trace-pc-guard -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer Corpus ------ @@ -305,14 +303,16 @@ Output During operation the fuzzer prints information to ``stderr``, for example:: - INFO: Seed: 3338750330 - Loaded 1024/1211 files from corpus/ + INFO: Seed: 1523017872 + INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), INFO: -max_len is not provided, using 64 - #0 READ units: 1211 exec/s: 0 - #1211 INITED cov: 2575 bits: 8855 indir: 5 units: 830 exec/s: 1211 - #1422 NEW cov: 2580 bits: 8860 indir: 5 units: 831 exec/s: 1422 L: 21 MS: 1 ShuffleBytes- - #1688 NEW cov: 2581 bits: 8865 indir: 5 units: 832 exec/s: 1688 L: 19 MS: 2 EraseByte-CrossOver- - #1734 NEW cov: 2583 bits: 8879 indir: 5 units: 833 exec/s: 1734 L: 27 MS: 3 ChangeBit-EraseByte-ShuffleBytes- + INFO: A corpus is not provided, starting from an empty corpus + #0 READ units: 1 + #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb + #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte- + #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart- + #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit- + #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte- ... The early parts of the output include information about the fuzzer options and @@ -350,19 +350,16 @@ Each output line also reports the following statistics (when non-zero): ``cov:`` Total number of code blocks or edges covered by the executing the current corpus. -``vp:`` - Size of the `value profile`_. -``bits:`` - Rough measure of the number of code blocks or edges covered, and how often; - only valid if the fuzzer is run with ``-use_counters=1``. -``indir:`` - Number of distinct function `caller-callee pairs`_ executed with the - current corpus; only valid if the code under test was built with - ``-fsanitize-coverage=indirect-calls``. -``units:`` - Number of entries in the current input corpus. +``ft:`` + libFuzzer uses different signals to evaluate the code coverage: + edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc. + These signals combined are called *features* (`ft:`). +``corp:`` + Number of entries in the current in-memory test corpus and its size in bytes. ``exec/s:`` Number of fuzzer iterations per second. +``rss:`` + Current memory consumption. For ``NEW`` events, the output line also includes information about the mutation operation that produced the new input: @@ -397,19 +394,22 @@ A simple function that does something interesting if it receives the input } EOF # Build test_fuzzer.cc with asan and link against libFuzzer.a - clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc libFuzzer.a + clang++ -fsanitize=address -fsanitize-coverage=trace-pc-guard test_fuzzer.cc libFuzzer.a # Run the fuzzer with no corpus. ./a.out You should get an error pretty quickly:: - #0 READ units: 1 exec/s: 0 - #1 INITED cov: 3 units: 1 exec/s: 0 - #2 NEW cov: 5 units: 2 exec/s: 0 L: 64 MS: 0 - #19237 NEW cov: 9 units: 3 exec/s: 0 L: 64 MS: 0 - #20595 NEW cov: 10 units: 4 exec/s: 0 L: 1 MS: 4 ChangeASCIIInt-ShuffleBytes-ChangeByte-CrossOver- - #34574 NEW cov: 13 units: 5 exec/s: 0 L: 2 MS: 3 ShuffleBytes-CrossOver-ChangeBit- - #34807 NEW cov: 15 units: 6 exec/s: 0 L: 3 MS: 1 CrossOver- + INFO: Seed: 1523017872 + INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), + INFO: -max_len is not provided, using 64 + INFO: A corpus is not provided, starting from an empty corpus + #0 READ units: 1 + #1 INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb + #3811 NEW cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte- + #3827 NEW cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart- + #3963 NEW cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit- + #4167 NEW cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte- ==31511== ERROR: libFuzzer: deadly signal ... artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed