Lines Matching refs:fuzzer

19 The fuzzer is linked with the library under test, and feeds fuzzed inputs to the
20 library via a specific fuzzing entrypoint (aka "target function"); the fuzzer
51 However the fuzzer itself does not (and should not) depend on any part of LLVM
90 the SanitizerCoverage_ option, which instruments the code so that the fuzzer
92 the libFuzzer code then gives a fuzzer executable.
117 files. The fuzzer generates random mutations based around the sample inputs in
150 To run the fuzzer, first create a Corpus_ directory that holds the
158 Then run the fuzzer on the corpus directory:
164 As the fuzzer discovers new interesting test cases (i.e. test cases that
181 inputs found by one fuzzer process will be available to the other fuzzer
196 To run the fuzzer, pass zero or more corpus directories as command line
197 arguments. The fuzzer will read test inputs from each of these corpus
203 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
205 If a list of files (rather than directories) are passed to the fuzzer program,
207 In this mode the fuzzer binary can be used as a regression test (e.g. on a
235 If positive, indicates the maximum total time in seconds to run the fuzzer.
285 For the full list of flags run the fuzzer binary with ``-help=1``.
290 During operation the fuzzer prints information to ``stderr``, for example::
302 The early parts of the output include information about the fuzzer options and
310 The fuzzer has read in all of the provided input samples from the corpus
313 The fuzzer has completed initialization, which includes running each of
316 The fuzzer has created a test input that covers new areas of the code
319 The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure
320 the user that the fuzzer is still working).
322 The fuzzer has completed operation because it has reached the specified
325 The fuzzer is minimizing the combination of input corpus directories into
328 The fuzzer is performing a periodic reload of inputs from the corpus
330 fuzzer processes (see `Parallel Fuzzing`_).
339 only valid if the fuzzer is run with ``-use_counters=1``.
347 Number of fuzzer iterations per second.
383 # Run the fuzzer with no corpus.
434 This will give you a binary of the fuzzer, called ``pcre_fuzzer``.
442 For more complicated/structured inputs, the fuzzer works much more efficiently
445 Now run the fuzzer with the corpus directory as the only parameter:
463 Now, interrupt the fuzzer and run it again the same way. You will see::
475 On the second execution the fuzzer has a non-empty input corpus (405 items). As
476 the first step, the fuzzer minimized this corpus (the ``INITED`` line) to
480 (Aside: although the fuzzer only saves new inputs that hit additional code, this
486 You may run ``N`` independent fuzzer jobs in parallel on ``M`` CPUs:
492 By default (``-reload=1``) the fuzzer processes will periodically scan the corpus directory
547 # Build the fuzzer.
550 # Run 20 independent fuzzer jobs.
563 Note: a `similar fuzzer <https://boringssl.googlesource.com/boringssl/+/HEAD/FUZZING.md>`_
596 and extra run-time flag ``-use_traces=1`` the fuzzer will try to apply *data-flow-guided fuzzing*.
597 That is, the fuzzer will record the inputs to comparison instructions, switch statements,
609 even if the end result will be the same. This will cause a fuzzer to treat
649 How good is my fuzzer?
659 ASAN_OPTIONS=coverage=1:html_cov_report=1 ./fuzzer CORPUS_DIR -runs=0
707 since the fuzzer needs to report a leak with a reproducer as soon as the leaky
731 ninja check-fuzzer
742 clang-format-fuzzer
748 ninja clang-format-fuzzer
750 ./bin/clang-format-fuzzer CORPUS_DIR
756 clang-fuzzer
759 The behavior is very similar to ``clang-format-fuzzer``.
763 llvm-as-fuzzer
768 llvm-mc-fuzzer
776 fuzzer will consume as many instructions as possible and will stop when it
780 fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
786 llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
792 shown at http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer .
810 coverage set of the process (since the fuzzer is in-process). In other words, by
811 using more external dependencies we will slow down the fuzzer while the main
814 Q. What about Windows then? The fuzzer contains code that does not build on Windows.
827 in-process fuzzer with all sanitizers to detect most bugs on the spot.
828 * It is harder to protect the in-process fuzzer from excessive memory
833 the in-process fuzzer interface (e.g. require a file path instead of a
836 more) the speed benefit from the in-process fuzzer is negligible.
857 * PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;
875 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_