Lines Matching +full:clang +full:- +full:format +full:- +full:3

2 libFuzzer – a library for coverage-guided fuzz testing.
11 LibFuzzer is a library for in-process, coverage-guided, evolutionary fuzzing
15 all of its fuzzing inside a single process. This in-process fuzzing can be more
17 for process start-up.
32 version of Clang is the only supported variant.
34 (If `building Clang from trunk`_ is too time-consuming or difficult, then
35 the Clang binaries that the Chromium developers build are likely to be
38 .. code-block:: console
42 git clone https://chromium.googlesource.com/chromium/src/tools/clang
44 TMP_CLANG/clang/scripts/update.py
46 This installs the Clang binary as
47 ``./third_party/llvm-build/Release+Asserts/bin/clang``)
49 The libFuzzer code resides in the LLVM repository, and requires a recent Clang
65 --------
70 .. code-block:: c++
75 return 0; // Non-zero return values are reserved for future use.
81 .. code-block:: console
83 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
85 # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
86 clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
97 - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`.
98 - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explic…
99 …listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefi…
100 …or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=und…
102 - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory
103 contents that have not been initialized to a specific value. Use `-fsanitize=memory`.
108 clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuz…
111 ------
113 Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
118 the current corpus. If a mutation triggers execution of a previously-uncovered
132 is to use the `-merge=1` flag:
134 .. code-block:: console
137 ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
142 .. code-block:: console
144 ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
148 -------
153 .. code-block:: console
160 .. code-block:: console
162 ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ...
171 will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``,
172 or ``timeout-<sha1>``).
176 ----------------
178 Each libFuzzer process is single-threaded, unless the library under test starts
182 processes (unless you disable this with the ``-reload=0`` option).
184 This is primarily controlled by the ``-jobs=N`` option, which indicates that
188 worker processes can be overridden by the ``-workers=N`` option. For example,
189 running with ``-jobs=30`` on a 12-core machine would run 6 workers by default,
201 .. code-block:: console
203 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
206 then it will re-run those files as test inputs but will not perform any fuzzing.
213 ``-help``
215 ``-seed``
217 ``-runs``
218 Number of individual test runs, -1 (the default) to run indefinitely.
219 ``-max_len``
222 ``-timeout``
225 ``-rss_limit_mb``
230 If running without ASAN/MSAN, you may use ``ulimit -v`` instead.
231 ``-timeout_exitcode``
233 ``-abort_on_timeout`` is not set.
234 ``-max_total_time``
237 ``-merge``
238 If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories
241 ``-reload``
242 If set to 1 (the default), the corpus directory is re-read periodically to
245 ``-jobs``
250 ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``.
251 ``-workers``
254 ``-dict``
256 ``-use_counters``
259 ``-use_traces``
260 Use instruction traces (experimental, defaults to 0); see `Data-flow-guided fuzzing`_.
261 ``-only_ascii``
263 ``-artifact_prefix``
266 ``-exact_artifact_path``
267 Ignored if empty (the default). If non-empty, write the single artifact on
269 ``-artifact_prefix`` and will not use checksum in the file name. Do not use
271 ``-print_final_stats``
273 ``-detect-leaks``
276 ``-close_fd_mask``
280 - 0 (default): close neither ``stdout`` nor ``stderr``
281 - 1 : close ``stdout``
282 - 2 : close ``stderr``
283 - 3 : close both ``stdout`` and ``stderr``.
285 For the full list of flags run the fuzzer binary with ``-help=1``.
294 INFO: -max_len is not provided, using 64
297 #1422 NEW cov: 2580 bits: 8860 indir: 5 units: 831 exec/s: 1422 L: 21 MS: 1 ShuffleBytes-
298 …#1688 NEW cov: 2581 bits: 8865 indir: 5 units: 832 exec/s: 1688 L: 19 MS: 2 EraseByte-CrossOver-
299 …cov: 2583 bits: 8879 indir: 5 units: 833 exec/s: 1734 L: 27 MS: 3 ChangeBit-EraseByte-ShuffleBytes-
304 can be overridden with the ``-seed=N`` flag).
323 iteration limit (``-runs``) or time limit (``-max_total_time``).
326 a single unified corpus (due to the ``-merge`` command line option).
332 Each output line also reports the following statistics (when non-zero):
339 only valid if the fuzzer is run with ``-use_counters=1``.
341 Number of distinct function `caller-callee pairs`_ executed with the
343 ``-fsanitize-coverage=indirect-calls``.
365 -----------
382 clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc libFuzzer.a
389 #1 INITED cov: 3 units: 1 exec/s: 0
391 #19237 NEW cov: 9 units: 3 exec/s: 0 L: 64 MS: 0
392 …595 NEW cov: 10 units: 4 exec/s: 0 L: 1 MS: 4 ChangeASCIIInt-ShuffleBytes-ChangeByte-CrossOver-
393 #34574 NEW cov: 13 units: 5 exec/s: 0 L: 2 MS: 3 ShuffleBytes-CrossOver-ChangeBit-
394 #34807 NEW cov: 15 units: 6 exec/s: 0 L: 3 MS: 1 CrossOver-
397 artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed
401 -----
405 COV_FLAGS=" -fsanitize-coverage=edge,indirect-calls,8bit-counters"
407 wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre2-10.20.tar.gz
408 tar xf pcre2-10.20.tar.gz
410 …(cd pcre2-10.20; ./autogen.sh; CC="clang -fsanitize=address $COV_FLAGS" ./configure --prefix=`pwd`…
430 clang++ -g -fsanitize=address $COV_FLAGS -c -std=c++11 -I inst/include/ pcre_fuzzer.cc
432 clang++ -g -fsanitize=address -Wl,--whole-archive inst/lib/*.a -Wl,-no-whole-archive libFuzzer.a p…
437 .. code-block:: console
439 mkdir -p CORPUS
447 .. code-block:: console
454 INFO: -max_len is not provided, using 64
457 #1 INITED cov: 3 bits: 3 units: 1 exec/s: 0
458 #2 NEW cov: 176 bits: 176 indir: 3 units: 2 exec/s: 0 L: 64 MS: 0
459 #8 NEW cov: 176 bits: 179 indir: 3 units: 3 exec/s: 0 L: 63 MS: 2 ChangeByte-EraseByte-
461 …EW cov: 1500 bits: 4536 indir: 5 units: 406 exec/s: 0 L: 54 MS: 3 ChangeBit-ChangeBit-CrossOver-
466 INFO: -max_len is not provided, using 64
469 #587 NEW cov: 1499 bits: 4540 indir: 5 units: 287 exec/s: 0 L: 52 MS: 2 InsertByte-EraseByte-
470 #667 NEW cov: 1501 bits: 4542 indir: 5 units: 288 exec/s: 0 L: 39 MS: 2 ChangeBit-InsertByte-
471 …672 NEW cov: 1501 bits: 4543 indir: 5 units: 289 exec/s: 0 L: 15 MS: 2 ChangeASCIIInt-ChangeBit-
472 …s: 4544 indir: 5 units: 290 exec/s: 0 L: 64 MS: 4 ShuffleBytes-ChangeASCIIInt-InsertByte-ChangeBit-
475 On the second execution the fuzzer has a non-empty input corpus (405 items). As
482 an input hitting A-B-C then an input that hits A-B-C-D are generated,
488 .. code-block:: console
490 N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M
492 By default (``-reload=1``) the fuzzer processes will periodically scan the corpus directory
496 If ``-workers=$M`` is not supplied, ``min($N,NumberOfCpuCore/2)`` will be used.
499 ----------
501 As was recently `shown <https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.ht…
502 fuzzing with AddressSanitizer_ can find Heartbleed. Indeed, here are the step-by-step instructions
505 wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz
506 tar xf openssl-1.0.1f.tar.gz
507 COV_FLAGS="-fsanitize-coverage=edge,indirect-calls" # -fsanitize-coverage=8bit-counters
508 (cd openssl-1.0.1f/ && ./config &&
509 make -j 32 CC="clang -g -fsanitize=address $COV_FLAGS")
511 svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
512 clang -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
515 cp selftls/server* . -v
516 cat << EOF > handshake-fuzz.cc
548 clang++ -g handshake-fuzz.cc -fsanitize=address \
549 openssl-1.0.1f/libssl.a openssl-1.0.1f/libcrypto.a Fuzzer*.o
551 ./a.out -jobs=20 -workers=20
557 …==17488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000004748 at pc 0x00000048c…
560 #1 0x4db504 in tls1_process_heartbeat openssl-1.0.1f/ssl/t1_lib.c:2586:3
561 #2 0x580be3 in ssl3_read_bytes openssl-1.0.1f/ssl/s3_pkt.c:1092:4
573 ------------
574 LibFuzzer supports user-supplied dictionaries with input language keywords
575 or other interesting byte sequences (e.g. multi-byte magic values).
576 Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary
578 The dictionary syntax is similar to that used by AFL_ for its ``-x`` option::
591 Data-flow-guided fuzzing
592 ------------------------
595 With an additional compiler flag ``-fsanitize-coverage=trace-cmp`` (see SanitizerCoverageTraceDataF…
596 and extra run-time flag ``-use_traces=1`` the fuzzer will try to apply *data-flow-guided fuzzing*.
603 Fuzzer-friendly build mode
604 ---------------------------
605 Sometimes the code under test is not fuzzing-friendly. Examples:
607 - The target code uses a PRNG seeded e.g. by system time and
612 - The target code uses checksums to protect from invalid inputs.
615 In many cases it makes sense to build a special fuzzing-friendly build
616 with certain fuzzing-unfriendly features disabled. We propose to use a common build macro
619 .. code-block:: c++
633 -----------------
638 .. code-block:: console
640 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@
641 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir
647 see an example `here <https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/afl/afl_driver.cpp…
650 ----------------------
657 .. code-block:: console
659 ASAN_OPTIONS=coverage=1:html_cov_report=1 ./fuzzer CORPUS_DIR -runs=0
666 e.g. using `Clang coverage <http://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_,
670 User-supplied mutators
671 ----------------------
673 LibFuzzer allows the use of custom (user-supplied) mutators,
677 ----------------------
683 .. code-block:: c++
693 .. code-block:: c++
702 -----
706 For in-process fuzzing this is inconvenient
711 By default (``-detect_leaks=1``) libFuzzer will count the number of
719 you will eventually run out of RAM (see the ``-rss_limit_mb`` flag).
726 fresh clang as the host compiler and special CMake configuration:
728 .. code-block:: console
730 -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DLLVM_USE_SANITIZER=Address -DLLVM…
731 ninja check-fuzzer
742 clang-format-fuzzer
743 -------------------
744 The inputs are random pieces of C++-like text.
746 .. code-block:: console
748 ninja clang-format-fuzzer
750 ./bin/clang-format-fuzzer CORPUS_DIR
756 clang-fuzzer
757 ------------
759 The behavior is very similar to ``clang-format-fuzzer``.
763 llvm-as-fuzzer
764 --------------
768 llvm-mc-fuzzer
769 --------------
772 disassembler, but it is hoped that assembly and round-trip verification will be
780 fuzzers. The fuzzer arguments should follow ``--fuzzer-args`` and should have
782 similar manner to ``llvm-mc`` and should have two dashes. For example:
784 .. code-block:: console
786 llvm-mc-fuzzer --triple=aarch64-linux-gnu --disassemble --fuzzer-args -max_len=4 -jobs=10
789 --------
792 shown at http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer .
798 -----------------------------------------------------
805 users -- and we want more users to use this code.
810 coverage set of the process (since the fuzzer is in-process). In other words, by
815 ------------------------------------------------------------------------------------
820 ---------------------------------------------------------
823 asserts/crashes on invalid inputs, in-process fuzzing is not applicable.
827 in-process fuzzer with all sanitizers to detect most bugs on the spot.
828 * It is harder to protect the in-process fuzzer from excessive memory
833 the in-process fuzzer interface (e.g. require a file path instead of a
836 more) the speed benefit from the in-process fuzzer is negligible.
841 --------------------------------------------
846 Examples: regular expression matchers, text or binary format parsers, compression,
853 …git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://w…
860 * `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_
870 …8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.…
873 …`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE
875 * `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_
879 …gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com…
881 * Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__
883 …/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com…
887 `Clang <https://llvm.org/bugs/show_bug.cgi?id=23057>`_, `Clang-format <https://llvm.org/bugs/show_b…
891 .. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html
892 .. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-
893 .. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html
894 .. _AddressSanitizer: http://clang.llvm.org/docs/AddressSanitizer.html
895 .. _LeakSanitizer: http://clang.llvm.org/docs/LeakSanitizer.html
897 .. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h
899 .. _building Clang from trunk: http://clang.llvm.org/get_started.html
900 .. _MemorySanitizer: http://clang.llvm.org/docs/MemorySanitizer.html
901 .. _UndefinedBehaviorSanitizer: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
902 .. _`coverage counters`: http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters
903 .. _`caller-callee pairs`: http://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage