6502/llvm-6502
1
0
Fork 0
mirror of https://github.com/c64scene-ar/llvm-6502.git synced 2025-06-22 10:24:26 +00:00
Code Issues Projects Releases Wiki Activity

[fuzzer] document the -tokens flag. Also change the diagnostic output

Browse Source 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@233842 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany
2015-04-01 21:33:20 +00:00
parent a8d688454d
commit 01055ec7e3
2 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/LibFuzzer.rst
View File

@ -163,6 +163,27 @@ which will cause the fuzzer to exit on the first new synthesised input::
N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M -exit_on_first=1 N=100; M=4; ./pcre_fuzzer ./CORPUS -jobs=$N -workers=$M -exit_on_first=1
Advanced features
=================
Tokens
------
By default, the fuzzer is not aware of complexities of the input language
and when fuzzing e.g. a C++ parser it will mostly stress the lexer.
It is very hard for the fuzzer to come up with something like ``reinterpret_cast<int>``
from a test corpus that doesn't have it.
See a detailed discussion of this topic at
http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html.
lib/Fuzzer implements a simple technique that allows to fuzz input languages with
long tokens. All you need is to prepare a text file containing up to 253 tokens, one token per line,
and pass it to the fuzzer as ``-tokens=TOKENS_FILE.txt``.
Three implicit tokens are added: ``" "``, ``"\t"``, and ``"\n"``.
The fuzzer itself will still be mutating a string of bytes
but before passing this input to the target library it will replace every byte ``b`` with the ``b``-th token.
If there are less than ``b`` tokens, a space will be added instead.
Fuzzing components of LLVM Fuzzing components of LLVM
========================== ==========================
@ -188,6 +209,7 @@ clang-fuzzer
------------ ------------
The default behavior is very similar to ``clang-format-fuzzer``. The default behavior is very similar to ``clang-format-fuzzer``.
Clang can also be fuzzed with Tokens_ using ``-tokens=$LLVM/lib/Fuzzer/cxx_fuzzer_tokens.txt`` option.
Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23057 Tracking bug: https://llvm.org/bugs/show_bug.cgi?id=23057

11
lib/Fuzzer/FuzzerUtil.cpp
View File

@ -19,15 +19,18 @@
namespace fuzzer { namespace fuzzer {
void Print(const Unit &v, const char *PrintAfter) { void Print(const Unit &v, const char *PrintAfter) {
std::cerr << v.size() << ": ";
for (auto x : v) for (auto x : v)
std::cerr << (unsigned) x << " "; std::cerr << "0x" << std::hex << (unsigned) x << std::dec << ",";
std::cerr << PrintAfter; std::cerr << PrintAfter;
} }
void PrintASCII(const Unit &U, const char *PrintAfter) { void PrintASCII(const Unit &U, const char *PrintAfter) {
for (auto X : U) for (auto X : U) {
std::cerr << (char)((isascii(X) && X >= ' ') ? X : '?'); if (isprint(X))
std::cerr << X;
else
std::cerr << "\\x" << std::hex << (int)(unsigned)X << std::dec;
}
std::cerr << PrintAfter; std::cerr << PrintAfter;
} }