[libfuzzer][doc] making corpus & dicts more prominent in the documentation
BUG=
Review-Url: https://codereview.chromium.org/2410593002
Cr-Commit-Position: refs/heads/master@{#424256}
diff --git a/testing/libfuzzer/getting_started.md b/testing/libfuzzer/getting_started.md
index fbd9b4c..f8e55f7 100644
--- a/testing/libfuzzer/getting_started.md
+++ b/testing/libfuzzer/getting_started.md
@@ -49,7 +49,7 @@
Define `fuzzer_test` GN target:
-```
+```python
import("//testing/libfuzzer/fuzzer_test.gni")
fuzzer_test("my_fuzzer") {
sources = [ "my_fuzzer.cc" ]
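Review bot: the `fuzzer_test` example in this hunk still shows only `sources`, yet the new "Improving Your Fuzzer" text below tells readers to add `seed_corpus = "src/fuzz-testcases/"` and `dict = "protocol.dict"` attributes to "your fuzzer targets" without ever showing where they go; consider extending this same GN snippet with both attributes, so the target definition and the later advice line up. Tagging the fence as `python` is only a highlighting approximation (GN is not Python); if the doc has other GN snippets, use the same tag on all of them for consistency.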
@@ -75,35 +75,30 @@
#0 READ units: 1 exec/s: 0
#1 INITED cov: 2361 bits: 95 indir: 29 units: 1 exec/s: 0
#2 NEW cov: 2710 bits: 359 indir: 36 units: 2 exec/s: 0 L: 64 MS: 0
-#3 NEW cov: 2715 bits: 371 indir: 37 units: 3 exec/s: 0 L: 64 MS: 1 ShuffleBytes-
-#5 NEW cov: 2728 bits: 375 indir: 38 units: 4 exec/s: 0 L: 63 MS: 3 ShuffleBytes-ShuffleBytes-EraseByte-
-#6 NEW cov: 2729 bits: 384 indir: 38 units: 5 exec/s: 0 L: 10 MS: 4 ShuffleBytes-ShuffleBytes-EraseByte-CrossOver-
-#7 NEW cov: 2733 bits: 424 indir: 39 units: 6 exec/s: 0 L: 63 MS: 1 ShuffleBytes-
-#8 NEW cov: 2733 bits: 426 indir: 39 units: 7 exec/s: 0 L: 63 MS: 2 ShuffleBytes-ChangeByte-
-#11 NEW cov: 2733 bits: 447 indir: 39 units: 8 exec/s: 0 L: 33 MS: 5 ShuffleBytes-ChangeByte-ChangeASCIIInt-ChangeBit-CrossOver-
-#12 NEW cov: 2733 bits: 451 indir: 39 units: 9 exec/s: 0 L: 62 MS: 1 CrossOver-
-#16 NEW cov: 2733 bits: 454 indir: 39 units: 10 exec/s: 0 L: 61 MS: 5 CrossOver-ChangeBit-ChangeBit-EraseByte-ChangeBit-
-#18 NEW cov: 2733 bits: 458 indir: 39 units: 11 exec/s: 0 L: 24 MS: 2 CrossOver-CrossOver-
```
The `... NEW ...` line appears when libFuzzer finds new and interesting input. The
efficient fuzzer should be able to finds lots of them rather quickly.
-
The `... pulse ...` line will appear periodically to show the current status.
+## Improving Your Fuzzer
-### Default value for maximum testcase length
+Your fuzzer may immediately discover interesting (i.e. crashing) inputs.
+To make it more efficient, several small steps can take you really far:
-By default, when run manually, libFuzzer uses `-max_len=64` or takes the length
-of the biggest testcase in corpus if corpus is not empty. ClusterFuzz takes
+* Create seed corpus. Add `seed_corpus = "src/fuzz-testcases/"` attribute
+to your fuzzer targets and add example files in appropriate folder. Read more
+in [Seed Corpus] section of efficient fuzzer guide.
+*Make sure corpus files are appropriately licensed.*
+* Create mutation dictionary. With a `dict = "protocol.dict"` attribute and
+`key=value` dicitionary file format, mutations can be more effective.
+See [Fuzzer Dictionary].
+* Specify maximum testcase length. By default libFuzzer uses `-max_len=64`
+ (or takes the longest testcase in a corpus). ClusterFuzz takes
random value in range from `1` to `10000` for each fuzzing session and passes
that value to libFuzzers. If corpus contains testcases of size greater than
-`max_len`, libFuzzer will use only first `max_len` bytes of such testcases.
-
-
-You can specify custom `max_len` value to be used by ClusterFuzz. For more
-information check out [Maximum Testcase Length] section of the [Efficient Fuzzer
-Guide].
+`max_len`, libFuzzer will use only first `max_len` bytes of such testcases.
+See [Maximum Testcase Length].
## Disable noisy error message logging
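Review bot: typo in the dictionary bullet: `dicitionary` should be `dictionary`. Two smaller points in the same region: deleting the blank line between "The `... NEW ...` line appears..." and "The `... pulse ...` line will appear..." merges those two sentences into a single paragraph, so keep that blank line; and the old text "You can specify custom `max_len` value to be used by ClusterFuzz" is dropped from the `max_len` bullet while the new bullet only says "See [Maximum Testcase Length]", so readers lose the hint that the value is configurable unless the linked section covers it. Minor grammar in the new bullets: "Create a seed corpus", "add a `seed_corpus = ...` attribute", "add example files in the appropriate folder", and in the unchanged context "should be able to find lots of them".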
@@ -151,10 +146,12 @@
[Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html
-[Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html
-[Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
[ClusterFuzz status]: clusterfuzz.md#Status-Links
-[crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448
[Efficient Fuzzer Guide]: efficient_fuzzer.md
+[Fuzzer Dictionary]: efficient_fuzzer.md#Fuzzer-Dictionary
[Maximum Testcase Length]: efficient_fuzzer.md#Maximum-Testcase-Length
+[Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html
+[Seed Corpus]: efficient_fuzzer.md#Seed-Corpus
+[Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
+[crbug/598448]: https://bugs.chromium.org/p/chromium/issues/detail?id=598448
[url_parse_fuzzer.cc]: https://code.google.com/p/chromium/codesearch#chromium/src/testing/libfuzzer/fuzzers/url_parse_fuzzer.cc
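Review bot: the `[Efficient Fuzzer Guide]` definition is kept, but the only use of it visible in this patch (the removed "section of the [Efficient Fuzzer Guide]" text) is gone, while the new Seed Corpus bullet says "efficient fuzzer guide" as plain text; either link that phrase as `[Efficient Fuzzer Guide]` or drop the now-unused definition, whichever matches the rest of the file. Re-sorting the reference definitions alphabetically is fine, but it is unrelated churn that makes the diff larger than the content change; a separate cleanup would be easier to review.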