[libFuzzer] docs: update the examples

llvm-svn: 285344
2024-11-22 18:54:02 +01:00 · 2016-10-27 21:03:48 +00:00 · 2016-10-27 21:03:48 +00:00 · 20e3021a2f
commit 20e3021a2f
parent bf2ad1b205
1 changed files with 30 additions and 30 deletions
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@ -92,9 +92,7 @@ options. Note that the libFuzzer library contains the ``main()`` function:

 .. code-block:: console

-  svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
-  # Alternative: get libFuzzer from a dedicated git mirror:
-  # git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
+  svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer  # or git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
  ./Fuzzer/build.sh  # Produces libFuzzer.a

 Then build the fuzzing target function and the library under test using
@ -116,7 +114,7 @@ latent bugs by making incorrect behavior generate errors at runtime:

 Finally, link with ``libFuzzer.a``::

-  clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
+  clang -fsanitize-coverage=trace-pc-guard -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer

 Corpus
 ------
@ -305,14 +303,16 @@ Output

 During operation the fuzzer prints information to ``stderr``, for example::

-  INFO: Seed: 3338750330
-  Loaded 1024/1211 files from corpus/
+  INFO: Seed: 1523017872
+  INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), 
  INFO: -max_len is not provided, using 64
-  #0	READ   units: 1211 exec/s: 0
-  #1211	INITED cov: 2575 bits: 8855 indir: 5 units: 830 exec/s: 1211
-  #1422	NEW    cov: 2580 bits: 8860 indir: 5 units: 831 exec/s: 1422 L: 21 MS: 1 ShuffleBytes-
-  #1688	NEW    cov: 2581 bits: 8865 indir: 5 units: 832 exec/s: 1688 L: 19 MS: 2 EraseByte-CrossOver-
-  #1734	NEW    cov: 2583 bits: 8879 indir: 5 units: 833 exec/s: 1734 L: 27 MS: 3 ChangeBit-EraseByte-ShuffleBytes-
+  INFO: A corpus is not provided, starting from an empty corpus
+  #0	READ units: 1
+  #1	INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
+  #3811	NEW    cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
+  #3827	NEW    cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
+  #3963	NEW    cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
+  #4167	NEW    cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
  ...

 The early parts of the output include information about the fuzzer options and
@ -350,19 +350,16 @@ Each output line also reports the following statistics (when non-zero):
 ``cov:``
  Total number of code blocks or edges covered by the executing the current
  corpus.
-``vp:``
-  Size of the `value profile`_.
-``bits:``
-  Rough measure of the number of code blocks or edges covered, and how often;
-  only valid if the fuzzer is run with ``-use_counters=1``.
-``indir:``
-  Number of distinct function `caller-callee pairs`_ executed with the
-  current corpus; only valid if the code under test was built with
-  ``-fsanitize-coverage=indirect-calls``.
-``units:``
-  Number of entries in the current input corpus.
+``ft:``
+  libFuzzer uses different signals to evaluate the code coverage:
+  edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc.
+  These signals combined are called *features* (`ft:`).
+``corp:``
+  Number of entries in the current in-memory test corpus and its size in bytes.
 ``exec/s:``
  Number of fuzzer iterations per second.
+``rss:``
+  Current memory consumption.

 For ``NEW`` events, the output line also includes information about the mutation
 operation that produced the new input:
@ -397,19 +394,22 @@ A simple function that does something interesting if it receives the input
  }
  EOF
  # Build test_fuzzer.cc with asan and link against libFuzzer.a
-  clang++ -fsanitize=address -fsanitize-coverage=edge test_fuzzer.cc libFuzzer.a
+  clang++ -fsanitize=address -fsanitize-coverage=trace-pc-guard test_fuzzer.cc libFuzzer.a
  # Run the fuzzer with no corpus.
  ./a.out

 You should get an error pretty quickly::

-  #0  READ   units: 1 exec/s: 0
-  #1  INITED cov: 3 units: 1 exec/s: 0
-  #2  NEW    cov: 5 units: 2 exec/s: 0 L: 64 MS: 0
-  #19237  NEW    cov: 9 units: 3 exec/s: 0 L: 64 MS: 0
-  #20595  NEW    cov: 10 units: 4 exec/s: 0 L: 1 MS: 4 ChangeASCIIInt-ShuffleBytes-ChangeByte-CrossOver-
-  #34574  NEW    cov: 13 units: 5 exec/s: 0 L: 2 MS: 3 ShuffleBytes-CrossOver-ChangeBit-
-  #34807  NEW    cov: 15 units: 6 exec/s: 0 L: 3 MS: 1 CrossOver-
+  INFO: Seed: 1523017872
+  INFO: Loaded 1 modules (16 guards): [0x744e60, 0x744ea0), 
+  INFO: -max_len is not provided, using 64
+  INFO: A corpus is not provided, starting from an empty corpus
+  #0	READ units: 1
+  #1	INITED cov: 3 ft: 2 corp: 1/1b exec/s: 0 rss: 24Mb
+  #3811	NEW    cov: 4 ft: 3 corp: 2/2b exec/s: 0 rss: 25Mb L: 1 MS: 5 ChangeBit-ChangeByte-ChangeBit-ShuffleBytes-ChangeByte-
+  #3827	NEW    cov: 5 ft: 4 corp: 3/4b exec/s: 0 rss: 25Mb L: 2 MS: 1 CopyPart-
+  #3963	NEW    cov: 6 ft: 5 corp: 4/6b exec/s: 0 rss: 25Mb L: 2 MS: 2 ShuffleBytes-ChangeBit-
+  #4167	NEW    cov: 7 ft: 6 corp: 5/9b exec/s: 0 rss: 25Mb L: 3 MS: 1 InsertByte-
  ==31511== ERROR: libFuzzer: deadly signal
  ...
  artifact_prefix='./'; Test unit written to ./crash-b13e8756b13a00cf168300179061fb4b91fefbed