
[tests] Add libFuzzer support.
Changes Planned · Public

Authored by Fabien on Fri, Nov 29, 17:28.

Details

Reviewers
deadalnix
Group Reviewers
Restricted Project
Summary

This is a backport of core PR10440:
https://github.com/bitcoin/bitcoin/pull/10440/files

I added some modifications to the CMake files to support enabling
libFuzzer easily (it requires manual compilation otherwise).
This is natively supported by ECM, but it will try to apply to every build
with a main(), which is not the desired behavior, as it should only
apply to the test_bitcoin_fuzzy target.

Test Plan

Build with Clang >= 6.0:

cmake -GNinja .. -DENABLE_SANITIZERS=fuzzer
ninja test_bitcoin_fuzzy
./src/test/test_bitcoin_fuzzy

Stop it with CTRL+C when you're bored, as it will run indefinitely.

Diff Detail

Repository
rABC Bitcoin ABC
Branch
PR10440
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 8342
Build 14703: Bitcoin ABC Buildbot
Build 14702: arc lint + arc unit

Event Timeline

Fabien created this revision. Fri, Nov 29, 17:28
Herald added a reviewer: Restricted Project. Fri, Nov 29, 17:28
Fabien updated this revision to Diff 14516. Fri, Nov 29, 20:38

Add missing static.

deadalnix requested changes to this revision. Sun, Dec 1, 22:35
deadalnix added inline comments.
src/test/CMakeLists.txt:193

Does building that target without the sanitizer make any sense at all? Also, are you sure that it doesn't all have to be built with the sanitizer?

This revision now requires changes to proceed. Sun, Dec 1, 22:35
Fabien requested review of this revision. Mon, Dec 2, 07:35
Fabien added inline comments.
src/test/CMakeLists.txt:193

The reason for not setting the option by default is that there are 2 possible ways to use the executable for fuzzing:

  • You can build against an AFL compiler, such as afl-clang-fast, and then use afl-fuzz to manage the instrumented binary (this is the method described in the fuzzing.md documentation).
  • Or you can use clang's integrated libFuzzer, which is what is done by passing the -fsanitize=fuzzer option. I don't think you can do both at the same time, as I don't expect the afl-* enabled compilers to support libFuzzer.

Regarding your second question, there is no need for building anything else with the fuzzer sanitizer (see https://github.com/bitcoin/bitcoin/pull/16338).
But you can (should?) build with other sanitizers such as ASAN, for example, then run with an abort-on-error option (I don't remember the exact syntax). That would allow you to catch the vectors that trigger ASAN faults.
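The two fuzzing modes discussed above (an AFL-instrumented binary driven by afl-fuzz versus clang's built-in libFuzzer via -fsanitize=fuzzer) can share one harness source. The following is an added example and is not the test_bitcoin_fuzzy code from PR10440 or the Bitcoin ABC tree: the decoder under test is a constructed CompactSize-style length-prefix parser standing in for the real deserializers, and the guard around main() assumes clang defines FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION when -fsanitize=fuzzer is passed (libFuzzer supplies its own main in that build).

```cpp
// Added example: one source file that works as a libFuzzer target and as an
// AFL / stand-alone binary. libFuzzer calls LLVMFuzzerTestOneInput directly;
// the fallback main() below feeds a file or stdin through the same function.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the code under test: decode a Bitcoin-style
// CompactSize length prefix (1/3/5/9 bytes) followed by that many payload
// bytes. Returns total bytes consumed; throws on malformed or truncated input
// and never reads past `size`.
size_t DecodeLengthPrefixed(const uint8_t* data, size_t size) {
    if (size == 0) throw std::runtime_error("empty input");
    size_t pos = 0;
    uint64_t len = data[pos++];
    size_t extra = 0;  // additional length bytes selected by the marker byte
    if (len == 0xfd) extra = 2; else if (len == 0xfe) extra = 4; else if (len == 0xff) extra = 8;
    if (extra != 0) {
        if (size - pos < extra) throw std::runtime_error("truncated length field");
        len = 0;
        for (size_t i = 0; i < extra; ++i) len |= uint64_t(data[pos + i]) << (8 * i);  // little-endian
        pos += extra;
    }
    if (len > size - pos) throw std::runtime_error("truncated payload");
    return pos + static_cast<size_t>(len);
}

// libFuzzer entry point. A fuzzer only counts crashes and sanitizer reports
// (e.g. ASAN faults) as findings, so expected parse errors are swallowed here
// instead of letting an exception terminate the process on every bad input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    try {
        (void)DecodeLengthPrefixed(data, size);
    } catch (const std::runtime_error&) {
        // malformed input is a legitimate outcome, not a bug
    }
    return 0;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
// Not built with -fsanitize=fuzzer: e.g. an afl-clang-fast build run under
// afl-fuzz, which hands each test case over as a file argument or on stdin.
int main(int argc, char** argv) {
    FILE* f = argc > 1 ? std::fopen(argv[1], "rb") : stdin;
    if (!f) return 1;
    std::vector<uint8_t> buf;
    uint8_t chunk[4096];
    size_t n;
    while ((n = std::fread(chunk, 1, sizeof(chunk), f)) > 0) buf.insert(buf.end(), chunk, chunk + n);
    if (f != stdin) std::fclose(f);
    return LLVMFuzzerTestOneInput(buf.data(), buf.size());
}
#endif
```

Building this with -fsanitize=fuzzer,address and running it is the combination described in the comment: libFuzzer generates inputs and ASAN turns out-of-bounds reads in the decoder into crashing test cases.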

Fabien planned changes to this revision. Mon, Dec 9, 15:06