doc/fuzzing.md
### Instrumentation | ### Instrumentation | ||||
To build Bitcoin ABC using AFL instrumentation (this assumes that the | To build Bitcoin ABC using AFL instrumentation (this assumes that the | ||||
`AFLPATH` was set as above): | `AFLPATH` was set as above): | ||||
``` | ``` | ||||
mkdir -p buildFuzzer | mkdir -p buildFuzzer | ||||
cd buildFuzzer | cd buildFuzzer | ||||
cmake -GNinja .. -DCCACHE=OFF -DCMAKE_C_COMPILER=afl-gcc -DCMAKE_CXX_COMPILER=afl-g++ | cmake -GNinja .. -DCMAKE_C_COMPILER=afl-gcc -DCMAKE_CXX_COMPILER=afl-g++ | ||||
export AFL_HARDEN=1 | export AFL_HARDEN=1 | ||||
ninja bitcoin-fuzzers | ninja bitcoin-fuzzers | ||||
``` | ``` | ||||
We disable ccache because we don't want to pollute the ccache with instrumented | |||||
objects, and similarly don't want to use non-instrumented cached objects linked | |||||
in. | |||||
The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and | The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and | ||||
`afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When | `afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When | ||||
compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting | compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting | ||||
binary will be instrumented in such a way that the AFL features "persistent | binary will be instrumented in such a way that the AFL features "persistent | ||||
mode" and "deferred forkserver" can be used. | mode" and "deferred forkserver" can be used. | ||||
See https://github.com/mcarpenter/afl/tree/master/llvm_mode for details. | See https://github.com/mcarpenter/afl/tree/master/llvm_mode for details. | ||||
### Fuzzing | ### Fuzzing | ||||
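Review bot: the new `-DCCACHE=OFF` flag in the AFL cmake invocation relies on the build system exposing a cache option spelled exactly `CCACHE`; please confirm that name matches the option defined in the project's CMake files, because an unrecognised `-D` variable is accepted by cmake with only a "manually-specified variables were not used" warning and would leave ccache silently enabled for the instrumented build. The explanatory paragraph ("We disable ccache because we don't want to pollute the ccache with instrumented objects ...") is a useful addition; consider tightening it to a single sentence and stating the two risks it names (cache polluted by instrumented objects, non-instrumented cached objects linked into the fuzzer) as the reason this build must start from a clean object set, since `AFL_HARDEN=1` is exported after cmake and only takes effect at compile time during `ninja bitcoin-fuzzers`.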
found in the `compiler-rt` runtime libraries package). | found in the `compiler-rt` runtime libraries package). | ||||
To build all fuzz targets with libFuzzer, run | To build all fuzz targets with libFuzzer, run | ||||
``` | ``` | ||||
mkdir -p buildFuzzer | mkdir -p buildFuzzer | ||||
cd buildFuzzer | cd buildFuzzer | ||||
cmake -GNinja .. \ | cmake -GNinja .. \ | ||||
-DCCACHE=OFF \ | |||||
-DCMAKE_C_COMPILER=clang \ | -DCMAKE_C_COMPILER=clang \ | ||||
-DCMAKE_CXX_COMPILER=clang++ \ | -DCMAKE_CXX_COMPILER=clang++ \ | ||||
-DENABLE_SANITIZERS="fuzzer;address;undefined" | -DENABLE_SANITIZERS="fuzzer;address;undefined" | ||||
ninja bitcoin-fuzzers | ninja bitcoin-fuzzers | ||||
``` | ``` | ||||
The fuzzer needs some inputs to work on, but the inputs or seeds can be used | The fuzzer needs some inputs to work on, but the inputs or seeds can be used | ||||
interchangeably between libFuzzer and AFL. | interchangeably between libFuzzer and AFL. | ||||
See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer | See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer | ||||
instrumented executable. | instrumented executable. | ||||
Alternatively run the script in `./test/fuzz/test_runner.py` and provide it | Alternatively run the script in `./test/fuzz/test_runner.py` and provide it | ||||
with the `${DIR_FUZZ_IN}` created earlier. | with the `${DIR_FUZZ_IN}` created earlier. |
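Review bot: `-DCCACHE=OFF` is added to the libFuzzer cmake invocation here without any accompanying explanation, whereas the Instrumentation section above now carries a paragraph justifying the same flag. A reader who jumps straight to the libFuzzer instructions will not know why ccache is disabled; add one sentence after this code block (for example, "As with the AFL build, ccache is disabled so that sanitizer-instrumented objects are neither cached nor mixed with non-instrumented cached objects.") or a short pointer back to the rationale in the Instrumentation section. The rest of the hunk (compiler selection and `-DENABLE_SANITIZERS="fuzzer;address;undefined"`) is unchanged context and looks correct.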