doc/fuzzing.md
$AFLPATH/afl-fuzz -i ${DIR_FUZZ_IN}/${FUZZ_TARGET} -o ${AFLOUT}/${FUZZ_TARGET} -m52 -- src/test/fuzz/${FUZZ_TARGET} | $AFLPATH/afl-fuzz -i ${DIR_FUZZ_IN}/${FUZZ_TARGET} -o ${AFLOUT}/${FUZZ_TARGET} -m52 -- src/test/fuzz/${FUZZ_TARGET} | ||||
``` | ``` | ||||
You may have to change a few kernel parameters to test optimally - `afl-fuzz` | You may have to change a few kernel parameters to test optimally - `afl-fuzz` | ||||
will print an error and suggestion if so. | will print an error and suggestion if so. | ||||
## libFuzzer | ## libFuzzer | ||||
A recent version of `clang`, the address sanitizer and libFuzzer is needed (all | A recent version of `clang`, the address/undefined sanitizers (ASan/UBSan) and libFuzzer is needed (all | ||||
found in the `compiler-rt` runtime libraries package). | found in the `compiler-rt` runtime libraries package). | ||||
To build all fuzz targets with libFuzzer, run | To build all fuzz targets with libFuzzer, run | ||||
``` | ``` | ||||
mkdir -p buildFuzzer | mkdir -p buildFuzzer | ||||
cd buildFuzzer | cd buildFuzzer | ||||
cmake -GNinja .. \ | cmake -GNinja .. \ | ||||
-DCCACHE=OFF \ | -DCCACHE=OFF \ | ||||
-DCMAKE_C_COMPILER=clang \ | -DCMAKE_C_COMPILER=clang \ | ||||
-DCMAKE_CXX_COMPILER=clang++ \ | -DCMAKE_CXX_COMPILER=clang++ \ | ||||
-DENABLE_SANITIZERS="fuzzer;address" | -DENABLE_SANITIZERS="fuzzer;address;undefined" | ||||
ninja bitcoin-fuzzers | ninja bitcoin-fuzzers | ||||
``` | ``` | ||||
The fuzzer needs some inputs to work on, but the inputs or seeds can be used | The fuzzer needs some inputs to work on, but the inputs or seeds can be used | ||||
interchangeably between libFuzzer and AFL. | interchangeably between libFuzzer and AFL. | ||||
See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer | See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer | ||||
instrumented executable. | instrumented executable. | ||||
Alternatively run the script in `./test/fuzz/test_runner.py` and provide it | Alternatively run the script in `./test/fuzz/test_runner.py` and provide it | ||||
with the `${DIR_FUZZ_IN}` created earlier. | with the `${DIR_FUZZ_IN}` created earlier. |
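Review bot: the reworded first sentence of the libFuzzer section now has a plural subject (`clang`, the address/undefined sanitizers (ASan/UBSan) and libFuzzer), so "is needed" should become "are needed". Separately, since the cmake line now adds `undefined` to `-DENABLE_SANITIZERS="fuzzer;address;undefined"`, the paragraph would benefit from one sentence on whether the build makes UBSan abort on a finding (UBSan reports and continues by default, unlike ASan, so without a non-recovering configuration libFuzzer will not record an undefined-behaviour hit as a crash); stating how this build handles that, or pointing readers to where it is configured, would avoid a silently weaker fuzzing run.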