diff --git a/fuzzing/README.md b/fuzzing/README.md index c8c4a9340ea5..cbdb2b1628d6 100644 --- a/fuzzing/README.md +++ b/fuzzing/README.md @@ -7,8 +7,8 @@ It has found bugs: - [fmt github #1127](https://github.com/fmtlib/fmt/issues/1127) Unfortunately one has to limit the maximum memory allocation, otherwise -the fuzzing will soon interrupt after trying to allocate many GB of memory. That is why the submodule -does not point to upstream fmt, but instead to a [branch in fmt fork](https://github.com/pauldreik/fmt/tree/fuzz) which introduces the nice blocks like: +the fuzzing will soon interrupt after trying to allocate many GB of memory. +Therefore, the code includes blocks like: ```cpp #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION if(spec.precision>100000) { 
@@ -18,50 +18,6 @@ if(spec.precision>100000) { ``` This macro is the defacto standard for making fuzzing practically possible, see [the libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#fuzzer-friendly-build-mode). +To do a variety of builds making sure the build system works as intended, +execute ```./build.sh```. -With afl, reaches about 3000 iterations per second on a single core. -With libFuzzer, about 200000. - -# AFL -Building with afl and undefined behaviour sanitizer: -```sh -mkdir build-afl-ubsan -cd build-afl-ubsan -CXX=afl-g++ CXXFLAGS="-fsanitize=undefined" cmake .. -Dreproduce_mode=on -make -``` - -corpus minimization: -```sh -afl-cmin -i lots/of/files/ -o corpus/ -- ./reproducer_fuzz_two_args @@ -``` - -fuzzing: -```sh -export UBSAN_OPTIONS=abort_on_error=1 -afl-fuzz -i corpus -o out -- ./reproducer_fuzz_two_args @@ -``` - -# libFuzzer - -## with sanitizers - -```sh -mkdir build-libfuzzer-sanitizers -cd build-libfuzzer-sanitizers/ -CXX=clang++ CXXFLAGS="-fsanitize=address,undefined -O3" cmake .. -Dreproduce_mode=off -make -mkdir out -./fuzzer_fuzz_two_args out corpus -``` - -## plain (good for speed, corpus exploration) - -```sh -mkdir build-libfuzzer-plain -cd build-libfuzzer-plain/ -CXX=clang++ CXXFLAGS="-O3" cmake .. -Dreproduce_mode=off -make -mkdir -p out corpus -./fuzzer_fuzz_two_args out corpus -``` diff --git a/fuzzing/build.sh b/fuzzing/build.sh index f209792a8d02..fc11132fc43a 100755 --- a/fuzzing/build.sh +++ b/fuzzing/build.sh @@ -53,5 +53,20 @@ cmake $root -GNinja -DCMAKE_BUILD_TYPE=Debug \ cmake --build $builddir +#builds fuzzers for local fuzzing with afl +builddir=$here/build-fuzzers-afl +mkdir -p $builddir +cd $builddir +CXX="afl-g++" \ +CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -fsanitize=address,undefined" \ +cmake $root -GNinja -DCMAKE_BUILD_TYPE=Debug \ +-DFMT_DOC=Off \ +-DFMT_TEST=Off \ +-DFMT_FUZZ=On \ +-DFMT_FUZZ_LINKMAIN=On + +cmake --build $builddir + + echo $me: all good
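Review bot: in the first README hunk (`@@ -7,8 +7,8`), the rewritten paragraph drops the explanation of where the guarded blocks now live. With the fork-branch reference gone, state that the `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` blocks are in the fmt sources themselves and that the macro has to be defined by the fuzzing build (build.sh passes `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1`), otherwise a reader who configures by hand gets a fuzzer without the allocation caps and hits exactly the multi-GB allocations the paragraph warns about. Also, "the fuzzing will soon interrupt after trying to allocate many GB of memory" reads awkwardly; "the fuzzer soon aborts after trying to allocate many GB of memory" is clearer.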
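Review bot: in the second README hunk (`@@ -18,50 +18,6`), replacing the AFL and libFuzzer sections with "execute ./build.sh" removes the only instructions for running the fuzzers: build.sh as shown only builds (`cmake --build $builddir`), and the README no longer says how to start a run (`afl-fuzz -i corpus -o out -- ./reproducer_fuzz_two_args @@`, `./fuzzer_fuzz_two_args out corpus`), how to minimize a corpus with `afl-cmin`, or that `UBSAN_OPTIONS=abort_on_error=1` is needed so UBSan findings register as crashes under AFL. Keep a short running subsection with those commands, updated to the build directories build.sh creates. The throughput figures (about 3000 iterations per second with afl, about 200000 with libFuzzer) are worth keeping as well, since they tell the reader which engine to use for corpus exploration versus sanitized runs. Unchanged context in this hunk: "defacto" should be "de facto".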
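Review bot: in the build.sh hunk (`@@ -53,5 +53,20`), the new AFL block runs unconditionally, so on a machine without AFL installed `CXX="afl-g++"` makes the cmake configure step fail and `./build.sh` never reaches `echo $me: all good` even though every preceding build succeeded; guard it with `if command -v afl-g++ >/dev/null 2>&1; then ... fi` (or an opt-in variable) so the script stays usable without AFL. Because this build combines afl-g++ with `-fsanitize=address,undefined`, document that the resulting binaries must be run with `afl-fuzz -m none` (ASan's shadow memory reservation exceeds AFL's default memory limit, so every input would be reported as a crash) and with `UBSAN_OPTIONS=abort_on_error=1` so UBSan reports count as crashes; the README hunk deletes the latter advice and nothing in the script replaces it. Minor: the two blank lines added before `echo $me: all good` leave a double blank line; one is enough.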