diff options
| author | Wladimir J. van der Laan <laanwj@gmail.com> | 2019-01-30 21:09:39 +0100 |
|---|---|---|
| committer | Wladimir J. van der Laan <laanwj@gmail.com> | 2019-01-30 21:10:21 +0100 |
| commit | 9553102c38c0ba4de48b35f3a13191fbc0e4cf09 (patch) | |
| tree | eee5d1438d89b9eddfd206bcfc2eefb72c3d0171 /doc | |
| parent | 77339e5c244b183dd6e8d93f6b7bdf1d00849024 (diff) | |
| parent | 2ca632e5b44a8385989c8539cc4e30e60fdee16c (diff) | |
| download | bitcoin-9553102c38c0ba4de48b35f3a13191fbc0e4cf09.tar.xz | |
Merge #15043: test: Build fuzz targets into seperate executables
2ca632e5b44a8385989c8539cc4e30e60fdee16c test: Build fuzz targets into seperate executables (MarcoFalke)
fab4bed68a3964ace5620a25d32d62ed87003126 [test] fuzz: make test_one_input return void (MarcoFalke)
Pull request description:
Currently our fuzzer is a single binary that decides on the first few bits of the buffer what target to pick. This is ineffective as the fuzzer needs to "learn" how the fuzz targets are organized and could get easily confused. Not to mention that the (seed) corpus can not be categorized by target, since targets might "leak" into each other. Also the corpus would potentially become invalid if we ever wanted to remove a target...
Solve that by building each fuzz target into their own executable.
Tree-SHA512: a874febc85a3c5e6729199542b65cad10640553fba6f663600c827fe144543744dd0f844fb62b4c95c6a04c670bfce32cdff3d5f26de2dfc25f10b258eda18ab
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/fuzzing.md | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/doc/fuzzing.md b/doc/fuzzing.md index 23317e938e..08b73d3b3c 100644 --- a/doc/fuzzing.md +++ b/doc/fuzzing.md @@ -1,9 +1,9 @@ Fuzz-testing Bitcoin Core ========================== -A special test harness `test_bitcoin_fuzzy` is provided to provide an easy -entry point for fuzzers and the like. In this document we'll describe how to -use it with AFL and libFuzzer. +A special test harness in `src/test/fuzz/` is provided for each fuzz target to +provide an easy entry point for fuzzers and the like. In this document we'll +describe how to use it with AFL and libFuzzer. ## AFL @@ -23,10 +23,10 @@ export AFLPATH=$PWD To build Bitcoin Core using AFL instrumentation (this assumes that the `AFLPATH` was set as above): ``` -./configure --disable-ccache --disable-shared --enable-tests CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++ +./configure --disable-ccache --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++ export AFL_HARDEN=1 cd src/ -make test/test_bitcoin_fuzzy +make ``` We disable ccache because we don't want to pollute the ccache with instrumented objects, and similarly don't want to use non-instrumented cached objects linked @@ -35,7 +35,7 @@ in. The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and `afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting -`test_bitcoin_fuzzy` binary will be instrumented in such a way that the AFL +binary will be instrumented in such a way that the AFL features "persistent mode" and "deferred forkserver" can be used. See https://github.com/mcarpenter/afl/tree/master/llvm_mode for details. @@ -63,7 +63,7 @@ Extract these (or other starting inputs) into the `inputs` directory before star To start the actual fuzzing use: ``` -$AFLPATH/afl-fuzz -i ${AFLIN} -o ${AFLOUT} -m52 -- test/test_bitcoin_fuzzy +$AFLPATH/afl-fuzz -i ${AFLIN} -o ${AFLOUT} -m52 -- test/fuzz/fuzz_target_foo ``` You may have to change a few kernel parameters to test optimally - `afl-fuzz` @@ -77,7 +77,7 @@ found in the `compiler-rt` runtime libraries package). To build the `test/test_bitcoin_fuzzy` executable run ``` -./configure --disable-ccache --with-sanitizers=fuzzer,address CC=clang CXX=clang++ +./configure --disable-ccache --enable-fuzz --with-sanitizers=fuzzer,address CC=clang CXX=clang++ make ``` |