aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/fuzzing.md8
-rwxr-xr-xtest/fuzz/test_runner.py48
2 files changed, 37 insertions, 19 deletions
diff --git a/doc/fuzzing.md b/doc/fuzzing.md
index c34ca4cb59..af82371d58 100644
--- a/doc/fuzzing.md
+++ b/doc/fuzzing.md
@@ -52,7 +52,7 @@ For macOS you may need to ignore x86 compilation checks when running `make`:
To build Bitcoin Core using AFL instrumentation (this assumes that the
`AFLPATH` was set as above):
```
-./configure --disable-ccache --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++
+./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++
export AFL_HARDEN=1
make
```
@@ -60,7 +60,7 @@ make
If you are using clang you will need to substitute `afl-gcc` with `afl-clang`
and `afl-g++` with `afl-clang++`, so the first line above becomes:
```
-./configure --disable-ccache --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-clang CXX=${AFLPATH}/afl-clang++
+./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-clang CXX=${AFLPATH}/afl-clang++
```
We disable ccache because we don't want to pollute the ccache with instrumented
@@ -102,7 +102,7 @@ libFuzzer is needed (all found in the `compiler-rt` runtime libraries package).
To build all fuzz targets with libFuzzer, run
```
-./configure --disable-ccache --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=clang CXX=clang++
+./configure --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=clang CXX=clang++
make
```
@@ -134,5 +134,5 @@ clang does not come first in your path.
Full configure that was tested on macOS Catalina with `brew` installed `llvm`:
```
-./configure --disable-ccache --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=/usr/local/opt/llvm/bin/clang CXX=/usr/local/opt/llvm/bin/clang++ --disable-asm
+./configure --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=/usr/local/opt/llvm/bin/clang CXX=/usr/local/opt/llvm/bin/clang++ --disable-asm
```
diff --git a/test/fuzz/test_runner.py b/test/fuzz/test_runner.py
index 520a2b5a95..1786c39c36 100755
--- a/test/fuzz/test_runner.py
+++ b/test/fuzz/test_runner.py
@@ -14,7 +14,10 @@ import logging
def main():
- parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+ parser = argparse.ArgumentParser(
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+ description='''Run the fuzz targets with all inputs from the seed_dir once.''',
+ )
parser.add_argument(
"-l",
"--loglevel",
@@ -23,11 +26,6 @@ def main():
help="log events at this level and higher to the console. Can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL. Passing --loglevel DEBUG will output all logs to console.",
)
parser.add_argument(
- '--export_coverage',
- action='store_true',
- help='If true, export coverage information to files in the seed corpus',
- )
- parser.add_argument(
'--valgrind',
action='store_true',
help='If true, run fuzzing binaries under the valgrind memory error detector',
@@ -46,6 +44,10 @@ def main():
nargs='*',
help='The target(s) to run. Default is to run all targets.',
)
+ parser.add_argument(
+ '--m_dir',
+ help='Merge inputs from this directory into the seed_dir. Needs /target subdirectory.',
+ )
args = parser.parse_args()
@@ -122,16 +124,39 @@ def main():
logging.error("subprocess timed out: Currently only libFuzzer is supported")
sys.exit(1)
+ if args.m_dir:
+ merge_inputs(
+ corpus=args.seed_dir,
+ test_list=test_list_selection,
+ build_dir=config["environment"]["BUILDDIR"],
+ merge_dir=args.m_dir,
+ )
+
run_once(
corpus=args.seed_dir,
test_list=test_list_selection,
build_dir=config["environment"]["BUILDDIR"],
- export_coverage=args.export_coverage,
use_valgrind=args.valgrind,
)
-def run_once(*, corpus, test_list, build_dir, export_coverage, use_valgrind):
+def merge_inputs(*, corpus, test_list, build_dir, merge_dir):
+ logging.info("Merge the inputs in the passed dir into the seed_dir. Passed dir {}".format(merge_dir))
+ for t in test_list:
+ args = [
+ os.path.join(build_dir, 'src', 'test', 'fuzz', t),
+ '-merge=1',
+ os.path.join(corpus, t),
+ os.path.join(merge_dir, t),
+ ]
+ os.makedirs(os.path.join(corpus, t), exist_ok=True)
+ os.makedirs(os.path.join(merge_dir, t), exist_ok=True)
+ logging.debug('Run {} with args {}'.format(t, args))
+ output = subprocess.run(args, check=True, stderr=subprocess.PIPE, universal_newlines=True).stderr
+ logging.debug('Output: {}'.format(output))
+
+
+def run_once(*, corpus, test_list, build_dir, use_valgrind):
for t in test_list:
corpus_path = os.path.join(corpus, t)
os.makedirs(corpus_path, exist_ok=True)
@@ -155,13 +180,6 @@ def run_once(*, corpus, test_list, build_dir, export_coverage, use_valgrind):
logging.info(e.stderr)
logging.info("Target \"{}\" failed with exit code {}: {}".format(t, e.returncode, " ".join(args)))
sys.exit(1)
- if not export_coverage:
- continue
- for l in output.splitlines():
- if 'INITED' in l:
- with open(os.path.join(corpus, t + '_coverage'), 'w', encoding='utf-8') as cov_file:
- cov_file.write(l)
- break
def parse_test_list(makefile):