Commit

clean up and add afl
pauldreik committed Apr 27, 2019
1 parent ab46241 commit e64c3fb
Showing 2 changed files with 19 additions and 48 deletions.
52 changes: 4 additions & 48 deletions fuzzing/README.md
@@ -7,8 +7,8 @@ It has found bugs:
- [fmt github #1127](https://github.com/fmtlib/fmt/issues/1127)

Unfortunately one has to limit the maximum memory allocation, otherwise
the fuzzing will soon interrupt after trying to allocate many GB of memory. That is why the submodule
does not point to upstream fmt, but instead to a [branch in fmt fork](https://github.com/pauldreik/fmt/tree/fuzz) which introduces the nice blocks like:
the fuzzing will soon interrupt after trying to allocate many GB of memory.
Therefore, the code includes blocks like:
```cpp
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
if(spec.precision>100000) {
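Review bot: the new sentence "Therefore, the code includes blocks like:" loses the information the removed line carried, namely which fmt the guarded blocks live in. The old text explained that the submodule pointed at the pauldreik/fmt fuzz branch precisely because upstream lacked these guards; if the guards are now upstream (which is what dropping the fork link implies), state that explicitly, e.g. "upstream fmt now carries these guards, so the submodule tracks upstream", otherwise a reader cannot tell which fmt revision these instructions apply to.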
@@ -18,50 +18,6 @@ if(spec.precision>100000) {
```
This macro is the defacto standard for making fuzzing practically possible, see [the libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#fuzzer-friendly-build-mode).

To do a variety of builds making sure the build system works as intended,
execute ```./build.sh```.

With afl, reaches about 3000 iterations per second on a single core.
With libFuzzer, about 200000.

# AFL
Building with afl and undefined behaviour sanitizer:
```sh
mkdir build-afl-ubsan
cd build-afl-ubsan
CXX=afl-g++ CXXFLAGS="-fsanitize=undefined" cmake .. -Dreproduce_mode=on
make
```

corpus minimization:
```sh
afl-cmin -i lots/of/files/ -o corpus/ -- ./reproducer_fuzz_two_args @@
```

fuzzing:
```sh
export UBSAN_OPTIONS=abort_on_error=1
afl-fuzz -i corpus -o out -- ./reproducer_fuzz_two_args @@
```

# libFuzzer

## with sanitizers

```sh
mkdir build-libfuzzer-sanitizers
cd build-libfuzzer-sanitizers/
CXX=clang++ CXXFLAGS="-fsanitize=address,undefined -O3" cmake .. -Dreproduce_mode=off
make
mkdir out
./fuzzer_fuzz_two_args out corpus
```

## plain (good for speed, corpus exploration)

```sh
mkdir build-libfuzzer-plain
cd build-libfuzzer-plain/
CXX=clang++ CXXFLAGS="-O3" cmake .. -Dreproduce_mode=off
make
mkdir -p out corpus
./fuzzer_fuzz_two_args out corpus
```
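Review bot: this hunk deletes every run-time instruction (afl-cmin corpus minimization, the afl-fuzz invocation with `export UBSAN_OPTIONS=abort_on_error=1`, and both libFuzzer invocations) and replaces them with a pointer to ./build.sh, which only builds. Keep at least a short "running" section: the `UBSAN_OPTIONS=abort_on_error=1` line in particular is easy to forget, and without it UBSan prints its report and continues, so the process never crashes and afl-fuzz never records the finding. Separately, the added line wraps inline code in a triple-backtick fence (execute ```./build.sh```.); a single backtick is the markdown form for inline code.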
15 changes: 15 additions & 0 deletions fuzzing/build.sh
@@ -53,5 +53,20 @@ cmake $root -GNinja -DCMAKE_BUILD_TYPE=Debug \
cmake --build $builddir


#builds fuzzers for local fuzzing with afl
builddir=$here/build-fuzzers-afl
mkdir -p $builddir
cd $builddir
CXX="afl-g++" \
CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -fsanitize=address,undefined" \
cmake $root -GNinja -DCMAKE_BUILD_TYPE=Debug \
-DFMT_DOC=Off \
-DFMT_TEST=Off \
-DFMT_FUZZ=On \
-DFMT_FUZZ_LINKMAIN=On

cmake --build $builddir


echo $me: all good
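Review bot: the new block assumes afl-g++ is installed; on a machine without AFL, cmake fails at compiler detection and, if the script runs under `set -e`, it dies before `echo $me: all good` even though the libFuzzer builds above succeeded. Guard the block, e.g. `command -v afl-g++ >/dev/null || { echo "$me: afl-g++ not found, skipping afl build"; }` around it, so the script still reports a successful run. A comment is also warranted that this ASan-instrumented afl binary has to be run with `afl-fuzz -m none` (or a very large -m), because afl's default memory limit is far below the address space ASan reserves; now that the README no longer says how to run the fuzzers, build.sh is the only place a reader will look.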

0 comments on commit e64c3fb