[PATCH] D19585: [libFuzzer] Improve documentation
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Wed Apr 27 09:51:55 PDT 2016
kcc added a comment.
This is very cool, thanks!
I've made several minor comments.
The patch does not apply to ToT (arc patch http://reviews.llvm.org/D19585 says 2 out of 14 hunks FAILED) for some reason; you may need to svn up / merge.
================
Comment at: docs/LibFuzzer.rst:2
@@ +1,3 @@
+=======================================================
+LibFuzzer – a library for coverage-guided fuzz testing.
+=======================================================
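Review bot: the trailing period in the page title is unusual for an RST heading and reads oddly in the rendered TOC; drop it (``libFuzzer – a library for coverage-guided fuzz testing``), and keep the overline and underline at least as long as the title text so Sphinx does not warn about a too-short section adornment.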
----------------
For no particular reason I prefer libFuzzer.
================
Comment at: docs/LibFuzzer.rst:20
@@ +19,3 @@
+The fuzzer is linked with the library under test, and feeds fuzzed inputs to
+the library via a specific fuzzing entrypoint; the fuzzer then tracks which
+areas of the code are reached, and generations mutations on the corpus of
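Review bot: "generations mutations" in the last line of this hunk should be "generates mutations". While touching the sentence, "a specific fuzzing entrypoint" is the natural place to introduce the term the rest of the document uses for it, e.g. "via a specific fuzzing entrypoint (the target function)", so the later references to "the target function" have an antecedent.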
----------------
via a specific fuzzing entrypoint (aka "target function");
================
Comment at: docs/LibFuzzer.rst:21
@@ +20,3 @@
+the library via a specific fuzzing entrypoint; the fuzzer then tracks which
+areas of the code are reached, and generations mutations on the corpus of
+input data in order to maximize the code coverage. The code coverage
----------------
s/generations/generates
================
Comment at: docs/LibFuzzer.rst:30
@@ -27,4 +29,3 @@
-Then build the target function and the library you are going to test.
-You should use SanitizerCoverage_ and one of ASan, MSan, or UBSan.
-Link it with `libFuzzer.a`::
+LibFuzzer has been present in Clang since 3.7.0_, but continues to be under
+active development so it is best to use a recent version of Clang.
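Review bot: the removed lines were the only statement here of the build requirements (compile with SanitizerCoverage_ and one of ASan, MSan or UBSan, then link against ``libFuzzer.a``); the added sentence about Clang versions does not replace that, so either keep those instructions in this hunk or make sure they survive elsewhere in the reworked section. Also add a comma before "so": "active development, so it is best to use a recent version of Clang".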
----------------
I don't want to be this verbose.
Instead we should clearly state that the only supported variant (at least at this point) is trunk (or something very close to trunk).
================
Comment at: docs/LibFuzzer.rst:163
@@ +162,3 @@
+inputs found by one fuzzer process will be available to the other fuzzer
+processes (provided the ``-reload=1`` option is set).
+
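Review bot: "provided the ``-reload=1`` option is set" implies the corpus is only shared when the user asks for it; per the reviewer's comment below, sharing is on unless ``-reload=0`` is given, so phrase it as "unless this is disabled with ``-reload=0``" to avoid telling readers to pass a flag they do not need.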
----------------
(unless you disable this by ``-reload=0`` command line flag)
================
Comment at: docs/LibFuzzer.rst:186
@@ +185,3 @@
+
+(If a list of files (rather than directories) are passed to the fuzzer program,
+then it will re-run those files as test inputs but will not perform any fuzzing.)
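Review bot: subject-verb agreement in the first line: "If a list of files ... are passed" should be "is passed" (or simply "If files rather than directories are passed"). The enclosing parentheses also undersell this mode; it deserves a plain sentence, and one clause on why a user would want it (the fuzzer binary can replay its corpus as a regression test, e.g. on a continuous integration system) would make the paragraph useful rather than incidental.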
----------------
Remove outer ()
Add something like "in this mode the fuzzer binary could be used as a regression test, i.e. on a continuous integration system"
================
Comment at: docs/LibFuzzer.rst:305
@@ +304,3 @@
+``cov:``
+ Total number of code blocks covered by the executing the current corpus.
+``bits:``
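Review bot: "covered by the executing the current corpus" has a stray article; write "covered by executing the current corpus". Since this is the headline coverage counter, also name the unit it counts ("code blocks or edges") rather than only "code blocks", so readers running with edge coverage are not misled.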
----------------
s/blocks/blocks or edges
================
Comment at: docs/LibFuzzer.rst:376
@@ -159,4 +375,3 @@
# Get PCRE2
- svn co svn://vcs.exim.org/pcre2/code/trunk pcre
- # Build PCRE2 with AddressSanitizer and coverage.
- (cd pcre; ./autogen.sh; CC="clang -fsanitize=address $COV_FLAGS" ./configure --prefix=`pwd`/../inst && make -j && make install)
+ wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre2-10.20.tar.gz
+ tar xf pcre2-10.20.tar.gz
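Review bot: the new download step fetches a tarball over plain FTP with no integrity check, and the hunk deletes the build line (``CC="clang -fsanitize=address $COV_FLAGS" ./configure ... && make -j && make install``) together with the ``svn co`` it replaces; make sure the ASan+coverage configure/build/install step still follows the ``tar xf`` line, and if a pinned tarball is kept, add a checksum verification (for example ``sha256sum -c`` against a known digest) so the tutorial does not teach readers to build and fuzz an unverified download.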
----------------
why not svn?
================
Comment at: docs/LibFuzzer.rst:629
@@ -391,2 +628,3 @@
Try to avoid initialization inside the target function itself as
+it will skew the coverage data. Don't do this:
----------------
While you are at it, remove this part (about function-scope statics).
It's not that bad in fact.
http://reviews.llvm.org/D19585