[llvm] r268959 - [libFuzzer] reshuffle docs

[Kostya Serebryany via llvm-commits]

Author: kcc
Date: Mon May  9 14:29:53 2016
New Revision: 268959

URL: http://llvm.org/viewvc/llvm-project?rev=268959&view=rev
Log:
[libFuzzer] reshuffle docs 

Modified:
    llvm/trunk/docs/LibFuzzer.rst

Modified: llvm/trunk/docs/LibFuzzer.rst
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/docs/LibFuzzer.rst?rev=268959&r1=268958&r2=268959&view=diff
==============================================================================
--- llvm/trunk/docs/LibFuzzer.rst (original)
+++ llvm/trunk/docs/LibFuzzer.rst Mon May  9 14:29:53 2016
@@ -52,41 +52,6 @@ infrastructure and can be used for other
 of LLVM.
 
 
-Corpus
-======
-
-Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
-code under test.  This corpus should ideally be seeded with a varied collection
-of valid and invalid inputs for the code under test; for example, for a graphics
-library the initial corpus might hold a variety of different small PNG/JPG/GIF
-files.  The fuzzer generates random mutations based around the sample inputs in
-the current corpus.  If a mutation triggers execution of a previously-uncovered
-path in the code under test, then that mutation is saved to the corpus for
-future variations.
-
-LibFuzzer will work without any initial seeds, but will be less
-efficient if the library under test accepts complex,
-structured inputs.
-
-The corpus can also act as a sanity/regression check, to confirm that the
-fuzzing entrypoint still works and that all of the sample inputs run through
-the code under test without problems.
-
-If you have a large corpus (either generated by fuzzing or acquired by other means)
-you may want to minimize it while still preserving the full coverage. One way to do that
-is to use the `-merge=1` flag:
-
-.. code-block:: console
-
-  mkdir NEW_CORPUS_DIR  # Store minimized corpus here.
-  ./my-fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
-
-You may use the same flag to add more interesting items to an existing corpus.
-Only the inputs that trigger new coverage will be added to the first corpus.
-
-.. code-block:: console
-
-  ./my-fuzzer -merge=1 CURRNT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
 
 Getting Started
 ===============
@@ -138,6 +103,43 @@ Finally, link with ``libFuzzer.a``::
 
   clang -fsanitize-coverage=edge -fsanitize=address your_lib.cc fuzz_target.cc libFuzzer.a -o my_fuzzer
 
+Corpus
+======
+
+Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
+code under test.  This corpus should ideally be seeded with a varied collection
+of valid and invalid inputs for the code under test; for example, for a graphics
+library the initial corpus might hold a variety of different small PNG/JPG/GIF
+files.  The fuzzer generates random mutations based around the sample inputs in
+the current corpus.  If a mutation triggers execution of a previously-uncovered
+path in the code under test, then that mutation is saved to the corpus for
+future variations.
+
+LibFuzzer will work without any initial seeds, but will be less
+efficient if the library under test accepts complex,
+structured inputs.
+
+The corpus can also act as a sanity/regression check, to confirm that the
+fuzzing entrypoint still works and that all of the sample inputs run through
+the code under test without problems.
+
+If you have a large corpus (either generated by fuzzing or acquired by other means)
+you may want to minimize it while still preserving the full coverage. One way to do that
+is to use the `-merge=1` flag:
+
+.. code-block:: console
+
+  mkdir NEW_CORPUS_DIR  # Store minimized corpus here.
+  ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR
+
+You may use the same flag to add more interesting items to an existing corpus.
+Only the inputs that trigger new coverage will be added to the first corpus.
+
+.. code-block:: console
+
+  ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR
+
+
 Running
 -------