866 lines · plain
1=======================================================2libFuzzer – a library for coverage-guided fuzz testing.3=======================================================4.. contents::5 :local:6 :depth: 17 8Introduction9============10 11LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine.12 13LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the14library via a specific fuzzing entrypoint (aka "target function"); the fuzzer15then tracks which areas of the code are reached, and generates mutations on the16corpus of input data in order to maximize the code coverage.17The code coverage18information for libFuzzer is provided by LLVM's SanitizerCoverage_19instrumentation.20 21Contact: libfuzzer(#)googlegroups.com22 23Status24======25 26The original authors of libFuzzer have stopped active work on it and switched27to working on another fuzzing engine, Centipede_. LibFuzzer is still fully28supported in that important bugs will get fixed. However, please do not expect29major new features or code reviews, other than for bug fixes.30 31Versions32========33 34LibFuzzer requires a matching version of Clang.35 36 37Getting Started38===============39 40.. contents::41 :local:42 :depth: 143 44Fuzz Target45-----------46 47The first step in using libFuzzer on a library is to implement a48*fuzz target* -- a function that accepts an array of bytes and49does something interesting with these bytes using the API under test.50Like this:51 52.. code-block:: c++53 54 // fuzz_target.cc55 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {56 DoSomethingInterestingWithMyAPI(Data, Size);57 return 0; // Values other than 0 and -1 are reserved for future use.58 }59 60Note that this fuzz target does not depend on libFuzzer in any way61and so it is possible and even desirable to use it with other fuzzing engines62e.g. AFL_ and/or Radamsa_.63 64Some important things to remember about fuzz targets:65 66* The fuzzing engine will execute the fuzz target many times with different inputs in the same process.67* It must tolerate any kind of input (empty, huge, malformed, etc).68* It must not `exit()` on any input.69* It may use threads but ideally all threads should be joined at the end of the function.70* It must be as deterministic as possible. Non-determinism (e.g. random decisions not based on the input bytes) will make fuzzing inefficient.71* It must be fast. Try avoiding cubic or greater complexity, logging, or excessive memory consumption.72* Ideally, it should not modify any global state (although that's not strict).73* Usually, the narrower the target the better. E.g. if your target can parse several data formats, split it into several targets, one per format.74 75 76Fuzzer Usage77------------78 79Recent versions of Clang (starting from 6.0) include libFuzzer, and no extra installation is necessary.80 81In order to build your fuzzer binary, use the `-fsanitize=fuzzer` flag during the82compilation and linking. In most cases you may want to combine libFuzzer with83AddressSanitizer_ (ASAN), UndefinedBehaviorSanitizer_ (UBSAN), or both. You can84also build with MemorySanitizer_ (MSAN), but support is experimental::85 86 clang -g -O1 -fsanitize=fuzzer mytarget.c # Builds the fuzz target w/o sanitizers87 clang -g -O1 -fsanitize=fuzzer,address mytarget.c # Builds the fuzz target with ASAN88 clang -g -O1 -fsanitize=fuzzer,signed-integer-overflow mytarget.c # Builds the fuzz target with a part of UBSAN89 clang -g -O1 -fsanitize=fuzzer,memory mytarget.c # Builds the fuzz target with MSAN90 91This will perform the necessary instrumentation, as well as linking with the libFuzzer library.92Note that ``-fsanitize=fuzzer`` links in the libFuzzer's ``main()`` symbol.93 94If modifying ``CFLAGS`` of a large project, which also compiles executables95requiring their own ``main`` symbol, it may be desirable to request just the96instrumentation without linking::97 98 clang -fsanitize=fuzzer-no-link mytarget.c99 100Then libFuzzer can be linked to the desired driver by passing in101``-fsanitize=fuzzer`` during the linking stage.102 103.. _libfuzzer-corpus:104 105Corpus106------107 108Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the109code under test. This corpus should ideally be seeded with a varied collection110of valid and invalid inputs for the code under test; for example, for a graphics111library the initial corpus might hold a variety of different small PNG/JPG/GIF112files. The fuzzer generates random mutations based around the sample inputs in113the current corpus. If a mutation triggers execution of a previously-uncovered114path in the code under test, then that mutation is saved to the corpus for115future variations.116 117LibFuzzer will work without any initial seeds, but will be less118efficient if the library under test accepts complex,119structured inputs.120 121The corpus can also act as a sanity/regression check, to confirm that the122fuzzing entrypoint still works and that all of the sample inputs run through123the code under test without problems.124 125If you have a large corpus (either generated by fuzzing or acquired by other means)126you may want to minimize it while still preserving the full coverage. One way to do that127is to use the `-merge=1` flag:128 129.. code-block:: console130 131 mkdir NEW_CORPUS_DIR # Store minimized corpus here.132 ./my_fuzzer -merge=1 NEW_CORPUS_DIR FULL_CORPUS_DIR133 134You may use the same flag to add more interesting items to an existing corpus.135Only the inputs that trigger new coverage will be added to the first corpus.136 137.. code-block:: console138 139 ./my_fuzzer -merge=1 CURRENT_CORPUS_DIR NEW_POTENTIALLY_INTERESTING_INPUTS_DIR140 141Running142-------143 144To run the fuzzer, first create a Corpus_ directory that holds the145initial "seed" sample inputs:146 147.. code-block:: console148 149 mkdir CORPUS_DIR150 cp /some/input/samples/* CORPUS_DIR151 152Then run the fuzzer on the corpus directory:153 154.. code-block:: console155 156 ./my_fuzzer CORPUS_DIR # -max_len=1000 -jobs=20 ...157 158As the fuzzer discovers new interesting test cases (i.e. test cases that159trigger coverage of new paths through the code under test), those test cases160will be added to the corpus directory.161 162By default, the fuzzing process will continue indefinitely – at least until163a bug is found. Any crashes or sanitizer failures will be reported as usual,164stopping the fuzzing process, and the particular input that triggered the bug165will be written to disk (typically as ``crash-<sha1>``, ``leak-<sha1>``,166or ``timeout-<sha1>``).167 168 169Parallel Fuzzing170----------------171 172Each libFuzzer process is single-threaded, unless the library under test starts173its own threads. However, it is possible to run multiple libFuzzer processes in174parallel with a shared corpus directory; this has the advantage that any new175inputs found by one fuzzer process will be available to the other fuzzer176processes (unless you disable this with the ``-reload=0`` option).177 178This is primarily controlled by the ``-jobs=N`` option, which indicates that179that `N` fuzzing jobs should be run to completion (i.e. until a bug is found or180time/iteration limits are reached). These jobs will be run across a set of181worker processes, by default using half of the available CPU cores; the count of182worker processes can be overridden by the ``-workers=N`` option. For example,183running with ``-jobs=30`` on a 12-core machine would run 6 workers by default,184with each worker averaging 5 bugs by completion of the entire process.185 186Fork mode187---------188 189**Experimental** mode ``-fork=N`` (where ``N`` is the number of parallel jobs)190enables oom-, timeout-, and crash-resistant191fuzzing with separate processes (using ``fork-exec``, not just ``fork``).192 193The top libFuzzer process will not do any fuzzing itself, but will194spawn up to ``N`` concurrent child processes providing them195small random subsets of the corpus. After a child exits, the top process196merges the corpus generated by the child back to the main corpus.197 198Related flags:199 200``-ignore_ooms``201 True by default. If an OOM happens during fuzzing in one of the child processes,202 the reproducer is saved on disk, and fuzzing continues.203``-ignore_timeouts``204 True by default, same as ``-ignore_ooms``, but for timeouts.205``-ignore_crashes``206 False by default, same as ``-ignore_ooms``, but for all other crashes.207 208The plan is to eventually replace ``-jobs=N`` and ``-workers=N`` with ``-fork=N``.209 210Resuming merge211--------------212 213Merging large corpora may be time consuming, and it is often desirable to do it214on preemptable VMs, where the process may be killed at any time.215In order to seamlessly resume the merge, use the ``-merge_control_file`` flag216and use ``killall -SIGUSR1 /path/to/fuzzer/binary`` to stop the merge gracefully. Example:217 218.. code-block:: console219 220 % rm -f SomeLocalPath221 % ./my_fuzzer CORPUS1 CORPUS2 -merge=1 -merge_control_file=SomeLocalPath222 ...223 MERGE-INNER: using the control file 'SomeLocalPath'224 ...225 # While this is running, do `killall -SIGUSR1 my_fuzzer` in another console226 ==9015== INFO: libFuzzer: exiting as requested227 228 # This will leave the file SomeLocalPath with the partial state of the merge.229 # Now, you can continue the merge by executing the same command. The merge230 # will continue from where it has been interrupted.231 % ./my_fuzzer CORPUS1 CORPUS2 -merge=1 -merge_control_file=SomeLocalPath232 ...233 MERGE-OUTER: non-empty control file provided: 'SomeLocalPath'234 MERGE-OUTER: control file ok, 32 files total, first not processed file 20235 ...236 237Options238=======239 240To run the fuzzer, pass zero or more corpus directories as command line241arguments. The fuzzer will read test inputs from each of these corpus242directories, and any new test inputs that are generated will be written243back to the first corpus directory:244 245.. code-block:: console246 247 ./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]248 249If a list of files (rather than directories) are passed to the fuzzer program,250then it will re-run those files as test inputs but will not perform any fuzzing.251In this mode the fuzzer binary can be used as a regression test (e.g. on a252continuous integration system) to check the target function and saved inputs253still work.254 255The most important command line options are:256 257``-help``258 Print help message (``-help=1``).259``-seed``260 Random seed. If 0 (the default), the seed is generated.261``-runs``262 Number of individual test runs, -1 (the default) to run indefinitely.263``-max_len``264 Maximum length of a test input. If 0 (the default), libFuzzer tries to guess265 a good value based on the corpus (and reports it).266``-len_control``267 Try generating small inputs first, then try larger inputs over time.268 Specifies the rate at which the length limit is increased (smaller == faster).269 Default is 100. If 0, immediately try inputs with size up to max_len.270``-timeout``271 Timeout in seconds, default 1200. If an input takes longer than this timeout,272 the process is treated as a failure case.273``-rss_limit_mb``274 Memory usage limit in Mb, default 2048. Use 0 to disable the limit.275 If an input requires more than this amount of RSS memory to execute,276 the process is treated as a failure case.277 The limit is checked in a separate thread every second.278 If running w/o ASAN/MSAN, you may use 'ulimit -v' instead.279``-malloc_limit_mb``280 If non-zero, the fuzzer will exit if the target tries to allocate this281 number of Mb with one malloc call.282 If zero (default) same limit as rss_limit_mb is applied.283``-timeout_exitcode``284 Exit code (default 77) used if libFuzzer reports a timeout.285``-error_exitcode``286 Exit code (default 77) used if libFuzzer itself (not a sanitizer) reports a bug (leak, OOM, etc).287``-max_total_time``288 If positive, indicates the maximum total time in seconds to run the fuzzer.289 If 0 (the default), run indefinitely.290``-merge``291 If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories292 that trigger new code coverage will be merged into the first corpus293 directory. Defaults to 0. This flag can be used to minimize a corpus.294``-merge_control_file``295 Specify a control file used for the merge process.296 If a merge process gets killed it tries to leave this file in a state297 suitable for resuming the merge. By default a temporary file will be used.298``-minimize_crash``299 If 1, minimizes the provided crash input.300 Use with -runs=N or -max_total_time=N to limit the number of attempts.301``-reload``302 If set to 1 (the default), the corpus directory is re-read periodically to303 check for new inputs; this allows detection of new inputs that were discovered304 by other fuzzing processes.305``-jobs``306 Number of fuzzing jobs to run to completion. Default value is 0, which runs a307 single fuzzing process until completion. If the value is >= 1, then this308 number of jobs performing fuzzing are run, in a collection of parallel309 separate worker processes; each such worker process has its310 ``stdout``/``stderr`` redirected to ``fuzz-<JOB>.log``.311``-workers``312 Number of simultaneous worker processes to run the fuzzing jobs to completion313 in. If 0 (the default), ``min(jobs, NumberOfCpuCores()/2)`` is used.314``-dict``315 Provide a dictionary of input keywords; see Dictionaries_.316``-use_counters``317 Use `coverage counters`_ to generate approximate counts of how often code318 blocks are hit; defaults to 1.319``-reduce_inputs``320 Try to reduce the size of inputs while preserving their full feature sets;321 defaults to 1.322``-use_value_profile``323 Use `value profile`_ to guide corpus expansion; defaults to 0.324``-only_ascii``325 If 1, generate only ASCII (``isprint``+``isspace``) inputs. Defaults to 0.326``-artifact_prefix``327 Provide a prefix to use when saving fuzzing artifacts (crash, timeout, or328 slow inputs) as ``$(artifact_prefix)file``. Defaults to empty.329``-exact_artifact_path``330 Ignored if empty (the default). If non-empty, write the single artifact on331 failure (crash, timeout) as ``$(exact_artifact_path)``. This overrides332 ``-artifact_prefix`` and will not use checksum in the file name. Do not use333 the same path for several parallel processes.334``-print_pcs``335 If 1, print out newly covered PCs. Defaults to 0.336``-print_final_stats``337 If 1, print statistics at exit. Defaults to 0.338``-detect_leaks``339 If 1 (default) and if LeakSanitizer is enabled340 try to detect memory leaks during fuzzing (i.e. not only at shut down).341``-close_fd_mask``342 Indicate output streams to close at startup. Be careful, this will343 remove diagnostic output from target code (e.g. messages on assert failure).344 345 - 0 (default): close neither ``stdout`` nor ``stderr``346 - 1 : close ``stdout``347 - 2 : close ``stderr``348 - 3 : close both ``stdout`` and ``stderr``.349 350For the full list of flags run the fuzzer binary with ``-help=1``.351 352Output353======354 355During operation the fuzzer prints information to ``stderr``, for example::356 357 INFO: Running with entropic power schedule (0xFF, 100).358 INFO: Seed: 1434179311359 INFO: Loaded 1 modules (8 inline 8-bit counters): 8 [0x5f03d189be90, 0x5f03d189be98),360 INFO: Loaded 1 PC tables (8 PCs): 8 [0x5f03d189be98,0x5f03d189bf18),361 INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes362 INFO: A corpus is not provided, starting from an empty corpus363 #2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 31Mb364 #144 NEW cov: 3 ft: 3 corp: 2/2b lim: 4 exec/s: 0 rss: 31Mb L: 1/1 MS: 2 ChangeByte-ChangeByte-365 #157 NEW cov: 4 ft: 4 corp: 3/4b lim: 4 exec/s: 0 rss: 31Mb L: 2/2 MS: 3 CrossOver-ChangeBit-CrossOver-366 #1345 NEW cov: 5 ft: 5 corp: 4/8b lim: 14 exec/s: 0 rss: 32Mb L: 4/4 MS: 3 InsertByte-ChangeBit-CrossOver-367 #1696 NEW cov: 6 ft: 6 corp: 5/10b lim: 17 exec/s: 0 rss: 32Mb L: 2/4 MS: 1 EraseBytes-368 #1832 REDUCE cov: 6 ft: 6 corp: 5/9b lim: 17 exec/s: 0 rss: 32Mb L: 3/3 MS: 1 EraseBytes-369 ...370 371The early parts of the output include information about the fuzzer options and372configuration, including the current random seed (in the ``Seed:`` line; this373can be overridden with the ``-seed=N`` flag).374 375Further output lines have the form of an event code and statistics. The376possible event codes are:377 378``READ``379 The fuzzer has read in all of the provided input samples from the corpus380 directories.381``INITED``382 The fuzzer has completed initialization, which includes running each of383 the initial input samples through the code under test.384``NEW``385 The fuzzer has created a test input that covers new areas of the code386 under test. This input will be saved to the primary corpus directory.387``REDUCE``388 The fuzzer has found a better (smaller) input that triggers previously389 discovered features (set ``-reduce_inputs=0`` to disable).390``pulse``391 The fuzzer has generated 2\ :sup:`n` inputs (generated periodically to reassure392 the user that the fuzzer is still working).393``DONE``394 The fuzzer has completed operation because it has reached the specified395 iteration limit (``-runs``) or time limit (``-max_total_time``).396``RELOAD``397 The fuzzer is performing a periodic reload of inputs from the corpus398 directory; this allows it to discover any inputs discovered by other399 fuzzer processes (see `Parallel Fuzzing`_).400 401Each output line also reports the following statistics (when non-zero):402 403``cov:``404 Total number of code blocks or edges covered by executing the current corpus.405``ft:``406 libFuzzer uses different signals to evaluate the code coverage:407 edge coverage, edge counters, value profiles, indirect caller/callee pairs, etc.408 These signals combined are called *features* (`ft:`).409``corp:``410 Number of entries in the current in-memory test corpus and its size in bytes.411``lim:``412 Current limit on the length of new entries in the corpus. Increases over time413 until the max length (``-max_len``) is reached.414``exec/s:``415 Number of fuzzer iterations per second.416``rss:``417 Current memory consumption.418 419For ``NEW`` and ``REDUCE`` events, the output line also includes information420about the mutation operation that produced the new input:421 422``L:``423 Size of the new/reduced input in bytes and the size of the largest input424 in current in-memory test corpus.425``MS: <n> <operations>``426 Count and list of the mutation operations used to generate the input.427 428 429Examples430========431.. contents::432 :local:433 :depth: 1434 435Toy example436-----------437 438A simple function that does something interesting if it receives the input439"HI!"::440 441 cat << EOF > test_fuzzer.cc442 #include <stdint.h>443 #include <stddef.h>444 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {445 if (size > 0 && data[0] == 'H')446 if (size > 1 && data[1] == 'I')447 if (size > 2 && data[2] == '!')448 __builtin_trap();449 return 0;450 }451 EOF452 # Build test_fuzzer.cc with asan and link against libFuzzer.453 clang++ -fsanitize=address,fuzzer test_fuzzer.cc454 # Run the fuzzer with no corpus.455 ./a.out456 457You should get an error pretty quickly::458 459 INFO: Running with entropic power schedule (0xFF, 100).460 INFO: Seed: 1434179311461 INFO: Loaded 1 modules (8 inline 8-bit counters): 8 [0x5f03d189be90, 0x5f03d189be98),462 INFO: Loaded 1 PC tables (8 PCs): 8 [0x5f03d189be98,0x5f03d189bf18),463 INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes464 INFO: A corpus is not provided, starting from an empty corpus465 #2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 31Mb466 #144 NEW cov: 3 ft: 3 corp: 2/2b lim: 4 exec/s: 0 rss: 31Mb L: 1/1 MS: 2 ChangeByte-ChangeByte-467 #157 NEW cov: 4 ft: 4 corp: 3/4b lim: 4 exec/s: 0 rss: 31Mb L: 2/2 MS: 3 CrossOver-ChangeBit-CrossOver-468 #1345 NEW cov: 5 ft: 5 corp: 4/8b lim: 14 exec/s: 0 rss: 32Mb L: 4/4 MS: 3 InsertByte-ChangeBit-CrossOver-469 #1696 NEW cov: 6 ft: 6 corp: 5/10b lim: 17 exec/s: 0 rss: 32Mb L: 2/4 MS: 1 EraseBytes-470 #1832 REDUCE cov: 6 ft: 6 corp: 5/9b lim: 17 exec/s: 0 rss: 32Mb L: 3/3 MS: 1 EraseBytes-471 ==840148== ERROR: libFuzzer: deadly signal472 ...473 SUMMARY: libFuzzer: deadly signal474 MS: 2 CopyPart-ChangeByte-; base unit: dbee5f8c7a5da845446e75b4a5708e74428b520a475 0x48,0x49,0x21,476 HI!477 artifact_prefix='./'; Test unit written to ./crash-7a8dc3985d2a90fb6e62e94910fc11d31949c348478 Base64: SEkh479 480 481More examples482-------------483 484Examples of real-life fuzz targets and the bugs they find can be found485at http://tutorial.libfuzzer.info. Among other things you can learn how486to detect Heartbleed_ in one second.487 488 489Advanced features490=================491.. contents::492 :local:493 :depth: 1494 495Dictionaries496------------497LibFuzzer supports user-supplied dictionaries with input language keywords498or other interesting byte sequences (e.g. multi-byte magic values).499Use ``-dict=DICTIONARY_FILE``. For some input languages using a dictionary500may significantly improve the search speed.501The dictionary syntax is similar to that used by AFL_ for its ``-x`` option::502 503 # Lines starting with '#' and empty lines are ignored.504 505 # Adds "blah" (w/o quotes) to the dictionary.506 kw1="blah"507 # Use \\ for backslash and \" for quotes.508 kw2="\"ac\\dc\""509 # Use \xAB for hex values510 kw3="\xF7\xF8"511 # the name of the keyword followed by '=' may be omitted:512 "foo\x0Abar"513 514 515 516Tracing CMP instructions517------------------------518 519With an additional compiler flag ``-fsanitize-coverage=trace-cmp``520(on by default as part of ``-fsanitize=fuzzer``, see SanitizerCoverageTraceDataFlow_)521libFuzzer will intercept CMP instructions and guide mutations based522on the arguments of intercepted CMP instructions. This may slow down523the fuzzing but is very likely to improve the results.524 525Value Profile526-------------527 528With ``-fsanitize-coverage=trace-cmp`` (default with ``-fsanitize=fuzzer``)529and extra run-time flag ``-use_value_profile=1`` the fuzzer will530collect value profiles for the parameters of compare instructions531and treat some new values as new coverage.532 533The current implementation does roughly the following:534 535* The compiler instruments all CMP instructions with a callback that receives both CMP arguments.536* The callback computes `(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)` and uses this value to set a bit in a bitset.537* Every new observed bit in the bitset is treated as new coverage.538 539 540This feature has a potential to discover many interesting inputs,541but there are two downsides.542First, the extra instrumentation may bring up to 2x additional slowdown.543Second, the corpus may grow by several times.544 545Fuzzer-friendly build mode546---------------------------547Sometimes the code under test is not fuzzing-friendly. Examples:548 549 - The target code uses a PRNG seeded e.g. by system time and550 thus two consequent invocations may potentially execute different code paths551 even if the end result will be the same. This will cause a fuzzer to treat552 two similar inputs as significantly different and it will blow up the test corpus.553 E.g. libxml uses ``rand()`` inside its hash table.554 - The target code uses checksums to protect from invalid inputs.555 E.g. png checks CRC for every chunk.556 557In many cases it makes sense to build a special fuzzing-friendly build558with certain fuzzing-unfriendly features disabled. We propose to use a common build macro559for all such cases for consistency: ``FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION``.560 561.. code-block:: c++562 563 void MyInitPRNG() {564 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION565 // In fuzzing mode the behavior of the code should be deterministic.566 srand(0);567 #else568 srand(time(0));569 #endif570 }571 572 573 574AFL compatibility575-----------------576LibFuzzer can be used together with AFL_ on the same test corpus.577Both fuzzers expect the test corpus to reside in a directory, one file per input.578You can run both fuzzers on the same corpus, one after another:579 580.. code-block:: console581 582 ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@583 ./llvm-fuzz testcase_dir findings_dir # Will write new tests to testcase_dir584 585Periodically restart both fuzzers so that they can use each other's findings.586Currently, there is no simple way to run both fuzzing engines in parallel while sharing the same corpus dir.587 588You may also use AFL on your target function ``LLVMFuzzerTestOneInput``:589see an example `here <https://github.com/llvm/llvm-project/tree/main/compiler-rt/lib/fuzzer/afl>`__.590 591How good is my fuzzer?592----------------------593 594Once you implement your target function ``LLVMFuzzerTestOneInput`` and fuzz it to death,595you will want to know whether the function or the corpus can be improved further.596One easy to use metric is, of course, code coverage.597 598We recommend to use599`Clang Coverage <https://clang.llvm.org/docs/SourceBasedCodeCoverage.html>`_,600to visualize and study your code coverage601(`example <https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md#visualizing-coverage>`_).602 603 604User-supplied mutators605----------------------606 607LibFuzzer allows to use custom (user-supplied) mutators, see608`Structure-Aware Fuzzing <https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md>`_609for more details.610 611Startup initialization612----------------------613If the library being tested needs to be initialized, there are several options.614 615The simplest way is to have a statically initialized global object inside616`LLVMFuzzerTestOneInput` (or in global scope if that works for you):617 618.. code-block:: c++619 620 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {621 static bool Initialized = DoInitialization();622 ...623 624Alternatively, you may define an optional init function and it will receive625the program arguments that you can read and modify. Do this **only** if you626really need to access ``argv``/``argc``.627 628.. code-block:: c++629 630 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {631 ReadAndMaybeModify(argc, argv);632 return 0;633 }634 635Using libFuzzer as a library636----------------------------637If the code being fuzzed must provide its own `main`, it's possible to638invoke libFuzzer as a library. Be sure to pass ``-fsanitize=fuzzer-no-link``639during compilation, and link your binary against the no-main version of640libFuzzer. On Linux installations, this is typically located at:641 642.. code-block:: bash643 644 /usr/lib/<llvm-version>/lib/clang/<clang-version>/lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a645 646If building libFuzzer from source, this is located at the following path647in the build output directory:648 649.. code-block:: bash650 651 lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a652 653From here, the code can do whatever setup it requires, and when it's ready654to start fuzzing, it can call `LLVMFuzzerRunDriver`, passing in the program655arguments and a callback. This callback is invoked just like656`LLVMFuzzerTestOneInput`, and has the same signature.657 658.. code-block:: c++659 660 extern "C" int LLVMFuzzerRunDriver(int *argc, char ***argv,661 int (*UserCb)(const uint8_t *Data, size_t Size));662 663 664Rejecting unwanted inputs665-------------------------666 667It may be desirable to reject some inputs, i.e. to not add them to the corpus.668 669For example, when fuzzing an API consisting of parsing and other logic,670one may want to allow only those inputs into the corpus that parse successfully.671 672If the fuzz target returns -1 on a given input,673libFuzzer will not add that input top the corpus, regardless of what coverage674it triggers.675 676 677.. code-block:: c++678 679 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {680 if (auto *Obj = ParseMe(Data, Size)) {681 Obj->DoSomethingInteresting();682 return 0; // Accept. The input may be added to the corpus.683 }684 return -1; // Reject; The input will not be added to the corpus.685 }686 687Leaks688-----689 690Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect691memory leaks at the process shutdown.692For in-process fuzzing this is inconvenient693since the fuzzer needs to report a leak with a reproducer as soon as the leaky694mutation is found. However, running full leak detection after every mutation695is expensive.696 697By default (``-detect_leaks=1``) libFuzzer will count the number of698``malloc`` and ``free`` calls when executing every mutation.699If the numbers don't match (which by itself doesn't mean there is a leak)700libFuzzer will invoke the more expensive LeakSanitizer_701pass and if the actual leak is found, it will be reported with the reproducer702and the process will exit.703 704If your target has massive leaks and the leak detection is disabled705you will eventually run out of RAM (see the ``-rss_limit_mb`` flag).706 707 708Developing libFuzzer709====================710 711LibFuzzer is built as a part of LLVM project by default on macos and Linux.712Users of other operating systems can explicitly request compilation using713``-DCOMPILER_RT_BUILD_LIBFUZZER=ON`` flag.714Tests are run using ``check-fuzzer`` target from the build directory715which was configured with ``-DCOMPILER_RT_INCLUDE_TESTS=ON`` flag.716 717.. code-block:: console718 719 ninja check-fuzzer720 721 722FAQ723=========================724 725Q. Why doesn't libFuzzer use any of the LLVM support?726-----------------------------------------------------727 728There are two reasons.729 730First, we want this library to be used outside of the LLVM without users having to731build the rest of LLVM. This may sound unconvincing for many LLVM folks,732but in practice the need for building the whole LLVM frightens many potential733users -- and we want more users to use this code.734 735Second, there is a subtle technical reason not to rely on the rest of LLVM, or736any other large body of code (maybe not even STL). When coverage instrumentation737is enabled, it will also instrument the LLVM support code which will blow up the738coverage set of the process (since the fuzzer is in-process). In other words, by739using more external dependencies we will slow down the fuzzer while the main740reason for it to exist is extreme speed.741 742Q. Does libFuzzer Support Windows?743------------------------------------------------------------------------------------744 745Yes, libFuzzer now supports Windows. Initial support was added in r341082.746Any build of Clang 9 supports it. You can download a build of Clang for Windows747that has libFuzzer from748`LLVM Snapshot Builds <https://llvm.org/builds/>`_.749 750Using libFuzzer on Windows without ASAN is unsupported. Building fuzzers with the751``/MD`` (dynamic runtime library) compile option is unsupported. Support for these752may be added in the future. Linking fuzzers with the ``/INCREMENTAL`` link option753(or the ``/DEBUG`` option which implies it) is also unsupported.754 755Send any questions or comments to the mailing list: libfuzzer(#)googlegroups.com756 757Q. When libFuzzer is not a good solution for a problem?758---------------------------------------------------------759 760* If the test inputs are validated by the target library and the validator761 asserts/crashes on invalid inputs, in-process fuzzing is not applicable.762* Bugs in the target library may accumulate without being detected. E.g. a memory763 corruption that goes undetected at first and then leads to a crash while764 testing another input. This is why it is highly recommended to run this765 in-process fuzzer with all sanitizers to detect most bugs on the spot.766* It is harder to protect the in-process fuzzer from excessive memory767 consumption and infinite loops in the target library (still possible).768* The target library should not have significant global state that is not769 reset between the runs.770* Many interesting target libraries are not designed in a way that supports771 the in-process fuzzer interface (e.g. require a file path instead of a772 byte array).773* If a single test run takes a considerable fraction of a second (or774 more) the speed benefit from the in-process fuzzer is negligible.775* If the target library runs persistent threads (that outlive776 execution of one test) the fuzzing results will be unreliable.777 778Q. So, what exactly this Fuzzer is good for?779--------------------------------------------780 781This Fuzzer might be a good choice for testing libraries that have relatively782small inputs, each input takes < 10ms to run, and the library code is not expected783to crash on invalid inputs.784Examples: regular expression matchers, text or binary format parsers, compression,785network, crypto.786 787Q. LibFuzzer crashes on my complicated fuzz target (but works fine for me on smaller targets).788----------------------------------------------------------------------------------------------789 790Check if your fuzz target uses ``dlclose``.791Currently, libFuzzer doesn't support targets that call ``dlclose``,792this may be fixed in future.793 794 795Trophies796========797* Thousands of bugs found on OSS-Fuzz: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html798 799* GLIBC: https://sourceware.org/glibc/wiki/FuzzingLibc800 801* MUSL LIBC: `[1] <http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c>`__ `[2] <http://www.openwall.com/lists/oss-security/2015/03/30/3>`__802 803* `pugixml <https://github.com/zeux/pugixml/issues/39>`_804 805* PCRE: Search for "LLVM fuzzer" in http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup;806 also in `bugzilla <https://bugs.exim.org/buglist.cgi?bug_status=__all__&content=libfuzzer&no_redirect=1&order=Importance&product=PCRE&query_format=specific>`_807 808* `ICU <http://bugs.icu-project.org/trac/ticket/11838>`_809 810* `Freetype <https://savannah.nongnu.org/search/?words=LibFuzzer&type_of_search=bugs&Search=Search&exact=1#options>`_811 812* `Harfbuzz <https://github.com/behdad/harfbuzz/issues/139>`_813 814* `SQLite <http://www3.sqlite.org/cgi/src/info/088009efdd56160b>`_815 816* `Python <http://bugs.python.org/issue25388>`_817 818* OpenSSL/BoringSSL: `[1] <https://boringssl.googlesource.com/boringssl/+/cb852981cd61733a7a1ae4fd8755b7ff950e857d>`_ `[2] <https://openssl.org/news/secadv/20160301.txt>`_ `[3] <https://boringssl.googlesource.com/boringssl/+/2b07fa4b22198ac02e0cee8f37f3337c3dba91bc>`_ `[4] <https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64>`_ `[5] <https://github.com/openssl/openssl/pull/931/commits/dd5ac557f052cc2b7f718ac44a8cb7ac6f77dca8>`_ `[6] <https://github.com/openssl/openssl/pull/931/commits/19b5b9194071d1d84e38ac9a952e715afbc85a81>`_819 820* `Libxml2821 <https://bugzilla.gnome.org/buglist.cgi?bug_status=__all__&content=libFuzzer&list_id=68957&order=Importance&product=libxml2&query_format=specific>`_ and `[HT206167] <https://support.apple.com/en-gb/HT206167>`_ (CVE-2015-5312, CVE-2015-7500, CVE-2015-7942)822 823* `Linux Kernel's BPF verifier <https://github.com/iovisor/bpf-fuzzer>`_824 825* `Linux Kernel's Crypto code <https://www.spinics.net/lists/stable/msg199712.html>`_826 827* Capstone: `[1] <https://github.com/aquynh/capstone/issues/600>`__ `[2] <https://github.com/aquynh/capstone/commit/6b88d1d51eadf7175a8f8a11b690684443b11359>`__828 829* file:`[1] <http://bugs.gw.com/view.php?id=550>`__ `[2] <http://bugs.gw.com/view.php?id=551>`__ `[3] <http://bugs.gw.com/view.php?id=553>`__ `[4] <http://bugs.gw.com/view.php?id=554>`__830 831* Radare2: `[1] <https://github.com/revskills?tab=contributions&from=2016-04-09>`__832 833* gRPC: `[1] <https://github.com/grpc/grpc/pull/6071/commits/df04c1f7f6aec6e95722ec0b023a6b29b6ea871c>`__ `[2] <https://github.com/grpc/grpc/pull/6071/commits/22a3dfd95468daa0db7245a4e8e6679a52847579>`__ `[3] <https://github.com/grpc/grpc/pull/6071/commits/9cac2a12d9e181d130841092e9d40fa3309d7aa7>`__ `[4] <https://github.com/grpc/grpc/pull/6012/commits/82a91c91d01ce9b999c8821ed13515883468e203>`__ `[5] <https://github.com/grpc/grpc/pull/6202/commits/2e3e0039b30edaf89fb93bfb2c1d0909098519fa>`__ `[6] <https://github.com/grpc/grpc/pull/6106/files>`__834 835* WOFF2: `[1] <https://github.com/google/woff2/commit/a15a8ab>`__836 837* LLVM: `Clang <https://bugs.llvm.org/show_bug.cgi?id=23057>`_, `Clang-format <https://bugs.llvm.org/show_bug.cgi?id=23052>`_, `libc++ <https://bugs.llvm.org/show_bug.cgi?id=24411>`_, `llvm-as <https://bugs.llvm.org/show_bug.cgi?id=24639>`_, `Demangler <https://bugs.chromium.org/p/chromium/issues/detail?id=606626>`_, Disassembler: http://reviews.llvm.org/rL247405, http://reviews.llvm.org/rL247414, http://reviews.llvm.org/rL247416, http://reviews.llvm.org/rL247417, http://reviews.llvm.org/rL247420, http://reviews.llvm.org/rL247422.838 839* Tensorflow: `[1] <https://da-data.blogspot.com/2017/01/finding-bugs-in-tensorflow-with.html>`__840 841* Ffmpeg: `[1] <https://github.com/FFmpeg/FFmpeg/commit/c92f55847a3d9cd12db60bfcd0831ff7f089c37c>`__ `[2] <https://github.com/FFmpeg/FFmpeg/commit/25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16>`__ `[3] <https://github.com/FFmpeg/FFmpeg/commit/85d23e5cbc9ad6835eef870a5b4247de78febe56>`__ `[4] <https://github.com/FFmpeg/FFmpeg/commit/04bd1b38ee6b8df410d0ab8d4949546b6c4af26a>`__842 843* `Wireshark <https://bugs.wireshark.org/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=IN_PROGRESS&bug_status=INCOMPLETE&bug_status=RESOLVED&bug_status=VERIFIED&f0=OP&f1=OP&f2=product&f3=component&f4=alias&f5=short_desc&f7=content&f8=CP&f9=CP&j1=OR&o2=substring&o3=substring&o4=substring&o5=substring&o6=substring&o7=matches&order=bug_id%20DESC&query_format=advanced&v2=libfuzzer&v3=libfuzzer&v4=libfuzzer&v5=libfuzzer&v6=libfuzzer&v7=%22libfuzzer%22>`_844 845* `QEMU <https://researchcenter.paloaltonetworks.com/2017/09/unit42-palo-alto-networks-discovers-new-qemu-vulnerability/>`_846 847.. _pcre2: http://www.pcre.org/848.. _AFL: http://lcamtuf.coredump.cx/afl/849.. _Radamsa: https://github.com/aoh/radamsa850.. _SanitizerCoverage: https://clang.llvm.org/docs/SanitizerCoverage.html851.. _SanitizerCoverageTraceDataFlow: https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow852.. _AddressSanitizer: https://clang.llvm.org/docs/AddressSanitizer.html853.. _LeakSanitizer: https://clang.llvm.org/docs/LeakSanitizer.html854.. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed855.. _FuzzerInterface.h: https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/fuzzer/FuzzerInterface.h856.. _3.7.0: https://llvm.org/releases/3.7.0/docs/LibFuzzer.html857.. _building Clang from trunk: https://clang.llvm.org/get_started.html858.. _MemorySanitizer: https://clang.llvm.org/docs/MemorySanitizer.html859.. _UndefinedBehaviorSanitizer: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html860.. _`coverage counters`: https://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters861.. _`value profile`: #value-profile862.. _`caller-callee pairs`: https://clang.llvm.org/docs/SanitizerCoverage.html#caller-callee-coverage863.. _BoringSSL: https://boringssl.googlesource.com/boringssl/864.. _Centipede: https://github.com/google/centipede865 866