Continuing from the previous post; as before, this is tidied up from my gist.
libFuzzer is a project under LLVM:
LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.
Let's get our hands dirty.
Chromium fuzzing tutorial
ubuntu16.04:

```bash
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools" # use the absolute path
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium # downloads roughly 10 GB
cd src
./build/install-build-deps.sh # install dependencies
gclient runhooks # run the Chromium-specific hooks
```
Preparing to build

```bash
gn gen out/Default # generate the ninja files for the build
mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out
```

20 GB turned out to be too small: the build ran out of space, so remount with a larger size.
Build

```bash
autoninja -C out/Default chrome
```

On an 8-core, 8 GB machine the early part of the build compiles roughly one object per second, so it looks like it will take about 9 hours to finish, if you're lucky.
When the build finished, the out directory had grown to 49 GB.
Building the libFuzzer targets

```bash
$ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6
```
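A minimal libFuzzer target of the kind a fuzzer binary like v8_json_parser_fuzzer is built from, added here as an example written for this post (not code from the original gist, from LLVM or from Chromium). The record format and `parse_records` are hypothetical; libFuzzer supplies `main()` itself when you build with `clang -fsanitize=fuzzer,address`.

```c
// Added example for this post: a minimal libFuzzer target. Not code from the
// original gist or from Chromium; the record format and parser are hypothetical.
#include <stddef.h>
#include <stdint.h>

#define MAX_PAIRS 8
#define MAX_KEY   16
typedef struct { char key[MAX_KEY]; int64_t value; } pair_t;

// Toy code under test: parses "key=123;key2=45;" into out[]. Returns the number
// of pairs, or -1 on malformed input. The bounds checks are exactly what a
// coverage-guided fuzzer plus ASan would flag if they were missing.
int parse_records(const uint8_t *data, size_t size, pair_t *out, size_t max_out) {
  size_t i = 0, n = 0;
  while (i < size) {
    if (n >= max_out) return -1;               // table full but input continues
    size_t k = 0;
    while (i < size && data[i] != '=') {
      if (k + 1 >= MAX_KEY) return -1;         // key too long for the buffer
      out[n].key[k++] = (char)data[i++];
    }
    if (i >= size || k == 0) return -1;        // missing '=' or empty key
    out[n].key[k] = '\0';
    i++;                                       // skip '='
    int64_t v = 0;
    int digits = 0;
    while (i < size && data[i] >= '0' && data[i] <= '9') {
      if (digits++ >= 18) return -1;           // 18 digits always fit in int64_t
      v = v * 10 + (data[i++] - '0');
    }
    if (digits == 0 || i >= size || data[i] != ';') return -1;
    i++;                                       // skip ';'
    out[n++].value = v;
  }
  return (int)n;
}

// The libFuzzer entry point ("target function"): libFuzzer links its own main()
// and calls this once per mutated input. Keep it deterministic, never exit(),
// and return 0; any crash or sanitizer report is the finding.
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  pair_t pairs[MAX_PAIRS];
  parse_records(data, size, pairs, MAX_PAIRS);
  return 0;
}
```

Build with `clang -g -O1 -fsanitize=fuzzer,address harness.c -o harness` and run `./harness corpus_dir/ -dict=keys.dict -jobs=6 -workers=6`, the same flag style as the v8 run above; `harness.c`, `corpus_dir/` and `keys.dict` are placeholder names.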
ToDo
- gn usage
- ninja usage