author | Maxim Yurchuk <maxim-yurchuk@ydb.tech> | 2024-10-20 00:06:50 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-20 00:06:50 +0300 |
commit | e0b481c6710337ae655271bbb80afe6ac81a5614 (patch) | |
tree | dba67dc017935800d0c3f8dc967e9522c5302bd2 /contrib/libs/c-ares/FUZZING.md | |
parent | 07f2e60d02d95eab14a86a4b9469db1af7795001 (diff) | |
parent | f04ad7e5462f5910ef95f2efd15c509e539ae62d (diff) | |
download | ydb-e0b481c6710337ae655271bbb80afe6ac81a5614.tar.gz |
Merge pull request #10642 from ydb-platform/mergelibs-241019-1758
Library import 241019-1758
Diffstat (limited to 'contrib/libs/c-ares/FUZZING.md')
-rw-r--r-- | contrib/libs/c-ares/FUZZING.md | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/contrib/libs/c-ares/FUZZING.md b/contrib/libs/c-ares/FUZZING.md new file mode 100644 index 0000000000..1d6b354ec9 --- /dev/null +++ b/contrib/libs/c-ares/FUZZING.md 
@@ -0,0 +1,91 @@ +# Fuzzing Hints + +## LibFuzzer + +1. Set compiler that supports fuzzing, this is an example on MacOS using + a homebrew-installed clang/llvm: +``` +export CC="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang" +export CXX="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang++" +``` + +2. Compile c-ares with both ASAN and fuzzing support. We want an optimized + debug build so we will use `RelWithDebInfo`: +``` +export CFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" +export CXXFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" +export LDFLAGS="-fsanitize=address,fuzzer-no-link" +mkdir buildfuzz +cd buildfuzz +cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -G Ninja .. +ninja +``` + +3. Build the fuzz test itself linked against our fuzzing-enabled build: +``` +${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares +${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib -I. -o ares-test-fuzz-name ../test/ares-test-fuzz-name.c -L./lib -Wl,-rpath ./lib -lcares +``` + +4. Run the fuzzer, its better if you can provide seed input but it does pretty + well on its own since it uses coverage data to determine how to proceed. + You can play with other flags etc, like `-jobs=XX` for parallelism. See + https://llvm.org/docs/LibFuzzer.html +``` +mkdir corpus +cp ../test/fuzzinput/* corpus +./ares-test-fuzz -max_len=65535 corpus +``` +or +``` +mkdir corpus +cp ../test/fuzznames/* corpus +./ares-test-fuzz-name -max_len=1024 corpus +``` + + +## AFL + +To fuzz using AFL, follow the +[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt): + + - Download and build AFL. 
+ - Configure the c-ares library and test tool to use AFL's compiler wrappers: + + ```console + % export CC=$AFLDIR/afl-gcc + % ./configure --disable-shared && make + % cd test && ./configure && make aresfuzz aresfuzzname + ``` + + - Run the AFL fuzzer against the starting corpus: + + ```console + % mkdir fuzzoutput + % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz # OR + % $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname + ``` + +## AFL Persistent Mode + +If a recent version of Clang is available, AFL can use its built-in compiler +instrumentation; this configuration also allows the use of a (much) faster +persistent mode, where multiple fuzz inputs are run for each process invocation. + + - Download and build a recent AFL, and run `make` in the `llvm_mode` + subdirectory to ensure that `afl-clang-fast` gets built. + - Configure the c-ares library and test tool to use AFL's clang wrappers that + use compiler instrumentation: + + ```console + % export CC=$AFLDIR/afl-clang-fast + % ./configure --disable-shared && make + % cd test && ./configure && make aresfuzz + ``` + + - Run the AFL fuzzer (in persistent mode) against the starting corpus: + + ```console + % mkdir fuzzoutput + % $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz + ``` |
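Review bot: the two LibFuzzer run variants at the end of step 4 both do `mkdir corpus` and copy different seed sets (`../test/fuzzinput/*` and `../test/fuzznames/*`) into the same `corpus` directory, so a reader who runs the second block after the first gets an `mkdir` error on the existing directory and, if they skip it, ends up feeding one corpus mixed from both seed sets to whichever target they run; give each target its own directory, e.g. `corpus` for `ares-test-fuzz` and `corpus-names` for `ares-test-fuzz-name`. Two smaller points on the same hunk: step 1 hardcodes `/opt/homebrew/Cellar/llvm/18.1.8/bin/clang`, which breaks on the next Homebrew llvm version bump, so `$(brew --prefix llvm)/bin/clang` would be more durable; and the `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` define in step 2 deserves one sentence saying that, as the name states, anything built in `buildfuzz` with these flags is unsafe for production and must not be installed or shipped.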