wget/fuzz/README.md

# Fuzzers

These are fuzzers designed for use with `libFuzzer` or `afl`. They can
be used to run on Google's OSS-Fuzz (https://github.com/google/oss-fuzz/).

The convention used here is that the initial values for each parser fuzzer
are taken from the $NAME.in directory.

Crash reproducers from OSS-Fuzz are put into $NAME.repro directory for
regression testing with top dir 'make check' or 'make check-valgrind'.


# Running a fuzzer using clang

Use the following commands on top dir:
```
export CC=clang
# address sanitizer:
#export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp"
export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"
# undefined sanitizer;
export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr -fno-sanitize-recover=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr -fsanitize=fuzzer-no-link"
export LIB_FUZZING_ENGINE="-lFuzzer  -lstdc++"
./configure --enable-fuzzing --without-metalink --without-zlib --disable-pcre --without-libuuid --enable-assert
make clean
make -j$(nproc)
cd fuzz

# run wget_options_fuzzer
UBSAN_OPTIONS=print_stacktrace=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer \
  ./run-clang.sh wget_options_fuzzer
```

If you see a crash, then a crash corpora is written that can be used for further
investigation. E.g.
```
==2410==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000004e90 at pc 0x00000049cf9c bp 0x7fffb5543f70 sp 0x7fffb5543720
...
Test unit written to ./crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
```

To reproduce the crash:
```
./wget_options_fuzzer < ./crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
```

You can also copy/move that file into wget_options_fuzzer.repro/
and re-build the project without fuzzing for a valgrind run, if you like that better.
Just a `./configure` and a `make check-valgrind` should reproduce it.


# Running a fuzzer using AFL

Use the following commands on top dir:

```
$ export LIB_FUZZING_ENGINE=""
$ CC=afl-clang-fast ./configure --enable-fuzzing
$ make -j$(nproc) clean all
$ cd fuzz
$ ./run-afl.sh wget_options_fuzzer
```

# Fuzz code coverage using the corpus directories *.in/

Code coverage reports currently work best with gcc+lcov+genhtml.

In the top directory:
```
CC=gcc CFLAGS="-O0 -g" ./configure
make fuzz-coverage
xdg-open lcov/index.html
```

To work on corpora for better coverage, `cd fuzz` and use e.g.
`./view-coverage.sh wget_options_fuzzer`.


# Creating wget_options_fuzzer.dict

```
for i in `../src/wget --help|tr ' ' '\n'|grep ^--|cut -c 3-|sort`;do echo \"$i\"; done >wget_options_fuzzer.dict
```
Add OSS-Fuzz infrastruture * Makefile.am: Add fuzz/ to SUBDIRS * cfg.mk: Fix 'make syntax-check' * configure.ac: Add --enable-fuzzing * fuzz/Makefile.am: New file * fuzz/README.md: New file * fuzz/fuzzer.h: New file * fuzz/get_all_corpora: New file * fuzz/get_ossfuzz_corpora: New file * fuzz/glob_crash.c: New file * fuzz/main.c: New file * fuzz/run-afl.sh: New file * fuzz/run-clang.sh: New file * fuzz/view-coverage.sh: New file * fuzz/wget_options_fuzzer.c: New file * fuzz/wget_options_fuzzer.dict: New file * src/init.c (cleanup): Free more resources * src/main.c (init_switches): Initialize only once, (print_usage): Don't print if TESTING is defined * src/utils.h: Include wget.h 2018-02-09 15:00:07 +08:00			`# Fuzzers`

			These are fuzzers designed for use with `libFuzzer` or `afl`. They can
			`be used to run on Google's OSS-Fuzz (https://github.com/google/oss-fuzz/).`

			`The convention used here is that the initial values for each parser fuzzer`
			`are taken from the $NAME.in directory.`

			`Crash reproducers from OSS-Fuzz are put into $NAME.repro directory for`
			`regression testing with top dir 'make check' or 'make check-valgrind'.`


			`# Running a fuzzer using clang`

			`Use the following commands on top dir:`
			```
* fuzz/README.md: Update clang instructions 2019-12-11 18:54:11 +08:00			`export CC=clang`
* fuzz/README.md: Add CFLAGS for undefined sanitizer 2018-04-24 17:30:06 +08:00			`# address sanitizer:`
* fuzz/README.md: Update clang instructions 2019-12-11 18:54:11 +08:00			`#export CFLAGS="-O1 -g -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined,integer,nullability -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp"`
			`export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=undefined -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link"`
* fuzz/README.md: Add CFLAGS for undefined sanitizer 2018-04-24 17:30:06 +08:00			`# undefined sanitizer;`
			`export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr -fno-sanitize-recover=bool,array-bounds,float-divide-by-zero,function,integer-divide-by-zero,return,shift,signed-integer-overflow,vla-bound,vptr -fsanitize=fuzzer-no-link"`
Switch fuzzing build from C++ to C * Makefile.am (oss-fuzz): Build with $CC instead of $CXX. * README.md: Remove CXX and CXXFLAGS exports. 2021-12-22 02:16:47 +08:00			`export LIB_FUZZING_ENGINE="-lFuzzer -lstdc++"`
* fuzz/README.md: Add --enable-assert to fuzzing build 2019-12-12 22:39:41 +08:00			`./configure --enable-fuzzing --without-metalink --without-zlib --disable-pcre --without-libuuid --enable-assert`
Add OSS-Fuzz infrastruture * Makefile.am: Add fuzz/ to SUBDIRS * cfg.mk: Fix 'make syntax-check' * configure.ac: Add --enable-fuzzing * fuzz/Makefile.am: New file * fuzz/README.md: New file * fuzz/fuzzer.h: New file * fuzz/get_all_corpora: New file * fuzz/get_ossfuzz_corpora: New file * fuzz/glob_crash.c: New file * fuzz/main.c: New file * fuzz/run-afl.sh: New file * fuzz/run-clang.sh: New file * fuzz/view-coverage.sh: New file * fuzz/wget_options_fuzzer.c: New file * fuzz/wget_options_fuzzer.dict: New file * src/init.c (cleanup): Free more resources * src/main.c (init_switches): Initialize only once, (print_usage): Don't print if TESTING is defined * src/utils.h: Include wget.h 2018-02-09 15:00:07 +08:00			`make clean`
			`make -j$(nproc)`
			`cd fuzz`

			`# run wget_options_fuzzer`
* fuzz/README.md: Update clang instructions 2019-12-11 18:54:11 +08:00			`UBSAN_OPTIONS=print_stacktrace=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer \`
Add OSS-Fuzz infrastruture * Makefile.am: Add fuzz/ to SUBDIRS * cfg.mk: Fix 'make syntax-check' * configure.ac: Add --enable-fuzzing * fuzz/Makefile.am: New file * fuzz/README.md: New file * fuzz/fuzzer.h: New file * fuzz/get_all_corpora: New file * fuzz/get_ossfuzz_corpora: New file * fuzz/glob_crash.c: New file * fuzz/main.c: New file * fuzz/run-afl.sh: New file * fuzz/run-clang.sh: New file * fuzz/view-coverage.sh: New file * fuzz/wget_options_fuzzer.c: New file * fuzz/wget_options_fuzzer.dict: New file * src/init.c (cleanup): Free more resources * src/main.c (init_switches): Initialize only once, (print_usage): Don't print if TESTING is defined * src/utils.h: Include wget.h 2018-02-09 15:00:07 +08:00			`./run-clang.sh wget_options_fuzzer`
			```

			`If you see a crash, then a crash corpora is written that can be used for further`
			`investigation. E.g.`
			```
			`==2410==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000004e90 at pc 0x00000049cf9c bp 0x7fffb5543f70 sp 0x7fffb5543720`
			`...`
			`Test unit written to ./crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
			```

			`To reproduce the crash:`
			```
			`./wget_options_fuzzer < ./crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc`
			```

			`You can also copy/move that file into wget_options_fuzzer.repro/`
			`and re-build the project without fuzzing for a valgrind run, if you like that better.`
			Just a `./configure` and a `make check-valgrind` should reproduce it.


			`# Running a fuzzer using AFL`

			`Use the following commands on top dir:`

			```
			`$ export LIB_FUZZING_ENGINE=""`
			`$ CC=afl-clang-fast ./configure --enable-fuzzing`
			`$ make -j$(nproc) clean all`
			`$ cd fuzz`
			`$ ./run-afl.sh wget_options_fuzzer`
			```

			`# Fuzz code coverage using the corpus directories *.in/`

			`Code coverage reports currently work best with gcc+lcov+genhtml.`

			`In the top directory:`
			```
			`CC=gcc CFLAGS="-O0 -g" ./configure`
			`make fuzz-coverage`
			`xdg-open lcov/index.html`
			```

			To work on corpora for better coverage, `cd fuzz` and use e.g.
			`./view-coverage.sh wget_options_fuzzer`.


			`# Creating wget_options_fuzzer.dict`

			```
			for i in `../src/wget --help\|tr ' ' '\n'\|grep ^--\|cut -c 3-\|sort`;do echo \"$i\"; done >wget_options_fuzzer.dict
			```