libFuzzer instructions for libxml2
==================================

Set compiler and options. Make sure to enable at least basic optimizations
to avoid excessive stack usage. Also enable some debug output to get
meaningful stack traces.

    export CC=clang
    export CFLAGS=" \
        -O1 -gline-tables-only \
        -fsanitize=fuzzer-no-link,address,undefined \
        -fno-sanitize-recover=all \
        -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"

Other options that can improve stack traces:

    -fno-omit-frame-pointer
    -fno-inline
    -fno-optimize-sibling-calls (disables tail call optimization)

Build libxml2 with instrumentation:

    ./configure --without-python
    make

Run fuzzers:

    make -C fuzz fuzz-xml

The environment variable XML_FUZZ_OPTIONS can be used to pass additional
flags to the fuzzer.

Malloc failure injection
------------------------

Most fuzzers inject malloc failures to cover code paths handling these
errors. This can lead to surprises when debugging crashes. You can set
the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target
abort at the malloc invocation which would fail. This tells you if
and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug
failures which aren't reported, it's helpful to enable
XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging
failures which are erroneously reported can be harder. If the report
goes through xmlRaiseMemoryError, you can abort() there to get a
stack trace.
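The injection and "is the failure reported" check described above, as an added stand-alone example that is not libxml2's fuzz/fuzz.c: a counter selects which allocation returns NULL, an abort switch plays the role of XML_FUZZ_MALLOC_ABORT, and a harness fails every allocation of a clean run in turn to find silent out-of-memory paths. The parser stand-in and all names are constructed for the example.

```c
/* Added example, not libxml2's fuzz/fuzz.c: a stand-alone model of malloc
 * failure injection. A counter picks the allocation that fails, and the
 * harness checks that every injected failure is reported. Names constructed. */
#include <stdlib.h>
#include <string.h>

static int fail_at = -1;        /* allocation index that should fail, -1 = none */
static int alloc_count = 0;     /* allocations seen so far in the current run */
static int abort_on_inject = 0; /* analogue of XML_FUZZ_MALLOC_ABORT */
/* Injecting allocator: returns NULL exactly once, at allocation fail_at. */
static void *inject_malloc(size_t size) {
    if (alloc_count++ == fail_at) {
        if (abort_on_inject)
            abort();        /* the stack trace shows where the failure was injected */
        return NULL;
    }
    return malloc(size);
}
/* Stand-in for a parser: allocates a list and one node per entry.
 * Returns 0 on success, -1 with *oom = 1 when an allocation failed. */
static int parse_model(int nodes, int *oom) {
    char **list = inject_malloc((size_t)nodes * sizeof(char *));
    int n, rc = 0;
    *oom = 0;
    if (list == NULL) { *oom = 1; return -1; }
    for (n = 0; n < nodes; n++) {
        list[n] = inject_malloc(8);
        if (list[n] == NULL) { *oom = 1; rc = -1; break; }
        memcpy(list[n], "node", 5);
    }
    while (n-- > 0) free(list[n]);  /* unwind what was allocated */
    free(list);
    return rc;
}
/* Harness: fail each allocation of a clean run in turn and count runs where
 * the failure was not reported (a silent OOM is a bug worth a stack trace). */
int check_oom_reporting(int nodes) {
    int bad = 0, idx, total, oom, rc;
    fail_at = -1; alloc_count = 0;
    parse_model(nodes, &oom);
    total = alloc_count;            /* allocations in a failure-free run */
    for (idx = 0; idx < total; idx++) {
        fail_at = idx; alloc_count = 0;
        rc = parse_model(nodes, &oom);
        if (rc != -1 || !oom) bad++;
    }
    fail_at = -1;
    return bad;
}
```

Setting abort_on_inject to 1 and running under a debugger reproduces the XML_FUZZ_MALLOC_ABORT workflow: the process stops at the injected failure instead of continuing into the error path.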