libFuzzer instructions for libxml2
==================================

Set compiler and options. Make sure to enable at least basic optimizations
to avoid excessive stack usage. Also enable some debug output to get
meaningful stack traces.

    export CC=clang
    export CFLAGS=" \
        -O1 -gline-tables-only \
        -fsanitize=fuzzer-no-link,address,undefined \
        -fno-sanitize-recover=all \
        -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"

Other options that can improve stack traces:

    -fno-omit-frame-pointer
    -fno-inline
    -fno-optimize-sibling-calls (disables tail call optimization)

Build libxml2 with instrumentation:

    ./configure --without-python
    make

Run fuzzers:

    make -C fuzz fuzz-xml

The environment variable XML_FUZZ_OPTIONS can be used to pass additional
flags to the fuzzer.

Malloc failure injection
------------------------

Most fuzzers inject malloc failures to cover code paths handling these
errors. This can lead to surprises when debugging crashes. You can set
the macro XML_FUZZ_MALLOC_ABORT in fuzz/fuzz.c to make the fuzz target
abort at the malloc invocation which would fail. This tells you if
and where a malloc failure was injected.

Some fuzzers also test whether malloc failures are reported. To debug
failures which aren't reported, it's helpful to enable
XML_FUZZ_MALLOC_ABORT to see which allocation failed. Debugging
failures which are erroneously reported can be harder. If the report
goes through xmlRaiseMemoryError, you can abort() there to get a
stack trace.
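As an added, self-contained illustration of the mechanism this section describes (not libxml2's own fuzz/fuzz.c): an injecting allocator with the XML_FUZZ_MALLOC_ABORT knob, a toy target that must report the failure, and the sweep a harness uses to find injected failures the target fails to report. The cumulative-byte limit, the function names and the toy target are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an injecting allocator: requests fail once the
 * cumulative bytes would exceed a limit (0 = no injection). */
static size_t fuzz_alloc_total, fuzz_alloc_limit;
static int fuzz_failure_injected;

void fuzz_mem_set_limit(size_t limit) {
    fuzz_alloc_total = 0; fuzz_alloc_limit = limit; fuzz_failure_injected = 0;
}
int fuzz_failure_was_injected(void) { return fuzz_failure_injected; }

/* With XML_FUZZ_MALLOC_ABORT defined, abort at the failing call so the
 * sanitizer trace names it; otherwise return NULL so error paths run. */
void *fuzz_malloc(size_t size) {
    if (fuzz_alloc_limit > 0 && fuzz_alloc_total + size > fuzz_alloc_limit) {
        fuzz_failure_injected = 1;
#ifdef XML_FUZZ_MALLOC_ABORT
        abort();
#endif
        return NULL;
    }
    fuzz_alloc_total += size;
    return malloc(size);
}

/* Toy target with two allocations: must return -1 (OOM reported) rather
 * than crash or claim success when either one fails. */
int target_parse(const char *input, size_t len) {
    char *buf = fuzz_malloc(len + 1), *copy;
    if (buf == NULL) return -1;
    memcpy(buf, input, len); buf[len] = '\0';
    copy = fuzz_malloc(len + 1);        /* second allocation may fail too */
    if (copy == NULL) { free(buf); return -1; }
    free(copy); free(buf);
    return 0;
}

/* Replay one input under every limit small enough to trigger an injection
 * and count runs where the target still reported success (0 = all good). */
int count_unreported_failures(const char *input, size_t len) {
    int unreported = 0;
    for (size_t limit = 1; limit < 2 * (len + 1); limit++) {
        fuzz_mem_set_limit(limit);
        if (target_parse(input, len) == 0 && fuzz_failure_was_injected())
            unreported++;
    }
    return unreported;
}
```

Compile with -DXML_FUZZ_MALLOC_ABORT and a crashing input reproduces as an abort inside fuzz_malloc, which is exactly the "if and where" information the macro is meant to give.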