From f59d0131cb6fc224aee0a0a92de1f04cdebe97c8 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sat, 7 May 2016 22:09:13 +0200 Subject: Add support for fuzzing with AFL Reviewed-by: Ben Laurie MR: #2740 --- fuzz/README.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'fuzz/README.md') diff --git a/fuzz/README.md b/fuzz/README.md index 9b6d7d7980..e9ec88b8c6 100644 --- a/fuzz/README.md +++ b/fuzz/README.md @@ -1,5 +1,8 @@ # I Can Haz Fuzz? +LibFuzzer +========= + Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html). Starting from a vanilla+OpenSSH server Ubuntu install. @@ -32,7 +35,10 @@ https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): Configure for fuzzing: - $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared + $ CC=clang ./config enable-fuzz-libfuzzer \ + --with-fuzzer-include=../../svn-work/Fuzzer \ + --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \ + enable-asan enable-ubsan no-shared $ sudo apt-get install make $ LDCMD=clang++ make -j $ fuzz/helper.py @@ -45,3 +51,20 @@ If you get a crash, you should find a corresponding input file in `fuzz/corpora/-crash/`. You can reproduce the crash with $ fuzz/ + +AFL +=== + +Configure for fuzzing: + + $ sudo apt-get install afl-clang + $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared + $ make + +Run one of the fuzzers: + + $ afl-fuzz fuzz/ -i fuzz/corpora/ -o fuzz/corpora//out + +Where `` is one of the executables in `fuzz/`. Most fuzzers do not +need any command line arguments, but, for example, `asn1` needs the name of a +data type. -- cgit v1.2.3
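Review bot: In the first hunk (`@@ -1,5 +1,8 @@`), the new `LibFuzzer` heading uses setext style (`=========`) directly under the file's existing ATX title `# I Can Haz Fuzz?`; mixing the two styles in one short README is inconsistent, and a setext `===` line is normally a level-1 heading, which makes `LibFuzzer` a sibling of the page title rather than a section under it. Use `## LibFuzzer` here (and `## AFL` in the third hunk) so the hierarchy matches the existing convention.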
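Review bot: In the second hunk (`@@ -32,7 +35,10 @@`), the new `--with-fuzzer-include=../../svn-work/Fuzzer` and `--with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer` values encode one particular checkout layout relative to the OpenSSL tree, but the surrounding text does not say that the reader must adjust them to where they actually checked out and built the Fuzzer library; as written, `./config` will fail for anyone with a different layout. Add a sentence stating that `--with-fuzzer-include` points at the Fuzzer source directory and `--with-fuzzer-lib` at the `libFuzzer` archive built from it, and that both paths are examples.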
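Review bot: In the third hunk (`@@ -45,3 +51,20 @@`), the `afl-fuzz` command line places the target executable (`fuzz/...`) before the `-i` and `-o` options; `afl-fuzz` parses its own options first and then takes the target command from the remaining arguments, so the target must come after the options, conventionally separated by `--` (the general shape is `afl-fuzz -i <indir> -o <outdir> -- <target> [target args]`, with the bracketed names being placeholders). Also, the last paragraph says `asn1` needs a data type name but does not show where that argument goes in the `afl-fuzz` line; a second example for `asn1` with its argument after the target would make this section complete.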