update README, nicer output from reducer
52
README.md
@@ -144,6 +144,58 @@ memory during a test, if that memory would not be freed on a test
|
||||
failure. This will leak memory and libFuzzer will run out of memory
|
||||
very quickly in each fuzzing session.
|
||||
|
||||
## Test case reduction
|
||||
|
||||
While tests generated by symbolic execution are likely to be highly
|
||||
concise already, fuzzer-generated tests may be much larger than they
|
||||
need to be.
|
||||
|
||||
DeepState provides a test case reducer to shrink tests intelligently,
|
||||
aware of the structure of a DeepState test. For example, if your
|
||||
executable is named `TestFileSystem` and the test you want to reduce
|
||||
is named `rmdirfail.test` you would use it like this:
|
||||
|
||||
```shell
|
||||
deepstate-reduce ./TestFileSystem rmdirfail.test minrmdirfail.test
|
||||
```
|
||||
|
||||
In many cases, this will result in finding a different failure or
|
||||
crash that allow smaller test cases, so you can also provide a string
|
||||
that controls which test outputs are considered valid reductions (by
|
||||
default, the reducer looks for any test that fails or crashes):
|
||||
|
||||
```shell
|
||||
deepstate-reduce ./TestFileSystem rmdirfail.test minrmdirfail.test "FATAL: /root/testfs/super.c(252)"
|
||||
```
|
||||
|
||||
The output will look something like:
|
||||
```shell
|
||||
ORIGINAL TEST HAS 119 BYTES
|
||||
LAST BYTE READ IS 123
|
||||
ONEOF REMOVAL REDUCED TEST TO 103 BYTES
|
||||
BYTE REDUCTION: BYTE 3 FROM 4 TO 0
|
||||
BYTE REDUCTION: BYTE 7 FROM 2 TO 1
|
||||
BYTE REDUCTION: BYTE 15 FROM 3 TO 2
|
||||
BYTE REDUCTION: BYTE 19 FROM 4 TO 0
|
||||
BYTE REDUCTION: BYTE 55 FROM 3 TO 1
|
||||
BYTE REDUCTION: BYTE 59 FROM 2 TO 0
|
||||
BYTE REDUCTION: BYTE 75 FROM 2 TO 0
|
||||
BYTE REDUCTION: BYTE 79 FROM 4 TO 0
|
||||
ONEOF REMOVAL REDUCED TEST TO 91 BYTES
|
||||
BYTE REDUCTION: BYTE 59 FROM 4 TO 0
|
||||
ONEOF REMOVAL REDUCED TEST TO 87 BYTES
|
||||
ONEOF REMOVAL REDUCED TEST TO 75 BYTES
|
||||
ONEOF REMOVAL REDUCED TEST TO 55 BYTES
|
||||
ONEOF REMOVAL REDUCED TEST TO 51 BYTES
|
||||
NO REDUCTIONS FOUND
|
||||
PADDING TEST WITH 5 ZEROS
|
||||
|
||||
WRITING REDUCED TEST TO minrmdirfail.test
|
||||
```
|
||||
|
||||
You can use `--which <testname>` to specify which test to
|
||||
run, as with the `--input_which_test` options to test replay.
|
||||
|
||||
## Fuzzing with AFL
|
||||
|
||||
DeepState can also be used with a file-based fuzzer (e.g. AFL). There
|
||||
|
||||
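Review bot: The paragraph introducing the optional fourth argument ("you can also provide a string that controls which test outputs are considered valid reductions") does not say how that string is matched against the test output, as a literal substring or as a regular expression. The example `"FATAL: /root/testfs/super.c(252)"` contains a dot and parentheses, which would match differently under a regex, so state the matching rule and escape the example if needed. Smaller points in the same hunk: the sample-output block is fenced as `shell` although it is program output, "crash that allow" should be "crash that allows", and the `LAST BYTE READ IS 123` and `PADDING TEST WITH 5 ZEROS` lines deserve a sentence of explanation, since a reader sees a 51-byte result grow again without being told why.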
@@ -127,7 +127,10 @@ def main():
|
||||
print "PADDING TEST WITH", (s[1] + 1) - len(currentTest), "ZEROS"
|
||||
padding = bytearray('\x00' * ((s[1] + 1) - len(currentTest)))
|
||||
currentTest = currentTest + padding
|
||||
|
||||
|
||||
print
|
||||
print "WRITING REDUCED TEST TO", out
|
||||
|
||||
with open(out, 'wb') as outf:
|
||||
outf.write(currentTest)
|
||||
|
||||
|
||||
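Review bot: The bare `print` ahead of `print "WRITING REDUCED TEST TO", out` produces the blank line only under Python 2; under Python 3 a bare `print` is a no-op expression and the neighbouring print statements are syntax errors. If the reducer is meant to outlive Python 2, add `from __future__ import print_function` and call `print()`. In the padding lines of the same hunk, `(s[1] + 1) - len(currentTest)` is evaluated twice, once for the message and once for the `bytearray`; assigning it to a local keeps the reported count and the actual padding from drifting apart.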