[libFuzzer] Docs: re-write the main page as per the tech writer feedback.

Bug: 539572 Change-Id: I6c3bfd3e8d3d5776eb9037e315a56d3c4a59651b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1717019Reviewed-by: Jonathan Metzman <metzman@chromium.org> Commit-Queue: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#681461}

[libFuzzer] Docs: re-write the main page as per the tech writer feedback.
Bug: 539572 Change-Id: I6c3bfd3e8d3d5776eb9037e315a56d3c4a59651b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1717019Reviewed-by: Jonathan Metzman <metzman@chromium.org> Commit-Queue: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#681461}
74aad913 · Max Moroz · Commit Bot · f87359ae · 74aad913 · 74aad913
Commit 74aad913 authored Jul 26, 2019 by Max Moroz Committed by Commit Bot Jul 26, 2019
5 changed files
--- a/testing/libfuzzer/AFL.md
+++ b/testing/libfuzzer/AFL.md
--- a/testing/libfuzzer/README.md
+++ b/testing/libfuzzer/README.md
-# libFuzzer in Chromium
+# Fuzzing in Chromium
-[go/libfuzzer-chromium](https://goto.google.com/libfuzzer-chromium) (Googler only)
+[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing) (Googler only)
-*** aside
+[Fuzzing] is a testing technique that feeds randomized inputs to a target code
-[Getting Started](getting_started.md)
+in an attempt to crash it. It's one of the most effective methods we have for
-| [Buildbot]
+finding security and stability issues ([go/fuzzing-success]).
-| [ClusterFuzz Stats]
-| [Cover Bug]
-***
-This directory contains integration between [libFuzzer] and Chromium.
+This documentation covers the in-process guided fuzzing approach employed by
-LibFuzzer is an in-process coverage-driven evolutionary fuzzing engine. It helps
+different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
-engineers to uncover potential security & stability problems.
+out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
+ClusterFuzz documentation.
-*** note
+[TOC]
-**Requirements:** libFuzzer in Chromium is supported with Linux, Chrome OS, Mac,
-and Windows.
-***
-## Integration Status
+## Getting Started
-Fuzzer tests are well-integrated with Chromium build system and distributed
+In Chromium, you can easily create and submit fuzz targets. The targets are
-ClusterFuzz fuzzing system. Cover bug: [crbug.com/539572].
+automatically discovered by buildbots, built with different fuzzing engines,
+then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.
-## Documentation
+Create your first fuzz target and submit it by stepping through our [Getting
+Started Guide].
-* [Getting Started Guide] walks you through all the steps necessary to create
+## Advanced Topics
-your fuzz target and submit it to ClusterFuzz.
-* [Efficient Fuzzer Guide] explains how to measure fuzz target effectiveness and
-ways to improve it.
-* [Guide to libprotobuf-mutator (LPM)] walks through the steps necessary to
-create a fuzz target that expects a protobuf as input (instead of a byte
-stream). In addition to fuzzing code that accepts protobufs, it can be used to
-fuzz code that requires multiple mutated inputs, or to generate inputs defined
-by a grammar.
-* [ClusterFuzz Integration] describes integration between ClusterFuzz and
-libFuzzer.
-* [Reproducing Bugs] describes how to reproduce bugs found by libFuzzer/AFL
-  and reported by ClusterFuzz.
-* [Fuzzing on Chrome OS] describes how to write fuzzers for the non-browser
-  parts of Chrome OS.
-* [AFL Integration] describes AFL's integration with Chromium and ClusterFuzz.
-* [Reference] contains detailed references for different integration parts.
-## Trophies
+* Improving fuzz target effectiveness: [Efficient Fuzzer Guide].
-* [ClusterFuzz Bugs] - issues found and automatically filed by ClusterFuzz.
+* Creating a fuzz target that expects a protobuf (instead of a byte steam) as
-* [Manual Bugs] - issues that were filed manually after running fuzz targets.
+  input: [Guide to libprotobuf-mutator (LPM)].
-* [Pdfium Bugs] - bugs found in pdfium by manual fuzzing.
-* [OSS Trophies] - bugs found with libFuzzer in open-source projects.
+  **Note**: you can also use LPM to fuzz code that needs multiple mutated
+  inputs, or to generate inputs defined by a grammar.
+* Reproducing bugs found by libFuzzer/AFL and reported by ClusterFuzz:
+  [Reproducing Bugs].
-## Blog Posts
+## Further Reading
-* [Guided in-process fuzzing of Chrome components].
-## Project Links
+* LibFuzzer's integration with Chromium and ClusterFuzz: [LibFuzzer
-* [libFuzzer Infrastructure Bugs]
+  Integration].
+* AFL's integration with Chromium and ClusterFuzz: [AFL Integration].
+* Detailed references for other integration parts: [Reference].
+* Writing fuzzers for the non-browser parts of Chrome OS: [Fuzzing on Chrome
+  OS].
-[Buildbot]: https://ci.chromium.org/p/chromium/g/chromium.fuzz/builders
+## Trophies
-[Cover Bug]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
+* Issues found with in-process fuzzing and automatically filed by ClusterFuzz:
-[Getting Started Guide]: getting_started.md
+  [ClusterFuzz Bugs].
+* Issues filed manually after running fuzz targets: [Manual Bugs].
+* Bugs found in PDFium by manual fuzzing: [PDFium Bugs].
+* Bugs found with libFuzzer in open-source projects: [OSS Trophies].
+## Other Links
+* [Guided in-process fuzzing of Chrome components] blog post.
+* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
+  libFuzzer.
+[AFL]: http://lcamtuf.coredump.cx/afl/
+[AFL Integration]: AFL_integration.md
+[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
+[ClusterFuzz]: https://clusterfuzz.com/
+[ClusterFuzz Bugs]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
+[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
 [Efficient Fuzzer Guide]: efficient_fuzzer.md
+[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
+[Fuzzing on Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md
+[Getting Started Guide]: getting_started.md
 [Guide to libprotobuf-mutator (LPM)]: libprotobuf-mutator.md
-[ClusterFuzz Integration]: clusterfuzz.md
+[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
-[Reproducing Bugs]: reproducing.md
-[Reference]: reference.md
-[AFL Integration]: AFL.md
-[ClusterFuzz Bugs]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label:Stability-LibFuzzer%20label:ClusterFuzz&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified
-[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
-[Pdfium Bugs]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
 [Manual Bugs]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
 [OSS Trophies]: http://llvm.org/docs/LibFuzzer.html#trophies
-[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
+[PDFium Bugs]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
+[Reference]: reference.md
+[Reproducing Bugs]: reproducing.md
 [crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
+[go/fuzzing-success]: https://goto.google.com/fuzzing-success
 [libFuzzer]: http://llvm.org/docs/LibFuzzer.html
-[libFuzzer Infrastructure Bugs]: https://bugs.chromium.org/p/chromium/issues/list?q=label:LibFuzzer-Infra
+[libFuzzer Integration]: libFuzzer_integration.md
-[Fuzzing on Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md
--- a/testing/libfuzzer/efficient_fuzzer.md
+++ b/testing/libfuzzer/efficient_fuzzer.md
@@ -292,8 +292,8 @@ there is no intended API to disable checksum verification, or when target code
 uses random generator that affects reproducibility of crashes.
 [AFL]: http://lcamtuf.coredump.cx/afl/
-[ClusterFuzz Corpus]: clusterfuzz.md#Corpus
+[ClusterFuzz Corpus]: libFuzzer_integration.md#Corpus
-[ClusterFuzz status]: clusterfuzz.md#Status-Links
+[ClusterFuzz status]: libFuzzer_integration.md#Status-Links
 [Corpus GCS Bucket]: https://console.cloud.google.com/storage/clusterfuzz-corpus/libfuzzer
 [issue 638836]: https://bugs.chromium.org/p/chromium/issues/detail?id=638836
 [coverage script]: https://cs.chromium.org/chromium/src/tools/code_coverage/coverage.py

--- a/testing/libfuzzer/getting_started.md
+++ b/testing/libfuzzer/getting_started.md
@@ -335,7 +335,7 @@ performance and for optimization hints.
 [Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html
-[ClusterFuzz status]: clusterfuzz.md#Status-Links
+[ClusterFuzz status]: libFuzzer_integration.md#Status-Links
 [Efficient Fuzzer Guide]: efficient_fuzzer.md
 [Fuzzer Dictionary]: efficient_fuzzer.md#Fuzzer-Dictionary
 [Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html

--- a/testing/libfuzzer/clusterfuzz.md
+++ b/testing/libfuzzer/clusterfuzz.md