[LPM] Improve docs

1. Remove disclaimer about LPM not having a track record. 2. More consistent line length. 3. Change `targeted_code` to `targeted_function` 4. Improve example for multiple inputs. 5. Fix link. 6. Improve wording. Change-Id: I8486c544773bbbd17dd12591ed1c602213275d98 Bug: 769578 Reviewed-on: https://chromium-review.googlesource.com/c/1394310Reviewed-by: Abhishek Arya <inferno@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Jonathan Metzman <metzman@chromium.org> Cr-Commit-Position: refs/heads/master@{#619674}

[LPM] Improve docs
1. Remove disclaimer about LPM not having a track record. 2. More consistent line length. 3. Change `targeted_code` to `targeted_function` 4. Improve example for multiple inputs. 5. Fix link. 6. Improve wording. Change-Id: I8486c544773bbbd17dd12591ed1c602213275d98 Bug: 769578 Reviewed-on: https://chromium-review.googlesource.com/c/1394310Reviewed-by: Abhishek Arya <inferno@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Jonathan Metzman <metzman@chromium.org> Cr-Commit-Position: refs/heads/master@{#619674}
9fddf38b · Jonathan Metzman · Commit Bot · 62c8441b · 9fddf38b
Commit 9fddf38b authored Jan 03, 2019 by Jonathan Metzman Committed by Commit Bot Jan 03, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 25 deletions

testing/libfuzzer/libprotobuf-mutator.md testing/libfuzzer/libprotobuf-mutator.md +24 -25

No files found.
--- a/testing/libfuzzer/libprotobuf-mutator.md
+++ b/testing/libfuzzer/libprotobuf-mutator.md
 # Getting Started with libprotobuf-mutator in Chromium

 *** note
-**Note:** libprotobuf-mutator (LPM) is new to Chromium and does not (yet) have a
-long track record of success. Also, writing grammar fuzzers with
-libprotobuf-mutator requires greater effort than writing fuzzers with libFuzzer
-alone. If you run into problems, send an email to [fuzzing@chromium.org] for
-help.
-
-**Prerequisites:** Knowledge of [libFuzzer in Chromium] and basic understanding of
-[Protocol Buffers].
+**Note:** Writing grammar fuzzers with libprotobuf-mutator requires greater
+effort than writing fuzzers with libFuzzer alone. If you run into problems, send
+an email to [fuzzing@chromium.org] for help.
+
+**Prerequisites:** Knowledge of [libFuzzer in Chromium] and basic understanding
+of [Protocol Buffers].
 ***

 This document will walk you through:
@@ -48,9 +46,9 @@ url_parse_proto_fuzzer.
 ## Write a fuzz target for code that accepts protobufs

 This is almost as easy as writing a standard libFuzzer-based fuzzer. You can
-look at [override_lite_runtime_plugin_test_fuzzer] for an example of a working example of
-this (don't copy the line adding "//testing/libfuzzer:no_clusterfuzz" to
-additional_configs). Or you can follow this walkthrough:
+look at [override_lite_runtime_plugin_test_fuzzer] for an example of a working
+example of this (don't copy the line adding "//testing/libfuzzer:no_clusterfuzz"
+to additional_configs). Or you can follow this walkthrough:

 Start by creating a fuzz target. This is what the .cc file will look like:

@@ -64,7 +62,7 @@ Start by creating a fuzz target. This is what the .cc file will look like:

 DEFINE_BINARY_PROTO_FUZZER(
  const my_proto::MyProtoMessage& my_proto_message) {
-  targeted_code(my_proto_message);
+  targeted_function(my_proto_message);
 }
 ```

@@ -167,14 +165,14 @@ DEFINE_BINARY_PROTO_FUZZER(const my_fuzzer::MyFormat& my_proto_format) {

    // You should provide a way to easily retreive the native input for
    // a given protobuf input. This is useful for debugging and for seeing
-    // the inputs that cause targeted_code to crash (which is the reason we are
-    // here!). Note how this is done before the targeted_code is called since we
-    // can't print after the program has crashed.
+    // the inputs that cause targeted_function to crash (which is the reason we
+    // are here!). Note how this is done before targeted_function is called
+    // since we can't print after the program has crashed.
    if (getenv("LPM_DUMP_NATIVE_INPUT"))
      std::cout << native_input << std::endl;

    // Now test your targeted code using the converted protobuf input.
-    targeted_code(native_input);
+    targeted_function(native_input);
 }
 ```

@@ -190,7 +188,7 @@ env variable is set. This will make it easy to retreive the actual input that
 causes the code to crash instead of the protobuf version of it (eg you can get
 the URL string that causes an input to crash rather than a protobuf). Since it
 is only a convention it is strongly recommended even though it isn't necessary.
-You don't need to do this if the native input of targeted_code is protobufs.
+You don't need to do this if the native input of targeted_function is protobufs.
 Beware that printing a newline can make the output invalid for some formats. In
 this case you should use `fflush(0)` since otherwise the program may crash
 before native_input is actually printed.
@@ -290,8 +288,8 @@ message FuzzerInput {

 ```

-In this example, the function we are fuzzing requires a `bool` and a `string` and
-takes an `int` as an optional argument. Let's define our fuzzer harness:
+In this example, the function we are fuzzing requires a `bool` and a `string`
+and takes an `int` as an optional argument. Let's define our fuzzer harness:

 ```c++
 // my_fuzzer.cc
@@ -304,9 +302,9 @@ takes an `int` as an optional argument. Let's define our fuzzer harness:
 DEFINE_BINARY_PROTO_FUZZER(
  const my_proto::FuzzerInput& fuzzer_input) {
  if (fuzzer_input.has_arg3())
-    targeted_code(fuzzer_input.arg1(), fuzzer_input.arg2(), fuzzer_input.arg3());
+    targeted_function_1(fuzzer_input.arg1(), fuzzer_input.arg2(), fuzzer_input.arg3());
  else
-    targeted_code(fuzzer_input.arg1(), fuzzer_input.arg2());
+    targeted_function_2(fuzzer_input.arg1(), fuzzer_input.arg2());
 }
 ```

@@ -345,9 +343,10 @@ fuzzer (with minor exceptions, like your seed corpus must be in protobuf
 format).

 ## General Tips
-* Check out some of the [existing proto fuzzers], as not only will they be helpful
-examples, but it is possible that your format is already defined or partially
-defined by an existing proto definition (if you are writing a grammar fuzzer).
+* Check out some of the [existing proto fuzzers]. Not only will they be helpful
+examples, it is possible that format you want to fuzz is already defined or
+partially defined by an existing proto definition (if you are writing a grammar
+fuzzer).

 * `DEFINE_TEXT_PROTO_FUZZER` can be used instead of `DEFINE_BINARY_PROTO_FUZZER`
 to have a corpus that is human readable and modifiable (ie: not in protobuf's
@@ -361,5 +360,5 @@ performance penalty, so it may be better to only use it during development.
 [this]: https://github.com/google/libprotobuf-mutator/tree/master/examples/libfuzzer/libfuzzer_example.cc
 [existing proto fuzzers]: https://cs.chromium.org/search/?q=DEFINE_(BINARY_%7CTEXT_)?PROTO_FUZZER+-file:src/third_party/libprotobuf-mutator/src/src/libfuzzer/libfuzzer_macro.h&sq=package:chromium&type=cs
 [here]: https://github.com/google/libprotobuf-mutator/blob/master/README.md#utf-8-strings
-[override_lite_runtime_plugin_test_fuzzer]: https://cs.chromium.org/chromium/src/third_party/libprotobuf-mutator/BUILD.gn?l=78
+[override_lite_runtime_plugin_test_fuzzer]: https://cs.chromium.org/#search&q=override_lite_runtime_plugin_test_fuzzer+file:%5Esrc/third_party/libprotobuf-mutator/BUILD.gn
 [mojo_parse_messages_proto_fuzzer]: https://cs.chromium.org/chromium/src/mojo/public/tools/fuzzers/mojo_parse_message_proto_fuzzer.cc?l=25