[dart/fuzzer] DartLibfuzzer README additions

More links, background, formatting

Change-Id: I5313cbbf30a6167a3533c9fd7a1fb4c31712cf49
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/100624
Reviewed-by: Ryan Macnak <rmacnak@google.com>
Commit-Queue: Aart Bik <ajcbik@google.com>
diff --git a/runtime/vm/libfuzzer/README.md b/runtime/vm/libfuzzer/README.md
index 8ef964f..f267aeb 100644
--- a/runtime/vm/libfuzzer/README.md
+++ b/runtime/vm/libfuzzer/README.md
@@ -2,23 +2,59 @@
 =============
 
 DartLibFuzzer is a fuzzing tool built with LibFuzzer, which
-is an in-process, coverage-guided, evolutionary fuzzing engine
-(https://llvm.org/docs/LibFuzzer.html). The tool consists of a
-collection of "target functions", each of which stresses a
-particular part of the Dart runtime and compiler.
+is an in-process, coverage-guided, evolutionary fuzzing engine.
+The DartLibFuzzer tool consists of a collection of "target
+functions", each of which stresses a particular part of the
+Dart runtime and compiler.
 
 How to build and run DartLibFuzzer
 ==================================
+
 Build the dart_libfuzzer binary as follows (first either export
 DART_USE_ASAN=1 or run ./tools/gn.py --mode=debug --asan):
 
-./tools/build.py --mode debug dart_libfuzzer
+  ./tools/build.py --mode debug dart_libfuzzer
 
 Then, to start a blank fuzzing session, run:
 
-dart_libfuzzer
+  dart_libfuzzer
 
 To start a fuzzing session with an initial corpus inside
 the directory CORPUS, run:
 
-dart_libfuzzer CORPUS
+  dart_libfuzzer CORPUS
+
+Background
+==========
+
+Although test suites are extremely useful to validate the correctness of a
+system and to ensure that no regressions occur, any test suite is necessarily
+finite in size and scope. Tests typically focus on validating particular
+features by means of code sequences most programmers would expect. Regression
+tests often use slightly less idiomatic code sequences, since they reflect
+problems that were not anticipated originally, but occurred “in the field”.
+Still, any test suite leaves the developer wondering whether undetected bugs
+and flaws still linger in the system.
+
+Over the years, fuzz testing has gained popularity as a testing technique for
+discovering such lingering bugs, including bugs that can bring down a system
+in an unexpected way. Fuzzing refers to feeding a large amount of random data
+as input to a system in an attempt to find bugs or make it crash.
+Generation-based fuzz testing constructs random, but properly formatted input
+data. Mutation-based fuzz testing applies small random changes to existing
+inputs in order to detect shortcomings in a system. Profile-guided or
+coverage-guided fuzz testing adds a direction to the way these random changes
+are applied. Multi-layered approaches generate random inputs that are
+subsequently mutated at various stages of execution.
+
+The randomness of fuzz testing implies that the size and scope of testing is
+no longer bounded. Every new run can potentially discover bugs and crashes
+that were hereto undetected.
+
+Links
+=====
+
+* [Dart bugs found with fuzzing](https://github.com/dart-lang/sdk/issues?utf8=%E2%9C%93&q=label%3Adartfuzz+)
+* [DartFuzz](https://github.com/dart-lang/sdk/tree/master/runtime/tools/dartfuzz)
+* [DartLibFuzzer](https://github.com/dart-lang/sdk/tree/master/runtime/vm/libfuzzer)
+* [LibFuzzer](https://llvm.org/docs/LibFuzzer.html)
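Review bot: the commands at `+  ./tools/build.py --mode debug dart_libfuzzer`, `+  dart_libfuzzer` and `+  dart_libfuzzer CORPUS` are indented by only two spaces, which Markdown renders as ordinary paragraph text rather than a code block; either indent them by four spaces or wrap each in a fenced block so the README shows them as commands. In the Background section, "that were hereto undetected" should read "hitherto undetected" (or simply "previously undetected").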