Merge pull request #1081 from llzmb/docs_edit_readme_move_content_to_docs

Edit README.md and move content to docs/

1 files changed, 23 insertions, 0 deletions

diff --git a/docs/beyond_crashes.md b/docs/beyond_crashes.md
new file mode 100644
index 00000000..4836419c
--- /dev/null
+++ b/docs/beyond_crashes.md
@@ -0,0 +1,23 @@
+# Going beyond crashes
+
+Fuzzing is a wonderful and underutilized technique for discovering non-crashing
+design and implementation errors, too. Quite a few interesting bugs have been
+found by modifying the target programs to call abort() when say:
+
+  - Two bignum libraries produce different outputs when given the same
+    fuzzer-generated input,
+
+  - An image library produces different outputs when asked to decode the same
+    input image several times in a row,
+
+  - A serialization / deserialization library fails to produce stable outputs
+    when iteratively serializing and deserializing fuzzer-supplied data,
+
+  - A compression library produces an output inconsistent with the input file
+    when asked to compress and then decompress a particular blob.
+
+Implementing these or similar sanity checks usually takes very little time;
+if you are the maintainer of a particular package, you can make this code
+conditional with `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` (a flag also
+shared with libfuzzer and honggfuzz) or `#ifdef __AFL_COMPILER` (this one is
+just for AFL).
\ No newline at end of file