Improve documentation (#381)

This commit expands the project documentation to cover:

* New AFL++ integration support
* grammarinator-decode functionality in the C++ backend
* Overview of key features
* libFuzzer CLI parameter reference
* Updated WeightedModel documentation
* Full list and descriptions of mutation/recombination operators ("creators")
* CLI options for controlling operator selection
  (--allowlist, --blocklist) and memoization behavior
  (--memo-size, --unique-attempts)

Author: renatahodovan

README.rst

@@ -22,12 +22,55 @@ grammar-based approach is to leverage the large variety of publicly
 available `ANTLR v4 grammars`_. It includes both a Python-based and a
 high-performance C++ backend for generation.
 
-The `trophy page`_ of the found issues is available from the wiki.
-
 .. _ANTLR: http://www.antlr.org
 .. _`ANTLR v4 grammars`: https://github.com/antlr/grammars-v4
 .. _`trophy page`: https://github.com/renatahodovan/grammarinator/wiki
 
++--------------------------------------------------------------------------+
+| **TL;DR - KEY FEATURES**                                                 |
++--------------------------------------------------------------------------+
+| *Quick overview of the most important capabilities*                      |
++==========================================================================+
+|                                                                          |
+| * **Generate** test cases from scratch based on `ANTLR v4 grammars`_ or  |
+|   **mutate/recombine** existing test cases after they have been parsed.  |
+|                                                                          |
+| * Beside blackbox test generation, supports guided fuzzing through       |
+|   native integration with `libFuzzer`_ and `AFL++`_.                     |
+|                                                                          |
+|   * The AFL++ integration also enables **grammar-aware test case         |
+|     minimization** via the ``afl-tmin`` utility.                         |
+|                                                                          |
+| * **Grammar-aware mutation and recombination** without slowing down the  |
+|   fuzzing with parsing (using pre-parsed input seeds).                   |
+|                                                                          |
+| * Fine-grained **probabilistic generation control** via inline grammar   |
+|   weights or external JSON-based weight configurations (for alternatives |
+|   and quantifiers).                                                      |
+|                                                                          |
+| * Support for inline **semantic predicates** in grammars to dynamically  |
+|   enable or disable grammar alternatives during generation.              |
+|                                                                          |
+| * Multiple **size-control strategies**, including maximum recursion depth|
+|   and maximum token count limits.                                        |
+|                                                                          |
+| * Built-in **caching** to filter out duplicate generated inputs.         |
+|                                                                          |
+| * Both **grammar-aware and grammar-unaware mutators**, with selective    |
+|   enablement and disabling support.                                      |
+|                                                                          |
+| * Extensible **serialization** pipeline with custom serializers for      |
+|   formatting tree-based outputs into concrete test inputs.               |
+|                                                                          |
+| * Advanced customization hooks:                                          |
+|                                                                          |
+|   * **custom models** for programmatic decision guidance                 |
+|   * **custom listeners** for information collection during generation    |
+|   * **custom transformers** for post-generation tree transformations     |
++--------------------------------------------------------------------------+
+
+.. _libFuzzer: https://llvm.org/docs/LibFuzzer.html
+.. _AFL++: https://aflplus.plus
 
 Requirements
 ============

docs/guide/aflpp_integration.rst

@@ -0,0 +1,147 @@
+.. _aflpp integration:
+
+=================
+AFL++ Integration
+=================
+
+The C++ backend of *Grammarinator* provides seamless integration with
+AFL++ via its custom mutator interface. This allows *Grammarinator*
+to be used not only as a blackbox test case generator, but also as an
+**in-process input synthesizer**, where its internal derivation trees are
+evolved and mutated during fuzzing runs. The mutator operates on serialized
+``.grt*`` trees and performs grammar-aware transformations based on the compiled
+ANTLR grammar.
+
+Overview
+--------
+
+The integration uses the AFL++ custom mutator API `custom mutator hooks`_.
+AFL++ loads a shared library implementing these hooks and delegates mutation
+and related workflow operations to Grammarinator.
+
+This enables grammar-aware, structure-preserving mutation and recombination
+of test cases at runtime -- improving coverage and syntactic correctness
+compared to purely byte-level fuzzing.
+
+.. _`custom mutator hooks`: https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/custom_mutators.md
+
+Building the AFL++-Compatible Mutator
+-------------------------------------
+
+To enable this integration in a real AFL++ fuzzing setup, a specialized
+shared library must be generated from the C++ generator class produced by
+:ref:`grammarinator-process<grammarinator-process>`. This can be compiled
+by the :ref:`the build script<cpp_compilation>` using the ``--grafl`` flag
+(short for *grammarinator-afl*).
+
+Example using the `HTML grammar`_::
+
+    python3 grammarinator-cxx/dev/build.py --clean \
+        --generator HTMLGenerator \
+        --includedir <dir-to-HTMLGenerator> \
+        --afl-includedir <AFLplusplus-root>/include \
+        --serializer SimpleSpaceSerializer \
+        --grafl
+
+This command produces a shared library::
+
+    grammarinator-cxx/build/lib/libgrafl-html.so
+
+AFL++ will load this ``.so`` as the custom mutator library through the
+``AFL_CUSTOM_MUTATOR_LIBRARY`` environment variable.
+
+Test inputs are expected to be encoded as ``.grt*`` trees
+(e.g., FlatBuffer-encoded). During fuzzing, mutations will occur in a
+**grammar-aware** manner, resulting in:
+
+- higher syntactic validity of inputs,
+- better exploration of the structured input space,
+- and potentially deeper semantic bugs found in the target.
+
+Note that only ``.grt*``-style inputs (e.g., ``.grtf`` for FlatBuffer-encoded
+trees) are supported by the AFL++ integration.
+
+Fuzzing Configuration
+---------------------
+
+Unlike the :ref:`grammarinator-generate<grammarinator-generate>` utility, the
+AFL++ custom mutator integration cannot be configured through command-line
+arguments. Instead, the behavior of the mutator can be controlled via
+environment variables prefixed with ``GRAFL_``.
+
+The following options are currently supported:
+
+* **GRAFL_MAX_DEPTH**: Equivalent to ``--max-depth`` (integer)
+* **GRAFL_MAX_TOKENS**: Equivalent to ``--max-tokens`` (integer)
+* **GRAFL_MEMO_SIZE**: Equivalent to ``--memo-size`` (integer)
+* **GRAFL_RANDOM_MUTATORS**: Enables random mutators;  inverse of
+  ``--disable-random-mutators`` (boolean; accepts ``1``, ``true``, or ``yes``
+  case-insensitively)
+* **GRAFL_WEIGHTS**: Equivalent to ``--weights`` (path to a JSON file)
+* **GRAFL_MAX_TRIM_STEPS**: Maximum number of mutation steps performed during
+  trimming of a single test input (integer)
+
+Verifying the Setup
+-------------------
+
+To run a fuzzing session with AFL++ equipped with Grammarinator, a compiler
+wrapper (e.g., ``afl-clang-fast``) and the ``afl-fuzz`` utility must first be
+obtained. Both can be installed or built with following the instruction in the
+official `AFL++ documentation`_.
+
+Once the target application is compiled with the AFL++ compiler wrapper, the
+required instrumentation is automatically injected into the binary. This
+instrumentation is later used by ``afl-fuzz`` to guide the fuzzing process.
+
+Next, select or create a grammar that describes the expected input format (e.g.,
+`HTML grammar`_), then :ref:`build<cpp_compilation>` the required binaries with
+``--grafl``, and optionally also with ``--generate`` and ``--decode`` flags.
+
+The next step is to prepare an initial tree corpus that serves as the starting
+point for the fuzzing session. One option is to generate this corpus from
+scratch using the :ref:`grammarinator-generate<grammarinator-generate>`
+utility. For example::
+
+    grammarinator-generate-html \
+        -n 100 \
+        -o html-src/%d.html \
+        --population html-trees/ \
+        --keep-trees
+
+Alternatively, an initial tree corpus can be created by converting existing
+source files (e.g., HTML documents) into tree format using the
+:ref:`grammarinator-parse<grammarinator-parse>` utility. For example::
+
+    grammarinator-parse html-src \
+        -o html-trees \
+        -g HTMLLexer.g4 HTMLParser.g4 \
+        --tree-format flatbuffers
+
+To test the integration, run AFL++ in custom-mutator-only mode and point it to
+the generated shared library::
+
+    AFL_CUSTOM_MUTATOR_ONLY=1 \
+    AFL_CUSTOM_MUTATOR_LIBRARY=grammarinator-cxx/build/lib/libgrafl-html.so \
+    afl-fuzz -i html-trees -o outdir -- ./target_app @@
+
+Setting ``AFL_CUSTOM_MUTATOR_ONLY=1`` is **mandatory**. Without this flag,
+AFL++ would apply its built-in byte-level mutators to the test cases, which
+would corrupt the encoded tree representation used by Grammarinator.
+
+**Note 1:** When using AFL++ with Grammarinator integration, both the input
+and output corpora must be in tree format. Therefore, any existing input corpus
+must first be converted into trees using the
+:ref:`grammarinator-parse<grammarinator-parse>` utility. After the fuzzing
+session, the resulting tree corpus can be converted back into source-level test
+cases using the :ref:`grammarinator-decode<grammarinator-decode-cpp>` utility.
+
+**Note 2:** The items of a tree corpus can be minimized using the ``afl-tmin``
+tool in a grammar-aware manner by providing the appropriate custom
+mutator-related environment variables. For example::
+
+    AFL_CUSTOM_MUTATOR_ONLY=1 \
+    AFL_CUSTOM_MUTATOR_LIBRARY=grammarinator-cxx/build/lib/libgrafl-html.so \
+    afl-tmin -i html-trees -o html-trimmed -e -- ./target_app @@
+
+.. _AFL++ documentation: https://aflplus.plus/docs/install/
+.. _`HTML grammar`: https://github.com/antlr/grammars-v4/tree/master/html

docs/guide/fuzzer_building.rst

@@ -20,6 +20,8 @@ The following sections describe each step in detail.
 Generator Creation from ANTLR Grammar
 -------------------------------------
 
+.. _grammarinator-process:
+
 In both Python and C++ backends, the first step is to convert the ANTLR grammar
 into a generator class. This generator encapsulates the logic for producing
 derivation trees from the grammar rules.
@@ -34,7 +36,8 @@ header-only C++ file (e.g., ``HTMLGenerator.hpp``). While this class does not
 yet have dedicated API documentation, it mirrors the structure and behavior of
 the Python generator and is used by the compiled fuzzing tools
 (e.g., the ``grammarinator-generate-html`` binary and
-:ref:`libFuzzer integration<libfuzzer integration>`).
+:ref:`libFuzzer integration<libfuzzer integration>` or
+:ref:`AFL++ integration<aflpp integration>`).
 
 The generator class -- whether Python or C++ -- is automatically produced by
 the ``grammarinator-process`` command line utility. This tool loads and
@@ -125,7 +128,7 @@ For example, if using a custom serializer and transformer, your config file
 
 Depending on the build flags, the following outputs may be generated:
 
-- With ``--tools``:
+- With ``--generate``:
 
   - ``grammarinator-generate-<name>``: standalone blackbox generator
 
@@ -135,10 +138,20 @@ Depending on the build flags, the following outputs may be generated:
     ``LLVMFuzzerCustomMutator`` or ``LLVMFuzzerCustomCrossover`` (useful for
     :ref:`libFuzzer integration<libfuzzer integration>`)
 
+- With ``--grafl``:
+
+  - ``libgafl-<name>.so``: shared library to define various hooks for
+    :ref:`AFL++ integration<aflpp integration>`
+
 - With ``--fuzznull``:
 
   - ``fuzznull-<name>``: dummy libFuzzer binary for integration testing
 
+- With ``--decode``:
+
+  - ``grammarinator-decode-<name>``: standalone tool to convert tests from
+    tree to source format with the chosen serializer
+
 All outputs are written to the ``build/<Release|Debug>/bin`` and
 ``build/<Release|Debug>/lib`` directories.
 

docs/guide/libfuzzer_integration.rst

@@ -59,6 +59,27 @@ mutator. Test inputs are expected to be serialized ``.grt*`` trees
 Note that only ``.grt*``-style inputs (e.g., ``.grtf`` for FlatBuffer-encoded
 trees) are supported by the libFuzzer integration.
 
+Fuzzing Configuration
+---------------------
+
+The libFuzzer mutator integration can be configured through command-line
+options, similarly to :ref:`grammarinator-generate<grammarinator-generate>`.
+These arguments **must** be passed after the ``-ignore_remaining_args=1`` flag,
+so that libFuzzer forwards them to Grammarinator.
+
+The following options are supported:
+
+* **-max_depth**: Equivalent to ``--max-depth`` (integer)
+* **-max_tokens**: Equivalent to ``--max-tokens`` (integer)
+* **-memo_size**: Equivalent to ``--memo-size`` (integer)
+* **-random_mutators**: Enable random mutators; equivalent to the
+  inverse of ``--disable-random-mutators`` (0 or 1)
+* **-weights**: Equivalent to ``--weights`` (path to a JSON file)
+* **-allowlist**: Equivalent to ``--allowlist`` (comma-separated list of
+  enabled creators)
+* **-blocklist**: Equivalent to ``--blocklist`` (comma-separated list of
+  disabled creators)
+
 Verifying the Setup
 -------------------
 
@@ -74,5 +95,12 @@ This will create a ``fuzznull-html`` binary under
 ``grammarinator-cxx/build/Release/bin/``, which can be invoked directly to
 verify the setup and test input processing.
 
-Note: clang++ must be used in this case, since other compilers don't support
-libFuzzer.
+**Note 1:** clang++ must be used in this case, since other compilers don't
+support libFuzzer.
+
+**Note 2:** When using LibFuzzer with Grammarinator integration, both the input
+and output corpora must be in tree format. Therefore, any existing input corpus
+must first be converted into trees using the
+:ref:`grammarinator-parse<grammarinator-parse>` utility. After the fuzzing
+session, the resulting tree corpus can be converted back into source-level test
+cases using the :ref:`grammarinator-decode<grammarinator-decode-cpp>` utility.

docs/guide/models.rst

@@ -108,10 +108,12 @@ models are:
 
   3. :class:`grammarinator.runtime.WeightedModel`: This model modifies the
      behavior of another model by adjusting (pre-multiplying) the weights of
-     alternatives. By default, the multiplier of each alternative starts from 1,
-     unless custom values are assigned to specific alternatives. This assignment
-     can happen through the constructor of WeightedModel (when using the API)
-     or with the ``--weigths`` CLI option of the
+     alternatives and by setting the probability of repeating a quantified
+     subexpression. By default, the multiplier of each alternative starts from
+     1 and the probability of each quantifier is 0.5, unless custom values are
+     assigned to specific alternatives or quantifiers. This assignment can
+     happen through the constructor of WeightedModel (when using the API) or
+     with the ``--weigths`` CLI option of the
      :ref:`grammarinator-generate<grammarinator-generate>` utility by providing
      a file containing the weights.
 
@@ -124,4 +126,7 @@ models are:
 
     .. code-block:: text
 
-     { "ruleName_A": {"alternation_B_idx": {"alternative_C_idx": weight_ABC, ...}, ...}, ... }
+      {
+        "alts": { "ruleName_A": {"alternation_B_idx": {"alternative_C_idx": weight_ABC, ...}, ...}, ... ,
+        "quants": { "ruleName_C": {"quant_D_idx": weight_ABC, ...}, ... ,
+      }

docs/guide/population.rst

@@ -23,12 +23,7 @@ Supported Tree Formats
    - Compact and fast to read/write.
    - Cross-language compatible (e.g., usable from Python, C++, etc. with
      FlatBuffer_ bindings).
-   - Supported natively by:
-
-     - ``grammarinator-generate`` (Python)
-     - C++ backend generators (e.g., ``grammarinator-generate-html``)
-     - libFuzzer integration (``libgrlf-html.a``)
-
+   - Supported by both Python and C++ components.
    - Default format when tree codec is not explicitly selected.
 
 2. **JSON-encoded trees** (``.grtj``):
@@ -127,3 +122,14 @@ specified by ``--tree-format``. The resulting trees are then serialized using
 the function defined by ``--serializer`` (or :class:`str` by default). The
 serialized tests are saved into the ``--out`` directory with the ``--ext``
 extension and encoded with ``--encoding``.
+
+.. _grammarinator-decode-cpp:
+
+The decoder functionality can be created not only in Python, but also
+in C++ using serializers written in C++. For this, the ``--decode`` argument
+has to be provided to :ref:`the build script<cpp_compilation>`. When
+converting an output corpus generated by either the
+:ref:`libFuzzer integration<libfuzzer integration>` or the
+:ref:`AFL++ integration<aflpp integration>`, it is recommended to use
+these C++ decoders. When built with the same configuration, they will reproduce
+exactly the same test cases that were observed during fuzzing.