Skip to content

Commit

Permalink
Add documentation for adding a new libfuzzer fuzzer. (project-chip#35158
Browse files Browse the repository at this point in the history
)
  • Loading branch information
bzbarsky-apple authored Sep 11, 2024
1 parent 9a6694f commit edf1f65
Show file tree
Hide file tree
Showing 2 changed files with 108 additions and 1 deletion.
1 change: 1 addition & 0 deletions .github/.wordlist.txt
Original file line number Diff line number Diff line change
Expand Up @@ -572,6 +572,7 @@ fsync
ftd
fullclean
fuzzer
fuzzers
fuzztest
FW
gbl
Expand Down
108 changes: 107 additions & 1 deletion docs/testing/fuzz_testing.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,119 @@
thousands of different inputs.
- Fuzz testing is often done with sanitizers enabled; to catch memory errors
and undefined behavior.
- The most commonly used fuzz testing frameworks for C/C++ are LibFuzzer and
- The most commonly used fuzz testing frameworks for C/C++ are libFuzzer and
AFL.
- [Google's FuzzTest](https://github.com/google/fuzztest) is a newer framework
that simplifies writing fuzz tests with user-friendly APIs and offers more
control over input generation. It also integrates seamlessly with Google
Test (GTest).

## Fuzz testing with libFuzzer

The following example demonstrates how to use libFuzzer to write a simple fuzz
test. Each fuzzer function is defined using
`LLVMFuzzerTestOneInput(const uint8_t * data, size_t len)`.

The Fuzzer must be located in a Test Folder : `src/some_directory/tests/`

```
#include <cstddef>
#include <cstdint>
/**
* @file
* This file describes a Fuzzer for ...
*/
extern "C" int LLVMFuzzerTestOneInput(const uint8_t * data, size_t len)
{
// Instantiate values as needed
// Call target function for the fuzzer with the fuzzing input (data and len)
return 0;
}
```

See
[FuzzBase38Decode.cpp](https://github.com/project-chip/connectedhomeip/blob/master/src/setup_payload/tests/FuzzBase38Decode.cpp)
for an example of a simple fuzz test.

### Compiling and running

- Add to `src/some_directory/tests/BUILD.gn`

- Example

```
import("${chip_root}/build/chip/fuzz_test.gni")
if (enable_fuzz_test_targets) {
chip_fuzz_target("FuzzTargetName1") {
sources = [ "Fuzzer1.cpp" ]
public_deps = [
// Dependencies go here.
]
}
chip_fuzz_target("FuzzTargetName2") {
sources = [ "Fuzzer2.cpp" ]
public_deps = [
// Dependencies go here.
]
}
}
```

- CHIP_FUZZ_TARGET : the name of the fuzz target
- SOURCES : file in the test folder containing the fuzzer
implementation
- PUBLIC_DEPS : Code Dependencies needed to build fuzzer

- Another example:
[src/setup_payload/tests/BUILD.gn](https://github.com/project-chip/connectedhomeip/blob/b367512f519e5e109346e81a0d84fd85cd9192f7/src/setup_payload/tests/BUILD.gn#L43)

- Add to `src/BUILD.gn`

- Add the Fuzzing Target in this part of the code :
[src/BUILD.gn](https://github.com/project-chip/connectedhomeip/blob/b367512f519e5e109346e81a0d84fd85cd9192f7/BUILD.gn#L52)

- Add Fuzzing Target like that

```
if (enable_fuzz_test_targets) {
group("fuzz_tests") {
deps = [
"${chip_root}/src/credentials/tests:fuzz-chip-cert",
"${chip_root}/src/lib/core/tests:fuzz-tlv-reader",
"${chip_root}/src/lib/dnssd/minimal_mdns/tests:fuzz-minmdns-packet-parsing",
"${chip_root}/src/lib/format/tests:fuzz-payload-decoder",
"${chip_root}/src/setup_payload/tests:fuzz-setup-payload-base38",
"${chip_root}/src/setup_payload/tests:fuzz-setup-payload-base38-decode",
// ADD HERE YOUR FUZZING TARGET
"${chip_root}/some_directory/tests:FuzzTargetName"
]
}
}
```

- Build all fuzzers
```
./scripts/build/build_examples.py --target <host>-<compiler>-tests-asan-libfuzzer-clang build
```
e.g.
```
./scripts/build/build_examples.py --target darwin-arm64-tests-asan-libfuzzer-clang build
```
\*\* Make sure to put the right host and compiler
- Fuzzers binaries are compiled into:

- `out/<host>-<compiler>-tests-asan-libfuzzer-clang/tests`
- e.g. `darwin-arm64-tests-asan-libfuzzer-clang`

- Running the fuzzer with a corpus
- `path_to_fuzzer_in_test_folder path_to_corpus`

## `Google's FuzzTest`

- Google FuzzTest is integrated through Pigweed
Expand Down

0 comments on commit edf1f65

Please sign in to comment.