|
7 | 7 | thousands of different inputs. |
8 | 8 | - Fuzz testing is often done with sanitizers enabled; to catch memory errors |
9 | 9 | and undefined behavior. |
10 | | -- The most commonly used fuzz testing frameworks for C/C++ are LibFuzzer and |
| 10 | +- The most commonly used fuzz testing frameworks for C/C++ are libFuzzer and |
11 | 11 | AFL. |
12 | 12 | - [Google's FuzzTest](https://github.com/google/fuzztest) is a newer framework |
13 | 13 | that simplifies writing fuzz tests with user-friendly APIs and offers more |
14 | 14 | control over input generation. It also integrates seamlessly with Google |
15 | 15 | Test (GTest). |
16 | 16 |
|
| 17 | +## Fuzz testing with libFuzzer |
| 18 | + |
| 19 | +The following example demonstrates how to use libFuzzer to write a simple fuzz |
| 20 | +test. Each fuzzer function is defined using |
| 21 | +`LLVMFuzzerTestOneInput(const uint8_t * data, size_t len)`. |
| 22 | + |
| 23 | +The Fuzzer must be located in a Test Folder : `src/some_directory/tests/` |
| 24 | + |
| 25 | +``` |
| 26 | +#include <cstddef> |
| 27 | +#include <cstdint> |
| 28 | +
|
| 29 | +/** |
| 30 | + * @file |
| 31 | + * This file describes a Fuzzer for ... |
| 32 | + */ |
| 33 | +
|
| 34 | +extern "C" int LLVMFuzzerTestOneInput(const uint8_t * data, size_t len) |
| 35 | +{ |
| 36 | +
|
| 37 | + // Instantiate values as needed |
| 38 | + // Call target function for the fuzzer with the fuzzing input (data and len) |
| 39 | +
|
| 40 | + return 0; |
| 41 | +} |
| 42 | +
|
| 43 | +``` |
| 44 | + |
| 45 | +See |
| 46 | +[FuzzBase38Decode.cpp](https://github.com/project-chip/connectedhomeip/blob/master/src/setup_payload/tests/FuzzBase38Decode.cpp) |
| 47 | +for an example of a simple fuzz test. |
| 48 | + |
| 49 | +### Compiling and running |
| 50 | + |
| 51 | +- Add to `src/some_directory/tests/BUILD.gn` |
| 52 | + |
| 53 | + - Example |
| 54 | + |
| 55 | + ``` |
| 56 | + import("${chip_root}/build/chip/fuzz_test.gni") |
| 57 | +
|
| 58 | + if (enable_fuzz_test_targets) { |
| 59 | + chip_fuzz_target("FuzzTargetName1") { |
| 60 | + sources = [ "Fuzzer1.cpp" ] |
| 61 | + public_deps = [ |
| 62 | + // Dependencies go here. |
| 63 | + ] |
| 64 | + } |
| 65 | + chip_fuzz_target("FuzzTargetName2") { |
| 66 | + sources = [ "Fuzzer2.cpp" ] |
| 67 | + public_deps = [ |
| 68 | + // Dependencies go here. |
| 69 | + ] |
| 70 | + } |
| 71 | + } |
| 72 | + ``` |
| 73 | +
|
| 74 | + - CHIP_FUZZ_TARGET : the name of the fuzz target |
| 75 | + - SOURCES : file in the test folder containing the fuzzer |
| 76 | + implementation |
| 77 | + - PUBLIC_DEPS : Code Dependencies needed to build fuzzer |
| 78 | +
|
| 79 | + - Another example: |
| 80 | + [src/setup_payload/tests/BUILD.gn](https://github.com/project-chip/connectedhomeip/blob/b367512f519e5e109346e81a0d84fd85cd9192f7/src/setup_payload/tests/BUILD.gn#L43) |
| 81 | +
|
| 82 | +- Add to `src/BUILD.gn` |
| 83 | +
|
| 84 | + - Add the Fuzzing Target in this part of the code : |
| 85 | + [src/BUILD.gn](https://github.com/project-chip/connectedhomeip/blob/b367512f519e5e109346e81a0d84fd85cd9192f7/BUILD.gn#L52) |
| 86 | +
|
| 87 | + - Add Fuzzing Target like that |
| 88 | +
|
| 89 | + ``` |
| 90 | + if (enable_fuzz_test_targets) { |
| 91 | + group("fuzz_tests") { |
| 92 | + deps = [ |
| 93 | + "${chip_root}/src/credentials/tests:fuzz-chip-cert", |
| 94 | + "${chip_root}/src/lib/core/tests:fuzz-tlv-reader", |
| 95 | + "${chip_root}/src/lib/dnssd/minimal_mdns/tests:fuzz-minmdns-packet-parsing", |
| 96 | + "${chip_root}/src/lib/format/tests:fuzz-payload-decoder", |
| 97 | + "${chip_root}/src/setup_payload/tests:fuzz-setup-payload-base38", |
| 98 | + "${chip_root}/src/setup_payload/tests:fuzz-setup-payload-base38-decode", |
| 99 | + // ADD HERE YOUR FUZZING TARGET |
| 100 | + "${chip_root}/some_directory/tests:FuzzTargetName" |
| 101 | + ] |
| 102 | + } |
| 103 | + } |
| 104 | + ``` |
| 105 | +
|
| 106 | +- Build all fuzzers |
| 107 | + ``` |
| 108 | + ./scripts/build/build_examples.py --target <host>-<compiler>-tests-asan-libfuzzer-clang build |
| 109 | + ``` |
| 110 | + e.g. |
| 111 | + ``` |
| 112 | + ./scripts/build/build_examples.py --target darwin-arm64-tests-asan-libfuzzer-clang build |
| 113 | + ``` |
| 114 | + \*\* Make sure to put the right host and compiler |
| 115 | +- Fuzzers binaries are compiled into: |
| 116 | +
|
| 117 | + - `out/<host>-<compiler>-tests-asan-libfuzzer-clang/tests` |
| 118 | + - e.g. `darwin-arm64-tests-asan-libfuzzer-clang` |
| 119 | +
|
| 120 | +- Running the fuzzer with a corpus |
| 121 | + - `path_to_fuzzer_in_test_folder path_to_corpus` |
| 122 | +
|
17 | 123 | ## `Google's FuzzTest` |
18 | 124 |
|
19 | 125 | - Google FuzzTest is integrated through Pigweed |
|
0 commit comments