Easiest way to build and run the fuzzing is using attached Dockerfile. Run the following command from the top directory of the project
docker build -f proton-c/src/tests/fuzz/Dockerfile -t qpid-proton-fuzz .
Then run the built image and execute a fuzzer to check that all works
docker run --cap-add SYS_PTRACE -it qpid-proton-fuzz ./fuzz-url /src/proton-c/src/tests/fuzz/fuzz-url/crash /src/proton-c/src/tests/fuzz/fuzz-url/corpus
You can bind a local directory to the container with the -v local:remote
option. The --rm
option is also useful. See https://docs.docker.com/engine/reference/run/.
The docker image is based on ossfuzz/basebuilder
, which is Ubuntu 16.04 Xenial with clang 5.0 and libc++.
There are two cmake options to control compilation of fuzzers
FUZZ_TEST
(default: OFF
) adds fuzzers to the build and to regression testsFUZZING_ENGINE
(default: OFF
) links fuzzers with libFuzzingEngine
when ON
When FUZZING_ENGINE
is OFF
, fuzzers are linked with a simple driver suitable only for regression testing.
There are no special prerequisites and no extra configuration is necessary.
libFuzzer.a
(from previous step) to libFuzzingEngine.a
CC
and CXX
variables to the same compiler you used to build libFuzzer (some recent clang)CFLAGS
and CXXFLAGS
with the coverage and sanitizer(s) you want to use, see libFuzzer documentation for detailsLDFLAGS
to add the directory with libFuzzingEngine.a
to your link path if necessaryFUZZ_TEST=ON
and FUZZING_ENGINE=ON
For example:
FLAGS="-fsanitize-coverage=trace-pc-guard -fsanitize=address -fno-omit-frame-pointer -fno-optimize-sibling-calls" CC=~/third_party/llvm-build/Release+Asserts/bin/clang \ CXX=~/third_party/llvm-build/Release+Asserts/bin/clang++ \ CFLAGS="$FLAGS" \ CXXFLAGS="$FLAGS" \ LDFLAGS="-L/path/to/libFuzzingEngine/directory" \ cmake .. -DCMAKE_BUILD_TYPE=Debug -DFUZZ_TEST=ON -DFUZZING_ENGINE=ON
Execute one of the fuzz-*
binaries.
When given file paths as command line arguments, it will run the fuzzed function with each of the inputs in turn once and then exit.
When given a folder as first argument, it will load corpus from the folder and also store newly discovered inputs (that extend code coverage) there. See http://llvm.org/docs/LibFuzzer.html for details.
The reason for renaming the fuzzing library to libFuzzingEngine
is to be compatible with https://github.com/google/oss-fuzz.
In fuzzing data directories, corpus and crashes are two different subdirectories, because fuzzers can perform corpus minimization. Crashes should not be subjected to corpus minimization, so they need to be kept separately.