The easiest way to build and run the fuzzers is the attached Dockerfile. Run the following command from the top directory of the project:

    docker build -f proton-c/src/tests/fuzz/Dockerfile -t qpid-proton-fuzz .

Then run the built image and execute a fuzzer to check that everything works (`--cap-add SYS_PTRACE` is needed because the sanitizers, LeakSanitizer in particular, use ptrace inside the container):

    docker run --cap-add SYS_PTRACE -it qpid-proton-fuzz ./fuzz-url /src/proton-c/src/tests/fuzz/fuzz-url/crash /src/proton-c/src/tests/fuzz/fuzz-url/corpus
You can bind a local directory into the container with the `-v local:remote` option. The `--rm` option is also useful. See https://docs.docker.com/engine/reference/run/.
The Docker image is based on `ossfuzz/basebuilder`, which is Ubuntu 16.04 Xenial with clang 5.0 and libc++.
There are two cmake options that control compilation of the fuzzers:

* `FUZZ_TEST` (default `OFF`) adds the fuzzers to the build and to the regression tests.
* `FUZZING_ENGINE` (default `OFF`) links the fuzzers with `libFuzzingEngine.a`. When `OFF`, the fuzzers are linked with a simple driver that only replays the inputs named on the command line, so it is suitable only for regression testing, not for coverage-guided fuzzing.
With `FUZZING_ENGINE=OFF` there are no special prerequisites and no extra configuration is necessary.
With `FUZZING_ENGINE=ON`:

1. Build libFuzzer (see http://llvm.org/docs/LibFuzzer.html).
2. Rename `libFuzzer.a` (from the previous step) to `libFuzzingEngine.a`.
3. Set the `CC` and `CXX` variables to the same compiler you used to build libFuzzer (some recent clang).
4. Set `CFLAGS` and `CXXFLAGS` with the coverage and sanitizer(s) you want to use; see the libFuzzer documentation for details.
5. Set `LDFLAGS` to add the directory with `libFuzzingEngine.a` to your link path if necessary.
6. Configure with `-DFUZZ_TEST=ON -DFUZZING_ENGINE=ON`.

For example (note that `FLAGS` must be assigned on its own line first; as a same-line prefix it would not yet be set when `$FLAGS` is expanded):

    FLAGS="-fsanitize-coverage=trace-pc-guard -fsanitize=address -fno-omit-frame-pointer -fno-optimize-sibling-calls"
    CC=~/third_party/llvm-build/Release+Asserts/bin/clang \
    CXX=~/third_party/llvm-build/Release+Asserts/bin/clang++ \
    CFLAGS="$FLAGS" \
    CXXFLAGS="$FLAGS" \
    LDFLAGS="-L/path/to/libFuzzingEngine/directory" \
    cmake .. -DCMAKE_BUILD_TYPE=Debug -DFUZZ_TEST=ON -DFUZZING_ENGINE=ON

The coverage flag above matches clang 5.0, the version in the Docker image. clang 6 and later ship libFuzzer with the compiler and accept `-fsanitize=fuzzer-no-link` in place of `-fsanitize-coverage=trace-pc-guard`.
Execute one of the fuzzer binaries (for example `fuzz-url`, as in the Docker command above).

When given file paths as command line arguments, the fuzzer runs the fuzzed function once on each input in turn and then exits. This regression mode works with either driver.

When given a directory as the first argument, it loads the corpus from that directory and also stores newly discovered inputs (those that extend code coverage) there. This coverage-guided mode needs libFuzzer, i.e. a build with `FUZZING_ENGINE=ON`. See http://llvm.org/docs/LibFuzzer.html for details.
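What both drivers share is the single entry point `LLVMFuzzerTestOneInput`; the `FUZZING_ENGINE=OFF` driver simply feeds it the files named on the command line, once each. The following C program is an added example written for this page, not code from the proton project: a toy `parse_url()` stands in for proton's URL parser, and the names `parse_url`, `run_file`, `run_regression`, the `MAX_FIELD` limit and the URL grammar are all assumptions. It shows the target-side contract (the input is not NUL-terminated and may be empty, so a string parser needs a terminated copy) and a driver with the replay semantics described above.

```c
/* Added example (not proton's code): a toy fuzz target plus the kind of
 * simple regression driver that FUZZING_ENGINE=OFF links in. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 64  /* assumed field limit for the toy parser */

/* Toy "scheme://host[:port][/path]" parser standing in for the real one.
 * Returns 0 on success (port is -1 when absent), -1 on malformed input. */
int parse_url(const char *s, char *scheme, char *host, int *port)
{
    const char *sep = strstr(s, "://");
    if (!sep || sep == s) return -1;
    size_t slen = (size_t)(sep - s);
    if (slen >= MAX_FIELD) return -1;
    memcpy(scheme, s, slen);
    scheme[slen] = '\0';
    const char *h = sep + 3;
    size_t hlen = strcspn(h, ":/");
    if (hlen == 0 || hlen >= MAX_FIELD) return -1;
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    *port = -1;
    if (h[hlen] == ':') {
        const char *p = h + hlen + 1;
        size_t plen = strspn(p, "0123456789");
        if (plen == 0 || plen > 5 || (p[plen] != '\0' && p[plen] != '/'))
            return -1;
        long v = strtol(p, NULL, 10);
        if (v > 65535) return -1;
        *port = (int)v;
    }
    return 0;
}

/* libFuzzer entry point, the one symbol every fuzzer must export. data is
 * not NUL-terminated and size may be 0, so a string-based parser must get
 * a terminated copy. Always return 0; libFuzzer reserves other values. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *buf = malloc(size + 1);
    if (!buf) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    char scheme[MAX_FIELD], host[MAX_FIELD];
    int port;
    (void)parse_url(buf, scheme, host, &port);
    free(buf);
    return 0;
}

/* Read one file fully and run the target on it exactly once.
 * Returns 0 if the file was run, -1 if it could not be read. */
static int run_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t cap = 4096, len = 0, n;
    uint8_t *data = malloc(cap);
    if (!data) { fclose(f); return -1; }
    while ((n = fread(data + len, 1, cap - len, f)) > 0) {
        len += n;
        if (len == cap) {  /* grow before the buffer is full */
            uint8_t *grown = realloc(data, cap * 2);
            if (!grown) { free(data); fclose(f); return -1; }
            data = grown; cap *= 2;
        }
    }
    fclose(f);
    LLVMFuzzerTestOneInput(data, len);
    free(data);
    return 0;
}

/* Simple driver: each argument is one input file, replayed once, in order,
 * with no mutation and no coverage feedback. Returns how many were run. */
int run_regression(int argc, char **argv)
{
    int ran = 0;
    for (int i = 1; i < argc; i++) {
        if (run_file(argv[i]) == 0) ran++;
        else fprintf(stderr, "skipping unreadable input %s\n", argv[i]);
    }
    return ran;
}

/* With FUZZING_ENGINE=ON this main must be dropped: libFuzzingEngine.a
 * supplies its own and the two would clash at link time. */
int main(int argc, char **argv)
{
    int ran = run_regression(argc, argv);
    printf("ran %d input(s)\n", ran);
    return ran == argc - 1 ? 0 : 1;
}
```

Build it with `cc -g -fsanitize=address -o fuzz-toy fuzz-toy.c` and replay saved inputs with `./fuzz-toy crash/*`; a sanitizer report then points at the offending file. Because the driver exits on the first crash the sanitizer reports, replaying a crash directory one file per process (a shell loop over the files) is the more informative way to run a regression. To turn the same target into a real fuzzer, remove `main`, compile with the sanitizer and coverage flags from the previous section and link `libFuzzingEngine.a`, which brings its own `main` and the corpus-driven mode.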
The reason for renaming the fuzzing library to `libFuzzingEngine` is to be compatible with https://github.com/google/oss-fuzz.
In the fuzzing data directories, the corpus and the crashes live in two different subdirectories (`corpus` and `crash`), because fuzzers can perform corpus minimization (for example with libFuzzer's `-merge=1`), which drops inputs that add no new coverage. Crashes must not be subjected to corpus minimization, since a crash input is valuable regardless of what coverage it adds, so they are kept separately.