# Fuzz testing with libFuzzer
The utilities library contains fuzz targets that can be built with LLVM libFuzzer.
Fuzzing is enabled when using the Clang compiler and the UTILS_LIBFUZZER CMake
option.
Configure CMake with Clang and enable the libFuzzer option:

```bash
cmake \
  -G Ninja \
  -S . -B build \
  -DCMAKE_C_COMPILER=clang \
  -DCMAKE_CXX_COMPILER=clang++ \
  -DENABLE_FUZZING=ON
```

Build the fuzzer executables:

```bash
cmake --build build --parallel --target celix_properties_fuzzer celix_version_fuzzer celix_filter_fuzzer
```

The corpus directories for the fuzzers contain a few seed inputs, which help guide the initial fuzzing process.
More files can be added to these directories to improve coverage. The fuzzer will automatically use all files in the
specified corpus directory as starting points for mutation and exploration.
The resulting fuzzers accept the standard libFuzzer command line options. For example, to run a fuzzer for 30 seconds using the provided seed corpus and print coverage information:

```bash
./build/libs/utils/celix_filter_fuzzer -max_total_time=30 -print_coverage=1 ./build/libs/utils/filter_corpus
```

Replace `celix_filter_fuzzer` and `filter_corpus` with the appropriate fuzzer executable and corpus directory as needed.

To see a list of supported command-line flags, run the fuzzer executable with the `-help=1` option. For example:

```bash
./build/libs/utils/celix_filter_fuzzer -help=1
```

This will display all available libFuzzer options.
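For readers who want to add a target of their own, the following is an added example of the shape a libFuzzer target such as `celix_filter_fuzzer` takes; it is not code from the Celix repository. The real target would call `celix_filter_create()` and `celix_filter_destroy()`; here a small constructed stand-in, `toy_filter_is_valid`, checks LDAP-style filter syntax so the file compiles without Celix. The point it demonstrates is a harness caveat that bites string-parsing APIs: libFuzzer hands the target a byte buffer that is not NUL-terminated, so the harness must copy it into a terminated buffer before calling any `const char *` API, and inputs containing embedded NUL bytes are best skipped so they do not clutter the corpus with duplicates of shorter strings.

```c
// Added example (not Celix code): structure of a libFuzzer target for a
// string-parsing API. Build with libFuzzer supplying main():
//   clang -g -O1 -fsanitize=fuzzer,address toy_filter_fuzzer.c -o toy_filter_fuzzer
//   ./toy_filter_fuzzer -max_total_time=30 ./corpus
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the library function under test (hypothetical,
 * not celix_filter_create). Accepts filters such as "(&(key=value)(x=*))":
 * balanced parentheses, an optional &, | or ! operator directly after an
 * opening parenthesis, and leaves that contain '='. */
bool toy_filter_is_valid(const char *s) {
    int depth = 0;
    bool seen_eq = false;      /* does the current leaf contain '='? */
    bool in_leaf = false;
    if (s[0] != '(') return false;
    for (const char *p = s; *p; ++p) {
        if (*p == '(') {
            depth++;
            in_leaf = true;
            seen_eq = false;
            if (p[1] == '&' || p[1] == '|' || p[1] == '!') { in_leaf = false; p++; }
        } else if (*p == ')') {
            if (--depth < 0) return false;
            if (in_leaf && !seen_eq) return false;
            in_leaf = false;
        } else if (*p == '=') {
            seen_eq = true;
        }
    }
    return depth == 0;
}

/* Copy the fuzzer input into a NUL-terminated buffer. Returns NULL if the
 * allocation fails or the input already contains a NUL byte (such inputs
 * would only exercise a shorter prefix and are skipped). Caller frees. */
char *fuzz_nul_terminate(const uint8_t *data, size_t size) {
    if (memchr(data, '\0', size) != NULL) return NULL;
    char *buf = malloc(size + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, data, size);
    buf[size] = '\0';
    return buf;
}

/* libFuzzer entry point. Must return 0; any other value is reserved. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char *input = fuzz_nul_terminate(data, size);
    if (input == NULL) return 0;
    /* A Celix target would call celix_filter_create(input) here and destroy
     * the result; ASan/UBSan catch memory errors inside the parser. */
    (void)toy_filter_is_valid(input);
    free(input);
    return 0;
}
```

When linked with `-fsanitize=fuzzer`, libFuzzer provides `main()` and repeatedly calls `LLVMFuzzerTestOneInput` with mutated corpus entries; the same file can be compiled without the fuzzer flag and driven by a hand-written `main()` that reads corpus files, which is how crash inputs are reproduced under a debugger.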
The Celix Fuzzing workflow uploads the generated corpora files as a build artifact
named `fuzzing-corpora-artifact`. Each run of the workflow attempts to download the
latest fuzzing artifact from the same branch and unpack any existing corpora before
executing the fuzzers, so new inputs build on the most recent discoveries.
The master version of the `fuzzing-corpora-artifact` artifact is used to keep
the seed corpus in `libs/utils/fuzzing/{filter,properties,version}_corpus` updated.