2 releases

| Version | Date |
|---|---|
| 0.0.0 | Aug 6, 2019 |
| 0.0.0-sol15 | Jul 27, 2019 |
Fuzzing support for Libra

This crate contains support for fuzzing Libra targets. This support includes:

- corpus generation with `proptest`
- automatically running failing examples with `cargo test`
Prerequisites

Install `cargo-fuzz` if not already available: `cargo install cargo-fuzz`.
Fuzzing a target

To list out known fuzz targets, run `cargo run list`.

To be effective, fuzzing requires a corpus of existing inputs. This crate contains support for generating corpuses with `proptest`. Generate a corpus with `cargo run generate <target>`.

Once a corpus has been generated, the fuzzer is ready to use: run `cargo run fuzz <target>`.

For more options, run `cargo run -- --help`.
Adding a new target

Fuzz targets go in `src/fuzz_targets/`. Adding a new target involves creating a new type and implementing `FuzzTargetImpl` for it. For examples, see the existing implementations in `src/fuzz_targets/`.

Remember to add your target to `ALL_TARGETS` in `src/fuzz_targets.rs`. Once that has been done, `cargo run list` should list your new target.
Debugging and testing artifacts

If the fuzzer finds a failing artifact, it will save the artifact to a file inside the `fuzz` directory and print its path. To add this artifact to the test suite, copy it to a file inside `artifacts/<target>/`. `cargo test` will now test the deserializer against the new artifact. The test will likely fail at first use.

Note that `cargo test` runs each test in a separate process by default to isolate failures and memory usage; if you're attaching a debugger and are running a single test, set `NO_FORK=1` to disable forking.

Once the deserializer has been fixed, check the artifact into the `artifacts/<target>/` directory. The artifact will then act as a regression test in `cargo test` runs.
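The target-plus-artifact workflow from the two sections above, as an added example that is not this crate's code: a hypothetical `FuzzTargetImpl` trait (the crate's real trait signature is not shown here, so this shape is an assumption), a toy length-prefixed decoder in a buggy and a fixed form as the target, and a replay helper that does what `cargo test` does over `artifacts/<target>/`, using constructed artifacts in place of files.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Hypothetical fuzz-target interface (assumption; the crate's real trait differs).
pub trait FuzzTargetImpl {
    fn name(&self) -> &'static str;
    fn fuzz(&self, data: &[u8]);
}

/// Toy wire format: one length byte followed by that many payload bytes.
/// Buggy version: it trusts the length byte, so a short input panics on slicing.
pub fn decode_unchecked(data: &[u8]) -> &[u8] {
    let len = data[0] as usize;
    &data[1..1 + len]
}

/// Fixed version: every read is bounds-checked and reported as an error.
pub fn decode(data: &[u8]) -> Result<&[u8], String> {
    let len = *data.first().ok_or("empty input")? as usize;
    data.get(1..1 + len).ok_or_else(|| format!("truncated: need {len} bytes"))
}

/// One fuzz target; `fixed` selects which decoder it exercises.
pub struct DecodeTarget { pub fixed: bool }

impl FuzzTargetImpl for DecodeTarget {
    fn name(&self) -> &'static str { "decode" }
    fn fuzz(&self, data: &[u8]) {
        // A panic here is exactly what the fuzzer saves as a failing artifact.
        if self.fixed { let _ = decode(data); } else { let _ = decode_unchecked(data); }
    }
}

/// Replay saved artifacts against a target; returns the indices that still panic.
/// This is the regression check `cargo test` performs over artifacts/<target>/.
pub fn replay_artifacts(target: &dyn FuzzTargetImpl, artifacts: &[&[u8]]) -> Vec<usize> {
    artifacts.iter().enumerate()
        .filter(|(_, a)| panic::catch_unwind(AssertUnwindSafe(|| target.fuzz(a))).is_err())
        .map(|(i, _)| i)
        .collect()
}

/// Constructed artifacts standing in for files under artifacts/decode/:
/// empty input, a length byte larger than the payload, and a valid message.
pub const ARTIFACTS: [&[u8]; 3] = [&[], &[5, 1, 2], &[2, 9, 9]];

fn main() {
    for fixed in [false, true] {
        let target = DecodeTarget { fixed };
        let failing = replay_artifacts(&target, &ARTIFACTS);
        println!("{} (fixed={fixed}): {} failing artifacts", target.name(), failing.len());
    }
}
```

Before the fix the first two artifacts panic and the test fails; after the fix none do, and the same artifacts remain in place as the regression test.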