#fuzzer #fuzzing #security #property

bin+lib ziggy-honggfuzz

Fuzz your Rust code with Google-developped Honggfuzz !

1 unstable release

0.5.55 Sep 28, 2023

#370 in Testing



Bitbake 781K SLoC // 0.0% comments C 90K SLoC // 0.1% comments Python 12K SLoC // 0.0% comments C# 11K SLoC OCaml 10K SLoC // 0.0% comments Java 9K SLoC // 0.0% comments VB6 3K SLoC // 0.2% comments GNU Style Assembly 2.5K SLoC // 0.3% comments Visual Studio Project 2.5K SLoC Prolog 2K SLoC Automake 1K SLoC // 0.1% comments Shell 525 SLoC // 0.2% comments Rust 522 SLoC // 0.1% comments C++ 466 SLoC // 0.2% comments Visual Studio Solution 315 SLoC Cython 277 SLoC // 0.1% comments Batch 274 SLoC // 0.0% comments Coq 200 SLoC RPM Specfile 122 SLoC // 0.0% comments SWIG 25 SLoC // 0.4% comments

Contains (Mach-o exe, 335KB) CrashReport_Yosemite.o, (Mach-o exe, 320KB) CrashReport_Mavericks.o, (Mach-o exe, 310KB) CrashReport_Mountain_Lion.o, (Mach-o exe, 335KB) CrashReport_Sierra.o

honggfuzz-rs Build Status Crates.io Documentation

Fuzz your Rust code with Google-developed Honggfuzz !



About Honggfuzz

Honggfuzz is a security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based).


  • Rust: stable, beta, nightly
  • OS: GNU/Linux, macOS, FreeBSD, NetBSD, Android, WSL (Windows Subsystem for Linux)
  • Arch: x86_64, x86, arm64-v8a, armeabi-v7a, armeabi
  • Sanitizer: none, address, thread, leak



  • C compiler: cc
  • GNU Make: make
  • GNU Binutils development files for the BFD library: libbfd.h
  • libunwind development files: libunwind.h
  • Blocks runtime library (when compiling with clang)
  • liblzma development files

For example on Debian and its derivatives:

sudo apt install build-essential binutils-dev libunwind-dev libblocksruntime-dev liblzma-dev

How to use this crate

Install honggfuzz commands to build with instrumentation and fuzz

# installs hfuzz and honggfuzz subcommands in cargo
cargo install honggfuzz

Add to your dependencies

honggfuzz = "0.5"

Create a target to fuzz

use ziggy_honggfuzz::fuzz;

fn main() {
    // Here you can parse `std::env::args and
    // setup / initialize your project

    // You have full control over the loop but
    // you're supposed to call `fuzz` ad vitam aeternam
    loop {
        // The fuzz macro gives an arbitrary object (see `arbitrary crate`)
        // to a closure-like block of code.
        // For performance reasons, it is recommended that you use the native type
        // `&[u8]` when possible.
        // Here, this slice will contain a "random" quantity of "random" data.
        fuzz!(|data: &[u8]| {
            if data.len() != 3 {return}
            if data[0] != b'h' {return}
            if data[1] != b'e' {return}
            if data[2] != b'y' {return}

Fuzz for fun and profit !

# builds with fuzzing instrumentation and then fuzz the "example" target
cargo hfuzz run example

Once you got a crash, replay it easily in a debug environment

# builds the target in debug mode and replays automatically the crash in rust-lldb
cargo hfuzz run-debug example hfuzz_workspace/*/*.fuzz

You can also build and run your project without compile-time software instrumentation (LLVM's SanCov passes)

This allows you for example to try hardware-only feedback driven fuzzing:

# builds without fuzzing instrumentation and then fuzz the "example" target using hardware-based feedback
HFUZZ_RUN_ARGS="--linux_perf_ipt_block --linux_perf_instr --linux_perf_branch" cargo hfuzz run-no-instr example


# a wrapper on "cargo clean" which cleans the fuzzing_target directory
cargo hfuzz clean


cargo hfuzz version

Environment variables


You can use RUSTFLAGS to send additional arguments to rustc.

For instance, you can enable the use of LLVM's sanitizers. This is a recommended option if you want to test your unsafe rust code but it will have an impact on performance.

RUSTFLAGS="-Z sanitizer=address" cargo hfuzz run example


You can use HFUZZ_BUILD_ARGS to send additional arguments to cargo build.


You can use HFUZZ_RUN_ARGS to send additional arguments to honggfuzz. See USAGE for the list of those.

For example:

# 1 second of timeout
# use 12 fuzzing thread
# be verbose
# stop after 1000000 fuzzing iteration
# exit upon crash
HFUZZ_RUN_ARGS="-t 1 -n 12 -v -N 1000000 --exit_upon_crash" cargo hfuzz run example


By default we use rust-lldb but you can change it to rust-gdb, gdb, /usr/bin/lldb-7 ...


Target compilation directory, defaults to hfuzz_target to not clash with cargo build's default target directory.


Honggfuzz working directory, defaults to hfuzz_workspace.


Honggfuzz input files (also called "corpus"), defaults to $HFUZZ_WORKSPACE/{TARGET}/input.

Conditional compilation

Sometimes, it is necessary to make some specific adaptation to your code to yield a better fuzzing efficiency.

For instance:

  • Make you software behavior as much as possible deterministic on the fuzzing input
    • PRNGs must be seeded with a constant or the fuzzer input
    • Behavior shouldn't change based on the computer's clock.
    • Avoid potential undeterministic behavior from racing threads.
    • ...
  • Never ever call std::process::exit().
  • Disable logging and other unnecessary functionalities.
  • Try to avoid modifying global state when possible.
  • Do not set up your own panic hook when run with cfg(fuzzing)

When building with cargo hfuzz, the argument --cfg fuzzing is passed to rustc to allow you to condition the compilation of those adaptations thanks to the cfg macro like so:

let mut rng = rand_chacha::ChaCha8Rng::from_seed(&[0]);
let mut rng = rand::thread_rng();

Also, when building in debug mode, the fuzzing_debug argument is added in addition to fuzzing.

For more information about conditional compilation, please see the reference.

Relevant documentation about honggfuzz

About Rust fuzzing

There is other projects providing Rust fuzzing support at github.com/rust-fuzz.

You'll find support for AFL and LLVM's LibFuzzer and there is also a trophy case ;-) .

This crate was inspired by those projects!