|
| 1 | +# Fuzzing |
| 2 | + |
| 3 | +`simplicity` has a fuzzing harness setup for use with honggfuzz. |
| 4 | + |
| 5 | +To run the fuzz-tests as in CI -- briefly fuzzing every target -- simply |
| 6 | +run |
| 7 | + |
| 8 | + ./fuzz.sh |
| 9 | + |
| 10 | +in this directory. |
| 11 | + |
| 12 | +The script builds honggfuzz as part of its startup. |
| 13 | + |
| 14 | +To build honggfuzz you must have libunwind on your system, as well as |
| 15 | +libopcodes and libbfd from binutils **2.38** on your system. The most |
| 16 | +recently-released binutils 2.39 has changed their API in a breaking way. |
| 17 | + |
| 18 | +On Nix, you can use the provided nix shell |
| 19 | + |
| 20 | + nix-shell |
| 21 | + |
| 22 | +Then run fuzz.sh as above. |
| 23 | + |
| 24 | +# Long-term fuzzing |
| 25 | + |
| 26 | +To see the full list of targets, the most straightforward way is to run |
| 27 | + |
| 28 | + source ./fuzz-util.sh |
| 29 | + listTargetNames |
| 30 | + |
| 31 | +To run each target for an hour, run |
| 32 | + |
| 33 | + ./cycle.sh |
| 34 | + |
| 35 | +This script uses the `chrt` utility to try to reduce the priority of the |
| 36 | +jobs. If you would like to run for longer, the most straightforward way |
| 37 | +is to edit `cycle.sh` before starting. To run the fuzz-tests in parallel, |
| 38 | +you will need to implement a custom harness. |
| 39 | + |
| 40 | +To manually run a single target indefinitely, run |
| 41 | + |
| 42 | + cargo hfuzz run <target> |
| 43 | + |
| 44 | +You may need to install cargo-honggfuzz: |
| 45 | + |
| 46 | + cargo install honggfuzz --no-default-features |
| 47 | + |
| 48 | +It is installed by the shell scripts and is available in the provided nix shell. |
| 49 | + |
| 50 | +If you get linker errors, see the above information about libopcodes and libbfd. |
| 51 | + |
| 52 | +On Nix, use the provided nix shell |
| 53 | + |
| 54 | + nix-shell |
| 55 | + |
| 56 | +And then run `cargo hfuzz`. |
| 57 | + |
| 58 | +# Adding fuzz tests |
| 59 | + |
| 60 | +All fuzz tests can be found in the `fuzz_target/` directory. Adding a new |
| 61 | +one is as simple as copying an existing one and editing the `do_test` |
| 62 | +function to do what you want. |
| 63 | + |
| 64 | +If your test clearly belongs to a specific crate, please put it in that |
| 65 | +crate's directory. Otherwise you can put it directly in `fuzz_target/`. |
| 66 | + |
| 67 | +If you need to add dependencies, edit the file `generate-files.sh` to add |
| 68 | +it to the generated `Cargo.toml`. |
| 69 | + |
| 70 | +Once you've added a fuzztest, regenerate the `Cargo.toml` and CI job by |
| 71 | +running |
| 72 | + |
| 73 | + ./generate-files.sh |
| 74 | + |
| 75 | +Then to test your fuzztest, run |
| 76 | + |
| 77 | + ./fuzz.sh <target> |
| 78 | + |
| 79 | +If it is working, you will see a rapid stream of data for many seconds |
| 80 | +(you can hit Ctrl+C to stop it early). If not, you should quickly see |
| 81 | +an error. |
| 82 | + |
| 83 | +# Reproducing Failures |
| 84 | + |
| 85 | +If fuzz.sh or cycle.sh fail, they will exit with a summary which looks something like |
| 86 | + |
| 87 | +``` |
| 88 | +... |
| 89 | + fuzzTarget : hfuzz_target/x86_64-unknown-linux-gnu/release/decode_natural |
| 90 | +CRASH: |
| 91 | +DESCRIPTION: |
| 92 | +ORIG_FNAME: 00000000000000000000000000000000.00000000.honggfuzz.cov |
| 93 | +FUZZ_FNAME: hfuzz_workspace/decode_natural/SIGABRT.PC.7ffff7e42adc.STACK.1a1d230819.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebx.fuzz |
| 94 | +... |
| 95 | +===================================================================== |
| 96 | +fff400610004 |
| 97 | +``` |
| 98 | + |
| 99 | +If you run `cargo hfuzz` manually, run the following to see the report |
| 100 | + |
| 101 | + source ./fuzz-util.sh |
| 102 | + getReport <target> |
| 103 | + |
| 104 | +The final line is a hex-encoded version of the input that caused the crash. You |
| 105 | +can test this directly by editing the `duplicate_crash` test to copy/paste the |
| 106 | +hex output into the call to `extend_vec_from_hex`. Then run the test with |
| 107 | + |
| 108 | + cargo test |
| 109 | + |
| 110 | +Note that if you set your `RUSTFLAGS` while fuzzing (see above) you must make |
| 111 | +sure they are set the same way when running `cargo test`. |
0 commit comments