This crate provides fuzzers based on libfuzzer.
Available fuzzers:
-
packet_recv_client: Processes a single incoming packet (including frames) at a time from the client side.
-
packet_recv_server: Processes a single incoming packet (including frames) at a time from the server side.
-
qpack_decode: Parses a single QPACK header block at a time.
Run tools/gen_fuzz_seeds.sh
from the root of the repository.
Run the following command from the root of the repository:
$ cargo +nightly fuzz coverage <target> fuzz/corpus/<target>
Where <target>
is one of the fuzzers listed above.
An HTML report can be generated using llvm-cov
. Note that the same version as
the one used by cargo-fuzz
must be used. If installing the
llvm-tools-preview
component using rustup
, llvm-cov
can be found somewhere
under ~/.rustup/toolchains
(or wherever the toolchains are installed).
For example:
$ ~/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-unknown-linux-gnu/bin/llvm-cov show --ignore-filename-regex='cargo/registry' --ignore-filename-regex='/rustc' --show-instantiations --show-line-counts-or-regions --Xdemangler=rustfilt --instr-profile /home/ghedo/devel/quiche/fuzz/coverage/packet_recv_server/coverage.profdata /home/ghedo/devel/quiche/target/x86_64-unknown-linux-gnu/coverage/x86_64-unknown-linux-gnu/release/packet_recv_server --format=html --output-dir "/tmp/cov"
The index.html
file under /tmp/cov
can then be opened in a browser to view
the report.
Build and publish the fuzzing Docker image:
make docker-fuzz docker-fuzz-publish
Then run the following command under fuzz/mayhem/
:
$ mayhem run --all <target>
Where <target>
is one of the fuzzers listed above.
Run the following command under fuzz/mayhem/
:
$ mayhem sync <target>
Where <target>
is one of the fuzzers listed above.
Then minimize the inputs:
$ cargo +nightly fuzz cmin -Oa <target>