Experiment with a procedural macro fuzz target syntax

Open frewsxcv opened this issue 4 years ago • 4 comments

With the inventory crate, we may be able to accomplish:

#[fuzz_target]
fn fuzz_url_parse(input: <Arbitrary type>) {
    ...
}

We can build up a registry of known fuzz targets, and depending on what the user chose, we can invoke that fuzz target.

frewsxcv avatar Nov 10 '20 14:11 frewsxcv

Here's what I'm imagining as a next step here:

cargo fuzz init still generates a new fuzz directory, but now it just consists of a main.rs. The user will no longer need to futz with the Cargo.toml file whenever they want to add a new fuzz test. The contents of the generated main.rs look like:

#![no_main]

#[cargo_fuzz::fuzz_target(name = "parse")]
fn fuzz_parse(bytes: &[u8]) {
    // Test your crate here
}

cargo_fuzz::init!();

The init! macro wraps around the libfuzzer_sys::fuzz_target! macro and uses the inventory crate to build up an index of all the fuzz targets in this file (because you'll be able to specify more than one in this file!) and invoke that fuzz target. I'm not sure if this stuff would live in cargo-fuzz or libfuzzer-sys. Just spitballing. What do others think?

frewsxcv avatar Nov 18 '20 22:11 frewsxcv
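An added, dependency-free sketch of the registry the proposed init! macro would build; this is not cargo-fuzz or libfuzzer-sys code. The inventory crate would collect the entries at link time, so here a static slice stands in for it, and FuzzTarget, run_target and the length-prefixed parser in fuzz_parse are assumed names and constructed sample logic.

```rust
/// One registered target: the name `cargo fuzz run <name>` would select,
/// plus the harness that receives libFuzzer's input bytes. (Assumed type.)
pub struct FuzzTarget {
    pub name: &'static str,
    pub run: fn(&[u8]),
}

/// Constructed harness: parse, re-encode, re-parse, and panic (which the
/// fuzzer reports as a crash) if the round trip does not hold.
pub fn fuzz_parse(bytes: &[u8]) {
    if let Some(records) = parse_records(bytes) {
        let encoded = encode_records(&records);
        assert_eq!(parse_records(&encoded).as_deref(), Some(records.as_slice()));
    }
}

/// Tiny length-prefixed record format: `len, payload[len], len, ...`.
/// Returns None when a declared length overruns the input (no panic).
pub fn parse_records(mut input: &[u8]) -> Option<Vec<Vec<u8>>> {
    let mut out = Vec::new();
    while let Some((&len, rest)) = input.split_first() {
        let len = len as usize;
        if rest.len() < len {
            return None;
        }
        out.push(rest[..len].to_vec());
        input = &rest[len..];
    }
    Some(out)
}

pub fn encode_records(records: &[Vec<u8>]) -> Vec<u8> {
    let mut out = Vec::new();
    for r in records {
        out.push(r.len() as u8); // parsed records are always <= 255 bytes
        out.extend_from_slice(r);
    }
    out
}

/// Stand-in for what inventory would gather from every #[fuzz_target] fn.
pub static REGISTRY: &[FuzzTarget] = &[FuzzTarget { name: "parse", run: fuzz_parse }];

/// What init!() would do at startup: resolve the chosen name, then run it.
pub fn run_target(name: &str, bytes: &[u8]) -> Result<(), String> {
    let known: Vec<&str> = REGISTRY.iter().map(|t| t.name).collect();
    let target = REGISTRY
        .iter()
        .find(|t| t.name == name)
        .ok_or_else(|| format!("no fuzz target named {name:?}; known: {known:?}"))?;
    (target.run)(bytes);
    Ok(())
}
```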

I think this could work!

Manishearth avatar Nov 19 '20 18:11 Manishearth

Looks like @smoelius is working on something similar to this: https://github.com/trailofbits/test-fuzz 👀

frewsxcv avatar Feb 12 '22 04:02 frewsxcv

The ideas do sound similar. Instead of using inventory to generate a list of fuzz targets, though, test-fuzz wraps a fuzz harness in a test and then filters them from the list of all tests.

smoelius avatar Feb 12 '22 11:02 smoelius