cargo-fuzz

Document how to provide corpus seeds

Open rillian opened this issue 3 years ago • 1 comments

I'm new to libfuzzer, so perhaps there's a simple way to do this, but I've not found a good way to pass a directory of seed files to the fuzzer.

Many projects have a collection of files for use in integration testing, and these can be a good starting point for fuzzing. Of course one can copy them into the corpus directory for the appropriate target, but one has to think of doing that.

Google's tutorial suggests passing additional directories on the fuzzer command line to seed the corpus. However, if I try something like:

cargo +nightly fuzz run <fuzz target name> -- ../test_files

The additional test_files path is placed before the default corpus created by cargo fuzz add. The fuzzer writes test cases to the first directory passed on the command line, so test_files ends up cluttered with fuzz inputs, complicating normal integration testing.

What I'd really like is some way to designate seed directories in fuzz/Cargo.toml so their specification could be checked into version control and included automatically in a naive cargo fuzz run so it's easier to get started and new test files are automatically added to the corpus when re-run.

Related to #194.

rillian, Jan 06 '22 21:01

It would also be helpful if there was a way to provide a structured input. Like if I'm generating a struct with Arbitrary but I know what specific values I want all the fields to be, how do I make an input file that will cause that result?

smmalis37, Jan 31 '24 00:01
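
An added example, not part of the issue thread and not cargo-fuzz's own code: one workaround for the problem in the opening post is to copy seeds into the target's corpus directory under content-hash names, so the seed directory is never passed to libFuzzer and never written to. The function names are hypothetical, and `fuzz/corpus/<fuzz target name>` in the usage comment is assumed to be the default corpus directory created by `cargo fuzz add`.

```shell
#!/bin/sh
# Added example: sync integration-test files into a cargo-fuzz corpus.
# The seed directory is only read; libFuzzer never sees it as an argument.

# Print the SHA-1 of a file's contents. libFuzzer names corpus entries by
# content hash, so using the same scheme deduplicates identical inputs.
content_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | cut -d' ' -f1
    else
        shasum -a 1 < "$1" | cut -d' ' -f1
    fi
}

# seed_corpus SEED_DIR CORPUS_DIR
# Copies every regular file under SEED_DIR (symlinks are not followed) into
# CORPUS_DIR, skipping contents already present. Prints the number of files
# added. Assumption: file names contain no newlines.
seed_corpus() {
    seed_dir=$1
    corpus_dir=$2
    [ -d "$seed_dir" ] || { echo "no such seed dir: $seed_dir" >&2; return 1; }
    mkdir -p "$corpus_dir" || return 1
    list=$(mktemp) || return 1
    find "$seed_dir" -type f > "$list"
    added=0
    while IFS= read -r f; do
        h=$(content_sha1 "$f") || continue
        if [ ! -e "$corpus_dir/$h" ]; then
            cp -- "$f" "$corpus_dir/$h" && added=$((added + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$added"
}

# Usage (paths and target name are placeholders):
#   sh seed_corpus.sh ../test_files "fuzz/corpus/<fuzz target name>"
#   cargo +nightly fuzz run <fuzz target name>
if [ "$#" -eq 2 ]; then
    seed_corpus "$1" "$2"
fi
```

Because the copy is idempotent, it can run before every fuzzing session, and test files added since the last run are picked up without touching the originals.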