mapbox / protozero
100%
master: 100%

LAST BUILD BRANCH: shadow
DEFAULT BRANCH: master
Repo Added
Files 11
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH fuzz-testing
branch: fuzz-testing
CHANGE BRANCH
x

195

push

travis-ci

daniel-j-h 
First try at integrating Fuzz Testing.

This is a first try at Coverage Based Fuzz Testing (plus
Data-flow-guided fuzzing) using LLVM's libFuzzer.

It's building a driver for (at the moment only) the varint zigzag
functions, then compiles it instrumenting thhe binary with coverage
information. It then spins up the test driver (that gets a main from
libFuzzer), dumping the corpus that changes control-flow into the
fuzz/corpus directory. (This can be kept across runs to speed up fuzzing)

It's best to compile the driver with multiple sanitizers (ubsan, asan,
msan, ..), and fuzz the library with those. Set env var

    FUZZ_SANITIZER

for this to e.g. undefined or address or memory, respectively.

Note: -jobs=N can be passed to the driver, letting it fork and run N
jobs in parallel; not doing this at the moment.

I tried this with LLVM 3.8 / libc++ on Linux as it needs a fairly recent
LLVM release; 3.7 should work, too, but I haven't teested this.

Disclaimer: I'm already doing a pull request although it's only fuzzing
the varint zigzag functions to get more traction for fuzzing across
projects.

References:
- http://llvm.org/docs/LibFuzzer.html
- http://llvm.org/releases/3.8.0/docs/LibFuzzer.html
- https://www.youtube.com/watch?v=qTkYDA0En6U
- https://github.com/Project-OSRM/osrm-backend/pull/2251

    env FUZZ_SANITIZER='undefined,integer' CC='clang' CXX='clang++' CXXFLAGS="-stdlib=libc++" LDFLAGS="-stdlib=libc++" make fuzz

    ./fuzz/varint -use_traces=1 fuzz/corpus
    Seed: 1864466908
    PreferSmall: 1
    #0      READ   units: 1 exec/s: 0
    #1      INITED cov: 32 bits: 32 units: 1 exec/s: 0
    #2      NEW    cov: 39 bits: 39 indir: 1 units: 2 exec/s: 0 L: 64 MS: 0
    #112    NEW    cov: 40 bits: 46 indir: 1 units: 3 exec/s: 0 L: 64 MS: 0
    #559    NEW    cov: 66 bits: 72 indir: 1 units: 4 exec/s: 0 L: 1 MS: 3 EraseByte-CrossOver-EraseByte-
    #637    NEW    cov: 66 bits: 74 indir: 1 units: 5 exec/s: 0 L: 2 MS: 1 InsertByte-
    #639    NEW... (continued)

562 of 563 relevant lines covered (99.82%)

2647.54 hits per line

Relevant lines Covered
563 RELEVANT LINES 562 COVERED LINES
2647.54 HITS PER LINE
Source Files on fuzz-testing
Coverage File Lines Relevant Covered Missed Hits/Line

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
195 fuzz-testing First try at integrating Fuzz Testing. This is a first try at Coverage Based Fuzz Testing (plus Data-flow-guided fuzzing) using LLVM's libFuzzer. It's building a driver for (at the moment only) the varint zigzag functions, then compiles it instr... push daniel-j-h travis-ci pending completion  
See All Builds (164)