Directory listing of `fuzzing/` (as of 03-Dec-2020):

| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| old_crashes/ | 03-Dec-2020 | | | 108 |
| Jamfile | 03-Dec-2020 | 665 | 33 | 28 |
| Readme.md | 03-Dec-2020 | 2.3 KiB | 64 | 48 |
| fuzz.sh | 03-Dec-2020 | 2.8 KiB | 108 | 62 |
| fuzz_basic_parser.cpp | 03-Dec-2020 | 3 KiB | 104 | 78 |
| fuzz_parse.cpp | 03-Dec-2020 | 793 | 41 | 27 |
| fuzz_parser.cpp | 03-Dec-2020 | 3.2 KiB | 140 | 99 |

Readme.md

# Fuzzing

Boost.JSON has support for fuzzing. Clang/libFuzzer is used.

Fuzzing runs on pull requests, using a GitHub Actions CI job.
The job does the following:

 - compiles the fuzzers with the address and undefined-behaviour sanitizers turned on
 - runs all unit test inputs
 - reruns the old crashing inputs from the old_crashes folder
 - downloads the corpus from the last run (stored on bintray)
 - fuzzes for a short time (30 seconds per fuzzer)
 - minimizes the corpus and uploads it to bintray

The idea behind storing crashes in the old_crashes folder is that once a bug is detected,
the offending input can be added so that it prevents the CI job from succeeding until the bug
is fixed.
## Building and running the fuzzers locally
Execute the fuzzing/fuzz.sh script. You need clang++ installed. The script will start fuzzing for a limited time; interrupt it if you wish.

There are several fuzzers, exercising different parts of the API by following the usage examples in the documentation.
## Running a specific fuzzer manually
Either modify the fuzz.sh script, or run it first so that the fuzzer is compiled with the proper flags.

Each fuzzer is a separate binary. An example with the basic_parser fuzzer is shown below; the directory argument is the corpus, which libFuzzer reads seeds from and writes new interesting inputs back to:
```sh
mkdir -p out
./fuzzer_basic_parser out/
```

If you want to run a specific input (say an old crash), pass the file instead of a directory:
```sh
./fuzzer_basic_parser path/to/crash.json
```
37
38## Minimizing a crash
39If a crash is found, it is good to minimize and clean the crashing input.
40This is makes it easier to understand what the problem is.
41
42An example of minimizing and cleaning a real crash:
43```sh
44./fuzzer_basic_parser out
45# ...crashes and writes the crash-... file
46# minimize it:
47./fuzzer_basic_parser crash-1f8f27db1fcb30f32727472867633b7cee66d045 -minimize_crash=1 -exact_artifact_path=minimized_crash.json -max_total_time=100
48# minimized_crash.json shrank from 38493 bytes to 4102
49
50# replace irrelevant parts with space:
51./fuzzer_basic_parser minimized_crash.json -cleanse_crash=1 -exact_artifact_path=cleaned_crash.json
52
53# result is in cleaned_crash.json, commit it
54cp cleaned_crash.json old_crashes/basic_parser/20200903.json
55git add old_crashes/basic_parser/20200903.json
56```
57
58## Rerunning old crashes
59Given a test case testcase.json, build the fuzzer and execute it with the test file:
60```sh
61./fuzzer_basic_parser testcase.json
62```
63
64