flatbuffers/tests/fuzzer
Wouter van Oortmerssen 3cd9b6434a Removed code_generators.cpp from library targets
Change-Id: Ia6e032a77983bf1838b8675f51d1c910acc991d8
2020-01-02 08:50:39 -08:00
..
CMakeLists.txt Removed code_generators.cpp from library targets 2020-01-02 08:50:39 -08:00
flatbuffers_parser_fuzzer.cc Make the Parser independent from the global C-locale (#5028) 2018-11-16 09:24:06 -08:00
flatbuffers_scalar_fuzzer.cc Make the Parser independent from the global C-locale (#5028) 2018-11-16 09:24:06 -08:00
flatbuffers_verifier_fuzzer.cc Add simple libfuzzer based test. 2016-05-25 17:25:40 -07:00
fuzzer_assert.h Add fuzzer test for scalar numbers in json. (#4996) 2018-10-22 15:44:18 -07:00
readme.md Make the Parser independent from the global C-locale (#5028) 2018-11-16 09:24:06 -08:00
test_init.h Remove a static_assert (#5643) 2019-12-02 14:13:28 -08:00

readme.md

Test Flatbuffers library with help of libFuzzer

Test suite of Flatbuffers library has fuzzer section with tests are based on libFuzzer library.

LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVMs SanitizerCoverage instrumentation.

For details about libFuzzer see: https://llvm.org/docs/LibFuzzer.html

To build and run these tests LLVM compiler (with clang frontend) and CMake should be installed before.

The fuzzer section include three tests:

  • verifier_fuzzer checks stability of deserialization engine for Monster schema;
  • parser_fuzzer checks stability of schema and json parser under various inputs;
  • scalar_parser focused on validation of the parser while parse numeric scalars in schema and/or json files;

Run tests with a specific locale

The grammar of the Flatbuffers library is based on printable-ASCII characters. By design, the Flatbuffers library should be independent of the global or thread locales used by an end-user application. Set environment variable FLATBUFFERS_TEST_LOCALE to run a fuzzer with a specific C-locale:

>FLATBUFFERS_TEST_LOCALE="" ./scalar_parser
>FLATBUFFERS_TEST_LOCALE="ru_RU.CP1251" ./parser_fuzzer

Run fuzzer

These are examples of running a fuzzer. Flags may vary and depend on a version of the libFuzzer library. For details, run a fuzzer with -help flag: ./parser_fuzzer -help=1

./verifier_fuzzer -reduce_depth=1 -use_value_profile=1 -shrink=1 ../.corpus_verifier/

./parser_fuzzer -reduce_depth=1 -use_value_profile=1 -shrink=1 ../.corpus_parser/

./scalar_fuzzer -reduce_depth=1 -use_value_profile=1 -shrink=1 -max_len=3000 ../.corpus_parser/ ../.seed_parser/

Flag -only_ascii=1 is useful for fast number-compatibility checking while run scalar_fuzzer:
./scalar_fuzzer -only_ascii=1 -reduce_depth=1 -use_value_profile=1 -shrink=1 -max_len=3000 -timeout=10 -rss_limit_mb=2048 -jobs=2 ../.corpus_parser/ ../.seed_parser/

Run with a specific C-locale:
FLATBUFFERS_TEST_LOCALE="ru_RU.CP1251" ./scalar_fuzzer -reduce_depth=1 -use_value_profile=1 -shrink=1 -max_len=3000 -timeout=10 -rss_limit_mb=2048 ../.corpus_parser/ ../.seed_parser/

Merge (minimize) corpus

The libFuzzer allow to filter (minimize) corpus with help of -merge flag:

-merge If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories that trigger new code coverage will be merged into the first corpus directory. Defaults to 0. This flag can be used to minimize a corpus.

Merge several seeds to one (a new collected corpus to the seed collection, for example): ./scalar_fuzzer -merge=1 ../.seed_parser/ ../.corpus_parser/

Know limitations

  • LLVM 7.0 std::regex library has problem with stack overflow, maximum length of input for scalar_fuzzer run should be limited to 3000. Example: ./scalar_fuzzer -max_len=3000