oss-fuzz/docs/glossary.md

85 lines
3.8 KiB
Markdown
Raw Normal View History

2016-11-29 21:01:24 +00:00
# Glossary
2016-11-21 22:29:12 +00:00
Naming things is hard, so this page tries to reduce confusion around fuzzing-related terminology.
2016-11-21 22:29:12 +00:00
2016-11-29 21:33:19 +00:00
## Corpus
Or **test corpus**, or **fuzzing corpus**.<BR>
A set of [test inputs](#test-input). In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage.
2016-11-29 21:33:19 +00:00
2016-11-21 22:49:57 +00:00
## Fuzz Target
2016-11-29 21:06:36 +00:00
Or **Target Function**, or **Fuzzing Target Function**, or **Fuzzing Entry Point**.<BR>
2016-11-30 03:26:34 +00:00
A function to which we apply fuzzing. A [specific signature](http://libfuzzer.info#fuzz-target) is required for OSS-Fuzz.
2016-11-21 22:37:27 +00:00
Examples: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/x509.c),
2016-11-29 20:36:22 +00:00
[re2](https://github.com/google/re2/blob/master/re2/fuzzing/re2_fuzzer.cc),
[SQLite](https://www.sqlite.org/src/artifact/ad79e867fb504338).
2016-11-21 22:50:42 +00:00
2016-11-29 21:00:57 +00:00
A fuzz target can be used to [reproduce bug reports](reproducing.md).
2016-11-30 03:26:34 +00:00
It is recommended to use it for regression testing as well (see [ideal integration](ideal_integration.md)).
2016-11-21 22:29:58 +00:00
2016-11-29 21:33:19 +00:00
## Fuzzer
2016-11-21 23:16:58 +00:00
2016-11-29 21:33:19 +00:00
The most overloaded term and used in a variety of contexts, which makes it bad.
2016-11-30 03:26:34 +00:00
Sometimes, "Fuzzer" is referred to a [fuzz target](#fuzz-target),
a [fuzzing engine](#fuzzing-engine),
2016-11-29 21:33:19 +00:00
a [mutation engine](#mutation-engine),
a [test generator](#test-generator) or
a [fuzzer build](#job-type).
2016-11-21 23:16:58 +00:00
2016-11-21 22:49:57 +00:00
## Fuzzing Engine
2016-11-29 21:06:10 +00:00
A tool that tries to find interesting inputs for a [fuzz target](#fuzz-target) by executing it.
2016-12-20 14:08:31 +00:00
Examples: [libFuzzer](http://libfuzzer.info),
2016-11-21 22:49:57 +00:00
[AFL](lcamtuf.coredump.cx/afl/),
[honggfuzz](https://github.com/google/honggfuzz), etc
2016-11-30 03:26:34 +00:00
See related terms [Mutation Engine](#mutation-engine) and [Test Generator](#test-generator).
2016-11-21 22:49:57 +00:00
2016-11-22 02:07:12 +00:00
## Job type
2016-11-22 00:29:42 +00:00
2016-11-29 21:06:10 +00:00
Or **Fuzzer Build**.<BR>
A [ClusterFuzz](clusterfuzz.md)-specific term.
2016-11-30 03:26:34 +00:00
This refers to a build that contains all the [fuzz targets](#fuzz-target) for a given [project](#project), is run
with a specific [fuzzing engine](#fuzzing-engine), in a specific build mode (e.g. with enabled/disabled assertions),
2016-11-29 20:54:20 +00:00
and optionally combined with a [sanitizer](#sanitizer).
2016-11-22 00:29:42 +00:00
2016-11-29 21:06:10 +00:00
For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 [fuzz targets](#fuzz-target) using
2016-12-20 14:27:42 +00:00
[libFuzzer](http://libfuzzer.info) and [ASan](http://clang.llvm.org/docs/AddressSanitizer.html).
2016-11-22 02:08:18 +00:00
2016-11-21 22:49:57 +00:00
## Mutation Engine
2016-11-30 18:33:45 +00:00
A tool that takes a set of testcases as input and creates their mutated versions.
2016-11-30 03:26:34 +00:00
It is just a generator and does not feed the mutations to [fuzz target](#fuzz-target).
2016-11-29 20:54:20 +00:00
Example: [radamsa](https://github.com/aoh/radamsa) (a generic test mutator).
2016-11-21 22:49:57 +00:00
2016-11-29 21:33:19 +00:00
## Project
A project is an open source software project that is integrated with OSS-Fuzz.
2016-11-30 03:26:34 +00:00
Each project has a single set of configuration files
(example: [expat](https://github.com/google/oss-fuzz/tree/master/projects/expat)) and
may have one or more [fuzz targets](#fuzz-target)
2016-11-29 21:40:42 +00:00
(example: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/)).
2016-11-29 21:33:19 +00:00
## Reproducer
Or a **testcase**.<BR>
A [test input](#test-input) that causes a specific bug to reproduce.
2016-11-21 22:49:57 +00:00
2016-11-29 20:54:20 +00:00
## [Sanitizer](https://github.com/google/sanitizers)
A [dynamic testing](https://en.wikipedia.org/wiki/Dynamic_testing) tool that can detect bugs during program execution.
Examples:
2016-11-22 00:29:42 +00:00
[ASan](http://clang.llvm.org/docs/AddressSanitizer.html),
2016-11-29 20:54:20 +00:00
[DFSan](http://clang.llvm.org/docs/DataFlowSanitizer.html),
[LSan](http://clang.llvm.org/docs/LeakSanitizer.html),
2016-11-22 00:29:42 +00:00
[MSan](http://clang.llvm.org/docs/MemorySanitizer.html),
[TSan](http://clang.llvm.org/docs/ThreadSanitizer.html),
[UBSan](http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html).
2016-11-29 21:33:19 +00:00
## Test Generator
A tool that generates testcases from scratch according to some rules or grammar.
Examples:
[csmith](https://embed.cs.utah.edu/csmith/) (a test generator for C language),
[cross_fuzz](http://lcamtuf.coredump.cx/cross_fuzz/) (a cross-document DOM binding test generator).
2016-11-21 22:49:57 +00:00
2016-11-29 21:33:19 +00:00
## Test Input
2016-11-30 03:26:34 +00:00
A sequence of bytes that is used as input to a [fuzz target](#fuzz-target).
Typically, a test input is stored in a separate file.