Glossary
Naming things is hard. This page tries to reduce confusion around fuzzing-related terminology.
Corpus
Or test corpus, or fuzzing corpus.
A set of test inputs. In common usage, the term also refers to a set of minimal test inputs that generate maximal code coverage.
Fuzz Target
Or Target Function, or Fuzzing Target Function, or Fuzzing Entry Point.
A function to which we apply fuzzing. A specific signature is needed for OSS-Fuzz.
Examples: openssl, re2, SQLite.
A fuzz target can be used to reproduce bug reports. It is recommended to use it for regression testing (see ideal integration).
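As an added illustration (not code from OSS-Fuzz or from any project listed above), here is a fuzz target with the entry-point signature libFuzzer uses, plus a small replay loop that runs the same target over stored test inputs for regression testing. The parse_kv function, the kCorpus inputs and the replay_corpus helper are hypothetical names constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API under test: splits "KEY=VALUE" into fixed buffers.
 * Returns 0 on success, -1 on malformed or oversized input. */
static int parse_kv(const uint8_t *buf, size_t len, char key[16], char val[32]) {
    if (len == 0) return -1;
    const uint8_t *eq = memchr(buf, '=', len);
    if (eq == NULL) return -1;
    size_t klen = (size_t)(eq - buf);
    size_t vlen = len - klen - 1;
    if (klen == 0 || klen >= 16 || vlen >= 32) return -1;  /* bounds checks */
    memcpy(key, buf, klen);
    key[klen] = '\0';
    memcpy(val, eq + 1, vlen);
    val[vlen] = '\0';
    return 0;
}

/* The fuzz target: takes one test input (a byte sequence) and feeds it to
 * the API. It must tolerate any input; bugs surface as crashes, sanitizer
 * reports, or the explicit invariant check below. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char key[16], val[32];
    if (parse_kv(data, size, key, val) == 0) {
        /* Invariant: the parsed pieces can never be longer than the input. */
        if (strlen(key) + 1 + strlen(val) > size) abort();
    }
    return 0;
}

/* Constructed test inputs standing in for corpus files and reproducers. */
static const char *const kCorpus[] = {
    "", "=", "a=b", "no-separator", "kkkkkkkkkkkkkkkkkkkk=v"
};

/* Regression use: replay every stored input through the same fuzz target.
 * Returns the number of inputs replayed without a crash. */
int replay_corpus(void) {
    size_t n = sizeof kCorpus / sizeof kCorpus[0];
    for (size_t i = 0; i < n; i++)
        LLVMFuzzerTestOneInput((const uint8_t *)kCorpus[i], strlen(kCorpus[i]));
    return (int)n;
}

/* Stand-alone driver; leave it out when a fuzzing engine supplies main(). */
int main(void) { printf("replayed %d inputs\n", replay_corpus()); return 0; }
```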
Fuzzer
The most overloaded term, used in a variety of contexts, which makes it a bad term. Sometimes "fuzzer" refers to a fuzz target, sometimes to a fuzzing engine, a mutation engine, a test generator or a fuzzer build.
Fuzzing Engine
A tool that tries to find interesting inputs for a fuzz target by executing it. Examples: libFuzzer, AFL, honggfuzz, etc.
See also Mutation Engine and Test Generator.
Job type
Or Fuzzer Build.
A ClusterFuzz-specific term.
This refers to a build that contains all the fuzz targets for a given project with a specific fuzzing engine, in a specific build mode (e.g. with enabled or disabled assertions), and optionally combined with a sanitizer.
For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 fuzz targets using libFuzzer and ASan.
Mutation Engine
A tool that takes a set of testcases as input and creates mutated versions of them. It does not feed the mutations to a fuzz target. Example: radamsa (a generic test mutator).
Project
An entity comprising various fuzz targets that test APIs (or internal functions) of a specific open source project. Each project has a single set of configuration files and may have more than one fuzz target (example: openssl).
Reproducer
Or a testcase.
A test input that causes a specific bug to reproduce.
Sanitizer
A dynamic testing tool that can detect bugs during program execution. Examples: ASan, DFSan, LSan, MSan, TSan, UBSan.
Test Generator
A tool that generates testcases from scratch according to some rules or grammar. Examples: csmith (a test generator for the C language), cross_fuzz (a cross-document DOM binding test generator).
Test Input
A sequence of bytes that is used as the input to a fuzz target. Typically, a test input is stored in a separate file.