OSS-Fuzz Glossary
Naming things is hard. This page tries to reduce confusion around fuzz-related terminology.
Fuzz Target
Or Target Function or Fuzzing Target Function, or Fuzzing Entry Point.
A function to which we apply fuzzing. A specific signature is needed for OSS-Fuzz.
Examples: openssl, re2, SQLite.
A fuzz target can be used to reproduce bug reports. It is recommended to use it for regression testing (see ideal integration).
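The following is an added example, not code from OSS-Fuzz or from any of the projects named above. It shows a fuzz target written with libFuzzer's entry-point signature, plus a replay function that runs stored inputs through the same target for regression testing. The parse_records API, the sample input bytes, and replay_corpus are hypothetical names constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical API under test: counts [1-byte length][payload] records.
 * Returns the record count, or -1 if a record is truncated. */
static int parse_records(const uint8_t *buf, size_t len) {
    int count = 0;
    size_t off = 0;
    while (off < len) {
        size_t n = buf[off++];         /* declared payload length */
        if (n > len - off) return -1;  /* never read past the buffer */
        off += n;
        count++;
    }
    return count;
}

/* Fuzz target: the fuzzing engine calls this once per test input.
 * It must tolerate arbitrary bytes and returns 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    /* Exact-size heap copy so a sanitizer (e.g. ASan) flags any over-read. */
    uint8_t *copy = malloc(size ? size : 1);
    if (!copy) return 0;
    if (size) memcpy(copy, data, size);
    parse_records(copy, size);
    free(copy);
    return 0;
}

/* Constructed sample inputs; a real corpus is stored as one file per input. */
static const uint8_t in_ok[]    = {2, 'h', 'i', 0};  /* two records */
static const uint8_t in_trunc[] = {5, 'a'};          /* truncated payload */
static const uint8_t in_max[]   = {0xff};            /* length, no payload */
static const struct { const uint8_t *p; size_t n; } corpus[] = {
    {in_ok, sizeof in_ok}, {in_trunc, sizeof in_trunc}, {in_max, sizeof in_max},
};

/* Regression replay: run every stored input through the fuzz target
 * without a fuzzing engine. Returns how many inputs were executed. */
int replay_corpus(void) {
    int ran = 0;
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++)
        if (LLVMFuzzerTestOneInput(corpus[i].p, corpus[i].n) == 0) ran++;
    return ran;
}

/* Stand-alone driver; drop it when linking a fuzzing engine, which has its own main. */
int main(void) { return replay_corpus() == 3 ? 0 : 1; }
```

Building the same file with a sanitizer enabled turns a memory error on any replayed input into a crash, which is what makes a stored reproducer useful as a regression test.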
Project
OSS-Fuzz applies fuzzing to fuzz targets that test APIs of some specific open source library (or sometimes, internal functions of some application). One project may have more than one fuzz target (example: openssl), but OSS-Fuzz will have a single set of configuration files for such a project.
Fuzzing Engine
A tool that tries to find interesting inputs for a Fuzz Target by executing it. Examples: libFuzzer, AFL, honggfuzz, etc.
See also Mutation Engine and Test Generator.
Job type
Or Fuzzer Build.
A ClusterFuzz-specific term.
This refers to a build that contains all the fuzz targets for a given project with a specific fuzzing engine, in a specific build mode (e.g. with enabled or disabled assertions), and optionally combined with a sanitizer.
For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 fuzz targets using libFuzzer and ASan.
Test Input
A sequence of bytes that is used as the input to a fuzz target. Typically, a test input is stored in a separate file.
Reproducer
Or a testcase.
A test input that causes a specific bug to reproduce.
Corpus
Or test corpus, or fuzzing corpus.
A set of test inputs. In many contexts, it also refers to a set of minimal test inputs that generates maximal code coverage.
Mutation Engine
A tool that takes a set of testcases as input and creates their mutated versions. It does not feed the mutations to a fuzz target. Example: radamsa (a generic test mutator).
Test Generator
A tool that generates testcases according to some rules or grammar. Examples: csmith (a test generator for the C language), cross_fuzz (a cross-document DOM binding test generator).
Sanitizer
A dynamic testing tool that can detect bugs during program execution. Examples: ASan, DFSan, LSan, MSan, TSan, UBSan.
Fuzzer
The most overloaded term, used in a variety of contexts, which makes it bad. Sometimes "Fuzzer" refers to a fuzz target, sometimes to a fuzzing engine, a mutation engine, a test generator or a fuzzer build.