.. _module-pw_fuzzer-concepts:

===================
pw_fuzzer: Concepts
===================
.. pigweed-module-subpage::
   :name: pw_fuzzer

Fuzzing is an approach to testing software with generated data. Guided fuzzing
uses feedback from the code being tested, such as code coverage, to direct the
generation of additional inputs. This feedback loop typically has three steps
that it executes repeatedly:

#. The `fuzzing engine`_ generates a new `test input`_. The details of the
   test input depend on the engine. For example, `libFuzzer`_ generates
   sequences of bytes of arbitrary length, while `FuzzTest`_ generates
   parameters to match a function signature.

#. The `test input`_ is used to exercise the `fuzz target`_. This is a targeted
   interface to the code being tested.

#. The code under test is monitored for feedback or any abnormal conditions.
   The feedback is commonly code coverage information generated by
   compiler-added `instrumentation`_.

The loop ends when a configured limit is reached, such as a specific duration or
number of iterations, or when an abnormal condition is detected. These can be
failed assertions, bug detections by `sanitizers`_, unhandled signals, etc.
When a loop terminates due to one of these errors, the fuzzer will typically
create a `reproducer`_ that developers can use to reproduce the fault.
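
The three steps above, shown as an added example that is not part of this page
or of Pigweed's own code. A small, constructed length-prefixed record parser
stands in for the code under test; ``LLVMFuzzerTestOneInput`` is the fuzz
target (the targeted interface libFuzzer calls with each generated test
input); and the invariant it checks, together with compiler sanitizers, is the
abnormal-condition detection that ends the loop. The wire format, the parser
and the ``main`` replay driver are all assumptions made for the example.

```cpp
// Added example (not Pigweed's code): a constructed record parser plus a
// libFuzzer-style fuzz target and a stand-alone reproducer replay driver.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <vector>

// Constructed wire format: repeated records of
//   [1-byte tag][1-byte length][length bytes of payload]
struct Record {
  uint8_t tag;
  std::vector<uint8_t> payload;
};

// Parses the whole buffer. Returns std::nullopt on a truncated record rather
// than reading past the end of the input.
std::optional<std::vector<Record>> ParseRecords(const uint8_t* data,
                                                size_t size) {
  std::vector<Record> out;
  size_t pos = 0;
  while (pos < size) {
    if (size - pos < 2) return std::nullopt;  // header truncated
    uint8_t tag = data[pos];
    uint8_t len = data[pos + 1];
    pos += 2;
    if (size - pos < len) return std::nullopt;  // payload truncated
    out.push_back(
        Record{tag, std::vector<uint8_t>(data + pos, data + pos + len)});
    pos += len;
  }
  return out;
}

// Serializes records back into the wire format; used as a round-trip oracle.
std::vector<uint8_t> SerializeRecords(const std::vector<Record>& records) {
  std::vector<uint8_t> out;
  for (const Record& r : records) {
    out.push_back(r.tag);
    out.push_back(static_cast<uint8_t>(r.payload.size()));
    out.insert(out.end(), r.payload.begin(), r.payload.end());
  }
  return out;
}

// libFuzzer entry point (step 2 of the loop). The engine (step 1) supplies
// `data`; returning 0 means "input consumed, nothing to report". A crash, a
// sanitizer report or a failed invariant check is what the engine looks for
// in step 3.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::optional<std::vector<Record>> parsed = ParseRecords(data, size);
  if (!parsed) return 0;  // cleanly rejecting malformed input is correct

  // Invariant: serialising what was parsed must reproduce the input bytes.
  std::vector<uint8_t> again = SerializeRecords(*parsed);
  if (again.size() != size) std::abort();
  for (size_t i = 0; i < size; ++i) {
    if (again[i] != data[i]) std::abort();
  }
  return 0;
}

// Stand-alone driver: replays saved inputs (for example a reproducer written
// by the engine) through the fuzz target, the way libFuzzer does when given
// file paths. When built with -fsanitize=fuzzer, libFuzzer supplies main().
int main(int argc, char** argv) {
  for (int i = 1; i < argc; ++i) {
    FILE* f = std::fopen(argv[i], "rb");
    if (!f) {
      std::perror(argv[i]);
      return 1;
    }
    std::vector<uint8_t> buf;
    int c;
    while ((c = std::fgetc(f)) != EOF) buf.push_back(static_cast<uint8_t>(c));
    std::fclose(f);
    LLVMFuzzerTestOneInput(buf.data(), buf.size());
    std::printf("%s: ok (%zu bytes)\n", argv[i], buf.size());
  }
  return 0;
}
```

Build it with ``clang++ -g -fsanitize=fuzzer,address`` to let libFuzzer drive
the loop with coverage feedback, or without the fuzzer sanitizer to get the
replay driver above, which is how a saved reproducer is run back through the
target under a debugger.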

.. image:: doc_resources/pw_fuzzer_coverage_guided.png
   :alt: Coverage Guided Fuzzing
   :align: left

.. Diagram created using Google Drawings:
   https://docs.google.com/drawings/d/1nGHCNp6iOiz_Qee9XCoIhMH01E_bB6tg3mipC-HJ0bo/edit

To learn more about how effective fuzzing can be or explore some of fuzzing's
"trophy lists", see `Why fuzz?`_.

.. inclusive-language: disable
.. _fuzz target: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzz-target
.. _fuzzing engine: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzzing-engine
.. _FuzzTest: https://github.com/google/fuzztest
.. _instrumentation: https://clang.llvm.org/docs/SanitizerCoverage.html
.. _libFuzzer: https://llvm.org/docs/LibFuzzer.html
.. _reproducer: https://github.com/google/fuzzing/blob/master/docs/glossary.md#reproducer
.. _sanitizers: https://github.com/google/fuzzing/blob/master/docs/glossary.md#sanitizer
.. _test input: https://github.com/google/fuzzing/blob/master/docs/glossary.md#test-input
.. _Why fuzz?: https://github.com/google/fuzzing/blob/master/docs/why-fuzz.md
.. inclusive-language: enable
