.. _module-pw_fuzzer-concepts:

===================
pw_fuzzer: Concepts
===================
.. pigweed-module-subpage::
   :name: pw_fuzzer

Fuzzing is an approach to testing software with generated data. Guided fuzzing
uses feedback from the code being tested, such as code coverage, to direct the
generation of additional inputs. This feedback loop typically has three steps
that it executes repeatedly:

#. The `fuzzing engine`_ generates a new `test input`_. The details of the
   test input depend on the engine. For example, `libFuzzer`_ generates
   sequences of bytes of arbitrary length, while `FuzzTest`_ generates
   parameters to match a function signature.

#. The `test input`_ is used to exercise the `fuzz target`_. This is a targeted
   interface to the code being tested.

#. The code under test is monitored for feedback or any abnormal conditions.
   The feedback is commonly code coverage information generated by
   compiler-added `instrumentation`_.
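
The three steps above as a toy engine. This is an added illustration, not code from pw_fuzzer, libFuzzer or FuzzTest: ``Cover()``, ``FuzzTarget()`` and ``Fuzz()`` are hypothetical names, the parser and its planted bug are constructed, and hand-placed ``Cover()`` calls stand in for compiler-added instrumentation.

```cpp
// Added illustration: toy coverage-guided loop. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <stdexcept>
#include <vector>

using Input = std::vector<std::uint8_t>;
static std::set<int> g_hit;  // stand-in for compiler-added coverage counters
static void Cover(int edge) { g_hit.insert(edge); }

// Fuzz target: narrow interface to the code under test (constructed parser).
void FuzzTarget(const Input& in) {
  Cover(0);
  if (in.size() < 3) return;
  Cover(1);
  if (in[0] != 'P') return;
  Cover(2);
  if (in[1] != 'W') return;
  Cover(3);
  if (in[2] == '!') throw std::runtime_error("planted bug");  // abnormal condition
}

// Runs the loop; returns the reproducer, or an empty Input if max_iters is
// reached without a fault.
Input Fuzz(unsigned seed, int max_iters) {
  std::mt19937 rng(seed);
  std::vector<Input> corpus = {Input(3, 0)};
  std::set<int> seen;  // coverage reached by any earlier input
  for (int i = 0; i < max_iters; ++i) {
    // Step 1: the engine generates a test input by mutating a corpus entry.
    Input in = corpus[rng() % corpus.size()];
    std::size_t pos = rng() % in.size();
    in[pos] = static_cast<std::uint8_t>(rng());
    // Step 2: the input exercises the fuzz target.
    g_hit.clear();
    try {
      FuzzTarget(in);
    } catch (const std::exception&) {
      return in;  // abnormal condition: this input is the reproducer
    }
    // Step 3: feedback. Inputs that reach new coverage join the corpus.
    std::size_t before = seen.size();
    seen.insert(g_hit.begin(), g_hit.end());
    if (seen.size() > before) corpus.push_back(in);
  }
  return Input();
}
```

Each input that passes one more comparison is kept as a mutation base, so the three-byte trigger is found one byte at a time instead of by a single lucky guess.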

The loop ends when a configured limit is reached, such as a specific duration or
number of iterations, or when an abnormal condition is detected. Abnormal
conditions include failed assertions, bug detections by `sanitizers`_,
unhandled signals, etc. When a loop terminates due to one of these errors, the
fuzzer will typically create a `reproducer`_ that developers can use to
reproduce the fault.

.. image:: doc_resources/pw_fuzzer_coverage_guided.png
   :alt: Coverage Guided Fuzzing
   :align: left

.. Diagram created using Google Drawings:
   https://docs.google.com/drawings/d/1nGHCNp6iOiz_Qee9XCoIhMH01E_bB6tg3mipC-HJ0bo/edit

To learn more about how effective fuzzing can be or explore some of fuzzing's
"trophy lists", see `Why fuzz?`_.

.. inclusive-language: disable
.. _fuzz target: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzz-target
.. _fuzzing engine: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzzing-engine
.. _FuzzTest: https://github.com/google/fuzztest
.. _instrumentation: https://clang.llvm.org/docs/SanitizerCoverage.html
.. _libFuzzer: https://llvm.org/docs/LibFuzzer.html
.. _reproducer: https://github.com/google/fuzzing/blob/master/docs/glossary.md#reproducer
.. _sanitizers: https://github.com/google/fuzzing/blob/master/docs/glossary.md#sanitizer
.. _test input: https://github.com/google/fuzzing/blob/master/docs/glossary.md#test-input
.. _Why fuzz?: https://github.com/google/fuzzing/blob/master/docs/why-fuzz.md
.. inclusive-language: enable