1*61c4878aSAndroid Build Coastguard Worker.. _module-pw_fuzzer-guides-using_fuzztest: 2*61c4878aSAndroid Build Coastguard Worker 3*61c4878aSAndroid Build Coastguard Worker======================================== 4*61c4878aSAndroid Build Coastguard Workerpw_fuzzer: Adding Fuzzers Using FuzzTest 5*61c4878aSAndroid Build Coastguard Worker======================================== 6*61c4878aSAndroid Build Coastguard Worker.. pigweed-module-subpage:: 7*61c4878aSAndroid Build Coastguard Worker :name: pw_fuzzer 8*61c4878aSAndroid Build Coastguard Worker 9*61c4878aSAndroid Build Coastguard Worker.. note:: 10*61c4878aSAndroid Build Coastguard Worker 11*61c4878aSAndroid Build Coastguard Worker `FuzzTest`_ is currently only supported on Linux and MacOS using Clang. 12*61c4878aSAndroid Build Coastguard Worker 13*61c4878aSAndroid Build Coastguard Worker.. _module-pw_fuzzer-guides-using_fuzztest-toolchain: 14*61c4878aSAndroid Build Coastguard Worker 15*61c4878aSAndroid Build Coastguard Worker---------------------------------------- 16*61c4878aSAndroid Build Coastguard WorkerStep 0: Set up FuzzTest for your project 17*61c4878aSAndroid Build Coastguard Worker---------------------------------------- 18*61c4878aSAndroid Build Coastguard Worker.. note:: 19*61c4878aSAndroid Build Coastguard Worker 20*61c4878aSAndroid Build Coastguard Worker This workflow only needs to be done once for a project. 21*61c4878aSAndroid Build Coastguard Worker 22*61c4878aSAndroid Build Coastguard WorkerFuzzTest and its dependencies are not included in Pigweed and need to be added. 23*61c4878aSAndroid Build Coastguard Worker 24*61c4878aSAndroid Build Coastguard WorkerSee the following: 25*61c4878aSAndroid Build Coastguard Worker 26*61c4878aSAndroid Build Coastguard Worker* :ref:`module-pw_third_party_abseil_cpp-using_upstream` 27*61c4878aSAndroid Build Coastguard Worker* :ref:`module-pw_third_party_fuzztest-using_upstream` 28*61c4878aSAndroid Build Coastguard Worker* :ref:`module-pw_third_party_googletest-using_upstream` 29*61c4878aSAndroid Build Coastguard Worker* :ref:`module-pw_third_party_re2-using_upstream` 30*61c4878aSAndroid Build Coastguard Worker 31*61c4878aSAndroid Build Coastguard Worker.. tab-set:: 32*61c4878aSAndroid Build Coastguard Worker 33*61c4878aSAndroid Build Coastguard Worker .. tab-item:: GN 34*61c4878aSAndroid Build Coastguard Worker :sync: gn 35*61c4878aSAndroid Build Coastguard Worker 36*61c4878aSAndroid Build Coastguard Worker You may not want to use upstream GoogleTest all the time. For example, it 37*61c4878aSAndroid Build Coastguard Worker may not be supported on your target device. In this case, you can limit it 38*61c4878aSAndroid Build Coastguard Worker to a specific toolchain used for fuzzing. For example: 39*61c4878aSAndroid Build Coastguard Worker 40*61c4878aSAndroid Build Coastguard Worker .. code-block:: 41*61c4878aSAndroid Build Coastguard Worker 42*61c4878aSAndroid Build Coastguard Worker import("$dir_pw_toolchain/host/target_toolchains.gni") 43*61c4878aSAndroid Build Coastguard Worker 44*61c4878aSAndroid Build Coastguard Worker my_toolchains = { 45*61c4878aSAndroid Build Coastguard Worker ... 46*61c4878aSAndroid Build Coastguard Worker clang_fuzz = { 47*61c4878aSAndroid Build Coastguard Worker name = "my_clang_fuzz" 48*61c4878aSAndroid Build Coastguard Worker forward_variables_from(pw_toolchain_host.clang_fuzz, "*", ["name"]) 49*61c4878aSAndroid Build Coastguard Worker pw_unit_test_MAIN = "$dir_pw_fuzzer:fuzztest_main" 50*61c4878aSAndroid Build Coastguard Worker pw_unit_test_BACKEND = "$dir_pw_fuzzer:gtest" 51*61c4878aSAndroid Build Coastguard Worker } 52*61c4878aSAndroid Build Coastguard Worker ... 53*61c4878aSAndroid Build Coastguard Worker } 54*61c4878aSAndroid Build Coastguard Worker 55*61c4878aSAndroid Build Coastguard Worker .. tab-item:: CMake 56*61c4878aSAndroid Build Coastguard Worker :sync: cmake 57*61c4878aSAndroid Build Coastguard Worker 58*61c4878aSAndroid Build Coastguard Worker FuzzTest is enabled by setting several CMake variables. The easiest way to 59*61c4878aSAndroid Build Coastguard Worker set these is to extend your ``toolchain.cmake`` file. 60*61c4878aSAndroid Build Coastguard Worker 61*61c4878aSAndroid Build Coastguard Worker For example: 62*61c4878aSAndroid Build Coastguard Worker 63*61c4878aSAndroid Build Coastguard Worker .. code-block:: 64*61c4878aSAndroid Build Coastguard Worker 65*61c4878aSAndroid Build Coastguard Worker include(my_project_toolchain.cmake) 66*61c4878aSAndroid Build Coastguard Worker 67*61c4878aSAndroid Build Coastguard Worker set(dir_pw_third_party_fuzztest 68*61c4878aSAndroid Build Coastguard Worker "path/to/fuzztest" 69*61c4878aSAndroid Build Coastguard Worker CACHE STRING "" FORCE 70*61c4878aSAndroid Build Coastguard Worker ) 71*61c4878aSAndroid Build Coastguard Worker set(dir_pw_third_party_googletest 72*61c4878aSAndroid Build Coastguard Worker "path/to/googletest" 73*61c4878aSAndroid Build Coastguard Worker CACHE STRING "" FORCE 74*61c4878aSAndroid Build Coastguard Worker ) 75*61c4878aSAndroid Build Coastguard Worker set(pw_unit_test_BACKEND 76*61c4878aSAndroid Build Coastguard Worker "pw_third_party.fuzztest" 77*61c4878aSAndroid Build Coastguard Worker CACHE STRING "" FORCE 78*61c4878aSAndroid Build Coastguard Worker ) 79*61c4878aSAndroid Build Coastguard Worker 80*61c4878aSAndroid Build Coastguard Worker .. tab-item:: Bazel 81*61c4878aSAndroid Build Coastguard Worker :sync: bazel 82*61c4878aSAndroid Build Coastguard Worker 83*61c4878aSAndroid Build Coastguard Worker Include Abseil-C++ and GoogleTest in your ``WORKSPACE`` file. For example: 84*61c4878aSAndroid Build Coastguard Worker 85*61c4878aSAndroid Build Coastguard Worker .. code-block:: 86*61c4878aSAndroid Build Coastguard Worker 87*61c4878aSAndroid Build Coastguard Worker http_archive( 88*61c4878aSAndroid Build Coastguard Worker name = "com_google_absl", 89*61c4878aSAndroid Build Coastguard Worker sha256 = "338420448b140f0dfd1a1ea3c3ce71b3bc172071f24f4d9a57d59b45037da440", 90*61c4878aSAndroid Build Coastguard Worker strip_prefix = "abseil-cpp-20240116.0", 91*61c4878aSAndroid Build Coastguard Worker url = "https://github.com/abseil/abseil-cpp/releases/download/20240116.0/abseil-cpp-20240116.0.tar.gz", 92*61c4878aSAndroid Build Coastguard Worker ) 93*61c4878aSAndroid Build Coastguard Worker 94*61c4878aSAndroid Build Coastguard Worker git_repository( 95*61c4878aSAndroid Build Coastguard Worker name = "com_google_googletest", 96*61c4878aSAndroid Build Coastguard Worker commit = "3b6d48e8d5c1d9b3f9f10ac030a94008bfaf032b", 97*61c4878aSAndroid Build Coastguard Worker remote = "https://pigweed.googlesource.com/third_party/github/google/googletest", 98*61c4878aSAndroid Build Coastguard Worker ) 99*61c4878aSAndroid Build Coastguard Worker 100*61c4878aSAndroid Build Coastguard Worker Then, import the FuzzTest build configurations in your ``.bazelrc`` file 101*61c4878aSAndroid Build Coastguard Worker by adding and adapting the following: 102*61c4878aSAndroid Build Coastguard Worker 103*61c4878aSAndroid Build Coastguard Worker .. code-block:: 104*61c4878aSAndroid Build Coastguard Worker 105*61c4878aSAndroid Build Coastguard Worker # Include FuzzTest build configurations. 106*61c4878aSAndroid Build Coastguard Worker try-import %workspace%/path/to/pigweed/pw_fuzzer/fuzztest.bazelrc 107*61c4878aSAndroid Build Coastguard Worker 108*61c4878aSAndroid Build Coastguard Worker---------------------------------------- 109*61c4878aSAndroid Build Coastguard WorkerStep 1: Write a unit test for the target 110*61c4878aSAndroid Build Coastguard Worker---------------------------------------- 111*61c4878aSAndroid Build Coastguard Worker 112*61c4878aSAndroid Build Coastguard WorkerAs noted previously, the very first step is to identify one or more target 113*61c4878aSAndroid Build Coastguard Workerbehavior that would benefit from testing. See `FuzzTest Use Cases`_ for more 114*61c4878aSAndroid Build Coastguard Workerdetails on how to identify this code. 115*61c4878aSAndroid Build Coastguard Worker 116*61c4878aSAndroid Build Coastguard WorkerOnce identified, it is useful to start from a unit test. You may already have a 117*61c4878aSAndroid Build Coastguard Workerunit test writtern, but if not it is likely still be helpful to write one first. 118*61c4878aSAndroid Build Coastguard WorkerMany developers are more familiar with writing unit tests, and there are 119*61c4878aSAndroid Build Coastguard Workerdetailed guides available. See for example the `GoogleTest documentation`_. 120*61c4878aSAndroid Build Coastguard Worker 121*61c4878aSAndroid Build Coastguard WorkerThis guide will use code from ``//pw_fuzzer/examples/fuzztest/``. This code 122*61c4878aSAndroid Build Coastguard Workerincludes the following object as an example of code that would benefit from 123*61c4878aSAndroid Build Coastguard Workerfuzzing for undefined behavior and from roundtrip fuzzing. 124*61c4878aSAndroid Build Coastguard Worker 125*61c4878aSAndroid Build Coastguard Worker.. note:: 126*61c4878aSAndroid Build Coastguard Worker 127*61c4878aSAndroid Build Coastguard Worker To keep the example simple, this code uses the standard library. As a result, 128*61c4878aSAndroid Build Coastguard Worker this code may not work with certain devices. 129*61c4878aSAndroid Build Coastguard Worker 130*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics.h 131*61c4878aSAndroid Build Coastguard Worker :language: cpp 132*61c4878aSAndroid Build Coastguard Worker :linenos: 133*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_h] 134*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_h] 135*61c4878aSAndroid Build Coastguard Worker 136*61c4878aSAndroid Build Coastguard WorkerUnit tests for this class might attempt to deserialize previously serialized 137*61c4878aSAndroid Build Coastguard Workerobjects and to deserialize invalid data: 138*61c4878aSAndroid Build Coastguard Worker 139*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics_unittest.cc 140*61c4878aSAndroid Build Coastguard Worker :language: cpp 141*61c4878aSAndroid Build Coastguard Worker :linenos: 142*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_unittest] 143*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_unittest] 144*61c4878aSAndroid Build Coastguard Worker 145*61c4878aSAndroid Build Coastguard Worker-------------------------------------------- 146*61c4878aSAndroid Build Coastguard WorkerStep 2: Convert your unit test to a function 147*61c4878aSAndroid Build Coastguard Worker-------------------------------------------- 148*61c4878aSAndroid Build Coastguard Worker 149*61c4878aSAndroid Build Coastguard WorkerExamine your unit tests and identify any places you have fixed values that could 150*61c4878aSAndroid Build Coastguard Workervary. Turn your unit test into a function that takes those values as parameters. 151*61c4878aSAndroid Build Coastguard WorkerSince fuzzing may not occur on all targets, you should preserve your unit test 152*61c4878aSAndroid Build Coastguard Workerby calling the new function with the previously fixed values. 153*61c4878aSAndroid Build Coastguard Worker 154*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics_fuzztest.cc 155*61c4878aSAndroid Build Coastguard Worker :language: cpp 156*61c4878aSAndroid Build Coastguard Worker :linenos: 157*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_fuzztest1] 158*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_fuzztest1] 159*61c4878aSAndroid Build Coastguard Worker 160*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics_fuzztest.cc 161*61c4878aSAndroid Build Coastguard Worker :language: cpp 162*61c4878aSAndroid Build Coastguard Worker :linenos: 163*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_fuzztest3] 164*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_fuzztest3] 165*61c4878aSAndroid Build Coastguard Worker 166*61c4878aSAndroid Build Coastguard WorkerNote that in ``ArbitrarySerializeAndDeserialize`` we no longer assume the 167*61c4878aSAndroid Build Coastguard Workermarshalling will always be successful, and exit early if it is not. You may need 168*61c4878aSAndroid Build Coastguard Workerto make similar modifications to your unit tests if constraints on parameters 169*61c4878aSAndroid Build Coastguard Workerare not expressed by `domains`__ as described below. 170*61c4878aSAndroid Build Coastguard Worker 171*61c4878aSAndroid Build Coastguard Worker.. __: `FuzzTest Domain Reference`_ 172*61c4878aSAndroid Build Coastguard Worker 173*61c4878aSAndroid Build Coastguard Worker-------------------------------------------- 174*61c4878aSAndroid Build Coastguard WorkerStep 3: Add a FUZZ_TEST macro invocation 175*61c4878aSAndroid Build Coastguard Worker-------------------------------------------- 176*61c4878aSAndroid Build Coastguard Worker 177*61c4878aSAndroid Build Coastguard WorkerNow, include ``"fuzztest/fuzztest.h"`` and pass the test suite name and your 178*61c4878aSAndroid Build Coastguard Workerfunction name to the ``FUZZ_TEST`` macro. Call ``WithDomains`` on the returned 179*61c4878aSAndroid Build Coastguard Workerobject to specify the input domain for each parameter of the function. For 180*61c4878aSAndroid Build Coastguard Workerexample: 181*61c4878aSAndroid Build Coastguard Worker 182*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics_fuzztest.cc 183*61c4878aSAndroid Build Coastguard Worker :language: cpp 184*61c4878aSAndroid Build Coastguard Worker :linenos: 185*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_fuzztest2] 186*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_fuzztest2] 187*61c4878aSAndroid Build Coastguard Worker 188*61c4878aSAndroid Build Coastguard Worker.. literalinclude:: ../examples/fuzztest/metrics_fuzztest.cc 189*61c4878aSAndroid Build Coastguard Worker :language: cpp 190*61c4878aSAndroid Build Coastguard Worker :linenos: 191*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-metrics_fuzztest4] 192*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-metrics_fuzztest4] 193*61c4878aSAndroid Build Coastguard Worker 194*61c4878aSAndroid Build Coastguard WorkerYou may know of specific values that are "interesting", i.e. that represent 195*61c4878aSAndroid Build Coastguard Workerboundary conditions, involve, special handling, etc. To guide the fuzzer towards 196*61c4878aSAndroid Build Coastguard Workerthese code paths, you can include them as `seeds`_. However, as noted in 197*61c4878aSAndroid Build Coastguard Workerthe comments of the examples, it is recommended to include a unit test with the 198*61c4878aSAndroid Build Coastguard Workeroriginal parameters to ensure the code is tested on target devices. 199*61c4878aSAndroid Build Coastguard Worker 200*61c4878aSAndroid Build Coastguard WorkerFuzzTest provides more detailed documentation on these topics. For example: 201*61c4878aSAndroid Build Coastguard Worker 202*61c4878aSAndroid Build Coastguard Worker* Refer to `The FUZZ_TEST Macro`_ reference for more details on how to use this 203*61c4878aSAndroid Build Coastguard Worker macro. 204*61c4878aSAndroid Build Coastguard Worker 205*61c4878aSAndroid Build Coastguard Worker* Refer to the `FuzzTest Domain Reference`_ for details on all the different 206*61c4878aSAndroid Build Coastguard Worker types of domains supported by FuzzTest and how they can be combined. 207*61c4878aSAndroid Build Coastguard Worker 208*61c4878aSAndroid Build Coastguard Worker* Refer to the `Test Fixtures`_ reference for how to create fuzz tests from unit 209*61c4878aSAndroid Build Coastguard Worker tests that use GoogleTest fixtures. 210*61c4878aSAndroid Build Coastguard Worker 211*61c4878aSAndroid Build Coastguard Worker------------------------------------ 212*61c4878aSAndroid Build Coastguard WorkerStep 4: Add the fuzzer to your build 213*61c4878aSAndroid Build Coastguard Worker------------------------------------ 214*61c4878aSAndroid Build Coastguard WorkerNext, indicate that the unit test includes one or more fuzz tests. 215*61c4878aSAndroid Build Coastguard Worker 216*61c4878aSAndroid Build Coastguard Worker.. tab-set:: 217*61c4878aSAndroid Build Coastguard Worker 218*61c4878aSAndroid Build Coastguard Worker .. tab-item:: GN 219*61c4878aSAndroid Build Coastguard Worker :sync: gn 220*61c4878aSAndroid Build Coastguard Worker 221*61c4878aSAndroid Build Coastguard Worker The ``pw_fuzz_test`` template can be used to add the necessary FuzzTest 222*61c4878aSAndroid Build Coastguard Worker dependency and generate test metadata. 223*61c4878aSAndroid Build Coastguard Worker 224*61c4878aSAndroid Build Coastguard Worker For example, consider the following ``BUILD.gn``: 225*61c4878aSAndroid Build Coastguard Worker 226*61c4878aSAndroid Build Coastguard Worker .. literalinclude:: ../examples/fuzztest/BUILD.gn 227*61c4878aSAndroid Build Coastguard Worker :linenos: 228*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-gn] 229*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-gn] 230*61c4878aSAndroid Build Coastguard Worker 231*61c4878aSAndroid Build Coastguard Worker .. tab-item:: CMake 232*61c4878aSAndroid Build Coastguard Worker :sync: cmake 233*61c4878aSAndroid Build Coastguard Worker 234*61c4878aSAndroid Build Coastguard Worker Unit tests can support fuzz tests by simply adding a dependency on 235*61c4878aSAndroid Build Coastguard Worker FuzzTest. 236*61c4878aSAndroid Build Coastguard Worker 237*61c4878aSAndroid Build Coastguard Worker For example, consider the following ``CMakeLists.txt``: 238*61c4878aSAndroid Build Coastguard Worker 239*61c4878aSAndroid Build Coastguard Worker .. literalinclude:: ../examples/fuzztest/CMakeLists.txt 240*61c4878aSAndroid Build Coastguard Worker :linenos: 241*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-cmake] 242*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-cmake] 243*61c4878aSAndroid Build Coastguard Worker 244*61c4878aSAndroid Build Coastguard Worker .. tab-item:: Bazel 245*61c4878aSAndroid Build Coastguard Worker :sync: bazel 246*61c4878aSAndroid Build Coastguard Worker 247*61c4878aSAndroid Build Coastguard Worker Unit tests can support fuzz tests by simply adding a dependency on 248*61c4878aSAndroid Build Coastguard Worker FuzzTest. 249*61c4878aSAndroid Build Coastguard Worker 250*61c4878aSAndroid Build Coastguard Worker For example, consider the following ``BUILD.bazel``: 251*61c4878aSAndroid Build Coastguard Worker 252*61c4878aSAndroid Build Coastguard Worker .. literalinclude:: ../examples/fuzztest/BUILD.bazel 253*61c4878aSAndroid Build Coastguard Worker :linenos: 254*61c4878aSAndroid Build Coastguard Worker :start-after: [pwfuzzer_examples_fuzztest-bazel] 255*61c4878aSAndroid Build Coastguard Worker :end-before: [pwfuzzer_examples_fuzztest-bazel] 256*61c4878aSAndroid Build Coastguard Worker 257*61c4878aSAndroid Build Coastguard Worker------------------------ 258*61c4878aSAndroid Build Coastguard WorkerStep 5: Build the fuzzer 259*61c4878aSAndroid Build Coastguard Worker------------------------ 260*61c4878aSAndroid Build Coastguard Worker.. tab-set:: 261*61c4878aSAndroid Build Coastguard Worker 262*61c4878aSAndroid Build Coastguard Worker .. tab-item:: GN 263*61c4878aSAndroid Build Coastguard Worker :sync: gn 264*61c4878aSAndroid Build Coastguard Worker 265*61c4878aSAndroid Build Coastguard Worker Build using ``ninja`` on a target that includes your fuzzer with a 266*61c4878aSAndroid Build Coastguard Worker :ref:`fuzzing toolchain<module-pw_fuzzer-guides-using_fuzztest-toolchain>`. 267*61c4878aSAndroid Build Coastguard Worker 268*61c4878aSAndroid Build Coastguard Worker Pigweed includes a ``//:fuzzers`` target that builds all tests, including 269*61c4878aSAndroid Build Coastguard Worker those with fuzzers, using a fuzzing toolchain. You may wish to add a 270*61c4878aSAndroid Build Coastguard Worker similar top-level to your project. For example: 271*61c4878aSAndroid Build Coastguard Worker 272*61c4878aSAndroid Build Coastguard Worker .. code-block:: 273*61c4878aSAndroid Build Coastguard Worker 274*61c4878aSAndroid Build Coastguard Worker group("fuzzers") { 275*61c4878aSAndroid Build Coastguard Worker deps = [ ":pw_module_tests.run($dir_pigweed/targets/host:host_clang_fuzz)" ] 276*61c4878aSAndroid Build Coastguard Worker } 277*61c4878aSAndroid Build Coastguard Worker 278*61c4878aSAndroid Build Coastguard Worker .. tab-item:: CMake 279*61c4878aSAndroid Build Coastguard Worker :sync: cmake 280*61c4878aSAndroid Build Coastguard Worker 281*61c4878aSAndroid Build Coastguard Worker Build using ``cmake`` with the FuzzTest and GoogleTest variables set. For 282*61c4878aSAndroid Build Coastguard Worker example: 283*61c4878aSAndroid Build Coastguard Worker 284*61c4878aSAndroid Build Coastguard Worker .. code-block:: 285*61c4878aSAndroid Build Coastguard Worker 286*61c4878aSAndroid Build Coastguard Worker cmake ... \ 287*61c4878aSAndroid Build Coastguard Worker -Ddir_pw_third_party_fuzztest=path/to/fuzztest \ 288*61c4878aSAndroid Build Coastguard Worker -Ddir_pw_third_party_googletest=path/to/googletest \ 289*61c4878aSAndroid Build Coastguard Worker -Dpw_unit_test_BACKEND=pw_third_party.fuzztest 290*61c4878aSAndroid Build Coastguard Worker 291*61c4878aSAndroid Build Coastguard Worker 292*61c4878aSAndroid Build Coastguard Worker .. tab-item:: Bazel 293*61c4878aSAndroid Build Coastguard Worker :sync: bazel 294*61c4878aSAndroid Build Coastguard Worker 295*61c4878aSAndroid Build Coastguard Worker By default, ``bazel`` will simply omit the fuzz tests and build unit 296*61c4878aSAndroid Build Coastguard Worker tests. To build these tests as fuzz tests, specify the ``fuzztest`` 297*61c4878aSAndroid Build Coastguard Worker config. For example: 298*61c4878aSAndroid Build Coastguard Worker 299*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 300*61c4878aSAndroid Build Coastguard Worker 301*61c4878aSAndroid Build Coastguard Worker bazel build //... --config=fuzztest 302*61c4878aSAndroid Build Coastguard Worker 303*61c4878aSAndroid Build Coastguard Worker---------------------------------- 304*61c4878aSAndroid Build Coastguard WorkerStep 6: Running the fuzzer locally 305*61c4878aSAndroid Build Coastguard Worker---------------------------------- 306*61c4878aSAndroid Build Coastguard Worker.. TODO: b/281138993 - Add tooling to make it easier to find and run fuzzers. 307*61c4878aSAndroid Build Coastguard Worker 308*61c4878aSAndroid Build Coastguard Worker.. tab-set:: 309*61c4878aSAndroid Build Coastguard Worker 310*61c4878aSAndroid Build Coastguard Worker .. tab-item:: GN 311*61c4878aSAndroid Build Coastguard Worker :sync: gn 312*61c4878aSAndroid Build Coastguard Worker 313*61c4878aSAndroid Build Coastguard Worker When building. Most toolchains will simply omit the fuzz tests and build 314*61c4878aSAndroid Build Coastguard Worker and run unit tests. A 315*61c4878aSAndroid Build Coastguard Worker :ref:`fuzzing toolchain<module-pw_fuzzer-guides-using_fuzztest-toolchain>` 316*61c4878aSAndroid Build Coastguard Worker will include the fuzzers, but only run them for a limited time. This makes 317*61c4878aSAndroid Build Coastguard Worker them suitable for automated testing as in CQ. 318*61c4878aSAndroid Build Coastguard Worker 319*61c4878aSAndroid Build Coastguard Worker If you used the top-level ``//:fuzzers`` described in the previous 320*61c4878aSAndroid Build Coastguard Worker section, you can find available fuzzers using the generated JSON test 321*61c4878aSAndroid Build Coastguard Worker metadata file: 322*61c4878aSAndroid Build Coastguard Worker 323*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 324*61c4878aSAndroid Build Coastguard Worker 325*61c4878aSAndroid Build Coastguard Worker jq '.[] | select(contains({tags: ["fuzztest"]}))' \ 326*61c4878aSAndroid Build Coastguard Worker out/host_clang_fuzz/obj/pw_module_tests.testinfo.json 327*61c4878aSAndroid Build Coastguard Worker 328*61c4878aSAndroid Build Coastguard Worker To run a fuzz with different options, you can pass additional flags to the 329*61c4878aSAndroid Build Coastguard Worker fuzzer binary. This binary will be in a subdirectory related to the 330*61c4878aSAndroid Build Coastguard Worker toolchain. For example: 331*61c4878aSAndroid Build Coastguard Worker 332*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 333*61c4878aSAndroid Build Coastguard Worker 334*61c4878aSAndroid Build Coastguard Worker out/host_clang_fuzz/obj/my_module/test/metrics_test \ 335*61c4878aSAndroid Build Coastguard Worker --fuzz=MetricsTest.Roundtrip 336*61c4878aSAndroid Build Coastguard Worker 337*61c4878aSAndroid Build Coastguard Worker Additional `sanitizer flags`_ may be passed uisng environment variables. 338*61c4878aSAndroid Build Coastguard Worker 339*61c4878aSAndroid Build Coastguard Worker .. tab-item:: CMake 340*61c4878aSAndroid Build Coastguard Worker :sync: cmake 341*61c4878aSAndroid Build Coastguard Worker 342*61c4878aSAndroid Build Coastguard Worker When built with FuzzTest and GoogleTest, the fuzzer binaries can be run 343*61c4878aSAndroid Build Coastguard Worker directly from the CMake build directory. By default, the fuzzers will only 344*61c4878aSAndroid Build Coastguard Worker run for a limited time. This makes them suitable for automated testing as 345*61c4878aSAndroid Build Coastguard Worker in CQ. To run a fuzz with different options, you can pass additional flags 346*61c4878aSAndroid Build Coastguard Worker to the fuzzer binary. 347*61c4878aSAndroid Build Coastguard Worker 348*61c4878aSAndroid Build Coastguard Worker For example: 349*61c4878aSAndroid Build Coastguard Worker 350*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 351*61c4878aSAndroid Build Coastguard Worker 352*61c4878aSAndroid Build Coastguard Worker build/my_module/metrics_test --fuzz=MetricsTest.Roundtrip 353*61c4878aSAndroid Build Coastguard Worker 354*61c4878aSAndroid Build Coastguard Worker .. tab-item:: Bazel 355*61c4878aSAndroid Build Coastguard Worker :sync: bazel 356*61c4878aSAndroid Build Coastguard Worker 357*61c4878aSAndroid Build Coastguard Worker By default, ``bazel`` will simply omit the fuzz tests and build and run 358*61c4878aSAndroid Build Coastguard Worker unit tests. To build these tests as fuzz tests, specify the "fuzztest" 359*61c4878aSAndroid Build Coastguard Worker config. For example: 360*61c4878aSAndroid Build Coastguard Worker 361*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 362*61c4878aSAndroid Build Coastguard Worker 363*61c4878aSAndroid Build Coastguard Worker bazel test //... --config=fuzztest 364*61c4878aSAndroid Build Coastguard Worker 365*61c4878aSAndroid Build Coastguard Worker This will build the tests as fuzz tests, but only run them for a limited 366*61c4878aSAndroid Build Coastguard Worker time. This makes them suitable for automated testing as in CQ. 367*61c4878aSAndroid Build Coastguard Worker 368*61c4878aSAndroid Build Coastguard Worker To run a fuzz with different options, you can use ``run`` and pass 369*61c4878aSAndroid Build Coastguard Worker additional flags to the fuzzer binary. For example: 370*61c4878aSAndroid Build Coastguard Worker 371*61c4878aSAndroid Build Coastguard Worker .. code-block:: sh 372*61c4878aSAndroid Build Coastguard Worker 373*61c4878aSAndroid Build Coastguard Worker bazel run //my_module:metrics_test --config=fuzztest \ 374*61c4878aSAndroid Build Coastguard Worker --fuzz=MetricsTest.Roundtrip 375*61c4878aSAndroid Build Coastguard Worker 376*61c4878aSAndroid Build Coastguard WorkerRunning the fuzzer should produce output similar to the following: 377*61c4878aSAndroid Build Coastguard Worker 378*61c4878aSAndroid Build Coastguard Worker.. code-block:: 379*61c4878aSAndroid Build Coastguard Worker 380*61c4878aSAndroid Build Coastguard Worker [.] Sanitizer coverage enabled. Counter map size: 21290, Cmp map size: 262144 381*61c4878aSAndroid Build Coastguard Worker Note: Google Test filter = MetricsTest.Roundtrip 382*61c4878aSAndroid Build Coastguard Worker [==========] Running 1 test from 1 test suite. 383*61c4878aSAndroid Build Coastguard Worker [----------] Global test environment set-up. 384*61c4878aSAndroid Build Coastguard Worker [----------] 1 test from MetricsTest 385*61c4878aSAndroid Build Coastguard Worker [ RUN ] MetricsTest.Roundtrip 386*61c4878aSAndroid Build Coastguard Worker [*] Corpus size: 1 | Edges covered: 131 | Fuzzing time: 504.798us | Total runs: 1.00e+00 | Runs/secs: 1 387*61c4878aSAndroid Build Coastguard Worker [*] Corpus size: 2 | Edges covered: 133 | Fuzzing time: 934.176us | Total runs: 3.00e+00 | Runs/secs: 3 388*61c4878aSAndroid Build Coastguard Worker [*] Corpus size: 3 | Edges covered: 134 | Fuzzing time: 2.384383ms | Total runs: 5.30e+01 | Runs/secs: 53 389*61c4878aSAndroid Build Coastguard Worker [*] Corpus size: 4 | Edges covered: 137 | Fuzzing time: 2.732274ms | Total runs: 5.40e+01 | Runs/secs: 54 390*61c4878aSAndroid Build Coastguard Worker [*] Corpus size: 5 | Edges covered: 137 | Fuzzing time: 7.275553ms | Total runs: 2.48e+02 | Runs/secs: 248 391*61c4878aSAndroid Build Coastguard Worker 392*61c4878aSAndroid Build Coastguard Worker.. TODO: b/282560789 - Add guides/improve_fuzzers.rst 393*61c4878aSAndroid Build Coastguard Worker.. TODO: b/281139237 - Add guides/continuous_fuzzing.rst 394*61c4878aSAndroid Build Coastguard Worker.. ---------- 395*61c4878aSAndroid Build Coastguard Worker.. Next steps 396*61c4878aSAndroid Build Coastguard Worker.. ---------- 397*61c4878aSAndroid Build Coastguard Worker.. Once you have a working fuzzer, the next steps are to: 398*61c4878aSAndroid Build Coastguard Worker 399*61c4878aSAndroid Build Coastguard Worker.. * `Run it continuously on a fuzzing infrastructure <continuous_fuzzing>`_. 400*61c4878aSAndroid Build Coastguard Worker.. * `Measure its code coverage and improve it <improve_fuzzers>`_. 401*61c4878aSAndroid Build Coastguard Worker 402*61c4878aSAndroid Build Coastguard Worker.. _FuzzTest: https://github.com/google/fuzztest 403*61c4878aSAndroid Build Coastguard Worker.. _FuzzTest Domain Reference: https://github.com/google/fuzztest/blob/main/doc/domains-reference.md 404*61c4878aSAndroid Build Coastguard Worker.. _FuzzTest Use Cases: https://github.com/google/fuzztest/blob/main/doc/use-cases.md 405*61c4878aSAndroid Build Coastguard Worker.. _GoogleTest documentation: https://google.github.io/googletest/ 406*61c4878aSAndroid Build Coastguard Worker.. _Test Fixtures: https://github.com/google/fuzztest/blob/main/doc/fixtures.md 407*61c4878aSAndroid Build Coastguard Worker.. _The FUZZ_TEST Macro: https://github.com/google/fuzztest/blob/main/doc/fuzz-test-macro.md 408*61c4878aSAndroid Build Coastguard Worker.. _sanitizer flags: https://github.com/google/sanitizers/wiki/SanitizerCommonFlags 409*61c4878aSAndroid Build Coastguard Worker.. _seeds: https://github.com/google/fuzztest/blob/main/doc/fuzz-test-macro.md#initial-seeds 410