
LLVM's libFuzzer

This implementation is built upon libfuzzer-sys. For more information, check the LLVM libFuzzer documentation.

Build

To build the fuzz target, run the following command:

make build

You can build in release mode via:

make build ARGS=--release

Some special compiler parameters are required to build a fuzz target. As an example, let's build the namespace_group_from_b64 fuzz target:

cargo rustc --bin namespace_group_from_b64 \
    --manifest-path fuzz/Cargo.toml -- \
    -C debuginfo=full \
    -C debug-assertions \
    -C passes='sancov-module' \
    -C llvm-args='-sanitizer-coverage-level=3' \
    -C llvm-args='-sanitizer-coverage-inline-8bit-counters' \
    -Z sanitizer=address

We don't set these options by default because they depend on the rustc version and might change in the future. For the list of available targets, check the [[bin]] sections in fuzz/Cargo.toml. We are currently not using optimized binaries because optimization might affect how rocksdb is built. If you want to enable optimization, add --release after rustc.

Unfortunately, cargo rustc doesn't support the --bins argument for building multiple binaries with custom compiler flags, so every target has to be built individually. Below is a convenience shell loop that extracts the target names from fuzz/Cargo.toml with sed (GNU sed, because of the \s escape) and builds each one.

for t in $(sed -n '/^\[\[bin\]\]/,/^$/ { /name\s*=\s*"\(.*\)"/s//\1/p }' fuzz/Cargo.toml) ; do
    cargo rustc --bin "$t" --manifest-path fuzz/Cargo.toml -- \
        -C debuginfo=full \
        -C debug-assertions \
        -C passes='sancov-module' \
        -C llvm-args='-sanitizer-coverage-level=3' \
        -C llvm-args='-sanitizer-coverage-inline-8bit-counters' \
        -Z sanitizer=address
done

Run

Here is a sample command to fuzz the namespace_group_from_b64 target:

make run TARGET=namespace_group_from_b64

To run in release mode:

make run TARGET=namespace_group_from_b64 PROFILE=release

To list the available targets, run:

make targets

Once built, you can run the target binaries directly from the fuzz/target/<profile> directory:

./fuzz/target/debug/namespace_group_from_b64

It will keep fuzzing until you interrupt it (i.e. Ctrl-C), and will record crashes under fuzz/artifacts/*/crash-*. If you find a crash, please report a new bug.