cpython/Modules/_xxtestfuzz
Miss Islington (bot) 9d21c46e31
[3.13] gh-121023: Improve `_xxtestfuzz/README.rst` (GH-121024) (#124140)
gh-121023: Improve `_xxtestfuzz/README.rst` (GH-121024)
(cherry picked from commit a9c2bc1634)

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
2024-09-23 17:23:54 -07:00
..
dictionaries Add a fuzzer for `Py_CompileStringExFlags` (#111721) 2023-12-10 12:16:15 -05:00
fuzz_csv_reader_corpus
fuzz_elementtree_parsewhole_corpus Add a fuzz target for `_elementtree.XMLParser._parse_whole` (#111477) 2023-11-03 14:01:56 -07:00
fuzz_json_loads_corpus
fuzz_pycompile_corpus Add a fuzzer for `Py_CompileStringExFlags` (#111721) 2023-12-10 12:16:15 -05:00
fuzz_sre_compile_corpus
fuzz_struct_unpack_corpus
README.rst [3.13] gh-121023: Improve `_xxtestfuzz/README.rst` (GH-121024) (#124140) 2024-09-23 17:23:54 -07:00
_xxtestfuzz.c gh-116322: Add Py_mod_gil module slot (#116882) 2024-05-03 11:30:55 -04:00
fuzz_tests.txt Add a fuzzer for `Py_CompileStringExFlags` (#111721) 2023-12-10 12:16:15 -05:00
fuzzer.c When the Py_CompileStringExFlags fuzzer encounters a SystemError, abort (#115147) 2024-02-07 17:21:33 -05:00

README.rst

Fuzz Tests for CPython
======================

These fuzz tests are designed to be included in Google's `oss-fuzz`_ project.

oss-fuzz works against a library exposing a function of the form
``int LLVMFuzzerTestOneInput(const uint8_t* data, size_t length)``. We provide
that library (``fuzzer.c``), and include a ``_fuzz`` module for testing with
some toy values -- no fuzzing occurs in Python's test suite.

oss-fuzz will regularly pull from CPython, discover all the tests in
``fuzz_tests.txt``, and run them -- so adding a new test here means it will
automatically be run in oss-fuzz, while also being smoke-tested as part of
CPython's test suite.

In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
main branch changing relevant files.

Adding a new fuzz test
----------------------

Add the test name on a new line in ``fuzz_tests.txt``.

In ``fuzzer.c``, add a function to be run::

    static int $fuzz_test_name(const char* data, size_t size) {
        ...
        return 0;
    }


And invoke it from ``LLVMFuzzerTestOneInput``::

    #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_$fuzz_test_name)
        rv |= _run_fuzz(data, size, $fuzz_test_name);
    #endif

Don't forget to replace ``$fuzz_test_name`` with your actual test name.

``LLVMFuzzerTestOneInput`` will run in oss-fuzz, with each test in
``fuzz_tests.txt`` run separately.

Seed data (corpus) for the test can be provided in a subfolder called
``<test_name>_corpus`` such as ``fuzz_json_loads_corpus``. A wide variety
of good input samples allows the fuzzer to more easily explore a diverse
set of paths and provides a better base to find buggy input from.

Dictionaries of tokens (see oss-fuzz documentation for more details) can
be placed in the ``dictionaries`` folder with the name of the test.
For example, ``dictionaries/fuzz_json_loads.dict`` contains JSON tokens
to guide the fuzzer.

What makes a good fuzz test
---------------------------

Libraries written in C that might handle untrusted data are worthwhile. The
more complex the logic (e.g. parsing), the more likely this is to be a useful
fuzz test. See the existing examples for reference, and refer to the
`oss-fuzz`_ docs.

.. _oss-fuzz: https://github.com/google/oss-fuzz