| Devin Jeanpierre | c5bace2 | 2017-09-06 11:15:35 -0700 | [diff] [blame] | 1 | Fuzz Tests for CPython |
| 2 | ====================== |
| 3 | |
| 4 | These fuzz tests are designed to be included in Google's `oss-fuzz`_ project. |
| 5 | |
| 6 | oss-fuzz works against a library exposing a function of the form |
| 7 | ``int LLVMFuzzerTestOneInput(const uint8_t* data, size_t length)``. We provide |
| 8 | that library (``fuzzer.c``), and include a ``_fuzz`` module for testing with |
| 9 | some toy values -- no fuzzing occurs in Python's test suite. |
| 10 | |
| 11 | oss-fuzz will regularly pull from CPython, discover all the tests in |
| 12 | ``fuzz_tests.txt``, and run them -- so adding a new test here means it will |
| 13 | automatically be run in oss-fuzz, while also being smoke-tested as part of |
| 14 | CPython's test suite. |
| 15 | |
| 16 | Adding a new fuzz test |
| 17 | ---------------------- |
| 18 | |
| 19 | Add the test name on a new line in ``fuzz_tests.txt``. |
| 20 | |
| 21 | In ``fuzzer.c``, add a function to be run:: |
| 22 | |
| 23 | int $test_name (const char* data, size_t size) { |
| 24 | ... |
| 25 | return 0; |
| 26 | } |
| 27 | |
| 28 | |
| 29 | And invoke it from ``LLVMFuzzerTestOneInput``:: |
| 30 | |
| 31 | #if _Py_FUZZ_YES(fuzz_builtin_float) |
| 32 | rv |= _run_fuzz(data, size, fuzz_builtin_float); |
| 33 | #endif |
| 34 | |
| 35 | ``LLVMFuzzerTestOneInput`` will run in oss-fuzz, with each test in |
| 36 | ``fuzz_tests.txt`` run separately. |
| 37 | |
| 38 | What makes a good fuzz test |
| 39 | --------------------------- |
| 40 | |
| 41 | Libraries written in C that might handle untrusted data are worthwhile. The |
| 42 | more complex the logic (e.g. parsing), the more likely this is to be a useful |
| 43 | fuzz test. See the existing examples for reference, and refer to the |
| 44 | `oss-fuzz`_ docs. |
| 45 | |
| 46 | .. _oss-fuzz: https://github.com/google/oss-fuzz |