pw_fuzzer: Concepts#

pw_fuzzer: Better C++ code through easier fuzzing

Fuzzing is an approach to testing software with generated data. Guided fuzzing uses feedback from the code being tested, such as code coverage, to direct the generation of additional inputs. This feedback loop typically has three steps that it executes repeatedly:

  1. The fuzzing engine generates a new test input. The details of the test input depend on the engine. For example, libFuzzer generates sequences of bytes of arbitrary length, while FuzzTest generates parameters to match a function signature.

  2. The test input is used to exercise the fuzz target. This is targeted interface to the code being tested.

  3. The code under test is monitored for feedback or any abnormal conditions. The feedback is commonly code coverage information generated by compiler-added instrumentation.

The loop ends when a configured limit is reached, such as a specific duration or number of iterations, or when an abnormal condition is detected. These can be failed assertions, bug detections by sanitizers, unhandled signals, etc. When a loop terminates due to one of these errors, the fuzzer will typically create a reproducer that developers can use to reproduce the fault.

Coverage Guided Fuzzing

To learn more about how effective fuzzing can be or explore some of fuzzing’s “trophy lists”, see Why fuzz?.