...
Now you can build fuzzing targets with make fuzzing (or you can build them one by one: torii_fuzz, status_fuzz, find_fuzz, mst_fuzz, consensus_fuzz, request_proposal_fuzz, send_batches_fuzz, retrieve_block_fuzz, retrieve_blocks_fuzz - one fuzzing target for every endpoint).
After that if you run any of targets they will exit without any output. It happens because they are intended to reproduce crashes (and to perform fuzzing by itself). To use it download crash file (the typical name looks like clusterfuzz-testcase-minimized-find_fuzz-5745437956374528) and run:
| Code Block |
|---|
./find_fuzz clusterfuzz-testcase-minimized-find_fuzz-574543795637452 |
If crash reproduces successfully you will see a crash. To get a stacktrace run it the target under gdb (lldb).
Sometimes you may want to run a fuzzing process on a localhost. To do this execute
| Code Block |
|---|
export LIB_FUZZING_ENGINE='-fsanitize=fuzzer' |
and rebuild everything. Now you can start fuzzing by simple running the fuzzing executable.
Further reading
Please start at https://github.com/google/oss-fuzz - all the necessary information could be found here (the docs structure could be better though).
Please notice the next comment. It contains information about possible fuzzing improvements - I guess it's worth to do.