...
Build Iroha with -DFUZZING=ON under clang (don. Don't use Apple clang, use mainstream). E.g.:.
If you want to run fuzzing, add LIB_FUZZING_ENGINE='-fsanitize=fuzzer' environment variable. After that you can run fuzzing by executing required fuzz test executable. It is not required if you only want to reproduce and debug a known crash (having a crash file).
| Code Block |
|---|
cmake -DCMAKE_TOOLCHAIN_FILE=/Users/konstantinmunichev/src/vcpkg/dependencies/scripts/buildsystems/vcpkg.cmake -DCMAKE_C_COMPILER=/usr/local/opt/llvm/bin/clang -DCMAKE_CXX_COMPILER=/usr/local/opt/llvm/bin/clang++ -DFUZZING=ON <...> |
Now you can build fuzzing targets with
| Code Block |
|---|
make fuzzing |
...
You can also build them one by one using these names (as of v1.1): torii_fuzz, status_fuzz, find_fuzz, mst_fuzz, consensus_fuzz, request_proposal_fuzz, send_batches_fuzz, retrieve_block_fuzz, retrieve_blocks_fuzz - . There is one fuzzing target for every endpoint).
After that if you run any of targets they will exit without any output. It happens because they are intended to reproduce crashes (and to perform fuzzing by itself). To use it download crash file (the typical name looks like clusterfuzz-testcase-minimized-find_fuzz-5745437956374528) and run:
...
If crash reproduces successfully you will see a crash. To get a stacktrace run it the target under gdb (lldb).
Sometimes you may want to run a fuzzing process on a localhost. To do this execute
| Code Block |
|---|
export LIB_FUZZING_ENGINE='-fsanitize=fuzzer' |
and rebuild everything. Now you can start fuzzing by simple running the fuzzing executable.
Further reading
Please start at https://github.com/google/oss-fuzz - all the necessary information could be found here (the docs structure could be better though).
...