.. _module-pw_fuzzer-concepts:
===================
pw_fuzzer: Concepts
===================
.. pigweed-module-subpage::
   :name: pw_fuzzer

Fuzzing is an approach to testing software with generated data. Guided fuzzing
uses feedback from the code being tested, such as code coverage, to direct the
generation of additional inputs. This feedback loop typically has three steps
that it executes repeatedly:

#. The `fuzzing engine`_ generates a new `test input`_. The details of the
   test input depend on the engine. For example, `libFuzzer`_ generates
   sequences of bytes of arbitrary length, while `FuzzTest`_ generates
   parameters to match a function signature.
#. The `test input`_ is used to exercise the `fuzz target`_. This is a targeted
   interface to the code being tested.
#. The code under test is monitored for feedback or any abnormal conditions.
   The feedback is commonly code coverage information generated by
   compiler-added `instrumentation`_.

The loop ends when a configured limit is reached, such as a specific duration or
number of iterations, or when an abnormal condition is detected. These can be
failed assertions, bug detections by `sanitizers`_, unhandled signals, etc.
When a loop terminates due to one of these errors, the fuzzer will typically
create a `reproducer`_ that developers can use to reproduce the fault.
.. image:: doc_resources/pw_fuzzer_coverage_guided.png
   :alt: Coverage Guided Fuzzing
   :align: left

.. Diagram created using Google Drawings:
To learn more about how effective fuzzing can be or explore some of fuzzing's
"trophy lists", see `Why fuzz?`_.
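The following is an added illustration, not code from the pw_fuzzer docs or the Pigweed source, of what the fuzz target step of this loop looks like for a libFuzzer-style engine: the engine hands the target arbitrary bytes, the target feeds them to a small, hypothetical record parser (the code under test) and checks an invariant, and a reproducer can later be replayed through the same entry point.

```cpp
// Added example (not from pw_fuzzer or Pigweed). Names such as
// ParseRecord, Record and ReplayReproducer are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Hypothetical code under test: a record is a 1-byte tag, a 1-byte payload
// length, and that many payload bytes. Returns true and fills `out` on success.
struct Record {
  uint8_t tag;
  std::vector<uint8_t> payload;
};

bool ParseRecord(const uint8_t* data, size_t size, Record& out) {
  if (size < 2) return false;        // need at least tag + length
  const size_t len = data[1];
  if (size < 2 + len) return false;  // declared payload would overrun input
  out.tag = data[0];
  out.payload.assign(data + 2, data + 2 + len);
  return true;
}

// libFuzzer-style fuzz target: the engine calls this once per generated
// input. Sanitizers, assertions or an abort inside it are the "abnormal
// conditions" that end the loop and make the engine save a reproducer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  Record rec;
  if (ParseRecord(data, size, rec)) {
    // Invariant: the parsed payload is exactly the declared length and the
    // record never consumes more bytes than were provided.
    if (rec.payload.size() != data[1] || 2 + rec.payload.size() > size) {
      abort();
    }
  }
  return 0;  // libFuzzer reserves non-zero return values
}

// Replays a saved reproducer (the bytes the engine wrote to disk) through the
// target, which is how a developer reproduces a reported fault.
int ReplayReproducer(const std::vector<uint8_t>& reproducer) {
  return LLVMFuzzerTestOneInput(reproducer.data(), reproducer.size());
}
```

Compiling the same file with `-fsanitize=fuzzer` links the libFuzzer driver, which supplies `main` and runs the generate/exercise/monitor loop against this target.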
.. inclusive-language: disable
.. _fuzz target:
.. _fuzzing engine:
.. _FuzzTest:
.. _instrumentation:
.. _libFuzzer:
.. _reproducer:
.. _sanitizers:
.. _test input:
.. _Why fuzz?:
.. inclusive-language: enable