Fuzzing

This directory contains code and test data for fuzz testing picotls with LLVM's LibFuzzer.

Building the test drivers

To build the fuzz test drivers (AKA “fuzz targets”), pass -DBUILD_FUZZER=ON to cmake. This will instrument the binary and build fuzz targets. Note that you must have a version of LLVM Clang installed that supports LibFuzzer in order for this build to succeed.

Test corpus information

There are seed test corpuses for some fuzz targets included. They are stored in the fuzz directory in a subdirectory corresponding to the fuzz target binary name. See the LibFuzzer docs for more information on using seed test corpuses.

Submitting new seed files

This project welcomes seed files that exercise new paths in the target programs. Before submitting new seed files, please ensure they add coverage to the existing corpus via the driver -merge flag. For example:

$ ./fuzz-client-hello -merge=1 ./fuzz/fuzz-client-hello-corpus ./fuzz/my-new-seeds

See the LibFuzzer docs for more information on minimizing test corpuses.

Running the fuzzers

You will likely want to tailor fuzzer options to your execution environment, but here is a basic example of running a fuzzer:

./fuzz-client-hello fuzz/fuzz-client-hello-corpus
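As an added illustration of what a fuzz target like fuzz-client-hello looks like from LibFuzzer's point of view, the following C file is example code written for this README; it is not picotls's own fuzz driver and calls no picotls API. It shows the LLVMFuzzerTestOneInput entry point that LibFuzzer invokes once per generated input, a deliberately small bounds-checked parser (parse_record, record_t, and the record layout are invented for the example and stand in for the handshake code a real target would call), and a stand-alone main() that replays corpus files named on the command line, which is how one crashing corpus entry is reproduced under a debugger without the fuzzer runtime. The NO_REPLAY_MAIN macro is an assumption of this example: define it when linking with -fsanitize=fuzzer so LibFuzzer supplies main() instead.

```c
/* Example fuzz target and replay driver (added example, not picotls code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical framing: type (1 byte), version (2), length (2), payload. */
typedef struct {
    uint8_t type;
    uint16_t version;
    uint16_t length;
    const uint8_t *payload;
} record_t;

/* Returns 1 for a well-formed record, 0 for a malformed one. It must never
 * read past `len`; that is the property a sanitizer-instrumented fuzz run
 * checks on every input. */
int parse_record(const uint8_t *data, size_t len, record_t *out)
{
    if (len < 5)                       /* header alone needs 5 bytes */
        return 0;
    out->type = data[0];
    out->version = (uint16_t)((data[1] << 8) | data[2]);
    out->length = (uint16_t)((data[3] << 8) | data[4]);
    if ((size_t)out->length > len - 5) /* declared body longer than input */
        return 0;
    out->payload = data + 5;
    return 1;
}

/* LibFuzzer's entry point: called once per input. Build the fuzzing binary
 * with clang -fsanitize=fuzzer,address -DNO_REPLAY_MAIN. By convention the
 * function returns 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    record_t rec;
    if (parse_record(data, size, &rec)) {
        /* Touch every payload byte so AddressSanitizer reports an
         * out-of-bounds read if parse_record ever accepts a bad length. */
        volatile uint8_t sink = 0;
        for (size_t i = 0; i < rec.length; i++)
            sink ^= rec.payload[i];
        (void)sink;
    }
    return 0;
}

#ifndef NO_REPLAY_MAIN
/* Reads one corpus file fully and feeds it to the target, mirroring what
 * LibFuzzer does when given a single file instead of a directory. */
static int replay_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        perror(path);
        return 1;
    }
    uint8_t *buf = NULL;
    size_t n = 0, cap = 0, got;
    uint8_t chunk[4096];
    while ((got = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (n + got > cap) {
            cap = (n + got) * 2;
            uint8_t *grown = realloc(buf, cap);
            if (grown == NULL) {
                free(buf);
                fclose(f);
                return 1;
            }
            buf = grown;
        }
        memcpy(buf + n, chunk, got);
        n += got;
    }
    fclose(f);
    LLVMFuzzerTestOneInput(buf, n);
    printf("%s: %zu bytes, no crash\n", path, n);
    free(buf);
    return 0;
}

/* Usage: ./replay fuzz/fuzz-client-hello-corpus/<file> [more files...] */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (replay_file(argv[i]) != 0)
            return 1;
    return 0;
}
#endif
```

Keeping the parser in a plain function separate from LLVMFuzzerTestOneInput is what makes the replay build useful: the same object can be linked into the LibFuzzer binary for the run described above and into a normal executable for stepping through a single crashing corpus file.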