1. Documentation
  2. Fuzzing C/C++
  3. Finding your first bug in C++

Create a C++ Fuzz Test

How to create your first C/C++ fuzz test

After the initialization is completed (the UI indicates that with a check mark before the item “Initialize Project” in the side view), it is time to create our first fuzz test. To do so we recommend using our “Fuzz This Function” helper. “Fuzz This Function” is a decorator that appears over function definitions and allows you to quickly set up fuzzing for the corresponding function.

With CI Fuzz there are two approaches to creating fuzz targets for C++. We offer a “Fuzz This Function” helper that appears over function definitions in your code and creates fuzz targets on click. This easy to use approach is described below.

Fuzz targets can also be created manually. With manual fuzz target creation, users have to take care of specifying the required build flags and includes. Manual creation is explained below.

Fuzz this function

A common workflow is to inspect already existing unit tests, find the functions they are testing and then use “Fuzz this function” on these function definitions. “Fuzz This Function” automatically takes care of including required headers and linking the fuzz target against the correct libraries.

In the case of CppCMS there are many unit tests in the “tests” subfolder. For this tutorial we want to fuzz test the built in json parser. The corresponding unit test is defined in json_test.cpp:

open

The function json::value::load() is the function being tested, so we go to its definition and make use of “Fuzz this Function”

open

Clicking on “Fuzz this function” will automatically generate a minimal fuzz target for you. For CppCMS json::value::load() it looks like this:

open

This still needs some fine tuning. While we at Code Intelligence are working hard to further automate the process of generating fully working fuzz targets for C++ (as we have already done for different frameworks, such as Springboot). Most of the time the remaining manual effort is very low. In this example, we only need to change the type of the incoming random data from const uint8_t * to const char * and fill in the missing method arguments. The complete fuzz target then looks like this:

open

Manual Fuzz Test creation

Fuzz Targets can be created manually with CI Fuzz. To do so, click on the “Add Fuzz Test” button in the sidebar menu.

Create a Fuzz Target manually

Click on API Fuzz Test to create a Fuzz Test which targets a function call.

API Fuzz Test

Create the fuzz target by filling out the “New API Fuzz Test” Form.

Fuzz Target Creator

Target Name is a name that you can chose to identify the fuzz test.

Select the Programming Language you want to fuzz. If you want to fuzz a C Library you can also create a C++ Fuzz target in order to make use of C++ features in the fuzz test itself. Just remember to surround the C function calls with extern "C" (see the official Documentation on how to mix C and C++)

Run arguments will be passed to the fuzzer during runtime. Most of the time these can stay empty

The Build Flags are important for the compilation of the fuzz target. With “Fuzz This Function” these would be filled out automatically for you. With Manual Fuzz Target Creation you have to fill in the include paths -I, library paths -L and libraries -l needed to build the fuzz target. Enter one Build flag per line, like this example for cppcms:

-Ibuild
-Ibooster
-Isrc
-Iprivate
-Icppcms_boost
-Ibuild/booster
-I.
-Lbuild
-lpthread
-lpcre
-licuuc
-licui18n
-licudata
-ldl
-lcppcms

After saving the fuzz target configuration, click on the fuzz test you created in the Fuzz Tests sidebar.

Fuzz Json

Then click on “Open Source Code” to edit the fuzz target.

Open Source Code

Read next: Run your first C++ Fuzz Test