Fuzz Test Configuration

Fuzz Test Environment Variables, Fuzzing engine options, compilation

Fuzz test .yaml file

For every fuzz test, there is a .yaml file in .code_intelligence/fuzz_targets.

In this file, you can change the options described on this page.

Attention: if you edit this file, be careful about YAML syntax. It is sensitive to indentation (2 spaces per indent level). If you introduce a syntax error there, the fuzz test will not start.

Fixing fuzz test compilation errors

If you get errors about undefined references to the functions you want to fuzz when building your fuzz test, you may need to pass extra options to the compiler so that it knows which dynamic libraries or object files to link. Use the compiler_extra_args section for this.
Example with an object file:

compiler_extra_args:
- "-I."
- "-Iinclude"
- "-lstdc++"
- "-lm"
- "-L/usr/lib"
- "-Lbuild/apps" # created by "fuzz this function" until here
- "bubbleSort.o" # added manually

For dynamic libraries, use -L to add the (relative) paths where they are located (if they are not in the system library paths) and -l to give their names (without the "lib" prefix and without the file extension).

Use -I to provide additional paths with header files that are needed to compile your fuzz test, if any.

Adding environment variables to a fuzz test

If you want to provide environment variables to a fuzz test (e.g. you want to use UBSAN_OPTIONS=print_stacktrace=1 and ASAN_OPTIONS=halt_on_error=0), add them in the yaml file of your fuzz test by uncommenting the "environment" section.

Example:

## Environment variables to set when executing the target.
environment:
- ASAN_OPTIONS=detect_leaks=0:halt_on_error=0 # several ASan flags go into one variable, separated by ':' (a second ASAN_OPTIONS entry would replace the first)
- UBSAN_OPTIONS=print_stacktrace=1

Address sanitizer documentation
Undefined behaviour sanitizer documentation
AFL environment variables
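As an added example (not part of the original documentation or of the CI Fuzz tool itself), the following Python helper applies the same rule to an environment list that the fuzzer process does: a variable named twice keeps only one value, so sanitizer *_OPTIONS entries have to be merged into a single colon-separated entry. The input list is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Sanitizer runtime variables: their value is a list of key=value flags joined by ':'.
SANITIZER_VARS = {"ASAN_OPTIONS", "UBSAN_OPTIONS", "LSAN_OPTIONS", "MSAN_OPTIONS", "TSAN_OPTIONS"}

ENTRY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def merge_environment(entries: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve an 'environment:' list into the variables the target will see.

    A process environment holds one value per name, so a later NAME=value
    entry replaces an earlier one. For sanitizer *_OPTIONS variables the two
    values are joined with ':' instead, so no flag is silently lost. Returns
    the resolved environment and a list of warnings about duplicates.
    """
    env: Dict[str, str] = {}
    warnings: List[str] = []
    for entry in entries:
        match = ENTRY_RE.match(entry)
        if not match:
            warnings.append(f"malformed entry, expected NAME=value: {entry!r}")
            continue
        name, value = match.group(1), match.group(2)
        if name not in env:
            env[name] = value
        elif name in SANITIZER_VARS:
            env[name] = f"{env[name]}:{value}"
            warnings.append(f"{name} listed twice; merged into {env[name]!r}")
        else:
            warnings.append(f"{name} listed twice; {env[name]!r} replaced by {value!r}")
            env[name] = value
    return env, warnings


def sanitizer_flags(value: str) -> Dict[str, str]:
    """Split a colon-separated sanitizer option string into a flag dict."""
    flags: Dict[str, str] = {}
    for item in value.split(":"):
        if item:
            key, _, val = item.partition("=")
            flags[key] = val
    return flags


if __name__ == "__main__":
    # Constructed input: the same variable listed twice, as a mistake in the .yaml would produce.
    sample = ["ASAN_OPTIONS=detect_leaks=0", "UBSAN_OPTIONS=print_stacktrace=1",
              "ASAN_OPTIONS=halt_on_error=0", "AFL_SKIP_CPUFREQ=1"]
    resolved, notes = merge_environment(sample)
    for line in notes:
        print("warning:", line)
    print(resolved)
    print(sanitizer_flags(resolved["ASAN_OPTIONS"]))
```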

Changing fuzzing engine options for a fuzz test

To change the behaviour of the fuzzing engine (libFuzzer or AFL), uncomment the engine_options: section and add the options there. Example:

## Options to pass to the fuzzing engine.
engine_options:
  libfuzzer:
    - -rss_limit_mb=4096

libFuzzer options are documented here.