Bug: 172670888

Clone this repo:
  1. c877c6d Update Android.bp by running cargo_embargo by James Farrell · 10 days ago main master
  2. a1a5bf1 Upgrade libfuzzer-sys to 0.4.7 am: 9b2cd52a95 by Jeff Vander Stoep · 4 months ago
  3. 9b2cd52 Upgrade libfuzzer-sys to 0.4.7 by Jeff Vander Stoep · 4 months ago
  4. 545a472 Migrate to cargo_embargo. am: 1995e408fd am: 778c748120 am: 9e47a4545b by Andrew Walbran · 6 months ago
  5. ae45a77 Migrate to cargo_embargo. am: 1995e408fd am: 74bf7ac500 am: ec155a672f by Andrew Walbran · 6 months ago

The libfuzzer-sys Crate

Barebones wrapper around LLVM's libFuzzer runtime library.

The CPP parts are extracted from compiler-rt git repository with git filter-branch.

libFuzzer relies on LLVM sanitizer support. The Rust compiler has built-in support for LLVM sanitizer support, for now, it's limited to Linux. As a result, libfuzzer-sys only works on Linux.

Usage

Use cargo fuzz!

The recommended way to use this crate with cargo fuzz!.

Manual Usage

This crate can also be used manually as following:

First create a new cargo project:

$ cargo new --bin fuzzed
$ cd fuzzed

Then add a dependency on the fuzzer-sys crate and your own crate:

[dependencies]
libfuzzer-sys = "0.4.0"
your_crate = { path = "../path/to/your/crate" }

Change the fuzzed/src/main.rs to fuzz your code:

#![no_main]

use libfuzzer_sys::fuzz_target;

fuzz_target!(|data: &[u8]| {
    // code to fuzz goes here
});

Build by running the following command:

$ cargo rustc -- \
    -C passes='sancov' \
    -C llvm-args='-sanitizer-coverage-level=3' \
    -C llvm-args='-sanitizer-coverage-inline-8bit-counters' \
    -Z sanitizer=address

And finally, run the fuzzer:

$ ./target/debug/fuzzed

Linking to a local libfuzzer

When using libfuzzer-sys, you can provide your own libfuzzer runtime in two ways.

If you are developing a fuzzer, you can set the CUSTOM_LIBFUZZER_PATH environment variable to the path of your local libfuzzer runtime, which will then be linked instead of building libfuzzer as part of the build stage of libfuzzer-sys. For an example, to link to a prebuilt LLVM 16 libfuzzer, you could use:

$ export CUSTOM_LIBFUZZER_PATH=/usr/lib64/clang/16/lib/libclang_rt.fuzzer-x86_64.a
$ cargo fuzz run ...

Alternatively, you may also disable the default link_libfuzzer feature:

In Cargo.toml:

[dependencies]
libfuzzer-sys = { path = "../../libfuzzer", default-features = false }

Then link to your own runtime in your build.rs.

Updating libfuzzer from upstream

./update-libfuzzer.sh <github.com/llvm-mirror/llvm-project SHA1>

License

All files in libfuzzer directory are licensed NCSA.

Everything else is dual-licensed Apache 2.0 and MIT.