Barebones wrapper around LLVM's libFuzzer runtime library.
The CPP parts are extracted from compiler-rt git repository with git filter-branch
.
libFuzzer relies on LLVM sanitizer support. The Rust compiler has built-in support for LLVM sanitizer support, for now, it's limited to Linux. As a result, libfuzzer-sys
only works on Linux.
The recommended way to use this crate with cargo fuzz
!.
This crate can also be used manually as following:
First create a new cargo project:
$ cargo new --bin fuzzed
$ cd fuzzed
Then add a dependency on the fuzzer-sys
crate and your own crate:
[dependencies]
libfuzzer-sys = "0.4.0"
your_crate = { path = "../path/to/your/crate" }
Change the fuzzed/src/main.rs
to fuzz your code:
#![no_main]
use libfuzzer_sys::fuzz_target;
fuzz_target!(|data: &[u8]| {
// code to fuzz goes here
});
Build by running the following command:
$ cargo rustc -- \
-C passes='sancov-module' \
-C llvm-args='-sanitizer-coverage-level=3' \
-C llvm-args='-sanitizer-coverage-inline-8bit-counters' \
-Z sanitizer=address
And finally, run the fuzzer:
$ ./target/debug/fuzzed
When using libfuzzer-sys
, you can provide your own libfuzzer
runtime in two ways.
If you are developing a fuzzer, you can set the CUSTOM_LIBFUZZER_PATH
environment variable to the path of your local
libfuzzer
runtime, which will then be linked instead of building libfuzzer as part of the build stage of libfuzzer-sys
.
For an example, to link to a prebuilt LLVM 16 libfuzzer
, you could use:
$ export CUSTOM_LIBFUZZER_PATH=/usr/lib64/clang/16/lib/libclang_rt.fuzzer-x86_64.a
$ cargo fuzz run ...
Alternatively, you may also disable the default link_libfuzzer
feature:
In Cargo.toml
:
[dependencies]
libfuzzer-sys = { path = "../../libfuzzer", default-features = false }
Then link to your own runtime in your build.rs
.
-
Update the
COMMIT=...
variable in./update-libfuzzer.sh
with the new commit hash from llvm-mirror/llvm-project that you are vendoring. -
Re-run the script:
$ ./update-libfuzzer.sh <github.com/llvm-mirror/llvm-project SHA1>
All files in the libfuzzer
directory are licensed NCSA.
Everything else is dual-licensed Apache 2.0 and MIT.