cc-fuzzing-rules.md

File metadata and controls

executable file
·
121 lines (79 loc) · 7.43 KB

cc_fuzzing_engine

cc_fuzzing_engine(name, display_name, launcher, launcher_data, library)

Specifies a fuzzing engine that can be used to run C++ fuzz targets.

ATTRIBUTES

| Name | Description | Type | Mandatory | Default |
| --- | --- | --- | --- | --- |
| name | A unique name for this target. | Name | required | |
| display_name | The name of the fuzzing engine, as it should be rendered in human-readable output. | String | required | |
| launcher | A shell script that knows how to launch the fuzzing executable based on configuration specified in the environment. | Label | required | |
| launcher_data | A dict mapping additional runtime dependencies needed by the fuzzing engine to environment variables that will be available inside the launcher, holding the runtime path to the dependency. | Dictionary: Label -> String | optional | `{}` |
| library | A cc_library target that implements the fuzzing engine entry point. | Label | required | |

FuzzingEngineInfo

FuzzingEngineInfo(display_name, launcher, launcher_runfiles, launcher_environment)

Provider for storing the language-independent part of the specification of a fuzzing engine.

FIELDS

| Name | Description |
| --- | --- |
| display_name | A string representing the human-readable name of the fuzzing engine. |
| launcher | A file representing the shell script that launches the fuzz target. |
| launcher_runfiles | The runfiles needed by the launcher script on the fuzzing engine side, such as helper tools and their data dependencies. |
| launcher_environment | A dictionary from environment variables to files used by the launcher script. |

cc_fuzz_test

cc_fuzz_test(name, corpus, dicts, engine, tags, binary_kwargs)

Defines a C++ fuzz test and a few associated tools and metadata.

For each fuzz test <name>, this macro defines a number of targets. The most relevant ones are:

  • <name>: A test that executes the fuzzer binary against the seed corpus (or on an empty input if no corpus is specified).
  • <name>_bin: The instrumented fuzz test executable. Use this target for debugging or for accessing the complete command line interface of the fuzzing engine. Most developers should only need to use this target rarely.
  • <name>_run: An executable target used to launch the fuzz test using a simpler, engine-agnostic command line interface.
  • <name>_oss_fuzz: Generates a <name>_oss_fuzz.tar archive containing the fuzz target executable and its associated resources (corpus, dictionary, etc.) in a format suitable for unpacking in the $OUT/ directory of an OSS-Fuzz build. This target can be used inside the build.sh script of an OSS-Fuzz project.

PARAMETERS

| Name | Description | Default Value |
| --- | --- | --- |
| name | A unique name for this target. Required. | none |
| corpus | A list containing corpus files. | `None` |
| dicts | A list containing dictionaries. | `None` |
| engine | A label pointing to the fuzzing engine to use. | `"@rules_fuzzing//fuzzing:cc_engine"` |
| tags | Tags set on the fuzzing regression test. | `None` |
| binary_kwargs | Keyword arguments directly forwarded to the fuzz test binary rule. | none |
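The following BUILD file is an added example, not code from the rules_fuzzing repository, showing how the `cc_fuzzing_engine` attributes described above and the `cc_fuzz_test` parameters fit together in one package. It assumes that both macros are loaded from `@rules_fuzzing//fuzzing:cc_defs.bzl`, that `binary_kwargs` in the signature is a `**kwargs` catch-all (so `srcs` and `deps` are passed directly and forwarded to the binary rule), and that a `cc_fuzzing_engine` target can be named in `engine`. The target names, source files, corpus layout and the `MY_ENGINE_MINIMIZER_PATH` variable are hypothetical.

```starlark
# BUILD.bazel (added example; not part of rules_fuzzing).
# Assumed load path for both macros.
load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test", "cc_fuzzing_engine")

# A custom engine. `library` provides the entry point that drives the fuzz
# target, `launcher` is the shell script that reads its run configuration from
# the environment, and `launcher_data` exposes an extra helper to the launcher
# through an environment variable holding the helper's runtime path.
cc_fuzzing_engine(
    name = "my_engine",
    display_name = "MyEngine",
    library = ":my_engine_lib",
    launcher = "my_engine_launcher.sh",
    launcher_data = {
        # Hypothetical helper; the launcher reads its path from the variable.
        ":my_engine_minimizer": "MY_ENGINE_MINIMIZER_PATH",
    },
)

cc_library(
    name = "my_engine_lib",
    srcs = ["my_engine_main.cc"],  # hypothetical: engine driver calling the target
)

sh_binary(
    name = "my_engine_minimizer",
    srcs = ["my_engine_minimizer.sh"],  # hypothetical helper tool
)

# The fuzz test. Seed inputs live under corpus/, and parser.dict is a
# dictionary of interesting tokens. `srcs` and `deps` are the keyword
# arguments forwarded to the fuzz test binary rule (binary_kwargs).
cc_fuzz_test(
    name = "parser_fuzz_test",
    srcs = ["parser_fuzz_test.cc"],   # hypothetical harness source
    deps = [":parser"],               # hypothetical library under test
    corpus = glob(["corpus/**"]),
    dicts = ["parser.dict"],
    # Drop this line to fall back to the default @rules_fuzzing//fuzzing:cc_engine.
    engine = ":my_engine",
    tags = ["fuzz"],                  # applied to the regression test only
)
```

With this package in place, `bazel test :parser_fuzz_test` runs the regression test over the seed corpus (the `<name>` target), `bazel run :parser_fuzz_test_run` launches the engine through its engine-agnostic interface (the `<name>_run` target), and `bazel build :parser_fuzz_test_oss_fuzz` produces the `parser_fuzz_test_oss_fuzz.tar` archive for an OSS-Fuzz `build.sh`. Which engine and sanitizer configuration the binary is actually built with is selected through the flags in the `@rules_fuzzing//fuzzing` package, as described under `fuzzing_decoration` below.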

fuzzing_decoration

fuzzing_decoration(name, raw_binary, engine, corpus, dicts, instrument_binary,
                   define_regression_test, test_tags)

Generates the standard targets associated to a fuzz test.

This macro can be used to define custom fuzz test rules in case the default cc_fuzz_test macro is not adequate. Refer to the cc_fuzz_test macro documentation for the set of targets generated.

PARAMETERS

| Name | Description | Default Value |
| --- | --- | --- |
| name | The name prefix of the generated targets. It is normally the fuzz test name in the BUILD file. | none |
| raw_binary | The label of the cc_binary or cc_test target that builds the fuzz test executable. | none |
| engine | The label of the fuzzing engine used to build the binary. | none |
| corpus | A list of corpus files. | `None` |
| dicts | A list of fuzzing dictionary files. | `None` |
| instrument_binary | (Experimental, may be removed in the future.) By default, the generated targets depend on raw_binary through a Bazel configuration transition that uses flags from the @rules_fuzzing//fuzzing package to determine the fuzzing build mode, engine, and sanitizer instrumentation. When this argument is false, the targets assume that raw_binary is already built in the proper configuration and will not apply the transition. Most users should not need to change this argument. If you think the default instrumentation mode does not work for your use case, please file a GitHub issue to discuss. | `True` |
| define_regression_test | If true, generate a regression test rule. | `True` |
| test_tags | Tags set on the fuzzing regression test. | `None` |
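The macro below is an added example, not code from rules_fuzzing, of the custom-rule use case `fuzzing_decoration` is meant for: a project-wide wrapper that builds the raw binary itself (here with frame pointers preserved so sanitizer stack traces stay readable, and with a policy check that every fuzz test ships a seed corpus) and then lets `fuzzing_decoration` generate the standard `<name>`, `<name>_bin`, `<name>_run` and `<name>_oss_fuzz` targets around it. It assumes that `fuzzing_decoration` is loaded from `@rules_fuzzing//fuzzing:cc_defs.bzl` and that the engine target can be listed in the raw binary's `deps` so the engine library supplies the entry point; the macro name, the `_raw_` suffix and the extra compiler flag are hypothetical.

```starlark
# my_fuzz_rules.bzl (added example; not part of rules_fuzzing).
# Assumed load path.
load("@rules_fuzzing//fuzzing:cc_defs.bzl", "fuzzing_decoration")

def cc_fuzz_test_with_policy(
        name,
        srcs,
        deps = [],
        corpus = None,
        dicts = None,
        engine = "@rules_fuzzing//fuzzing:cc_engine",
        tags = None,
        **kwargs):
    """Hypothetical replacement for cc_fuzz_test that enforces project rules.

    Builds the raw fuzz binary with frame pointers kept, requires a seed
    corpus, and delegates target generation to fuzzing_decoration.
    """

    # Policy check: a fuzz test without seeds starts from an empty input,
    # which wastes most of the first fuzzing session on rediscovering basics.
    if not corpus:
        fail("%s: every fuzz test must provide a seed corpus" % name)

    raw_binary_name = name + "_raw_"  # hypothetical naming convention

    native.cc_binary(
        name = raw_binary_name,
        srcs = srcs,
        # Assumption: the engine target can be depended on directly and
        # provides the entry point that calls into the fuzz target.
        deps = deps + [engine],
        copts = kwargs.pop("copts", []) + ["-fno-omit-frame-pointer"],
        testonly = True,
        **kwargs
    )

    fuzzing_decoration(
        name = name,
        raw_binary = ":" + raw_binary_name,
        engine = engine,
        corpus = corpus,
        dicts = dicts,
        # instrument_binary is left at its default (True), so the generated
        # targets apply the rules_fuzzing configuration transition and the
        # raw binary is rebuilt with the selected engine and sanitizer.
        define_regression_test = True,
        test_tags = tags,
    )
```

A BUILD file then calls `cc_fuzz_test_with_policy(name = "parser_fuzz_test", srcs = [...], deps = [...], corpus = glob(["corpus/**"]))` exactly as it would call `cc_fuzz_test`, and gets the same set of generated targets. Setting `instrument_binary = False` would only be appropriate if `raw_binary` were already produced under the right engine and sanitizer configuration by some other mechanism, which the page marks as experimental.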