Skip to content

Latest commit

 

History

History
 
 

fuzz

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
fuzz-testhelper
fuzz-testhelper
 
 
scripts
scripts
 
 
src
src
 
 
CMakeLists.txt
CMakeLists.txt
 
 
README.md
README.md
 
 

README.md

Fuzzing Test Suite

This test suite contains fuzzing tests for libFuzzer fuzzing engine.

Getting Started

Each fuzzing test is an executable. It can run fuzzing to search for new failures and save reproducer in a file. You can later run a fuzzing test with a reproducer to debug a failure found.

Pre-requisites

There are no special pre-requisites to reproduce and debug failures.

To run fuzzing you will need LLVM components:

  • Clang and co.
  • libFuzzer
  • lld (linker)
  • libc++

Building fuzz tests

  1. Build openvino

Build openvino with options ENABLE_FUZZING and ENABLE_SANITIZER enabled. It is recommended to use clang compiler.

(\
mkdir -p build && cd build && \
CC=clang CXX=clang++ cmake .. -DENABLE_FUZZING=ON -DENABLE_SANITIZER=ON -DTREAT_WARNING_AS_ERROR=OFF && \
cmake --build . \
)
  1. Build fuzz tests

Build fuzz tests with options ENABLE_FUZZING and ENABLE_SANITIZER enabled. You should use the same compiler as was used for the openvino build.

(\
mkdir -p tests/fuzz/build && cd tests/fuzz/build && \
CC=clang CXX=clang++ cmake .. -DENABLE_FUZZING=ON -DENABLE_SANITIZER=ON -DTREAT_WARNING_AS_ERROR=OFF -DInferenceEngine_DIR=$(pwd)/../../../build && \
cmake --build . \
)

Running fuzz tests

  1. Prepare fuzzing corpus

Fuzzing engine needs a set of valid inputs to start fuzzing from. Those files are called a fuzzing corpus. Place valid inputs for the fuzzing test into directory.

Intel employees can get the corpus as described here https://wiki.ith.intel.com/x/2N42bg.

  1. Run fuzzing
./read_network-fuzzer -max_total_time=600 ./read_network-corpus

Consider adding those useful command line options:

  • -jobs=$(nproc) runs multiple fuzzing jobs in parallel.
  • -rss_limit_mb=0 to ignore out-of-memory issues.

Analyzing fuzzing quality

Explore code coverage

To build coverage report after fuzz test execution run:

llvm-profdata merge -sparse *.profraw -o default.profdata && \
llvm-cov show ./read_network-fuzzer -instr-profile=default.profdata -format=html -output-dir=read_network-coverage

Reproducing findings

Fuzzing run halts on the first issue identified, prints issue details to stdout and save data to reproduce the issue as a file in the current folder. To debug the issue pass reproducer as command line argument to fuzz test

./read_network-fuzzer crash-409b5eeed46a8445b7f7b7a2ce5b60a9ad895e3b

It is recommended but not required to use binaries built for fuzzing to debug the issues. A binaries built without ENABLE_FUZZING options can also be used to reproduce and debug the issues.