Hasnain Lakhani | 37f4e0d | 2025-08-25 11:21:33 -0700

# C++ Fuzzing README

To build the fuzz targets, run `make check` in this directory. The build system uses LLVM's libFuzzer for fuzzing the C++ Thrift implementation.

These are standard libFuzzer targets, so you can run them using the standard libFuzzer interface. After building, you can run a fuzzer using:

```bash
./<fuzzer_name>
```

We currently have six fuzz targets:

* FuzzParseBinary -- fuzzes the deserialization of the Binary protocol
* FuzzParseCompact -- fuzzes the deserialization of the Compact protocol
* FuzzParseJson -- fuzzes the deserialization of the JSON protocol
* FuzzRoundtripBinary -- fuzzes the roundtrip of the Binary protocol (i.e. serializes then deserializes and compares the result)
* FuzzRoundtripCompact -- fuzzes the roundtrip of the Compact protocol
* FuzzRoundtripJson -- fuzzes the roundtrip of the JSON protocol

The fuzzers use libFuzzer's built-in mutation engine to generate test cases. Each fuzzer implements the standard `LLVMFuzzerTestOneInput` interface and uses common testing code from `FuzzCommon.tcc`.

For more information about libFuzzer and its options, see the [libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html).

You can also use the corpus generator from the Rust implementation to generate initial corpus files that can be used with these C++ fuzzers, since the wire formats are identical between implementations.
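As an added illustration of the `LLVMFuzzerTestOneInput` shape and the roundtrip check (parse, re-serialize, parse again, compare) that the FuzzRoundtrip* targets perform, here is a self-contained target over a tiny subset of the Thrift Binary protocol (i32 and string fields only). It is example code written for this README, not the project's `FuzzCommon.tcc` or Thrift's `TBinaryProtocol`; the `parseStruct`, `serializeStruct` and `roundtripOk` names are assumptions.

```cpp
// Added example: libFuzzer-style roundtrip target over a tiny subset of the Thrift Binary
// protocol (i32 and string fields). Stand-in, not TBinaryProtocol or the project's FuzzCommon.tcc.
#include <cstdint>
#include <cstdlib>
#include <map>
#include <optional>
#include <string>
#include <variant>
#include <vector>
using Value = std::variant<int32_t, std::string>; using Struct = std::map<int16_t, Value>;  // field id -> value
enum : uint8_t { T_STOP = 0, T_I32 = 8, T_STRING = 11 };  // Binary protocol type tags (subset)

// A struct is repeated (type byte, big-endian i16 field id, value) ended by T_STOP; nullopt on bad input.
std::optional<Struct> parseStruct(const uint8_t* d, size_t size) {
  Struct out; size_t p = 0;
  auto rd32 = [&](uint32_t& v) { if (size - p < 4) return false;  // big-endian u32, bounds-checked
    v = (uint32_t)d[p] << 24 | (uint32_t)d[p + 1] << 16 | (uint32_t)d[p + 2] << 8 | d[p + 3];
    p += 4; return true; };
  for (;;) {
    if (p >= size) return std::nullopt;                   // ran out before T_STOP
    uint8_t type = d[p++]; if (type == T_STOP) return out;
    if (size - p < 2) return std::nullopt;
    int16_t id = (int16_t)((uint16_t)d[p] << 8 | d[p + 1]); p += 2; uint32_t n;
    if (type == T_I32) { if (!rd32(n)) return std::nullopt; out[id] = (int32_t)n; }
    else if (type == T_STRING) {
      if (!rd32(n) || n > size - p) return std::nullopt;  // declared length must fit in the input
      out[id] = std::string((const char*)d + p, n); p += n;
    } else return std::nullopt;                           // type this subset does not model
  }
}

std::vector<uint8_t> serializeStruct(const Struct& s) {
  std::vector<uint8_t> out;
  auto wr32 = [&](uint32_t v) { for (int sh = 24; sh >= 0; sh -= 8) out.push_back((uint8_t)(v >> sh)); };
  for (const auto& [id, v] : s) {
    out.push_back(std::holds_alternative<int32_t>(v) ? T_I32 : T_STRING);
    out.push_back((uint8_t)((uint16_t)id >> 8)); out.push_back((uint8_t)id);
    if (auto* i = std::get_if<int32_t>(&v)) wr32((uint32_t)*i);
    else { auto& str = std::get<std::string>(v); wr32((uint32_t)str.size()); out.insert(out.end(), str.begin(), str.end()); }
  }
  out.push_back(T_STOP); return out;
}

// Roundtrip property: anything that parses must re-serialize and parse back equal; rejected input is not a failure.
bool roundtripOk(const uint8_t* data, size_t size) {
  auto s = parseStruct(data, size); if (!s) return true;
  auto bytes = serializeStruct(*s); auto again = parseStruct(bytes.data(), bytes.size());
  return again && *again == *s;
}

// libFuzzer calls this for every mutated input; abort() makes it save the offending input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!roundtripOk(data, size)) abort(); return 0;
}
```

Build it with `clang++ -std=c++17 -fsanitize=fuzzer,address` to get a stand-alone binary that takes the usual libFuzzer options.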