Built on top of https://github.com/jruderman/fuzz-rustc, which was based on https://github.com/dwrensha/fuzz-rustc.

This repo contains configuration for fuzz-testing the Rust compiler using libfuzzer-sys, taking inspiration from cargo-fuzz and fuzz-targets.

Because rustc is a bootstrapping compiler, its build process has several stages and involves juggling many flags, attributes, and environment variables. These complications create some difficulties for cleanly setting up fuzz testing. We work around those difficulties with some light modifications to rustc and some additional configuration.

./run-fuzzer.sh

You may add some example inputs in the ./seeds/ directory.

New interesting test cases are automatically written to the ./corpus/ directory as they are found.

The run-fuzzer.sh script passes trailing arguments on to the underlying libfuzzer binary, so you can pass any of these options: https://llvm.org/docs/LibFuzzer.html#options .

For example, this invocation will run 4 jobs in parallel and will only try ascii inputs:

./run_fuzzer.sh -jobs=4 -only_ascii=1

#62524 #62546 #62554 #62863 #62881 #62894 #62895 #62913 #62973 #63116 #63135 #66473 #68629 #68730 #68890 #69130 #69310 #69378 #69396 #69401 #69600 #69602 #70549 #70552 #70594 #70608 #70677 #70724 #70736 #70763 #70813 #70942 #71297 #71471 #71798 #72410 #84104 #84117 #84148 #84149 #86895 #88770 #92267 #102114 #102751 #102878 #103143 #103195 #103202 #103210 #103219 #103411 #103421 #103427 #103429 #103451 #103497 #103599 #103620 #103634 #103708 #103748 #103751 #103770 #103771 #103783 #103790 #103824 #104140 #104162 #104172 #104209 #104213 #104225 #104230 #104249 #104277 #104281 #104287 #104291 #104312 #104327 #104328 #104352 #104367 #104368 #104412 #104510 #104513 #104551 #104562 #104583 #104609 #104613 #104620 #104768 #104769 #104802 #104808 #104871 #104916 #105011 #105047 #105067 #105069 #105097 #105101

Generalize this setup to also work other fuzzing engines, like AFL and Honggfuzz.

All files in this repository are licensed CC0, except for rust-changes.diff, which is licensed like the code it modifies.