Fuzzer Reference

This page contains a reference for Fuzzbuzz's C and C++ fuzzer. If you'd like an introduction to using this fuzzer, we recommend reading the Getting Started guide before using this reference. The aim of this reference is to provide a more in-depth look at the generation capabilities and configuration options of the fuzzer.

Import this library into your fuzz test with: #include "fuzzbuzz.hxx". If you would like to set up completions and type hinting in your IDE, you can add /opt/fuzzbuzz/include to your editor's search path.

Global Namespace

FZBZ_TARGET_CLASS

Used to tell Fuzzbuzz that it should run a fuzz test.

Usage example:

FZBZ_TARGET_CLASS(FuzzTest0);
struct FuzzTest0 {
    FuzzTest0(fzbz::Fuzzer &f)
    {
        // Fuzz test definition goes here.
    }
};

namespace fzbz

Fuzzer

The type used in a fuzz test to communicate configuration to the Fuzzer.

Instance Methods:

addFuzzTarget(T target): communicates to the fuzzer that it should fuzz test a particular target.

Usage example:

struct FuzzTest0 {
    FuzzTest0(fzbz::Fuzzer &f)
    {
        // Define a generator
        auto stringGen = fzbz::generator::string<std::string>();

        // Create a fuzz target
        auto target = fzbz::fuzzTarget([&](auto myStr) {
            // Do something with the fuzzed data
            CallMyCode(myStr);
        }, stringGen);

        // Seed the target
        target.addSeed("Hello, ");
        target.addSeed("World!");

        // Fuzz the target
        f.addFuzzTarget(target);
    }
};

fuzzTarget

fuzzTarget(U fuzz_test, Args ...args)

Combines a fuzz test and a set of fields into a single fuzz target. The first argument should be a function that takes n values. The following arguments should be generators, one for each argument of the function, in the same order.

Instance methods:

addSeed(Args::type ...args): Pass in a list of arguments in the same order the fuzz test receives them. This set of inputs will be used as a seed for the fuzzer to generate new values from.

Usage Example:

// Define a set of generators
auto intGen = fzbz::generator::integer<int32_t>();
auto stringGen = fzbz::generator::string<std::string>();
auto floatGen = fzbz::generator::floatingPoint<float>();
auto byteGen = fzbz::generator::byteArray<std::vector<uint8_t>>();

auto target = fzbz::fuzzTarget([&](auto myInt, auto myStr, auto myFloat, auto myBytes) {
    // Do something with the fuzzed data
    CallMyCode(myInt, myStr, myFloat, myBytes);
}, intGen, stringGen, floatGen, byteGen);

target.addSeed(123, "hello", 1.2, std::vector<uint8_t>{41, 42, 43});
target.addSeed(456, "world", 2.6, std::vector<uint8_t>{45, 46, 47});

namespace fzbz::generator

template <T> class byteArray

Creates a new Byte Array generator, and places the generated byte array in a T. Currently a std::vector<uint8_t> is the only supported value for T.

Instance methods:

setMaxLength(int)

Usage example:

// Creates a Byte Array generator that returns the bytes in a uint8_t vector
auto gen = fzbz::generator::byteArray<std::vector<uint8_t>>();
gen.setMaxLength(2048);

template <T> class string

Creates a new string generator, and places the generated string value in a T. Currently std::string and const char * are the supported values for T.

Instance methods:

setMaxLength(int)

Usage example:

// Creates a String generator that returns the string in a std::string
auto gen = fzbz::generator::string<std::string>();
gen.setMaxLength(2048);

template <T> class integer

Creates a new integer generator, and places the generated integer value in a T. All int{8,16,32,64}_t, uint{8,16,32,64}_t types, as well as int are supported values for T.

Instance methods:

setRange(T min, T max)

Usage example:

// Creates an integer generator that returns the integer in an int32_t
auto gen = fzbz::generator::integer<int32_t>();
// Sets the minimum and maximum values for the generated integer
gen.setRange(0, 1024);

template <T> class floatingPoint

Creates a new floating point number generator, and places the generated floating point value in a T. Currently, float is the supported value for T.

Usage example:

// Creates a floating point generator that returns the number in a float
auto gen = fzbz::generator::floatingPoint<float>();
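
A complete fuzz test that combines the pieces documented on this page: two bounded generators, a two-argument target, and seeds in generator order. This is an added example, not Fuzzbuzz's own code; parseRecord and ParseRecordFuzz are hypothetical names, and treating std::abort() as a reported failure is an assumption. The Fuzzbuzz part is compiled only where fuzzbuzz.hxx is on the include path.

```cpp
// Added example, not Fuzzbuzz's own code. parseRecord() is a hypothetical
// function under test; only the fzbz:: calls shown on this page are used.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical code under test: copies `declaredLen` payload bytes out of `buf`.
// The bounds check is the property the fuzz test exercises: a declared
// length larger than the buffer must be rejected, never read.
bool parseRecord(uint16_t declaredLen, const std::vector<uint8_t> &buf, std::string &out)
{
    if (static_cast<std::size_t>(declaredLen) > buf.size())
        return false;
    out.assign(buf.begin(), buf.begin() + declaredLen);
    return true;
}

#if defined(__has_include)
#if __has_include("fuzzbuzz.hxx")
#include "fuzzbuzz.hxx"

FZBZ_TARGET_CLASS(ParseRecordFuzz);
struct ParseRecordFuzz {
    ParseRecordFuzz(fzbz::Fuzzer &f)
    {
        // Let the declared length exceed the buffer cap so the reject path is reached.
        auto lenGen = fzbz::generator::integer<uint16_t>();
        lenGen.setRange(0, 4096);
        auto bufGen = fzbz::generator::byteArray<std::vector<uint8_t>>();
        bufGen.setMaxLength(2048);

        auto target = fzbz::fuzzTarget([&](auto len, auto buf) {
            std::string out;
            if (parseRecord(len, buf, out) && out.size() != len)
                std::abort(); // assumption: an abort is reported as a failing input
        }, lenGen, bufGen);

        // Seeds follow the generator order: (length, bytes).
        target.addSeed(3, std::vector<uint8_t>{'a', 'b', 'c'}); // exact fit
        target.addSeed(4, std::vector<uint8_t>{'a', 'b', 'c'}); // one past the end
        f.addFuzzTarget(target);
    }
};
#endif
#endif
```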