bufrng
BufRng
is a "random" number generator that simply yields pre-determined values
from a buffer, and yields 0
s once the buffer is exhausted.
Why?
BufRng
is useful for reinterpreting raw input bytes from
libFuzzer or
AFL as an RNG that is used with
structure-aware test case generators (e.g.
quickcheck::Arbitrary
). This
combines the power of coverage-guided fuzzing with structure-aware fuzzing.
Example
Let's say we are developing a crate to convert back and forth between RGB and HSL color representations.
First, we can implement quickcheck::Arbitrary
for our color types to get
structure-aware test case generators. Then, we can use these with quickcheck
's
own test runner infrastructure to assert various properties about our code (such
as it never panics, or that RGB -> HSL -> RGB is the identity function) and
quickcheck
will generate random instances of Rgb
and Hsl
to check this
property against.
/// A color represented with RGB.
/// A color represented with HSL.
// Implementations of `quickcheck::Arbitrary` to create structure-aware test
// case generators for `Rgb` and `Hsl`.
use *;
use ;
// Properties that we can have `quickcheck` assert for us.
Finally, we can reuse our existing structure-aware test case generators (the
Arbitrary
impls) with libFuzzer of AFL inputs with BufRng
. Thus we can
leverage coverage-guided fuzzing — where the fuzzer is observing code
coverage while tests are running, and trying to maximize the paths the inputs
cover — with our existing structure-aware generators.
The following snippet is with cargo fuzz
and
libFuzzer, but the concepts
would apply equally well to AFL, for example.
// my-rgb-to-hsl-crate/fuzz/fuzz_targets/rgb.rs
extern crate libfuzzer_sys;
use BufRng;
use ;
use Arbitrary;
fuzz_target!;