# Cargo-fuzz
Commandline wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!
libFuzzer needs LLVM sanitizer support, so this is Linux-only for now. It also
may not work well with projects that have build scripts due to
https://github.com/rust-lang/cargo/issues/3739
This crate is currently under some churn -- in case stuff isn't working, please reinstall it (`cargo install cargo-fuzz -f`), and delete the cloned `libfuzzer-sys` folder in the `fuzz/` folder. Rerunning `cargo fuzz --init` after moving your `fuzz` folder and updating this crate may get you a better generated `fuzz/Cargo.toml`. Expect this to settle down soon.
## Installation
```sh
$ cargo install cargo-fuzz
```
## Usage
First, set up your project for fuzzing:
```sh
$ cd /path/to/project
$ cargo fuzz --init
```
This will create a `fuzz` folder, containing a fuzzing script called `fuzzer_script_1` in the
`fuzzers/` subfolder. It is generally a good idea to check in the files generated by `--init`.
libFuzzer is going to repeatedly call the `go()` function in the fuzzer script with a byte buffer
`data` of length `size`, until your program hits an error condition (segfault, panic, etc). Write
your `go()` function to hit the entry point you need.
You can add more fuzz target scripts via `cargo fuzz --add name_of_script`. There
is a `Cargo.toml` in the `fuzz/` folder where you can add dependencies.
To fuzz a fuzz target, run:
```sh
$ cd /path/to/project
$ cargo fuzz --fuzz-target fuzzer_script_1 # or whatever the target is named
```
Then, wait till it finds something!
## Trophy case
🏆 🏆 🏆 🏆 🏆 🏆
- [toml-rs panic](https://github.com/alexcrichton/toml-rs/issues/152)
- unicode-segmentation: [grapheme boundary correctness](https://github.com/unicode-rs/unicode-segmentation/issues/19), [word boundary correctness](https://github.com/unicode-rs/unicode-segmentation/issues/20)