dev-fuzz 0.1.0

Fuzzing harness integration for Rust. Wraps cargo-fuzz. Findings emitted as machine-readable reports. Part of the dev-* verification suite.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

//! # dev-fuzz
//!
//! Fuzzing harness integration for Rust. Part of the `dev-*`
//! verification suite.
//!
//! Wraps `cargo-fuzz` (libFuzzer-based) and emits findings as
//! `dev-report::Report`. Captures crashes, timeouts, and OOM events
//! with reproducer inputs attached.
//!
//! ## What is fuzzing?
//!
//! Fuzzing feeds random or guided-random inputs to your code looking
//! for crashes, panics, or unexpected behavior. It's especially
//! valuable for parsers, deserializers, network protocol handlers,
//! and anything that touches untrusted input.
//!
//! ## Quick example
//!
//! ```no_run
//! use dev_fuzz::{FuzzRun, FuzzBudget};
//! use std::time::Duration;
//!
//! let run = FuzzRun::new("parse_input", "0.1.0")
//!     .budget(FuzzBudget::time(Duration::from_secs(60)));
//! let result = run.execute().unwrap();
//! let report = result.into_report();
//! ```
//!
//! ## Status
//!
//! Pre-1.0. API shape defined; subprocess integration lands in `0.9.1`.

#![cfg_attr(docsrs, feature(doc_cfg))]
#![warn(missing_docs)]
#![warn(rust_2018_idioms)]

use std::time::Duration;

use dev_report::{CheckResult, Evidence, Report, Severity};

/// Type of finding discovered during a fuzz run.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FuzzFindingKind {
    /// A crash (panic, segfault, abort).
    Crash,
    /// An iteration exceeded the timeout.
    Timeout,
    /// An iteration exceeded the memory limit.
    OutOfMemory,
}

/// Budget for a fuzz run.
#[derive(Debug, Clone, Copy)]
pub enum FuzzBudget {
    /// Run for the given duration.
    Time(Duration),
    /// Run for the given number of executions.
    Executions(u64),
}

impl FuzzBudget {
    /// Build a time-based budget.
    pub fn time(d: Duration) -> Self {
        Self::Time(d)
    }

    /// Build an execution-count budget.
    pub fn executions(n: u64) -> Self {
        Self::Executions(n)
    }
}

/// Configuration for a fuzz run.
#[derive(Debug, Clone)]
pub struct FuzzRun {
    target: String,
    version: String,
    budget: FuzzBudget,
}

impl FuzzRun {
    /// Begin a new fuzz run against the given fuzz target.
    pub fn new(target: impl Into<String>, version: impl Into<String>) -> Self {
        Self {
            target: target.into(),
            version: version.into(),
            budget: FuzzBudget::Time(Duration::from_secs(60)),
        }
    }

    /// Set the run budget.
    pub fn budget(mut self, budget: FuzzBudget) -> Self {
        self.budget = budget;
        self
    }

    /// Selected budget.
    pub fn fuzz_budget(&self) -> FuzzBudget {
        self.budget
    }

    /// Execute the fuzz run.
    ///
    /// In `0.9.0` this is a stub; subprocess integration lands in `0.9.1`.
    pub fn execute(&self) -> Result<FuzzResult, FuzzError> {
        Ok(FuzzResult {
            target: self.target.clone(),
            version: self.version.clone(),
            executions: 0,
            findings: Vec::new(),
        })
    }
}

/// A single fuzz finding.
#[derive(Debug, Clone)]
pub struct FuzzFinding {
    /// Kind of finding.
    pub kind: FuzzFindingKind,
    /// Path to the input that triggered the finding (a "reproducer").
    pub reproducer_path: String,
    /// Short human-readable summary.
    pub summary: String,
}

/// Result of a fuzz run.
#[derive(Debug, Clone)]
pub struct FuzzResult {
    /// Fuzz target name.
    pub target: String,
    /// Crate version at the time of the run.
    pub version: String,
    /// Total executions completed.
    pub executions: u64,
    /// Findings discovered.
    pub findings: Vec<FuzzFinding>,
}

impl FuzzResult {
    /// Convert this result into a `dev-report::Report`.
    pub fn into_report(self) -> Report {
        let mut report = Report::new(&self.target, &self.version).with_producer("dev-fuzz");
        if self.findings.is_empty() {
            report.push(
                CheckResult::pass(format!("fuzz::{}", self.target))
                    .with_detail(format!("{} executions, 0 findings", self.executions))
                    .with_evidence(Evidence::numeric_int("executions", self.executions as i64)),
            );
        } else {
            for f in &self.findings {
                let sev = match f.kind {
                    FuzzFindingKind::Crash => Severity::Critical,
                    FuzzFindingKind::Timeout => Severity::Warning,
                    FuzzFindingKind::OutOfMemory => Severity::Error,
                };
                let kind_str = match f.kind {
                    FuzzFindingKind::Crash => "crash",
                    FuzzFindingKind::Timeout => "timeout",
                    FuzzFindingKind::OutOfMemory => "oom",
                };
                report.push(
                    CheckResult::fail(format!("fuzz::{}::{kind_str}", self.target), sev)
                        .with_detail(f.summary.clone())
                        .with_evidence(Evidence::file_ref("reproducer", &f.reproducer_path)),
                );
            }
        }
        report.finish();
        report
    }
}

/// Errors that can arise during a fuzz run.
#[derive(Debug)]
pub enum FuzzError {
    /// `cargo-fuzz` is not installed.
    ToolNotInstalled,
    /// Nightly Rust is required but not available.
    NightlyRequired,
    /// Subprocess failure.
    SubprocessFailed(String),
    /// The named fuzz target was not found in the project.
    TargetNotFound(String),
}

impl std::fmt::Display for FuzzError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::ToolNotInstalled => write!(f, "cargo-fuzz is not installed"),
            Self::NightlyRequired => write!(f, "nightly Rust is required"),
            Self::SubprocessFailed(s) => write!(f, "subprocess failed: {s}"),
            Self::TargetNotFound(s) => write!(f, "fuzz target not found: {s}"),
        }
    }
}

impl std::error::Error for FuzzError {}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn run_builds() {
        let r = FuzzRun::new("parse", "0.1.0");
        match r.fuzz_budget() {
            FuzzBudget::Time(_) => {}
            _ => panic!("default should be time-based"),
        }
    }

    #[test]
    fn executions_budget() {
        let r = FuzzRun::new("parse", "0.1.0").budget(FuzzBudget::executions(1_000_000));
        match r.fuzz_budget() {
            FuzzBudget::Executions(n) => assert_eq!(n, 1_000_000),
            _ => panic!("expected executions budget"),
        }
    }

    #[test]
    fn empty_findings_passes() {
        let r = FuzzResult {
            target: "parse".into(),
            version: "0.1.0".into(),
            executions: 1_000_000,
            findings: Vec::new(),
        };
        let report = r.into_report();
        assert!(report.passed());
    }

    #[test]
    fn crash_finding_is_critical() {
        let r = FuzzResult {
            target: "parse".into(),
            version: "0.1.0".into(),
            executions: 500,
            findings: vec![FuzzFinding {
                kind: FuzzFindingKind::Crash,
                reproducer_path: "fuzz/artifacts/crash-deadbeef".into(),
                summary: "panic in parse_input".into(),
            }],
        };
        let report = r.into_report();
        assert!(report.failed());
        assert_eq!(report.checks[0].severity, Some(Severity::Critical));
    }
}