@@ -10,6 +10,11 @@ configured for. Fuzzing is further only effective with a lot of CPU time, indica
1010scenarios are discovered on CI with its low runtime constraints, the crash is caused relatively
1111easily.
1212
13+ The ` fuzz/ ` directory now contains three crates:
14+ - ` fuzz/ ` , the shared fuzz target logic and corpus directories
15+ - ` fuzz/fuzz-fake-hashes ` , the fuzz targets that require ` --cfg=hashes_fuzz `
16+ - ` fuzz/fuzz-real-hashes ` , the real-hashes fuzz targets, currently ` chanmon_consistency_target `
17+
1318## How do I run fuzz tests locally?
1419
1520We support multiple fuzzing engines such as ` honggfuzz ` , ` libFuzzer ` and ` AFL ` . You typically won't
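Review bot: the new intro sentence and the first bullet contradict each other: `fuzz/` is said to "contain three crates" and is then listed as one of the three. Suggest "The fuzz setup is now split into three crates:" and list the shared one as `fuzz/` (the root crate). A short sentence on why `chanmon_consistency_target` must run with real hashes would also help readers pick the right crate, since this is the only place the split is explained.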
@@ -47,34 +52,45 @@ cargo install --force cargo-fuzz
4752To run fuzzing using ` honggfuzz ` , do
4853
4954``` shell
55+ cd fuzz
5056export CPU_COUNT=1 # replace as needed
5157export HFUZZ_BUILD_ARGS=" --features honggfuzz_fuzz"
5258export HFUZZ_RUN_ARGS=" -n $CPU_COUNT --exit_upon_crash"
5359
5460export TARGET=" msg_ping_target" # replace with the target to be fuzzed
55- cargo hfuzz run $TARGET
61+ export RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz"
62+ cargo hfuzz run --manifest-path fuzz-fake-hashes/Cargo.toml $TARGET
5663```
5764
58- (Or, for a prettier output, replace the last line with ` cargo --color always hfuzz run $TARGET ` .)
65+ (For ` fuzz-real-hashes ` , use
66+ ` RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz" cargo hfuzz run --manifest-path fuzz-real-hashes/Cargo.toml chanmon_consistency_target ` .)
67+ For a prettier output, replace the last line with
68+ ` cargo --color always hfuzz run --manifest-path fuzz-fake-hashes/Cargo.toml $TARGET ` .
5969
6070#### cargo-fuzz / libFuzzer
6171To run fuzzing using ` cargo-fuzz / libFuzzer ` , run
6272
6373``` shell
6474rustup install nightly # Note: libFuzzer requires a nightly version of rust.
75+ cd fuzz
6576export RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz"
66- cargo +nightly fuzz run --features " libfuzzer_fuzz" msg_ping_target
77+ cargo +nightly fuzz run --fuzz-dir fuzz-fake-hashes -- features " libfuzzer_fuzz" msg_ping_target
6778```
6879Note: If you encounter a ` SIGKILL ` during run/build check for OOM in kernel logs and consider
6980increasing RAM size for VM.
7081
82+ For ` fuzz-real-hashes ` , use
83+ ` RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz" cargo +nightly fuzz run --fuzz-dir fuzz-real-hashes --features "libfuzzer_fuzz" chanmon_consistency_target ` .
84+
7185##### Fast builds for development
7286
7387The default build uses LTO and single codegen unit, which is slow. For faster iteration during
7488development, use the ` -D ` (dev) flag:
7589
7690``` shell
77- cargo +nightly fuzz run --features " libfuzzer_fuzz" -D msg_ping_target
91+ cd fuzz
92+ RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" \
93+ cargo +nightly fuzz run --fuzz-dir fuzz-fake-hashes --features " libfuzzer_fuzz" -D msg_ping_target
7894```
7995
8096The ` -D ` flag builds in development mode with faster compilation (still has optimizations via
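Review bot: `-- features "libfuzzer_fuzz"` in the libFuzzer run command is a typo for `--features`. As written, the bare `--` ends cargo-fuzz's own option parsing and everything after it is handed to the fuzzer as fuzzer arguments, so the feature is never enabled and no target name is given; the honggfuzz block and the `-D` block below both spell it `--features`. Separately, `cd fuzz` is now repeated in every snippet; stating once at the top of the section that all commands assume `fuzz/` as the working directory would be less error prone than sprinkling it into each block.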
@@ -83,7 +99,9 @@ sanitizer instrumentation, but subsequent builds will be fast.
8399
84100If you wish to just generate fuzzing binary executables for ` libFuzzer ` and not run them:
85101``` shell
86- cargo +nightly fuzz build --features " libfuzzer_fuzz" msg_ping_target
102+ cd fuzz
103+ RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" \
104+ cargo +nightly fuzz build --fuzz-dir fuzz-fake-hashes --features " libfuzzer_fuzz" msg_ping_target
87105# Generates binary artifact in path ./target/aarch64-unknown-linux-gnu/release/msg_ping_target
88106# Exact path depends on your system architecture.
89107```
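Review bot: the artifact path comment `./target/aarch64-unknown-linux-gnu/release/msg_ping_target` should be rechecked now that the build runs with `--fuzz-dir fuzz-fake-hashes`; cargo-fuzz defaults its target directory to the fuzz directory's own `target/`, so the binary is likely under `./fuzz-fake-hashes/target/...` rather than `./target/...`. Verify on a local build and update the comment, since the ClusterFuzz upload step that follows depends on this path.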
@@ -93,7 +111,8 @@ You can upload the build artifact generated above to `ClusterFuzz` for distribut
93111To see a list of available fuzzing targets, run:
94112
95113``` shell
96- ls ./src/bin/
114+ ls ./fuzz-fake-hashes/src/bin/
115+ ls ./fuzz-real-hashes/src/bin/
97116```
98117
99118## A fuzz test failed, what do I do?
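Review bot: the two `ls` paths are relative to `fuzz/`, but unlike the other updated snippets this one has no `cd fuzz`; either add it or write the paths from the repository root (`fuzz/fuzz-fake-hashes/src/bin/`, `fuzz/fuzz-real-hashes/src/bin/`). A single `ls ./fuzz-*/src/bin/` would also cover both crates in one line.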
@@ -134,7 +153,8 @@ mkdir -p ./test_cases/$TARGET
134153echo $HEX | xxd -r -p > ./test_cases/$TARGET /any_filename_works
135154
136155export RUST_BACKTRACE=1
137- cargo test
156+ RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" \
157+ cargo test --manifest-path fuzz-fake-hashes/Cargo.toml --bin " ${TARGET} _target"
138158```
139159
140160Note that if the fuzz test failed locally, moving the offending run's trace
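Review bot: `--bin "${TARGET}_target"` appends `_target` to `$TARGET`, but the honggfuzz section exports `TARGET="msg_ping_target"` with the suffix already included; a reader reusing that variable here gets `msg_ping_target_target`. If `$TARGET` in this section is meant to be the bare name (matching `./test_cases/$TARGET`), say so where it is defined, or use one convention throughout. This reproduction step also covers only the fake-hashes crate; add the real-hashes variant (drop `--cfg=hashes_fuzz`, use `fuzz-real-hashes/Cargo.toml`) as the run sections do.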
@@ -151,7 +171,10 @@ Alternatively, you can use the `stdin_fuzz` feature to pipe the crash input dire
151171creating test case files on disk:
152172
153173``` shell
154- echo -ne ' \x2d\x31\x36\x38\x37\x34\x09\x01...' | cargo run --features stdin_fuzz --bin full_stack_target
174+ cd fuzz
175+ echo -ne ' \x2d\x31\x36\x38\x37\x34\x09\x01...' | \
176+ RUSTFLAGS=" --cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" \
177+ cargo run --manifest-path fuzz-fake-hashes/Cargo.toml --features stdin_fuzz --bin full_stack_target
155178```
156179
157180Panics will abort the process directly (the crate uses ` panic = "abort" ` ), resulting in a
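Review bot: the `\` after `echo -ne '...' |` is redundant, since a line ending in `|` already continues onto the next line; harmless, but drop it for consistency with the other snippets, which only use `\` after a plain command. The `RUSTFLAGS=...` prefix on the continuation line correctly scopes the variable to the `cargo run` command, so no other change is needed here.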
@@ -171,10 +194,13 @@ file are `do_test`, `my_fuzzy_experiment_test`, and `my_fuzzy_experiment_run`.
171194
1721953 . Adjust the body (not the signature!) of ` do_test ` as necessary for the new fuzz test.
173196
174- 4 . In ` fuzz/src/bin/gen_target.sh ` , add a line reading ` GEN_TEST my_fuzzy_experiment ` to the
175- first group of ` GEN_TEST ` lines (starting in line 9).
197+ 4 . In ` fuzz/src/bin/gen_target.sh ` , add a line reading ` GEN_FAKE_HASHES_TEST my_fuzzy_experiment `
198+ to the appropriate target list. Use ` GEN_REAL_HASHES_TEST ` only for targets that must run without
199+ ` hashes_fuzz ` .
176200
1772015 . If your test relies on a new local crate, add that crate as a dependency to ` fuzz/Cargo.toml ` .
202+ If the dependency is only needed by a specific runner crate or fuzz engine setup, add it to the
203+ matching target crate under ` fuzz/fuzz-fake-hashes/Cargo.toml ` or ` fuzz/fuzz-real-hashes/Cargo.toml ` instead.
178204
1792056 . In ` fuzz/src/lib.rs ` , add the line ` pub mod my_fuzzy_experiment ` . Additionally, if
180206you added a new crate dependency, add the ` extern crate […] ` import line.
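Review bot: "the appropriate target list" in step 4 is vaguer than the text it replaces, which pointed at a specific `GEN_TEST` group and line; name the list (the `GEN_FAKE_HASHES_TEST` group in `fuzz/src/bin/gen_target.sh`) so the contributor knows where the line goes. Step 5's rule is also hard to apply: per the first hunk the shared `fuzz/` crate holds the target logic, so any dependency used by `do_test` belongs in `fuzz/Cargo.toml`, and the runner crates only need engine-specific dependencies; stating that directly is clearer than "only needed by a specific runner crate or fuzz engine setup".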