|
1 | | -Fuzz bindgen with `csmith` https://github.com/csmith-project/csmith . |
| 1 | +# Fuzzing `bindgen` with `csmith` |
2 | 2 |
|
3 | | -Run with `python3 driver.py`. It will run until until it encounters an error in `bindgen`. |
| 3 | +[`csmith`][csmith] generates random C and C++ programs that can be used as test |
| 4 | +cases for compilers. When testing `bindgen` with `csmith`, we interpret the |
| 5 | +generated programs as header files, and emit Rust bindings to them. If `bindgen` |
| 6 | +panics, the emitted bindings won't compile with `rustc`, or the generated layout |
| 7 | +tests in the bindings fail, then we report an issue containing the test case! |
| 8 | + |
| 9 | +<!-- START doctoc generated TOC please keep comment here to allow auto update --> |
| 10 | +<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> |
| 11 | + |
| 12 | + |
| 13 | +- [Prerequisites](#prerequisites) |
| 14 | +- [Running the Fuzzer](#running-the-fuzzer) |
| 15 | +- [Reporting Issues](#reporting-issues) |
| 16 | + |
| 17 | +<!-- END doctoc generated TOC please keep comment here to allow auto update --> |
| 18 | + |
| 19 | +## Prerequisites |
4 | 20 |
|
5 | 21 | Requires `python3`, `csmith` and `bindgen` to be in `$PATH`. |
6 | 22 |
|
7 | | -csmith is run with `--no-checksum --nomain --max-block-size 1 --max-block-depth 1` which disables the `main` function and makes function bodies as simple as possible as bindgen does not care about them but they cannot be completely disabled in csmith. Run `csmith --help` to see what exactly those options do. |
| 23 | +Many OS package managers have a `csmith` package: |
| 24 | + |
| 25 | +``` |
| 26 | +$ sudo apt install csmith |
| 27 | +$ brew install csmith |
| 28 | +$ # Etc... |
| 29 | +``` |
| 30 | + |
| 31 | +## Running the Fuzzer |
| 32 | + |
| 33 | +Run `csmith` and test `bindgen` on the generated test cases with this command: |
| 34 | + |
| 35 | +``` |
| 36 | +$ ./driver.py |
| 37 | +``` |
| 38 | + |
| 39 | +The driver will keep running until it encounters an error in `bindgen`. |
| 40 | + |
| 41 | +Each invocation of `./driver.py` will use its own temporary directories, so |
| 42 | +running it in multiple terminals in parallel is supported. |
| 43 | + |
| 44 | +`csmith` is run with `--no-checksum --nomain --max-block-size 1 |
| 45 | +--max-block-depth 1` which disables the `main` function, and makes function |
| 46 | +bodies as simple as possible as `bindgen` does not care about them, but they |
| 47 | +cannot be completely disabled in `csmith`. Run `csmith --help` to see what |
| 48 | +exactly those options do. |
| 49 | + |
| 50 | +## Reporting Issues |
| 51 | + |
| 52 | +Once the fuzz driver finds a test case that causes some kind of error in |
| 53 | +`bindgen` or its emitted bindings, it is helpful to |
| 54 | +[run C-Reduce on the test case][creducing] to remove the parts that are |
| 55 | +irrelevant to reproducing the error. This is ***very*** helpful for the folks |
| 56 | +who further investigate the issue and come up with a fix! |
| 57 | + |
| 58 | +Additionally, mention that you discovered the issue via `csmith` and we will add |
| 59 | +the `A-csmith` label. You can find all the issues discovered with `csmith`, and |
| 60 | +related to fuzzing with `csmith`, by looking up |
| 61 | +[all issues tagged with the `A-csmith` label][csmith-issues]. |
| 62 | + |
| 63 | +[csmith]: https://github.com/csmith-project/csmith |
| 64 | +[creducing]: ../CONTRIBUTING.md#using-creduce-to-minimize-test-cases |
| 65 | +[csmith-issues]: https://github.com/rust-lang-nursery/rust-bindgen/issues?q=label%3AA-csmith |
0 commit comments