forked from google/oss-fuzz
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[docs] Update the glossary page to depend on google/fuzzing repo + mi…
…nor tweaks. (google#2659) * [docs] Update the glossary page to depend on google/fuzzing repo + minor tweaks. * fix a broken link
- Loading branch information
Showing
1 changed file
with
36 additions
and
72 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,91 +1,55 @@ | ||
| # Glossary | ||
|
|
||
| Naming things is hard, so this page tries to reduce confusion around fuzzing-related terminology. | ||
| For general fuzzing terms, see the [glossary] from [google/fuzzing] project, | ||
|
|
||
| ## Corpus | ||
| Or **test corpus**, or **fuzzing corpus**.<BR> | ||
| A set of [test inputs](#test-input). In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage. | ||
| [glossary]: https://github.com/google/fuzzing/blob/master/docs/glossary.md | ||
| [google/fuzzing]: https://github.com/google/fuzzing | ||
|
|
||
| ## Cross-pollination | ||
| The term is taken from botany, where one plant pollinates a plant of another variety. | ||
| In fuzzing, cross-pollination means using a corpus for one | ||
| [fuzz target](#fuzz-target) to expand a [corpus](#corpus) for another fuzz target. | ||
| For example, if there are two libraries that process the same common data | ||
| format, it is often benefitial to cross-pollinate their respective corpora. | ||
| ## OSS-Fuzz specific terms | ||
|
|
||
| ## Fuzz Target | ||
| Or **Target Function**, or **Fuzzing Target Function**, or **Fuzzing Entry Point**.<BR> | ||
| A function to which we apply fuzzing. A [specific signature](http://libfuzzer.info#fuzz-target) is required for OSS-Fuzz. | ||
| Examples: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/x509.c), | ||
| [re2](https://github.com/google/re2/blob/master/re2/fuzzing/re2_fuzzer.cc), | ||
| [SQLite](https://www.sqlite.org/src/artifact/ad79e867fb504338). | ||
| ### ClusterFuzz | ||
|
|
||
| A fuzz target can be used to [reproduce bug reports](reproducing.md). | ||
| It is recommended to use it for regression testing as well (see [ideal integration](ideal_integration.md)). | ||
| A scalable fuzzing infrastructure that is used for OSS-Fuzz backend. | ||
| [ClusterFuzz] is also used to fuzz Chrome and many other projects. A quick | ||
| overview of ClusterFuzz user interface is available on this [page]. | ||
|
|
||
| ## Fuzzer | ||
| [page]: clusterfuzz.md | ||
| [ClusterFuzz]: https://github.com/google/clusterfuzz | ||
|
|
||
| The most overloaded term and used in a variety of contexts, which makes it bad. | ||
| Sometimes, "Fuzzer" is referred to a [fuzz target](#fuzz-target), | ||
| a [fuzzing engine](#fuzzing-engine), | ||
| a [mutation engine](#mutation-engine), | ||
| a [test generator](#test-generator) or | ||
| a [fuzzer build](#job-type). | ||
| ### Fuzz Target | ||
|
|
||
| ## Fuzzing Engine | ||
| In addition to its general definition, in OSS-Fuzz a fuzz target can be used to | ||
| [reproduce bug reports](reproducing.md). It is recommended to use it for | ||
| regression testing as well (see [ideal integration](ideal_integration.md)). | ||
|
|
||
| A tool that tries to find interesting inputs for a [fuzz target](#fuzz-target) by executing it. | ||
| Examples: [libFuzzer](http://libfuzzer.info), | ||
| [AFL](lcamtuf.coredump.cx/afl/), | ||
| [honggfuzz](https://github.com/google/honggfuzz), etc | ||
| ### Job type | ||
|
|
||
| See related terms [Mutation Engine](#mutation-engine) and [Test Generator](#test-generator). | ||
| Or **Fuzzer Build**. | ||
|
|
||
| ## Job type | ||
| This refers to a build that contains all the [fuzz targets] for a given | ||
| [project](#project), is run with a specific [fuzzing engine], in a specific | ||
| build mode (e.g. with enabled/disabled assertions), and optionally combined | ||
| with a [sanitizer]. | ||
|
|
||
| Or **Fuzzer Build**.<BR> | ||
| A [ClusterFuzz](clusterfuzz.md)-specific term. | ||
| This refers to a build that contains all the [fuzz targets](#fuzz-target) for a given [project](#project), is run | ||
| with a specific [fuzzing engine](#fuzzing-engine), in a specific build mode (e.g. with enabled/disabled assertions), | ||
| and optionally combined with a [sanitizer](#sanitizer). | ||
| For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of | ||
| all sqlite3 [fuzz targets] using [libFuzzer](http://libfuzzer.info) and | ||
| [ASan](http://clang.llvm.org/docs/AddressSanitizer.html). | ||
|
|
||
| For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 [fuzz targets](#fuzz-target) using | ||
| [libFuzzer](http://libfuzzer.info) and [ASan](http://clang.llvm.org/docs/AddressSanitizer.html). | ||
|
|
||
|
|
||
| ## Mutation Engine | ||
| A tool that takes a set of testcases as input and creates their mutated versions. | ||
| It is just a generator and does not feed the mutations to [fuzz target](#fuzz-target). | ||
| Example: [radamsa](https://github.com/aoh/radamsa) (a generic test mutator). | ||
|
|
||
| ## Project | ||
| ### Project | ||
|
|
||
| A project is an open source software project that is integrated with OSS-Fuzz. | ||
| Each project has a single set of configuration files | ||
| (example: [expat](https://github.com/google/oss-fuzz/tree/master/projects/expat)) and | ||
| may have one or more [fuzz targets](#fuzz-target) | ||
| (example: [expat](https://github.com/google/oss-fuzz/tree/master/projects/expat)) | ||
| and may have one or more [fuzz targets] | ||
| (example: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/)). | ||
|
|
||
| ## Reproducer | ||
| Or a **testcase**.<BR> | ||
| A [test input](#test-input) that causes a specific bug to reproduce. | ||
|
|
||
| ## [Sanitizer](https://github.com/google/sanitizers) | ||
| A [dynamic testing](https://en.wikipedia.org/wiki/Dynamic_testing) tool that can detect bugs during program execution. | ||
| Examples: | ||
| [ASan](http://clang.llvm.org/docs/AddressSanitizer.html), | ||
| [DFSan](http://clang.llvm.org/docs/DataFlowSanitizer.html), | ||
| [LSan](http://clang.llvm.org/docs/LeakSanitizer.html), | ||
| [MSan](http://clang.llvm.org/docs/MemorySanitizer.html), | ||
| [TSan](http://clang.llvm.org/docs/ThreadSanitizer.html), | ||
| [UBSan](http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html). | ||
|
|
||
| ## Test Generator | ||
| A tool that generates testcases from scratch according to some rules or grammar. | ||
| Examples: | ||
| [csmith](https://embed.cs.utah.edu/csmith/) (a test generator for C language), | ||
| [cross_fuzz](http://lcamtuf.coredump.cx/cross_fuzz/) (a cross-document DOM binding test generator). | ||
|
|
||
| ## Test Input | ||
| A sequence of bytes that is used as input to a [fuzz target](#fuzz-target). | ||
| Typically, a test input is stored in a separate file. | ||
| ### Reproducer | ||
|
|
||
| Or a **testcase**. | ||
|
|
||
| A [test input] that causes a specific bug to reproduce. | ||
|
|
||
| [fuzz targets]: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzz-target | ||
| [fuzzing engine]: https://github.com/google/fuzzing/blob/master/docs/glossary.md#fuzzing-engine | ||
| [sanitizer]: https://github.com/google/fuzzing/blob/master/docs/glossary.md#sanitizer | ||
| [test input]: https://github.com/google/fuzzing/blob/master/docs/glossary.md#test-input |