Naming things is hard, so this page tries to reduce confusion around fuzzing-related terminology.
Or test corpus, or fuzzing corpus.
A set of test inputs. In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage.
The term is taken from botany, where one plant pollinates a plant of another variety. In fuzzing, cross-pollination means using a corpus for one fuzz target to expand a corpus for another fuzz target. For example, if there are two libraries that process the same common data format, it is often beneficial to cross-pollinate their respective corpora.
Or Target Function, or Fuzzing Target Function, or Fuzzing Entry Point.
A function to which we apply fuzzing. A specific signature is required for OSS-Fuzz.
Examples: openssl, re2, SQLite.
A fuzz target can be used to reproduce bug reports. It is recommended to use it for regression testing as well (see ideal integration).
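The following added example (not OSS-Fuzz's own code) shows a fuzz target with the `LLVMFuzzerTestOneInput` entry point used by libFuzzer-compatible engines, and the same function reused as a regression test by replaying stored test inputs. The `parse_record` function, its record format and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical code under test: one length byte N, then N payload bytes.
 * Returns the payload length copied to out, or -1 if the record is malformed. */
static int parse_record(const uint8_t *buf, size_t len, uint8_t *out, size_t cap) {
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n > len - 1) return -1; /* length byte claims more than was supplied */
    if (n > cap) return -1;     /* payload would overflow the caller's buffer */
    memcpy(out, buf + 1, n);
    return (int)n;
}

/* Fuzz target: the fuzzing engine calls this once per test input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t payload[16];
    int n = parse_record(data, size, payload, sizeof payload);
    if (n > (int)sizeof payload) abort(); /* invariant violated: surfaces as a crash */
    return 0;
}

/* Constructed test inputs, standing in for corpus files and reproducers. */
static const uint8_t in_valid[] = {0x03, 'a', 'b', 'c'};
static const uint8_t in_empty_payload[] = {0x00};
static const uint8_t in_truncated[] = {0x05, 'a'}; /* claims 5 bytes, has 1 */
static const uint8_t in_too_big[33] = {0x20};      /* 32-byte payload, cap is 16 */

/* Regression test: replay every stored input through the same fuzz target. */
static int replay_inputs(void) {
    const struct { const uint8_t *p; size_t n; } inputs[] = {
        {in_valid, sizeof in_valid}, {in_empty_payload, sizeof in_empty_payload},
        {in_truncated, sizeof in_truncated}, {in_too_big, sizeof in_too_big},
    };
    int replayed = 0;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        LLVMFuzzerTestOneInput(inputs[i].p, inputs[i].n);
        replayed++;
    }
    return replayed;
}

/* Stand-alone driver; drop it when linking a fuzzing engine, which has its own main. */
int main(void) { return replay_inputs() == 4 ? 0 : 1; }
```

Building the replay driver with a sanitizer enabled makes a memory error in the parser abort the run instead of passing silently.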
The most overloaded term, used in a variety of contexts, which makes it a bad one. Sometimes "fuzzer" is used to refer to a fuzz target, a fuzzing engine, a mutation engine, a test generator or a fuzzer build.
A tool that tries to find interesting inputs for a fuzz target by executing it. Examples: libFuzzer, AFL, honggfuzz, etc.
See related terms Mutation Engine and Test Generator.
Or Fuzzer Build.
A ClusterFuzz-specific term.
This refers to a build that contains all the fuzz targets for a given project, is run with a specific fuzzing engine, in a specific build mode (e.g. with enabled/disabled assertions), and optionally combined with a sanitizer.
For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 fuzz targets using libFuzzer and ASan.
A tool that takes a set of testcases as input and creates their mutated versions. It is just a generator and does not feed the mutations to a fuzz target. Example: radamsa (a generic test mutator).
A project is an open source software project that is integrated with OSS-Fuzz. Each project has a single set of configuration files (example: expat) and may have one or more fuzz targets (example: openssl).
Or a testcase.
A test input that causes a specific bug to reproduce.
A dynamic testing tool that can detect bugs during program execution. Examples: ASan, DFSan, LSan, MSan, TSan, UBSan.
A tool that generates testcases from scratch according to some rules or grammar. Examples: csmith (a test generator for C language), cross_fuzz (a cross-document DOM binding test generator).
A sequence of bytes that is used as input to a fuzz target. Typically, a test input is stored in a separate file.