Glossary

Naming things is hard, so this page tries to reduce confusion around fuzzing-related terminology.

Corpus

Or test corpus, or fuzzing corpus.
A set of test inputs. In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage.

Cross-pollination

The term is taken from botany, where one plant pollinates a plant of another variety. In fuzzing, cross-pollination means using a corpus for one fuzz target to expand a corpus for another fuzz target. For example, if there are two libraries that process the same common data format, it is often beneficial to cross-pollinate their respective corpora.

Fuzz Target

Or Target Function, or Fuzzing Target Function, or Fuzzing Entry Point.
A function to which we apply fuzzing. A specific signature is required for OSS-Fuzz. Examples: openssl, re2, SQLite.

A fuzz target can be used to reproduce bug reports. It is recommended to use it for regression testing as well (see ideal integration).
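As an added illustration (not code from the OSS-Fuzz project), the following shows a fuzz target with the libFuzzer-style entry point signature and the same function reused to replay stored test inputs for regression testing. The parser `parse_records`, the helper `replay_all` and the sample byte arrays are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical code under test: parses [1-byte length][payload] records.
 * Returns the number of records parsed, or -1 on malformed input. */
static int parse_records(const uint8_t *data, size_t size) {
    size_t pos = 0;
    int count = 0;
    uint8_t payload[255];
    while (pos < size) {
        size_t len = data[pos++];
        if (len > size - pos)   /* declared length exceeds remaining bytes */
            return -1;
        memcpy(payload, data + pos, len);
        pos += len;
        count++;
    }
    return count;
}

/* Fuzz target: the entry point a libFuzzer-compatible fuzzing engine calls
 * once per test input. It must accept any byte sequence and return 0;
 * bugs surface as crashes or sanitizer reports, not as return values. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)parse_records(data, size);
    return 0;
}

/* Constructed sample test inputs; in practice these are corpus or
 * reproducer files read from disk. */
static const uint8_t kValid[] = {0x02, 'h', 'i', 0x00, 0x01, '!'};
static const uint8_t kTruncated[] = {0x05, 'a', 'b'};

/* Regression use: replay stored inputs through the same entry point,
 * with no fuzzing engine involved. Returns the number of failures. */
int replay_all(void) {
    int failures = 0;
    failures += LLVMFuzzerTestOneInput(kValid, sizeof kValid) != 0;
    failures += LLVMFuzzerTestOneInput(kTruncated, sizeof kTruncated) != 0;
    failures += LLVMFuzzerTestOneInput(kValid, 0) != 0;  /* empty input */
    return failures;
}
```

When linked against a fuzzing engine, the engine supplies `main` and calls the target repeatedly; a regression test calls `replay_all` instead.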

Fuzzer

The most overloaded term, used in a variety of contexts, which makes it a bad one. Sometimes "fuzzer" refers to a fuzz target, a fuzzing engine, a mutation engine, a test generator or a fuzzer build.

Fuzzing Engine

A tool that tries to find interesting inputs for a fuzz target by executing it. Examples: libFuzzer, AFL, honggfuzz, etc.

See related terms Mutation Engine and Test Generator.

Job type

Or Fuzzer Build.
A ClusterFuzz-specific term. This refers to a build that contains all the fuzz targets for a given project, is run with a specific fuzzing engine, in a specific build mode (e.g. with enabled/disabled assertions), and optionally combined with a sanitizer.

For example, we have a "libfuzzer_asan_sqlite" job type, indicating a build of all sqlite3 fuzz targets using libFuzzer and ASan.

Mutation Engine

A tool that takes a set of testcases as input and creates their mutated versions. It is just a generator and does not feed the mutations to a fuzz target. Example: radamsa (a generic test mutator).

Project

A project is an open source software project that is integrated with OSS-Fuzz. Each project has a single set of configuration files (example: expat) and may have one or more fuzz targets (example: openssl).

Reproducer

Or a testcase.
A test input that causes a specific bug to reproduce.

Sanitizer

A dynamic testing tool that can detect bugs during program execution. Examples: ASan, DFSan, LSan, MSan, TSan, UBSan.

Test Generator

A tool that generates testcases from scratch according to some rules or grammar. Examples: csmith (a test generator for C language), cross_fuzz (a cross-document DOM binding test generator).

Test Input

A sequence of bytes that is used as input to a fuzz target. Typically, a test input is stored in a separate file.