cpython

mirror of https://github.com/python/cpython.git synced 2026-04-20 02:40:59 +00:00

History

Stan Ulbrych ee5232782f Update and expand the 'Fuzz Tests for CPython' README (#148270 )		2026-04-09 08:52:30 +01:00
..
dictionaries	Fix entry in `fuzz_pycompile.dict` (GH-146069)	2026-03-18 13:43:55 +01:00
fuzz_csv_reader_corpus	bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)	2019-06-29 22:54:42 -07:00
fuzz_elementtree_parsewhole_corpus	Add a fuzz target for `_elementtree.XMLParser._parse_whole` (#111477 )	2023-11-03 14:01:56 -07:00
fuzz_json_loads_corpus	bpo-29505: Fuzz json module, enforce size limit on int(x) fuzz (GH-13991)	2019-06-11 21:30:34 -07:00
fuzz_pycompile_corpus	Add a fuzzer for `Py_CompileStringExFlags` (#111721 )	2023-12-10 12:16:15 -05:00
fuzz_sre_compile_corpus	bpo-29505: Add more fuzzing for re.compile, re.load and csv.reader (GH-14255)	2019-06-29 22:54:42 -07:00
fuzz_struct_unpack_corpus	Fuzz struct.unpack and catch RecursionError in re.compile (GH-18679)	2020-02-27 23:05:02 -08:00
_xxtestfuzz.c	gh-128341: Use _Py_ABI_SLOT in stdlib modules (#145770 )	2026-03-24 17:47:55 +00:00
fuzz_tests.txt	Add a fuzzer for `Py_CompileStringExFlags` (#111721 )	2023-12-10 12:16:15 -05:00
fuzzer.c	Fix `fuzz_builtin_int` fuzzer reproducibility (#145890 )	2026-03-14 11:11:29 -07:00
README.rst	Update and expand the 'Fuzz Tests for CPython' README (#148270 )	2026-04-09 08:52:30 +01:00

README.rst

Fuzz Tests for CPython
======================

These fuzz tests are designed to be included in Google's `OSS-Fuzz`_ project.

OSS-Fuzz works against a library exposing a function of the form
``int LLVMFuzzerTestOneInput(const uint8_t* data, size_t length)``. We provide
that library (``fuzzer.c``), and include a ``_xxtestfuzz`` module for testing with
some toy values -- no fuzzing occurs in Python's test suite.

OSS-Fuzz will regularly pull from CPython, discover all the tests in
``fuzz_tests.txt``, and run them -- so adding a new test here means it will
automatically be run in OSS-Fuzz, while also being smoke-tested as part of
CPython's test suite.

In addition, the tests are run on GitHub Actions using `CIFuzz
<https://google.github.io/oss-fuzz/getting-started/continuous-integration/>`_
for PRs to the ``main`` branch changing relevant files.


Adding a new fuzz test
----------------------

Add the test name on a new line in ``fuzz_tests.txt``.

In ``fuzzer.c``, add a function to be run::

    static int $fuzz_test_name(const char* data, size_t size) {
        ...
        return 0;
    }

And invoke it from ``LLVMFuzzerTestOneInput``::

    #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_$fuzz_test_name)
        rv |= _run_fuzz(data, size, $fuzz_test_name);
    #endif

Don't forget to replace ``$fuzz_test_name`` with your actual test name.

``LLVMFuzzerTestOneInput`` will run in OSS-Fuzz, with each test in
``fuzz_tests.txt`` run separately.

Seed data (corpus) for the test can be provided in a subfolder called
``<test_name>_corpus`` such as ``fuzz_json_loads_corpus``. A wide variety
of good input samples allows the fuzzer to more easily explore a diverse
set of paths and provides a better base to find buggy input from.

Dictionaries of tokens (see the `libFuzzer documentation
<https://llvm.org/docs/LibFuzzer.html#dictionaries>`_ for more information) can
be placed in the ``dictionaries/`` folder with the name of the test.
For example, ``dictionaries/fuzz_json_loads.dict`` contains JSON tokens
to guide the fuzzer.


What makes a good fuzz test
---------------------------

Libraries written in C that might handle untrusted data are worthwhile. The
more complex the logic (e.g., parsing), the more likely this is to be a useful
fuzz test. See the existing examples for reference, and refer to the
`OSS-Fuzz`_ docs.

.. _OSS-Fuzz: https://github.com/google/oss-fuzz