gecko-dev/third_party/rust/bindgen/csmith-fuzzing
..
README.md

README.md

Fuzzing bindgen with csmith

csmith generates random C and C++ programs that can be used as test cases for compilers. When testing bindgen with csmith, we interpret the generated programs as header files, and emit Rust bindings to them. If bindgen panics, the emitted bindings won't compile with rustc, or the generated layout tests in the bindings fail, then we report an issue containing the test case!

Prerequisites

Requires python3, csmith, and creduce to be in $PATH.

Many OS package managers have csmith and creduce packages:

$ sudo apt install csmith creduce
$ brew install csmith creduce
$ # Etc...

Running the Fuzzer

Run csmith and test bindgen on the generated test cases with this command:

$ ./driver.py

The driver will keep running until it encounters an error in bindgen.

Each invocation of ./driver.py will use its own temporary directories, so running it in multiple terminals in parallel is supported.

csmith is run with --no-checksum --nomain --max-block-size 1 --max-block-depth 1 which disables the main function, and makes function bodies as simple as possible as bindgen does not care about them, but they cannot be completely disabled in csmith. Run csmith --help to see what exactly those options do.

Reporting Issues

Once the fuzz driver finds a test case that causes some kind of error in bindgen or its emitted bindings, it is helpful to run C-Reduce on the test case to remove the parts that are irrelevant to reproducing the error. This is very helpful for the folks who further investigate the issue and come up with a fix!

Additionally, mention that you discovered the issue via csmith and we will add the A-csmith label. You can find all the issues discovered with csmith, and related to fuzzing with csmith, by looking up all issues tagged with the A-csmith label.