Closed gdiscry closed 2 years ago
Hi Georges, you're right, it would be possible for Fuzz() to take the callback instead of Setup(). Unfortunately, doing so in a backwards-compatible way would mean adding extra complexity to the API and the argument handling. Atheris would have to support the callback argument in either place. If this enabled additional features, that may be worth it; however, as you mentioned you can just use a wrapper function to solve the problem for your use-case. I don't think it's worth adding the complexity to Atheris.
For my projects, I implemented a generic fuzzer based on Atheris that can target any function with

The options with a single dash are consumed by Atheris (for libFuzzer), the options with two dashes are used by my fuzzer and the positional arguments are the corpus (used by both libFuzzer and my fuzzer). Depending on some options, my fuzzer will either call `atheris.Fuzz()` or perform another action using the target and the corpus files. Here is a simplified version that only calls `atheris.Fuzz()`:
The separation between `Setup()` and `Fuzz()` is useful for my use case. However, I cannot understand why the target must be passed to `Setup()`. I have read the code of `Setup()` and `Fuzz()` and found nothing explaining why the target is required as early as `Setup()`: the target is simply stored by `Setup()` until `Fuzz()` is called.

As seen above, I have to jump through hoops to fuzz the real target by setting up a proxy target. By passing the target to `Fuzz()` instead of `Setup()`, the code would be greatly simplified:

This change wouldn't make things more complicated when the target is hard-coded, and could be introduced in a backward compatible way.
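As an added example (not the code from this issue and not part of Atheris itself), the harness pattern the post describes: single-dash options are passed through to libFuzzer via `atheris.Setup()`, double-dash options are handled by the wrapper, positional arguments are the corpus, and a proxy target wraps the real function so the callback can be registered before the target is chosen. The target `parse_kv_line`, the `--replay` option, and the seed inputs are assumptions made for illustration; the `atheris` calls are only reached when the module is installed, otherwise the corpus is replayed through the target directly.

```python
"""Generic Atheris-style harness (illustrative, not the issue author's code).

argv routing: "-opt" -> libFuzzer (via atheris.Setup), "--opt[=val]" -> this
harness, anything else -> corpus file or directory.
"""
import sys
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple, Union

# Hypothetical function under test: a tiny "key=value" parser whose documented
# failure mode is ValueError on input without an '='.
def parse_kv_line(data: bytes) -> Dict[str, str]:
    text = data.decode("utf-8", errors="replace")
    if "=" not in text:
        raise ValueError("missing '='")
    key, _, value = text.partition("=")
    return {key.strip(): value.strip()}

# Constructed seed corpus so the script runs without any files on disk.
SEED_INPUTS = [b"key=value", b"novalue", b"=empty"]


def split_args(argv: List[str]) -> Tuple[List[str], Dict[str, Union[str, bool]], List[str]]:
    """Route argv into (libfuzzer_args, harness_options, corpus_paths).

    argv[0] is kept in libfuzzer_args because libFuzzer expects a program name.
    """
    libfuzzer: List[str] = [argv[0]]
    options: Dict[str, Union[str, bool]] = {}
    corpus: List[str] = []
    for arg in argv[1:]:
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            options[name] = value if value else True
        elif arg.startswith("-"):
            libfuzzer.append(arg)  # e.g. -max_len=64, consumed by libFuzzer
        else:
            corpus.append(arg)
    return libfuzzer, options, corpus


def make_proxy_target(target: Callable[[bytes], object],
                      expected=(ValueError,)) -> Callable[[bytes], None]:
    """Build the one-argument callback Atheris expects, wrapping `target`.

    Documented exceptions are swallowed; anything else propagates so libFuzzer
    records it as a crash.
    """
    def test_one_input(data: bytes) -> None:
        try:
            target(data)
        except expected:
            pass
    return test_one_input


def replay_inputs(test_one_input: Callable[[bytes], None], inputs: Iterable[bytes]) -> int:
    """Feed each input to the callback without libFuzzer; returns the count run."""
    count = 0
    for data in inputs:
        test_one_input(data)
        count += 1
    return count


def replay_corpus(test_one_input: Callable[[bytes], None], paths: Iterable[str]) -> int:
    """Replay every corpus file (or every file in each corpus directory)."""
    files = []
    for path in paths:
        p = Path(path)
        files.extend(sorted(f for f in p.iterdir() if f.is_file()) if p.is_dir() else [p])
    return replay_inputs(test_one_input, (f.read_bytes() for f in files))


def main(argv: List[str] = None) -> int:
    argv = sys.argv if argv is None else argv
    libfuzzer_args, options, corpus = split_args(argv)
    target = make_proxy_target(parse_kv_line)  # the "proxy target" from the post
    if options.get("replay"):
        inputs = SEED_INPUTS if not corpus else None
        return replay_inputs(target, inputs) if inputs else replay_corpus(target, corpus)
    try:
        import atheris  # only imported when actually fuzzing
    except ImportError:
        sys.exit("atheris is not installed; use --replay to run the corpus directly")
    atheris.Setup(libfuzzer_args + corpus, target)  # corpus dirs go to libFuzzer
    atheris.Fuzz()
    return 0


if __name__ == "__main__":
    print("inputs run:", main())
```

Invoked as `python harness.py -max_len=64 --replay corpus/`, the harness replays the corpus directory; without `--replay` it hands the single-dash options and corpus paths to libFuzzer through `atheris.Setup()` and starts fuzzing.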