hgarrereyn / GraphFuzz

GraphFuzz is an experimental framework for building structure-aware, library API fuzzers.
https://hgarrereyn.github.io/GraphFuzz
MIT License

the `fuzz_exec.cpp` does not contain any function call #7

Closed (frokaikan closed this 1 year ago)

frokaikan commented 2 years ago

Hi, thanks for producing this great work! I'm trying to generate a fuzz harness for freetype2. I first build freetype in <freetype-dir>/asan_build with AddressSanitizer, then run graphfuzz in <freetype-dir>/gfuzz_dir with

```sh
doxygen config
gfuzz schema infer xml output.yaml
mkdir output
gfuzz gen cpp output.yaml output
```

The input argument is ... But the output/fuzz_exec.cpp does not contain any function call operation, such as FT_Init_FreeType or FT_New_Face. Here is the fuzz_exec.cpp. (GitHub does not allow uploading a file with the .cpp suffix, so I renamed it fuzz_exec.txt.) Thanks a lot! fuzz_exec.txt

hgarrereyn commented 2 years ago

Hi, the doxygen tool is still experimental and currently only supports C++ libraries.

Glancing over the freetype2 API surface, it does look like you can use GraphFuzz to fuzz it but you will need to create the schema.yaml yourself.

As a reference, I would recommend looking at the sqlite3 schema.yaml for an example of how to harness a C library: https://github.com/hgarrereyn/GraphFuzz/blob/master/experiments/sqlite3/in/f1/schema.yaml

I'm excited to see what you will be able to do! Please let me know if you have questions about this process or get stuck; I'd be happy to help you get started with applying GraphFuzz to freetype2.