• Home
Name Date Size #Lines LOC

..--

dictionaries/04-Jul-2025-562529

fuzz_csv_reader_corpus/04-Jul-2025-54

fuzz_elementtree_parsewhole_corpus/04-Jul-2025-438333

fuzz_json_loads_corpus/04-Jul-2025-7265

fuzz_pycompile_corpus/04-Jul-2025-4232

fuzz_sre_compile_corpus/04-Jul-2025-84

fuzz_struct_unpack_corpus/04-Jul-2025-

README.rstD04-Jul-20252.2 KiB6243

_xxtestfuzz.cD04-Jul-20251.1 KiB5345

fuzz_tests.txtD04-Jul-2025205 1211

fuzzer.cD04-Jul-202522.7 KiB715520

README.rst

1Fuzz Tests for CPython
2======================
3
4These fuzz tests are designed to be included in Google's `oss-fuzz`_ project.
5
6oss-fuzz works against a library exposing a function of the form
7``int LLVMFuzzerTestOneInput(const uint8_t* data, size_t length)``. We provide
8that library (``fuzzer.c``), and include a ``_fuzz`` module for testing with
9some toy values -- no fuzzing occurs in Python's test suite.
10
11oss-fuzz will regularly pull from CPython, discover all the tests in
12``fuzz_tests.txt``, and run them -- so adding a new test here means it will
13automatically be run in oss-fuzz, while also being smoke-tested as part of
14CPython's test suite.
15
16In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
17main branch changing relevant files.
18
19Adding a new fuzz test
20----------------------
21
22Add the test name on a new line in ``fuzz_tests.txt``.
23
24In ``fuzzer.c``, add a function to be run::
25
26    static int $fuzz_test_name(const char* data, size_t size) {
27        ...
28        return 0;
29    }
30
31
32And invoke it from ``LLVMFuzzerTestOneInput``::
33
34    #if !defined(_Py_FUZZ_ONE) || defined(_Py_FUZZ_$fuzz_test_name)
35        rv |= _run_fuzz(data, size, $fuzz_test_name);
36    #endif
37
38Don't forget to replace ``$fuzz_test_name`` with your actual test name.
39
40``LLVMFuzzerTestOneInput`` will run in oss-fuzz, with each test in
41``fuzz_tests.txt`` run separately.
42
43Seed data (corpus) for the test can be provided in a subfolder called
44``<test_name>_corpus`` such as ``fuzz_json_loads_corpus``. A wide variety
45of good input samples allows the fuzzer to more easily explore a diverse
46set of paths and provides a better base to find buggy input from.
47
48Dictionaries of tokens (see oss-fuzz documentation for more details) can
49be placed in the ``dictionaries`` folder with the name of the test.
50For example, ``dictionaries/fuzz_json_loads.dict`` contains JSON tokens
51to guide the fuzzer.
52
53What makes a good fuzz test
54---------------------------
55
56Libraries written in C that might handle untrusted data are worthwhile. The
57more complex the logic (e.g. parsing), the more likely this is to be a useful
58fuzz test. See the existing examples for reference, and refer to the
59`oss-fuzz`_ docs.
60
61.. _oss-fuzz: https://github.com/google/oss-fuzz
62