mirrors/ghostty
1
0
Fork 0
mirror of https://github.com/ghostty-org/ghostty.git synced 2026-04-06 07:38:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4f44879c3b044264be558b1bf79e80c8f8bb1fd7
ghostty/test/fuzz-libghostty/AGENTS.md
Mitchell Hashimoto 4f44879c3b Clean up how fuzzers are laid out
2026-03-01 14:55:07 -08:00

1.6 KiB
Raw Blame History

AFL++ Fuzzer for Libghostty

  • Build all fuzzer with zig build
  • The list of available fuzzers is in build.zig (search for fuzzers).
  • Run a specific fuzzer with zig build run-<name> (e.g. zig build run-parser)
  • Corpus directories follow the naming convention corpus/<fuzzer>-<variant> (e.g. corpus/parser-initial, corpus/stream-cmin).
  • After running afl-cmin/afl-tmin, run corpus/sanitize-filenames.sh before committing to replace colons with underscores (colons are invalid on Windows NTFS).

Important: stdin-based input

The instrumented binaries (afl.c harness) read fuzz input from stdin, not from a file argument. This affects how you invoke AFL++ tools:

  • afl-fuzz: Uses shared-memory fuzzing automatically; @@ works because AFL writes directly to shared memory, bypassing file I/O.

  • afl-showmap: Must pipe input via stdin, not @@:

    cat testcase | afl-showmap -o map.txt -- zig-out/bin/fuzz-stream

  • afl-cmin: Do not use @@. Requires AFL_NO_FORKSRV=1 with the bash version due to a bug in the Python afl-cmin (AFL++ 4.35c):

    AFL_NO_FORKSRV=1 /opt/homebrew/Cellar/afl++/4.35c/libexec/afl-cmin.bash \
  -i afl-out/fuzz-stream/default/queue -o corpus/stream-cmin \
  -- zig-out/bin/fuzz-stream

  • afl-tmin: Also requires AFL_NO_FORKSRV=1, no @@:

    AFL_NO_FORKSRV=1 afl-tmin -i <input> -o <output> -- zig-out/bin/fuzz-stream

If you pass @@ or a filename argument, afl-showmap/afl-cmin/afl-tmin will see only ~4 tuples (the C main paths) and produce useless results.