Commit 6e39690

committed
Changes to fuzzer doc
1 parent 09c8479 commit 6e39690

File tree

1 file changed

+15
-10
lines changed

docs/Fuzzing Platform.md

Lines changed: 15 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -18,16 +18,21 @@ predefined values.
1818

1919
General API for using fuzzer looks like this:
2020

21-
```kotlin
21+
```
2222
fuzz(
2323
params = "number", "string", "object<object, number>: number, string",
24+
seedGenerator = (type: Type) -> seeds
2425
details: (constants, providers, etc)
25-
).accept { values: List ->
26-
val feedback = exec(values);
26+
).forEveryGeneratedValues { values: List ->
27+
feedback = exec(values);
2728
return feedback
2829
}
2930
```
3031

32+
Fuzzer accepts list of types which can be provided in different formats: string, object or Class<*> in Java. Then seed
33+
generator accepts these types and produces seeds which are used as base objects for value generation and mutations.
34+
Fuzzing logic about how to choose, combine and mutate values from seed set is only fuzzing responsibility. API should not provide such abilities except general fuzzing configuring.
35+
3136
## Parameters
3237

3338
The general fuzzing process gets the list of parameter descriptions as input and returns the corresponding list of values. The simplest description is the specific object type, for example:
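Review bot: the replacement of the opening fence "```kotlin" with a bare "```" (old line 21, new line 21) drops the language tag and so loses syntax highlighting for the API sketch; keep "```kotlin" unless the intent was to mark this as pseudocode, in which case say so in the lead sentence. The same hunk renames `accept` to `forEveryGeneratedValues`, adds `seedGenerator = (type: Type) -> seeds`, and drops `val` from `feedback = exec(values);`, but the snippet still mixes `=` and `:` for named arguments (`params =` and `seedGenerator =` beside `details:`), which is worth making consistent while the block is being touched. The new paragraph also needs a grammar pass: "Fuzzer accepts list of types" reads better as "The fuzzer accepts a list of types", "Then seed generator" as "The seed generator then", and "is only fuzzing responsibility" as "is solely the fuzzer's responsibility".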
@@ -62,13 +67,13 @@ Thus, FP interprets the _Byte_ and _Unsigned Byte_ descriptions in different way
6267

6368
During the fuzzing process, some parameters get the refined description, for example:
6469

65-
```java
66-
public boolean isNaN(Number n) {
67-
if (!(n instanceof Double)) {
68-
return false;
69-
}
70-
return Double.isNaN((Double) n);
70+
```
71+
public boolean isNaN(Number n) {
72+
if (!(n instanceof Double)) {
73+
return false;
7174
}
75+
return Double.isNaN((Double) n);
76+
}
7277
```
7378

7479
In the above example, let the parameter be `Integer`. Considering the feedback, the fuzzer suggests that nothing but `Double` might increase coverage, so the type may be downcasted to `Double`. This allows for filtering out a priori unfitting values.
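Review bot: the opening fence "```java" (old line 65) is replaced with a bare "```" (new line 70), which removes syntax highlighting from the `isNaN` example; the rest of the hunk is a whitespace-only re-indentation of the same six lines, so restoring "```java" would reduce this hunk to a pure indentation change. If the re-indentation is intentional, a word about it in the commit message ("Changes to fuzzer doc" does not say what changed) would help future readers of the history.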
@@ -88,7 +93,7 @@ _Dynamic_ values are generated in two ways:
8893

8994
Dynamic values should have the higher priority for a sample, that's why they should be chosen either first or at least more likely than the statically generated ones. In general, the algorithm that guides the fuzzing process looks like this:
9095

91-
```python
96+
```
9297
# dynamic values are stored with respect to their return priority
9398
dynamic_values = empty_priority_queue()
9499
# static values are generated beforehand
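Review bot: as in the two hunks above, the only change here is swapping "```python" (old line 91) for a bare "```" (new line 96), which drops the language tag on the algorithm sketch that follows (`dynamic_values = empty_priority_queue()` and the comments around it); keep "```python" so the pseudocode stays highlighted and consistent with the other fenced blocks in this file.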
