
How to fuzz a project containing C++ code? #338

Open
nbigaouette opened this issue Jun 2, 2023 · 1 comment

@nbigaouette

I've been using cargo-fuzz and afl.rs to fuzz my (pure) rust projects, but one of those contains C++ code that I would like to be included in the fuzzing process.

The project structure looks like this:

├── build.rs
├── Cargo.toml
└── src
   ├── cpp
   │  ├── CMakeLists.txt
   │  ├── file.cpp
   │  └── file.hpp
   └── lib.rs

The rust build script will call cmake to build the C++ code which will be linked in the final Rust library.

Can I use cargo afl to fuzz not only the Rust code but also the C++ code? What would be required to do so? Would the C++ code need to be compiled in a certain way that cargo afl cannot control (and thus I'd have to tweak my CMakeLists.txt)? Would I need to install something else (f.e. install/compile afl itself as described here: https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.lto.md)?

I'm on macOS which comes with clang (from XCode). Is that sufficient, or should a different llvm/clang be used (f.e. from homebrew)?

Thanks!

@smoelius
Member

smoelius commented Jun 5, 2023

Hi, @nbigaouette.

Can I use cargo afl to fuzz not only the Rust code but also the C++ code? What would be required to do so?

To be honest, I'm not sure. Here are the flags that cargo-afl passes to rustc:

afl.rs/src/bin/cargo-afl.rs

Lines 277 to 283 in d0e5a6e

-C passes={passes} \
-C codegen-units=1 \
-C llvm-args=-sanitizer-coverage-level=3 \
-C llvm-args=-sanitizer-coverage-trace-pc-guard \
-C llvm-args=-sanitizer-coverage-prune-blocks=0 \
-C llvm-args=-sanitizer-coverage-trace-compares \
-C opt-level=3 \

I would imagine that if one could determine the corresponding flags for Clang and compile with them, then it would simply be a matter of linking in the resulting object files. But I would need to experiment with this to know for sure.

I'm sorry I can't be of more help right now.
