# Fuzzing the fidl host tools

Some notes on fuzzing the `system/host/fidl` parser using [afl-fuzz](http://lcamtuf.coredump.cx/afl/).

## Build afl-fuzz

Download and build it (`make` in the unpacked tree builds `afl-fuzz` and the `afl-clang`/`afl-clang++` compiler
wrappers), then:
```
export AFL_PATH=~/src/afl-2.41b/
```
using whatever path you downloaded and built it in. The steps below expect both `afl-fuzz` and the wrappers to be in
that directory.

## Patch the parser to not trap on invalid syntax

afl-fuzz records any run that dies on a signal as a crash, but the parser currently calls `__builtin_trap()` when it
encounters invalid syntax, which kills the process with SIGILL. Most mutated inputs are syntactically invalid, so with
the trap in place nearly every execution would be filed as a crash and any real bug would be buried. Remove that line
in [parser.h](../system/host/fidl/parser.h); it's in the `Parser::Fail()` method. This change is only for the fuzzing
build and should not be committed.

## Build the `fidl` tool with afl-fuzz's instrumentation

Clear any existing build and then build with the afl-fuzz compiler wrappers. The prebuilt clang directory goes first on
`PATH` so that the wrappers invoke that `clang`, and `$AFL_PATH` goes last so that `afl-clang` and `afl-clang++`
themselves can be found; `HOST_TOOLCHAIN_PREFIX=afl-` makes the host build use the wrappers instead of plain `clang`.

```
cd $ZIRCON_DIR
rm -fr build-x86
PATH=$PWD/prebuilt/downloads/clang+llvm-x86_64-linux/bin/:$PATH:$AFL_PATH make \
    build-x86/tools/fidl HOST_TOOLCHAIN_PREFIX=afl-
```
adjusting if you're not building on x86 Linux, etc. If afl-fuzz later refuses the binary with "No instrumentation
detected", the build did not go through the wrappers; check the `PATH` order and the prefix.

## Run the fuzzer

The parser includes some examples to use as inputs. As fidl becomes adopted we can expand our inputs to include all of
the different interfaces declared across our tree, but for now we use what's in `system/host/fidl/examples`.

```
$AFL_PATH/afl-fuzz -i system/host/fidl/examples -o fidl-fuzz-out build-x86/tools/fidl dump '@@'
```
afl-fuzz replaces `@@` with the path of each generated test case, so every execution runs `fidl dump` on one mutated
file. On Linux, afl-fuzz will refuse to start if `/proc/sys/kernel/core_pattern` pipes core dumps to an external
handler (crashes would be misreported as hangs); it prints the fix when that happens. Findings land in
`fidl-fuzz-out/crashes` and `fidl-fuzz-out/hangs`, and a finding can be reproduced by running
`build-x86/tools/fidl dump` on the saved file directly.

## Results

Running against the source from early May 2017, there were no crashes or hangs after two days of fuzzing on a fairly
fast machine, over more than 300 million executions.
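The whole procedure above as one POSIX shell script, added here as an example and not part of the original notes or
the Zircon tree. It adds the pre-flight checks that otherwise surface as afl-fuzz errors part-way through: the trap
is still in `Parser::Fail()`, the binary carries no instrumentation (the script repeats afl-fuzz's own test, which
looks for the `__AFL_SHM_ID` string that `afl-as` embeds in instrumented objects), `core_pattern` pipes to a handler,
or the seed directory has nothing usable. The script name `fuzz-fidl.sh`, the default paths and the function names
are assumptions; the `make` and `afl-fuzz` invocations are the ones from the text.

```shell
#!/bin/sh
# Added example (not part of the Zircon tree): the fidl fuzzing procedure as
# one script with pre-flight checks. Defaults below are assumptions taken from
# the notes; override them in the environment.

: "${ZIRCON_DIR:=$PWD}"
: "${AFL_PATH:=$HOME/src/afl-2.41b}"
: "${FIDL_BIN:=build-x86/tools/fidl}"
: "${SEED_DIR:=system/host/fidl/examples}"
: "${OUT_DIR:=fidl-fuzz-out}"

# Parser::Fail() calls __builtin_trap(), which afl-fuzz would file as a crash
# on every malformed input. Returns 0 once the call is gone from the header.
trap_removed() {
    [ -r "$1" ] && ! grep -q '__builtin_trap' "$1"
}

# afl-fuzz's own instrumentation test (check_binary in afl-fuzz.c) searches the
# target for the string "__AFL_SHM_ID" that afl-as embeds in every
# instrumented object. Returns 0 if the binary carries it.
afl_instrumented() {
    grep -q '__AFL_SHM_ID' "$1"
}

# afl-fuzz refuses to start when core dumps go to an external handler (a
# core_pattern starting with '|'): the handler delays the signal and crashes
# get misreported as hangs. The file is a parameter so the check can be run
# against a constructed copy.
core_pattern_ok() {
    pattern=$(cat "$1") || return 1
    case "$pattern" in
        '|'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# afl-fuzz silently skips empty seeds and aborts on any seed over 1 MiB (its
# MAX_FILE). Prints the number of usable seeds; returns 1 if there are none
# or if an oversized one is present.
seed_count() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        [ "$size" -gt 0 ] || continue
        if [ "$size" -gt 1048576 ]; then
            echo "seed $f is larger than 1 MiB" >&2
            return 1
        fi
        n=$((n + 1))
    done
    echo "$n"
    [ "$n" -gt 0 ]
}

main() {
    cd "$ZIRCON_DIR" || exit 1
    [ -x "$AFL_PATH/afl-fuzz" ] || { echo "no afl-fuzz in $AFL_PATH" >&2; exit 1; }
    if [ -r /proc/sys/kernel/core_pattern ]; then
        core_pattern_ok /proc/sys/kernel/core_pattern ||
            { echo "core_pattern pipes to a handler; as root: echo core >/proc/sys/kernel/core_pattern" >&2; exit 1; }
    fi
    trap_removed system/host/fidl/parser.h ||
        { echo "remove __builtin_trap() from Parser::Fail() in parser.h first" >&2; exit 1; }
    seed_count "$SEED_DIR" >/dev/null || { echo "no usable seeds in $SEED_DIR" >&2; exit 1; }

    # Build step from the notes: prebuilt clang first so the afl wrappers use
    # it, AFL_PATH last so afl-clang/afl-clang++ resolve.
    rm -fr build-x86
    PATH="$PWD/prebuilt/downloads/clang+llvm-x86_64-linux/bin:$PATH:$AFL_PATH" \
        make build-x86/tools/fidl HOST_TOOLCHAIN_PREFIX=afl- || exit 1
    afl_instrumented "$FIDL_BIN" ||
        { echo "$FIDL_BIN has no afl instrumentation; check PATH order and HOST_TOOLCHAIN_PREFIX" >&2; exit 1; }

    exec "$AFL_PATH/afl-fuzz" -i "$SEED_DIR" -o "$OUT_DIR" "$FIDL_BIN" dump '@@'
}

# Run everything only when invoked as fuzz-fidl.sh; sourcing the file just
# defines the functions so they can be used one at a time.
case "$0" in
    */fuzz-fidl.sh|fuzz-fidl.sh) main "$@" ;;
esac
```

Run it from the Zircon checkout as `./fuzz-fidl.sh`, or source it and call `afl_instrumented build-x86/tools/fidl`
on its own to confirm a build went through the wrappers before committing two days of machine time to it.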