docs: book: add a page about fuzzing

Link to the oss-fuzz configuration and build dashboard. BUG=None TEST=(cd docs/book; mdbook build) Change-Id: Id87fad6eb5002492b92405a216b57d43fa43bed2 Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/4669511 Reviewed-by: Dennis Kempin <denniskempin@google.com> Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
2024-11-25 13:23:08 +00:00 · 2023-07-06 10:51:45 -07:00 · 2023-07-06 10:51:45 -07:00 · 9754eb6222
commit 9754eb6222
parent 0e53e19523
2 changed files with 43 additions and 0 deletions
--- a/docs/book/src/SUMMARY.md
+++ b/docs/book/src/SUMMARY.md
@ -13,6 +13,7 @@
  - [Features](./running_crosvm/features.md)
  - [Programmatic Interaction](./running_crosvm/programmatic_interaction.md)
 - [Testing](./testing/index.md)
+  - [Fuzzing](./testing/fuzzing.md)
 - [Devices](./devices/index.md)
  - [Block](./devices/block.md)
  - [Network](./devices/net.md)
--- a/docs/book/src/testing/fuzzing.md
+++ b/docs/book/src/testing/fuzzing.md
@ -0,0 +1,42 @@
+# Fuzzing
+
+Crosvm contains several [fuzz testing](https://en.wikipedia.org/wiki/Fuzzing) programs that are
+intended to exercise specific subsets of the code with automatically generated inputs to help
+uncover bugs that were not found by human-written unit tests.
+
+The source code for the fuzzer target programs can be found in [`fuzz/fuzz_targets`] in the crosvm
+source tree.
+
+## OSS-Fuzz
+
+Crosvm makes use of the OSS-Fuzz service, which automatically builds and runs fuzzers for many open
+source projects. Once a crosvm change is committed and pushed to the main branch, it will be tested
+automatically by [ClusterFuzz], and if new issues are found, a bug will be filed.
+
+- [crosvm oss-fuzz configuration]
+- [crosvm oss-fuzz build status]
+
+## Running fuzzers locally
+
+It can be useful to run a fuzzer in order to test new changes locally or to reproduce a bug filed by
+ClusterFuzz.
+
+To build and run a specific fuzz target, install [`cargo fuzz`], then run it in the crosvm source
+tree, specifying the desired fuzz target to run. If you have a testcase provided by the automated
+fuzzing infrastructure in a bug report, you can add that file to the fuzzer command line to
+reproduce the same fuzzer execution rather than using randomly generating inputs.
+
+```sh
+# Run virtqueue_fuzzer with randomly-generated input.
+# This will run indefinitely; it can be stopped with Ctrl+C.
+cargo +nightly fuzz run virtqueue_fuzzer
+
+# Run virtqueue_fuzzer with a specific input file from ClusterFuzz.
+cargo +nightly fuzz run virtqueue_fuzzer clusterfuzz-testcase-minimized-...
+```
+
+[clusterfuzz]: https://google.github.io/clusterfuzz/
+[crosvm oss-fuzz build status]: https://oss-fuzz-build-logs.storage.googleapis.com/index.html#crosvm
+[crosvm oss-fuzz configuration]: https://github.com/google/oss-fuzz/tree/master/projects/crosvm
+[`cargo fuzz`]: https://github.com/rust-fuzz/cargo-fuzz
+[`fuzz/fuzz_targets`]: https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/fuzz/fuzz_targets/