CPython-AST-Fuzzer

A toy project for Python interpreter fuzzing using AST mutators based on LibFuzzer

Primary language: C. License: MIT.

pyFuzzer

A toy project for Python interpreter fuzzing using AST-based mutators, built on LibFuzzer.
Started in SEFCOM.

Requirements

  • nix-shell
  • git for pulling the source code
  • python for code generation

How to build

./build.sh

arguments:

  • -p / --cpython forces a re-clone, re-patch and rebuild of CPython
  • -f / --force forces regeneration of all generated (codegen) code, re-runs the cmake configure step and rebuilds
  • --clear removes all cache directories
  • -j <core> / --jobs <core> equivalent to make -j<core>

How to run

./main.sh

arguments:

  • -c / --clean removes all log directories
  • -d / --debug writes to stdout instead of redirecting into the log file
  • --cov generates a coverage report using llvm-cov
  • -r <turns> / --runs <turns> equivalent to libFuzzer -runs=<turns>
  • -l / --last-case loads the most recent corpus saved under the log folder as the dummy AST instead of the plain AST

Executing every known crash

./check.sh

Type hints for VS Code

./gen_hints.sh

Design

See pipline.md.
For the list of mutators, check mutators.h.
My goal is to recover the motivation samples in pipline.md and find more similar bugs.
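To make the mutate-then-execute loop concrete, here is an added illustration written in plain Python (not the project's own C code, which drives an instrumented CPython through libFuzzer): a small mutator list in the spirit of mutators.h, a harness that compiles and executes each mutated AST, and a loop that chains mutations from a constructed seed program. Python-level exceptions are treated as expected noise; a real crash would be a hard interpreter fault that the fuzzer driver records.

```python
import ast
import copy
import random

# Constructed seed program (not from the project): the fuzzer starts from a
# plain or "dummy" AST like this one and mutates it over many runs.
SEED_SOURCE = "x = 1\ny = x + 2\nz = [y, x] * 3\nprint(len(z) - y)\n"
MUTATIONS = ("swap_binop", "replace_const", "negate_operand", "drop_stmt")
_BINOPS = (ast.Add, ast.Sub, ast.Mult, ast.FloorDiv, ast.BitOr, ast.LShift)
_CONSTS = (0, -1, 255, 2 ** 63)  # boundary values that stress integer paths

def mutate(tree, rng, kind=None):
    """Apply one mutation (random unless `kind` is given) to a copy of `tree`."""
    tree = copy.deepcopy(tree)
    kind = kind or rng.choice(MUTATIONS)
    binops = [n for n in ast.walk(tree) if isinstance(n, ast.BinOp)]
    if kind == "swap_binop" and binops:
        rng.choice(binops).op = rng.choice(_BINOPS)()  # e.g. x + 2 -> x << 2
    elif kind == "replace_const":
        ints = [n for n in ast.walk(tree)
                if isinstance(n, ast.Constant) and type(n.value) is int]
        if ints:
            rng.choice(ints).value = rng.choice(_CONSTS)
    elif kind == "negate_operand" and binops:
        node = rng.choice(binops)
        node.left = ast.UnaryOp(op=ast.USub(), operand=node.left)  # -[y, x] * 3
    elif kind == "drop_stmt" and len(tree.body) > 1:
        del tree.body[rng.randrange(len(tree.body))]  # may leave a name unbound
    return ast.fix_missing_locations(tree), kind

def run_case(tree):
    """Compile and run one AST. Python exceptions are expected noise; only a hard
    interpreter crash (segfault, abort) would escape, which is what libFuzzer logs."""
    try:
        code = compile(tree, "<fuzz>", "exec")
    except (SyntaxError, ValueError, TypeError, RecursionError):
        return "compile-error"
    try:
        exec(code, {"__builtins__": {"len": len, "print": lambda *a, **k: None}})
    except Exception:
        return "runtime-error"
    return "ok"

def fuzz(source, runs, seed=0):
    """Chain `runs` mutations from the seed (like -runs=<turns>); count outcomes."""
    rng = random.Random(seed)
    tree = ast.parse(source)
    stats = {}
    for _ in range(runs):
        tree, _kind = mutate(tree, rng)
        result = run_case(tree)
        stats[result] = stats.get(result, 0) + 1
    return stats
```

The real project applies the same idea at the C level against an instrumented interpreter, where libFuzzer's coverage feedback decides which mutated ASTs are worth keeping.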

TODO

  • Use Atheris to extend the target modules beyond the builtins (Atheris only supports Python <= 3.11 so far)
  • Free unneeded ASTs at the appropriate time
  • Add more guidance to mutator selection instead of pure randomness
  • More mutators, better performance
  • Automatic documentation parsing
  • Is there any way to enable the corpus?
  • More depth (it's only 2 right now)
  • Multiple-inheritance class support (risk of conflicting classes)