Hi,
I’m creating a simple GTK 4 fuzzer - GitHub - qarmin/GtkFuzzer: Simple GTK Fuzzer
For now I’m only able to test functions which have 0 arguments.
How can I get info about functions arguments?
E.g. there is a function which takes 3 arguments, function(a,b,c)
- how can I check what type of arguments this function expects?
My recommendation would be to use the introspection data generated by GTK, but:
- if you don’t know how to write a fuzzer for any generic API, then you might have a problem, and I’d recommend you learn more about the C ABI
- do not run your fuzzer on GTK: it’s pointless. GTK has too much internal state that depends on the state of the windowing system
- GTK follows a strict “garbage in, garbage out” policy; we validate the arguments of public API, and we assert on internal state; sending random garbage into the public API is just going to result in a critical warning and undefined behaviour
You may want to fuzz specific parts of the GTK internals, like the GtkBuilder XML parser; or the icon theme cache parser. That requires knowledge of the internals of the library.
Once one gets into this I think it becomes more of a fuzzer in general for gobject introspection APIs and less about GTK. Personally I’ve noticed some “low-hanging fruit” for bugs there:
- Incorrect/missing asserts on the type of arguments
- Incorrect/missing null checks
- Object/Boxed/String/etc properties that don’t handle null correctly
- Inconsistent transfer and nullable annotations
So maybe those could be an area to start with. It may be possible to make this work by using g_log_set_handler to trigger a test fail if a critical error is printed. I don’t know how you would handle the case of memory leaks, possibly you could try to call the unref or free function twice and fail if it doesn’t trigger a crash.
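An added example, not part of the original thread and not code from GtkFuzzer or GTK, showing in Python how the introspection data recommended in the first reply answers the original question (what types a function's arguments have), and how the nullable and transfer annotations named in the second reply turn into concrete fuzz cases. The GIR snippet is hand-constructed in the layout of a real Gtk-4.0.gir file; gtk_example_three is a hypothetical function, and gtk_label_set_text is reduced to the parts the parser needs.

```python
"""Read callable signatures from GObject-Introspection GIR XML and derive
null-argument fuzz cases from the nullable/transfer annotations.

Added example; it is not GtkFuzzer's or GTK's code.  The GIR text below is
constructed by hand in the shape of the installed Gtk-4.0.gir (normally
found under /usr/share/gir-1.0/); gtk_example_three is hypothetical.
"""
import xml.etree.ElementTree as ET

CORE_NS = "http://www.gtk.org/introspection/core/1.0"
C_NS = "http://www.gtk.org/introspection/c/1.0"
NS = {"core": CORE_NS, "c": C_NS}

# Constructed sample input (same element/attribute names as a real .gir).
SAMPLE_GIR = """<?xml version="1.0"?>
<repository version="1.2"
            xmlns="http://www.gtk.org/introspection/core/1.0"
            xmlns:c="http://www.gtk.org/introspection/c/1.0">
  <namespace name="Gtk" version="4.0" c:identifier-prefixes="Gtk">
    <class name="Label" c:type="GtkLabel" parent="Widget">
      <method name="set_text" c:identifier="gtk_label_set_text">
        <return-value transfer-ownership="none"><type name="none" c:type="void"/></return-value>
        <parameters>
          <instance-parameter name="self" transfer-ownership="none">
            <type name="Label" c:type="GtkLabel*"/>
          </instance-parameter>
          <parameter name="str" transfer-ownership="none">
            <type name="utf8" c:type="const char*"/>
          </parameter>
        </parameters>
      </method>
    </class>
    <function name="example_three" c:identifier="gtk_example_three">
      <return-value transfer-ownership="full"><type name="utf8" c:type="char*"/></return-value>
      <parameters>
        <parameter name="a" transfer-ownership="none"><type name="gint" c:type="int"/></parameter>
        <parameter name="b" transfer-ownership="none" nullable="1"><type name="Widget" c:type="GtkWidget*"/></parameter>
        <parameter name="c" transfer-ownership="full"><type name="utf8" c:type="char*"/></parameter>
      </parameters>
    </function>
  </namespace>
</repository>
"""


def _param(el):
    """Flatten one <parameter>/<instance-parameter> into a dict."""
    t = el.find("core:type", NS)
    return {
        "name": el.get("name"),
        "gi_type": t.get("name") if t is not None else None,
        "c_type": t.get("{%s}type" % C_NS) if t is not None else None,
        "nullable": el.get("nullable") == "1",
        "transfer": el.get("transfer-ownership", "none"),
        "instance": el.tag == "{%s}instance-parameter" % CORE_NS,
    }


def load_callables(gir_xml):
    """Map C identifier -> {params, return_transfer} for every function/method."""
    root = ET.fromstring(gir_xml)
    wanted = ("{%s}function" % CORE_NS, "{%s}method" % CORE_NS)
    out = {}
    for el in root.iter():
        if el.tag not in wanted:
            continue
        cid = el.get("{%s}identifier" % C_NS)
        params = el.find("core:parameters", NS)
        rv = el.find("core:return-value", NS)
        out[cid] = {
            "params": [_param(p) for p in params] if params is not None else [],
            "return_transfer": rv.get("transfer-ownership") if rv is not None else None,
        }
    return out


def c_signature(callables, cid):
    """Render the C-level signature, with the annotations a fuzzer must honour."""
    parts = []
    for p in callables[cid]["params"]:
        s = "%s %s" % (p["c_type"], p["name"])
        if p["nullable"]:
            s += " /* nullable */"
        if p["transfer"] != "none":
            s += " /* transfer %s */" % p["transfer"]
        parts.append(s)
    return "%s(%s)" % (cid, ", ".join(parts))


def null_cases(callables):
    """One case per pointer parameter, passing NULL there.

    A nullable parameter must be accepted; a non-nullable one must be
    rejected by the library's argument validation (a critical warning),
    never by a crash.  Either other outcome is a finding of the kind the
    second reply lists (missing null check or wrong nullable annotation).
    """
    cases = []
    for cid, info in callables.items():
        for i, p in enumerate(info["params"]):
            if not (p["c_type"] and p["c_type"].endswith("*")):
                continue
            cases.append({"function": cid, "index": i, "null_param": p["name"],
                          "expect": "accept" if p["nullable"] else "critical"})
    return cases


if __name__ == "__main__":
    cs = load_callables(SAMPLE_GIR)
    for cid in cs:
        print(c_signature(cs, cid), "-> return transfer", cs[cid]["return_transfer"])
    for case in null_cases(cs):
        print(case)
```

The `return_transfer` field matters for the leak question raised above: a `transfer full` return value is the caller's to free, while an argument passed with `transfer full` is owned by the callee afterwards and must not be freed again by the fuzzer. When the generated cases are executed against the real library, the "critical" expectation can be enforced by running with `G_DEBUG=fatal-criticals`, which makes a failed `g_return_if_fail` abort the process and gives the same effect as the `g_log_set_handler` approach suggested in the reply.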