feat(test): add fuzzing test with libFuzzer

MDLZCOOL · MDLZCOOL · commit c0a3c9fc9a64 · 2026-02-21T23:12:44.000+08:00
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
@@ -0,0 +1,53 @@
+name: Fuzzing
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  fuzz_test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install build tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y clang llvm cmake ninja-build
+
+      - name: Configure fuzz target
+        run: |
+          cmake -S . -B build-fuzz -G Ninja \
+            -DCTSHELL_ENABLE_FUZZING=ON \
+            -DCONFIG_CTSHELL_PORT_POSIX=ON \
+            -DCMAKE_C_COMPILER=clang
+
+      - name: Build fuzz target
+        run: cmake --build build-fuzz --target ctshell_fuzz
+
+      - name: Run fuzz and collect profile
+        run: |
+          LLVM_PROFILE_FILE="ctshell.profraw" ./build-fuzz/ctshell_fuzz \
+            -max_total_time=599
+
+      - name: Generate coverage report
+        run: |
+          llvm-profdata merge -sparse ctshell.profraw -o ctshell.profdata
+          llvm-cov show ./build-fuzz/ctshell_fuzz \
+            -instr-profile=ctshell.profdata \
+            -format=html \
+            -output-dir=coverage_report
+
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-coverage-report.zip
+          path: coverage_report
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -8,6 +8,8 @@ set(ctshell_incs
 
 set(CTSHELL_DEFINITIONS "")
 
+option(CTSHELL_ENABLE_FUZZING "Enable libFuzzer based fuzz testing" OFF)
+
 if(ESP_PLATFORM)
     set(CONFIG_CTSHELL_PORT_ESP32 1)
 endif()
@@ -64,4 +66,32 @@ if(ESP_PLATFORM)
     target_link_libraries(${COMPONENT_LIB} INTERFACE "-T ${CMAKE_CURRENT_SOURCE_DIR}/port/esp32/ctshell_cmd.ld")
 else()
     set(CTSHELL_DEFINITIONS ${CTSHELL_DEFINITIONS} CACHE INTERNAL "ctshell definitions")
+
+    if(CTSHELL_ENABLE_FUZZING)
+        if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+            set(CTSHELL_FUZZ_TARGET ctshell_fuzz)
+            set(CTSHELL_FUZZ_SRC "${CMAKE_CURRENT_SOURCE_DIR}/test/fuzz/ctshell_fuzz.c")
+            add_executable(${CTSHELL_FUZZ_TARGET}
+                    ${CTSHELL_FUZZ_SRC}
+                    ${ctshell_srcs}
+            )
+            target_include_directories(${CTSHELL_FUZZ_TARGET} PRIVATE ${ctshell_incs})
+            target_compile_definitions(${CTSHELL_FUZZ_TARGET} PRIVATE ${CTSHELL_DEFINITIONS})
+            target_compile_options(${CTSHELL_FUZZ_TARGET} PRIVATE
+                    -fsanitize=fuzzer,address
+                    -fprofile-instr-generate
+                    -fcoverage-mapping
+                    -g
+                    -O1
+                    -mllvm
+                    -asan-globals=0
+            )
+            target_link_options(${CTSHELL_FUZZ_TARGET} PRIVATE
+                    -fsanitize=fuzzer,address
+                    -fprofile-instr-generate
+            )
+        else()
+            message(FATAL_ERROR "Fuzzing requires Clang compiler. Run with: CC=clang cmake ..")
+        endif()
+    endif()
 endif()
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # ctshell
 
-[![readthedocs](https://img.shields.io/readthedocs/ctshell)](https://ctshell.readthedocs.io/en/latest/) [![license](https://img.shields.io/github/license/MDLZCOOL/ctshell)](https://github.com/MDLZCOOL/ctshell/blob/main/LICENSE)
+[![readthedocs](https://img.shields.io/readthedocs/ctshell)](https://ctshell.readthedocs.io/en/latest/) [![build test](https://github.com/MDLZCOOL/ctshell/actions/workflows/build_test.yml/badge.svg)](https://github.com/MDLZCOOL/ctshell/actions?query=workflow%3A%22Build+Test%22) [![fuzz test](https://github.com/MDLZCOOL/ctshell/actions/workflows/fuzzing.yml/badge.svg)](https://github.com/MDLZCOOL/ctshell/actions?query=workflow%3AFuzzing) [![license](https://img.shields.io/github/license/MDLZCOOL/ctshell)](https://github.com/MDLZCOOL/ctshell/blob/main/LICENSE)
 
 Ctshell is a low-overhead shell designed specifically for resource-constrained embedded systems.
 
diff --git a/test/fuzz/ctshell_fuzz.c b/test/fuzz/ctshell_fuzz.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2026, MDLZCOOL
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include <stdlib.h>
+#include "ctshell.h"
+
+static void dummy_shell_write(const char *str, uint16_t len, void *p) {
+    CTSHELL_UNUSED_PARAM(str);
+    CTSHELL_UNUSED_PARAM(len);
+    CTSHELL_UNUSED_PARAM(p);
+}
+
+static uint32_t dummy_get_tick(void) {
+    static uint32_t tick = 0;
+    return tick++;
+}
+
+static int cmd_fuzz_complex(int argc, char *argv[]) {
+    ctshell_arg_parser_t parser;
+    ctshell_args_init(&parser, argc, argv);
+    ctshell_expect_int(&parser, "-i", "--int");
+    ctshell_expect_str(&parser, "-s", "--str");
+    ctshell_expect_bool(&parser, "-v", "--verbose");
+    ctshell_expect_verb(&parser, "start");
+    ctshell_expect_verb(&parser, "stop");
+#ifdef CONFIG_CTSHELL_USE_DOUBLE
+    ctshell_expect_double(&parser, "-d", "--double");
+#endif
+    ctshell_args_parse(&parser);
+    int i_val = ctshell_get_int(&parser, "-i");
+    char *s_val = ctshell_get_str(&parser, "-s");
+    int b_val = ctshell_get_bool(&parser, "-v");
+
+    CTSHELL_UNUSED_PARAM(i_val);
+    CTSHELL_UNUSED_PARAM(s_val);
+    CTSHELL_UNUSED_PARAM(b_val);
+
+    return 0;
+}
+CTSHELL_EXPORT_CMD(fuzz, cmd_fuzz_complex, "Fuzz complex args parsing", CTSHELL_ATTR_NONE);
+
+/*
+ * 注册根菜单: "net"
+ * func=NULL, attr=MENU, 这是一个纯容器
+ */
+CTSHELL_EXPORT_CMD(net, NULL, "Network tools", CTSHELL_ATTR_MENU);
+
+/*
+ * 注册二级具体命令: "net ip"
+ * parent="net", 挂载在 net 下
+ * 这是一个叶子节点，输入 "net ip" 直接执行
+ */
+int cmd_net_ip(int argc, char *argv[]) {
+    ctshell_printf("IP Address : 192.168.1.100\r\n");
+    ctshell_printf("Subnet Mask: 255.255.255.0\r\n");
+    return 0;
+}
+CTSHELL_EXPORT_SUBCMD(net, ip, cmd_net_ip, "Show IP address");
+
+/*
+ * 注册二级菜单容器: "net wifi"
+ * parent="net"
+ * func=NULL, 这是一个纯容器
+ */
+CTSHELL_EXPORT_SUBCMD(net, wifi, NULL, "WiFi management");
+
+/*
+ * 注册三级具体命令: "net wifi connect"
+ * parent="net_wifi", 注意：父节点名是前两级名称的拼接 (net + _ + wifi)
+ */
+int cmd_wifi_connect(int argc, char *argv[]) {
+    ctshell_arg_parser_t parser;
+    ctshell_args_init(&parser, argc, argv);
+
+    // 定义参数: -s <ssid> 和 -p <password>
+    ctshell_expect_str(&parser, "-s", "ssid");
+    ctshell_expect_str(&parser, "-p", "password");
+
+    ctshell_args_parse(&parser);
+
+    if (ctshell_has(&parser, "ssid") && ctshell_has(&parser, "password")) {
+        char *ssid = ctshell_get_str(&parser, "ssid");
+        char *pwd  = ctshell_get_str(&parser, "password");
+
+        ctshell_printf("Connecting to %s (Key: %s)...\r\n", ssid, pwd);
+    } else {
+        ctshell_printf("Usage: net wifi connect -s <ssid> -p <password>\r\n");
+    }
+    return 0;
+}
+CTSHELL_EXPORT_SUBCMD(net_wifi, connect, cmd_wifi_connect, "Connect to AP");
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size > 4096) {
+        return 0;
+    }
+
+    ctshell_ctx_t ctx;
+    memset(&ctx, 0, sizeof(ctx));
+    ctshell_io_t io = {
+            .write = dummy_shell_write,
+            .get_tick = dummy_get_tick,
+    };
+    ctshell_init(&ctx, io, NULL);
+    for (size_t i = 0; i < size; i++) {
+        ctshell_input(&ctx, (char)data[i]);
+        ctshell_poll(&ctx);
+    }
+    ctshell_poll(&ctx);
+    return 0;
+}
