Glossary

Naming things is hard, so this page tries to reduce confusion around fuzzing-related terminology.

Corpus

Or test corpus, or fuzzing corpus.
A set of test inputs. In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage.

Cross-pollination

The term is taken from botany, where one plant pollinates a plant of another variety. In fuzzing, cross-pollination means using the corpus of one fuzz target to expand the corpus of another fuzz target. For example, if two libraries process the same common data format, it is often beneficial to cross-pollinate their respective corpora.

Dictionary

A file which specifies interesting tokens for a fuzz target. Most fuzzing engines support dictionaries, and will adjust their mutation strategies to process these tokens together.

Fuzz Target

Or Target Function, or Fuzzing Target Function, or Fuzzing Entry Point.
A function to which we apply fuzzing. A specific signature is required for OSS-Fuzz. Examples: openssl, re2, SQLite.
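As an added example (not code from the OSS-Fuzz docs or any of the projects named above), a minimal fuzz target in C using the libFuzzer entry-point signature that OSS-Fuzz expects; `parse_record` is a hypothetical function standing in for the library code a real target would wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical code under test: parses a "key=value" record with a
 * bounded key length. Stands in for the library a real fuzz target wraps. */
#define MAX_KEY 16
int parse_record(const uint8_t *data, size_t size, char key_out[MAX_KEY + 1]) {
    const uint8_t *eq = memchr(data, '=', size);
    if (eq == NULL) return -1;                        /* no separator: reject */
    size_t key_len = (size_t)(eq - data);
    if (key_len == 0 || key_len > MAX_KEY) return -1; /* bounds check on key */
    memcpy(key_out, data, key_len);
    key_out[key_len] = '\0';
    return 0;
}

/* The fuzz target: the entry point the fuzzing engine calls once per test
 * input. This is the signature libFuzzer (and therefore OSS-Fuzz) expects.
 * It must return 0; bugs surface as crashes or sanitizer reports inside the
 * code under test, not through the return value. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    char key[MAX_KEY + 1];
    (void)parse_record(data, size, key);  /* result intentionally ignored */
    return 0;                             /* non-zero values are reserved */
}

/* Stand-alone driver (hypothetical): replays each file named on the command
 * line through the target, which is how a reproducer is re-run without the
 * fuzzing engine. Compile with -DFUZZING when linking against libFuzzer,
 * which supplies its own main(). */
#ifndef FUZZING
int main(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        uint8_t buf[4096];
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: ok\n", argv[i]);
    }
    return 0;
}
#endif
```

Inputs that make `parse_record` misbehave would be saved by the engine as reproducers; the seed corpus and dictionary for this target would contain well-formed records and the `=` token respectively.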

Fuzzer

The most overloaded term, used in a variety of contexts, which makes it ambiguous. Depending on the context, "Fuzzer" may refer to a fuzz target, a fuzzing engine, a mutation engine, a test generator or a fuzzer build.

Fuzzer Build

A build that contains all the fuzz targets for a given project, which is run with a specific fuzzing engine, in a specific build mode (e.g. with enabled/disabled assertions), and optionally combined with a sanitizer. In OSS-Fuzz, it is also known as a job type.

Fuzzing Engine

A tool that tries to find interesting inputs for a fuzz target by executing it. Examples: libFuzzer, AFL, honggfuzz, etc.

See related terms Mutation Engine and Test Generator.

Mutation Engine

A tool that takes a set of test cases as input and creates mutated versions of them. It is only a generator and does not feed the mutations to a fuzz target. Example: radamsa (a generic test mutator).

Reproducer

Or Test Case.
A test input that can be used to reproduce a bug when processed by a fuzz target.

Sanitizer

A dynamic testing tool that can detect bugs during program execution. Examples: ASan, DFSan, LSan, MSan, TSan, UBSan.

Seed Corpus

A small initial corpus prepared with the intent of providing initial coverage for fuzzing. Rather than being created by the fuzzers themselves, seed corpora are often prepared from existing test inputs or may be hand-crafted to provide interesting coverage. They are often checked into source alongside fuzz targets.

Test Generator

A tool that generates testcases from scratch according to some rules or grammar. Examples: csmith (a test generator for C language), cross_fuzz (a cross-document DOM binding test generator).

Test Input

A sequence of bytes that is used as input to a fuzz target. Typically, a test input is stored in a separate file.