How to use libFuzzer to test GUI applications #20

Open
NikParam42 opened this issue Nov 8, 2019 · 3 comments

Comments

@NikParam42

NikParam42 commented Nov 8, 2019

How can I test Qt GUI applications that do not accept data or files from the command line?

Will libFuzzer work with processes started by the program we submit to libFuzzer (for coverage tracking)?

wrapper (manages UI and data transfer) starts -> MyGUIapplication

and use it like: ./wrapper

I really need advice or any suggestions.

@NikParam42 NikParam42 changed the title How to use lIBFUZZER to test GUI applications How to use libFuzzer to test GUI applications Nov 8, 2019
@kcc
Contributor

kcc commented Nov 8, 2019

First, libFuzzer is an in-process fuzzing engine; it doesn't work across processes out of the box.
(It can be done, but we don't have ready-to-use examples.)

You can try linking your GUI library with a libFuzzer-style fuzz target.
I.e. instead of your main() function you need to implement LLVMFuzzerTestOneInput()
and link it against the rest of your code.
Then, you need to treat the input bytes passed to LLVMFuzzerTestOneInput
as a sequence of GUI events that you want your application to receive.
This would be a flavor of structure-aware fuzzing.
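
An added example of the target shape described in the comment above (this code is not from the issue or the libFuzzer project): the raw input bytes are decoded as a fixed-width sequence of GUI events and replayed against a widget stand-in. `GuiEvent`, the 3-byte record layout and `TextBox` are assumptions made for the example; a real target would deliver the same decoded events to the Qt widget instead of a struct.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Event vocabulary (constructed for this example): fixed 3-byte records.
enum class EventKind : uint8_t { Click = 0, Key = 1, Resize = 2 };
struct GuiEvent {
    EventKind kind;
    uint8_t a;  // Click: x   Key: character   Resize: width
    uint8_t b;  // Click: y   Key: modifiers   Resize: height
};

// Decode raw fuzzer bytes into events. Unknown kinds are folded into the valid
// range and a trailing partial record is dropped, so no input is rejected and
// the fuzzer spends its budget on event orderings rather than on decoding.
std::vector<GuiEvent> decodeEvents(const uint8_t *data, size_t size) {
    std::vector<GuiEvent> events;
    for (size_t i = 0; i + 3 <= size; i += 3)
        events.push_back({static_cast<EventKind>(data[i] % 3), data[i + 1], data[i + 2]});
    return events;
}

// Hypothetical stand-in for the widget under test; a real target would forward
// each event to the Qt widget (e.g. via QCoreApplication::sendEvent) instead.
struct TextBox {
    int width = 80, height = 24;
    bool focused = false;
    std::string text;
    void handle(const GuiEvent &e) {
        switch (e.kind) {
        case EventKind::Click:  focused = e.a < width && e.b < height; break;
        case EventKind::Key:    if (focused) text.push_back(static_cast<char>(e.a)); break;
        case EventKind::Resize: width = e.a; height = e.b; break;
        }
    }
};

// Replay the decoded events on a fresh widget and return the resulting text.
std::string replayText(const uint8_t *data, size_t size) {
    TextBox box;  // fresh state per input: nothing carries over between runs
    for (const GuiEvent &e : decodeEvents(data, size)) box.handle(e);
    return box.text;
}

// libFuzzer entry point: takes the place of main() and is linked with the app.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    replayText(data, size);
    return 0;
}

// Constructed sample: a key before any click (ignored), a click that focuses
// the box, keys 'h' and 'i', a resize to 3x3, key 'x', and a stray trailing byte.
const uint8_t kSampleInput[] = {1, 'z', 0, 0, 5, 5, 1, 'h', 0, 1, 'i', 0, 2, 3, 3, 1, 'x', 0, 9};
const size_t kSampleInputLen = sizeof(kSampleInput);
```

Build it with `clang++ -fsanitize=fuzzer,address` in place of the application's main() and libFuzzer will mutate the byte stream, which here means mutating the order and parameters of the events the widget receives.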

@JulianVolodia

Hi! I have a Qt-based project in front of me, but the interaction is quite difficult to implement and wouldn't fuzz Qt functions at all.
So, having said that, would it be OK not to fuzz the GUI lib or the main app, but instead write a fuzz target which uses the library as a backend and does the same thing a user would do (read the data provided to the fuzz target and treat it as a file, change it, save the 'file' in memory after allocation and try to reopen it) using the lib/backend primitives, like the complete app?

@JulianVolodia

Referring to https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#global-state

It may not be possible in every case (strictly speaking, even calling malloc() modifies a global state).

What is the pro tip for some justAnotherSaveAs() not to touch global state?

My only idea is to use some in-memory fd mockup (which will depend on malloc(), unfortunately) and call each part of the function decomposition in the fuzz target.

That is heavily case-dependent, but maybe you remember some example where it was problematic and I could learn from that sample.
