No setup needed. Let our cloud agents run this skill for you.
Select Provider
Select Model
Claude Sonnet 4.5
$0.20/task
Best for coding tasks
No setup required
cargo-fuzz
cargo-fuzz is the de facto choice for fuzzing Rust projects when using Cargo. It uses libFuzzer as the backend and provides a convenient Cargo subcommand that automatically enables relevant compilation flags for your Rust project, including support for sanitizers like AddressSanitizer.
When to Use
cargo-fuzz is currently the primary and most mature fuzzing solution for Rust projects using Cargo.
Fuzzer
Best For
Complexity
cargo-fuzz
Cargo-based Rust projects, quick setup
Low
AFL++
Multi-core fuzzing, non-Cargo projects
Medium
LibAFL
Custom fuzzers, research, advanced use cases
High
Choose cargo-fuzz when:
Your project uses Cargo (required)
You want simple, quick setup with minimal configuration
You need integrated sanitizer support
You're fuzzing Rust code with or without unsafe blocks
#![no_main]use libfuzzer_sys::fuzz_target;fn harness(data: &[u8]) { // 1. Validate input size if needed if data.is_empty() { return; } // 2. Call target function with fuzz data your_project::target_function(data);}fuzz_target!(
Harness Rules
Do
Don't
Structure code as library crate
Keep everything in main.rs
Use fuzz_target! macro
Write custom main function
Handle Result::Err gracefully
Panic on expected errors
Keep harness deterministic
Use random number generators
See Also: For detailed harness writing techniques and structure-aware fuzzing with the
arbitrary crate, see the fuzz-harness-writing technique skill.
Structure-Aware Fuzzing
cargo-fuzz integrates with the arbitrary crate for structure-aware fuzzing:
// In your library crateuse arbitrary::Arbitrary;#[derive(Debug, Arbitrary)]pub struct Name { data: String}
// In your fuzz target#![no_main]use libfuzzer_sys::fuzz_target;fuzz_target!(|data: your_project::Name| { data.check_buf();});
Add to your library's Cargo.toml:
[dependencies]arbitrary = { version = "1", features = ["derive"] }
Running Campaigns
Basic Run
cargo +nightly fuzz run fuzz_target_1
Without Sanitizers (Safe Rust)
If your project doesn't use unsafe Rust, disable sanitizers for 2x performance boost:
cargo +nightly fuzz run --sanitizer none fuzz_target_1
Check if your project uses unsafe code:
cargo install cargo-geigercargo geiger
Re-executing Test Cases
# Run a specific test case (e.g., a crash)cargo +nightly fuzz run fuzz_target_1 fuzz/artifacts/fuzz_target_1/crash-<hash># Run all corpus entries without fuzzingcargo +nightly fuzz run fuzz_target_1 fuzz/corpus/fuzz_target_1 -- -runs=0
Using Dictionaries
cargo +nightly fuzz run fuzz_target_1 -- -dict=./dict.dict
Interpreting Output
Output
Meaning
NEW
New coverage-increasing input discovered
pulse
Periodic status update
INITED
Fuzzer initialized successfully
Crash with stack trace
Bug found, saved to fuzz/artifacts/
Corpus location: fuzz/corpus/fuzz_target_1/
Crashes location: fuzz/artifacts/fuzz_target_1/
Sanitizer Integration
AddressSanitizer (ASan)
ASan is enabled by default and detects memory errors:
cargo +nightly fuzz run fuzz_target_1
Disabling Sanitizers
For pure safe Rust (no unsafe blocks in your code or dependencies):
cargo +nightly fuzz run --sanitizer none fuzz_target_1
Performance impact: ASan adds ~2x overhead. Disable for safe Rust to improve fuzzing speed.
Checking for Unsafe Code
cargo install cargo-geigercargo geiger
See Also: For detailed sanitizer configuration, flags, and troubleshooting,
see the address-sanitizer technique skill.
Coverage Analysis
cargo-fuzz integrates with Rust's coverage tools to analyze fuzzing effectiveness.
# Generate coverage data from corpuscargo +nightly fuzz coverage fuzz_target_1
Create coverage generation script:
cat <<'EOF' > ./generate_html#!/bin/shif [ $# -lt 1 ]; then echo "Error: Name of fuzz target is required." echo "Usage: $0 fuzz_target [sources...]" exit 1fiFUZZ_TARGET="$1"shiftSRC_FILTER="$@"TARGET=$(rustc -vV | sed -n 's|host: ||p')cargo +nightly cov -- show -Xdemangler=rustfilt \ "target/$TARGET/coverage/$TARGET/release/$FUZZ_TARGET" \ -instr-profile="fuzz/coverage/$FUZZ_TARGET/coverage.profdata" \ -show-line-counts-or-regions -show-instantiations \ -format=html -o fuzz_html/ $SRC_FILTEREOF
Generate HTML report:
./generate_html fuzz_target_1 src/lib.rs
HTML report saved to: fuzz_html/
See Also: For detailed coverage analysis techniques and systematic coverage improvement,
see the coverage-analysis technique skill.
Advanced Usage
Tips and Tricks
Tip
Why It Helps
Start with a seed corpus
Dramatically speeds up initial coverage discovery
Use --sanitizer none for safe Rust
2x performance improvement
Check coverage regularly
Identifies gaps in harness or seed corpus
Use dictionaries for parsers
Helps overcome magic value checks
Structure code as library
Required for cargo-fuzz integration
libFuzzer Options
Pass options to libFuzzer after --:
# See all optionscargo +nightly fuzz run fuzz_target_1 -- -help=1# Set timeout per runcargo +nightly fuzz run fuzz_target_1 -- -timeout=10# Use dictionarycargo +nightly fuzz run fuzz_target_1 -- -dict=dict.dict# Limit maximum input sizecargo +nightly fuzz run fuzz_target_1 --
Multi-Core Fuzzing
# Experimental forking support (not recommended)cargo +nightly fuzz run --jobs 1 fuzz_target_1
Note: The multi-core fuzzing feature is experimental and not recommended. For parallel fuzzing, consider running multiple instances manually or using AFL++.
Real-World Examples
Example: ogg Crate
The ogg crate parses Ogg media container files. Parsers are excellent fuzzing targets because they handle untrusted data.
# Clone and initializegit clone https://github.com/RustAudio/ogg.gitcd ogg/cargo fuzz init
Claude Sonnet 4.5