Commit Diff


commit - 211ed630587ce9246996043007a1e907982a33e0
commit + 0fd8b8b21d826a1e4fcca951b705fa6140560dbf
blob - f4c8f98b4d675ca1f1b674f1be803b33d76a8f10
blob + 8341e89a9396212c69033f5df6595986d5aa016a
--- Glossary.md
+++ Glossary.md
@@ -4,22 +4,25 @@
 
 ### C
 
-Coverage: Some information about the behaviour of the target when it executes a given input. Coverage is usually represented as the feature set that the input has triggered in the target.
+<strong><a id="Crash_state" href="#Crash_state">Crash state</a></strong>: A signature that we generate from the crash stacktrace for deduplication purposes.
 
+<strong><a id="Crash_type" href="#Crash_type">Crash type</a></strong>: The type of crash. ClusterFuzz uses this to determine the severity. For security vulnerabilities, this may be (but not limited to): Bad-cast, Heap-buffer-overflow, Heap-double-free, Heap-use-after-free, Stack-buffer-overflow, Stack-use-after-return, Use-after-poison. Other crash types include: Null-dereference, Timeout, Out-of-memory, Stack-overflow, ASSERT.
+
+<strong><a id="Coverage" href="#Coverage">Coverage</a></strong>: Some information about the behavior of the target when it executes a given input. Coverage is usually represented as the feature set that the input has triggered in the target.
+
 <strong><a id="Corpus" href="#Corpus">Corpus</a></strong>: (also **test corpus**, or **fuzzing corpus**) (*plural*: corpora) A set of [test inputs](#test-input). In most contexts, it refers to a set of minimal test inputs that generate maximal code coverage.
 
 <strong><a id="Cross-pollination" href="#Cross-pollination">Cross-pollination</a></strong>: The term is taken from botany, where one plant pollinates a plant of another variety. In fuzzing, cross-pollination means using a corpus for one [fuzz target](#fuzz-target) to expand a [corpus](#corpus) for another fuzz target. For example, if there are two libraries that process the same common data format, it is often beneficial to cross-pollinate their respective corpora.
 
 ### D
 
-Distillation (creating a distilled corpus): A process of choosing a subset of a larger corpus, such that the subset has the same coverage features as the original corpus.
+<strong><a id="Distillation" href="#Distillation">Distillation</a></strong> (creating a distilled corpus): A process of choosing a subset of a larger corpus, such that the subset has the same coverage features as the original corpus.
 
 <strong><a id="Dictionary" href="#Dictionary">Dictionary</a></strong>: A file which specifies interesting tokens for a [fuzz target](#fuzz-target). Most [fuzzing engines](#fuzzing-engine) support dictionaries, and will adjust their mutation strategies to process these tokens together.
 
 ### F
 
-<strong><a id="Fuzz_Target" href="#Fuzz_Target">Fuzz Target</a></strong> (also **Target Function**, or **Fuzzing Target Function**, or **Fuzzing Entry Point**): A binary, a library, an API, or rather anything that can consume bytes for input and produce some sort of coverage data as an output. A [libFuzzer](https://llvm.org/docs/LibFuzzer.html)'s target can be a Centipede's target. Read more [here](https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md). A [specific signature](http://libfuzzer.info#fuzz-target) is required for OSS-Fuzz. Examples: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/x509.c), [re2](https://github.com/google/re2/blob/master/re2/fuzzing/re2_fuzzer.cc),
-[SQLite](https://www.sqlite.org/src/artifact/ad79e867fb504338).
+<strong><a id="Fuzz_Target" href="#Fuzz_Target">Fuzz Target</a></strong> (also **Target Function**, or **Fuzzing Target Function**, or **Fuzzing Entry Point**): A binary, a library, an API, or rather anything that can consume bytes for input and produce some sort of coverage data as an output. See the [libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#fuzz-target) for a more detailed explanation. A fuzz target is typically given the array of bytes by [libFuzzer](https://llvm.org/docs/LibFuzzer.html) or [AFL](http://lcamtuf.coredump.cx/afl/) for coverage guided fuzzing. Read more [here](https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md). A [specific signature](http://libfuzzer.info#fuzz-target) is required for OSS-Fuzz. Examples: [openssl](https://github.com/openssl/openssl/blob/master/fuzz/x509.c), [re2](https://github.com/google/re2/blob/master/re2/fuzzing/re2_fuzzer.cc), [SQLite](https://www.sqlite.org/src/artifact/ad79e867fb504338).
 
 <strong><a id="Fuzzer" href="#Fuzzer">Fuzzer</a></strong>: The most overloaded term and used in a variety of contexts, which makes it bad. Sometimes, "Fuzzer" is referred to a [fuzz target](#fuzz-target), a [fuzzing engine](#fuzzing-engine), a [mutation engine](#mutation-engine), a [test generator](#test-generator) or
 a [fuzzer build](#fuzzer-build).
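Review bot: the three entries added to section C break the alphabetical order the rest of the glossary keeps: Crash state, Crash type and Coverage are inserted above Corpus, while sorted order is Corpus, Coverage, Crash state, Crash type, Cross-pollination. Two smaller points in the same hunk: the Crash type definition reads `this may be (but not limited to): Bad-cast, ...`, which should be `this may be (but is not limited to)`; and the new ids `Crash_state` and `Crash_type` lowercase the second word where the existing ids (`Fuzz_Target`, `Seed_Corpus`, `Test_Input`) capitalize it, so whichever convention is intended, any in-page link to these anchors must match the id case exactly.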
@@ -40,35 +43,37 @@ a [fuzzer build](#fuzzer-build).
 
 <strong><a id="Mutator" href="#Mutator">Mutator</a></strong>: A function that takes bytes as input and outputs a small random mutation of the input. See also: [structure-aware fuzzing](https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md).
 
-### T
+<strong><a id="Minimization" href="#Minimization">Minimization</a></strong>: A process that tries to minimize a [testcase](https://google.github.io/clusterfuzz/reference/glossary/#testcase) to its smallest possible size, such that it still triggers the same underlying bug on the target program.
 
-<strong><a id="Test_Generator" href="#Test_Generator">Test Generator</a></strong>: A tool that generates testcases from scratch according to some rules or grammar. Examples: [csmith](https://embed.cs.utah.edu/csmith/) (a test generator for C language), [cross_fuzz](http://lcamtuf.coredump.cx/cross_fuzz/) (a cross-document DOM binding test generator).
-
-<strong><a id="Test_Input" href="#Test_Input">Test Input</a></strong>: A sequence of bytes that is used as input to a [fuzz target](#fuzz-target). Typically, a test input is stored in a separate file.
-
 ### R
 
+<strong><a id="Reliability_of_reproduction" href="#Reliability_of_reproduction">Reliability of reproduction</a></strong>: A crash is reliably reproducible if the target program consistently crashes with the same [crash state](https://google.github.io/clusterfuzz/reference/glossary/#crash-state) for the given input.
+
 <strong><a id="Reproducer" href="#Reproducer">Reproducer</a></strong>: (also **Test Case**): A [test input](#test-input) that can be used to reproduce a bug when processed by a fuzz target.
 
 ### S
 
-Shard: A file representing a subset of the corpus and another file representing feature sets for that same subset of the corpus.
+<strong><a id="Shard" href="#Shard">Shard</a></strong>: A file representing a subset of the corpus and another file representing feature sets for that same subset of the corpus.
 
 <strong><a id="Sanitizer" href="#Sanitizer">Sanitizer</a></strong>: A [dynamic testing](https://en.wikipedia.org/wiki/Dynamic_testing) tool that can detect bugs during program execution. Examples: [ASan](http://clang.llvm.org/docs/AddressSanitizer.html), [DFSan](http://clang.llvm.org/docs/DataFlowSanitizer.html), [LSan](http://clang.llvm.org/docs/LeakSanitizer.html), [MSan](http://clang.llvm.org/docs/MemorySanitizer.html), [TSan](http://clang.llvm.org/docs/ThreadSanitizer.html), [UBSan](http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html). See also: https://github.com/google/sanitizers
 
 <strong><a id="Seed_Corpus" href="#Seed_Corpus">Seed Corpus</a></strong>: A small initial [corpus](#corpus) prepared with the intent of providing initial coverage for fuzzing. Rather than being created by the fuzzers themselves, seed corpora are often prepared from existing test inputs or may be hand-crafted to provide interesting coverage. They are often checked into source alongside [fuzz targets](#fuzz-target).
 
+### T
+
+<strong><a id="Testcase" href="#Testcase">Testcase</a></strong>: An input for the target program that causes a crash or bug. On a testcase details page, you can download a “Minimized Testcase” or “Unminimized Testcase”, these refer to the input that needs to be passed to the target program.
+
+<strong><a id="Test_Generator" href="#Test_Generator">Test Generator</a></strong>: A tool that generates testcases from scratch according to some rules or grammar. Examples: [csmith](https://embed.cs.utah.edu/csmith/) (a test generator for C language), [cross_fuzz](http://lcamtuf.coredump.cx/cross_fuzz/) (a cross-document DOM binding test generator).
+
+<strong><a id="Test_Input" href="#Test_Input">Test Input</a></strong>: A sequence of bytes that is used as input to a [fuzz target](#fuzz-target). Typically, a test input is stored in a separate file.
+
 ### References
 
-- https://github.com/google/centipede#terminology
-- https://github.com/google/fuzzing/blob/master/docs/glossary.md
-- https://google.github.io/clusterfuzz/reference/glossary/
-- https://google.github.io/oss-fuzz/reference/glossary/
-- https://github.com/ligurio/trash-software-bugs
-- https://csrc.nist.gov/glossary
-- https://xlinux.nist.gov/dads/
-- https://github.com/jagracey/Awesome-Unicode/blob/master/GLOSSARY.md#r
-- ISTQB Glossary https://glossary.istqb.org/en/search/
-- https://en.wikipedia.org/wiki/Buffer_overflow
-- https://en.wikipedia.org/wiki/Segmentation_fault
-- https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use
\ No newline at end of file
+- (Fuzzing) https://github.com/google/centipede#terminology
+- (Fuzzing) https://github.com/google/fuzzing/blob/master/docs/glossary.md
+- (Fuzzing) https://google.github.io/clusterfuzz/reference/glossary/
+- (Fuzzing) https://google.github.io/oss-fuzz/reference/glossary/
+- https://csrc.nist.gov/glossary glossary consists of terms and definitions extracted verbatim from NIST's cybersecurity- and privacy-related publications.
+- https://xlinux.nist.gov/dads/ - Dictionary of Algorithms and Data Structures
+- [ISTQB Glossary](https://glossary.istqb.org/en/search/)
+<!-- - https://github.com/ligurio/trash-software-bugs -->
\ No newline at end of file
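Review bot: the two new cross-references link out to the hosted ClusterFuzz glossary instead of the anchors this same patch adds: Reliability of reproduction links `https://google.github.io/clusterfuzz/reference/glossary/#crash-state` although `<a id="Crash_state">` is defined in this file, and Minimization links `.../reference/glossary/#testcase` although `<a id="Testcase">` is added a few lines further down. Pointing them at the local anchors (`[crash state](#Crash_state)`, `[testcase](#Testcase)`) keeps the glossary self-contained and avoids the mismatch between the external `#crash-state` slug and the local `Crash_state` id. Also in this hunk: Minimization is placed after Mutator, where sorted order puts it first; the Testcase definition has a comma splice (`... or “Unminimized Testcase”, these refer to ...`), which `; both refer to` fixes; the NIST reference runs the URL straight into its description (`https://csrc.nist.gov/glossary glossary consists of ...`) and needs the ` - ` separator used for the DADS entry; and the Awesome-Unicode and three Wikipedia references are dropped outright while trash-software-bugs is only commented out, so it is worth stating in the commit message whether those removals are intentional.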