new file mode 100644
@@ -0,0 +1,178 @@
+The goal of the image fuzzer is to catch crashes of qemu-io/qemu-img providing
+to them randomly corrupted images.
+Test images are generated from scratch and have valid inner structure with some
+elements, e.g. L1/L2 tables, having random invalid values.
+The test runner generates test images, executes tests utilizing generated
+images, indicates their results and collect all test related artifacts (logs,
+core dumps, test image).
+The test means one start of a system under test (SUT), e.g. qemu-io, with
+specified arguments and one test image.
+By default, the test runner generates new tests and executes them until
+keyboard interruption. But if a test seed is specified via '-s' runner
+parameter, then only one test with this seed will be executed, after its finish
+the runner will exit.
+The runner uses an external image fuzzer to generate test images. An image
+generator should be specified as a mandatory parameter of the test runner.
+Details about interactions between the runner and fuzzers see "Module
+The runner activates generation of core dumps during test executions, but it
+assumes that core dumps will be generated in the current working directory.
+For comprehensive test results, please, set up your test environment
+Path to a binary under test can be specified via environment variables (for now
+only qemu-img) or the runner parameter. For details about environment variables
+Qcow2 image generator
+The 'qcow2' generator is a Python package providing
+'create_image(test_img_path)' method as a single public API. Other methods can
+be accessed by specifying a submodule prefix, e.g.
+ import qcow2
+Qcow2 contains two submodules: fuzz.py and layout.py.
+'fuzz.py' contains all fuzzing functions one per image field. It's assumed that
+after code analysis every field will have own constraints for its value.
+'layout.py' creates a random valid image, fuzzes a random subset of the image
+fields based on their already generated valid values and writes the fuzzed
+image to the file specified.
+For now only header fields are generated, the remaining file is filled with
+* Test runner/image fuzzer
+The runner calls an image generator specifying path to a test image file.
+An image generator is expected to provide 'create_image(test_img_path)' method
+that creates a test image and writes it to the specified file. The file should
+be created if it doesn't exist or overwritten otherwise.
+Random seed is set by the runner at every test execution for the regression
+purpose, so an image generator is not recommended to modify it internally.
+* Test runner/SUT
+For now a full test command is composed from the SUT, SUT arguments specified
+via '-c' runner parameter and the name of generated image, e.g. for qemu-img
+as a SUT and 'check' command the result call will be
+ qemu-img check test_image
+where 'test_image' is predefined name for any generated image.
+Overall fuzzer requirements
+ - image structure template
+ - test run duration (optional)
+ - action vector (optional)
+ - seed (optional)
+ - fuzzing type (optional)
+ - qemu-img arguments (optional)
+1. Should be able to inject random data
+2. Should be able to permutate part of specified data
+3. Should be able to select a random value from the manually pregenerated
+ vector (boundary values, e.g. max/min cluster size)
+4. Image template should describe a general structure invariant for all
+ test images (image format description)
+5. Image template should be autonomous and other fuzzer parts should not
+ relate on it
+6. Image template should contain reference rules (not only block+size
+7. Should generate the test image with the correct structure based on an image
+8. Should accept a seed as an argument (for regression purpose)
+9. Should generate a seed if it is not specified as an input parameter.
+10. The same seed should generate the same image, if no or the same action
+ vector and fuzzing type are specified
+11. Should accept a vector of actions as an argument (for test reproducing and
+ for test case specification, e.g. group of tests for header structure,
+ group of test for snapshots, etc)
+12. Action vector should be randomly generated from the pool of available
+ actions, if it is not specified as an input parameter
+13. Pool of actions should be defined automatically based on an image template
+14. Should accept a fuzzing type: random values or pregenerated ones
+ (if possible).
+15. Should accept qemu-img call parameters as an argument and select them
+ randomly otherwise. As far as it's expected to be rarely changed, the list
+ of possible values will be available in the test runner internally.
+16. Should accept a test run duration as an argument. Tests should be executed
+ during a minimum period from a test run duration and time while fuzzer can
+ generate different test images
+17. Should support an external cancellation of a test run
+18. Seed, action vector and fuzzing type should be logged (for regression
+19. All files related to test result should be collected: a test image,
+ qemu logs, fuzzer logs and crash dumps
+20. Should be compatible with python version 2.4-2.7
+21. Usage of external libraries should be limited as much as possible.
+Main target image format is qcow2, but support of image templates should
+provide an ability to add any other image format.
+Fuzzer can be controlled via template, seed and action vector;
+this make the fuzzer itself invariant to an image format and test logic.
+It should be able to perform rather complex and precise tests, that can be
+specified via action vector. Otherwise, knowledge about an image structure
+allows the fuzzer to generate the pool of all available areas can be fuzzed
+and randomly select some of them and so compose its own action vector.
+Also complexity of a template defines complexity of the fuzzer, so its
+functionality can be varied from simple model-independent fuzzing to smart
+Action vector is a sequence of structure elements retrieved from an image
+format, each of which will be fuzzed for the test image. It's a subset of
+elements of the action pool. Example: header, refcount block, etc.
+Action pool is all available elements of an image structure that generated
+automatically from an image template.
+Image template is a formal description of an image structure and relations
+between image blocks
+Test image is an output image of fuzzer defined by the current seed, fuzz type
+and action vector.