@ajtowns (Contributor) commented Mar 4, 2022

Phony fuzzing (phuzzing)! Run the fuzz testing code against known inputs to detect errors. Advantage is you can easily test using the existing qa-assets datasets without having to compile with fuzzing enabled; disadvantage is that it doesn't do any actual fuzzing.

Example usage:

```
$ for a in ${QA_ASSETS}/fuzz_seed_corpus/*; do echo ${a##*/}; done | xargs -P8 -I {} /bin/sh -c "FUZZ={} test/fuzz/fuzz ${QA_ASSETS}/fuzz_seed_corpus/{}"
No fuzzer for address_deserialize.
No fuzzer for addrdb.
No fuzzer for banentry_deserialize.
addition_overflow: succeeded against 848 files in 0s.
asmap: succeeded against 981 files in 0s.
checkqueue: succeeded against 211 files in 0s.
...
```

(`-P8` says run 8 of the tasks in parallel)

If there are failures, the first one will be reported and the program will abort with output like:

```
fuzz: test/fuzz/versionbits.cpp:336: void (anonymous namespace)::versionbits_fuzz_target(FuzzBufferType): Assertion `exp_state != ThresholdState::FAILED' failed.
Error processing seed "corpus/versionbits/35345ae8e722234095810b1117a29b63af7621af"
```

Rebase of #22763, which was a rebase of #21496, but also reports the name of the fuzzer and the time taken.

Fixes #21461

@ajtowns (Contributor, Author) commented Mar 4, 2022

@laanwj (Member) commented Mar 7, 2022

Concept ACK.

@ghost commented Mar 9, 2022

ACK.

Looks good to me, sorry for dropping that originally. Ran through some of the same tests I was doing before, all working as expected.

Example of that:

```
FUZZ=process_messages src/test/fuzz/fuzz ../qa-assets/fuzz_seed_corpus/process_messages/
process_messages: succeeded against 14024 files in 153s.
```

```
FUZZ=process_messages src/test/fuzz/fuzz ../qa-assets/fuzz_seed_corpus/process_messages/11265df2b1a0c93629515a880a2a851d6ceb133c
process_messages: succeeded against 1 files in 0s.
```

```
for a in ../qa-assets/fuzz_seed_corpus/*; do echo ${a##*/}; done | xargs -P8 -I {} /bin/sh -c "FUZZ={} src/test/fuzz/fuzz ../qa-assets/fuzz_seed_corpus/{}"
addition_overflow: succeeded against 1047 files in 0s.
address_deserialize_v1_withtime: succeeded against 420 files in 0s.
address_deserialize_v1_notime: succeeded against 400 files in 0s.
addr_info_deserialize: succeeded against 1232 files in 1s.
address_deserialize_v2: succeeded against 949 files in 1s.
...
```

@maflcko (Member) left a review comment

review ACK

Left some nits

```cpp
if (signal == SIGABRT) {
    std::cerr << "Error processing seed " << g_seed_path << std::endl;
} else {
    std::cerr << "Unexpected signal " << signal << " received\n";
}
```
maflcko (Member):

Unclear if this stl call is allowed? Might be UB, but I guess it doesn't matter either way?

ajtowns (Contributor, Author):

It matches the code in https://en.cppreference.com/w/cpp/utility/program/abort so should be mostly okay hopefully?

I suppose in theory you could set up worker threads, and have a monitor thread watch for them aborting -- then you could do multiple inputs in parallel, and report on multiple failures rather than exiting after the first one.
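The driver loop and the SIGABRT report discussed in this thread, as an added example written for this page rather than code taken from the PR: it assumes a directory of corpus files and a caller-supplied target (names `run_corpus`, `abort_handler`, `g_input_path` are this example's own), and the handler avoids the questioned `std::cerr` call by using only async-signal-safe `write(2)`.

```cpp
// Added example, not the PR's code: a minimal "phuzz" driver in the spirit of the PR.
// Every regular file in a directory is fed to a fuzz target and the count and elapsed
// time are reported; a SIGABRT handler names the input being processed so a failed
// assertion can be reproduced, using only async-signal-safe calls (write(2), strlen).
#include <chrono>
#include <csignal>
#include <cstdint>
#include <cstring>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <vector>
#include <unistd.h>

namespace fs = std::filesystem;
using FuzzBufferType = std::vector<std::uint8_t>;

// Path of the input currently executing, copied into a fixed buffer before each call so the handler never allocates.
static char g_input_path[4096] = "";
static void safe_write(const char* s) { (void)!write(STDERR_FILENO, s, std::strlen(s)); }

static void abort_handler(int signal)
{
    safe_write("Error processing input \"");
    safe_write(g_input_path);
    safe_write("\"\n");
    std::signal(signal, SIG_DFL);
    std::raise(signal); // re-raise so the default action (terminate, core dump) still happens
}

// Runs `target` on every regular file under `dir`, as the PR does for one FUZZ target.
// Returns the number of inputs executed; elapsed seconds are written to `elapsed_s`.
template <typename Target>
static std::size_t run_corpus(const fs::path& dir, Target&& target, double& elapsed_s)
{
    std::signal(SIGABRT, abort_handler);
    const auto start = std::chrono::steady_clock::now();
    std::size_t count = 0;
    for (const auto& entry : fs::directory_iterator(dir)) {
        if (!entry.is_regular_file()) continue;
        std::ifstream in(entry.path(), std::ios::binary);
        FuzzBufferType buffer((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
        std::strncpy(g_input_path, entry.path().c_str(), sizeof(g_input_path) - 1);
        target(buffer);
        ++count;
    }
    elapsed_s = std::chrono::duration<double>(std::chrono::steady_clock::now() - start).count();
    return count;
}
```

A real harness would pass the selected FUZZ target's function as `target`; an assertion failure inside it raises SIGABRT, and the handler prints the offending path before the process dies.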

Co-Authored-By: Anthony Ronning <anthonyronning@gmail.com>
@ajtowns ajtowns force-pushed the 202203-phuzztesting branch from 80dd301 to f59bee3 Compare March 16, 2022 21:29
@ajtowns (Contributor, Author) commented Mar 16, 2022

Renamed seed to input, added static/std, switched from signal.h to csignal header.

@maflcko maflcko merged commit bf2c0fb into bitcoin:master Mar 17, 2022
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Mar 18, 2022
f59bee3 fuzz: execute each file in dir without fuzz engine (Anthony Towns)


Top commit has no ACKs.

Tree-SHA512: d8d046d4a309652eb13de42116276bf992480bc887ad3535a8ff18b354cb24826bc562b06af63802ec945c637f046563b6a5601d6321b46a5543127daafea09b
Linked issue (may be closed by this pull request): fuzz: Make it possible to execute each file in a directory without fuzz engine