fuzz: H2 codec fuzzer. #4017
Merged
fuzz: H2 codec fuzzer. #4017
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fuzzer for the H2 codec. This is similar in structure to //test/common/http/http2:codec_impl_test, where a client H2 codec is wired via shared memory to a server H2 codec and stream actions are applied. We fuzz the various client/server H2 codec API operations and in addition apply fuzzing at the wire level by modeling explicit mutation, reordering and drain operations on the connection buffers between client and server. Part of envoyproxy#508. Risk Level: Low Testing: Tested with corpus under bazel test and under oss-fuzz Docker image. ~500 cases per second with python infra/helper.py build_fuzzers --sanitizer=address envoy <envoy path> && python infra/helper.py run_fuzzer envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of http2/codec_impl.cc. Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Harvey Tuch <htuch@google.com>
mattklein123
approved these changes
Aug 3, 2018
| uint32_t read_disable_count_{}; | ||
| }; | ||
|
|
||
| // Buffer between client and server H2 codecs. This models each write operation |
There was a problem hiding this comment.
I suppose at some point we might want to actually be able to reorder full h2 frames? I wonder if that would make the fuzzing more effective or not. I'm not sure.
There was a problem hiding this comment.
Yeah; based on experience, some of the time you do get full frame reordering due to 1 write per frame, but some of the time it's only partial. In theory, the fuzzer could generate a series of swap actions that performs a full frame swap, but the chance of that happening is lower as the frame fragmentation grows. I'm planning on looking at coverage and other metrics to try and tune this once we land in oss-fuzz and internal runs.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fuzzer for the H2 codec. This is similar in structure to
//test/common/http/http2:codec_impl_test, where a client H2 codec is wired via
shared memory to a server H2 codec and stream actions are applied. We fuzz the
various client/server H2 codec API operations and in addition apply fuzzing at
the wire level by modeling explicit mutation, reordering and drain operations
on the connection buffers between client and server.
Part of #508.
Risk Level: Low
Testing: Tested with corpus under bazel test and under oss-fuzz Docker image.
~640 cases per second with python infra/helper.py build_fuzzers
--sanitizer=address envoy && python infra/helper.py run_fuzzer
envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of
http2/codec_impl.cc.
Signed-off-by: Harvey Tuch htuch@google.com