|
| 1 | +# Fuzzing |
| 2 | + |
| 3 | +Fuzz tests generate a ton of random parameter arguments to the program and then validate that none cause it to crash. |
| 4 | + |
| 5 | +## How does it work? |
| 6 | + |
| 7 | +Typically, Travis CI will run `travis-fuzz.sh` on one of the environments the automated tests are configured for. |
| 8 | +This is the most time-consuming component of the continuous integration workflow, so it is recommended that you detect |
| 9 | +issues locally, and Travis merely acts as a sanity check. |
| 10 | + |
| 11 | +## How do I run fuzz tests locally? |
| 12 | + |
| 13 | +You typically won't need to run the entire combination of different fuzzing tools. For local execution, `honggfuzz` |
| 14 | +should be more than sufficient. |
| 15 | + |
| 16 | +### Setup |
| 17 | + |
| 18 | +To install `honggfuzz`, simply run |
| 19 | + |
| 20 | +```shell |
| 21 | +cargo install honggfuzz --force |
| 22 | + |
| 23 | +export HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" |
| 24 | +cargo hfuzz build |
| 25 | +``` |
| 26 | + |
| 27 | +### Execution |
| 28 | + |
| 29 | +To run the Hongg fuzzer, do |
| 30 | + |
| 31 | +```shell |
| 32 | +export CPU_COUNT=1 # replace as needed |
| 33 | +export HFUZZ_RUN_ARGS="-n $CPU_COUNT --exit_upon_crash" |
| 34 | + |
| 35 | +export TARGET="" # replace with the target to be fuzzed |
| 36 | +cargo hfuzz run $TARGET |
| 37 | +``` |
| 38 | + |
| 39 | +## A fuzz test failed on Travis, what do I do? |
| 40 | + |
| 41 | +You're trying to create a PR, but need to find the underlying cause of that pesky fuzz failure blocking the merge? |
| 42 | + |
| 43 | +Worry not, for this is easily traced. |
| 44 | + |
| 45 | +If your Travis output log looks like this: |
| 46 | + |
| 47 | +``` |
| 48 | +Size:639 (i,b,hw,ed,ip,cmp): 0/0/0/0/0/1, Tot:0/0/0/2036/5/28604 |
| 49 | +Seen a crash. Terminating all fuzzing threads |
| 50 | +
|
| 51 | +… # a lot of lines in between |
| 52 | +
|
| 53 | +<0x0000000000000000> [func:UNKNOWN file: line:0 module:UNKNOWN] |
| 54 | +===================================================================== |
| 55 | +2d3136383734090101010101010101010101010101010101010101010101 |
| 56 | +010101010100040101010101010101010101010103010101010100010101 |
| 57 | +0069d07c319a4961 |
| 58 | +The command "if [ "$(rustup show | grep default | grep stable)" != "" ]; then cd fuzz && cargo test --verbose && ./travis-fuzz.sh; fi" exited with 1. |
| 59 | +``` |
| 60 | + |
| 61 | +Simply copy the hex, and run the following from the `fuzz` directory: |
| 62 | + |
| 63 | +```shell |
| 64 | +export HEX="2d3136383734090101010101010101010101010101010101010101010101\ |
| 65 | +010101010100040101010101010101010101010103010101010100010101\ |
| 66 | +0069d07c319a4961" # adjust for your output |
| 67 | +echo $HEX | xxd -r -p > ./test_cases/full_stack/your_test_case_name |
| 68 | + |
| 69 | +export RUST_BACKTRACE=1 |
| 70 | +cargo test |
| 71 | +``` |
| 72 | + |
| 73 | +This will reproduce the failing fuzz input and yield a usable stack trace. |
0 commit comments