forked from openpgpjs/openpgpjs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # Fuzz Testing | ||
|
|
||
| Fuzz testing is: | ||
|
|
||
| > An automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a program. | ||
| This `fuzz/` directory contains the configuration and the fuzz tests for openpgp.js. | ||
| To generate and run fuzz tests, we use the [Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js/) library. | ||
|
|
||
| ## Running a fuzzer | ||
|
|
||
| This directory contains fuzzers like for example `createMessageBinary`. | ||
|
|
||
| You can run this fuzz target without options: | ||
| ```sh | ||
| npx jazzer test/fuzz/createMessageBinary | ||
| ``` | ||
|
|
||
| or with the given settings at your package.json: | ||
|
|
||
| ```sh | ||
| TARGET=createMessageBinary npm run fuzz | ||
| ``` | ||
|
|
||
| Notice, that `TARGET` is the path to your fuzz target module. | ||
|
|
||
| You should see output that looks something like this: | ||
|
|
||
| ``` | ||
| #128 pulse corp: 1/1b lim: 4 exec/s: 64 rss: 173Mb | ||
| #256 pulse corp: 1/1b lim: 6 exec/s: 51 rss: 173Mb | ||
| #512 pulse corp: 1/1b lim: 8 exec/s: 46 rss: 174Mb | ||
| #1024 pulse corp: 1/1b lim: 14 exec/s: 40 rss: 178Mb | ||
| #2048 pulse corp: 1/1b lim: 21 exec/s: 40 rss: 179Mb | ||
| ``` | ||
|
|
||
| It will continue to generate random inputs forever, until it finds a bug or is terminated. | ||
| The testcases for bugs it finds can be seen in the form of `crash-*`, `timeout-*` or `oom-*` at `test/fuzz/reports`. | ||
|
|
||
| ## The fuzz target module | ||
| All functions that need to be fuzz-tested are here, at the `test/fuzz/` directory. | ||
|
|
||
| A fuzz target module needs to export a function called fuzz, | ||
| which takes a Buffer parameter and executes the actual code under test. | ||
|
|
||
| Jazzer.js provides the wrapper class FuzzedDataProvider, which allows reading primitive types from the Buffer. | ||
|
|
||
| See further details in [Fuzzing using fuzz targets and the CLI](https://github.com/CodeIntelligenceTesting/jazzer.js/blob/main/docs/fuzz-targets.md) or [Advanced Fuzzing Settings](https://github.com/CodeIntelligenceTesting/jazzer.js/blob/main/docs/fuzz-settings.md#advanced-fuzzing-settings) | ||
|
|
||
| ### Corpus | ||
|
|
||
| The "corpus" directory is optional and can be used to provide initial seed input. | ||
| It is also used to store interesting inputs between fuzzing runs. | ||
|
|
||
| ### Run limitations | ||
|
|
||
| You can pass the `-max_total_time`` flag to the internal fuzzing engine to stop the fuzzing run after 10 seconds. | ||
| ```sh | ||
| npx jazzer test/fuzz/createMessageBinary -- -max_total_time=10 | ||
| ``` | ||
|
|
||
| Or you can limit the number of runs: | ||
| ```sh | ||
| npx jazzer test/fuzz/createMessageBinary -- -runs=4000000 | ||
| ``` | ||
|
|
||
| ### Reproducing errors | ||
|
|
||
| Once Jazzer.js finds a problematic input, it stores it at `test/fuzz/reports`. This is done by the option `-artifact_prefix`. | ||
| This input can then be used to reproduce the issue by specifying it as last parameter in the CLI call: | ||
| ```sh | ||
| npx jazzer test/fuzz/createMessageBinary crash-xyz | ||
| ``` |