README
¶
go-fuzz: randomized testing for Go
Go-fuzz is a coverage-guided fuzzing solution for testing of Go packages. Fuzzing is mainly applicable to packages that parse complex inputs (both text and binary), and is especially useful for hardening of systems that parse inputs from potentially malicious users (e.g. anything accepted over a network).
Usage
First, you need to write a test function of the form:
func Fuzz(data []byte) int
Data is a random input generated by go-fuzz, note that in most cases it is invalid. The function must return 1 if the fuzzer should increase priority of the given input during subsequent fuzzing (for example, the input is lexically correct and was parsed successfully); -1 if the input must not be added to corpus even if gives new coverage; and 0 otherwise; other values are reserved for future use.
The Fuzz function must be in a package that go-fuzz can import. This means
the code you want to test can't be in package main. Fuzzing internal
packages is supported, however.
In its basic form the Fuzz function just parses the input, and go-fuzz ensures that it does not panic, crash the program, allocate insane amount of memory nor hang. Fuzz function can also do application-level checks, which will make testing more efficient (discover more bugs). For example, Fuzz function can serialize all inputs that were successfully deserialized, thus ensuring that serialization can handle everything deserialization can produce. Or, Fuzz function can deserialize-serialize-deserialize-serialize and check that results of first and second serialization are equal. Or, Fuzz function can feed the input into two different implementations (e.g. dumb and optimized) and check that the output is equal. To communicate application-level bugs Fuzz function should panic (os.Exit(1) will work too, but panic message contains more info). Note that Fuzz function should not output to stdout/stderr, it will slow down fuzzing and nobody will see the output anyway. The exception is printing info about a bug just before panicking.
Here is an example of a simple Fuzz function for image/png package:
package png
import (
"bytes"
"image/png"
)
func Fuzz(data []byte) int {
png.Decode(bytes.NewReader(data))
return 0
}
A more useful Fuzz function would look like:
func Fuzz(data []byte) int {
img, err := png.Decode(bytes.NewReader(data))
if err != nil {
if img != nil {
panic("img != nil on error")
}
return 0
}
var w bytes.Buffer
err = png.Encode(&w, img)
if err != nil {
panic(err)
}
return 1
}
The second step is collection of initial input corpus. Ideally, files in the corpus are as small as possible and as diverse as possible. You can use inputs used by unit tests and/or generate them. For example, for an image decoding package you can encode several small bitmaps (black, random noise, white with few non-white pixels) with different levels of compressions and use that as the initial corpus. Go-fuzz will deduplicate and minimize the inputs. So throwing in a thousand of inputs is fine, diversity is more important.
Put the initial corpus into the workdir/corpus directory (in our case
examples/png/corpus). Go-fuzz will add own inputs to the corpus directory.
Consider committing the generated inputs to your source control system, this
will allow you to restart go-fuzz without losing previous work.
Examples directory contains a bunch of examples of test functions and initial input corpuses for various packages.
The next step is to get go-fuzz:
$ go get github.com/dvyukov/go-fuzz/go-fuzz
$ go get github.com/dvyukov/go-fuzz/go-fuzz-build
Then, build the test program with necessary instrumentation:
$ go-fuzz-build github.com/dvyukov/go-fuzz/examples/png
This will produce png-fuzz.zip archive.
Now we are ready to go:
$ go-fuzz -bin=./png-fuzz.zip -workdir=examples/png
Go-fuzz will generate and test various inputs in an infinite loop. Workdir is used to store persistent data like current corpus and crashers, it allows fuzzer to continue after restart. Discovered bad inputs are stored in workdir/crashers dir; where file without a suffix contains binary input, file with .quoted suffix contains quoted input that can be directly copied into a reproducer program or a test, file with .output suffix contains output of the test on this input. Every few seconds go-fuzz prints logs of the form:
2015/04/25 12:39:53 slaves: 500, corpus: 186 (42s ago), crashers: 3,
restarts: 1/8027, execs: 12009519 (121224/sec), cover: 2746, uptime: 1m39s
Where slaves means number of tests running in parallel (set with -procs
flag). corpus is current number of interesting inputs the fuzzer has
discovered, time in brackets says when the last interesting input was
discovered. crashers is number of discovered bugs (check out
workdir/crashers dir). restarts is the rate with which the fuzzer restarts
test processes. The rate should be close to 1/10000 (which is the planned
restart rate); if it is considerably higher than 1/10000, consider fixing already
discovered bugs which lead to frequent restarts. execs is total number of
test executions, and the number in brackets is the average speed of test
executions. cover is number of bits set in a hashed coverage bitmap, if this number
grows fuzzer uncovers new lines of code; size of the bitmap is 64K; ideally cover
value should be less than ~5000, otherwise fuzzer can miss new interesting inputs
due to hash collisions. And finally uptime is uptime of the process. This same
information is also served via http (see the -http flag).
Random Notes
go-fuzz-build builds the program with gofuzz build tag, this allows to put the
Fuzz function implementation directly into the tested package, but exclude it
from normal builds with // +build gofuzz directive.
If your inputs contain a checksum, it can make sense to append/update the checksum
in the Fuzz function. The chances that go-fuzz will generate the correct
checksum are very low, so most work will be in vain otherwise.
Go-fuzz can utilize several machines. To do this, start master process separately:
$ go-fuzz -workdir=examples/png -master=127.0.0.1:8745
It will manage persistent corpus and crashers and coordinate work of slave processes. Then run one or more slave processes as:
$ go-fuzz -bin=./png-fuzz.zip -slave=127.0.0.1:8745 -procs=10
External Articles
- go-fuzz github.com/arolek/ase: A step-by-step tutorial
- DNS parser, meet Go fuzzer: A success story with suggestions on how to write the
Fuzzfunction - Automated Testing with go-fuzz
Credits and technical details
Go-fuzz fuzzing logic is heavily based on american fuzzy lop, so refer to AFL readme if you are interested in technical details. AFL is written and maintained by Michal Zalewski. Some of the mutations employed by go-fuzz are inspired by work done by Mateusz Jurczyk, Gynvael Coldwind and Felix Gröbert.
Trophies
- spec: non-integral constant can be converted to int fixed
- cmd/compile: out of fixed registers
- cmd/compile: truncates constants fixed
- cmd/compile: overflow in int -> string
- cmd/compile: bad HMUL fixed
- cmd/compile: treecopy Name
- cmd/compile: accepts invalid identifiers fixed
- cmd/compile: hangs compiling hex fp constant
- cmd/compile: mishandles int->complex conversion
- cmd/compile: allows to define blank methods on builtin types fixed
- cmd/compile: mis-calculates a constant fixed
- cmd/compile: interface conversion panic fixed
- cmd/compile: nil pointer dereference fixed
- cmd/compile: nil pointer dereference (2) fixed
- cmd/compile: internal compiler error: plain block b3 len(Succs)==2, want 1 fixed
- cmd/compile: internal compiler error: b3.Succs has duplicate block b3 fixed
- cmd/compile: internal compiler error: newname nil fixed
- cmd/compile: accepts invalid function type
- cmd/compile: internal compiler error: getinarg: not a func int fixed
- cmd/compile: hangs converting int const to complex64
- cmd/compile: nil deref in error message fixed
- cmd/compile: use of untyped nil in switch fixed
- cmd/compile: implicitly converts complex constant to integer fixed
- cmd/compile: assignment to entry in nil map fixed
- cmd/compile: does not diagnose constant division by zero
- cmd/compile: does not detect a missing return
- cmd/compile: symbol ""._.args_stackmap listed multiple times fixed
- cmd/compile: "0"[0] should not be a constant
- cmd/compile: unexpected %!(NOVERB) fixed
- cmd/compile: wrong line number in error message fixed
- cmd/compile: not-deterministic output
- cmd/compile: parsing problem fixed
- cmd/compile: compiles incorrect program fixed
- cmd/compile: does not compile correct program
- cmd/compile: compiles incorrect program (2) fixed
- cmd/compile: internal compiler error: want FUNC, but have int
- cmd/asm: index out of range fixed
- cmd/asm: index out of range (2) fixed
- cmd/asm: index out of range (3) fixed
- cmd/asm: index out of range (4)
- cmd/asm: slice bounds out of range fixed
- cmd/asm: hang fixed
- cmd/asm: hang (2) fixed
- cmd/asm: hang (3) fixed
- cmd/asm: nil deref fixed
- cmd/asm: nil deref (2) fixed
- cmd/asm: nil deref (3) fixed
- cmd/asm: nil deref (4) fixed
- cmd/asm: nil deref (5)
- cmd/asm: cannot happen: slice col fixed
- cmd/asm: unactionable "invalid local variable type 0"
- internal/trace: index out of range fixed
- internal/trace: index out of range (2) fixed
- internal/trace: nil deref fixed
- internal/trace: nil deref (2) fixed
- fmt: Printf loops on invalid verb spec fixed
- fmt: incorrect overflow detection fixed
- fmt: index out of range fixed
- fmt: index out of range (2) fixed
- fmt: index out of range (3) fixed
- fmt: index out of range (4) fixed
- fmt: index out of range (5) fixed
- fmt: index out of range (6) fixed
- regexp: slice bounds out of range fixed
- regexp: slice bounds out of range (2) fixed
- regexp: LiteralPrefix lies about completeness
- regexp: LiteralPrefix lies about completeness (2)
- regexp: POSIX regexp takes 4 seconds to execute
- regexp: confusing behavior on invalid utf-8 sequences
- regexp: considers "\Q\E*" as valid regexp fixed
- time: allows signs for year/tz in format string
- math/big: incorrect string->Float conversion
- math/big: MakeFromLiteral with 0 mantissa and large exponent hangs
- net/http: can't send star request fixed
- net/http: allows empty header names fixed
- net/http: allows invalid characters in header values fixed
- net/http: allows %-encoding after [] fixed
- net/mail: ParseAddress/String corrupt address fixed
- net/mail: parses invalid address fixed
- net/mail: fails to escape address fixed
- net/textproto: fails to trim header value fixed
- archive/zip: cap out of range fixed
- archive/zip: bad file size fixed
- archive/zip: unexpected EOF fixed
- archive/zip: file with wrong checksum is successfully decompressed fixed