Add coverage guided fuzzing

Question

Add coverage guided fuzzing

Closed this issue 7 months ago · 10 comments

masih commented 7 months ago

It would be really nice if we could have coverage guided fuzzing.

Do a bunch of fuzzing.
For each input, record the code coverage from that input.
If the input exercises new code, add it to the corpus.

We'll still want random fuzzing, but this will help us make sure we at least cover as many error paths as possible.

Originally posted by @Stebalien in #219 (comment)

Answer 1 · 2024-05-14T21:55:15.000Z

We should first add test coverage to CI! @masih would you look into this?

I predict this will show some holes in our unit testing at the level of explicitly testing message sequences given to the participant. This is a gap between the simple data structure unit tests and sim-level exercises we currently have.

Answer 2 · 2024-05-14T23:53:21.000Z

Ah, actually, go fuzzing already works this way. It just stores the entries in $(go env GOCACHE)/fuzz. We need to upload this somewhere when the test finishes (success or failure) and download it afterwards.

We could use caching but... ideally we'd push it to a git repo somewhere. @Kubuxu should be able to help here.

Answer 3 · 2024-05-15T08:32:46.000Z

We should first add test coverage to CI! @masih would you look into this?

Will do; that should be quick.

ideally we'd push it to a git repo somewhere

I would just push those to testdata next to the tests. That would be easier; no?

Answer 4 · 2024-05-15T11:31:22.000Z

Coverage reporting is added here

Answer 5 · 2024-05-15T13:20:44.000Z

It might be more optimal to move away from seed fuzzing and instead fuzze an array of latencies or something similar, but seed-based fuzzing is a great initial step.

Giving more precise control over latencies to the fuzzer would make it more expressive, allowing it to test more scenarios and allow it to make smaller changes to the scenario as it evolves.

Answer 6 · 2024-05-15T13:52:40.000Z

We could use caching but... ideally we'd push it to a git repo somewhere. @Kubuxu should be able to help here.

In my opinion, we should store minimized fuzz corpus in this repo. The separate repo works but is a bit hacky, and I've done it in the past mostly because the fuzzer used was AFL, and I was fuzzing complex scenarios with large churn.

Answer 7 · 2024-05-15T14:03:25.000Z

Hmm, looks like go doesn't support corpus minimization right now :/

Answer 8 · 2024-05-15T14:47:49.000Z

-fuzzminimizetime not it?

Answer 9 · 2024-05-15T16:57:49.000Z

Nope, that is for minimizing the crash reproducer (essentially, it will take the crasher and fuzz it to reduce its size while keeping the crash).

Answer 10 · 2024-05-15T17:45:49.000Z

I will close this as Golang's fuzzing is coverage-guided. For a more advanced fuzzing strategy (message reordering), we might want to open a new issue.

Also see #218