zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10017 Commits
183 Branches
291 MiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
tendermint/test/fuzz/README.md

72 lines
2.1 KiB
Raw Permalink Normal View History

test/fuzz: move fuzz tests into this repo (#5918) Co-authored-by: Emmanuel T Odeke <emmanuel@orijtech.com> Closes #5907 - add init-corpus to blockchain reactor - remove validator-set FromBytes test now that we have proto, we don't need to test it! bye amino - simplify mempool test do we want to test remote ABCI app? - do not recreate mux on every crash in jsonrpc test - update p2p pex reactor test - remove p2p/listener test the API has changed + I did not understand what it's tested anyway - update secretconnection test - add readme and makefile - list inputs in readme - add nightly workflow - remove blockchain fuzz test EncodeMsg / DecodeMsg no longer exist
3 years ago
 
  1. # fuzz

  2. 

  3. Fuzzing for various packages in Tendermint using [go-fuzz](https://github.com/dvyukov/go-fuzz) library.
  4. 

  5. Inputs:
  6. 

  7. - mempool `CheckTx` (using kvstore in-process ABCI app)
  8. - p2p `Addrbook#AddAddress`
  9. - p2p `pex.Reactor#Receive`
  10. - p2p `SecretConnection#Read` and `SecretConnection#Write`
  11. - rpc jsonrpc server
  12. 

  13. ## Directory structure

  14. 

  15. ```
  16. | test
  17. |  |- corpus/
  18. |  |- crashers/
  19. |  |- init-corpus/
  20. |  |- suppressions/
  21. |  |- testdata/
  22. |  |- <testname>.go
  23. ```
  24. 

  25. `/corpus` directory contains corpus data. The idea is to help the fuzzier to
  26. understand what bytes sequences are semantically valid (e.g. if we're testing
  27. PNG decoder, then we would put black-white PNG into corpus directory; with
  28. blockchain reactor - we would put blockchain messages into corpus).
  29. 

  30. `/init-corpus` (if present) contains a script for generating corpus data.
  31. 

  32. `/testdata` directory may contain an additional data (like `addrbook.json`).
  33. 

  34. Upon running the fuzzier, `/crashers` and `/suppressions` dirs will be created,
  35. along with <testname>.zip archive. `/crashers` will show any inputs, which have
  36. lead to panics (plus a trace). `/suppressions` will show any suppressed inputs.
  37. 

  38. ## Running

  39. 

  40. ```sh
  41. make fuzz-mempool
  42. make fuzz-p2p-addrbook
  43. make fuzz-p2p-pex
  44. make fuzz-p2p-sc
  45. make fuzz-rpc-server
  46. ```
  47. 

  48. Each command will create corpus data (if needed), generate a fuzz archive and
  49. call `go-fuzz` executable.
  50. 

  51. Then watch out for the respective outputs in the fuzzer output to announce new
  52. crashers which can be found in the directory `crashers`.
  53. 

  54. For example if we find
  55. 

  56. ```sh
  57. ls crashers/
  58. 61bde465f47c93254d64d643c3b2480e0a54666e
  59. 61bde465f47c93254d64d643c3b2480e0a54666e.output
  60. 61bde465f47c93254d64d643c3b2480e0a54666e.quoted
  61. da39a3ee5e6b4b0d3255bfef95601890afd80709
  62. da39a3ee5e6b4b0d3255bfef95601890afd80709.output
  63. da39a3ee5e6b4b0d3255bfef95601890afd80709.quoted
  64. ```
  65. 

  66. the crashing bytes generated by the fuzzer will be in
  67. `61bde465f47c93254d64d643c3b2480e0a54666e` the respective crash report in
  68. `61bde465f47c93254d64d643c3b2480e0a54666e.output`
  69. 

  70. and the bug report can be created by retrieving the bytes in
  71. `61bde465f47c93254d64d643c3b2480e0a54666e` and feeding those back into the
  72. `Fuzz` function.