Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzzing Testing #1309

Closed
robert-e-davidson3 opened this issue Dec 14, 2021 · 2 comments
Closed

Fuzzing Testing #1309

robert-e-davidson3 opened this issue Dec 14, 2021 · 2 comments
Assignees
@robert-e-davidson3
Labels
Epic Testing

Comments

@robert-e-davidson3
Copy link
Contributor

The goal of fuzzing is to quickly increase test coverage. Concretely this means fuzzing can run for a long time (say, a week) without finding any new bugs.

Our original fuzzing was quick and dirty: feed some bytes to the parser and fail on panics. The search space of this approach is so broad that it cannot run fast enough to provide much test coverage - almost every input it gives is syntactically invalid. This code lives in onflow/cadence and can be ignored.

We needed a grammar-based fuzzer to cut down the search space to just syntactically-valid inputs. The first idea was to write Cadence's grammar into the EBNF format so we could leverage existing tools. Unfortunately Cadence doesn't fit into EBNF cleanly enough to satisfy those tools.

Joe had a solution: modify the Cadence parser so that, at any point, it can give a list of valid tokens that can follow. This "parser-based fuzzer" is an implicit grammar-based fuzzer. That code lives in onflow/fuzzer as an old fork of onflow-cadence and was run on FuzzBuzz.io.

The next step is to evaluate the status of the onflow/fuzzer code and how it integrates with FuzzBuzz.io. Once that's established, rebase the latest Cadence code from onflow/cadence:master to onflow/fuzzer:master and make adjustments so the fuzzer still works.

This epic ends there. However, if that isn't sufficient then there are two additional approaches to take. They're described here for future reference.

We may want to use go-fuzz or the built-in fuzzing support in Go 1.18. The approach here is to use mainnet contracts and transactions as the seed corpus. That will require maintenance because as the Cadence language is developed and so diverges from the deployed contracts.

If that approach isn't sufficient then we need to investigate writing and integrating our own mutation algorithm. Most likely this would merge both prior methods, mutating existing contracts and transactions randomly but based on the existing contracts.
@robert-e-davidson3 robert-e-davidson3 self-assigned this Dec 14, 2021
@robert-e-davidson3
Copy link
Contributor Author

robert-e-davidson3 commented Dec 15, 2021
edited
Loading

This ticket supersedes several stale tickets:

This was referenced Dec 15, 2021
Closed
Closed
Closed
Closed
Closed
@turbolent
Copy link
Member

Next steps:

  • Joe's work seems incomplete, will clarify. Plan top sync with Joe next week

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@robert-e-davidson3 robert-e-davidson3

Labels
Epic Testing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@turbolent @j1010001 @robert-e-davidson3