go-fuzz icon indicating copy to clipboard operation
go-fuzz copied to clipboard

Published 20 hours ago verified publisher icon dvyukov

Officially deprecate?

Open josharian opened this issue 3 years ago • 19 comments

I propose that we add a paragraph to the top of the readme declaring go-fuzz unmaintained, and then Archive the repo on GitHub.

cc @dvyukov @thepudds @mvdan

josharian avatar Nov 28 '21 00:11 josharian

Agreed, as long as the deprecation is clear that it only applies to Go 1.18 or later. We could perhaps also link to https://pkg.go.dev/golang.org/dl/gotip for testing native fuzzing, and the equivalent for 1.18beta1 or 1.18rc1 as they come out.

mvdan avatar Nov 28 '21 09:11 mvdan

Well, we have a number of unfixed non-trivial bugs that apply to 1.17. The deprecation would be more an acceptance of facts than a statement of policy.

josharian avatar Nov 28 '21 14:11 josharian

That's fair. What I mean is that we need to mention 1.18+ when it comes to switching to native fuzzing as a replacement.

mvdan avatar Nov 28 '21 18:11 mvdan

I don't mind. We could add some bold header, issue template and link them to native fuzzing page.

dvyukov avatar Nov 29 '21 06:11 dvyukov

I have a modest counter proposal, including a couple of quick comments on some of the recent bugs reported against go-fuzz, but I won’t be able to circle back here until this evening…

thepudds avatar Nov 29 '21 15:11 thepudds

Is there an alternative fuzzer that operates the same way as go-fuzz?

huornlmj avatar Nov 29 '21 15:11 huornlmj

@thepudds no rush. :) Will wait to hear what you have to say.

josharian avatar Nov 29 '21 15:11 josharian

@huornlmj the built-in toolchain fuzzer is based on go-fuzz. To get it started they imported much of go-fuzz wholesale. I can't say it's exactly the same, but it is similar.

josharian avatar Nov 29 '21 15:11 josharian

Hi all, some quick comments.

Josh's proposal will very likely be the ultimate outcome here, and that has been the goal... However, I'd like to suggest "maybe not quite yet".

In particular, I'd like to volunteer my time to keep go-fuzz operating for a bit longer, such as maybe another 5-6 months.

As to why:

  • Based on my experience so far with cmd/go fuzzing and given what is not yet implemented, I think cmd/go has not yet caught up to go-fuzz in terms of fuzzing effectiveness. A plausible guess is that won't happen until maybe ~mid Go 1.19 dev cycle (including because we are in the 1.18 freeze now).
  • Comparing go-fuzz vs. cmd/go fuzzing has been helpful for me personally, but more importantly, that comparison I think will help cmd/go mature faster, including likely with concrete issues filed against cmd/go that highlight areas where go-fuzz might be doing better.
  • I think go-fuzz is still "mostly working" rather than "mostly broken".
  • I have a personal interest in seeing go-fuzz continue to work with Go 1.17 and 1.18 ;-)

If we were to adopt "not quite yet" for archiving this repo:

  • I think it still makes sense to update the README (to indicate go-fuzz will ultimately be deprecated in favor of cmd/go, and encourage migration with some links to cmd/go fuzzing and gotip, etc.).
  • In terms of new issues that might come in over the next several months, I think I could hit an SLA of 24-48 hours on replying (which is maybe not as fast as Josh ;-)
  • If something is worthy of a fix, a +2 from someone like Josh and/or Dmitry would be valuable of course.
  • That said, hopefully the +2 burden would be very light in practice, including:
    • There might be only ~2-3 total more fixes in the future before deprecating/archiving.
    • There is not much benefit in aggressively fixing corner cases or making invasive changes at this point.

Finally, sorry for the delayed response. (One thing is I wanted to first send PR #330).

thepudds avatar Dec 03 '21 02:12 thepudds

Yes, I think "Archiving' in the github sense is early (and unnecessary, at least at this point). There seems to be agreement on adding some note to the readme to manage expectations. If you want to fix some bugs that's obviously welcome. Thanks.

dvyukov avatar Dec 03 '21 07:12 dvyukov

The go-fuzz is compatible with libfuzzer, which is supported by oss-fuzz.

AFAIK the go 1.18 fuzzer doesn't have support for external fuzzer formats yet which is an issue.

naveensrinivasan avatar Dec 05 '21 18:12 naveensrinivasan

I've been using both go-fuzz and gofuzzbeta, and the results seemed sometimes wildly different, in ways that I mentally bookmarked as reminiscent of https://github.com/golang/go/issues/47090

I plan on continuing to use dvyukov/go-fuzz for a while longer; +1 for "don't officially deprecate just yet, please".

jsoroka avatar Mar 06 '22 21:03 jsoroka

@naveensrinivasan The Go compiler natively supports coverage instrumentation for libfuzzer since 1.14.

elwint avatar Oct 20 '22 07:10 elwint

Please do not deprecate this project. Native go fuzzer does not support coverage collection while fuzzing. Also, as other users have mentioned, it has no support for binary samples, hence no synchronization with other fuzzers and corpus libraries.

fuzzah avatar Jun 05 '23 08:06 fuzzah

@fuzzah Are there feature requests filed for these things for the standard Go fuzzing? It makes sense to do so. Whether we officially mark go-fuzz as deprecated or not does not change the fact that it is already effectively deprecated and not stuffed. Next time it breaks, nobody fixes it.

dvyukov avatar Jun 13 '23 18:06 dvyukov