Continuous fuzzing

Open bookmoons opened this issue 5 years ago • 2 comments

Proposing to integrate with Fuzzit to get some bug discovery running.

This patch writes fuzz to envvars then runs Process() to detect any crashes. A local run has found a corpus of ~100 cases. No crashes so far.

There's a successful build under my Travis account. The PR build will fail due to missing the API key. If it seems interesting, setup is like this:

  • In Fuzzit create target envconfig.
  • In Fuzzit settings grab an API key. In repo settings in Travis paste it to envvar FUZZIT_API_KEY.

Aug 25 '19 05:08 bookmoons
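The harness shape described in the post above (fuzz data written to environment variables, then a Process call), as an added example; it is not the patch from this PR. The `FUZZ_` variable names, the newline-separated input layout, the `Spec` struct and the `process` stand-in are assumptions made so the code runs without the envconfig package.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

type Spec struct { // constructed configuration struct for this example
	Port  int
	Debug bool
}

// process is a hypothetical stand-in for envconfig.Process (keeps the example offline).
func process(s *Spec) (err error) {
	if v, ok := os.LookupEnv("FUZZ_PORT"); ok {
		if s.Port, err = strconv.Atoi(v); err != nil {
			return err
		}
	}
	if v, ok := os.LookupEnv("FUZZ_DEBUG"); ok {
		if s.Debug, err = strconv.ParseBool(v); err != nil {
			return err
		}
	}
	return nil
}

// Fuzz uses the go-fuzz entry point convention: 1 = input parsed (prioritise),
// 0 = input rejected, -1 = keep out of the corpus. A panic is the finding.
func Fuzz(data []byte) int {
	keys := []string{"FUZZ_PORT", "FUZZ_DEBUG"}
	parts := strings.SplitN(string(data), "\n", len(keys))
	for i, k := range keys {
		os.Unsetenv(k) // no value may leak from the previous input
		if i < len(parts) && os.Setenv(k, parts[i]) != nil {
			return -1 // e.g. a NUL byte: the OS rejects it before any parser runs
		}
	}
	if process(&Spec{}) != nil {
		return 0 // a returned error is correct handling, not a bug
	}
	return 1
}

func main() {
	fmt.Println(Fuzz([]byte("8080\ntrue")), Fuzz([]byte("x")), Fuzz([]byte("1\x00")))
}
```

Inputs the operating system refuses to store as environment values never reach the parser, so the harness keeps them out of the corpus instead of counting them as coverage.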

I don’t understand what it is beneficial for. Could you introduce it?

Aug 30 '19 15:08 TonyPythoneer

Thanks for looking at it @TonyPythoneer.

Fuzzing runs the program with a bunch of random input and detects crashes. It finds a lot of bugs. It gives you a way to find bugs automatically before your users run into them.

There's a nice article discussing it.

https://docs.google.com/document/d/1N-12_6YBPpF9o4_Zys_E_ZQndmD06wQVAM_0y9nZUIE/edit

go-fuzz has found 200+ bugs in Go stdlib when it was already mature, written by very experienced developers, and used in production for years. Fuzzing has found 15000+ bugs in Chrome; 1500+ bugs in FFMpeg library; and thousands more ([1], [2], [3], [4], [5]). Generally fuzzing finds bugs in any code it is applied for the first time.

Aug 30 '19 19:08 bookmoons