X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=fuzz%2FREADME.md;h=f59418cfd0c776ab79025ef937eb364126c3581e;hb=HEAD;hp=59a4a8f3da2c0cbb740db8b5166276aedded4932;hpb=df18f99b5a8e677a5adee4ef1c7f8b0954bb9d02;p=rust-lightning diff --git a/fuzz/README.md b/fuzz/README.md index 59a4a8f3..f59418cf 100644 --- a/fuzz/README.md +++ b/fuzz/README.md @@ -6,7 +6,9 @@ Fuzz tests generate a ton of random parameter arguments to the program and then Typically, Travis CI will run `travis-fuzz.sh` on one of the environments the automated tests are configured for. This is the most time-consuming component of the continuous integration workflow, so it is recommended that you detect -issues locally, and Travis merely acts as a sanity check. +issues locally, and Travis merely acts as a sanity check. Fuzzing is further only effective with +a lot of CPU time, indicating that if crash scenarios are discovered on Travis with its low +runtime constraints, the crash is caused relatively easily. ## How do I run fuzz tests locally? @@ -18,10 +20,8 @@ should be more than sufficient. To install `honggfuzz`, simply run ```shell -cargo install honggfuzz --force - -export HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" -cargo hfuzz build +cargo update +cargo install --force honggfuzz ``` ### Execution @@ -30,12 +30,19 @@ To run the Hongg fuzzer, do ```shell export CPU_COUNT=1 # replace as needed +export HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" export HFUZZ_RUN_ARGS="-n $CPU_COUNT --exit_upon_crash" -export TARGET="" # replace with the target to be fuzzed +export TARGET="msg_ping_target" # replace with the target to be fuzzed cargo hfuzz run $TARGET ``` +To see a list of available fuzzing targets, run: + +```shell +ls ./src/bin/ +``` + ## A fuzz test failed on Travis, what do I do? You're trying to create a PR, but need to find the underlying cause of that pesky fuzz failure blocking the merge? 
@@ -50,6 +57,7 @@ Seen a crash. Terminating all fuzzing threads … # a lot of lines in between +<0x0000555555565559> [func:UNKNOWN file: line:0 module:/home/travis/build/rust-bitcoin/rust-lightning/fuzz/hfuzz_target/x86_64-unknown-linux-gnu/release/full_stack_target] <0x0000000000000000> [func:UNKNOWN file: line:0 module:UNKNOWN] ===================================================================== 2d3136383734090101010101010101010101010101010101010101010101 @@ -58,16 +66,21 @@ Seen a crash. Terminating all fuzzing threads The command "if [ "$(rustup show | grep default | grep stable)" != "" ]; then cd fuzz && cargo test --verbose && ./travis-fuzz.sh; fi" exited with 1. ``` -Simply copy the hex, and run the following from the `fuzz` directory: +Note that the penultimate stack trace line ends in `release/full_stack_target]`. That indicates that +the failing target was `full_stack`. To reproduce the error locally, simply copy the hex, +and run the following from the `fuzz` directory: ```shell +export TARGET="full_stack" # adjust for your output export HEX="2d3136383734090101010101010101010101010101010101010101010101\ 010101010100040101010101010101010101010103010101010100010101\ 0069d07c319a4961" # adjust for your output -echo $HEX | xxd -r -p > ./test_cases/full_stack/your_test_case_name + +mkdir -p ./test_cases/$TARGET +echo $HEX | xxd -r -p > ./test_cases/$TARGET/any_filename_works export RUST_BACKTRACE=1 cargo test ``` -This will reproduce the failing fuzz input and yield a usable stack trace. \ No newline at end of file +This will reproduce the failing fuzz input and yield a usable stack trace.
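Review bot: The sentence added in the first hunk ("Fuzzing is further only effective with a lot of CPU time, indicating that ... the crash is caused relatively easily") is hard to parse and states its conclusion backwards. Suggest rewording along the lines of: "Fuzzing is only effective with a lot of CPU time, so a crash that Travis finds within its short run budget is one that is reached easily and should reproduce quickly locally." That keeps the point (shallow bug, reproduce locally first) and drops the "further" / "indicating that" construction.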
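Review bot: In the install hunk, `cargo update` has nothing to do with installing `honggfuzz`; run from the `fuzz` directory it rewrites `Cargo.lock` and pulls in newer dependency versions than the ones CI builds against. If it is needed (for example because a stale lockfile does not build with a freshly installed `cargo-hfuzz`), the README should say so; otherwise drop it. Separately, `cargo install --force honggfuzz` installs whatever the latest crate version is, while the fuzz crate depends on the `honggfuzz` library via `--features honggfuzz_fuzz`; consider pinning the `cargo install` to the version used in `Cargo.toml` so the subcommand and the library match.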
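Review bot: In the execution hunk, `ls ./src/bin/` lists source files, so the reader sees `msg_ping_target.rs` but must pass the name without the extension as `$TARGET` (`export TARGET="msg_ping_target"`). Either say that the `.rs` suffix is dropped, or list the names directly, e.g. `ls ./src/bin/ | sed 's/\.rs$//'`.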
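Review bot: The trace line added in the fourth hunk shows `func:UNKNOWN file: line:0`, i.e. the release fuzz binary carries no usable symbols, which is the reason the rest of the section reproduces the input under `cargo test` to get a real backtrace. A half sentence saying so next to the sample output would tell the reader why the module path, and not the function name, is the only thing worth reading from it.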
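Review bot: In the last hunk, `TARGET` now means two different things: in the execution section it is the binary name (`msg_ping_target`), here it is the `test_cases` directory name (`full_stack`), which is the binary name from the trace (`release/full_stack_target`) with its `_target` suffix removed. A reader who copies the binary name from the trace ends up with `./test_cases/full_stack_target/`, which is not the directory the original instructions used. Suggest stating the mapping explicitly, e.g. `export TARGET="full_stack"  # binary name minus the _target suffix`, or using a different variable name for the directory. Also, "the penultimate stack trace line" ties the instructions to the position of the `<0x0000000000000000>` frame; identifying the line as the one whose module path ends in `release/<name>_target` is more robust.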