github.com/DFWallet/tendermint-cosmos@v0.0.2/test/fuzz/README.md

github.com/DFWallet/tendermint-cosmos@v0.0.2/test/fuzz/README.md (about)

     1  # fuzz
     2  
     3  Fuzzing for various packages in Tendermint using [go-fuzz](https://github.com/dvyukov/go-fuzz) library.
     4  
     5  Inputs:
     6  
     7  - mempool `CheckTx` (using kvstore in-process ABCI app)
     8  - p2p `Addrbook#AddAddress`
     9  - p2p `pex.Reactor#Receive`
    10  - p2p `SecretConnection#Read` and `SecretConnection#Write`
    11  - rpc jsonrpc server
    12  
    13  ## Directory structure
    14  
    15  ```
    16  | test
    17  |  |- corpus/
    18  |  |- crashers/
    19  |  |- init-corpus/
    20  |  |- suppressions/
    21  |  |- testdata/
    22  |  |- <testname>.go
    23  ```
    24  
    25  `/corpus` directory contains corpus data. The idea is to help the fuzzier to
    26  understand what bytes sequences are semantically valid (e.g. if we're testing
    27  PNG decoder, then we would put black-white PNG into corpus directory; with
    28  blockchain reactor - we would put blockchain messages into corpus).
    29  
    30  `/init-corpus` (if present) contains a script for generating corpus data.
    31  
    32  `/testdata` directory may contain an additional data (like `addrbook.json`).
    33  
    34  Upon running the fuzzier, `/crashers` and `/suppressions` dirs will be created,
    35  along with <testname>.zip archive. `/crashers` will show any inputs, which have
    36  lead to panics (plus a trace). `/suppressions` will show any suppressed inputs.
    37  
    38  ## Running
    39  
    40  ```sh
    41  make fuzz-mempool
    42  make fuzz-p2p-addrbook
    43  make fuzz-p2p-pex
    44  make fuzz-p2p-sc
    45  make fuzz-rpc-server
    46  ```
    47  
    48  Each command will create corpus data (if needed), generate a fuzz archive and
    49  call `go-fuzz` executable.
    50  
    51  Then watch out for the respective outputs in the fuzzer output to announce new
    52  crashers which can be found in the directory `crashers`.
    53  
    54  For example if we find
    55  
    56  ```sh
    57  ls crashers/
    58  61bde465f47c93254d64d643c3b2480e0a54666e
    59  61bde465f47c93254d64d643c3b2480e0a54666e.output
    60  61bde465f47c93254d64d643c3b2480e0a54666e.quoted
    61  da39a3ee5e6b4b0d3255bfef95601890afd80709
    62  da39a3ee5e6b4b0d3255bfef95601890afd80709.output
    63  da39a3ee5e6b4b0d3255bfef95601890afd80709.quoted
    64  ```
    65  
    66  the crashing bytes generated by the fuzzer will be in
    67  `61bde465f47c93254d64d643c3b2480e0a54666e` the respective crash report in
    68  `61bde465f47c93254d64d643c3b2480e0a54666e.output`
    69  
    70  and the bug report can be created by retrieving the bytes in
    71  `61bde465f47c93254d64d643c3b2480e0a54666e` and feeding those back into the
    72  `Fuzz` function.