github.com/badrootd/nibiru-cometbft@v0.37.5-0.20240307173500-2a75559eee9b/test/fuzz/README.md

# fuzz

Fuzzing for various packages in CometBFT using the
[go-fuzz](https://github.com/dvyukov/go-fuzz) library.

Inputs:

- mempool `CheckTx` (using kvstore in-process ABCI app)
- p2p `Addrbook#AddAddress`
- p2p `pex.Reactor#Receive`
- p2p `SecretConnection#Read` and `SecretConnection#Write`
- rpc jsonrpc server

## Directory structure

```
| test
| |- corpus/
| |- crashers/
| |- init-corpus/
| |- suppressions/
| |- testdata/
| |- <testname>.go
```

The `/corpus` directory contains corpus data. The idea is to help the fuzzer
understand which byte sequences are semantically valid (e.g. if we're testing a
PNG decoder, we would put a black-and-white PNG into the corpus directory; for
the blockchain reactor, we would put blockchain messages into the corpus).

`/init-corpus` (if present) contains a script for generating corpus data.

The `/testdata` directory may contain additional data (like `addrbook.json`).

Upon running the fuzzer, the `/crashers` and `/suppressions` dirs will be created,
along with a `<testname>.zip` archive. `/crashers` will show any inputs which have
led to panics (plus a trace). `/suppressions` will show any suppressed inputs.

## Running

```sh
make fuzz-mempool
make fuzz-p2p-addrbook
make fuzz-p2p-pex
make fuzz-p2p-sc
make fuzz-rpc-server
```

Each command will create corpus data (if needed), generate a fuzz archive and
call the `go-fuzz` executable.

Then watch the fuzzer output for the respective messages announcing new
crashers, which can be found in the `crashers` directory.

For example, if we find

```sh
ls crashers/
61bde465f47c93254d64d643c3b2480e0a54666e
61bde465f47c93254d64d643c3b2480e0a54666e.output
61bde465f47c93254d64d643c3b2480e0a54666e.quoted
da39a3ee5e6b4b0d3255bfef95601890afd80709
da39a3ee5e6b4b0d3255bfef95601890afd80709.output
da39a3ee5e6b4b0d3255bfef95601890afd80709.quoted
```

the crashing bytes generated by the fuzzer will be in
`61bde465f47c93254d64d643c3b2480e0a54666e` and the respective crash report in
`61bde465f47c93254d64d643c3b2480e0a54666e.output`,

and the bug report can be created by retrieving the bytes in
`61bde465f47c93254d64d643c3b2480e0a54666e` and feeding those back into the
`Fuzz` function.
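
The step above (read the raw crasher bytes, feed them back into `Fuzz`) is the part worth automating, so that every crasher go-fuzz has ever found becomes a regression check rather than a one-off reproduction. The following is an added example, not code from this repository or from go-fuzz: a hypothetical go-fuzz-shaped `Fuzz` target that decodes a one-byte length-prefixed frame, plus a `ReplayCrashers` helper that walks a `crashers/` directory, skips the `.output` and `.quoted` companions described above, and reports which inputs still panic. The frame format, the function names and the directory argument are all assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// FuzzFunc is the go-fuzz entry-point shape: raw bytes in, and a return of
// 1 (interesting input), 0 (uninteresting) or -1 (keep out of the corpus).
type FuzzFunc func(data []byte) int

// CrasherResult records what happened when one crasher input was replayed.
type CrasherResult struct {
	Name  string // file name, i.e. the SHA-1 go-fuzz gave the input
	Panic string // recovered panic message; empty if the input no longer crashes
	Input []byte
}

// StillCrashes reports whether replaying the input still triggers a panic.
func (r CrasherResult) StillCrashes() bool { return r.Panic != "" }

// decodeFrame is the hypothetical format under test: a 1-byte length followed
// by that many payload bytes. The bounds check is what turns an over-long
// length claim into an error instead of an out-of-range panic.
func decodeFrame(data []byte) ([]byte, error) {
	if len(data) < 1 {
		return nil, errors.New("empty frame")
	}
	n := int(data[0])
	if len(data)-1 < n {
		return nil, fmt.Errorf("frame claims %d payload bytes, have %d", n, len(data)-1)
	}
	return data[1 : 1+n], nil
}

// Fuzz is a hypothetical go-fuzz target (not one of CometBFT's harnesses):
// malformed input is rejected with a 0, well-formed input scores 1, and only a
// real bug in decodeFrame would panic.
func Fuzz(data []byte) int {
	if _, err := decodeFrame(data); err != nil {
		return 0
	}
	return 1
}

// replayOne runs fn on data and converts a panic into a CrasherResult, so one
// bad input does not abort the whole replay.
func replayOne(name string, data []byte, fn FuzzFunc) (res CrasherResult) {
	res = CrasherResult{Name: name, Input: data}
	defer func() {
		if r := recover(); r != nil {
			res.Panic = fmt.Sprint(r)
		}
	}()
	fn(data)
	return res
}

// ReplayCrashers feeds every raw crasher file in dir back into fn. go-fuzz
// names each crasher by the SHA-1 of its bytes and writes two companions next
// to it, <sha1>.output (the panic trace) and <sha1>.quoted (the bytes as a Go
// string literal); those companions are skipped. Results are sorted by name.
func ReplayCrashers(dir string, fn FuzzFunc) ([]CrasherResult, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var results []CrasherResult
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || strings.HasSuffix(name, ".output") || strings.HasSuffix(name, ".quoted") {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return nil, err
		}
		results = append(results, replayOne(name, data, fn))
	}
	sort.Slice(results, func(i, j int) bool { return results[i].Name < results[j].Name })
	return results, nil
}

func main() {
	dir := "crashers" // assumed default; pass another directory as the first argument
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	results, err := ReplayCrashers(dir, Fuzz)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range results {
		if r.StillCrashes() {
			fmt.Printf("%s: still panics: %s\n", r.Name, r.Panic)
		} else {
			fmt.Printf("%s: fixed\n", r.Name)
		}
	}
}
```

Running `go run . crashers` after a fix prints one line per crasher; any input that still panics is a fix that did not cover the case go-fuzz found. Wiring `ReplayCrashers` into a normal `go test` (with `t.Fatal` on any `StillCrashes()` result) keeps the crasher directory working as a permanent regression corpus.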