Introduce fuzz test in this project #4272

Open
2 tasks done
secsys-go opened this issue Sep 21, 2023 · 2 comments
@secsys-go

Checklist

  • I have searched the issue tracker for open issues that relate to the same feature, before opening a new one.
  • This issue only relates to a single feature. I will open new issues for any other features.

Is your feature request related to a problem?

TL;DR

We recommend the adoption of fuzz drivers in this project to continuously enhance its robustness and reliability.

What is Fuzz Testing

Fuzz testing, also known as fuzzing, is a software testing technique that involves providing invalid, unexpected, or random data inputs to a program in order to discover vulnerabilities, bugs, or crashes. The goal of fuzz testing is to uncover errors or security flaws that may not be identified through traditional testing methods. To fuzz fyne, we need to write a driver which carefully invokes fyne's API and passes fuzz data to arguments.

Why We Need Fuzz Testing in fyne

We have written a set of fuzz drivers to test fyne's various APIs. These fuzz drivers have aided fyne in discovering multiple bugs. Most importantly, some of the fuzz drivers found bugs in an old version, and we have since discovered other bugs in the new version of fyne using the same fuzz drivers. This means that these fuzz drivers have the potential to continuously discover new bugs. Here are two cases.

  1. Last year we developed a fuzz driver and used it to successfully discover the bug "Crash parsing invalid file URI" (#3275), which is an OOB bug. Today we fuzzed again using the same driver, and we found another bug, "Crash because of FromJSON" (#4270). We believe our fuzz driver will probably find more bugs in the future, and we want to submit our fuzz driver to the fyne project in order to help fyne find potential bugs.

  2. Similar to (1), we developed another fuzz driver that found the bug "crash in storage.List()" (#3287) last year, and today we successfully used this same driver to discover the bug "Crash because of storage.List" (#4271).

Is it possible to construct a solution with the existing API?

No response

Describe the solution you'd like to see.

We suggest that fyne introduce fuzz tests to continuously enhance its robustness and reliability. We would now like to share our fuzz drivers with fyne. Two possible ways could be considered.

  1. We directly submit a PR to the fyne project.

  2. If the fyne maintainers find it inconvenient to introduce fuzz driver code into the project now, we could also submit a PR to the OSS-Fuzz project, which is widely used to continuously fuzz open source software and is supported by Google. If the fyne maintainers consider this way better, we kindly request support from the maintainers, including helping us review the fuzz driver code and giving us official approval to add fuzz drivers for fyne to the OSS-Fuzz project.
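
The driver pattern described in the issue, as an added example that is not part of the original issue and not fyne's code: `parseBuggy`, `parseFixed`, `drive` and `campaign` are hypothetical names, and the out-of-bounds bug is constructed for illustration rather than taken from #3275. The same driver is replayed against the fixed parser, which is how a kept driver doubles as a regression check.

```go
package main

import (
	"fmt"
	"strings"
)

type parser func(string) (string, error)

// parseBuggy is a constructed stand-in target, not fyne code. Deliberate bug:
// it assumes "//" always follows "file:" and slices out of bounds otherwise.
func parseBuggy(s string) (string, error) {
	if !strings.HasPrefix(s, "file:") {
		return "", fmt.Errorf("unsupported scheme in %q", s)
	}
	return s[len("file:"):][2:], nil
}

// parseFixed (also constructed) checks the whole prefix before slicing.
func parseFixed(s string) (string, error) {
	if !strings.HasPrefix(s, "file://") {
		return "", fmt.Errorf("malformed file URI %q", s)
	}
	return s[len("file://"):], nil
}

// drive is the driver body: returned errors are expected for bad input, only
// a panic is a finding. Under `go test -fuzz` this call sits inside f.Fuzz.
func drive(p parser, in string) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	_, _ = p(in)
	return false
}

// campaign truncates each seed at every length (a deterministic mutator).
func campaign(p parser, seeds []string) (findings []string) {
	for _, seed := range seeds {
		for n := 0; n <= len(seed); n++ {
			if drive(p, seed[:n]) {
				findings = append(findings, seed[:n])
			}
		}
	}
	return findings
}

func main() {
	seeds := []string{"file:///tmp/a.txt", "http://example.com/x"} // constructed
	fmt.Printf("buggy: %q\nfixed: %q\n", campaign(parseBuggy, seeds), campaign(parseFixed, seeds))
}
```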

@junmaqiang

nice, this is a good idea

@Bluebugs
Contributor

I would be interested to see a prototype that uses a GitHub Actions job to run some fuzzing on the develop branch, but not as part of the normal PR flow.
