Slides: https://docs.google.com/presentation/d/1NlTw_n60z9bvqziZqU3H3Jw7Xs5slnQoehYXhEKrzOE
parse_json
function which might crash on some weird input but won’t report invalid json inputs that pass parsing. libFuzzer does coverage guided feedback loop + helps with exploring control flow.Assume()
when continuing is not worse than crashing. Assert()
will crash in production. Assume()
will crash in debug. Throwing all kinds of Assume()
in the code is fine but it slows down production. Place assertions in fuzz target.ProcessMessage()
is 1 giant switch statement for the most part - fuzzing for each individual message is included. libFuzzer is not able to produce valid transactions, blocks, headers due to PoW, signatures, hashes etc.. we could/should mock out validation to enable better fuzzing of net processing.
Boundary testing - not really fuzzing - different technique which is fine to have to new technique to test interactions? You still need to throw wrappers around functions.txrequest
, txorphan
, headerssync
- encapsulate into own modules and test them separately.
We want to fuzz net processing in isolation - by doing more refactoring/mocks. some work already but more fixes needed.FuzzDataProvider
- utility to split fuzz inputs into c++ data structures. For example, if you want to fuzz block processing, use FuzzDataProvider
to parse fuzz inputs into valid blocks.
we could write code for producing valid semantics but too much code on test sideProcessMessage()
module. if only motivation is refactoring maybe we shouldn’t. Fuzzing finds bugs - so important too.ProcessMessage()
to work, they need to be initialised.--generate
option.Community-maintained archive to unlocking knowledge from technical bitcoin transcripts