Golang - Fuzzing (fuzz testing)

Preface

While digging through the official Go documentation for material on low-level internals, I stumbled onto Fuzzing.
This is something new that I had never seen before; after reading about it I found it quite important.
My company even has a product dedicated to fuzz testing, and I didn't expect the language itself to ship an implementation.
Next time my manager asks whether we need the other department's testing product, I'll reject it outright.

Some of the more advanced customization options are clearer in the official documentation, so I won't cover them here.

What is fuzzing

The Go Fuzzing Overview gives the definition directly:

Fuzzing is a type of automated testing which continuously manipulates inputs to a program to find bugs. Go fuzzing uses coverage guidance to intelligently walk through the code being fuzzed to find and report failures to the user. Since it can reach edge cases which humans often miss, fuzz testing can be particularly valuable for finding security exploits and vulnerabilities.

Roughly speaking, it keeps mutating and testing your inputs, mainly to find edge cases that cause bugs and security vulnerabilities (e.g., SQL injection).

Fuzzing support conditions

OSS-Fuzz

Native Go is supported by OSS-Fuzz.
OSS-Fuzz is Google's open-source fuzzing project (see references [3][4]).
OSS-Fuzz also supports fuzzing other languages.

Go Version

Only supported in Go 1.18 and above.

Fuzzing Rules

Required rules

A fuzz test must be a function named like FuzzXxx, which accepts only a *testing.F, and has no return value.
Fuzz tests must be in *_test.go files to run.
A fuzz target must be a method call to (*testing.F).Fuzz which accepts a *testing.T as the first parameter, followed by the fuzzing arguments. There is no return value.
There must be exactly one fuzz target per fuzz test.
All seed corpus entries must have types which are identical to the fuzzing arguments, in the same order. This is true for calls to (*testing.F).Add and any corpus files in the testdata/fuzz directory of the fuzz test.
The fuzzing arguments can only be the following types:
string, []byte
int, int8, int16, int32/rune, int64
uint, uint8/byte, uint16, uint32, uint64
float32, float64
bool

Recommendations

Fuzz targets should be fast and deterministic so the fuzzing engine can work efficiently, and new failures and code coverage can be easily reproduced.
Since the fuzz target is invoked in parallel across multiple workers and in nondeterministic order, the state of a fuzz target should not persist past the end of each call, and the behavior of a fuzz target should not depend on global state.

How to use fuzzing

There are two modes for running a fuzz test:
There are two modes of running your fuzz test: as a unit test (default go test), or with fuzzing (go test -fuzz=FuzzTestName).
It is up to you to decide how long fuzzing runs; it may well find no errors at all, in which case fuzzing will keep running indefinitely.
Note that it is up to you to decide how long to run fuzzing. It is very possible that an execution of fuzzing could run indefinitely if it doesn’t find any errors.

Fuzzing Insight

Three metrics are reported while fuzzing runs:

elapsed: the amount of time that has elapsed since the process began
execs: the total number of inputs that have been run against the fuzz target (with an average execs/sec since the last log line)
new interesting: the total number of "interesting" inputs that have been added to the generated corpus during this fuzzing execution (with the total size of the entire corpus)

Situations that cause a fuzz test to fail

A panic occurred in the code or the test.
The fuzz target called t.Fail, either directly or through methods such as t.Error or t.Fatal.
A non-recoverable error occurred, such as an os.Exit or stack overflow.
The fuzz target took too long to complete. Currently, the timeout for an execution of a fuzz target is 1 second. This may fail due to a deadlock or infinite loop, or from intended behavior in the code. This is one reason why it is suggested that your fuzz target be fast.

Writing fuzz tests

Run Fuzz Testing Repo: https://github.com/whitefloor/go-fuzz
Reference [2] contains the complete fuzz test code; the key points are:

Run a specific test only: go test -run=FuzzReverse
Run fuzzing: go test -fuzz=Fuzz
Run a specific corpus entry (the hash is reported to you when fuzzing finds a failure): go test -run=FuzzReverse/15bd0ea6a71e1138505c7d1011410810213bf67d2bdd5ac68d160fddb4d176c7
Set how long fuzzing runs: go test -fuzz=Fuzz -fuzztime 30s
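As an added example (not code from this page or from the tutorial repo), here is a fuzz test modelled on the tutorial's FuzzReverse: a rune-based Reverse that rejects invalid UTF-8, the round-trip and UTF-8-validity property the fuzz target checks, and the seed corpus added with f.Add (the seed strings are constructed here).

```go
package main

import (
	"fmt"
	"testing"
	"unicode/utf8"
)

// Reverse reverses a string rune by rune and rejects invalid UTF-8 up front:
// byte-wise reversal of malformed input is the bug the tutorial's fuzzer finds.
func Reverse(s string) (string, error) {
	if !utf8.ValidString(s) {
		return s, fmt.Errorf("input is not valid UTF-8")
	}
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r), nil
}

// CheckReverse is the property checked per fuzz input: reversing twice returns the
// original and the result stays valid UTF-8. It returns an error so unit tests can reuse it.
func CheckReverse(orig string) error {
	rev, err := Reverse(orig)
	if err != nil {
		return nil // rejected input is not a bug, just skip it
	}
	doubleRev, _ := Reverse(rev) // rev is valid UTF-8, so this cannot fail
	if orig != doubleRev {
		return fmt.Errorf("before: %q, after: %q", orig, doubleRev)
	}
	if !utf8.ValidString(rev) {
		return fmt.Errorf("reverse produced invalid UTF-8: %q", rev)
	}
	return nil
}

// FuzzReverse belongs in a *_test.go file; run it with go test -fuzz=FuzzReverse.
func FuzzReverse(f *testing.F) {
	for _, seed := range []string{"Hello, world", " ", "!12345", "世界"} {
		f.Add(seed) // seeds must match the fuzzing argument type (string)
	}
	f.Fuzz(func(t *testing.T, orig string) {
		if err := CheckReverse(orig); err != nil {
			t.Fatal(err)
		}
	})
}
func main() { fmt.Println(CheckReverse("Hello, 世界")) }
```

With a byte-wise Reverse in place of the rune-based one, the fuzzer quickly produces a multi-byte input whose reversal is no longer valid UTF-8, and go test writes that input to testdata/fuzz/FuzzReverse so it is replayed on every later run.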

References

[1] https://go.dev/security/fuzz/
[2] https://go.dev/doc/tutorial/fuzz
[3] https://google.github.io/oss-fuzz/
[4] https://github.com/google/oss-fuzz
