<!doctype html> <html class="writer-html5" lang="en" data-content_root="../../"> <head> <base href="https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html"> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Fuzzing — Firefox Source Docs documentation</title> <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50"> <link rel="stylesheet" type="text/css" href="../../_static/css/theme.css?v=19f00094"> <link rel="stylesheet" type="text/css" href="../../_static/graphviz.css?v=fd3f3429"> <link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b"> <link rel="stylesheet" type="text/css" href="../../_static/custom_theme.css?v=a7d3e023"> <link rel="stylesheet" type="text/css" href="../../_static/design-style.1e8bd061cd6da7fc9cf755528e8ffc24.min.css?v=0a3b3ea7"> <link rel="shortcut icon" href="../../_static/firefox.ico"><!--[if lt IE 9]> <script src="../../_static/js/html5shiv.min.js"></script> <![endif]--> <script src="../../_static/jquery.js?v=5d32c60e"></script> <script src="../../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script> <script src="../../_static/documentation_options.js?v=5929fcd5"></script> <script src="../../_static/doctools.js?v=9a2dae69"></script> <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script> <script src="../../_static/clipboard.min.js?v=a7894cd8"></script> <script src="../../_static/copybutton.js?v=30646c52"></script> <script src="../../_static/design-tabs.js?v=36754332"></script> <script src="../../_static/js/theme.js"></script> <link rel="index" title="Index" href="../../genindex.html"> <link rel="search" title="Search" href="../../search.html"> <link rel="next" title="Fuzzing Interface" href="fuzzing_interface.html"> <link rel="prev" title="GTest" href="../../gtest/index.html"> <meta http-equiv="X-Translated-By" content="Google"> 
</head> <body class="wy-body-for-nav"> <div class="wy-grid-for-nav"> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> <nav class="wy-nav-top" aria-label="Mobile navigation menu"><i data-toggle="wy-nav-top" class="fa 
fa-bars"></i> <a href="../../index.html">Firefox Source Docs</a> </nav> <div class="wy-nav-content"> <div class="rst-content"><!-- This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this file, - You can obtain one at http://mozilla.org/MPL/2.0/. --> <div role="main" class="document" itemscope itemtype="http://schema.org/Article"> <div itemprop="articleBody"> <section id="fuzzing"> <h1>Fuzzing<a class="headerlink" href="#fuzzing" title="Link to this heading">¶</a></h1> <div class="toctree-wrapper compound"> </div> <p>This section focuses on explaining the software testing technique called “Fuzzing” or “Fuzz Testing” and its application to the 
Mozilla codebase. The overall goal is to educate developers about the capabilities and usefulness of fuzzing and to enable them to write their own fuzzing targets. Note that not all fuzzing tools used at Mozilla are open source. Some tools are for internal use only because they can easily find critical security vulnerabilities.</p> <section id="what-is-fuzzing"> <h2>What is Fuzzing?<a class="headerlink" href="#what-is-fuzzing" title="Link to this heading">¶</a></h2> <p>Fuzzing (or Fuzz Testing) is a technique that exercises a program, or parts of it, in random ways with the goal of uncovering bugs. Random usage can take a wide variety of forms; a few common ones are</p> <ul class="simple"> <li><p>random input data (e.g. file formats, network data, source code, etc.)</p></li> <li><p>random API usage</p></li> <li><p>random UI interaction</p></li> </ul> <p>with the first two being the most practical methods used in the field. Of course, these methods are not entirely separate, and combinations are possible. Fuzzing is a great way to find quality issues, some of which are also security issues.</p> <section id="random-input-data"> <h3>Random input data<a class="headerlink" href="#random-input-data" title="Link to this heading">¶</a></h3> <p>This is probably the most obvious fuzzing method: you have code that processes data, and you provide it with random or mutated data, hoping to uncover bugs in your implementation. Examples are media formats like JPEG or H.264, but basically anything that involves processing a “blob” of data can be a valuable target. 
Countless security vulnerabilities in a variety of libraries and programs have been found using this method (the AFLFuzz <a class="reference external" href="http://lcamtuf.coredump.cx/afl/#bugs">bug-o-rama</a> gives a good impression).</p> <p>Common tools for this task include <a class="reference external" href="https://llvm.org/docs/LibFuzzer.html">libFuzzer</a> and <a class="reference external" href="http://lcamtuf.coredump.cx/afl/">AFLFuzz</a>, but also specialized tools with custom logic such as <a class="reference external" href="https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final73.pdf">LangFuzz</a> and <a class="reference external" href="https://github.com/MozillaSecurity/avalanche">Avalanche</a>.</p> </section> <section id="random-api-usage"> <h3>Random API Usage<a class="headerlink" href="#random-api-usage" title="Link to this heading">¶</a></h3> <p>Randomly testing APIs is especially helpful for parts of the software that expose a well-defined interface (see also <a class="reference internal" href="#well-defined-behaviour-and-safety"><span class="std std-ref">Well-defined behavior and Safety</span></a>). If that interface is additionally exposed to untrusted parties or content, that is a strong sign that random API testing is worthwhile, also for security reasons. 
APIs can be anything from C++ layer code to APIs offered in the browser.</p> <p>A good example of a fuzzing target here is the DOM (Document Object Model) and the various other browser APIs. The browser exposes a variety of APIs for working with documents, media, communication, storage, etc., with growing complexity. Each of these APIs has potential bugs that can be uncovered with fuzzing. At Mozilla, we currently use domino (an internal tool) for this purpose.</p> </section> <section id="random-ui-interaction"> <h3>Random UI Interaction<a class="headerlink" href="#random-ui-interaction" title="Link to this heading">¶</a></h3> <p>A third way to test programs, and in particular user interfaces, is to interact with the UI directly in a random way, typically in combination with other actions the program has to perform. Imagine, for example, an automated browser that surfs through the web and randomly performs actions such as scrolling, zooming and clicking links. The nice thing about this approach is that you are likely to find many issues that end users also experience. However, it typically suffers from poor reproducibility (see also <a class="reference internal" href="#reproducibility"><span class="std std-ref">Reproducibility</span></a>) and is therefore often of limited use.</p> <p>An example of a fuzzing tool using this technique is <a class="reference external" href="https://developer.android.com/studio/test/monkey">Android Monkey</a>. 
At Mozilla, however, we currently don’t make much use of this approach.</p> </section> </section> <section id="why-fuzzing-helps-you"> <h2>Why Fuzzing Helps You<a class="headerlink" href="#why-fuzzing-helps-you" title="Link to this heading">¶</a></h2> <p>Understanding the value of fuzzing for you as a developer, and for software quality in general, is important to justify the support this testing method might need from you. When your component is fuzzed for the first time, there are two common things you will be confronted with:</p> <p><strong>Bug reports that don’t seem to be real bugs, or not important ones:</strong> Fuzzers find all sorts of bugs in various corners of your component, even obscure ones. This automatically leads to a larger number of bugs that either don’t seem to be bugs (see also the <a class="reference internal" href="#well-defined-behaviour-and-safety"><span class="std std-ref">Well-defined behavior and safety</span></a> section below) or that don’t seem to be important.</p> <p>Fixing these bugs is still important for the fuzzers, because ignoring them in fuzzing costs resources (performance, human time) and might even prevent the fuzzer from hitting other bugs. For example, certain fuzzing tools like libFuzzer run in-process and have to restart on every crash, which involves a costly re-read of the fuzzing samples.</p> <p>Also, as some of our code evolves quickly, a corner case might become a hot code path in a few months.</p> <p><strong>New steps to reproduce:</strong> Fuzzing tools are very likely to exercise your component using different methods than an average end user. A common technique is to modify existing parts of a program or to write entirely new code to yield a fuzzing “target”. 
This target is specifically designed to work with the fuzzing tools in use. Reproducing the reported bugs might require you to learn these new steps to reproduce, including building or acquiring that target and having the right environment.</p> <p>Both of these issues might seem like a waste of time in some cases. However, it is paramount to realize that both steps are a one-time investment that pays off with a constant stream of valuable bug reports. Helping your security engineers overcome these issues will ensure that future regressions in your code are detected at an earlier stage and in a form that is more easily actionable. Especially if you are already dealing with regressions in your code, fuzzing has the potential to make your job as a developer easier.</p> <p>One of the best examples at Mozilla is the JavaScript engine. The JS team has put quite some effort into getting fuzzing started and supporting our work. Here’s what Jan de Mooij, a senior platform engineer for the JavaScript engine, has to say about it:</p> <p><em>“Bugs in the engine can cause mysterious browser crashes and bugs that are incredibly hard to track down. Fortunately, we don’t have to deal with these time consuming browser issues very often: usually the fuzzers find a reliable shell test long before the bug makes it into a release. Fuzzing is invaluable to us and I cannot imagine working on this project without it.”</em></p> </section> <section id="levels-of-fuzzing-in-firefox-gecko"> <h2>Levels of Fuzzing in Firefox/Gecko<a class="headerlink" href="#levels-of-fuzzing-in-firefox-gecko" title="Link to this heading">¶</a></h2> <p>Applying fuzzing to e.g. 
Firefox happens at different “levels”, similar to the different types of automated tests we have:</p> <section id="full-browser-fuzzing"> <h3>Full Browser Fuzzing<a class="headerlink" href="#full-browser-fuzzing" title="Link to this heading">¶</a></h3> <p>The most obvious method of testing would be to test the full browser, and doing so is required for certain features like the DOM and other APIs. The advantage here is that all the features of the browser are available and testing happens close to what we actually ship. The downside is that browser testing is by far the slowest of all testing methods. In addition, it involves the most non-determinism (resulting, e.g., in intermittent testcases). Browser fuzzing at Mozilla is largely done with the <a class="reference external" href="https://blog.mozilla.org/security/2019/07/10/grizzly/">Grizzly framework</a> (<a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=grizzly">meta bug</a>), and one of the most successful fuzzers is the Domino tool (<a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=domino">meta bug</a>).</p> <p>In summary, full browser fuzzing is the right technique to investigate if your feature really requires it. 
Consider using the other methods described below if your code can be exercised that way.</p> </section> <section id="the-fuzzing-interface"> <h3>The Fuzzing Interface<a class="headerlink" href="#the-fuzzing-interface" title="Link to this heading">¶</a></h3> <p>The fuzzing interface is glue code living in mozilla-central that makes it easier for developers and security researchers to test C/C++ code with either libFuzzer or afl-fuzz.</p> <p>This interface offers a gtest-level (C++ unit test), component-based fuzzing approach and is suitable for anything that could also be tested or exercised using a gtest. This method is by far the fastest, but it is usually limited to testing isolated components that can be instantiated on this level. Utilizing this method requires you to write a fuzzing target, similar to writing a gtest. This target will automatically be usable with libFuzzer and AFLFuzz. 
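</p>
<p>As an added example, not code from mozilla-central, here is a small libFuzzer-style target of the shape such a gtest-level target takes: a parser that consumes a byte buffer from memory, an initialisation hook, and a per-input run function. The record format, the parser and the <code class="docutils literal notranslate"><span class="pre">gSkipChecksum</span></code> switch are all constructed for this example. The switch is the kind of fuzzing-mode toggle the Supporting Code section of this page describes for checksums: with it off, a mutation-based fuzzer would almost never get past the checksum check and the record parser would go untested. The round-trip check in the run function is a defect oracle of the kind the Defect Oracles section describes; it catches wrong parses that do not crash. Built with <code class="docutils literal notranslate"><span class="pre">clang++ -fsanitize=fuzzer,address</span></code>, libFuzzer supplies <code class="docutils literal notranslate"><span class="pre">main</span></code> and calls the two entry points; under the Fuzzing Interface the same run function is registered with the interface's macros, as described in the manual linked in this section.</p>

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// Record format constructed for this example (not a Mozilla format):
//   byte 0        version, must be 1
//   byte 1        record count n
//   n times       tag (1 byte) | len (1 byte) | value (len bytes)
//   last 2 bytes  checksum: sum of all preceding bytes mod 65536, little-endian
struct Record {
  uint8_t tag;
  std::vector<uint8_t> value;
};

// Assumed fuzzing switch: when set, the checksum is not validated, so mutated
// inputs reach the record parser instead of being rejected at the door.
// It must stay off in production builds.
static bool gSkipChecksum = false;

static uint16_t Checksum(const uint8_t* data, size_t len) {
  uint32_t sum = 0;
  for (size_t i = 0; i < len; ++i) sum += data[i];
  return static_cast<uint16_t>(sum & 0xffff);
}

// Parses one message. Returns false on any malformed input and never reads
// outside [data, data + len): every length is checked before it is used.
bool ParseMessage(const uint8_t* data, size_t len, std::vector<Record>& out) {
  if (len < 4 || data[0] != 1) return false;
  size_t body = len - 2;  // everything before the trailing checksum
  uint16_t stored = static_cast<uint16_t>(data[body] | (data[body + 1] << 8));
  if (!gSkipChecksum && stored != Checksum(data, body)) return false;
  uint8_t n = data[1];
  size_t pos = 2;
  for (uint8_t i = 0; i < n; ++i) {
    if (body - pos < 2) return false;  // need tag + len
    uint8_t tag = data[pos];
    uint8_t vlen = data[pos + 1];
    pos += 2;
    if (body - pos < static_cast<size_t>(vlen)) return false;  // value would run past the body
    out.push_back({tag, std::vector<uint8_t>(data + pos, data + pos + vlen)});
    pos += vlen;
  }
  return pos == body;  // stray bytes between the last record and the checksum are an error
}

// Builds a well-formed message with a correct checksum; handy for a seed corpus.
std::vector<uint8_t> BuildMessage(const std::vector<Record>& records) {
  std::vector<uint8_t> m = {1, static_cast<uint8_t>(records.size())};
  for (const Record& r : records) {
    m.push_back(r.tag);
    m.push_back(static_cast<uint8_t>(r.value.size()));
    m.insert(m.end(), r.value.begin(), r.value.end());
  }
  uint16_t c = Checksum(m.data(), m.size());
  m.push_back(static_cast<uint8_t>(c & 0xff));
  m.push_back(static_cast<uint8_t>(c >> 8));
  return m;
}

// Helpers for exercising the parser outside the fuzzer: the record count, or -1
// if the message was rejected, and a copy of a message with one byte overwritten.
int RecordCount(const std::vector<uint8_t>& msg, bool skipChecksum = false) {
  bool saved = gSkipChecksum;
  gSkipChecksum = skipChecksum;
  std::vector<Record> records;
  bool ok = ParseMessage(msg.data(), msg.size(), records);
  gSkipChecksum = saved;
  return ok ? static_cast<int>(records.size()) : -1;
}
std::vector<uint8_t> Corrupt(std::vector<uint8_t> msg, size_t index, uint8_t byte) {
  msg.at(index) = byte;
  return msg;
}

// libFuzzer initialisation hook: turn the fuzzing switch on for the whole run.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  (void)argc;
  (void)argv;
  gSkipChecksum = true;
  return 0;
}

// libFuzzer entry point, called once per generated input. Besides the memory
// errors ASan would report, a round-trip oracle catches silent parser bugs:
// a message the parser accepts must rebuild to the same bytes (checksum
// excluded, since the switch lets bad checksums through).
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<Record> records;
  if (ParseMessage(data, size, records)) {
    std::vector<uint8_t> rebuilt = BuildMessage(records);
    if (rebuilt.size() != size || memcmp(rebuilt.data(), data, size - 2) != 0) abort();
  }
  return 0;
}
```

<p>Two things carry over to a real target: the parser takes a pointer and a length rather than a file or a socket, so the fuzzer never pays for I/O, and a seed corpus built with <code class="docutils literal notranslate"><span class="pre">BuildMessage</span></code> gives the mutator valid structure to start from. With the switch on, a message whose length field points past the buffer is still rejected, by the bounds check rather than by the checksum; that bounds check is the code the fuzzer is there to test.</p>
<p>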
We offer a <a class="reference internal" href="fuzzing_interface.html#fuzzing-interface"><span class="std std-ref">comprehensive manual</span></a> that describes how to write and use your own target.</p> <p>A simple example here is the <a class="reference external" href="https://searchfox.org/mozilla-central/rev/efdf9bb55789ea782ae3a431bda6be74a87b041e/media/webrtc/signaling/fuzztest/sdp_parser_libfuzz.cpp#30">SDP parser target</a>, which tests the SipccSdpParser in our codebase.</p> </section> <section id="shell-based-fuzzing"> <h3>Shell-based Fuzzing<a class="headerlink" href="#shell-based-fuzzing" title="Link to this heading">¶</a></h3> <p>Some of our fuzzing, e.g. JS engine testing, happens in a separate shell program. For JS, this is the JS shell that is also used for most of the JS tests and development. 
In theory, xpcshell could also be used for testing, but so far there has not been a use case for this (most things that can be reached through xpcshell can also be tested on the gtest level).</p> <p>Identifying the right level of fuzzing is the first step towards continuous fuzz testing of your code.</p> </section> </section> <section id="code-process-requirements-for-fuzzing"> <h2>Code/Process Requirements for Fuzzing<a class="headerlink" href="#code-process-requirements-for-fuzzing" title="Link to this heading">¶</a></h2> <p>In this section, we discuss how code should be written in order to yield optimal results with fuzzing.</p> <section id="defect-oracles"> <h3>Defect Oracles<a class="headerlink" href="#defect-oracles" title="Link to this heading">¶</a></h3> <p>Fuzzing is only effective if you are able to tell when a problem has been found. Crashes are typically problems if the unit being tested is safe for fuzzing (see <a class="reference internal" href="#well-defined-behaviour-and-safety"><span class="std std-ref">Well-defined behavior and Safety</span></a>). But there are many more problems that you would want to find: correctness issues, memory corruption that doesn’t necessarily crash, etc. For this, you need an <em>oracle</em> that tells you something is wrong.</p> <p>The simplest defect oracle is the assertion (e.g. <code class="docutils literal notranslate"><span class="pre">MOZ_ASSERT</span></code>). Assertions are a very powerful instrument because they can be used to determine whether your program is performing correctly, even if the bug would not lead to any sort of crash. 
They can encode arbitrarily complex information about what is considered correct, information that might otherwise only exist in the developers’ minds.</p> <p>External tools like the sanitizers (AddressSanitizer aka ASan, ThreadSanitizer aka TSan, MemorySanitizer aka MSan and UndefinedBehaviorSanitizer aka UBSan) can also serve as oracles for issues, some of them severe, that would not necessarily crash on their own, such as a heap out-of-bounds read or a data race. Making sure that these tools can be used on your code is highly useful.</p> <p>Examples of bugs found with sanitizers are <a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1419608">bug 1419608</a>, <a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1580288">bug 1580288</a> and <a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=922603">bug 922603</a>; since we started using sanitizers, we have found over 1000 bugs with these tools.</p> <p>Another defect oracle can be a reference implementation. Comparing program behavior (typically output) between two programs, or two modes of the same program, that should produce the same outputs can find complex correctness issues. This method is often called differential testing.</p> <p>One place where this is regularly used to find issues is the Mozilla JavaScript engine: running random programs with and without JIT compilation enabled finds lots of problems in the JIT implementation. 
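</p>
<p>An added example, not SpiderMonkey code, of the differential oracle just described, in miniature: two evaluation modes for a constructed expression language (digits, <code class="docutils literal notranslate"><span class="pre">+</span></code>, <code class="docutils literal notranslate"><span class="pre">*</span></code>, arithmetic modulo 2<sup>32</sup>) that must agree on every input, including which inputs they reject. <code class="docutils literal notranslate"><span class="pre">reference::Eval</span></code> is the straightforward recursive-descent interpreter; <code class="docutils literal notranslate"><span class="pre">optimized::Eval</span></code> is an independently written shunting-yard evaluator standing in for the JIT tier. The language and all names are assumptions for this example. The fuzz target has no notion of the correct answer, only that the two modes must match, which is what lets it find wrong-result bugs that never crash.</p>

```cpp
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>
#include <vector>

// Constructed expression language for this example: expr := term ('+' term)*,
// term := num ('*' num)*, num := digit+. Unsigned arithmetic wraps modulo 2^32,
// so every accepted input has exactly one well-defined answer.

// Mode A: reference recursive-descent evaluator, written for clarity, not speed.
namespace reference {
struct Parser {
  const uint8_t* p;
  const uint8_t* end;
  bool Digit() const { return p != end && *p >= '0' && *p <= '9'; }
  std::optional<uint32_t> Number() {
    if (!Digit()) return std::nullopt;
    uint32_t v = 0;
    while (Digit()) v = v * 10 + static_cast<uint32_t>(*p++ - '0');
    return v;
  }
  std::optional<uint32_t> Term() {
    std::optional<uint32_t> v = Number();
    while (v && p != end && *p == '*') {
      ++p;
      std::optional<uint32_t> r = Number();
      if (!r) return std::nullopt;
      *v *= *r;
    }
    return v;
  }
  std::optional<uint32_t> Expr() {
    std::optional<uint32_t> v = Term();
    while (v && p != end && *p == '+') {
      ++p;
      std::optional<uint32_t> r = Term();
      if (!r) return std::nullopt;
      *v += *r;
    }
    return v;
  }
};
std::optional<uint32_t> Eval(const uint8_t* data, size_t len) {
  Parser ps{data, data + len};
  std::optional<uint32_t> v = ps.Expr();
  if (!v || ps.p != ps.end) return std::nullopt;  // trailing garbage is a syntax error
  return v;
}
}  // namespace reference

// Mode B: the "optimized" path, a shunting-yard evaluator with an explicit
// operand stack. Independent code, same contract; it plays the role of the JIT tier.
namespace optimized {
std::optional<uint32_t> Eval(const uint8_t* data, size_t len) {
  std::vector<uint32_t> vals;
  std::vector<uint8_t> ops;
  auto apply = [&]() {
    uint32_t b = vals.back(); vals.pop_back();
    uint32_t a = vals.back(); vals.pop_back();
    uint8_t op = ops.back(); ops.pop_back();
    vals.push_back(op == '+' ? a + b : a * b);
  };
  bool expectNumber = true;
  size_t i = 0;
  while (i < len) {
    uint8_t c = data[i];
    if (c >= '0' && c <= '9') {
      if (!expectNumber) return std::nullopt;  // two numbers in a row
      uint32_t v = 0;
      while (i < len && data[i] >= '0' && data[i] <= '9') v = v * 10 + static_cast<uint32_t>(data[i++] - '0');
      vals.push_back(v);
      expectNumber = false;
    } else if (c == '+' || c == '*') {
      if (expectNumber) return std::nullopt;  // operator without a left operand
      // '*' binds tighter than '+'; both are left-associative.
      while (!ops.empty() && (ops.back() == '*' || c == '+')) apply();
      ops.push_back(c);
      expectNumber = true;
      ++i;
    } else {
      return std::nullopt;  // any other byte is a syntax error
    }
  }
  if (expectNumber) return std::nullopt;  // empty input or trailing operator
  while (!ops.empty()) apply();
  return vals.back();
}
}  // namespace optimized

// The oracle: no expected value is needed, only agreement between the two modes,
// which covers both the computed result and the accept/reject decision.
bool ModesAgree(const uint8_t* data, size_t len) {
  return reference::Eval(data, len) == optimized::Eval(data, len);
}
bool ModesAgree(const std::string& s) {
  return ModesAgree(reinterpret_cast<const uint8_t*>(s.data()), s.size());
}
std::optional<uint32_t> ReferenceEval(const std::string& s) {
  return reference::Eval(reinterpret_cast<const uint8_t*>(s.data()), s.size());
}

// libFuzzer entry point: a disagreement is a bug, so abort() hands the fuzzer a
// crash it can record and minimise, exactly as a failed assertion would.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (!ModesAgree(data, size)) abort();
  return 0;
}
```

<p>The comparison includes the rejection decision on purpose: two modes that disagree about whether an input is even valid are as much of a finding as two that compute different numbers, and such disagreements are exactly what a fuzzer is good at producing.</p>
<p>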
One example of a bug found this way is <a class="reference external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1404636">Bug 1404636</a>.</p> </section> <section id="component-decoupling"> <h3>Component Decoupling<a class="headerlink" href="#component-decoupling" title="Link to this heading">¶</a></h3> <p>Being able to test components in isolation is an advantage for fuzzing (both for performance and for reproducibility). Clear boundaries between different components, and documentation that explains their contracts, usually help with this goal. Sometimes it is useful to mock a component that the target component interacts with, and that is much harder if the components are tightly coupled and their contracts unclear. Of course, this does not mean that one should only test components in isolation. Sometimes testing the interaction between them is even desirable and does not hurt performance at all.</p> </section> <section id="avoiding-external-i-o"> <h3>Avoiding external I/O<a class="headerlink" href="#avoiding-external-i-o" title="Link to this heading">¶</a></h3> <p>External I/O like network or file interactions is bad for performance and can introduce additional non-determinism. 
Providing interfaces that process data directly from memory instead is usually much more helpful.</p> </section> <section id="well-defined-behavior-and-safety"><span id="well-defined-behaviour-and-safety"></span> <h3>Well-defined Behavior and Safety<a class="headerlink" href="#well-defined-behavior-and-safety" title="Link to this heading">¶</a></h3> <p>This requirement picks up where defect oracles left off and is one of the most important problems seen in the wild with fuzzing today. If part of your program’s behavior is unspecified, this leads to trouble when fuzzing treats that behavior as a defect. For example, if your code has crashes that are not considered bugs, then your code might be unsuitable for fuzzing. Your component should be fuzzing safe, meaning that any defect oracle (e.g. an assertion or a crash) triggered by the fuzzer is considered a bug. This important aspect is often neglected. Be aware that every false positive causes both performance degradation and additional manual work for your fuzzing team. The Mozilla JS developers, for example, have implemented this concept in a <code class="docutils literal notranslate"><span class="pre">--fuzzing-safe</span></code> switch for the JS shell which disables harmful functions. Sometimes, crashes cannot be avoided for handling certain error conditions. In such situations, it is important to mark these crashes in a way the fuzzer can recognize and distinguish from undesired crashes. However, keep in mind that crashes in general are disruptive to the fuzzing process. 
Performance is an important aspect of fuzzing, and frequent crashes can severely degrade performance.</p> </section> <section id="reproducibility"><span id="id1"></span> <h3>Reproducibility<a class="headerlink" href="#reproducibility" title="Link to this heading">¶</a></h3> <p>Being able to reproduce issues found with fuzzing is necessary for several reasons. First, you as the developer probably want a test that reproduces the issue so you can debug it better. Our feedback from most developers is that traces without a reproducible test can help to find a problem, but they make the whole process very complicated; some of these non-reproducible bugs never get fixed. Second, having a reproducible test also helps the triage process by allowing an automated bisection to find the responsible developer. Last but not least, the test can be added to a test suite, used for automated verification of fixes, and even serve as a basis for more fuzzing.</p> <p>Adding functionality to the program that improves reproducibility is therefore a good idea in case non-reproducible issues are found. Some examples are shown in the next section.</p> <p>While many problems with reproducibility are specific to the project you are working on, there is one source of these problems that many programs have in common: threading. While some bugs only occur in the first place due to concurrency, other bugs would be perfectly reproducible without threads but are intermittent and hard to reproduce with threading enabled. If the bug is indeed caused by a data race, then tools like ThreadSanitizer will help, and we are currently working on making ThreadSanitizer usable on Firefox. 
For bugs that are not caused by threading, it sometimes makes sense to be able to disable threading or limit the number of worker threads involved.</p> </section> <section id="supporting-code"> <h3>Supporting Code<a class="headerlink" href="#supporting-code" title="Link to this heading">¶</a></h3> <p>Some possibilities of what support implementations for fuzzing can do have already been named in the previous sections: additional defect oracles and functionality to improve reproducibility and safety. In fact, many features added specifically for fuzzing fit into one of these categories. However, there is room for more: often there are ways to make it easier for fuzzers to exercise complex and hard-to-reach parts of your code. For example, if a certain optimization feature is only turned on under very specific conditions (that are not a requirement for the optimization), then it makes sense to add functionality to force it on. A fuzzer can then hit the optimization code much more frequently, increasing the chance of finding issues. Some examples from Firefox and SpiderMonkey:</p> <ul class="simple"> <li><p>The <a class="reference external" href="https://searchfox.org/mozilla-central/rev/efdf9bb55789ea782ae3a431bda6be74a87b041e/dom/webidl/FuzzingFunctions.webidl#15">FuzzingFunctions</a> interface in the browser allows fuzzing tools to perform GC/CC, tune various settings related to garbage collection, or enable features like accessibility mode. 
Being able to force a garbage collection at a specific time has helped identify lots of problems in the past.</p></li> <li><p>The <code class="docutils literal notranslate"><span class="pre">--ion-eager</span></code> and <code class="docutils literal notranslate"><span class="pre">--baseline-eager</span></code> flags for the JS shell force JIT compilation at various stages, rather than using the built-in heuristic to enable it only for hot functions.</p></li> <li><p>The <code class="docutils literal notranslate"><span class="pre">--no-threads</span></code> flag disables all threading (where possible) in the JS shell. This makes some bugs reproduce deterministically that would otherwise be intermittent and harder to find. However, some bugs that only occur with threading can’t be found with this option enabled.</p></li> </ul> <p>Another feature that must be turned off for fuzzing is checksum validation. Many file formats use checksums to validate a file before processing it. If a checksum check is still enabled, fuzzers are unlikely ever to produce valid files, since a mutated input almost never carries the matching checksum. The same often holds for cryptographic signatures. Being able to turn off the validation of these features as part of a fuzzing switch is extremely helpful.</p> <p>An example of such a checksum can be found in the <a class="reference external" href="https://searchfox.org/mozilla-central/rev/efdf9bb55789ea782ae3a431bda6be74a87b041e/dom/media/flac/FlacDemuxer.cpp#494">FlacDemuxer</a>.</p> </section> <section id="test-samples"> <h3>Test Samples<a class="headerlink" href="#test-samples" title="Link to this heading">¶</a></h3> <p>Some fuzzing strategies make use of existing data that is mutated to produce the new random data. In fact, mutation-based strategies are typically superior to others if the original samples are of good quality, because the originals carry a lot of semantics that the fuzzer does not have to know about or implement. However, success here really stands and falls with the quality of the samples. 
If the originals don’t cover certain parts of the implementation, then the fuzzer will also have to do more work to get there.</p> </section> <section id="fuzz-blockers"> <h3>Fuzz Blockers<a class="headerlink" href="#fuzz-blockers" title="Link to this heading">¶</a></h3> <p>Fuzz blockers are issues that prevent fuzzers from being as effective as possible. Depending on the fuzzer and its scope, a fuzz blocker in one area (or component) can impede performance in other areas and in some cases block the fuzzer altogether. Some examples are:</p> <ul class="simple"> <li><p>Frequent crashes - These can block code paths and waste compute resources due to the need to relaunch the fuzzing target and handle the results (regardless of whether the result is ignored or reported). This also includes assertions that are mostly benign but easily triggered by fuzzers.</p></li> <li><p>Frequent hangs / timeouts - This includes any issue that slows down or blocks execution of the fuzzer or the target.</p></li> <li><p>Hard to bucket - This includes crashes such as stack overflows or any issue that crashes in an inconsistent location. It also includes issues that corrupt logs or debugger output or produce a broken or invalid crash report.</p></li> <li><p>Broken builds - This is fairly straightforward: without up-to-date builds, fuzzers are unable to run or verify fixes.</p></li> <li><p>Missing instrumentation - In some cases tools such as ASan are used as defect oracles and are required by the fuzzing tools to allow for proper automation. In other cases, incomplete instrumentation can give a false sense of stability or make investigating issues much more time consuming. 
Although this is not necessarily blocking the fuzzers, it should be prioritized appropriately.</p></li> </ul> <p>Since these types of issues harm the overall fuzzing progress, it is important for them to be addressed in a timely manner. Even if the bug itself might seem trivial and low priority for the product, it can still have devastating effects on fuzzing and hence prevent finding other critical issues.</p> <p>Issues in Bugzilla are marked as fuzz blockers by adding “[fuzzblocker]” to the “Whiteboard” field. A list of open issues marked as fuzz blockers can be found on <a class="reference external" href="https://bugzilla.mozilla.org/buglist.cgi?cmdtype=dorem&amp;remaction=run&amp;namedcmd=fuzzblockers&amp;sharer_id=486634">Bugzilla</a>.</p> </section> <section id="documentation"> <h3>Documentation<a class="headerlink" href="#documentation" title="Link to this heading">¶</a></h3> <p>It is important for the fuzzing team to know how your software, tests and designs work. Even obvious tasks, like how a test program is supposed to be invoked, which options are safe, etc., 
might be hard to figure out for the person doing the testing, just as you are reading this manual right now to find out what is important in fuzzing.</p> </section> <section id="contact-us"> <h3>Contact Us<a class="headerlink" href="#contact-us" title="Link to this heading">¶</a></h3> <p>The fuzzing team can be reached at <a class="reference external" href="mailto:fuzzing%40mozilla.com">fuzzing<span>@</span>mozilla<span>.</span>com</a> or <a class="reference external" href="https://chat.mozilla.org/#/room/#fuzzing:mozilla.org">on Matrix</a> and will be happy to help you with any questions about fuzzing you might have. We can help you find the right method of fuzzing for your feature, collaborate on the implementation, and provide the infrastructure to run it and process the results accordingly.</p> </section> </section> </section> </div> </div> <footer> <div class="rst-footer-buttons" role="navigation" aria-label="Footer"><a href="../../gtest/index.html" class="btn btn-neutral float-left" title="GTest" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a> <a href="fuzzing_interface.html" class="btn btn-neutral float-right" title="Fuzzing Interface" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a> </div> <hr> <div role="contentinfo"> <p></p> </div> Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. </footer> </div> </div> </section> </div> <script> jQuery(function () { SphinxRtdTheme.Navigation.enable(true); }); </script> </body> </html>
