A new fuzz testing tool for PHP #16815
Comments
And thanks for all your reports. I invite you to discuss this matter on the internals mailing list; in addition, you will garner more attention.
For reference: https://externals.io/message/125963
@YuanchengJiang I just read your paper https://arxiv.org/pdf/2410.21713 and it's super interesting!
@pospjan Thanks! The paper gives more details, though it still needs many updates.
Hi @YuanchengJiang, awesome! I noticed the impressive number of opened issues, and given your background I guessed you were working on some new fuzzer. I’ve been thinking that the fuzzing corpus of this new fuzzer (and of the existing oss-fuzz fuzzer SAPI, currently being run by Google) may be improved by also adding all of the code of the community libraries (i.e. those defined by the nightly GitHub workflow at https://github.com/php/php-src/blob/master/.github/workflows/nightly.yml#L485). I understand this might cause issues due to the volume of additional code being permuted by the fuzzer, but even running the community tests themselves without fuzzing already uncovers multiple segfaults (some of which are still failing on master as of today). Some time ago, I submitted #12406, which does multiple things to improve the coverage of the JIT compiler:
I don’t currently have the free time to clean up the pull request and fix the numerous JIT bugs it currently detects (at least without a support contract), but all of these approaches may be reused if you or anyone else decides to upstream FlowFusion (though I would love at least a @danog mention in the pull request :)
Hi @danog, good point! Thanks! Involving the peripheral libraries makes the corpus more diverse. I do have some similar insights. I patched the run-tests.php. I also noticed that repeated executions can yield different results. I will surely refer to your experience when updating FlowFusion later ;)
The tool is now available at https://github.com/php/flowfusion |
Description
Hi all,
I have submitted hundreds of bugs during the past months and I first thank all the developers who take time to fix these issues to make PHP better.
I am thrilled to introduce a fully automated fuzz testing tool, FlowFusion, for discovering various bugs in the PHP interpreter.
The core idea behind FlowFusion is to leverage dataflow as an effective representation of the test cases (.phpt files) maintained by PHP developers, merging two (or more) test cases to produce fused test cases with more complex code semantics. We connect two (or more) test cases by interleaving their dataflows, i.e., bringing the code context from one test case to another. This enables interactions among existing test cases, which are mostly unit tests verifying one single functionality, making fused test cases interesting by merging code semantics.
FlowFusion additionally fuzzes all defined functions and class methods using the code contexts of fused test cases. Available functions, classes, and methods are pre-collected and stored in sqlite3 with the necessary information, like the number of parameters. FlowFusion will automatically upgrade as phpt files keep updating. Any new single test can bring thousands of new fused tests.
The search space of FlowFusion is huge, which means it can cover various corner cases. The reasons for the huge search space are three-fold: (i) two random combinations of around 20,000 test cases can generate 400,000,000 test cases, and we can combine even more; (ii) the interleaving is random: given two test cases, there can be multiple ways to connect them; and (iii) FlowFusion also mutates the test cases and fuzzes the runtime environment/configuration, such as JIT.
I can open-source the tool under my personal repository. I wonder if, by any chance, I could contribute it as the official PHP tool under https://github.com/php, and I would be happy to maintain it for a long time.
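A minimal illustration of the dataflow-interleaving idea described in this issue, added here as an example and not FlowFusion's own code: it parses two constructed .phpt files, chooses (randomly, or via an explicit mapping) which variables of the second test are re-assigned from variables of the first, and emits the fused .phpt. The sample tests, the function names and the crash-only oracle are assumptions.

```python
import random
import re

# Constructed sample .phpt files (not from php-src); only their --FILE-- code is fused.
TEST_A = ('--TEST--\narray_sum() basic\n--FILE--\n<?php\n$nums = [1, 2, 3];\n'
          '$total = array_sum($nums);\nvar_dump($total);\n?>\n--EXPECT--\nint(6)\n')
TEST_B = ('--TEST--\nstr_repeat() basic\n--FILE--\n<?php\n$s = "ab";\n$n = 3;\n'
          'var_dump(str_repeat($s, $n));\n?>\n--EXPECT--\nstring(6) "ababab"\n')

SECTION_RE = re.compile(r"^--([A-Z_]+)--\n(.*?)(?=^--[A-Z_]+--|\Z)", re.S | re.M)
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=[^=]")  # plain `$var = ...;` assignments

def parse_phpt(text):
    """Split a .phpt file into its sections, e.g. {'TEST': ..., 'FILE': ..., 'EXPECT': ...}."""
    return dict(SECTION_RE.findall(text))

def php_body(file_section):
    """Drop the <?php ... ?> wrapper so two test bodies can share one script."""
    return file_section.strip().removeprefix("<?php").removesuffix("?>").strip()

def assigned_vars(phpt):
    """Variables a test assigns, in first-assignment order: the context it can export."""
    matches = (ASSIGN_RE.match(l) for l in php_body(parse_phpt(phpt)["FILE"]).splitlines())
    return list(dict.fromkeys(m.group(1) for m in matches if m))

def random_links(a, b, seed=0):
    """Randomly pick which B variables take a value from A, and from which A variable:
    the randomness behind point (ii), one pair of tests fuses in many different ways."""
    rng = random.Random(seed)
    vars_a, vars_b = assigned_vars(a), assigned_vars(b)
    return {v: rng.choice(vars_a) for v in vars_b if rng.random() < 0.5}

def fuse(a, b, links):
    """Append B's code to A's and, right after B's own assignment of each linked
    variable, re-assign it from the A variable, so B's later uses consume A's value."""
    code_a, code_b = (php_body(parse_phpt(t)["FILE"]) for t in (a, b))
    vars_a = set(assigned_vars(a))
    lines = []
    for line in code_b.splitlines():
        lines.append(line)
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in links:
            if links[m.group(1)] not in vars_a:
                raise ValueError(f"{links[m.group(1)]} is not assigned in test A")
            lines.append(f"{m.group(1)} = {links[m.group(1)]}; // dataflow bridged from test A")
    # No --EXPECT--: a fused test has no fixed oracle; it is run to surface crashes and
    # sanitizer reports (assumption about how fused tests are judged, not from the issue).
    return "--TEST--\nfused\n--FILE--\n<?php\n" + code_a + "\n" + "\n".join(lines) + "\n?>\n"
```

With `links={"$n": "$total"}` the fused script feeds `array_sum()`'s result into `str_repeat()`, a combination neither original test exercises.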