Home | History | Annotate | Download | only in jfuzz
      1 JFuzz
      2 =====
      3 
      4 JFuzz is a tool for generating random programs with the objective
      5 of fuzz testing the ART infrastructure. Each randomly generated program
      6 can be run under various modes of execution, such as using the interpreter,
      7 using the optimizing compiler, using an external reference implementation,
      8 or using various target architectures. Any difference between the outputs
      9 (**divergence**) may indicate a bug in one of the execution modes.
     10 
     11 JFuzz can be combined with DexFuzz to get multi-layered fuzz testing.
     12 
     13 How to run JFuzz
     14 ================
     15 
     16     jfuzz [-s seed] [-d expr-depth] [-l stmt-length]
     17              [-i if-nest] [-n loop-nest] [-v] [-h]
     18 
     19 where
     20 
     21     -s : defines a deterministic random seed
     22          (randomized using time by default)
     23     -d : defines a fuzzing depth for expressions
     24          (higher values yield deeper expressions)
     25     -l : defines a fuzzing length for statement lists
     26          (higher values yield longer statement sequences)
     27     -i : defines a fuzzing nest for if/switch statements
     28          (higher values yield deeper nested conditionals)
     29     -n : defines a fuzzing nest for for/while/do-while loops
     30          (higher values yield deeper nested loops)
     31     -t : defines a fuzzing nest for try-catch-finally blocks
     32          (higher values yield deeper nested try-catch-finally blocks)
     33     -v : prints version number and exits
     34     -h : prints help and exits
     35 
     36 The current version of JFuzz sends all output to stdout, and uses
     37 a fixed testing class named Test. So a typical test run looks as follows.
     38 
     39     jfuzz > Test.java
     40     mkdir classes
     41     javac -d classes Test.java
     42     dx --dex --output=classes.dex classes
     43     art -cp classes.dex Test
     44 
     45 How to start JFuzz testing
     46 ==========================
     47 
     48     run_jfuzz_test.py
     49                           [--num_tests=NUM_TESTS]
     50                           [--device=DEVICE]
     51                           [--mode1=MODE] [--mode2=MODE]
     52                           [--report_script=SCRIPT]
     53                           [--jfuzz_arg=ARG]
     54                           [--true_divergence]
     55                           [--dexer=DEXER]
     56                           [--debug_info]
     57 
     58 where
     59 
     60     --num_tests       : number of tests to run (10000 by default)
     61     --device          : target device serial number (passed to adb -s)
     62     --mode1           : m1
     63     --mode2           : m2, with m1 != m2, and values one of
     64       ri   = reference implementation on host (default for m1)
     65       hint = Art interpreter on host
     66       hopt = Art optimizing on host (default for m2)
     67       tint = Art interpreter on target
     68       topt = Art optimizing on target
     69     --report_script   : path to script called for each divergence
     70     --jfuzz_arg       : argument for jfuzz
     71     --true_divergence : don't bisect timeout divergences
     72     --dexer=DEXER     : use either dx or d8 to obtain dex files
     73     --debug_info      : include debugging info
     74 
     75 How to start JFuzz nightly testing
     76 ==================================
     77 
     78     run_jfuzz_test_nightly.py
     79                           [--num_proc NUM_PROC]
     80 
     81 where
     82 
     83     --num_proc      : number of run_jfuzz_test.py instances to run (8 by default)
     84 
     85 Remaining arguments are passed to run\_jfuzz_test.py.
     86 
     87 How to start J/DexFuzz testing (multi-layered)
     88 ==============================================
     89 
     90     run_dex_fuzz_test.py
     91                           [--num_tests=NUM_TESTS]
     92                           [--num_inputs=NUM_INPUTS]
     93                           [--device=DEVICE]
     94                           [--dexer=DEXER]
     95                           [--debug_info]
     96 
     97 where
     98 
     99     --num_tests   : number of tests to run (10000 by default)
    100     --num_inputs  : number of JFuzz programs to generate
    101     --device      : target device serial number (passed to adb -s)
    102     --dexer=DEXER : use either dx or d8 to obtain dex files
    103     --debug_info  : include debugging info
    104 
    105 Background
    106 ==========
    107 
    108 Although test suites are extremely useful to validate the correctness of a
    109 system and to ensure that no regressions occur, any test suite is necessarily
    110 finite in size and scope. Tests typically focus on validating particular
    111 features by means of code sequences most programmers would expect. Regression
    112 tests often use slightly less idiomatic code sequences, since they reflect
    113 problems that were not anticipated originally, but occurred in the field.
    114 Still, any test suite leaves the developer wondering whether undetected bugs
    115 and flaws still linger in the system.
    116 
    117 Over the years, fuzz testing has gained popularity as a testing technique for
    118 discovering such lingering bugs, including bugs that can bring down a system
    119 in an unexpected way. Fuzzing refers to feeding a large amount of random data
    120 as input to a system in an attempt to find bugs or make it crash. Generation-
    121 based fuzz testing constructs random, but properly formatted input data.
    122 Mutation-based fuzz testing applies small random changes to existing inputs
    123 in order to detect shortcomings in a system. Profile-guided or coverage-guided
    124 fuzzing adds a direction to the way these random changes are applied. Multi-
    125 layered approaches generate random inputs that are subsequently mutated at
    126 various stages of execution.
    127 
    128 The randomness of fuzz testing implies that the size and scope of testing is no
    129 longer bounded. Every new run can potentially discover bugs and crashes that were
    130 hereto undetected.
    131