2018-02-17 05:18:25 +00:00
|
|
|
# JSON syntax fuzzing utilities
|
|
|
|
|
|
|
|
This directory contains helper functions and corpuses that can be used to
|
|
|
|
fuzz-test the HCL JSON parser using [go-fuzz](https://github.com/dvyukov/go-fuzz).
|
|
|
|
|
2020-05-14 18:42:50 +00:00
|
|
|
## Work directory
|
|
|
|
|
|
|
|
`go-fuzz` needs a working directory where it can keep state as it works. This
|
|
|
|
should ideally be in a ramdisk for efficiency, and should probably _not_ be on
|
|
|
|
an SSD to avoid thrashing it. Here's how to create a ramdisk:
|
|
|
|
|
|
|
|
### macOS
|
|
|
|
|
|
|
|
```
|
|
|
|
$ SIZE_IN_MB=1024
|
|
|
|
$ DEVICE=`hdiutil attach -nobrowse -nomount ram://$(($SIZE_IN_MB*2048))`
|
|
|
|
$ diskutil erasevolume HFS+ RamDisk $DEVICE
|
|
|
|
$ export RAMDISK=/Volumes/RamDisk
|
|
|
|
```
|
|
|
|
|
|
|
|
### Linux
|
|
|
|
|
|
|
|
```
|
|
|
|
$ mkdir /mnt/ramdisk
|
|
|
|
$ mount -t tmpfs -o size=1024M tmpfs /mnt/ramdisk
|
|
|
|
$ export RAMDISK=/mnt/ramdisk
|
|
|
|
```
|
|
|
|
|
|
|
|
## Running the fuzzer
|
|
|
|
|
|
|
|
Next, install `go-fuzz` and its build tool in your `GOPATH`:
|
2018-02-17 05:18:25 +00:00
|
|
|
|
|
|
|
```
|
2020-05-14 18:42:50 +00:00
|
|
|
$ make tools FUZZ_WORK_DIR=$RAMDISK
|
2018-02-17 05:18:25 +00:00
|
|
|
```
|
|
|
|
|
2020-05-14 18:42:50 +00:00
|
|
|
Now you can fuzz the parser:
|
2018-02-17 05:18:25 +00:00
|
|
|
|
|
|
|
```
|
2020-05-14 18:42:50 +00:00
|
|
|
$ make fuzz-config FUZZ_WORK_DIR=$RAMDISK/json-fuzz-config
|
2018-02-17 05:18:25 +00:00
|
|
|
```
|
|
|
|
|
2020-05-14 18:42:50 +00:00
|
|
|
~> Note: `go-fuzz` does not interact well with `goenv`. If you encounter build
|
|
|
|
errors where the package `go.fuzz.main` could not be found, you may need to use
|
|
|
|
a machine with a direct installation of Go.
|
2018-02-17 05:18:25 +00:00
|
|
|
|
|
|
|
## Understanding the result
|
|
|
|
|
|
|
|
A small number of subdirectories will be created in the work directory.
|
|
|
|
|
|
|
|
If you let `go-fuzz` run for a few minutes (the more minutes the better) it
|
|
|
|
may detect "crashers", which are inputs that caused the parser to panic. Details
|
|
|
|
about these are written to `$FUZZ_WORK_DIR/crashers`:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ ls /tmp/hcl2-fuzz-config/crashers
|
|
|
|
7f5e9ec80c89da14b8b0b238ec88969f658f5a2d
|
|
|
|
7f5e9ec80c89da14b8b0b238ec88969f658f5a2d.output
|
|
|
|
7f5e9ec80c89da14b8b0b238ec88969f658f5a2d.quoted
|
|
|
|
```
|
|
|
|
|
|
|
|
The base file above (with no extension) is the input that caused a crash. The
|
|
|
|
`.output` file contains the panic stack trace, which you can use as a clue to
|
|
|
|
figure out what caused the crash.
|
|
|
|
|
|
|
|
A good first step to fixing a detected crasher is to copy the failing input
|
|
|
|
into one of the unit tests in the `hcl/json` package and see it crash there
|
|
|
|
too. After that, it's easy to re-run the test as you try to fix it. The
|
|
|
|
file with the `.quoted` extension contains a form of the input that is quoted
|
|
|
|
in Go syntax for easy copy-paste into a test case, even if the input contains
|
|
|
|
non-printable characters or other inconvenient symbols.
|
|
|
|
|
|
|
|
## Rebuilding for new Upstream Code
|
|
|
|
|
|
|
|
An archive file is created for `go-fuzz` to use on the first run of each
|
|
|
|
of the above, as a `.zip` file created in this directory. If upstream code
|
|
|
|
is changed these will need to be deleted to cause them to be rebuilt with
|
|
|
|
the latest code:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ make clean
|
|
|
|
```
|