Fuzzer for the H2 codec. This is similar in structure to //test/common/http/http2:codec_impl_test, where a client H2 codec is wired via shared memory to a server H2 codec and stream actions are applied. We fuzz the various client/server H2 codec API operations and in addition apply fuzzing at the wire level by modeling explicit mutation, reordering and drain operations on the connection buffers between client and server. Part of envoyproxy#508. Risk Level: Low Testing: Tested with corpus under bazel test and under oss-fuzz Docker image. ~500 cases per second with python infra/helper.py build_fuzzers --sanitizer=address envoy <envoy path> && python infra/helper.py run_fuzzer envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of http2/codec_impl.cc. Signed-off-by: Harvey Tuch <htuch@google.com>
mattklein123 left a comment:
This is super cool and awesome. I would just ship it and we can iterate depending on what it finds. Nice work!
    uint32_t read_disable_count_{};
  };

  // Buffer between client and server H2 codecs. This models each write operation
I suppose at some point we might want to actually be able to reorder full h2 frames? I wonder if that would make the fuzzing more effective or not. I'm not sure.
Yeah; based on experience, some of the time you do get full frame reordering due to 1 write per frame, but some of the time it's only partial. In theory, the fuzzer could generate a series of swap actions that performs a full frame swap, but the chance of that happening is lower as the frame fragmentation grows. I'm planning on looking at coverage and other metrics to try and tune this once we land in oss-fuzz and internal runs.
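Following up on the full-frame reordering question in the thread above, here is an added example in C++ (not code from this PR or from Envoy) of a frame-boundary-aware swap over a raw H2 wire buffer. It parses the 9-byte RFC 7540 frame header to locate whole frames, swaps two of them, and leaves any trailing partial frame (a write cut mid-frame) in place rather than splitting it. It assumes the buffer begins at a frame boundary, i.e. the 24-byte connection preface has already been consumed; the `h2fuzz` namespace, the function names and the sample bytes are all constructed for this illustration.

```cpp
// Added example (not Envoy code): frame-boundary-aware reordering of an HTTP/2
// wire buffer. Assumes the buffer starts at a frame boundary (connection
// preface already consumed). Names and sample bytes are constructed here.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

namespace h2fuzz {

// RFC 7540 section 4.1: 24-bit payload length, 8-bit type, 8-bit flags,
// 1 reserved bit plus 31-bit stream identifier.
constexpr std::size_t kFrameHeaderSize = 9;

struct Split {
  std::vector<std::string> frames;  // complete frames, header included
  std::string tail;                 // trailing bytes that do not form a whole frame
};

// Walks the buffer header by header. A frame whose declared length runs past
// the end of the buffer is not split: it and anything after it become the tail.
Split splitFrames(const std::string& buf) {
  Split out;
  std::size_t pos = 0;
  while (buf.size() - pos >= kFrameHeaderSize) {
    const auto* p = reinterpret_cast<const std::uint8_t*>(buf.data() + pos);
    const std::size_t len = (static_cast<std::size_t>(p[0]) << 16) |
                            (static_cast<std::size_t>(p[1]) << 8) | p[2];
    const std::size_t total = kFrameHeaderSize + len;
    if (buf.size() - pos < total) break;
    out.frames.push_back(buf.substr(pos, total));
    pos += total;
  }
  out.tail = buf.substr(pos);
  return out;
}

// Type byte of each complete frame, to inspect what a swap did.
std::vector<std::uint8_t> frameTypes(const std::string& buf) {
  std::vector<std::uint8_t> types;
  for (const auto& f : splitFrames(buf).frames) types.push_back(static_cast<std::uint8_t>(f[3]));
  return types;
}

// Swap whole frames i and j (reduced modulo the frame count, the way a fuzzer
// maps arbitrary input integers onto valid indices) and reassemble. The partial
// tail stays where it was; with fewer than two frames the buffer is unchanged.
std::string swapFrames(const std::string& buf, std::uint32_t i, std::uint32_t j) {
  Split s = splitFrames(buf);
  if (s.frames.size() < 2) return buf;
  i %= s.frames.size();
  j %= s.frames.size();
  std::swap(s.frames[i], s.frames[j]);
  std::string out;
  for (const auto& f : s.frames) out += f;
  out += s.tail;
  return out;
}

// Builds one frame for the constructed sample below.
std::string makeFrame(std::uint8_t type, std::uint8_t flags, std::uint32_t stream_id,
                      const std::string& payload) {
  const std::uint32_t len = static_cast<std::uint32_t>(payload.size());
  std::string f;
  f.push_back(static_cast<char>((len >> 16) & 0xff));
  f.push_back(static_cast<char>((len >> 8) & 0xff));
  f.push_back(static_cast<char>(len & 0xff));
  f.push_back(static_cast<char>(type));
  f.push_back(static_cast<char>(flags));
  f.push_back(static_cast<char>((stream_id >> 24) & 0x7f));  // reserved bit clear
  f.push_back(static_cast<char>((stream_id >> 16) & 0xff));
  f.push_back(static_cast<char>((stream_id >> 8) & 0xff));
  f.push_back(static_cast<char>(stream_id & 0xff));
  f += payload;
  return f;
}

// Constructed sample write: SETTINGS, HEADERS, DATA, then the first 5 bytes of a
// WINDOW_UPDATE header, as if the producer's write ended mid-header.
std::string sampleWire() {
  std::string wire;
  wire += makeFrame(0x4, 0x0, 0, std::string("\x00\x03\x00\x00\x00\x64", 6));  // MAX_CONCURRENT_STREAMS=100
  wire += makeFrame(0x1, 0x4, 1, std::string("\x82\x86\x84", 3));              // END_HEADERS; HPACK static indices
  wire += makeFrame(0x0, 0x1, 1, "hello");                                     // END_STREAM
  wire += std::string("\x00\x00\x04\x08\x00", 5);
  return wire;
}

}  // namespace h2fuzz

int main() {
  const std::string before = h2fuzz::sampleWire();
  const std::string after = h2fuzz::swapFrames(before, 1, 2);
  for (auto t : h2fuzz::frameTypes(before)) std::cout << int(t) << ' ';
  std::cout << "-> ";
  for (auto t : h2fuzz::frameTypes(after)) std::cout << int(t) << ' ';
  std::cout << "(tail bytes kept: " << h2fuzz::splitFrames(after).tail.size() << ")\n";
  return 0;
}
```

Because the swap only moves complete frames, a single fuzzer action is enough to exercise receiver-side ordering logic (for example a DATA frame arriving before its HEADERS), whereas byte-level swaps mostly produce malformed frames unless the fuzzer happens to chain several of them. Both kinds of mutation are worth having; this one just raises the odds of the whole-frame case the thread discusses.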
Fuzzer for the H2 codec. This is similar in structure to
//test/common/http/http2:codec_impl_test, where a client H2 codec is wired via
shared memory to a server H2 codec and stream actions are applied. We fuzz the
various client/server H2 codec API operations and in addition apply fuzzing at
the wire level by modeling explicit mutation, reordering and drain operations
on the connection buffers between client and server.
Part of #508.
Risk Level: Low
Testing: Tested with corpus under bazel test and under oss-fuzz Docker image.
~640 cases per second with python infra/helper.py build_fuzzers
--sanitizer=address envoy && python infra/helper.py run_fuzzer
envoy codec_impl_fuzz_test. Test corpus has 87.9% coverage of
http2/codec_impl.cc.
Signed-off-by: Harvey Tuch <htuch@google.com>