1*795d594fSAndroid Build Coastguard WorkerJFuzz 2*795d594fSAndroid Build Coastguard Worker===== 3*795d594fSAndroid Build Coastguard Worker 4*795d594fSAndroid Build Coastguard WorkerJFuzz is a tool for generating random programs with the objective 5*795d594fSAndroid Build Coastguard Workerof fuzz testing the ART infrastructure. Each randomly generated program 6*795d594fSAndroid Build Coastguard Workercan be run under various modes of execution, such as using the interpreter, 7*795d594fSAndroid Build Coastguard Workerusing the optimizing compiler, using an external reference implementation, 8*795d594fSAndroid Build Coastguard Workeror using various target architectures. Any difference between the outputs 9*795d594fSAndroid Build Coastguard Worker(**divergence**) may indicate a bug in one of the execution modes. 10*795d594fSAndroid Build Coastguard Worker 11*795d594fSAndroid Build Coastguard WorkerJFuzz can be combined with DexFuzz to get multi-layered fuzz testing. 12*795d594fSAndroid Build Coastguard Worker 13*795d594fSAndroid Build Coastguard WorkerHow to run JFuzz 14*795d594fSAndroid Build Coastguard Worker================ 15*795d594fSAndroid Build Coastguard Worker 16*795d594fSAndroid Build Coastguard Worker jfuzz [-s seed] [-d expr-depth] [-l stmt-length] 17*795d594fSAndroid Build Coastguard Worker [-i if-nest] [-n loop-nest] [-v] [-h] 18*795d594fSAndroid Build Coastguard Worker 19*795d594fSAndroid Build Coastguard Workerwhere 20*795d594fSAndroid Build Coastguard Worker 21*795d594fSAndroid Build Coastguard Worker -s : defines a deterministic random seed 22*795d594fSAndroid Build Coastguard Worker (randomized using time by default) 23*795d594fSAndroid Build Coastguard Worker -d : defines a fuzzing depth for expressions 24*795d594fSAndroid Build Coastguard Worker (higher values yield deeper expressions) 25*795d594fSAndroid Build Coastguard Worker -l : defines a fuzzing length for statement lists 26*795d594fSAndroid Build Coastguard Worker (higher values yield longer statement sequences) 27*795d594fSAndroid Build Coastguard Worker -i : defines a fuzzing nest for if/switch statements 28*795d594fSAndroid Build Coastguard Worker (higher values yield deeper nested conditionals) 29*795d594fSAndroid Build Coastguard Worker -n : defines a fuzzing nest for for/while/do-while loops 30*795d594fSAndroid Build Coastguard Worker (higher values yield deeper nested loops) 31*795d594fSAndroid Build Coastguard Worker -t : defines a fuzzing nest for try-catch-finally blocks 32*795d594fSAndroid Build Coastguard Worker (higher values yield deeper nested try-catch-finally blocks) 33*795d594fSAndroid Build Coastguard Worker -v : prints version number and exits 34*795d594fSAndroid Build Coastguard Worker -h : prints help and exits 35*795d594fSAndroid Build Coastguard Worker 36*795d594fSAndroid Build Coastguard WorkerThe current version of JFuzz sends all output to stdout, and uses 37*795d594fSAndroid Build Coastguard Workera fixed testing class named Test. So a typical test run looks as follows. 38*795d594fSAndroid Build Coastguard Worker 39*795d594fSAndroid Build Coastguard Worker jfuzz > Test.java 40*795d594fSAndroid Build Coastguard Worker mkdir classes 41*795d594fSAndroid Build Coastguard Worker javac -d classes Test.java 42*795d594fSAndroid Build Coastguard Worker dx --dex --output=classes.dex classes 43*795d594fSAndroid Build Coastguard Worker art -cp classes.dex Test 44*795d594fSAndroid Build Coastguard Worker 45*795d594fSAndroid Build Coastguard WorkerHow to start JFuzz testing 46*795d594fSAndroid Build Coastguard Worker========================== 47*795d594fSAndroid Build Coastguard Worker 48*795d594fSAndroid Build Coastguard Worker run_jfuzz_test.py 49*795d594fSAndroid Build Coastguard Worker [--num_tests=NUM_TESTS] 50*795d594fSAndroid Build Coastguard Worker [--device=DEVICE] 51*795d594fSAndroid Build Coastguard Worker [--mode1=MODE] [--mode2=MODE] 52*795d594fSAndroid Build Coastguard Worker [--report_script=SCRIPT] 53*795d594fSAndroid Build Coastguard Worker [--jfuzz_arg=ARG] 54*795d594fSAndroid Build Coastguard Worker [--true_divergence] 55*795d594fSAndroid Build Coastguard Worker [--dexer=DEXER] 56*795d594fSAndroid Build Coastguard Worker [--debug_info] 57*795d594fSAndroid Build Coastguard Worker 58*795d594fSAndroid Build Coastguard Workerwhere 59*795d594fSAndroid Build Coastguard Worker 60*795d594fSAndroid Build Coastguard Worker --num_tests : number of tests to run (10000 by default) 61*795d594fSAndroid Build Coastguard Worker --device : target device serial number (passed to adb -s) 62*795d594fSAndroid Build Coastguard Worker --mode1 : m1 63*795d594fSAndroid Build Coastguard Worker --mode2 : m2, with m1 != m2, and values one of 64*795d594fSAndroid Build Coastguard Worker ri = reference implementation on host (default for m1) 65*795d594fSAndroid Build Coastguard Worker hint = Art interpreter on host 66*795d594fSAndroid Build Coastguard Worker hopt = Art optimizing on host (default for m2) 67*795d594fSAndroid Build Coastguard Worker tint = Art interpreter on target 68*795d594fSAndroid Build Coastguard Worker topt = Art optimizing on target 69*795d594fSAndroid Build Coastguard Worker --report_script : path to script called for each divergence 70*795d594fSAndroid Build Coastguard Worker --jfuzz_arg : argument for jfuzz 71*795d594fSAndroid Build Coastguard Worker --true_divergence : don't bisect timeout divergences 72*795d594fSAndroid Build Coastguard Worker --dexer=DEXER : use either dx or d8 to obtain dex files 73*795d594fSAndroid Build Coastguard Worker --debug_info : include debugging info 74*795d594fSAndroid Build Coastguard Worker 75*795d594fSAndroid Build Coastguard WorkerHow to start JFuzz nightly testing 76*795d594fSAndroid Build Coastguard Worker================================== 77*795d594fSAndroid Build Coastguard Worker 78*795d594fSAndroid Build Coastguard Worker run_jfuzz_test_nightly.py 79*795d594fSAndroid Build Coastguard Worker [--num_proc NUM_PROC] 80*795d594fSAndroid Build Coastguard Worker 81*795d594fSAndroid Build Coastguard Workerwhere 82*795d594fSAndroid Build Coastguard Worker 83*795d594fSAndroid Build Coastguard Worker --num_proc : number of run_jfuzz_test.py instances to run (8 by default) 84*795d594fSAndroid Build Coastguard Worker 85*795d594fSAndroid Build Coastguard WorkerRemaining arguments are passed to run\_jfuzz_test.py. 86*795d594fSAndroid Build Coastguard Worker 87*795d594fSAndroid Build Coastguard WorkerHow to start J/DexFuzz testing (multi-layered) 88*795d594fSAndroid Build Coastguard Worker============================================== 89*795d594fSAndroid Build Coastguard Worker 90*795d594fSAndroid Build Coastguard Worker run_dex_fuzz_test.py 91*795d594fSAndroid Build Coastguard Worker [--num_tests=NUM_TESTS] 92*795d594fSAndroid Build Coastguard Worker [--num_inputs=NUM_INPUTS] 93*795d594fSAndroid Build Coastguard Worker [--device=DEVICE] 94*795d594fSAndroid Build Coastguard Worker [--dexer=DEXER] 95*795d594fSAndroid Build Coastguard Worker [--debug_info] 96*795d594fSAndroid Build Coastguard Worker 97*795d594fSAndroid Build Coastguard Workerwhere 98*795d594fSAndroid Build Coastguard Worker 99*795d594fSAndroid Build Coastguard Worker --num_tests : number of tests to run (10000 by default) 100*795d594fSAndroid Build Coastguard Worker --num_inputs : number of JFuzz programs to generate 101*795d594fSAndroid Build Coastguard Worker --device : target device serial number (passed to adb -s) 102*795d594fSAndroid Build Coastguard Worker --dexer=DEXER : use either dx or d8 to obtain dex files 103*795d594fSAndroid Build Coastguard Worker --debug_info : include debugging info 104*795d594fSAndroid Build Coastguard Worker 105*795d594fSAndroid Build Coastguard WorkerBackground 106*795d594fSAndroid Build Coastguard Worker========== 107*795d594fSAndroid Build Coastguard Worker 108*795d594fSAndroid Build Coastguard WorkerAlthough test suites are extremely useful to validate the correctness of a 109*795d594fSAndroid Build Coastguard Workersystem and to ensure that no regressions occur, any test suite is necessarily 110*795d594fSAndroid Build Coastguard Workerfinite in size and scope. Tests typically focus on validating particular 111*795d594fSAndroid Build Coastguard Workerfeatures by means of code sequences most programmers would expect. Regression 112*795d594fSAndroid Build Coastguard Workertests often use slightly less idiomatic code sequences, since they reflect 113*795d594fSAndroid Build Coastguard Workerproblems that were not anticipated originally, but occurred “in the field”. 114*795d594fSAndroid Build Coastguard WorkerStill, any test suite leaves the developer wondering whether undetected bugs 115*795d594fSAndroid Build Coastguard Workerand flaws still linger in the system. 116*795d594fSAndroid Build Coastguard Worker 117*795d594fSAndroid Build Coastguard WorkerOver the years, fuzz testing has gained popularity as a testing technique for 118*795d594fSAndroid Build Coastguard Workerdiscovering such lingering bugs, including bugs that can bring down a system 119*795d594fSAndroid Build Coastguard Workerin an unexpected way. Fuzzing refers to feeding a large amount of random data 120*795d594fSAndroid Build Coastguard Workeras input to a system in an attempt to find bugs or make it crash. Generation- 121*795d594fSAndroid Build Coastguard Workerbased fuzz testing constructs random, but properly formatted input data. 122*795d594fSAndroid Build Coastguard WorkerMutation-based fuzz testing applies small random changes to existing inputs 123*795d594fSAndroid Build Coastguard Workerin order to detect shortcomings in a system. Profile-guided or coverage-guided 124*795d594fSAndroid Build Coastguard Workerfuzzing adds a direction to the way these random changes are applied. Multi- 125*795d594fSAndroid Build Coastguard Workerlayered approaches generate random inputs that are subsequently mutated at 126*795d594fSAndroid Build Coastguard Workervarious stages of execution. 127*795d594fSAndroid Build Coastguard Worker 128*795d594fSAndroid Build Coastguard WorkerThe randomness of fuzz testing implies that the size and scope of testing is no 129*795d594fSAndroid Build Coastguard Workerlonger bounded. Every new run can potentially discover bugs and crashes that were 130*795d594fSAndroid Build Coastguard Workerhereto undetected. 131