> To what extent are we fuzzing things like our url parser and other necko > bits via our existing shell (xpcshell) that exposes all that stuff? > > -Boris
Not at all. xpcshell is not very useful for fuzzing. It is slow, the sample tests (xpcshell-tests) are extremely complicated to adapt and we can't easily use it with AFL. As discussed in #developers, we could maybe have xpcshell work with AFL persistent mode (although it would be complicated I assume), but that still doesn't solve the problem that people have to write the necessary code that we can fuzz then. xpcshell-tests are not that code (I did some fuzzing with an xpcshell-test when we added the new X509 validation code and it was horrible). Right now, the best approach to me seems having gtests and other compiled tests. The have the advantage that they are relatively simple to adapt (I was able to transform some tests image and mp3 decoding in less than 30 minutes) but they often still reflect what we do in the browser. For example for image decoding I saw we have multi-chunk decoding. If we just fuzz libjpeg or libpng we would just miss this part. As for speed, on my gtest I get 500-1000 iterations per second on the GIF decoder for example. That's a good speed for fuzzing and very useful. The only thing that I haven't looked into yet is how I can package the resulting tests easily so they can be sent to fuzzing machines, but that's solvable. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
