Move to fuzzing with fast-check

Remove jsfuzz and use fast-check for fuzzing instead. There are several advantages to this given the state of the jsfuzz project (i.e. it's not well-maintained). The drawbacks are limited since the fuzzing for this project is largely random(/unguided) anyway. The advantage of fast-check is that 1) it does not introduce a new dependency and 2) like jsfuzz it does not need any system dependency (in contract to Jazzer.js), and 3) it support ESM modules (finally getting rid of the last remaining CJS source code from this project). One major difference between fuzzing with jsfuzz (or Jazzer.js) and fast-check is that test duration is better specified in terms of test runs/iterations rather than duration. This actually seems fine (maybe even better) to me.
ericcornelissen · Jul 14, 2024 · bbf66fe · bbf66fe
1 parent 25067bd
commit bbf66fe
Show file tree

Hide file tree

Showing 26 changed files with 249 additions and 1,457 deletions.
diff --git a/.github/workflows/fuzz-bash.yml b/.github/workflows/fuzz-bash.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: ubuntu-22.04
       shell: /bin/bash
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/fuzz-cmd.yml b/.github/workflows/fuzz-cmd.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: windows-2022
       shell: cmd.exe
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/fuzz-csh.yml b/.github/workflows/fuzz-csh.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: ubuntu-22.04
       shell: /bin/csh
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/fuzz-dash.yml b/.github/workflows/fuzz-dash.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: ubuntu-22.04
       shell: /bin/dash
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/fuzz-no-shell-unix.yml b/.github/workflows/fuzz-no-shell-unix.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: ubuntu-22.04
       shell: "false"
       targets: '["exec-file", "fork", "spawn"]'
diff --git a/.github/workflows/fuzz-no-shell-win.yml b/.github/workflows/fuzz-no-shell-win.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: windows-2022
       shell: "false"
       targets: '["exec-file", "fork", "spawn"]'
diff --git a/.github/workflows/fuzz-powershell.yml b/.github/workflows/fuzz-powershell.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: windows-2022
       shell: powershell.exe
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/fuzz-zsh.yml b/.github/workflows/fuzz-zsh.yml
@@ -25,7 +25,7 @@ jobs:
     name: Fuzz
     uses: ericcornelissen/shescape/.github/workflows/reusable-fuzz.yml@main
     with:
-      duration: 600 # seconds == 10 minutes
+      iterations: 10000
       os: ubuntu-22.04
       shell: /bin/zsh
       targets: '["exec", "exec-file", "spawn"]'
diff --git a/.github/workflows/reusable-fuzz.yml b/.github/workflows/reusable-fuzz.yml
@@ -2,7 +2,7 @@ name: Fuzz
 on:
   workflow_call:
     inputs:
-      duration:
+      iterations:
         required: true
         type: string
       os:
@@ -83,14 +83,14 @@ jobs:
         id: fuzz
         shell: bash {0}
         env:
-          DURATION: ${{ inputs.duration }}
+          FUZZ_ITERATIONS: ${{ inputs.iterations }}
           FUZZ_SHELL: ${{ inputs.shell }}
           TARGET: ${{ matrix.target }}
         run: |
-          timeout "${DURATION}s" npm run fuzz "${TARGET}"
+          npm run fuzz "${TARGET}"
           export EXIT_CODE="$?"
           {
-            if [[ ("$EXIT_CODE" == 124) ]]; then
+            if [[ ("$EXIT_CODE" == 0) ]]; then
               echo 'fuzz-error=false'
               echo 'script-error=false'
             elif [[ ("$EXIT_CODE" == 1) ]]; then

diff --git a/.lockfile-lintrc.yml b/.lockfile-lintrc.yml
@@ -3,10 +3,7 @@
 path: package-lock.json
 allowedHosts:
   - npm
-  - gitlab.com
 emptyHostname: false
 validateHttps: true
 validateIntegrity: true
 validatePackageNames: false
-integrityExclude:
-  - "@gitlab-org/jsfuzz"
diff --git a/.npmrc b/.npmrc
@@ -2,4 +2,3 @@ audit=false
 ignore-scripts=true
 lockfile-version=3
 save-exact=true
-@gitlab-org:registry=https://gitlab.com/api/v4/packages/npm/
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -268,22 +268,19 @@ the shell.
 
 ##### End-to-end Fuzz Testing
 
-There are also end-to-end [fuzz tests] (using [Jsfuzz]) for this project. All
-fuzz tests go into the `test/fuzz/` folder. You can start fuzzing using the
-command `npm run fuzz`, which will provide more instructions.
+There are also end-to-end [fuzz tests] for this project. All fuzz tests go into
+the `test/fuzz/` folder. You can start fuzzing using the command `npm run fuzz`,
+which will provide more instructions.
 
 When writing fuzz tests the goal is to find unknown bugs, logic flaws, and
-unhandled error scenarios. Note that fuzz logic must be written in CommonJS (a
-requirement from [Jsfuzz]). Due to the use of CommonJS for fuzz code and ES
-Modules for source code, the coverage report from Jsfuzz is empty and not used
-(and coverage guided fuzzing is also not available).
+unhandled error scenarios.
 
-When you discover a bug by fuzzing please keep the crash file. If you do not
-plan to fix the bug, either follow the [security policy] or file a [bug report]
+When you discover a bug by fuzzing please keep the crash. If you do not plan to
+fix the bug, either follow the [security policy] or file a [bug report]
 (depending on the type of bug) and include the crash file. If you do plan to fix
-the bug, move the crash file to the `test/fuzz/corpus/` folder, remove the
-"crash-" prefix, and include it in the Pull Request fixing the bug. By adding it
-in this folder the bug will automatically be retested when fuzzing again.
+the bug, add the crash to the `test/fuzz/corpus/` folder, and include it in the
+Pull Request fixing the bug. By adding it in this folder the bug will
+automatically be retested when fuzzing again.
 
 ###### Fuzz Test Configuration
 
@@ -306,11 +303,11 @@ FUZZ_SHELL=false
 ```
 
 By default, fuzzing goes on forever - until a problem is found. You can change
-this using the `FUZZ_TIME` environment variable. This enables you to specify how
-long to fuzz as an integer number of seconds. For example, to fuzz 10 seconds:
+this using the `FUZZ_ITERATIONS` environment variable. This allow you to specify
+how many test cases should be run. For example, to fuzz for 1000 iterations:
 
 ```ini
-FUZZ_TIME=10
+FUZZ_ITERATIONS=1000
 ```
 
 #### Compatibility Testing
@@ -466,18 +463,6 @@ testProp("generative test", [fc.string()], (t, input) => {
 });
 ```
 
-or as fuzz tests using [Jsfuzz], for example:
-
-```javascript
-function fuzz(buf) {
-  functionUnderTest(buf);
-}
-
-module.exports = {
-  fuzz,
-};
-```
-
 ### Mutation testing
 
 The effectiveness of some test suites is ensured through [mutation testing
@@ -637,7 +622,6 @@ const john = "John Doe";
 [fuzz tests]: https://en.wikipedia.org/wiki/Fuzzing
 [git]: https://git-scm.com/
 [jsdoc]: https://jsdoc.app/
-[jsfuzz]: https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz
 [licensee]: https://www.npmjs.com/package/licensee
 [markdown]: https://en.wikipedia.org/wiki/Markdown
 [markdownlint]: https://github.com/DavidAnson/markdownlint

diff --git a/config/eslint.js b/config/eslint.js
@@ -10,15 +10,15 @@ import yml from "eslint-plugin-yml";
 export default [
   {
     name: "Code",
-    files: ["**/*.cjs", "**/*.js"],
+    files: ["**/*.js"],
     languageOptions: {
       ecmaVersion: "latest",
       sourceType: "module",
     },
   },
   {
     name: "JSDoc",
-    files: ["**/*.js", "**/*.cjs"],
+    files: ["**/*.js"],
     plugins: { jsdoc },
     rules: {
       // https://github.com/gajus/eslint-plugin-jsdoc#readme
@@ -548,7 +548,7 @@ export default [
   },
   {
     name: "Tests",
-    files: ["test/**/*.cjs", "test/**/*.js"],
+    files: ["test/**/*.js"],
     plugins: { ava, jsdoc },
     rules: {
       // https://github.com/gajus/eslint-plugin-jsdoc#readme

diff --git a/config/knip.jsonc b/config/knip.jsonc
@@ -5,7 +5,7 @@
   "entry": ["src/modules/*.js"],
   "ignore": ["test/fixtures/*.js"],
   "ignoreBinaries": [],
-  "ignoreDependencies": ["@gitlab-org/jsfuzz"],
+  "ignoreDependencies": [],
   "eslint": ["config/eslint.js"],
   "rollup": ["config/rollup.js"],
   "stryker": ["config/stryker/*.js"],