afl fuzz tests

[danburkert]

#267 shows that the current in-tree fuzzing based on cargo-fuzz has some blindspots. Investigate adding afl-based fuzzing to the in-tree test suite.

[dbrgn]

I could probably contribute something!

Do you already have a "sample language" somewhere? Ideally with a common root message, so that all code paths can be discovered from the same parse entry point.

[danburkert]

Yes, see the existing cargo-fuzz tests in https:/danburkert/prost/tree/master/fuzz, and which use https:/danburkert/prost/blob/master/tests/src/lib.rs#L117-L170 as the success checker.

[danburkert]

@dbrgn more of a point of curiosity than anything, how long did you have to run afl to produce the stack overflow?

[dbrgn]

It was only a few minutes on a single core 🙂 Not sure if I just got lucky.

I was fuzzing a separate project where most (but not all) messages are just a single prefix byte, followed by a protobuf message. I quickly got about half a dozen failures, which were all related to the stack overflow.