Newsgroups: php.internals
Subject: [PHP-DEV] A new fuzz testing tool for PHP
From: Yuancheng Jiang <0599jiangyc@gmail.com>
To: internals@lists.php.net
Date: Fri, 15 Nov 2024 21:20:58 +0800
Message-ID: <79C53085-9AD8-4E6D-ADAA-38AC1660A57E@gmail.com>

Hi all,

I have been submitting hundreds of bugs (see https://github.com/php/php-src/issues/created_by/YuanchengJiang) during the past months, and I first thank all the developers who take time to fix these issues to make PHP better.

I am thrilled to introduce one fully automated fuzz testing tool, FlowFusion, for discovering various bugs in the PHP interpreter.

The core idea behind FlowFusion is to leverage dataflow as an effective representation of test cases (.phpt files) maintained by PHP developers, merging two (or more) test cases to produce fused test cases with more complex code semantics. We connect two (or more) test cases by interleaving their dataflows, i.e., bringing the code context from one test case to another. This enables interactions among existing test cases, which are mostly unit tests verifying one single functionality, making fused test cases interesting by merging code semantics.

FlowFusion additionally fuzzes all defined functions and class methods using the code contexts of fused test cases. Available functions, classes, and methods are pre-collected and stored in sqlite3 with necessary information like the number of parameters. FlowFusion will keep upgrading automatically as phpt files keep updating. Any new single test can bring thousands of new fused tests.

The search space of FlowFusion is huge, which means it can cover various corner cases. Reasons for the huge search space are three-fold: (i) two random combinations of around 20,000 test cases can generate 400,000,000 test cases, and we can combine even more; (ii) the interleaving has randomness: given two test cases, there could be multiple ways to connect them; and (iii) FlowFusion also mutates the test case and fuzzes the runtime environment/configuration, like JIT.

I can open-source the tool under my personal repository. I wonder if, by any chance, I can contribute it as the official PHP tool under https://github.com/php, and I would be happy to maintain it for a long time.

Best,
Yuancheng
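The fusion and function-fuzzing steps described in the message above, as an added illustration that is not FlowFusion's own code: it parses two constructed .phpt cases, interleaves their dataflow with a single assignment that carries a value from the first case into the second, and then appends a call chosen from an in-memory sqlite3 catalogue of constructed (function, parameter count) rows. The concrete fusion rule (override one variable of case B with one produced by case A), the variable-prefix renaming, and the catalogue schema are simplifying assumptions made here, not the tool's documented design.

```python
# Toy dataflow fusion of two .phpt cases. Added illustration, not FlowFusion's
# code: the inputs, the fusion rule and the catalogue rows are all constructed.
import random
import re
import sqlite3

# Constructed .phpt inputs (not taken from php-src). Each is a one-feature unit test.
PHPT_A = """--TEST--
Constructed: array_sum on ints
--FILE--
<?php
$nums = [1, 2, 3];
$total = array_sum($nums);
var_dump($total);
?>
--EXPECT--
int(6)
"""

PHPT_B = """--TEST--
Constructed: str_repeat
--FILE--
<?php
$s = str_repeat("ab", 3);
var_dump(strlen($s));
?>
--EXPECT--
int(6)
"""

SECTION_RE = re.compile(r"^--([A-Z_]+)--\n", re.MULTILINE)
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"^\s*\$([A-Za-z_]\w*)\s*=[^=]")


def parse_phpt(text):
    """Split a .phpt file into its --SECTION-- blocks: {name: body}."""
    parts = SECTION_RE.split(text)  # ['', 'TEST', body, 'FILE', body, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def php_body(section):
    """Statements of a --FILE-- section without the <?php ... ?> wrapper."""
    body = section.strip()
    body = body[len("<?php"):] if body.startswith("<?php") else body
    body = body[:-len("?>")] if body.endswith("?>") else body
    return body.strip()


def rename_vars(code, prefix):
    """Prefix every $variable so the two test bodies cannot collide."""
    return VAR_RE.sub(lambda m: "$" + prefix + m.group(1), code)


def assigned_vars(code):
    """Variables that receive a value, in order of first assignment."""
    seen = []
    for line in code.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def fuse(phpt_a, phpt_b, rng=None):
    """Run A's body, then B's body with one of B's variables overwritten by a
    value A produced: that assignment is the interleaved dataflow edge."""
    rng = rng or random.Random()
    code_a = rename_vars(php_body(parse_phpt(phpt_a)["FILE"]), "a_")
    code_b = rename_vars(php_body(parse_phpt(phpt_b)["FILE"]), "b_")
    src = rng.choice(assigned_vars(code_a))
    dst = rng.choice(assigned_vars(code_b))
    lines = code_b.splitlines()
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m and m.group(1) == dst:
            # Keep B's own definition (its code context), then redirect the
            # variable to A's data so B's remaining statements consume it.
            lines.insert(i + 1, f"${dst} = ${src}; // fusion: {src} -> {dst}")
            break
    fused = "<?php\n" + code_a + "\n" + "\n".join(lines) + "\n?>"
    return fused, src, dst


def build_catalogue():
    """In-memory stand-in for the sqlite3 store of callables and their
    parameter counts (constructed rows; the real store is pre-collected)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE functions (name TEXT, nparams INTEGER)")
    conn.executemany("INSERT INTO functions VALUES (?, ?)",
                     [("strlen", 1), ("array_sum", 1), ("str_repeat", 2), ("max", 2)])
    return conn


def fuzz_call(fused, conn, rng=None):
    """Append a call to a catalogued function, feeding it variables from the
    fused context as arguments; returns (new code, function name)."""
    rng = rng or random.Random()
    name, nparams = rng.choice(conn.execute("SELECT name, nparams FROM functions").fetchall())
    pool = assigned_vars(fused)
    args = ", ".join("$" + rng.choice(pool) for _ in range(nparams))
    call = f"var_dump({name}({args})); // fuzz: {name} with {nparams} argument(s)"
    assert fused.endswith("\n?>")
    return fused[:-len("\n?>")] + "\n" + call + "\n?>", name


if __name__ == "__main__":
    code, src, dst = fuse(PHPT_A, PHPT_B)
    code, fn = fuzz_call(code, build_catalogue())
    print(code)
```

The fused program carries no --EXPECT-- section on purpose: when fuzzing the interpreter the oracle is a crash, an engine assertion or a sanitizer report, not a golden output, and a fusion such as `$b_s = $a_nums;` feeding strlen() is expected to end in a TypeError rather than pass. This block makes one pair and one connection; the randomness the message describes comes from drawing the pair from roughly 20,000 cases and choosing among several possible connections per pair.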