Open Bug 1592485 Opened 5 years ago Updated 2 years ago

Investigate using fuzzing to test the urlbar

Categories

(Firefox :: Address Bar, task, P3)

Points: 8

People

(Reporter: adw, Unassigned)

Following up from the fuzzing discussion in bug 1587867, Tyson has kindly offered to help us with fuzzing the urlbar. From an email:

Regarding bug 1587867 comment 28[1] I think fuzzing is a great way to help find and prevent issues. Since I'm not familiar with this code I'm not sure which approaches are possible but here are my thoughts.

libfuzzer[2]: This is the fastest, most direct way of fuzzing and is preferred if it is possible to reach the code in question. For info on building a libfuzzer target for Firefox have a look here[3]. Pros: Very fast, coverage guided, catches many types of issues (hangs and crashes). Cons: Less flexible.

In-browser fuzzing: We could create an Avalanche[4] grammar that would generate random URLs. We would need a template document that would make the appropriate JS calls to hit the code paths we'd like to fuzz. Pros: Flexible. Cons: Slow and will not report hangs as failures.

Whichever method we go with I will add the fuzzer to our infrastructure and report issues as they come in. This will include a stack and a minimized test case.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1587867#c28
[2] https://llvm.org/docs/LibFuzzer.html
[3] https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Fuzzing_Interface
[4] https://github.com/MozillaSecurity/avalanche

This sounds pretty great, especially the CI part. We don't have the resources to devote to this at the moment -- we'd need to plan for it -- but it's an interesting target for the future.
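
The grammar-based approach from the quoted email (generate random URLs from a grammar, then feed them to the code under test), as an added example that is not part of this bug and does not use Avalanche's API. The grammar, the `generate` and `fuzz` helpers, and the WHATWG `URL` parser used as a stand-in target are all assumptions made for illustration:

```javascript
// Added example: minimal grammar-driven URL fuzzer (not Avalanche's API).
// Keys of GRAMMAR are nonterminals; any other symbol is emitted literally.
const GRAMMAR = {
  input:  [["scheme", "://", "host", "path", "query"], ["host", "path"],
           ["scheme", ":", "path"], ["word", " ", "word"]],
  scheme: [["http"], ["https"], ["file"], ["about"], ["data"]],
  host:   [["label"], ["label", ".", "host"], ["[::1]"], ["label", ":", "port"]],
  label:  [["word"], ["xn--", "word"], ["word", "-", "word"]],
  port:   [["80"], ["0"], ["65536"], [""]],
  path:   [[""], ["/", "word", "path"], ["/../", "path"], ["/%", "hex", "hex"]],
  query:  [[""], ["?", "word", "=", "word"], ["#", "word"]],
  word:   [["a"], ["test"], ["EXAMPLE"], ["\u00e9"], ["%20"], ["0x7f"]],
  hex:    [["0"], ["f"], ["G"]],
};

// Seeded PRNG (mulberry32-style) so any generated input can be replayed.
function prng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
function expand(symbol, rand, depth) {
  const alts = GRAMMAR[symbol];
  if (!alts) return symbol; // terminal
  // Past the depth limit, take the shortest alternative so recursion ends.
  const alt = depth > 8 ? alts.reduce((m, x) => (x.length < m.length ? x : m))
                        : alts[Math.floor(rand() * alts.length)];
  return alt.map((s) => expand(s, rand, depth + 1)).join("");
}
const generate = (seed) => expand("input", prng(seed), 0);
// Feed `count` inputs to `target`. TypeError is the stand-in target's normal
// rejection; any other exception is kept with its seed for replay.
function fuzz(target, count, firstSeed = 1) {
  const result = { accepted: 0, rejected: 0, findings: [] };
  for (let seed = firstSeed; seed < firstSeed + count; seed++) {
    const input = generate(seed);
    try { target(input); result.accepted++; } catch (e) {
      if (e instanceof TypeError) result.rejected++;
      else result.findings.push({ seed, input, error: String(e) });
    }
  }
  return result;
}
// Stand-in target: the WHATWG URL parser, not Firefox's urlbar code.
console.log(fuzz((s) => new URL(s), 500));
```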

See Also: → 1495327

Hi, I think that this bug has been fixed. If I'm mistaken, please reopen it.
Regards, Flor.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Status: REOPENED → NEW
Severity: normal → S3