{"id":13546114,"url":"https://github.com/blt/bughunt-rust","last_synced_at":"2025-04-02T17:32:36.926Z","repository":{"id":137755254,"uuid":"145375395","full_name":"blt/bughunt-rust","owner":"blt","description":"QuickCheck bug hunting in Rust standard library data structures","archived":true,"fork":false,"pushed_at":"2019-03-10T03:51:45.000Z","size":62,"stargazers_count":160,"open_issues_count":4,"forks_count":8,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-11-03T14:35:04.140Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2018-08-20T06:27:32.000Z","updated_at":"2024-05-04T21:51:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"d145c235-5a74-4f08-a1ad-274a26a97d47","html_url":"https://github.com/blt/bughunt-rust","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blt%2Fbughunt-rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blt%2Fbughunt-rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blt%2Fbughunt-rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blt%2Fbughunt-rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blt","download_url":"https://codeload.github.com/blt/bughunt-rust/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"htt
ps://github.com","kind":"github","repositories_count":246860270,"owners_count":20845635,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:00:31.935Z","updated_at":"2025-04-02T17:32:36.633Z","avatar_url":"https://github.com/blt.png","language":"Rust","funding_links":[],"categories":["Vulnerability Assessment"],"sub_categories":["Property-Based Testing"],"readme":"# BugHunt, Rust\n\n[![Build Status](https://travis-ci.com/blt/bughunt-rust.svg?branch=master)](https://travis-ci.com/blt/bughunt-rust)\n\nThis project is aiming to provide \"stateful\" QuickCheck models for Rust's\nstandard library. That is, we build up a random list of operations against an\nabstract data type, an \"obviously correct\" model of that ADT and apply the\noperations to both the model and the reference implementation of the data\ntype. If the model and reference implementation differ in any way then that's a\ngood sign there's a bug to be diagnosed and reported. This is _different_ from\nfuzzing in that we're interested in higher-level behaviour of data\nstructures--their \"properties\"--and aren't necessarily looking for\ncrashes. (That said, \"do not crash the program\" is a pretty good property for\nmost data structures.)\n\nWe're inspired by the work [**@jlouis**](https://github.com/jlouis) did in the\nErlang community to detect subtle bugs in that language's map implementation and\n[**@shnatsel**](https://github.com/Shnatsel)'s recent work fuzzing Rust crates\nfor crashes.\n\n## Running the Suite\n\nRunning the tests takes a little leg work. 
The project performs model-based\nfuzzing, which means the tests are driven by a fuzzer, cargo-fuzz (libFuzzer) in\nparticular. We've written about the general approach\n[here](https://blog.troutwine.us/2018/10/08/hunting-for-bugs-in-rust/). Since\nthat post we've switched from AFL to libFuzzer but the broad details remain the\nsame.\n\nThe available targets are listed in `fuzz/Cargo.toml`, the binaries of the\nproject. Say you want to run the `str::repeat` target. Make sure you've got\ncargo-fuzz installed by running `cargo install cargo-fuzz`.\n\n```\n\u003e cargo fuzz run str_repeat\n```\n\nA reasonable test run will take hours and, as configured, the above run will\nexecute forever. Pass `--help` to `cargo fuzz` to see its options for limiting\nthe run time, choosing a corpus, etc.\n\n### Why does this run outside of Rust itself?\n\nWell! I'm not sure that bundling these long-running tests into the Rust compiler\nproject is something anyone would go for and, working here as an external\nproject, we can avoid needing to fiddle with toolchains and longish build\ncycles. The downside is that the std data structures we're testing don't have\nany sanitizers turned on, because the project is run against the usual Rust\nrelease.\n\n## Contributing\n\nWriting QuickCheck models can be slow work and contributions are _very_ welcome,\neither introducing new models into the project or extending existing ones. We\nhave an experimental [clusterfuzz](https://github.com/google/clusterfuzz) setup\nrunning and if you have credits to donate that would be most welcome. I intend\nto document the project's balances and funding needs once they are clear.\n\n### Would you take CI help?\n\nYes! Right now we have a folder `ci/` which has the build scripts used in\n`.travis.yml`. We're producing test binaries and feeding them directly into the\nclusterfuzz setup the project has. Speaking of, I'll be adding configuration for\nthat cluster to this repository in the coming days.\n\nAny improvements to the build pipeline or clusterfuzz configuration are most\nwelcome.\n\n### Would you take documentation help?\n\nYes!\n\n## Hey, how can I learn more?\n\nRandomized testing is a touch esoteric but there's a lot of reading material\navailable (itself a problem, kind of). In no particular order:\n\n* [\"QuickCheck: A Lightweight Tool for Random Testing of Haskell Programs\"](https://www.cs.tufts.edu/~nr/cs257/archive/john-hughes/quick.pdf)\n* [\"Breaking Erlang Maps #1\"](https://medium.com/@jlouis666/breaking-erlang-maps-1-31952b8729e6)\n* [\"How Rust’s standard library was vulnerable for years and nobody noticed\"](https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6)\n* [\"PropEr Testing\"](https://propertesting.com/)\n* [\"Moonconf Papers\"](https://blog.troutwine.us/2016/05/26/moonconf-papers/)\n* [\"Hybrid Fuzz Testing: Discovering Software Bugs via Fuzzing and Symbolic Execution\"](http://reports-archive.adm.cs.cmu.edu/anon/2012/CMU-CS-12-116.pdf)\n* [\"QuickFuzz: An Automatic Random Fuzzer for Common File Formats\"](https://people.seas.harvard.edu/~pbuiras/publications/QFHaskell2016.pdf)\n* [\"Angora: Efficient Fuzzing by Principled Search\"](http://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf)\n\nI, blt, am also happy to answer questions over email. I'm brian@troutwine.us.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblt%2Fbughunt-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblt%2Fbughunt-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblt%2Fbughunt-rust/lists"}
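The model-based approach the README above describes (decode a random list of operations from fuzzer bytes, apply each one to an "obviously correct" model and to the std reference implementation, and stop at the first difference), as an added example that is not code from the bughunt-rust project: it checks `std::collections::VecDeque` against a plain `Vec` model. The operation encoding, the `check` function, the `Model` type and the xorshift byte generator are this example's own assumptions; under cargo-fuzz the bytes would come from libFuzzer via `fuzz_target!` rather than from the generator.

```rust
// Added example, not the project's code: a stateful model check of VecDeque.
use std::collections::VecDeque;

/// One operation decoded from fuzzer-provided bytes (assumed encoding).
#[derive(Debug, Clone, PartialEq)]
enum Op {
    PushBack(u8),
    PushFront(u8),
    PopBack,
    PopFront,
    Get(usize),
    Clear,
}

/// Decode a byte slice into operations: tag byte, then one argument byte.
/// Every byte string decodes to *something*, so no fuzzer input is wasted
/// on an "invalid encoding" early return.
fn decode(data: &[u8]) -> Vec<Op> {
    let mut ops = Vec::new();
    let mut i = 0;
    while i < data.len() {
        let tag = data[i] % 6;
        let arg = *data.get(i + 1).unwrap_or(&0);
        ops.push(match tag {
            0 => Op::PushBack(arg),
            1 => Op::PushFront(arg),
            2 => Op::PopBack,
            3 => Op::PopFront,
            4 => Op::Get(arg as usize),
            _ => Op::Clear,
        });
        i += 2;
    }
    ops
}

/// The "obviously correct" model: a Vec whose index 0 is the front.
/// Slow (O(n) front operations) but trivially auditable.
#[derive(Default)]
struct Model(Vec<u8>);

impl Model {
    fn push_back(&mut self, v: u8) { self.0.push(v); }
    fn push_front(&mut self, v: u8) { self.0.insert(0, v); }
    fn pop_back(&mut self) -> Option<u8> { self.0.pop() }
    fn pop_front(&mut self) -> Option<u8> {
        if self.0.is_empty() { None } else { Some(self.0.remove(0)) }
    }
    fn get(&self, i: usize) -> Option<u8> { self.0.get(i).copied() }
    fn clear(&mut self) { self.0.clear(); }
}

/// Apply every op to both model and system under test. Returns the number of
/// ops applied, or a description of the first divergence (return value,
/// length, or full contents) so the failing input can be minimised and reported.
fn check(data: &[u8]) -> Result<usize, String> {
    let ops = decode(data);
    let mut model = Model::default();
    let mut sut: VecDeque<u8> = VecDeque::new();
    for (n, op) in ops.iter().enumerate() {
        let (expected, actual) = match *op {
            Op::PushBack(v) => { model.push_back(v); sut.push_back(v); (None, None) }
            Op::PushFront(v) => { model.push_front(v); sut.push_front(v); (None, None) }
            Op::PopBack => (model.pop_back(), sut.pop_back()),
            Op::PopFront => (model.pop_front(), sut.pop_front()),
            Op::Get(i) => (model.get(i), sut.get(i).copied()),
            Op::Clear => { model.clear(); sut.clear(); (None, None) }
        };
        if expected != actual {
            return Err(format!("op {} {:?}: model {:?}, VecDeque {:?}", n, op, expected, actual));
        }
        // Invariants are checked after every step, not only via return values.
        if model.0.len() != sut.len() {
            return Err(format!("op {} {:?}: len {} vs {}", n, op, model.0.len(), sut.len()));
        }
        if !model.0.iter().copied().eq(sut.iter().copied()) {
            return Err(format!("op {} {:?}: contents diverged", n, op));
        }
    }
    Ok(ops.len())
}

/// Deterministic xorshift32 byte source so the example runs offline (assumed
/// stand-in for libFuzzer's input; seed must be non-zero).
fn xorshift_bytes(mut seed: u32, n: usize) -> Vec<u8> {
    (0..n).map(|_| {
        seed ^= seed << 13;
        seed ^= seed >> 17;
        seed ^= seed << 5;
        (seed & 0xff) as u8
    }).collect()
}

fn main() {
    // In a cargo-fuzz target this body becomes: fuzz_target!(|data: &[u8]| { check(data).unwrap(); });
    let data = xorshift_bytes(0x9E37_79B9, 4096);
    match check(&data) {
        Ok(n) => println!("{} operations applied, model and VecDeque agree", n),
        Err(e) => panic!("divergence found: {}", e),
    }
}
```

Returning `Err` with the op index rather than panicking inside the loop keeps the harness reusable: the fuzz target can `unwrap()` to get libFuzzer's crash-and-minimise behaviour, while an ordinary test can assert on the message.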