{"id":24068683,"url":"https://github.com/php/flowfusion","last_synced_at":"2025-07-04T14:38:41.151Z","repository":{"id":271649344,"uuid":"894579363","full_name":"php/flowfusion","owner":"php","description":"A Dataflow-Driven and Automated Fuzzer for the PHP Interpreter","archived":false,"fork":false,"pushed_at":"2025-03-17T08:16:58.000Z","size":104,"stargazers_count":27,"open_issues_count":2,"forks_count":2,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-12T23:26:30.291Z","etag":null,"topics":["fuzzing","php"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/php.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-11-26T15:51:55.000Z","updated_at":"2025-04-04T04:34:03.000Z","dependencies_parsed_at":"2025-01-09T03:45:44.911Z","dependency_job_id":"f6a9a57c-2f93-4842-961d-bcff3ccdf2e0","html_url":"https://github.com/php/flowfusion","commit_stats":null,"previous_names":["php/flowfusion"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/php%2Fflowfusion","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/php%2Fflowfusion/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/php%2Fflowfusion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/php%2Fflowfusion/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/php","download_url":"https://codeload.github.com/php/flowfusion/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250107952,"owners_count":21376037,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzing","php"],"created_at":"2025-01-09T13:47:02.610Z","updated_at":"2025-04-24T03:09:39.073Z","avatar_url":"https://github.com/php.png","language":"PHP","readme":"## FlowFusion — A Dataflow-Driven Fuzzer\n\n### What is FlowFusion?\n\nFlowFusion is a fully automated, dataflow-driven fuzzing tool that detects various bugs (e.g., memory errors, undefined behaviors, assertion failures) in the PHP interpreter.\n\n### How Does FlowFusion Work?\n\nThe core idea behind FlowFusion is to leverage **dataflow** as an efficient representation of the official `.phpt` test files maintained by PHP developers. FlowFusion merges two (or more) test cases to produce fused test cases with more complex code semantics. It interleaves the dataflows of multiple test cases, thereby combining their code contexts. This approach enables interactions among existing unit tests (which typically verify a single functionality) to create more intricate code paths—leading to more effective bug-finding.\n\n**Why dataflow?**  \nAround 96.1% of `.phpt` files exhibit sequential control flow (i.e., they execute without branching), which means control flow alone contributes little to the overall code semantics. By focusing on dataflow, FlowFusion captures the essential semantics of these test programs.\n\n**Why effective?**  \n1. With ~20K test cases, pairwise combinations already exceed 400M fused test cases; combining more than two grows this number exponentially. \n2. The interleaving process itself has randomness, offering multiple ways to connect two test cases.  \n3. FlowFusion applies additional mutations and also fuzzes runtime configurations (e.g., JIT settings).\n\nFlowFusion additionally fuzzes all defined functions and class methods in the context of the fused test cases. A SQLite3 database stores information on available functions, classes, methods, and their parameters to guide fuzzing.\n\nBecause FlowFusion relies on the official `.phpt` files, as soon as new tests are added, thousands of new fused tests can be generated. **This ensures FlowFusion remains current and continues to reveal new bugs over time**.\n\n---\n\n### Instructions\n\nBelow are the steps to fuzz the latest commit of `php-src` inside a Docker container.\n\n1. **Start Docker**  \n   ```bash\n   docker run --name phpfuzz -dit 0599jiangyc/flowfusion:latest bash\n   ```\n   - Username: `phpfuzz`\n   - Password: `phpfuzz`\n   \n   Then enter the container:\n   ```bash\n   docker exec -it phpfuzz bash\n   ```\n\n2. **Clone FlowFusion \u0026 Prepare**  \n   Inside the container, clone the FlowFusion repository into `/home/phpfuzz/WorkSpace`:\n   ```bash\n   git clone https://github.com/php/flowfusion.git\n   cd flowfusion\n   ./prepare.sh\n   ```\n   *Note:* The preparation step can take several minutes.\n\n3. **Start Fuzzing**  \n   Use `tmux` to keep the session running in the background:\n   ```bash\n   tmux new-session -s fuzz 'bash'\n   ```\n   Then run FlowFusion:\n   ```bash\n   python3 main.py\n   ```\n\n4. **View Found Bugs**  \n   To check for bugs:\n   ```bash\n   find ./bugs -name \"*.out\" | xargs grep -E \"Sanitizer|Assertion \"\n   ```\n\n---\n\n### Bugs\n\nFlowFusion has already discovered [hundreds of bugs](https://github.com/php/php-src/issues?q=author%3AYuanchengJiang%20) in the PHP interpreter.\n\n### Research Paper\n\nFor a more detailed explanation, see the research paper:  \n[Fuzzing the PHP Interpreter via Dataflow Fusion](https://yuanchengjiang.github.io/docs/flowfusion.pdf).\n\n---","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphp%2Fflowfusion","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphp%2Fflowfusion","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphp%2Fflowfusion/lists"}