#fuzzer — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #fuzzer, aggregated by home.social.
-
AFL++ v4.40c release - best performance ever - optimal hidden coverage instrumentation, FrameShift, LLVM 22 support, IJON fixes, a lot of minor and bigger enhancements! #fuzzer #fuzzing https://github.com/AFLplusplus/AFLplusplus/releases/tag/v4.40c
-
There's a researcher, Jiang Yuancheng, who's doing a great work finding CPython crashes and memory leaks: https://github.com/python/cpython/issues?q=is%3Aissue%20author%3AYuanchengJiang
They've come up with a very clever idea for a new way of fuzzing, made a fine tool out of it, and are reaping great results.
Fuzzing can be a diminishing returns endeavor: you only have so many bugs to find. Their approach has shown itself to cover different areas and kinds of issues well, as shown by their track record.
-
So someone found a segfault in NumPy and reported it as a security bug: https://huntr.com/bounties/49928a2c-c6bb-4c1c-80ec-5d7bf708bf28. After some back and forth, the NumPy developers agreed it was a security bug (with a low score, but still).
However, since fusil had already found that crash and I had reported it 2 months earlier (https://github.com/numpy/numpy/issues/28829), the report was deemed a duplicate and no CVE was assigned.
We didn't find a CVE, but avoided one :)
Link to fix: https://github.com/numpy/numpy/pull/30071
-
Fuzzing pyhacl (https://codeberg.org/drlazor8/pyhacl), a package of Cython bindings for HACL* (the High Assurance Cryptographic Library), with fusil we only found one crash.
It turned out to actually be a silly bug in #Cython:
Issue: https://github.com/cython/cython/issues/7263
Fix: https://github.com/cython/cython/pull/7264
Goes to show how fuzzing a C-extension can uncover crashes in many different layers.
Thanks @drlazor8 for taking up the call for C-extensions maintainers to fuzz their code.
-
After a pause, we're back to running fusil. This time, to fuzz cereggii, a package of very interesting thread synchronization utilities for #Python, made of C-extensions.
We tailored #fusil to target these #cereggii utilities, finding more issues.
Daniele Parmeggiani (dpdani), the maintainer, has been helping in the effort and being very supportive. That's the best welcome fusil has received in any project :)
Here are the issues we found: https://github.com/dpdani/cereggii/issues?q=label%3A%22fusil-fuzzer%22
-
Been running a fusil campaign for a week, targeting a C-extension. The fuzzer has found 9 issues so far, feels good.
The maintainer is helping with the campaign and eager to fix the issues, which is great.
Some maintainers see us with suspicion and often disregard issues, as if we're after accolades, pointing fingers or complaining about the code.
We fuzz to help, that's all.
Anyway, if you have a C-extension and would like it fuzzed, hit me up :)
-
Posted a topic about lafleur, the CPython JIT fuzzer I'm developing: https://discuss.python.org/t/introducing-lafleur-a-cpython-jit-fuzzer/103452
It has many details about the project, the results (4 JIT crashes so far), calls for help and ideas for the future.
If any of this interests you, please give a read. Boosts welcome :)
-
Here's how lafleur works:
Starts from a corpus of seed files (generated by fusil). It runs each file and parses the JIT debug output to record micro ops (UOPs) and edges between them.
Then it applies mutations to these files and when a mutation results in a new UOP or edge, it adds the mutated file to the corpus.
All the while, it monitors the execution of these files for crashes.
And it's smart about which file to mutate next.
Simple, eh?
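The loop the post describes, as an added example that is not lafleur's own code: a coverage-guided scheduler whose "coverage" is the set of micro ops (UOPs) and UOP-to-UOP edges parsed from a constructed stand-in for the JIT debug output. The `uop NAME` trace format, the token-to-UOP table, the token-level mutator and the crash rule are all invented for this example; lafleur's real parser, AST mutations and scheduler are not shown.

```python
import random
# Constructed stand-in for running a test file under the JIT and capturing its
# debug output: each token yields one "uop NAME" line. The table, the trace
# format and the crash rule are invented for this example, not CPython's.
TOKEN_UOPS = {"int": "_LOAD_CONST_INT", "add": "_BINARY_OP_ADD",
              "for": "_FOR_ITER", "call": "_CALL", "str": "_LOAD_CONST_STR"}

def run_target(program):
    lines = ["uop " + TOKEN_UOPS[t] for t in program if t in TOKEN_UOPS]
    crashed = "str" in program and program.count("for") >= 2   # invented bug
    return lines, crashed

def parse_trace(lines):
    """Record the micro ops (UOPs) seen and the edges between consecutive UOPs."""
    uops = [ln.split(" ", 1)[1] for ln in lines if ln.startswith("uop ")]
    return set(uops), set(zip(uops, uops[1:]))

def mutate(program, rng):
    # Token-level stand-in for lafleur's AST-based mutations: insert/replace/delete.
    prog, tok, op = list(program), rng.choice(list(TOKEN_UOPS)), rng.randrange(3)
    if op == 0 or len(prog) < 2:
        prog.insert(rng.randint(0, len(prog)), tok)
    elif op == 1:
        prog[rng.randrange(len(prog))] = tok
    else:
        del prog[rng.randrange(len(prog))]
    return prog

def fuzz(seeds, iterations, seed=0):
    rng = random.Random(seed)
    seen_uops, seen_edges = set(), set()
    corpus, crashes = {}, []          # corpus: tuple(program) -> scheduling weight
    for s in seeds:                   # seed files, as lafleur takes from fusil
        u, e = parse_trace(run_target(s)[0])
        seen_uops |= u; seen_edges |= e
        corpus[tuple(s)] = 1.0
    for _ in range(iterations):
        # Weighted choice: files that recently gave new coverage are favoured; stale ones decay.
        parent = rng.choices(list(corpus), weights=list(corpus.values()))[0]
        child = mutate(parent, rng)
        lines, crashed = run_target(child)   # monitor every run for crashes
        if crashed and child not in crashes:
            crashes.append(child)
        u, e = parse_trace(lines)
        if not (u <= seen_uops and e <= seen_edges):   # new UOP or new edge
            seen_uops |= u; seen_edges |= e
            corpus[tuple(child)] = 4.0
        else:
            corpus[parent] = max(1.0, corpus[parent] * 0.9)
    return corpus, crashes
```

Because the toy target has only five UOPs, coverage saturates within a few hundred iterations; the real fuzzer's scheduling matters precisely because the JIT's UOP and edge space is far larger.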
-
One obvious thing from fuzzing the CPython JIT with the lafleur fuzzer is that finding crashes is much lower probability than fuzzing CPython with fusil.
Whenever fusil found a crash, it would find hits for it again and again pretty quickly.
With lafleur, we only got 3 hits (2 issues) in thousands of fuzzing hours.
I'm throwing more compute at it, but maybe we'll need to improve the core ideas to get better results.
-
Reviewed the 3 PRs we got for lafleur: https://github.com/devdanzin/lafleur/pulls?q=is%3Apr
All 3 marked as "good first issue". They have clear signs of being created by or with help from AI, like tentative code ("# do this in case... ") and removing docstrings.
Merged one and gave feedback on 2, including tips on how to get AI to fix their issues.
I might get unfollows for this, but I welcome AI generated code as long as it's good enough. In fact, AI made this project viable.
-
Busy day, good day: the new CPython fuzzer lafleur found its first 2 crashes this morning!
Happiness only marred by the bad job I did reducing the testcases and making the reports reproducible. Thanks Brandt Bucher and Ken Jin for the patience! Next bug reports will be more polished and reliable.
Also, we got 3 new PRs for the fuzzer but I didn't have time to review them, will have to leave that for tomorrow.
-
Launching a new project on a Sunday night: lafleur, a CPython JIT fuzzer.
https://github.com/devdanzin/lafleur
It's a feedback driven fuzzer (using JIT debug output) with corpus prioritization and JIT-targeted AST-based mutations. Calling it "evolutionary" may be a stretch, but sounds good.
It's also a fuzzer that so far hasn't found any crashes or bugs. Still working on that ;)
If you want to understand how it works, there is a good amount of docs.
-
Trying real hard to build a fuzzer targeting the CPython JIT, lots of features implemented but not a single crash or bug discovered so far.
Such is life when hunting for crashes in robust code.
This weekend I'll be spinning off a new fuzzer that grew from fusil. Wish me luck 🙂
-
So, what's next for fuzzing CPython with fusil?
The results point to interesting future ideas, including expanding fuzzing to new environments like subinterpreters, using more tools like Thread Sanitizer, and developing more advanced fuzzing techniques.
A huge thank you to everyone who contributed!
And thank you for reading!
P.S.: if you have a C/Rust extension, we can fuzz it too: https://mastodon.social/@danzin/114383188014599269
(5/5)
-
One finding I really like is the bug discovery pattern.
There wasn't a steady stream of bugs, but spikes of findings: 1st, a huge number of crashes as I started testing a CPython that hadn't been fuzzed by fusil in a decade.
Later, a new wave of issues tied to the addition of new features to the fuzzer, like support for "weird classes" and typing objects.
So periodic campaigns may have better cost-benefit than continuous fuzzing.
(4/5)
-
The credit for fusil's effective design goes all to Victor Stinner (@vstinner), who created it nearly two decades ago. It was responsible for finding release blockers way back in 2008. I just contributed a little to revive and enhance it.
Some enhancements included running generated code in threads and adopting new "interesting" objects and values as inputs, helping to discover more crashes.
(3/5)
-
All this was only possible due to the great response from the Python community.
Thanks to the developers' efforts to triage, diagnose, and fix the problems, the campaign became a collaborative effort to improve Python.
The impact was considerable, mobilizing Core Devs and contributors to create 98 PRs to fix these bugs. The average time to fix an issue was about 20 days, with a median of just five days.
(2/5)
-
Happy to share the results of a fuzzing campaign targeting CPython that ran from Oct 2024 to May 2025. Using the fusil fuzzer, the goal was to find crashes and improve CPython's robustness.
I really like the results we got: the effort uncovered 52 unique crash-related issues. These reports approached 30% of all "type-crash" issues filed during that period. One of the crashes was classified as a Release Blocker, that was a nice result! :)
(1/5)
-
So, my technical report on fuzzing CPython with fusil is almost done.
I'd really appreciate some help categorizing the found issues by relevance/severity/importance or any other name for impact.
Do you have the chops to help with that? And do you have time and interest? Please get in touch if so! And please boost if you can :)
A plot, some tables, links to the report and some discussion are available in this thread:
https://discuss.python.org/t/feedback-on-the-recent-fusil-fuzzing-campaign-of-cpython/91737
-
🚀✨ In a groundbreaking announcement, #Jepsen reveals that systems are *gasp* difficult to test in the most obvious places—cue the #fuzzer blind spots conspiracy 🤔. But don't worry, they've got #Kyl on the case, so sleep easy knowing your #bugs will continue thriving in the shadows 🐛🔍.
https://tigerbeetle.com/blog/2025-06-06-fuzzer-blind-spots-meet-jepsen/ #testing #blindspots #innovation #HackerNews #ngated
-
Trying to gather feedback/opinions, especially from #CPython Core Developers, on the recent #fuzzing campaign using #fusil.
https://discuss.python.org/t/feedback-on-the-recent-fusil-fuzzing-campaign-of-cpython/91737
I'm writing a little tech report on the effort, and having some data about whether it's considered useful, a nuisance, impactful, low value etc. would make it much more interesting.
Please boost for visibility :)
-
Do you maintain or contribute to a #Python package that includes a C extension? Would you like to run a fuzzer against it?
If so, let me know and I will run it, or help you to get it running.
The fuzzer is #fusil, which generates random code calling into your functions and methods. It's useful to check for crashes on invalid inputs or unexpected call patterns.
It has found about 50 crashes in #CPython, 20 in #PyPy, 6 in #Numpy etc.
#fuzzing #fuzzer #testing
See here:
https://github.com/devdanzin/fusil/issues/37
-
We're up to 30 #CPython crashers found using #Fusil this year, about 90% of them considered valid.
In 2008, I had reported 5 cases using the same #fuzzer, 4 of which were release blockers.
@vstinner, Fusil's creator, also reported a bunch of issues with it.
After running for a while (on free AWS and Oracle cloud tiers), crash hits are getting harder to find.
We need new fuzzing inputs. Feel free to suggest improvements that could find new crashers.
-
Boffins from ETH Zurich have devised a novel #fuzzer for finding bugs in #RISCV chips and have used it to find more than three dozen.
When applied to six actual RISC-V #CPU – #VexRiscv, #PicoRV32, #Kronos, #CVA6, Rocket, and BOOM – Cascade found 37 new bugs (translating to 29 #CVE) in five of these six designs. https://www.theregister.com/2023/10/24/cascade_fuzzer_zurich/
-
DIRB is a program that exhaustively checks if a website has hidden resources. DIRB performs checks using wordlists, and checks each and every word in the list to see if it possibly exists. If a directory is found DIRB will recursively search the directory once its parent is finished being scanned.
Website 🔗️: http://dirb.sourceforge.net/
apt 📦️: dirb