fuzz.go

     1  // Copyright 2020 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package testing
     6  
     7  import (
     8  	"bytes"
     9  	"errors"
    10  	"flag"
    11  	"fmt"
    12  	"io"
    13  	"os"
    14  	"path/filepath"
    15  	"reflect"
    16  	"runtime"
    17  	"sync/atomic"
    18  	"time"
    19  )
    20  
    21  func initFuzzFlags() {
    22  	matchFuzz = flag.String("test.fuzz", "", "run the fuzz test matching `regexp`")
    23  	flag.Var(&fuzzDuration, "test.fuzztime", "time to spend fuzzing; default is to run indefinitely")
    24  	flag.Var(&minimizeDuration, "test.fuzzminimizetime", "time to spend minimizing a value after finding a failing input")
    25  
    26  	fuzzCacheDir = flag.String("test.fuzzcachedir", "", "directory where interesting fuzzing inputs are stored (for use only by cmd/go)")
    27  	isFuzzWorker = flag.Bool("test.fuzzworker", false, "coordinate with the parent process to fuzz random values (for use only by cmd/go)")
    28  }
    29  
    30  var (
    31  	matchFuzz        *string
    32  	fuzzDuration     durationOrCountFlag
    33  	minimizeDuration = durationOrCountFlag{d: 60 * time.Second, allowZero: true}
    34  	fuzzCacheDir     *string
    35  	isFuzzWorker     *bool
    36  
    37  	// corpusDir is the parent directory of the fuzz test's seed corpus within
    38  	// the package.
    39  	corpusDir = "testdata/fuzz"
    40  )
    41  
    42  // fuzzWorkerExitCode is used as an exit code by fuzz worker processes after an
    43  // internal error. This distinguishes internal errors from uncontrolled panics
    44  // and other failiures. Keep in sync with internal/fuzz.workerExitCode.
    45  const fuzzWorkerExitCode = 70
    46  
    47  // InternalFuzzTarget is an internal type but exported because it is
    48  // cross-package; it is part of the implementation of the "go test" command.
    49  type InternalFuzzTarget struct {
    50  	Name string
    51  	Fn   func(f *F)
    52  }
    53  
    54  // F is a type passed to fuzz tests.
    55  //
    56  // Fuzz tests run generated inputs against a provided fuzz target, which can
    57  // find and report potential bugs in the code being tested.
    58  //
    59  // A fuzz test runs the seed corpus by default, which includes entries provided
    60  // by (*F).Add and entries in the testdata/fuzz/<FuzzTestName> directory. After
    61  // any necessary setup and calls to (*F).Add, the fuzz test must then call
    62  // (*F).Fuzz to provide the fuzz target. See the testing package documentation
    63  // for an example, and see the F.Fuzz and F.Add method documentation for
    64  // details.
    65  //
    66  // *F methods can only be called before (*F).Fuzz. Once the test is
    67  // executing the fuzz target, only (*T) methods can be used. The only *F methods
    68  // that are allowed in the (*F).Fuzz function are (*F).Failed and (*F).Name.
    69  type F struct {
    70  	common
    71  	fuzzContext *fuzzContext
    72  	testContext *testContext
    73  
    74  	// inFuzzFn is true when the fuzz function is running. Most F methods cannot
    75  	// be called when inFuzzFn is true.
    76  	inFuzzFn bool
    77  
    78  	// corpus is a set of seed corpus entries, added with F.Add and loaded
    79  	// from testdata.
    80  	corpus []corpusEntry
    81  
    82  	result     fuzzResult
    83  	fuzzCalled bool
    84  }
    85  
    86  var _ TB = (*F)(nil)
    87  
    88  // corpusEntry is an alias to the same type as internal/fuzz.CorpusEntry.
    89  // We use a type alias because we don't want to export this type, and we can't
    90  // import internal/fuzz from testing.
    91  type corpusEntry = struct {
    92  	Parent     string
    93  	Path       string
    94  	Data       []byte
    95  	Values     []any
    96  	Generation int
    97  	IsSeed     bool
    98  }
    99  
   100  // Helper marks the calling function as a test helper function.
   101  // When printing file and line information, that function will be skipped.
   102  // Helper may be called simultaneously from multiple goroutines.
   103  func (f *F) Helper() {
   104  	if f.inFuzzFn {
   105  		panic("testing: f.Helper was called inside the fuzz target, use t.Helper instead")
   106  	}
   107  
   108  	// common.Helper is inlined here.
   109  	// If we called it, it would mark F.Helper as the helper
   110  	// instead of the caller.
   111  	f.mu.Lock()
   112  	defer f.mu.Unlock()
   113  	if f.helperPCs == nil {
   114  		f.helperPCs = make(map[uintptr]struct{})
   115  	}
   116  	// repeating code from callerName here to save walking a stack frame
   117  	var pc [1]uintptr
   118  	n := runtime.Callers(2, pc[:]) // skip runtime.Callers + Helper
   119  	if n == 0 {
   120  		panic("testing: zero callers found")
   121  	}
   122  	if _, found := f.helperPCs[pc[0]]; !found {
   123  		f.helperPCs[pc[0]] = struct{}{}
   124  		f.helperNames = nil // map will be recreated next time it is needed
   125  	}
   126  }
   127  
   128  // Fail marks the function as having failed but continues execution.
   129  func (f *F) Fail() {
   130  	// (*F).Fail may be called by (*T).Fail, which we should allow. However, we
   131  	// shouldn't allow direct (*F).Fail calls from inside the (*F).Fuzz function.
   132  	if f.inFuzzFn {
   133  		panic("testing: f.Fail was called inside the fuzz target, use t.Fail instead")
   134  	}
   135  	f.common.Helper()
   136  	f.common.Fail()
   137  }
   138  
   139  // Skipped reports whether the test was skipped.
   140  func (f *F) Skipped() bool {
   141  	// (*F).Skipped may be called by tRunner, which we should allow. However, we
   142  	// shouldn't allow direct (*F).Skipped calls from inside the (*F).Fuzz function.
   143  	if f.inFuzzFn {
   144  		panic("testing: f.Skipped was called inside the fuzz target, use t.Skipped instead")
   145  	}
   146  	f.common.Helper()
   147  	return f.common.Skipped()
   148  }
   149  
   150  // Add will add the arguments to the seed corpus for the fuzz test. This will be
   151  // a no-op if called after or within the fuzz target, and args must match the
   152  // arguments for the fuzz target.
   153  func (f *F) Add(args ...any) {
   154  	var values []any
   155  	for i := range args {
   156  		if t := reflect.TypeOf(args[i]); !supportedTypes[t] {
   157  			panic(fmt.Sprintf("testing: unsupported type to Add %v", t))
   158  		}
   159  		values = append(values, args[i])
   160  	}
   161  	f.corpus = append(f.corpus, corpusEntry{Values: values, IsSeed: true, Path: fmt.Sprintf("seed#%d", len(f.corpus))})
   162  }
   163  
   164  // supportedTypes represents all of the supported types which can be fuzzed.
   165  var supportedTypes = map[reflect.Type]bool{
   166  	reflect.TypeOf(([]byte)("")):  true,
   167  	reflect.TypeOf((string)("")):  true,
   168  	reflect.TypeOf((bool)(false)): true,
   169  	reflect.TypeOf((byte)(0)):     true,
   170  	reflect.TypeOf((rune)(0)):     true,
   171  	reflect.TypeOf((float32)(0)):  true,
   172  	reflect.TypeOf((float64)(0)):  true,
   173  	reflect.TypeOf((int)(0)):      true,
   174  	reflect.TypeOf((int8)(0)):     true,
   175  	reflect.TypeOf((int16)(0)):    true,
   176  	reflect.TypeOf((int32)(0)):    true,
   177  	reflect.TypeOf((int64)(0)):    true,
   178  	reflect.TypeOf((uint)(0)):     true,
   179  	reflect.TypeOf((uint8)(0)):    true,
   180  	reflect.TypeOf((uint16)(0)):   true,
   181  	reflect.TypeOf((uint32)(0)):   true,
   182  	reflect.TypeOf((uint64)(0)):   true,
   183  }
   184  
   185  // Fuzz runs the fuzz function, ff, for fuzz testing. If ff fails for a set of
   186  // arguments, those arguments will be added to the seed corpus.
   187  //
   188  // ff must be a function with no return value whose first argument is *T and
   189  // whose remaining arguments are the types to be fuzzed.
   190  // For example:
   191  //
   192  //     f.Fuzz(func(t *testing.T, b []byte, i int) { ... })
   193  //
   194  // The following types are allowed: []byte, string, bool, byte, rune, float32,
   195  // float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64.
   196  // More types may be supported in the future.
   197  //
   198  // ff must not call any *F methods, e.g. (*F).Log, (*F).Error, (*F).Skip. Use
   199  // the corresponding *T method instead. The only *F methods that are allowed in
   200  // the (*F).Fuzz function are (*F).Failed and (*F).Name.
   201  //
   202  // This function should be fast and deterministic, and its behavior should not
   203  // depend on shared state. No mutatable input arguments, or pointers to them,
   204  // should be retained between executions of the fuzz function, as the memory
   205  // backing them may be mutated during a subsequent invocation. ff must not
   206  // modify the underlying data of the arguments provided by the fuzzing engine.
   207  //
   208  // When fuzzing, F.Fuzz does not return until a problem is found, time runs out
   209  // (set with -fuzztime), or the test process is interrupted by a signal. F.Fuzz
   210  // should be called exactly once, unless F.Skip or F.Fail is called beforehand.
   211  func (f *F) Fuzz(ff any) {
   212  	if f.fuzzCalled {
   213  		panic("testing: F.Fuzz called more than once")
   214  	}
   215  	f.fuzzCalled = true
   216  	if f.failed {
   217  		return
   218  	}
   219  	f.Helper()
   220  
   221  	// ff should be in the form func(*testing.T, ...interface{})
   222  	fn := reflect.ValueOf(ff)
   223  	fnType := fn.Type()
   224  	if fnType.Kind() != reflect.Func {
   225  		panic("testing: F.Fuzz must receive a function")
   226  	}
   227  	if fnType.NumIn() < 2 || fnType.In(0) != reflect.TypeOf((*T)(nil)) {
   228  		panic("testing: fuzz target must receive at least two arguments, where the first argument is a *T")
   229  	}
   230  	if fnType.NumOut() != 0 {
   231  		panic("testing: fuzz target must not return a value")
   232  	}
   233  
   234  	// Save the types of the function to compare against the corpus.
   235  	var types []reflect.Type
   236  	for i := 1; i < fnType.NumIn(); i++ {
   237  		t := fnType.In(i)
   238  		if !supportedTypes[t] {
   239  			panic(fmt.Sprintf("testing: unsupported type for fuzzing %v", t))
   240  		}
   241  		types = append(types, t)
   242  	}
   243  
   244  	// Load the testdata seed corpus. Check types of entries in the testdata
   245  	// corpus and entries declared with F.Add.
   246  	//
   247  	// Don't load the seed corpus if this is a worker process; we won't use it.
   248  	if f.fuzzContext.mode != fuzzWorker {
   249  		for _, c := range f.corpus {
   250  			if err := f.fuzzContext.deps.CheckCorpus(c.Values, types); err != nil {
   251  				// TODO(#48302): Report the source location of the F.Add call.
   252  				f.Fatal(err)
   253  			}
   254  		}
   255  
   256  		// Load seed corpus
   257  		c, err := f.fuzzContext.deps.ReadCorpus(filepath.Join(corpusDir, f.name), types)
   258  		if err != nil {
   259  			f.Fatal(err)
   260  		}
   261  		for i := range c {
   262  			c[i].IsSeed = true // these are all seed corpus values
   263  			if f.fuzzContext.mode == fuzzCoordinator {
   264  				// If this is the coordinator process, zero the values, since we don't need
   265  				// to hold onto them.
   266  				c[i].Values = nil
   267  			}
   268  		}
   269  
   270  		f.corpus = append(f.corpus, c...)
   271  	}
   272  
   273  	// run calls fn on a given input, as a subtest with its own T.
   274  	// run is analogous to T.Run. The test filtering and cleanup works similarly.
   275  	// fn is called in its own goroutine.
   276  	run := func(captureOut io.Writer, e corpusEntry) (ok bool) {
   277  		if e.Values == nil {
   278  			// The corpusEntry must have non-nil Values in order to run the
   279  			// test. If Values is nil, it is a bug in our code.
   280  			panic(fmt.Sprintf("corpus file %q was not unmarshaled", e.Path))
   281  		}
   282  		if shouldFailFast() {
   283  			return true
   284  		}
   285  		testName := f.name
   286  		if e.Path != "" {
   287  			testName = fmt.Sprintf("%s/%s", testName, filepath.Base(e.Path))
   288  		}
   289  		if f.testContext.isFuzzing {
   290  			// Don't preserve subtest names while fuzzing. If fn calls T.Run,
   291  			// there will be a very large number of subtests with duplicate names,
   292  			// which will use a large amount of memory. The subtest names aren't
   293  			// useful since there's no way to re-run them deterministically.
   294  			f.testContext.match.clearSubNames()
   295  		}
   296  
   297  		// Record the stack trace at the point of this call so that if the subtest
   298  		// function - which runs in a separate stack - is marked as a helper, we can
   299  		// continue walking the stack into the parent test.
   300  		var pc [maxStackLen]uintptr
   301  		n := runtime.Callers(2, pc[:])
   302  		t := &T{
   303  			common: common{
   304  				barrier: make(chan bool),
   305  				signal:  make(chan bool),
   306  				name:    testName,
   307  				parent:  &f.common,
   308  				level:   f.level + 1,
   309  				creator: pc[:n],
   310  				chatty:  f.chatty,
   311  			},
   312  			context: f.testContext,
   313  		}
   314  		if captureOut != nil {
   315  			// t.parent aliases f.common.
   316  			t.parent.w = captureOut
   317  		}
   318  		t.w = indenter{&t.common}
   319  		if t.chatty != nil {
   320  			// TODO(#48132): adjust this to work with test2json.
   321  			t.chatty.Updatef(t.name, "=== RUN   %s\n", t.name)
   322  		}
   323  		f.common.inFuzzFn, f.inFuzzFn = true, true
   324  		go tRunner(t, func(t *T) {
   325  			args := []reflect.Value{reflect.ValueOf(t)}
   326  			for _, v := range e.Values {
   327  				args = append(args, reflect.ValueOf(v))
   328  			}
   329  			// Before resetting the current coverage, defer the snapshot so that
   330  			// we make sure it is called right before the tRunner function
   331  			// exits, regardless of whether it was executed cleanly, panicked,
   332  			// or if the fuzzFn called t.Fatal.
   333  			if f.testContext.isFuzzing {
   334  				defer f.fuzzContext.deps.SnapshotCoverage()
   335  				f.fuzzContext.deps.ResetCoverage()
   336  			}
   337  			fn.Call(args)
   338  		})
   339  		<-t.signal
   340  		f.common.inFuzzFn, f.inFuzzFn = false, false
   341  		return !t.Failed()
   342  	}
   343  
   344  	switch f.fuzzContext.mode {
   345  	case fuzzCoordinator:
   346  		// Fuzzing is enabled, and this is the test process started by 'go test'.
   347  		// Act as the coordinator process, and coordinate workers to perform the
   348  		// actual fuzzing.
   349  		corpusTargetDir := filepath.Join(corpusDir, f.name)
   350  		cacheTargetDir := filepath.Join(*fuzzCacheDir, f.name)
   351  		err := f.fuzzContext.deps.CoordinateFuzzing(
   352  			fuzzDuration.d,
   353  			int64(fuzzDuration.n),
   354  			minimizeDuration.d,
   355  			int64(minimizeDuration.n),
   356  			*parallel,
   357  			f.corpus,
   358  			types,
   359  			corpusTargetDir,
   360  			cacheTargetDir)
   361  		if err != nil {
   362  			f.result = fuzzResult{Error: err}
   363  			f.Fail()
   364  			fmt.Fprintf(f.w, "%v\n", err)
   365  			if crashErr, ok := err.(fuzzCrashError); ok {
   366  				crashPath := crashErr.CrashPath()
   367  				fmt.Fprintf(f.w, "Failing input written to %s\n", crashPath)
   368  				testName := filepath.Base(crashPath)
   369  				fmt.Fprintf(f.w, "To re-run:\ngo test -run=%s/%s\n", f.name, testName)
   370  			}
   371  		}
   372  		// TODO(jayconrod,katiehockman): Aggregate statistics across workers
   373  		// and add to FuzzResult (ie. time taken, num iterations)
   374  
   375  	case fuzzWorker:
   376  		// Fuzzing is enabled, and this is a worker process. Follow instructions
   377  		// from the coordinator.
   378  		if err := f.fuzzContext.deps.RunFuzzWorker(func(e corpusEntry) error {
   379  			// Don't write to f.w (which points to Stdout) if running from a
   380  			// fuzz worker. This would become very verbose, particularly during
   381  			// minimization. Return the error instead, and let the caller deal
   382  			// with the output.
   383  			var buf bytes.Buffer
   384  			if ok := run(&buf, e); !ok {
   385  				return errors.New(buf.String())
   386  			}
   387  			return nil
   388  		}); err != nil {
   389  			// Internal errors are marked with f.Fail; user code may call this too, before F.Fuzz.
   390  			// The worker will exit with fuzzWorkerExitCode, indicating this is a failure
   391  			// (and 'go test' should exit non-zero) but a failing input should not be recorded.
   392  			f.Errorf("communicating with fuzzing coordinator: %v", err)
   393  		}
   394  
   395  	default:
   396  		// Fuzzing is not enabled, or will be done later. Only run the seed
   397  		// corpus now.
   398  		for _, e := range f.corpus {
   399  			name := fmt.Sprintf("%s/%s", f.name, filepath.Base(e.Path))
   400  			if _, ok, _ := f.testContext.match.fullName(nil, name); ok {
   401  				run(f.w, e)
   402  			}
   403  		}
   404  	}
   405  }
   406  
   407  func (f *F) report() {
   408  	if *isFuzzWorker || f.parent == nil {
   409  		return
   410  	}
   411  	dstr := fmtDuration(f.duration)
   412  	format := "--- %s: %s (%s)\n"
   413  	if f.Failed() {
   414  		f.flushToParent(f.name, format, "FAIL", f.name, dstr)
   415  	} else if f.chatty != nil {
   416  		if f.Skipped() {
   417  			f.flushToParent(f.name, format, "SKIP", f.name, dstr)
   418  		} else {
   419  			f.flushToParent(f.name, format, "PASS", f.name, dstr)
   420  		}
   421  	}
   422  }
   423  
   424  // fuzzResult contains the results of a fuzz run.
   425  type fuzzResult struct {
   426  	N     int           // The number of iterations.
   427  	T     time.Duration // The total time taken.
   428  	Error error         // Error is the error from the failing input
   429  }
   430  
   431  func (r fuzzResult) String() string {
   432  	if r.Error == nil {
   433  		return ""
   434  	}
   435  	return r.Error.Error()
   436  }
   437  
   438  // fuzzCrashError is satisfied by a failing input detected while fuzzing.
   439  // These errors are written to the seed corpus and can be re-run with 'go test'.
   440  // Errors within the fuzzing framework (like I/O errors between coordinator
   441  // and worker processes) don't satisfy this interface.
   442  type fuzzCrashError interface {
   443  	error
   444  	Unwrap() error
   445  
   446  	// CrashPath returns the path of the subtest that corresponds to the saved
   447  	// crash input file in the seed corpus. The test can be re-run with go test
   448  	// -run=$test/$name $test is the fuzz test name, and $name is the
   449  	// filepath.Base of the string returned here.
   450  	CrashPath() string
   451  }
   452  
   453  // fuzzContext holds fields common to all fuzz tests.
   454  type fuzzContext struct {
   455  	deps testDeps
   456  	mode fuzzMode
   457  }
   458  
   459  type fuzzMode uint8
   460  
   461  const (
   462  	seedCorpusOnly fuzzMode = iota
   463  	fuzzCoordinator
   464  	fuzzWorker
   465  )
   466  
   467  // runFuzzTests runs the fuzz tests matching the pattern for -run. This will
   468  // only run the (*F).Fuzz function for each seed corpus without using the
   469  // fuzzing engine to generate or mutate inputs.
   470  func runFuzzTests(deps testDeps, fuzzTests []InternalFuzzTarget, deadline time.Time) (ran, ok bool) {
   471  	ok = true
   472  	if len(fuzzTests) == 0 || *isFuzzWorker {
   473  		return ran, ok
   474  	}
   475  	m := newMatcher(deps.MatchString, *match, "-test.run")
   476  	tctx := newTestContext(*parallel, m)
   477  	tctx.deadline = deadline
   478  	var mFuzz *matcher
   479  	if *matchFuzz != "" {
   480  		mFuzz = newMatcher(deps.MatchString, *matchFuzz, "-test.fuzz")
   481  	}
   482  	fctx := &fuzzContext{deps: deps, mode: seedCorpusOnly}
   483  	root := common{w: os.Stdout} // gather output in one place
   484  	if Verbose() {
   485  		root.chatty = newChattyPrinter(root.w)
   486  	}
   487  	for _, ft := range fuzzTests {
   488  		if shouldFailFast() {
   489  			break
   490  		}
   491  		testName, matched, _ := tctx.match.fullName(nil, ft.Name)
   492  		if !matched {
   493  			continue
   494  		}
   495  		if mFuzz != nil {
   496  			if _, fuzzMatched, _ := mFuzz.fullName(nil, ft.Name); fuzzMatched {
   497  				// If this will be fuzzed, then don't run the seed corpus
   498  				// right now. That will happen later.
   499  				continue
   500  			}
   501  		}
   502  		f := &F{
   503  			common: common{
   504  				signal:  make(chan bool),
   505  				barrier: make(chan bool),
   506  				name:    testName,
   507  				parent:  &root,
   508  				level:   root.level + 1,
   509  				chatty:  root.chatty,
   510  			},
   511  			testContext: tctx,
   512  			fuzzContext: fctx,
   513  		}
   514  		f.w = indenter{&f.common}
   515  		if f.chatty != nil {
   516  			// TODO(#48132): adjust this to work with test2json.
   517  			f.chatty.Updatef(f.name, "=== RUN   %s\n", f.name)
   518  		}
   519  
   520  		go fRunner(f, ft.Fn)
   521  		<-f.signal
   522  	}
   523  	return root.ran, !root.Failed()
   524  }
   525  
   526  // runFuzzing runs the fuzz test matching the pattern for -fuzz. Only one such
   527  // fuzz test must match. This will run the fuzzing engine to generate and
   528  // mutate new inputs against the fuzz target.
   529  //
   530  // If fuzzing is disabled (-test.fuzz is not set), runFuzzing
   531  // returns immediately.
   532  func runFuzzing(deps testDeps, fuzzTests []InternalFuzzTarget) (ok bool) {
   533  	if len(fuzzTests) == 0 || *matchFuzz == "" {
   534  		return true
   535  	}
   536  	m := newMatcher(deps.MatchString, *matchFuzz, "-test.fuzz")
   537  	tctx := newTestContext(1, m)
   538  	tctx.isFuzzing = true
   539  	fctx := &fuzzContext{
   540  		deps: deps,
   541  	}
   542  	root := common{w: os.Stdout}
   543  	if *isFuzzWorker {
   544  		root.w = io.Discard
   545  		fctx.mode = fuzzWorker
   546  	} else {
   547  		fctx.mode = fuzzCoordinator
   548  	}
   549  	if Verbose() && !*isFuzzWorker {
   550  		root.chatty = newChattyPrinter(root.w)
   551  	}
   552  	var fuzzTest *InternalFuzzTarget
   553  	var testName string
   554  	var matched []string
   555  	for i := range fuzzTests {
   556  		name, ok, _ := tctx.match.fullName(nil, fuzzTests[i].Name)
   557  		if !ok {
   558  			continue
   559  		}
   560  		matched = append(matched, name)
   561  		fuzzTest = &fuzzTests[i]
   562  		testName = name
   563  	}
   564  	if len(matched) == 0 {
   565  		fmt.Fprintln(os.Stderr, "testing: warning: no fuzz tests to fuzz")
   566  		return true
   567  	}
   568  	if len(matched) > 1 {
   569  		fmt.Fprintf(os.Stderr, "testing: will not fuzz, -fuzz matches more than one fuzz test: %v\n", matched)
   570  		return false
   571  	}
   572  
   573  	f := &F{
   574  		common: common{
   575  			signal:  make(chan bool),
   576  			barrier: nil, // T.Parallel has no effect when fuzzing.
   577  			name:    testName,
   578  			parent:  &root,
   579  			level:   root.level + 1,
   580  			chatty:  root.chatty,
   581  		},
   582  		fuzzContext: fctx,
   583  		testContext: tctx,
   584  	}
   585  	f.w = indenter{&f.common}
   586  	if f.chatty != nil {
   587  		// TODO(#48132): adjust this to work with test2json.
   588  		f.chatty.Updatef(f.name, "=== FUZZ  %s\n", f.name)
   589  	}
   590  	go fRunner(f, fuzzTest.Fn)
   591  	<-f.signal
   592  	return !f.failed
   593  }
   594  
   595  // fRunner wraps a call to a fuzz test and ensures that cleanup functions are
   596  // called and status flags are set. fRunner should be called in its own
   597  // goroutine. To wait for its completion, receive from f.signal.
   598  //
   599  // fRunner is analogous to tRunner, which wraps subtests started with T.Run.
   600  // Unit tests and fuzz tests work a little differently, so for now, these
   601  // functions aren't consolidated. In particular, because there are no F.Run and
   602  // F.Parallel methods, i.e., no fuzz sub-tests or parallel fuzz tests, a few
   603  // simplifications are made. We also require that F.Fuzz, F.Skip, or F.Fail is
   604  // called.
   605  func fRunner(f *F, fn func(*F)) {
   606  	// When this goroutine is done, either because runtime.Goexit was called, a
   607  	// panic started, or fn returned normally, record the duration and send
   608  	// t.signal, indicating the fuzz test is done.
   609  	defer func() {
   610  		// Detect whether the fuzz test panicked or called runtime.Goexit
   611  		// without calling F.Fuzz, F.Fail, or F.Skip. If it did, panic (possibly
   612  		// replacing a nil panic value). Nothing should recover after fRunner
   613  		// unwinds, so this should crash the process and print stack.
   614  		// Unfortunately, recovering here adds stack frames, but the location of
   615  		// the original panic should still be
   616  		// clear.
   617  		if f.Failed() {
   618  			atomic.AddUint32(&numFailed, 1)
   619  		}
   620  		err := recover()
   621  		if err == nil {
   622  			f.mu.RLock()
   623  			fuzzNotCalled := !f.fuzzCalled && !f.skipped && !f.failed
   624  			if !f.finished && !f.skipped && !f.failed {
   625  				err = errNilPanicOrGoexit
   626  			}
   627  			f.mu.RUnlock()
   628  			if fuzzNotCalled && err == nil {
   629  				f.Error("returned without calling F.Fuzz, F.Fail, or F.Skip")
   630  			}
   631  		}
   632  
   633  		// Use a deferred call to ensure that we report that the test is
   634  		// complete even if a cleanup function calls F.FailNow. See issue 41355.
   635  		didPanic := false
   636  		defer func() {
   637  			if !didPanic {
   638  				// Only report that the test is complete if it doesn't panic,
   639  				// as otherwise the test binary can exit before the panic is
   640  				// reported to the user. See issue 41479.
   641  				f.signal <- true
   642  			}
   643  		}()
   644  
   645  		// If we recovered a panic or inappropriate runtime.Goexit, fail the test,
   646  		// flush the output log up to the root, then panic.
   647  		doPanic := func(err any) {
   648  			f.Fail()
   649  			if r := f.runCleanup(recoverAndReturnPanic); r != nil {
   650  				f.Logf("cleanup panicked with %v", r)
   651  			}
   652  			for root := &f.common; root.parent != nil; root = root.parent {
   653  				root.mu.Lock()
   654  				root.duration += time.Since(root.start)
   655  				d := root.duration
   656  				root.mu.Unlock()
   657  				root.flushToParent(root.name, "--- FAIL: %s (%s)\n", root.name, fmtDuration(d))
   658  			}
   659  			didPanic = true
   660  			panic(err)
   661  		}
   662  		if err != nil {
   663  			doPanic(err)
   664  		}
   665  
   666  		// No panic or inappropriate Goexit.
   667  		f.duration += time.Since(f.start)
   668  
   669  		if len(f.sub) > 0 {
   670  			// Unblock inputs that called T.Parallel while running the seed corpus.
   671  			// This only affects fuzz tests run as normal tests.
   672  			// While fuzzing, T.Parallel has no effect, so f.sub is empty, and this
   673  			// branch is not taken. f.barrier is nil in that case.
   674  			f.testContext.release()
   675  			close(f.barrier)
   676  			// Wait for the subtests to complete.
   677  			for _, sub := range f.sub {
   678  				<-sub.signal
   679  			}
   680  			cleanupStart := time.Now()
   681  			err := f.runCleanup(recoverAndReturnPanic)
   682  			f.duration += time.Since(cleanupStart)
   683  			if err != nil {
   684  				doPanic(err)
   685  			}
   686  		}
   687  
   688  		// Report after all subtests have finished.
   689  		f.report()
   690  		f.done = true
   691  		f.setRan()
   692  	}()
   693  	defer func() {
   694  		if len(f.sub) == 0 {
   695  			f.runCleanup(normalPanic)
   696  		}
   697  	}()
   698  
   699  	f.start = time.Now()
   700  	fn(f)
   701  
   702  	// Code beyond this point will not be executed when FailNow or SkipNow
   703  	// is invoked.
   704  	f.mu.Lock()
   705  	f.finished = true
   706  	f.mu.Unlock()
   707  }
   708
View as plain text