Wayland protocol fuzzer
@pq
Submitted by Pekka Paalanen Assigned to Pekka Paalanen @pq
Description
Fuzz testing is cool, isn't it? Here's an idea that came to me, but I haven't learnt about the proper ways of fuzzing.
Have a Wayland protocol object pool. Initially you have only wl_display there. Then repeat:
1. Pick a random object from the pool.
2. Pick a random request from the object's interface.
3. Send the request with random arguments:
   - Just randomize something for all POD data types.
   - Creating a new protocol object? Add it in the pool.
   - An object as an argument? Pick one from the pool at random.
4. Sync with the compositor:
   - If the compositor crashed, win! \o/
   - If you got disconnected, backtrack, replay, and try again with something different on this iteration.
   - If it went ok, continue from 1.
Of course you need to set listeners for all events in an interface. You need some smarts to make it more likely to hit acceptable parameters. The backtracking on failure or crash should be like a depth-first search of the decision tree: if an action does not let you continue, replay the whole earlier sequence, but this time pick a different action than the one that stopped you.
Maybe use a deterministic pseudo-random number generator to guide the decisions, so you need only the seed and a { number of steps, chosen decision } for every time you had to backtrack, to be able to replay the sequence.
Or rig it all up to some proper fuzzing framework.
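As an added example (not Pekka's code and not part of Wayland or any real fuzzer), here is the loop above written out in Python: an object pool seeded with wl_display, PRNG-driven choice of object, request and arguments, new_id arguments added to the pool, object arguments drawn from it, depth-first backtracking on disconnect, and replay from nothing more than the seed plus a { iteration: chosen decision } map. Everything it talks to is constructed for the example: the interface table is a hand-written subset (bind() is simplified), the compositor is a mock whose "crash" is a planted bug, not a real one, and names such as Fuzzer, MockCompositor, run() and search() are hypothetical.

```python
import random

# Constructed, trimmed interface table; a real fuzzer would generate it from
# wayland.xml. Each request maps to its signature of (kind, interface) pairs,
# where the interface applies to new_id and object arguments.
INTERFACES = {
    "wl_display": {"get_registry": [("new_id", "wl_registry")],
                   "sync": [("new_id", "wl_callback")]},
    # Simplified: the real bind() new_id also carries an interface name and version.
    "wl_registry": {"bind": [("uint", None), ("new_id", "wl_compositor")]},
    "wl_callback": {},
    "wl_compositor": {"create_surface": [("new_id", "wl_surface")],
                      "create_region": [("new_id", "wl_region")]},
    "wl_region": {"destroy": []},
    "wl_surface": {"set_opaque_region": [("object", "wl_region")],
                   "set_buffer_scale": [("int", None)], "destroy": []},
}
DESTRUCTORS = {"destroy"}


class MockCompositor:
    """Constructed stand-in for the compositor: tracks live objects, answers
    "disconnect" where libwayland-server would raise a protocol error, and
    carries one planted bug (for the demo only) that answers "crash"."""

    def __init__(self):
        self.objects = {1: "wl_display"}

    def handle(self, obj_id, request, args):
        iface = self.objects.get(obj_id)
        if iface is None or request not in INTERFACES[iface]:
            return "disconnect"                       # unknown object or opcode
        for (kind, expected), value in zip(INTERFACES[iface][request], args):
            if kind == "object" and self.objects.get(value) != expected:
                return "disconnect"                   # object arg of the wrong interface
            if kind == "new_id":
                self.objects[value] = expected
        if iface == "wl_surface" and request == "set_buffer_scale" and args[0] <= 0:
            return "crash"                            # planted bug, not a real one
        if request in DESTRUCTORS:
            del self.objects[obj_id]
        return "ok"


class Fuzzer:
    """Client side: the object pool plus a seeded PRNG. `overrides` maps an
    iteration number to a forced action index; seed + overrides is all replay needs."""

    def __init__(self, seed, overrides):
        self.rng = random.Random(seed)
        self.overrides = overrides
        self.pool = [(1, "wl_display")]               # (object id, interface)
        self.next_id = 2
        self.log = []                                 # (idx, n_actions, obj_id, request, args)

    def rand_pod(self, kind):
        # Bias toward small values: more requests get accepted, so the sequence
        # gets deeper before the compositor disconnects us.
        small = self.rng.random() < 0.5
        if kind == "int":
            return self.rng.randint(-4, 4) if small else self.rng.randint(-2**31, 2**31 - 1)
        return self.rng.randint(0, 4) if small else self.rng.getrandbits(32)

    def build_args(self, signature):
        args = []
        for kind, iface in signature:
            if kind == "new_id":                      # new object goes into the pool
                args.append(self.next_id)
                self.pool.append((self.next_id, iface))
                self.next_id += 1
            elif kind == "object":                    # any pooled object, at random
                args.append(self.rng.choice(self.pool)[0])
            else:
                args.append(self.rand_pod(kind))
        return args

    def step(self, i):
        # One action = (object, request). The PRNG draw is always consumed, so the
        # stream stays aligned whether or not this iteration is overridden.
        cands = [(oid, iface, req) for oid, iface in self.pool for req in INTERFACES[iface]]
        drawn = self.rng.randrange(len(cands))
        idx = self.overrides.get(i, drawn)
        oid, iface, req = cands[idx]
        args = self.build_args(INTERFACES[iface][req])
        if req in DESTRUCTORS:
            self.pool.remove((oid, iface))
        self.log.append((idx, len(cands), oid, req, args))
        return oid, req, args


def run(seed, overrides, max_steps):
    """Deterministic: the same seed and overrides give the same request sequence."""
    fz, comp = Fuzzer(seed, overrides), MockCompositor()
    for i in range(max_steps):
        result = comp.handle(*fz.step(i))            # the "sync" of step 4
        if result != "ok":
            return result, fz.log
    return "ok", fz.log


def search(seed, max_steps=25, max_runs=5000):
    """Depth-first search over action choices. A disconnect (or the depth limit)
    is a dead end: try another action there, and back up once all are exhausted.
    Returns (overrides, log) on a crash, else None."""
    overrides, tried = {}, {}
    for _ in range(max_runs):
        result, log = run(seed, overrides, max_steps)
        if result == "crash":
            return overrides, log                     # \o/
        i = len(log) - 1
        while True:
            tried.setdefault(i, set()).add(log[i][0])
            for k in [k for k in overrides if k > i]:
                del overrides[k]
            for k in [k for k in tried if k > i]:
                del tried[k]
            untried = [a for a in range(log[i][1]) if a not in tried[i]]
            if untried:
                overrides[i] = untried[0]
                break
            del tried[i]                              # every action here fails: back up
            overrides.pop(i, None)
            if i == 0:
                return None
            i -= 1
    return None


if __name__ == "__main__":
    found = search(1234)
    if found:
        overrides, log = found
        print("crash at request", len(log), log[-1][3:], "replay = seed 1234 +", overrides)
```

To point this at a real compositor, replace MockCompositor with a connection to the Wayland socket and the listeners for every event: a closed socket after a wl_display.error is the "disconnect" outcome, and the compositor process dying is the "crash". The PRNG draw in step() is consumed even when the decision is overridden on purpose; that is what keeps a replay of (seed, overrides) byte-for-byte identical to the run that found the crash.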