Skip to content

THRIFT-5855: Add netstd fuzzers #3402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Jens-G merged 1 commit into from
Apr 17, 2026
Merged

THRIFT-5855: Add netstd fuzzers #3402

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 1 addition & 4 deletions FUZZING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,7 @@ We currently maintain fuzzers for the following languages:
- Ruby
- Rust
- Swift

We are working on adding fuzzers for the following languages:

- netstd
- netstd (only supported locally, and not on oss-fuzz)

## Fuzzer Types

Expand Down
20 changes: 20 additions & 0 deletions lib/netstd/Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,23 @@ check-local:
$(DOTNETCORE) test Tests/Thrift.Tests/Thrift.Tests.csproj
$(DOTNETCORE) test Tests/Thrift.IntegrationTests/Thrift.IntegrationTests.csproj

# Opt-in. Not wired into check-local because it requires the
# SharpFuzz.CommandLine global tool and libfuzzer-dotnet binary,
# which are dev-only dependencies. Run manually: `make build-fuzzers`.
build-fuzzers:
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Parse -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Parse -p:Engine=Libfuzzer
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Roundtrip -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Binary -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Parse -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Parse -p:Engine=Libfuzzer
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Roundtrip -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Compact -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Parse -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Parse -p:Engine=Libfuzzer
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Roundtrip -p:Engine=AFL
$(DOTNETCORE) build Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj -p:Protocol=Json -p:FuzzerType=Roundtrip -p:Engine=Libfuzzer

clean-local:
$(RM) -r Thrift/bin
$(RM) -r Thrift/obj
Expand All @@ -44,6 +61,8 @@ clean-local:
$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.net9/obj
$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/bin
$(RM) -r Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/obj
$(RM) -r Tests/Thrift.FuzzTests/bin
$(RM) -r Tests/Thrift.FuzzTests/obj

distdir:
$(MAKE) $(AM_MAKEFLAGS) distdir-am
Expand All @@ -60,6 +79,7 @@ EXTRA_DIST = \
Tests/Thrift.Compile.Tests/Thrift.Compile.net8/Thrift.Compile.net8.csproj \
Tests/Thrift.Compile.Tests/Thrift.Compile.net9/Thrift.Compile.net9.csproj \
Tests/Thrift.Compile.Tests/Thrift.Compile.netstd2/Thrift.Compile.netstd2.csproj \
Tests/Thrift.FuzzTests \
Tests/Thrift.Tests/Collections \
Tests/Thrift.Tests/DataModel \
Tests/Thrift.Tests/Protocols \
Expand Down
61 changes: 61 additions & 0 deletions lib/netstd/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,3 +53,64 @@ Because of the different environment requirements, migration from C# takes sligh
- In case you are using Thrift server event handlers: the `SetEventHandler` method now starts with an uppercase letter
- and you will also have to revise the method names of all `TServerEventHandler` descendants you have in your code

# Fuzzing

We use [SharpFuzz](https://github.com/Metalnem/sharpfuzz) (and its libfuzzer variant) to fuzz the Thrift protocol parsers. This is **not** integrated with oss-fuzz, so all fuzzing must be run locally. **Supported platform: Linux only.** The fuzzers are opt-in and are **not** built by `make check`; run `make build-fuzzers` (or `./buildfuzzers.sh`) explicitly.
Copy link
Copy Markdown
Contributor

@mhlakhani mhlakhani Apr 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lowpri: is it possible to have a mode where they are built by make check (without fuzz instrumentation)?

the reason I ask is e.g. to avoid cases where we make some change to the code that breaks the fuzzer build, and then we don't realize it because compilation doesn't run in CI


## Prerequisites

1. A .NET 10 SDK (same one used for the rest of `lib/netstd`).

2. The SharpFuzz IL-rewriter CLI, installed as a .NET global tool:

```bash
dotnet tool install --global SharpFuzz.CommandLine
export PATH="$PATH:$HOME/.dotnet/tools"
```

Add the `PATH` export to your shell rc if you want it to persist.

3. The native `libfuzzer-dotnet` driver binary. Grab a prebuilt release from the
[Metalnem/libfuzzer-dotnet releases page](https://github.com/Metalnem/libfuzzer-dotnet/releases)
(or build it from source). Place it in a directory of your choice and point
`SHARPFUZZ_DIR` at that directory:

```bash
export SHARPFUZZ_DIR=/path/to/libfuzzer-dotnet-dir
```

`buildfuzzers.sh` and `runfuzzer.sh` expect to find `$SHARPFUZZ_DIR/libfuzzer-dotnet`.

## A temporary note on `DOTNET_ROLL_FORWARD`

As of SharpFuzz.CommandLine 2.2.0, the global tool's `runtimeconfig.json` pins the
tool to .NET 9, which prevents it from running under a .NET 10-only host. Both
`buildfuzzers.sh` and `runfuzzer.sh` therefore export `DOTNET_ROLL_FORWARD=Major`
at the top of the script as a workaround. Upstream fix:
[SharpFuzz PR #72](https://github.com/Metalnem/sharpfuzz/pull/72) (merged, pending
release as SharpFuzz 2.3.0). Once that release ships, remove the `DOTNET_ROLL_FORWARD`
exports from both shell drivers and update the SharpFuzz package pin in
`Tests/Thrift.FuzzTests/Thrift.FuzzTests.csproj`.

## Running the fuzzers

Build all twelve fuzzer assemblies (3 protocols x 2 fuzzer types x 2 engines) and
instrument them with SharpFuzz:

```bash
./buildfuzzers.sh
```

Run one fuzzer:

```bash
./runfuzzer.sh <fuzzer-name> <engine> [extra-fuzzer-args...]
```

Where `<fuzzer-name>` is one of `binary`, `compact`, `json`, `binary-roundtrip`,
`compact-roundtrip`, `json-roundtrip`, and `<engine>` is `libfuzzer` or `afl`.
Any additional arguments are passed through to the underlying fuzzer engine, e.g.:

```bash
./runfuzzer.sh binary libfuzzer -runs=10000
```
108 changes: 108 additions & 0 deletions lib/netstd/Tests/Thrift.FuzzTests/ProtocolFuzzerBase.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
// Licensed to the Apache Software Foundation(ASF) under one
// or more contributor license agreements.See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

using System;
using System.IO;
using SharpFuzz;
using Thrift.Protocol;
using Thrift.Transport;
using Thrift.Transport.Client;

namespace Thrift.Tests.Protocols.Fuzzers
{
/// <summary>
/// Base class for protocol fuzzers that handles the common fuzzing logic.
/// </summary>
/// <typeparam name="FuzzProtocol">The type of protocol to use for deserialization.</typeparam>
public abstract class ProtocolFuzzerBase<FuzzProtocol> where FuzzProtocol : TProtocol
{
/// <summary>
/// Environment variable that controls whether to use in-process fuzzing for AFL.
/// When set to "1", uses Fuzzer.Run instead of Fuzzer.OutOfProcess.Run.
/// </summary>
protected const string UseInProcessFuzzingEnvVar = "THRIFT_AFL_IN_PROCESS";

/// <summary>
/// 10MB message size limit to prevent over-allocation during fuzzing
/// </summary>
protected const int FUZZ_MAX_MESSAGE_SIZE = 10 * 1024 * 1024;

/// <summary>
/// Creates a new instance of the protocol for the given transport.
/// </summary>
protected abstract FuzzProtocol CreateProtocol(TTransport transport);

/// <summary>
/// Helper method that contains the core fuzzing logic.
/// </summary>
private void ProcessFuzzStream(Stream stream)
{
try
{
var config = new TConfiguration();
config.MaxMessageSize = FUZZ_MAX_MESSAGE_SIZE;
var transport = new TStreamTransport(stream, null, config);
var protocol = CreateProtocol(transport);

var obj = new FuzzTest();
obj.ReadAsync(protocol, default).GetAwaiter().GetResult();
}
// Narrow catch list: these are the exception families we expect from the
// protocol/transport layer on malformed fuzzer input. Do NOT widen to
// catch (Exception) — a broad catch would swallow legitimate bugs and
// defeat the purpose of fuzzing.
catch (TProtocolException) { /* Expected for malformed fuzzer input */ }
catch (TTransportException) { /* Expected for malformed fuzzer input */ }
catch (TException) { /* Expected for malformed fuzzer input */ }
catch (EndOfStreamException) { /* Expected for malformed fuzzer input */ }
catch (IOException) { /* Expected for malformed fuzzer input */ }
}

/// <summary>
/// The core fuzzing logic that processes a single input.
/// </summary>
protected void ProcessFuzzInput(ReadOnlySpan<byte> span)
{
using var stream = new MemoryStream(span.ToArray());
ProcessFuzzStream(stream);
}

/// <summary>
/// Runs the fuzzer with LibFuzzer.
/// </summary>
protected void RunLibFuzzer()
{
Fuzzer.LibFuzzer.Run(ProcessFuzzInput);
}

/// <summary>
/// Runs the fuzzer with AFL.
/// </summary>
protected void RunAFL()
{
var useInProcess = Environment.GetEnvironmentVariable(UseInProcessFuzzingEnvVar) == "1";
if (useInProcess)
{
Fuzzer.Run(ProcessFuzzStream);
}
else
{
Fuzzer.OutOfProcess.Run(ProcessFuzzStream);
}
}
}
}
133 changes: 133 additions & 0 deletions lib/netstd/Tests/Thrift.FuzzTests/ProtocolRoundtripFuzzerBase.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
// Licensed to the Apache Software Foundation(ASF) under one
// or more contributor license agreements.See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

using System;
using System.IO;
using SharpFuzz;
using Thrift.Protocol;
using Thrift.Transport;
using Thrift.Transport.Client;

namespace Thrift.Tests.Protocols.Fuzzers
{
/// <summary>
/// Base class for protocol round-trip fuzzers that handles the common fuzzing logic.
/// </summary>
/// <typeparam name="FuzzProtocol">The type of protocol to use for serialization/deserialization.</typeparam>
public abstract class ProtocolRoundtripFuzzerBase<FuzzProtocol> where FuzzProtocol : TProtocol
{
/// <summary>
/// Environment variable that controls whether to use in-process fuzzing for AFL.
/// When set to "1", uses Fuzzer.Run instead of Fuzzer.OutOfProcess.Run.
/// </summary>
protected const string UseInProcessFuzzingEnvVar = "THRIFT_AFL_IN_PROCESS";

/// <summary>
/// 10MB message size limit to prevent over-allocation during fuzzing
/// </summary>
protected const int FUZZ_MAX_MESSAGE_SIZE = 10 * 1024 * 1024;

/// <summary>
/// Creates a new instance of the protocol for the given transport.
/// </summary>
protected abstract FuzzProtocol CreateProtocol(TTransport transport);

/// <summary>
/// Helper method that contains the core fuzzing logic.
/// </summary>
private void ProcessFuzzStream(Stream stream)
{
try
{
// First deserialize the input
var config = new TConfiguration();
config.MaxMessageSize = FUZZ_MAX_MESSAGE_SIZE;
var inputTransport = new TStreamTransport(stream, null, config);
var inputProtocol = CreateProtocol(inputTransport);

var inputObj = new FuzzTest();
inputObj.ReadAsync(inputProtocol, default).GetAwaiter().GetResult();

// Now serialize it back
using var outputStream = new MemoryStream();
var outputTransport = new TStreamTransport(null, outputStream, config);
var outputProtocol = CreateProtocol(outputTransport);
inputObj.WriteAsync(outputProtocol, default).GetAwaiter().GetResult();
outputTransport.FlushAsync(default).GetAwaiter().GetResult();

// Get the serialized bytes and deserialize again
var serialized = outputStream.ToArray();
using var reStream = new MemoryStream(serialized);
var reTransport = new TStreamTransport(reStream, null, config);
var reProtocol = CreateProtocol(reTransport);

var outputObj = new FuzzTest();
outputObj.ReadAsync(reProtocol, default).GetAwaiter().GetResult();

// Compare the objects
if (!inputObj.Equals(outputObj))
{
throw new Exception("Round-trip objects are not equal");
}
}
// Narrow catch list: these are the exception families we expect from the
// protocol/transport layer on malformed fuzzer input. Do NOT widen to
// catch (Exception) — a broad catch would swallow the
// "Round-trip objects are not equal" System.Exception thrown above,
// which is exactly the round-trip divergence the fuzzer is supposed to
// surface as a finding.
catch (TProtocolException) { /* Expected for malformed fuzzer input */ }
catch (TTransportException) { /* Expected for malformed fuzzer input */ }
catch (TException) { /* Expected for malformed fuzzer input */ }
catch (EndOfStreamException) { /* Expected for malformed fuzzer input */ }
catch (IOException) { /* Expected for malformed fuzzer input */ }
}

/// <summary>
/// The core fuzzing logic that processes a single input.
/// </summary>
protected void ProcessFuzzInput(ReadOnlySpan<byte> span)
{
using var stream = new MemoryStream(span.ToArray());
ProcessFuzzStream(stream);
}

/// <summary>
/// Runs the fuzzer with LibFuzzer.
/// </summary>
protected void RunLibFuzzer()
{
Fuzzer.LibFuzzer.Run(ProcessFuzzInput);
}

/// <summary>
/// Runs the fuzzer with AFL.
/// </summary>
protected void RunAFL()
{
var useInProcess = Environment.GetEnvironmentVariable(UseInProcessFuzzingEnvVar) == "1";
if (useInProcess)
{
Fuzzer.Run(ProcessFuzzStream);
}
else
{
Fuzzer.OutOfProcess.Run(ProcessFuzzStream);
}
}
}
}
Loading