Question 1

How do I set up go-fuzz for a Go package?

Accepted Answer

Write a Fuzz function in a non-main package, use go-fuzz-build to create an instrumented archive, and run go-fuzz with a corpus directory. The README provides step-by-step examples, like for the PNG package.

Question 2

go-fuzz vs Go native fuzzing: which is better?

Accepted Answer

go-fuzz is more mature with features like distributed fuzzing and corpus management, but Go 1.18's native fuzzing is integrated into the toolchain. For advanced use cases, go-fuzz offers more control; for simplicity, native fuzzing may suffice.

Question 3

Does go-fuzz work with Go modules?

Accepted Answer

Yes, but support is preliminary. You might need to disable modules via GO111MODULE=off in some cases, and vendor directories are not supported. Check the README for details and issue reporting.

Question 4

How to write a good Fuzz function in go-fuzz?

Accepted Answer

The Fuzz function should parse inputs, return 1 for valid ones to prioritize them, and include application-level checks like serialization round-trips. Examples in the README, such as for image/png, show best practices.

Question 5

Can go-fuzz be used in CI/CD pipelines?

Accepted Answer

Yes, it integrates with services like GitLab and Fuzzbuzz for continuous fuzzing. The README mentions tutorials for setting up ongoing fuzzing in CI/CD to catch bugs automatically.

Question 6

What types of bugs has go-fuzz found?

Accepted Answer

It has discovered crashes, hangs, memory corruption, and logical errors in Go's standard library and third-party packages, as listed in the extensive trophies section, including fixes in fmt, regexp, and encoding libraries.

go-fuzz

What is go-fuzz?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions