Paul Krill
Editor at Large

Go fuzz to catch hard-to-find bugs in Go

Jun 7, 2021

Native Go fuzz testing tool is now ready for beta testing but won’t be included in upcoming release of the language.


Native fuzzing for the Google-created Go language is ready for beta testing, the Go project announced. The goal behind the new automated testing capability is to help Go developers improve code quality and ensure that systems built with Go are secure and resilient. 

In a bulletin published June 3, Go project developers described fuzzing as a type of automated testing that continuously manipulates inputs to a program to find issues such as panics or bugs that might otherwise go undetected. These semi-random data mutations can discover edge-case bugs that unit tests can miss. Because fuzzing provides more code coverage than traditional testing, it is particularly valuable in finding vulnerabilities and security exploits.

To get started with Go fuzz, developers can run the following:

$ go get golang.org/dl/gotip
$ gotip download dev.fuzz

While the fuzzing feature will not be available in the planned Go 1.17 release expected in August, there are plans to include it in a future release. It is hoped that the working prototype will allow developers to begin writing fuzz targets and offer feedback. Developers can offer feedback on Gophers Slack and file issues on GitHub.

Go project developers advise that fuzzing can consume a lot of memory and could impact machine performance while running. By default, go test -fuzz runs fuzzing in $GOMAXPROCS processes in parallel. Developers can lower the number of processes used while fuzzing by setting the -parallel flag with go test.

Further, developers are advised that the fuzzing engine writes values that expand test coverage to a fuzz cache directory within $GOCACHE/fuzz while running. There is currently no limit on the number of files or total bytes that may be written to the fuzz cache, so it could occupy large amounts of storage, as much as several gigabytes. The fuzz cache can be cleared by running gotip clean -fuzzcache.
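A fuzz target of the kind developers can begin writing, shown here as an added example that is not code from the Go project's bulletin or from this article. The record format and the names parseRecord, checkRecord, errTruncated and FuzzParseRecord are hypothetical; placed in a _test.go file, the target runs with go test -fuzz=FuzzParseRecord, optionally with -parallel to lower the number of processes.

```go
package main

import (
	"errors"
	"fmt"
	"testing"
)

var errTruncated = errors.New("record truncated")

// parseRecord decodes a hypothetical record (constructed for this example):
// one length byte followed by that many payload bytes.
func parseRecord(b []byte) (payload, rest []byte, err error) {
	// Without this bounds check, b[0] and b[1:1+n] panic on empty or short
	// input, the kind of edge case a mutated input reaches quickly.
	if len(b) == 0 || len(b)-1 < int(b[0]) {
		return nil, nil, errTruncated
	}
	n := int(b[0])
	return b[1 : 1+n], b[1+n:], nil
}

// checkRecord states the properties that must hold for any input at all.
func checkRecord(b []byte) error {
	payload, rest, err := parseRecord(b)
	if err != nil {
		return nil // rejecting malformed input is fine; panicking is not
	}
	if len(payload) != int(b[0]) || 1+len(payload)+len(rest) != len(b) {
		return fmt.Errorf("inconsistent split of input %x", b)
	}
	return nil
}

// FuzzParseRecord seeds the corpus, then lets the engine mutate the bytes.
func FuzzParseRecord(f *testing.F) {
	f.Add([]byte{2, 'h', 'i'}) // seed: well-formed record
	f.Add([]byte{5, 'x'})      // seed: header claims more bytes than present
	f.Fuzz(func(t *testing.T, b []byte) {
		if err := checkRecord(b); err != nil {
			t.Fatal(err)
		}
	})
}

func main() { // quick stand-alone run over the two seeds
	for _, in := range [][]byte{{2, 'h', 'i'}, {5, 'x'}} {
		fmt.Printf("%x ok=%v\n", in, checkRecord(in) == nil)
	}
}
```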
