Skip to content

Conversation

danilrwx
Copy link
Contributor

@danilrwx danilrwx commented Jul 21, 2025

Description

This PR fix bring some fixes for fuzzing tests.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: fix
summary: This PR fix bring some fixes for fuzzing tests.
impact_level: low

@danilrwx danilrwx force-pushed the fix/test/fuzz-testing-fail branch from 0031a5a to ec7a88a Compare July 30, 2025 18:30
@danilrwx danilrwx force-pushed the fix/test/fuzz-testing-fail branch from 4b337eb to 9a19147 Compare October 1, 2025 10:45
@danilrwx danilrwx changed the title fix(test): Fuzzing testing fail concurrent fix(test): Fuzzing testing fail Oct 2, 2025
@danilrwx danilrwx modified the milestones: v1.1.0, v1.2.0 Oct 2, 2025
@danilrwx danilrwx marked this pull request as ready for review October 3, 2025 13:12
Copy link

sourcery-ai bot commented Oct 3, 2025

Reviewer's Guide

This PR refines the HTTP fuzzing framework by standardizing on testing.TB, improving error handling for header fuzzing, cleaning up unused code, adjusting upload locking semantics, and updating fuzz scripts and Dockerfiles with dependency and caching enhancements.

Class diagram for updated HTTP fuzzing framework

classDiagram
    class fuzzRequest {
        +Fuzz(tb testing.TB, data []byte, method string, addr string) *http.Request
    }
    class ProcessRequests {
        +ProcessRequests(tb *testing.T, data []byte, addr string, methods ...string)
    }
    class ProcessRequest {
        +ProcessRequest(tb testing.TB, data []byte, addr string, method string)
    }
    class fuzzHTTPRequest {
        +fuzzHTTPRequest(tb testing.TB, fuzzReq *http.Request) *http.Response
    }
    ProcessRequests --> ProcessRequest
    ProcessRequest --> fuzzRequest : uses
    ProcessRequest --> fuzzHTTPRequest : uses
    fuzzRequest --> http.Request : returns
    fuzzHTTPRequest --> http.Response : returns
Loading

Class diagram for uploader locking change

classDiagram
    class uploadServerApp {
        +processUpload(irc imageReadCloser, w http.ResponseWriter, r *http.Request)
        +upload(readCloser, cdiContentType, dvContentType, headers)
        -mutex
    }
    uploadServerApp : processUpload() now locks before calling upload()
Loading

File-Level Changes

Change Details Files
Refactor fuzz test helpers to use testing.TB consistently
  • Rename testing parameter from t to tb across helper functions
  • Replace t.Helper/Errorf/Skipf/Logf calls with tb counterparts
  • Remove unused os import
images/dvcr-artifact/pkg/fuzz/http.go
Improve error handling in header fuzzing
  • Handle error from fuzzConsumer.FuzzMap and skip test on failure
images/dvcr-artifact/pkg/fuzz/http.go
Remove unused port parsing utility
  • Delete GetPortFromEnv function and related imports
images/dvcr-artifact/pkg/fuzz/http.go
Fix uploader lock ordering
  • Move app.upload invocation inside mutex lock to ensure proper error handling context
images/dvcr-artifact/pkg/uploader/uploader.go
Streamline fuzz scripts
  • Remove manual kill logic for fuzzworker processes in fuzz.sh
  • Add Go build cache and fuzz logs volume mounts in docker-fuzz.sh
images/dvcr-artifact/fuzz.sh
images/dvcr-artifact/docker-fuzz.sh
Update Dockerfile for fuzz environment
  • Bump Go base image from 1.23 to 1.24
  • Install qemu-utils alongside libnbd-dev
images/dvcr-artifact/fuzz.Dockerfile

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes - here's some feedback:

  • The loop over header values was changed to “for range len(v)”, which won’t compile—iterate directly over the slice/string (e.g. “for range v”) or use a proper index loop.
  • In processUpload you’re holding the mutex for the duration of the upload call; move the app.upload invocation outside the lock so only the state mutation is protected.
  • You removed the fuzzworker cleanup in fuzz.sh—consider reintroducing a cleanup step or refactoring it to avoid orphaned processes after fuzzing.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The loop over header values was changed to “for range len(v)”, which won’t compile—iterate directly over the slice/string (e.g. “for range v”) or use a proper index loop.
- In processUpload you’re holding the mutex for the duration of the upload call; move the app.upload invocation outside the lock so only the state mutation is protected.
- You removed the fuzzworker cleanup in fuzz.sh—consider reintroducing a cleanup step or refactoring it to avoid orphaned processes after fuzzing.

## Individual Comments

### Comment 1
<location> `images/dvcr-artifact/fuzz.Dockerfile:6` </location>
<code_context>
   build-essential \
-  libnbd-dev
+  libnbd-dev \
+  qemu-utils

 WORKDIR /app
</code_context>

<issue_to_address>
**🚨 question (security):** Adding qemu-utils increases image size and attack surface.

If qemu-utils is not essential for fuzzing, please reconsider its inclusion due to the increased image size and attack surface.
</issue_to_address>

### Comment 2
<location> `images/dvcr-artifact/pkg/uploader/uploader.go:348` </location>
<code_context>
 		w.WriteHeader(http.StatusBadRequest)
 	}

-	err = app.upload(readCloser, cdiContentType, dvContentType, parseHTTPHeader(r))
-
 	app.mutex.Lock()
 	defer app.mutex.Unlock()

+	err = app.upload(readCloser, cdiContentType, dvContentType, parseHTTPHeader(r))
+
 	if err != nil {
</code_context>

<issue_to_address>
**issue (performance):** Moving upload call inside mutex may affect concurrency.

This change may serialize uploads, impacting performance in high-throughput use cases. Confirm if this is necessary for thread safety.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant