Gremlin.js: Throw a thousand monkeys at your page (opens in new tab)

Back in the very early days of Palm OS, Palm had a "Quality Certification" you could apply for, and if your app passed, you'd get a bunch of marketing benefits. So we went for the highest-level certification on our products, which required surviving 1,000,000 gremlins.

At first I was very skeptical that it would find any meaningful bugs, but in fact it was very good at finding memory leaks and edge cases. In the end it took us several weeks to finally be able to survive the 1M gremlins without a crash. A single run of 1M gremlins would take about 24 hours.

In later years they added the capability to supply your own dictionary of values to apply to certain inputs so that gremlins could get past validation, and it would also save the entire state of the device every 10K events so that you could easily reproduce errors that Gremlins found.

I could definitely see this as a good way to stress-test certain parts of your app, though it takes a ton of time, and frankly without surrounding tooling (like resource monitoring, saving "state") it wouldn't be practical.

As the author of this lib, I can confirm: it was named after the movie.

Or even more probable, they are both simply named after Gremlins [0]

[0]: http://www.etymonline.com/index.php?search=gremlin

Chromium uses fuzzing extensively: http://blog.chromium.org/2012/04/fuzzing-for-security.html

I wouldn't call this fuzz test because it focuses on simulating legitimate actions. Do random clicking. Do random scrolling. Do random mouseovers. Do random [any DOM event]. Yes, they are doing this at a massive scale, but the key here is that germlin.js can only do things a user can do. In short, Gremlin is just automating actions; basic legal, legitimate actions. Still cool, and great for stress testing or looking for race conditions in your UI code, but not fuzz testing.

Fuzz testing, on the other hand, is about modifying the data, to interacting with the UI. To use an analogy, fuzz testing Microsoft word might involve corrupting various structures in the DOC or DOCX file or in an OLE embed with malformed data and seeing how the parser/program reacts. The Gremlin.js equivlent would be just clicking on a bunch of buttons in the Word UI really really fast.

Both are helpful, but they are testing different things

It's not antiquated at all, it is still very relevant for security testing. If you're hunting memory handling bugs, for example, fuzzing is probably the most cost effective way of doing it, if you can automate instrumentation (sample input and testing oracle, IMHO AddressSanitizer is the best option for the latter ATM). If you're interested, you might want to check the wiki page of Radamsa, a general-purpose fuzzer (shameless plug for my collague): https://code.google.com/p/ouspg/wiki/Radamsa

I'm not sure how up to date the CVE list is, but it probably gives you an idea, if the fuzzing is still relevant or not :-)

Chaos monkeys meet entropy gremlins.

(Watch out for water.)

More info (the open sourced it): http://techblog.netflix.com/2012/07/chaos-monkey-released-in...

You read my mind, that totally looks like anarchy mode applied to to the web :)

All the gremlins are configurable, you can specify which elements they can interact on (and therefore exclude "dangerous" elements).

Relevant doc: https://github.com/marmelab/gremlins.js#configuring-gremlins

The gremlin is older (and broader) than that movie: https://en.wikipedia.org/wiki/Gremlin

Or older perhaps.. https://www.youtube.com/watch?v=D1xqrdtJs8w