Check min size needed with Arbitrary::size_hint and early exit if the data isn't long enough
#59
Comments
|
it feels like libfuzzer should have an option for this? if not perhaps we should ask for one? |
|
What are you imagining that libfuzzer would do? It doesn't know whether it provided enough bytes for |
|
Hello! I'm new to cargo-fuzz but I've encountered similar issues when implementing the Zest algorithm in JQF (a structured-input fuzzer for Java). The solution for this problem was to extend the input on-demand when the Quickcheck generators (analogous to I don't know much about libfuzzer internals, but it would be good if a test driver could actually modify and extend the byte array that libfuzzer provides during test execution, so that cargo-fuzz (or libfuzzer-sys) could just populate any extra bytes with freshly generated random values on demand. That would be such a useful feature for libfuzzer to have in many different scenarios other than powering |
|
@fitzgen |
|
@rohanpadhye Worth proposing to libFuzzer. I suspect that given the general fuzzer focus on fuzzer-driven mutation this may not actually work that well, but worth a shot either way. |
|
Thanks for the insights @rohanpadhye!
@Manishearth, this reminds me of how during the redesign of We could fairly easily start returning zeros after we've exhausted the input (and have a max limit on how many zeros we return just in case something gets in a loop). But if we were to actually pursue this, first I would want to take a real world fuzz target (or multiple targets) and test how much code coverage we get after X period of time with and without the zero extending, when starting from an empty corpus. Unfortunately, I don't have the cycles to run the experiment... Anyways, I'll file an issue for a |
|
Oh another idea is we could do something like this: if data.len() < Arbitrary::<FuzzTargetType>::size_hint().0 {
return;
}
...in the |
|
In fact, I think that would be the best way to handle this. |
fitzgen
changed the title
Arbitrary::size_hint to create initial seeds for corpus or control -max_len and -len_control?Arbitrary::size_hint and early exit if the data isn't long enough
@bnjbvr was reporting that starting fuzzing from scratch with a fuzz target that takes an
Arbtiraryimpl was spending a lot of time on three bytes long inputs, where theArbitraryimplementation required more input bytes than given. The fuzzer wasn't giving more input bytes fast enough to get to the meaty bits of the fuzz target.In theory, we could use
Arbitrary::size_hintto create a bunch of random seeds for the corpus of the appropriate size and/or control the maximum length of inputs that libfuzzer will generate.I'm not sure exactly what this would look like, but it probably requires another env var dance between
cargo fuzzandlibfuzzer-syslike how the debug printing works.As far as how this is exposed to users, maybe we should add
cargo fuzz seed <target>as a new subcommand?Or maybe we can just document that users can do something like
head -c 100 /dev/random > fuzz/corpus/my-target/my-random-seedto add a random 100 bytes seed to their fuzz target's corpus to get things off the ground...The text was updated successfully, but these errors were encountered: