-
Notifications
You must be signed in to change notification settings - Fork 10
-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider respecting cfg!(fuzzing) #115
Comments
I don't really follow why calculating checksums would be a problem for fuzzing? the checksum is entirely deterministic, and other implementations should generate the same checksum for the same input bytes. Can you elaborate on what exactly we should do differently when |
This would be for the inflate codepath. There the fuzzer would be generating random sequences of bytes and feeding them to the library as zlib bitstreams. Most (at least initially) would be corrupt for one reason or another, but over time the fuzzer would start to find bitstreams that were valid other than the checksum. Rather than forcing the fuzzer to also look for valid checksums, you can instead have the decompressor return success even when the checksum doesn't match. This is where miniz_oxide ignores the checksum and here is a fuzz test that found multiple bugs in fdeflate and miniz_oxide by comparing their behavior to each other. |
that's interesting. I think a lot of code paths are already covered by the raw (so, no header, no footer) deflate stream but control flow does branch on the raw/zlib/gzip mode. So, I just naively tried this, and it doesn't seem to do anything?
so, there must be more to it than that? But the docs suggest to me that the above should just work. |
That is unfortunately expected on recent nightlies. The compiler now "helpfully" prints that even though the fuzzer enables the cfg!(fuzzing) flag |
It turns out this is not as easy as it seems. We currently test against In our So if under fuzzing we allow incorrect checksums, that fuzzer will now no longer detect the case where zlib-ng returns a Is fuzzing against |
That is tricky to deal with. I don't specifically need this for testing I would recommend designing an interface that exposes the precise error cause. Probably isn't that helpful for end users, but it can make fuzzing differences easier to root cause. |
The
cfg!(fuzzing)
flag is designed as a way to disable checksums validation and similar checks when Rust code is run under fuzzing. This would be helpful to enable differential fuzzing between the many existing Rust zlib implementations.The text was updated successfully, but these errors were encountered: