Alternatively use afl-fuzzing

[vch9]

People were kind of fan of Crowbar because of Afl-fuzzing. I'm not fully aware about the witchcraft afl does, but it could be added as an optional way of generating bytes?

[c-cube]

well, the thing is, crowbar calls you, you don't call crowbar 😅 . It requires an instrumented runtime and AFL is always the outer loop.

[vch9]

Instrumented runtime might be easy. Crowbar has

type src = Random of Random.State.t | Fd of Unix.file_descr

Should be pretty simple to copy this behavior

[c-cube]

Instrumented runtime might be easy.

well you have to require that the user uses a specific AFL-enabled switch.

[Gbury]

Instrumented runtime might be easy.

well you have to require that the user uses a specific AFL-enabled switch.

Well, that's not strictly speaking necessary. You can always enable afl instrumentation in your project by using the -afl-instrument cli option of ocamlopt. All the afl switch does is enable instrumentation by default, and in doing so ensure that your dependencies are also instrumented.

[c-cube]

Really? 🤯 good to know!!

[vch9]

I'll make experimentation about that as soon as I can :)

[vch9]

From what I did so far: the issue is that we lose control on generation using bytes only.
For instance (almost like in Crowbar):

let float : t float = fun st ->
    let buf = read_bytes st 8 in
    let x = EndianBytes.LittleEndian.get_double buf 0 in
    let shrink a = fun () -> Shrink.float_towards 0. a () in
    Tree.make_primitive shrink x

We just randomly pick 8 bytes. Therefore, having controls is more delicate than we currently have, for instance, if we want a bounded float:

let x = RS.float st bound in

It's really easy using RS (as they did this work for us), and thus, would require us to break our generation.