Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzz the API #59

Open
gnzlbg opened this issue Dec 5, 2018 · 8 comments
Open

Fuzz the API #59

gnzlbg opened this issue Dec 5, 2018 · 8 comments

Comments

@gnzlbg
Copy link
Owner

gnzlbg commented Dec 5, 2018

The std::collections::VecDeque tests are not really enough to catch all bugs with SliceDeque. @Shnatsel had some posts about how to set up fuzzing.
@aldanor
Copy link

aldanor commented Dec 5, 2018

I've actually caught #57 while quickchecking / fuzzing some downstream crate that depended on slice-deque lightly. As a simple test for the quality of the fuzz suite, I'd like to suggest testing if it can catch #57 (were it to be reintroduced).

@Shnatsel
Copy link

Shnatsel commented Dec 6, 2018

There is already a fuzzing setup designed to check correctness of stdlib VecDeque, which was also created after a security bug in it was discovered. The big selling point is that it includes an unoptimized but obviously correct implementation of the same API against which the optimized implementation can be verified. It can be found at https://github.com/blt/bughunt-rust. It might not be 100% functional yet, but adapting it is probably easier than writing a comprehensive fuzzing setup from scratch.

@aldanor aldanor mentioned this issue Dec 15, 2018
Closed
@gnzlbg
Copy link
Owner Author

gnzlbg commented Dec 19, 2018

I've adapted @Shnatsel suggestion to slice-deque here: https://github.com/gnzlbg/slice_deque/tree/fuzz

Fuzzing hasn't found any bugs for me yet.

@Shnatsel
Copy link

With capacity capped to maximum value of u8 you will never allocate more than one page of memory and never exercise the actually interesting codepaths

@Shnatsel
Copy link

I gave it at about 2 million executions (approx. 8 core-hours on my machine) and it also turned up nothing. And it plateau'd pretty hard in discovering new paths through the code.

I'll run the version with u16 capacity for a while more, but I don't expect it to turn up anything.

@gnzlbg
Copy link
Owner Author

gnzlbg commented Dec 20, 2018

Thank you for your help @Shnatsel !

@Shnatsel
Copy link

u8_capacity_seeds.zip
u16_capacity_seeds.zip

These are the fuzzer findings in release mode with u8 and u16 capacities. I've run the u16 capacity for at about 10 million executions. I think the u16 version is much more compact because the fuzzer had enough time to minify the inputs.

Potential next steps would be running it without model validation but with overflow checking, and also without model validation but with address sanitizer. However, trying stuff blindly might not be a great idea. A much better idea would be to run these inputs through some kind of coverage tool to see what code is not excercised, and/or get a reproduction of the issue #57 from @zimond and then alter the fuzzing setup so that it could detect it.

@Shnatsel
Copy link

To clarify, the archives above contain the generated corpus with the most code coverage, not crashing inputs - it didn't find any of those.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Shnatsel @gnzlbg @aldanor