Figure out a solution for the stdlib #5
Comments
|
It is likely that instrumenting libstd itself is counterproductive. Instrumenting libstd and all dependent libraries will increase the workload of sanitizer greatly and may take longer than necessary to yield useful results. Instead we should instrument the target crate only by default and provide options to increase fuzzing scope (instrumenting dependencies, instrumenting libstd, etc.) |
|
idk, lots of panics originate from the stdlib (indexing, etc). While it's true that the branches from these usually get inlined (even though the panic code doesn't), which should be enough for fuzzing, it would be nice to have an instrumented stdlib. rust-san has instructions for setting up an instrumented stdlib with xargo, we could probably just provide links to that and perhaps add a cargo fuzz command for setting that up. You're right that this doesn't have to be the default. |
|
Some clarification to my comment above:
By only instrumenting the crate of interest, what is essentially done is search for bugs within the crate of interest alone (± some inlined code). By instrumenting the dependencies (incl. This may sound desirable, but it is not. The dependencies can be fuzzed on their own. Fuzzing the crates separately both reduces the scope of fuzzing greatly (i.e. fuzzing is faster to find bugs, and if no bugs are found, there’s more confidence about crate being correct for the same investment of time), but also verifies the correctness of the dependency crate independently, which is strictly better than checking correctness of dependency within context of your own crate. So it seems to me that fuzzing crates separately and in isolation is ideal. I recognise that not everybody wants to spend effort to fuzz their dependencies and that fuzzing everything at once is less effort – that’s where the options to increase the scope come in. |
Well, yeah, but the branches in libstd will be opaque to the fuzzer, no? Interesting point about fuzzing dependencies. We're currently using RUSTFLAGS but an option to use cargo rustc would be nice. |
I suspect this is why I can't usefully fuzz the // Search for the start of a ProgramStream packet.
let needle = &[0x00, 0x00, 0x01, 0xba];
let start = self.remaining.windows(needle.len())
.position(|window| needle == window);When I fuzz this, I'm going to try reading the "san" docs to see if I can rebuild |
|
OK, there's some useful information in the Reddit thread announcing I'd really like to fuzz |
|
@emk consider providing at least one starter file to the fuzzer (put into fuzz/corpus).
That’s only for functions monomorphised within libstd. They are few and far between. |
|
@nagisa Thank you for your advice! It turned out I had two problems:
Now I've found 5 issues and I'm looking for more (I'll submit a PR for the trophy case shortly). These kinds of low-level binary decoders are excellent hunting grounds for bugs, even in safe mode. I've provided documentation on how to fuzz-test |
|
Triage: documentation issue, excerpt from above:
|
|
I think this is kinda solved in nightly? https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#build-std |
|
Yeah, you can also use xargo on stable. I'd accept PRs adding support for a build-std mode |
|
FWIW this is strictly required for Memory Sanitizer to work. Right now enabling msan in cargo-fuzz makes any binary immediately abort with a MSAN error. This is documented in more detail here: https://doc.rust-lang.org/nightly/unstable-book/compiler-flags/sanitizer.html#memorysanitizer A recipe for MSAN build that also enables MSAN for C dependencies that are linked into the binary can be found here: rust-lang/rust#39610 (comment) |
|
This is now as simple as Also, #233 automatically enables this option if Memory Sanitizer is enabled. |
|
Should fuzz targets always use |
Libstd isn't built with sanitizer support. Perhaps we should release a version that is.
The text was updated successfully, but these errors were encountered: