Skip to content

use uninitialized output buffers for the fuzzers #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
folkertdev merged 1 commit into from
Jun 10, 2025
Merged

use uninitialized output buffers for the fuzzers #112

folkertdev merged 1 commit into from
Jun 10, 2025

Conversation

@folkertdev
Copy link
Member

@folkertdev folkertdev commented Jun 6, 2025

we previously missed a bug in zlib-rs due to only using initialized output buffers. Now we use initialized buffers at least in some places. Because bzip2 doesn't use SIMD, it should never read from these buffers anyway. In effect we test now that the total number of bytes that was written is actually correct.

cc @ros-cr

@folkertdev folkertdev requested a review from bjorn3 June 6, 2025 16:05
@codecov
Copy link

codecov bot commented Jun 6, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Flag Coverage Δ
fuzz-compress_then_decompress 50.95% <ø> (-0.14%) ⬇️
fuzz-decompress_chunked 30.03% <ø> (-2.27%) ⬇️
test-aarch64-apple-darwin 90.08% <ø> (ø)
test-x86_64-apple-darwin 90.18% <ø> (ø)
test-x86_64-unknown-linux-gnu 90.08% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

bjorn3
bjorn3 reviewed Jun 10, 2025
View reviewed changes
fuzz/fuzz_targets/compress_then_decompress_chunked.rs Outdated
unsafe { output.set_len(usize::try_from(total).unwrap()) };

// Just check that this byte is in fact initialized.
_ = output.last() == Some(&0);
Copy link
Collaborator

@bjorn3 bjorn3 Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
_ = output.last() == Some(&0);
std::hint::black_box(output.last() == Some(&0));

otherwise it will be optimized away, which would probably cause asan to not catch uninitialized memory.

bjorn3
bjorn3 reviewed Jun 10, 2025
View reviewed changes
fuzz/fuzz_targets/decompress_chunked.rs Outdated
unsafe { output.set_len(usize::try_from(total).unwrap()) };

// Just check that this byte is in fact initialized.
_ = output.last() == Some(&0);
Copy link
Collaborator

@bjorn3 bjorn3 Jun 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same

@folkertdev
use uninitialized output buffers for the fuzzers
f6c91a5 
we previously missed a bug in zlib-rs due to only using initialized output buffers
@folkertdev folkertdev force-pushed the fuzz-output-uninitialized branch from 03e5689 to f6c91a5 Compare June 10, 2025 10:20
@folkertdev
Copy link
Member Author

folkertdev commented Jun 10, 2025

Just as a note: currently the fuzzer probably won't catch uninitialized memory. For that, we'd need 1) a much more recent version of cargo-fuzz (built from source because they haven't released in quite a while), and 2) pass CC="clang" CFLAGS="-fsanitize=memory" along with -msanitizer=memory. the cflags are so that memory that is written to by C code is not flagged as uninitialized.

@folkertdev folkertdev merged commit ceaf25d into main Jun 10, 2025
23 checks passed
@folkertdev folkertdev deleted the fuzz-output-uninitialized branch June 10, 2025 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjorn3 bjorn3 bjorn3 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@folkertdev @bjorn3