fuzz: Call SendMessages after ProcessMessage to increase coverage #20674
Concept ACK: more is more when it comes to coverage :)
Tested ACK fa09f97 Before:
After:
Net result: Increase in coverage: Decrease in execs/second. In fuzzing we can always add more hardware to the fuzzing farm in order to increase execs/second. Better coverage on the other hand is relatively costly to obtain. Thus we want to optimise for coverage rather than execs/second in the general case.
tACK fa09f97 I used some additional seeds and ran fuzz tests (took care to remove any further seeds generated between runs):
@MarcoFalke Do I understand correctly that:
If that's all correct, I think there might be more coverage to gain if we can invoke
@@ -75,6 +75,10 @@ void fuzz_target(const std::vector<uint8_t>& buffer, const std::string& LIMIT_TO | |||
GetTime<std::chrono::microseconds>(), std::atomic<bool>{false}); | |||
} catch (const std::ios_base::failure&) { | |||
} | |||
{ |
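Review bot: at the `{` opened right after the `catch (const std::ios_base::failure&)` block, the new scope runs outside the try, so an exception raised inside it would terminate the fuzz target rather than be swallowed like a deserialization failure. If that is intended, a one-line comment at the brace stating that the code in this scope does no deserialization would stop a later change from moving it into the try or copying the catch around it.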
Do I understand correctly that we do not need try { ... } catch (const std::ios_base::failure&) {} here because the inputs to SendMessages() have effectively been filtered for "sane inputs" by ProcessMessage()?
std::ios_base::failure is thrown by the serialization framework when deserialization fails. SendMessages AFAIK doesn't deserialize anything, it just acts on already parsed data. So I wouldn't say it's just been "filtered" - it has been completely processed already, and the result of that processing may trigger responses in SendMessages.
That makes sense. Thanks, @sipa !
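The split described in the reply above, as an added example that is not part of the pull request or of Bitcoin Core: a toy harness where only the parse stage can throw `std::ios_base::failure`, and the send stage runs unguarded on already-parsed state. All names (`Deserialize`, `ProcessStage`, `SendStage`, `FuzzOne`) and the wire format are hypothetical.

```cpp
// Added illustration: every name below is hypothetical, not Bitcoin Core code.
#include <cstdint>
#include <cstdio>
#include <ios>
#include <vector>

struct Msg { uint8_t cmd; std::vector<uint8_t> payload; };
struct PeerState { bool reply_pending = false; uint8_t reply_byte = 0; };

// Stand-in for the serialization layer, the only code here that throws
// std::ios_base::failure. Toy wire format: [cmd][len][payload...].
Msg Deserialize(const std::vector<uint8_t>& buf)
{
    if (buf.size() < 2) throw std::ios_base::failure("header truncated");
    const unsigned len = buf[1];
    if (buf.size() - 2 < len) throw std::ios_base::failure("payload truncated");
    return Msg{buf[0], std::vector<uint8_t>(buf.begin() + 2, buf.begin() + 2 + len)};
}

// Parse stage: deserializes, then records what the send stage should do.
void ProcessStage(const std::vector<uint8_t>& buf, PeerState& st)
{
    const Msg m = Deserialize(buf);
    if (m.cmd == 0x01 && !m.payload.empty()) {
        st.reply_pending = true;
        st.reply_byte = m.payload[0];
    }
}

// Send stage: reads only already-parsed state and never touches raw bytes.
std::vector<uint8_t> SendStage(PeerState& st)
{
    if (!st.reply_pending) return {};
    st.reply_pending = false;
    return {0x02, 0x01, st.reply_byte};
}

// Harness shape discussed in the thread: guard the parse stage only, then
// always run the send stage. Returns the reply bytes (empty if none).
std::vector<uint8_t> FuzzOne(const std::vector<uint8_t>& buf)
{
    PeerState st;
    try {
        ProcessStage(buf, st);
    } catch (const std::ios_base::failure&) { // malformed input, not a finding
    }
    return SendStage(st);
}
int main() { std::printf("%zu\n", FuzzOne({0x01, 0x01, 0x7f}).size()); }
```

Only inputs that survive the parse stage leave state behind for the send stage, which is why the reply-building path is reachable without a second catch.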
cr ACK fa09f97
utACK fa09f97
…increase coverage

fa09f97 fuzz: Call SendMessages after ProcessMessage to increase coverage (MarcoFalke)

Pull request description:

ACKs for top commit:
  practicalswift: Tested ACK fa09f97
  dhruv: tACK fa09f97
  Crypt-iQ: cr ACK fa09f97
  sipa: utACK fa09f97

Tree-SHA512: 87c52aa38f902c4f6c9c2380f486a3ab21edc0e21e48bb619cdb67cfd698154cc57b170eef31fc940c0bb2c878e155847de03fc6e4cd85bed25f10c4f80c747b
No description provided.