Closed aschampion closed 4 years ago
Thanks. Could maybe merge this and add more paths later? (and speaking of miniz_oxide, that library could also use some more extensive fuzzing.)
and speaking of miniz_oxide, that library could also use some more extensive fuzzing
This could decompress with two libraries (inflate or a different miniz_oxide backend) and compare the results, as a way of both increasing confidence the error is in the compression and also fuzzing those decoders. The downside would be the decoder libraries exploding the path search/coverage space of the fuzzer.
I've had to terminate the fuzzing temporarily, and this should restart with the changes from #41, so for my reference here was the status of the first run:
american fuzzy lop 2.52b (deflate-fuzz-target)
┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│ run time : 72 days, 2 hrs, 21 min, 47 sec │ cycles done : 3 │
│ last new path : 2 days, 2 hrs, 55 min, 16 sec │ total paths : 1021 │
│ last uniq crash : 12 days, 19 hrs, 58 min, 0 sec │ uniq crashes : 46 │
│ last uniq hang : none seen yet │ uniq hangs : 0 │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
│ now processing : 651* (63.76%) │ map density : 2.96% / 3.59% │
│ paths timed out : 0 (0.00%) │ count coverage : 4.69 bits/tuple │
├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
│ now trying : interest 16/8 │ favored paths : 28 (2.74%) │
│ stage execs : 688k/1.33M (51.68%) │ new edges on : 53 (5.19%) │
│ total execs : 529M │ total crashes : 976k (46 unique) │
│ exec speed : 85.74/sec (slow!) │ total tmouts : 617 (62 unique) │
├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
│ bit flips : 167/19.6M, 21/19.6M, 13/19.6M │ levels : 8 │
│ byte flips : 1/2.44M, 3/2.41M, 9/2.41M │ pending : 915 │
│ arithmetics : 21/133M, 2/24.2M, 1/1.17M │ pend fav : 0 │
│ known ints : 5/15.6M, 12/65.0M, 48/104M │ own finds : 1018 │
│ dictionary : 0/0, 0/0, 25/118M │ imported : n/a │
│ havoc : 736/522k, 0/0 │ stability : 99.92% │
│ trim : 0.00%/69.1k, 1.67% ├────────────────────────┘
^C────────────────────────────────────────────────────┘ [cpu000: 10%]
Adding this now, can add further stuff later.
AFL fuzzer started in #37 with roundtrip errors reported in #39. This differs from the fuzzer binary I'm currently running in that it was only testing CompressionOptions::default(), but since ::fast() was used in the original motivating bugs it should be used here too to exercise more code paths.

Draft PR for now, since the found code paths from the current fuzz should probably be added as seeds.
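The differential idea from the thread (decode each compressed stream with two decoders and use their agreement to tell a compressor bug from a decoder bug) combined with the default/fast option split from the PR description, as an added illustration that is not code from this PR or from the deflate crate. It is a Python stand-in for the shape of such a harness: zlib levels 6 and 1 play the role of CompressionOptions::default() and ::fast(), and zlib's one-shot and streaming decode paths stand in for the two decoder libraries (all of this is an assumption for illustration, not the crate's API).

```python
"""Differential round-trip check: compress with each option set, decode with two
decode paths, and attribute any failure (harness shape only)."""
import zlib

# Stand-ins for CompressionOptions::default() and ::fast() (assumption: zlib
# level 6 plays the default role, level 1 the fast role).
COMPRESSION_OPTIONS = {"default": 6, "fast": 1}
# Raw deflate and zlib-wrapped containers, expressed as wbits values for zlib.
CONTAINERS = {"raw": -15, "zlib": 15}


def decode_oneshot(stream, wbits):
    return zlib.decompress(stream, wbits)


def decode_streaming(stream, wbits, chunk=7):
    # Feed odd-sized chunks so the resumable decoder path is exercised.
    dec = zlib.decompressobj(wbits)
    out = bytearray()
    for i in range(0, len(stream), chunk):
        out += dec.decompress(stream[i:i + chunk])
    out += dec.flush()
    if not dec.eof:
        raise zlib.error("input ended before the end-of-stream marker")
    return bytes(out)


DECODERS = {"oneshot": decode_oneshot, "streaming": decode_streaming}


def compress(data, level, wbits):
    comp = zlib.compressobj(level, zlib.DEFLATED, wbits)
    return comp.compress(data) + comp.flush()


def classify(expected, stream, wbits):
    """Decoders agreeing on wrong output points at the compressor; decoders
    disagreeing (or only some of them rejecting the stream) points at a decoder."""
    outputs, rejected = {}, []
    for name, decode in DECODERS.items():
        try:
            outputs[name] = decode(stream, wbits)
        except zlib.error:
            rejected.append(name)
    if rejected and outputs:
        return "decoder-bug: rejected by " + ",".join(rejected)
    if rejected:
        return "rejected-by-all"
    if len(set(outputs.values())) > 1:
        return "decoder-bug: outputs disagree"
    if next(iter(outputs.values())) != expected:
        return "compressor-bug"
    return "ok"


def roundtrip_check(data):
    """One fuzz iteration: a verdict for every option/container pair."""
    return {f"{opt}/{cont}": classify(data, compress(data, level, wbits), wbits)
            for opt, level in COMPRESSION_OPTIONS.items()
            for cont, wbits in CONTAINERS.items()}
```

In a real target the fuzzer's input bytes go into roundtrip_check and any verdict other than "ok" is the crash condition; the per-pair keys tell you which option set produced the failing stream.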