[libc-commits] [PATCH] D74091: [libc] Lay out framework for fuzzing libc functions.
Paula Toth via Phabricator via libc-commits
libc-commits at lists.llvm.org
Fri Feb 21 18:18:08 PST 2020
PaulkaToast marked an inline comment as done.
PaulkaToast added inline comments.
================
Comment at: libc/fuzzing/string/strcpy_fuzz.cpp:16
+ size_t i;
+ for (i = 0; src[i] != '\0'; i++){
+ // ensure correctness of strcpy
----------------
abrachet wrote:
> PaulkaToast wrote:
> > abrachet wrote:
> > > Couldn't this just be from i = 0 to size?
> > The length of the string that strcpy copies may not be the same as the size of the fuzzing input due to null-terminators appearing at random in data.
> Then if it is completely random this `if (data[size - 1] != '\0') return 0;` will end the test 255/256 times, no?
>
> Also without removing the 0's like before from the input then the average length will be just 256 then. Is this a problem? Or perhaps a better question is it a smaller problem than the previously raised concerned that the extra allocation was too costly?
Apologies, it wouldn't be completely random, the fuzzer is coverage guided so it'll learn that null-terminated strings are what we expect and it should then provide that more often. This was explained to me offline and it seems that modifying the input isn't necessarily needed and we should leave it up to the fuzzer.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D74091/new/
https://reviews.llvm.org/D74091
More information about the libc-commits
mailing list