| 9 Oct 2025 |
 fzakaria | cool ill take a look | 23:44:10 |
| fzakaria | maybe file bugs worst case | 23:44:14 |
| fzakaria | (I'll make sure they repro) | 23:44:22 |
| fzakaria | they're all kind of similar | 23:45:52 |
| fzakaria | interesting | 23:45:53 |
 lovesegfault | the big issue with the current fuzzing work is i cannot seem to get good coverage, even after I added the dictionary, which helped | 23:54:46 |
| lovesegfault | and i don't know if it's my fault or of that's just how it is | 23:54:57 |
| lovesegfault | i suspect the corpus sucks and needs to be made better | 23:55:07 |
| 10 Oct 2025 |
| fzakaria | maybe there's more instrumentation to help guide it better? | 00:02:48 |
| fzakaria | or yea just feed it tons of derivations | 00:02:59 |
| fzakaria | like 1000s | 00:03:02 |
| fzakaria | nix eval -f ./id:000000,sig:11,src:000046,time:6573454,execs:92972154,op:havoc,rep:2
error: memory exhausted
at /home/fmzakari/Downloads/nix-eval-crashes/id:000000,sig:11,src:000046,time:6573454,execs:92972154,op:havoc,rep:2:1:9999:
| 00:03:04 |
| fzakaria | memory exhausted interesting since it's a bunch of exclamation marks | 00:03:31 |
| fzakaria | Redacted or Malformed Event | 00:07:49 |
| fzakaria | on recent versions that was fixed...
I think your test harness might be too broad in what it's caatching | 00:10:25 |
| fzakaria | /nix/store/9d3ypgdl7h4i7xr4ld7bl745f7fwkz66-nix-2.32.0pre20251006_dirty/bin/nix eval -f id:000000,sig:11,src:000064,time:13566614,execs:193156749,op:havoc,rep:2
error:
… while evaluating the file '/home/fmzakari/Downloads/nix-eval-crashes/id:000000,sig:11,src:000064,time:13566614,execs:193156749,op:havoc,rep:2':
… in the argument of the not operator
at /home/fmzakari/Downloads/nix-eval-crashes/id:000000,sig:11,src:000064,time:13566614,execs:193156749,op:havoc,rep:2:1:5287:
| 00:10:38 |
| fzakaria | That seems like an acceptable error in eval | 00:10:58 |
| lovesegfault | hmmm | 00:21:29 |
| lovesegfault | maybe the harness is borked somehow? | 00:21:36 |
| fzakaria | I think i remember reviewing and you are catching Error or std::exception | 00:21:50 |
| fzakaria | maybe those are normal ?
I thought fuzzing is only looking for things that cause SIGSEGV | 00:22:39 |
| fzakaria | unless you set AFL_CRASH_EXITCODE='-1' | 00:23:23 |
| fzakaria | (or something) | 00:23:27 |
| fzakaria | (or special catching for MSAN/ASAN) | 00:24:12 |
| fzakaria |
Note that in nearly all cases you can never reach full coverage. A lot of functionality is usually dependent on exclusive options that would need individual fuzzing campaigns each with one of these options set. E.g., if you fuzz a library to convert image formats and your target is the png to tiff API, then you will not touch any of the other library APIs and features.
| 00:25:11 |
| lovesegfault | yeah. i've seen coverage go up to ~35% so maybe it's good? | 00:26:02 |
| lovesegfault | honggfuzz seemed to do better, maybe I should rescue that work | 00:26:17 |
| lovesegfault | I had another branch that used honggfuzz instead of afl++ | 00:26:30 |
| lovesegfault | the UI was much nicer | 00:26:34 |
| fzakaria | hmm | 01:40:55 |
