Conversation
fmeum
left a comment
There was a problem hiding this comment.
Can this change the result in any case in which it previously fell within the given bounds? If possible, we should avoid invalidating existing crashing inputs that behaved as expected.
Ahh, I see what you mean, good point. And yes, it can and it will! My motivation for leaving the number as is, if it's already within the requested range So, my claim is that this change makes fuzzing more efficient, but I don't have the data! A compromise solution that considers your point and fixes the bug at the same time would be to always squeeze (aka remove the if-statement) // if (range != std::numeric_limits<T>::max())
// We accept modulo bias in favor of reading a dynamic number of bytes as
// this would make it harder for the fuzzer to mutate towards values from
// the table of recent compares.
result = result % (range + 1);
return static_cast<T>(min + result);
It's inconvenient, but can be addressed by fixing the issues before upgrading to the new Jazzer release, or by running the fuzzer and letting it find the issue again. WDYT? |
src/main/native/com/code_intelligence/jazzer/driver/fuzzed_data_provider.cpp
Outdated
Show resolved
Hide resolved
507ecf6 to
07d24c4
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR fixes a bug in the ConsumeIntegralInRange function to ensure the returned value is always within the specified range [min, max]. The fix optimizes for fuzzer effectiveness by preserving values that are already in range to maintain compatibility with the table of recent compares.
Key changes:
- Adds a check to return values already within range without modification
- Consolidates the modulo operation and range adjustment into a single expression
- Removes the conditional check for
std::numeric_limits<T>::max()
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
src/main/native/com/code_intelligence/jazzer/driver/fuzzed_data_provider.cpp
Show resolved
Hide resolved
07d24c4 to
b072ead
Compare
For cases where FuzzedDataProvider.consume<Byte,Short,Char,Integer,Long>(from, to) sets the range [from; to] to be exactly the maximum value for the type, this methods could return values outside the requested range. This PR makes sure that the returned values are always in range. In addition, this PR boost the performance of these methods by making less use of the modulo operator to reduce fuzzer values into the range. Keeping the number "as is" allows the fuzzer to use the table of recent compares more efficiently. At the same time, this change might invalidate existing crash files and some corpus entries. However, given overall performance boost this change brings, the potential corpus invalidation is considered less important.
b072ead to
ebf207a
Compare
No description provided.