Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

derive: Protect against unbounded recursion when u.is_empty() #109

Merged
merged 1 commit into from
Jun 14, 2022
Merged

derive: Protect against unbounded recursion when u.is_empty() #109

merged 1 commit into from
Jun 14, 2022

Conversation

fitzgen
Copy link
Member

@fitzgen fitzgen commented Jun 14, 2022

Fixes #107

@fitzgen fitzgen requested a review from Manishearth June 14, 2022 18:30
@fitzgen fitzgen force-pushed the derive-recursion-and-empty branch from c8d4708 to 3e3940c Compare June 14, 2022 18:34
@fitzgen fitzgen force-pushed the derive-recursion-and-empty branch from 3e3940c to 3d6b220 Compare June 14, 2022 18:40
@fitzgen fitzgen merged commit c0463a7 into rust-fuzz:master Jun 14, 2022
@fitzgen fitzgen deleted the derive-recursion-and-empty branch June 14, 2022 18:43
@fitzgen
Copy link
Member Author

fitzgen commented Jun 14, 2022

I'll publish a new release with this fix.

@fitzgen
Copy link
Member Author

fitzgen commented Jun 14, 2022

Published 1.1.1

jcaesar
jcaesar reviewed Jun 15, 2022
View reviewed changes
derive/src/lib.rs

count.set(count.get() + 1);
let result = { #expr };
count.set(count.get() - 1);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this work as intended, i.e. is it ok to skip decreasing count if #expr aborts through ??

Generated code for my struct, for consideration 
fn arbitrary(u: &mut Unstructured) -> Result<Self> {
    RECURSIVE_COUNT_Nah.with(|count| {
        if count.get() > 0 && u.is_empty() {
            return Err(arbitrary::Error::NotEnoughData);
        }
        count.set(count.get() + 1);
        let result = {
            Ok(
                match (u64::from(<u32 as Arbitrary>::arbitrary(u)?) * 2u64) >> 32 {
                    0u64 => Nah::Foo(
                        Arbitrary::arbitrary(u)?,
                        Arbitrary::arbitrary(u)?,
                        Arbitrary::arbitrary(u)?,
                    ),
                    1u64 => Nah::Bar(Arbitrary::arbitrary(u)?, Arbitrary::arbitrary(u)?),
                    _ => panic!("internal error: entered unreachable code"),
                },
            )
        };
        count.set(count.get() - 1);
        result
    })
}

Copy link
Contributor

@jcaesar jcaesar Jun 15, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking about it further, wouldn't it be better to only modify count when the unstructured is already empty?

  • No need to access the thread local under normal conditions (performance micro-optimization, I know.)
  • It's entirely possible that a recursive struct is benign and does finish generating on zeros only (after recursing a few times from the Unstructured input). But this currently aborts before trying that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to review a pull request if you want to make one!

@jcaesar jcaesar mentioned this pull request Jun 17, 2022
Merged
@Manishearth Manishearth mentioned this pull request Nov 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcaesar jcaesar jcaesar left review comments

@Manishearth Manishearth Manishearth approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Stack overflow for recursive type
3 participants
@fitzgen @Manishearth @jcaesar