Generate collections via a "continuation byte" rather than reading a length

Question

Generate collections via a "continuation byte" rather than reading a length

fitzgen opened this issue 4 years ago · comments

Rather than doing

let mut collection = Collection::new();
let n = u.arbitrary_len()?;
for _ in 0..n {
    collection.insert(u.arbitrary()?);
}

to create a collection, we should consider doing

let mut collection = Collection::new();
loop {
    let continue = u.arbitrary::<bool>();
    if !continue {
        break;
    }
    collection.insert(u.arbitrary()?);
}

This paper found this second approach to make test case reduction much more effective.

We might not want to do this for strings though, since the fuzzer likely has some smarts around utf-8 sequences that we might break.

Also, we might want to use the size hint to still put an upper limit on how many elements we parse.

Manish Goregaokar · Answer 1 · Mon Aug 10 2020 23:42:29 GMT+0800 (China Standard Time)

Seems good to me.

Manish Goregaokar · Answer 2 · Mon Aug 10 2020 23:43:34 GMT+0800 (China Standard Time)

If continuation bytes are fast I wonder if the same can't be done for strings: basically the string is "parse as much of it as you can, stop when no longer UTF8", and the utf8ness of the byte is basically the continuation byte.

Nick Fitzgerald · Answer 3 · Sat Aug 22 2020 01:22:35 GMT+0800 (China Standard Time)

I've been experimenting with this locally, and it does have a huge benefit for test case reduction. I'll make a PR in a bit with some other tweaks as well.