Reject invalid XML when building libFuzzer corpus
Issue Summary
libfuzzer-sys allows you to shape your fuzzing corpus by returning a `Corpus::Keep` or `Corpus::Reject` value in your `fuzz_target` function: https://docs.rs/libfuzzer-sys/latest/libfuzzer_sys/macro.fuzz_target.html#rejecting-inputs
I think it would be worthwhile to use this approach in `fuzz/fuzz_targets/fuzz_target_1.rs` to avoid wasting time on mutations that generate invalid XML. As an experiment, I modified the code to return `Corpus::Keep` when `read_stream` succeeds and `Corpus::Reject` when it fails and was able to find issue #1064 (closed) with the more targeted approach.
Future work
- afl-fuzz does not seem to have a similar mechanism for rejecting files, but perhaps there is another way to generate pertinent mutations in the `afl-fuzz/` target.
- This change causes the number of fuzzer executions per second to drop, presumably because invalid files were getting rejected quickly and skewing the throughput value. We should profile `fuzz_target_1.rs` to see if there's a faster way to test the library and/or render images as part of the larger fuzzing effort in #1018.
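The following Rust is an added example, not code from this issue or from the project, showing the Keep/Reject decision the Issue Summary describes. It does not depend on the libfuzzer-sys crate, so it compiles with plain rustc: the `Corpus` enum is a local stand-in for `libfuzzer_sys::Corpus`, and `parse_xml` is a hypothetical, deliberately minimal XML well-formedness check standing in for the library's `read_stream`. In the real target the body of `fuzz_one` would be the closure passed to `fuzz_target!(|data: &[u8]| -> Corpus { ... })`.

```rust
// Local stand-in for libfuzzer_sys::Corpus (assumption: the real enum has
// the same two variants; we redefine it so this file builds without the crate).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Corpus {
    Keep,
    Reject,
}

/// Hypothetical stand-in for the library's parse entry point (`read_stream`
/// in the issue). It checks UTF-8, a single root element, and properly
/// nested, matching tags; comments and processing instructions are skipped.
/// Simplification: '<' or '>' inside attribute values are not handled.
pub fn parse_xml(data: &[u8]) -> Result<usize, String> {
    let text = std::str::from_utf8(data).map_err(|e| e.to_string())?;
    let mut stack: Vec<&str> = Vec::new(); // currently open elements
    let mut elements = 0usize;             // total elements seen
    let mut roots = 0usize;                // top-level elements seen
    let mut rest = text;
    while let Some(lt) = rest.find('<') {
        // Character data outside the root element must be whitespace only.
        if stack.is_empty() && !rest[..lt].trim().is_empty() {
            return Err("text outside root element".into());
        }
        let after = &rest[lt + 1..];
        if let Some(body) = after.strip_prefix("!--") {
            let end = body.find("-->").ok_or("unterminated comment")?;
            rest = &body[end + 3..];
            continue;
        }
        if let Some(body) = after.strip_prefix('?') {
            let end = body.find("?>").ok_or("unterminated processing instruction")?;
            rest = &body[end + 2..];
            continue;
        }
        let gt = after.find('>').ok_or("unterminated tag")?;
        let tag = &after[..gt];
        rest = &after[gt + 1..];
        if let Some(name) = tag.strip_prefix('/') {
            // Closing tag: must match the most recently opened element.
            let name = name.trim();
            match stack.pop() {
                Some(open) if open == name => {}
                Some(open) => return Err(format!("</{}> closes <{}>", name, open)),
                None => return Err(format!("</{}> without open element", name)),
            }
            continue;
        }
        let self_closing = tag.ends_with('/');
        let tag = tag.trim_end_matches('/');
        let name = tag.split_whitespace().next().ok_or("empty tag")?;
        if !name.chars().all(|c| c.is_alphanumeric() || matches!(c, '_' | '-' | ':' | '.')) {
            return Err(format!("bad element name {:?}", name));
        }
        elements += 1;
        if stack.is_empty() {
            roots += 1;
            if roots > 1 {
                return Err("more than one root element".into());
            }
        }
        if !self_closing {
            stack.push(name);
        }
    }
    if let Some(open) = stack.last() {
        return Err(format!("unclosed <{}>", open));
    }
    if !rest.trim().is_empty() {
        return Err("text after root element".into());
    }
    if roots == 0 {
        return Err("no root element".into());
    }
    Ok(elements)
}

/// Body of the fuzz target: exercise the parser, then tell libFuzzer whether
/// this input is worth keeping in the corpus. Inputs the parser rejects are
/// dropped so mutations start from documents that at least parse.
pub fn fuzz_one(data: &[u8]) -> Corpus {
    match parse_xml(data) {
        Ok(_) => Corpus::Keep,
        Err(_) => Corpus::Reject,
    }
}

fn main() {
    // Constructed sample inputs, not real corpus files.
    let samples: [&[u8]; 4] = [
        b"<svg><rect/></svg>",
        b"<svg><rect></svg>",
        b"\xff\xfe<svg/>",
        b"<!-- c --><svg xmlns=\"http://www.w3.org/2000/svg\"/>",
    ];
    for s in samples {
        println!("{:?} -> {:?}", String::from_utf8_lossy(s), fuzz_one(s));
    }
}
```

Returning `Corpus::Reject` only affects corpus management: a crash or sanitizer report inside the parser still aborts the process and is reported as usual, so the targeted approach keeps malformed inputs out of the corpus without hiding bugs in the parsing path itself.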