On 201008 0903, Paolo Bonzini wrote:
> On 21/09/20 16:34, Alexander Bulekov wrote:
> >> Can you fuzz writing "FUZZ" in memory? Like:
> >> OP_WRITE(0x100000, "UsingLibFUZZerString")?
> > No.. Hopefully that's not a huge problem.
> >
>
> Instead of always looking for a separator, can you:
>
> 1) skip over it if you find it naturally at the end of a command (that
> is, "FUZZ" is like a comment command)
>
> 2) actively search for it only if you stumble upon an unrecognized command?
>
What is the end goal? Is it to be able to use the "FUZZ" bytes to fuzz
devices? My concern is that we want to keep the "stability" added by the
FUZZ separators (i.e. removing a single byte shouldn't completely change
the sequence of operations).

> In that case, if you have
>
> AbcFUZZD0x100000UsingLibFUZZerFUZZ
>
> The first and third instances would be ignored, while the second would
> be part of the input. On the other hand if you have
>
> bcFUZZD0x100000UsingLibFUZZerFUZZ
>
> "b" is an invalid command and therefore you'd skip directly to "D".

There aren't any invalid opcodes, since we interpret the opcode modulo the
size of the opcode table. We only have invalid/skipped commands when there
isn't enough data after the opcode to figure out what we should do.

>
> Paolo
>
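The input model described in this reply (split the fuzzer input on the "FUZZ" separator, take the first byte of each piece modulo the size of the op table so no opcode is ever invalid, and skip a command only when too little payload follows the opcode) as a small stand-alone model. This is an added illustration written for this page, not QEMU's generic device fuzzer code: the four ops, their names and their byte layouts are invented, and the sample input is the string from the thread above. It also shows the "stability" property mentioned above: deleting one byte from one command changes that command only, because the separators re-synchronise the parser.

```c
/*
 * Constructed model of a "FUZZ"-separated command stream. Illustrative code
 * added for this page; NOT QEMU's generic device fuzzer. The op table, the op
 * names and the payload layouts are invented for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEP "FUZZ"
#define SEP_LEN 4

typedef struct {
    int executed;        /* commands that had enough payload to run */
    int skipped;         /* commands with too little data after the opcode */
    uint32_t last_addr;  /* address decoded by the most recent READ/WRITE */
} fuzz_state;

typedef void (*op_fn)(fuzz_state *s, const uint8_t *d, size_t n);

/* little-endian load, independent of host byte order */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void op_read(fuzz_state *s, const uint8_t *d, size_t n)
{
    (void)n;
    s->last_addr = le32(d);
    printf("READ  addr=0x%08x\n", s->last_addr);
}

static void op_write(fuzz_state *s, const uint8_t *d, size_t n)
{
    (void)n;
    s->last_addr = le32(d);
    printf("WRITE addr=0x%08x val=0x%02x\n", s->last_addr, d[4]);
}

static void op_clock_step(fuzz_state *s, const uint8_t *d, size_t n)
{
    (void)s; (void)d; (void)n;
    printf("CLOCK_STEP\n");
}

static void op_out(fuzz_state *s, const uint8_t *d, size_t n)
{
    (void)s; (void)n;
    printf("OUT   port=0x%04x val=0x%02x\n", (unsigned)(d[0] | d[1] << 8), d[2]);
}

/* Invented op table. Every byte value maps to an entry: op = byte % N_OPS. */
static const struct { op_fn fn; size_t min_len; } ops[] = {
    { op_read,       4 },  /* addr(4) */
    { op_write,      5 },  /* addr(4) val(1) */
    { op_clock_step, 0 },  /* no payload */
    { op_out,        3 },  /* port(2) val(1) */
};
#define N_OPS (sizeof(ops) / sizeof(ops[0]))

/* portable memmem replacement: locate SEP inside [p, p + n) */
static const uint8_t *find_sep(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i + SEP_LEN <= n; i++) {
        if (memcmp(p + i, SEP, SEP_LEN) == 0) {
            return p + i;
        }
    }
    return NULL;
}

/* Dispatch one separator-delimited command. */
static void run_cmd(fuzz_state *s, const uint8_t *cmd, size_t len)
{
    if (len == 0) {
        return;                     /* back-to-back separators: nothing to do */
    }
    size_t op = cmd[0] % N_OPS;     /* never out of range: no invalid opcodes */
    if (len - 1 < ops[op].min_len) {
        s->skipped++;               /* opcode fine, payload too short */
        return;
    }
    ops[op].fn(s, cmd + 1, len - 1);
    s->executed++;
}

/* Split the input on SEP and run each piece. Returns the executed count. */
int run_input(fuzz_state *s, const uint8_t *data, size_t size)
{
    memset(s, 0, sizeof(*s));
    while (size > 0) {
        const uint8_t *sep = find_sep(data, size);
        size_t len = sep ? (size_t)(sep - data) : size;
        run_cmd(s, data, len);
        if (!sep) {
            break;
        }
        data = sep + SEP_LEN;       /* resynchronise after the separator */
        size -= len + SEP_LEN;
    }
    return s->executed;
}

int main(void)
{
    /* constructed input: the example string from the thread */
    const char *in = "AbcFUZZD0x100000UsingLibFUZZerFUZZ";
    fuzz_state s;
    run_input(&s, (const uint8_t *)in, strlen(in));
    printf("executed=%d skipped=%d\n", s.executed, s.skipped);
    return 0;
}
```

With this table, "Abc" and "er" both decode to the WRITE entry ('A' and 'e' are 1 mod 4) and are skipped for lack of payload, while "D0x100000UsingLib" decodes to READ and runs. Removing the 'b' from the first command leaves the other two commands, and the decoded address, unchanged.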