-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIXME: node/bindnode: add fuzz failure with dag-cbor floats #389
Conversation
refmt's cbor encoder always emits floats in 64-bit form, as per the dag-cbor spec, but the decoder accepts the 16 and 32 forms as well. This results in a failure, as we can accept a smaller encoding for a float64 value, then re-encode it in a larger form.
FYI @rvagg, this is another dag-cbor Go bug. I do think we need to reach into refmt to fix this one, unfortunately. I thought filing the bug as a PR would be easier, because we record the fuzz corpus entry right here. |
Also FYI @warpfork. |
Note that the PR is green because we don't test with Go 1.18 yet, meaning that the fuzz failure is hidden. |
Add these to the strictness pile. They are only failures in the sense that they aren't round-tripping cleanly, but this is expected. For the record, the two failures here are: An
In hex, it's pushing In the other failure, it's got a map:
In hex, it's pushing Working as expected, but it would be nice for a user to be able to opt-out of this sillyness and say "you give me data that wasn't encoded with a spec-compliant DAG-CBOR encoder then I don't want to trust it". Currently there's no way other than doing a round-trip and comparing bytes/CID. |
respect to the fuzzer for finding these two though, especially the second one |
The fuzzer is generic and pretty dumb, which can make it slow at discovering new code paths, but it also means it can likely discover any ugly corner if given enough time :) These were found after a total of about twenty minutes fuzzing on my laptop. |
2022-04-19 conversation: it would be nice to do, but we don't have anyone clamoring for this. Given priorities and low resources, closing. |
(see commit message)