Wireshark-dev: Re: [Wireshark-dev] Canaries in Wmem

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 21 Dec 2012 15:05:15 -0500
Evan Huus wrote:
On Fri, Dec 21, 2012 at 10:41 AM, Jeff Morriss
<jeff.morriss.ws@xxxxxxxxx> wrote:
Evan Huus wrote:
They've been on my to-do list for a while, as emem provides them.

However, I've never personally used emem's canaries, and I've never
actually heard of or seen anyone else using them. Are they actually
useful anymore, or has Moore's law made valgrind the better tool in
all situations?

Well, the canaries have helped us find (and fix) a *lot* of bugs over the
years.  I have this vague memory of a time when most of the fuzz failures
complained of canary corruption but maybe that's an exaggeration.  Hopefully
the lack of canary corruption these days is a sign of improvement. :-)

I think they're still useful for the automated fuzz testing because we get a
fuzz failure when the fuzz-bot finds a corrupted canary.  Valgrind is useful
to let us humans *find* the memory corruption, but unless we're at a point
where the fuzz-bot can run Valgrind instead of its normal testing, I don't
think we should give up the canaries.

fuzz-test.sh has a -g flag that does exactly this. Is it possible to
enable that flag on the fuzz-bot or would that kill performance too
much?

My experience with Valgrind is that it is *many* times slower. But I guess if it is more likely to detect every memory problem it might not matter.

But, at least in taking a quick look at that "-g" flag, the bot would also need a way to declare failure (so it would know when to raise a bug).