As part of #31, we looked at fuzz_xml.rs and have some improvement suggestions.
Notably, the cargo-fuzz configuration is quite old, and depends on a long-deprecated version of libfuzzer-sys, which could be replaced by a normal libfuzzer-sys crate reference:
Lines 13 to 14 in d3831fa:

```toml
[dependencies.libfuzzer-sys]
git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
```
Additionally, we've observed that the use of a fuzzer dictionary with XML snippets significantly helps with input synthesis and fuzzer coverage. Some public example collections to use with the -dict= parameter:
- https://raw.githubusercontent.com/rc0r/afl-fuzz/refs/heads/master/dictionaries/xml.dict
- https://chromium.googlesource.com/chromium/src/+/refs/heads/main/testing/libfuzzer/fuzzers/dicts/generated/libxml_xml_read_memory_fuzzer.dict
fuzz_xml.rs has an intentional panic condition to detect endless loops, which runs into false positives when allowing long inputs (no corresponding -max_len= restriction), which could be documented as a known limitation.
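Added example, not the issue author's or the project's own manifest: a fuzz/Cargo.toml that applies the suggestion above, taking libfuzzer-sys from crates.io instead of the deprecated git checkout. The crate name, the relative path to the crate under test, and the fuzz_targets/ layout are assumptions.

```toml
# Constructed fuzz/Cargo.toml (assumption: standard cargo-fuzz layout).
[package]
name = "xml-fuzz"            # placeholder name for the fuzz crate
version = "0.0.0"
edition = "2021"
publish = false

[package.metadata]
cargo-fuzz = true

[dependencies]
# Replaces the old `[dependencies.libfuzzer-sys]` table that pointed at
# git = "https://github.com/rust-fuzz/libfuzzer-sys.git" with a normal
# crates.io reference (assumption: the 0.4 release line is current enough).
libfuzzer-sys = "0.4"
# The crate under test; name and path are placeholders.
xml-crate-under-test = { path = ".." }

[[bin]]
name = "fuzz_xml"
path = "fuzz_targets/fuzz_xml.rs"   # assumption: target lives under fuzz_targets/
test = false
doc = false
```

Run the target with the dictionary and an input-length cap so the endless-loop panic is not tripped by oversized inputs, e.g. `cargo fuzz run fuzz_xml -- -dict=xml.dict -max_len=4096` (the cap value is illustrative).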