Closed
This refactors the uncovered lines tracking to properly handle functions that use macros or have code spanning multiple files.

Key changes:
- Track coverage per file (FileLineCoverage) instead of mixing line numbers
- Identify primary file (where function is defined) by CODE region count
- Track macro call sites separately with call line + uncovered count
- Add UncoveredRanges utility for line set to protobuf conversion
- Add UncoveredLinesMap for Redis storage of uncovered lines data

The old model mixed lines from different files, making it impossible for an LLM to know which file uncovered line numbers referred to. The new model stores only primary file lines in uncovered ranges, with macro call sites tracked separately.

Protobuf changes:
- Add MacroCallSite message
- Add UncoveredLines message with run-length encoding
- Add FunctionUncoveredLines with primary_file_path and macro_sites

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Documents a tree-based coverage representation that mirrors macro expansion structure, designed to provide actionable guidance for LLMs generating targeted fuzzing inputs.

Key concepts:
- CodeBlock: contiguous non-macro code with line-level coverage
- MacroExpansion: call site with recursive children from macro body
- FunctionCoverageHierarchy: complete tree for partial coverage functions

Only functions with partial coverage (0 < covered < total) are processed, as fully covered or uncovered functions don't benefit from this analysis.

Includes algorithm for building the tree from LLVM coverage JSON, protobuf message definitions, and LLM prompt generation format.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
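The two commit messages above describe a per-file uncovered-line model (primary file by CODE region count, run-length-encoded uncovered ranges, macro call sites with an uncovered count) and a filter that keeps only partially covered functions. The following is an added example, not code from the buttercup project, that reduces an llvm-cov export JSON document to that flat model; it does not build the recursive MacroExpansion tree. It assumes the llvm-cov export layout where each region is `[lineStart, colStart, lineEnd, colEnd, count, fileID, expandedFileID, kind]`, fileIDs index the function's own `filenames` array, kind 0 is a CodeRegion and kind 1 an ExpansionRegion; as a simplification it lets the innermost CODE region touching a line decide that line's count. The sample export, the function names `parse_header`/`init`/`unused` and the output field names are constructed for the example.

```python
"""Added example, not code from the buttercup project: reduce an llvm-cov
export JSON document to per-function uncovered-line data (primary file,
run-length-encoded uncovered ranges, macro call sites), keeping only
partially covered functions.

Assumptions: region tuples are [lineStart, colStart, lineEnd, colEnd, count,
fileID, expandedFileID, kind] with fileIDs indexing the function's own
`filenames` array; kind 0 = CodeRegion, 1 = ExpansionRegion; and, as a
simplification, the innermost CODE region touching a line decides its count.
"""
import json
from collections import Counter, defaultdict

CODE_REGION = 0
EXPANSION_REGION = 1

# Constructed sample in llvm-cov export layout: parse_header() at
# src/parser.c:10-16 expands a macro from include/util.h at line 12; lines
# 13-15 and the macro's error branch (util.h:4) never executed. init() is
# fully covered and unused() never ran, so neither should be reported.
SAMPLE_EXPORT = json.loads("""
{"data": [{"functions": [
  {"name": "parse_header", "count": 1,
   "filenames": ["src/parser.c", "include/util.h"],
   "regions": [[10, 1, 16, 2, 1, 0, 0, 0],
               [12, 5, 12, 20, 1, 0, 1, 1],
               [13, 5, 14, 6, 0, 0, 0, 0],
               [15, 5, 15, 20, 0, 0, 0, 0],
               [3, 1, 5, 2, 1, 1, 1, 0],
               [4, 9, 4, 30, 0, 1, 1, 0]]},
  {"name": "init", "count": 3, "filenames": ["src/parser.c"],
   "regions": [[20, 1, 22, 2, 3, 0, 0, 0]]},
  {"name": "unused", "count": 0, "filenames": ["src/parser.c"],
   "regions": [[30, 1, 31, 2, 0, 0, 0, 0]]}
]}]}
""")


def line_counts_per_file(fn):
    """filename -> {line: execution count}, from CODE regions only.

    Regions are applied outermost (longest) first so nested, smaller regions
    overwrite the count of the region that wraps them.
    """
    filenames = fn["filenames"]
    code = [r for r in fn["regions"] if r[7] == CODE_REGION]
    code.sort(key=lambda r: r[2] - r[0], reverse=True)
    counts = defaultdict(dict)
    for line_start, _, line_end, _, count, file_id, _, _ in code:
        for line in range(line_start, line_end + 1):
            counts[filenames[file_id]][line] = count
    return counts


def primary_file(fn):
    """The file the function is defined in: the one with most CODE regions."""
    tally = Counter(fn["filenames"][r[5]] for r in fn["regions"] if r[7] == CODE_REGION)
    return tally.most_common(1)[0][0]


def run_length_encode(lines):
    """Line set -> [(start, length), ...], the protobuf-friendly form."""
    ranges = []
    for line in sorted(lines):
        if ranges and ranges[-1][0] + ranges[-1][1] == line:
            ranges[-1][1] += 1  # extends the current run
        else:
            ranges.append([line, 1])
    return [tuple(r) for r in ranges]


def macro_call_sites(fn, uncovered):
    """One entry per ExpansionRegion: the call line in the calling file and
    how many lines of the expanded (macro) file are uncovered."""
    sites = []
    for line_start, _, _, _, _, _, expanded_id, kind in fn["regions"]:
        if kind != EXPANSION_REGION:
            continue
        macro_file = fn["filenames"][expanded_id]
        sites.append({"call_line": line_start, "macro_file": macro_file,
                      "uncovered_count": len(uncovered.get(macro_file, set()))})
    return sites


def function_uncovered_lines(export):
    """name -> {primary_file_path, uncovered_ranges, macro_sites} for every
    function with 0 < covered lines < total lines."""
    report = {}
    for fn in export["data"][0]["functions"]:
        counts = line_counts_per_file(fn)
        uncovered = {f: {ln for ln, c in per_line.items() if c == 0}
                     for f, per_line in counts.items()}
        total = sum(len(c) for c in counts.values())
        covered = total - sum(len(u) for u in uncovered.values())
        if not 0 < covered < total:
            continue  # fully covered or never executed: nothing to target
        primary = primary_file(fn)
        report[fn["name"]] = {
            "primary_file_path": primary,
            "uncovered_ranges": run_length_encode(uncovered.get(primary, set())),
            "macro_sites": macro_call_sites(fn, uncovered),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(function_uncovered_lines(SAMPLE_EXPORT), indent=2))
```

On the sample, only `parse_header` is reported: its uncovered ranges cover `src/parser.c` lines 13-15 as a single `(13, 3)` run, and the macro invoked at line 12 is listed separately with one uncovered line in `include/util.h`, so a consumer never has to guess which file a line number belongs to.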
Upgrade FastAPI from ~0.115.6 to ~0.128.0 in orchestrator to allow starlette >= 0.49.1, fixing:
- CVE-2025-62727 (High): O(n^2) DoS via Range header in FileResponse
- CVE-2025-54121 (Medium): DoS via large multipart file parsing

The orchestrator uses FileResponse and StaticFiles (the affected components) in the competition API UI.

Resolves: Dependabot alerts #33, #34
Summary
Security Issues Fixed
FileResponse
Why This Matters
The orchestrator uses FileResponse and StaticFiles (the vulnerable components) in orchestrator/src/buttercup/orchestrator/ui/competition_api/main.py.
Test plan