• cheddar@programming.dev
    5 months ago

    You don’t need to prove that no input can crash the code. “Exhaustive testing is not possible” is one of the core testing principles, ISTQB teaches that. As far as we know, the input was a file filled with zeroes, and not some subtle configuration or instruction. That can definitely be expected, tested, and handled.

    • Morphit@feddit.uk
      5 months ago

      > As far as we know, the input was a file filled with zeroes

      CrowdStrike have said that was not the problem:

      > This is not related to null bytes contained within Channel File 291 or any other Channel File.

      That said, their preliminary incident review doesn’t give us much to go on as to what was wrong with the file.

      You’re speculating that it was something easy to test for by a third party. It certainly could have been but I would hope it’s a more subtle bug which, as you say, can’t be exhaustively tested for. Source code analysis definitely would have surfaced this bug so either they didn’t bother looking or didn’t bother fixing it.

      • cheddar@programming.dev
        5 months ago

        > You’re speculating that it was something easy to test for by a third party.

        Based on the data that I have, which is of course very limited! I didn’t know about the recent news regarding the null bytes, thank you for sharing this info.