Fuzzer to automatically find side-channel (timing) vulnerabilities

Overview

SideFuzz: Fuzzing for side-channel vulnerabilities


SideFuzz is an adaptive fuzzer that uses a genetic-algorithm optimizer in combination with t-statistics to find side-channel (timing) vulnerabilities in cryptography compiled to wasm.

Fuzzing Targets can be found here: https://github.com/phayes/sidefuzz-targets

How it works

SideFuzz works by counting instructions executed in the wasmi wasm interpreter. It works in two phases:

Phase 1. Uses a genetic-algorithm optimizer that tries to maximize the difference in instructions executed between two different inputs. It will continue optimizing until subsequent generations of input-pairs no longer produce any meaningful differences in the number of instructions executed. This means that it will optimize until it finds a local optimum in the fitness of input pairs.

Phase 2. Once a local optimum is found, the leading input-pairs are sampled until either:

  • A large t-statistic (p = 0.001) is found, indicating that there is a statistically significant difference in running-time between the two inputs. This is indicative of a timing side-channel vulnerability; or

  • The t-statistic stays low, even after significant sampling. In this case the candidate input pairs are rejected and SideFuzz returns to phase 1, resuming the genetic-algorithm optimizer to find another local optimum.

What it gets you

Fuzzing with SideFuzz shows that your Rust code can be constant-time, but doesn't show that it is constant-time on all architectures. This is because LLVM backends can and will ruin constant-time Rust / LLVM-IR when compiling to machine-code. SideFuzz should be considered a "good first step" to be followed up with dudect-bencher and ctgrind. It should also be noted that proper compiler support for constant-time code-generation is an unsolved problem in the Rust ecosystem. There have been some ideas around using cranelift for constant-time code generation, but things are still in the brainstorming phase.

Installation

rustup target add wasm32-unknown-unknown
git clone git@github.com:phayes/sidefuzz.git
cd sidefuzz && cargo install --path .

(Cannot currently do cargo install sidefuzz because of this issue)

Creating a Rust fuzz target

Creating a target in rust is very easy.

// lib.rs
#[no_mangle]
pub extern "C" fn fuzz() {
  let input = sidefuzz::fetch_input(32); // 32 bytes of fuzzing input as a &[u8]
  sidefuzz::black_box(my_hopefully_constant_fn(input));
}

# Cargo.toml
[lib]
crate-type = ["cdylib"]

[dependencies]
sidefuzz = "0.1.1"

Compile and fuzz the target like so:

cargo build --release --target wasm32-unknown-unknown                # Always build in release mode
sidefuzz fuzz ./target/wasm32-unknown-unknown/release/my_target.wasm # Fuzzing!

Results can be checked like so:

sidefuzz check my_target.wasm 01250bf9 ff81f7b3

When fixing variable-time code, sidefuzz can also help with sidefuzz count to quickly count the number of instructions executed by the target.

sidefuzz count my_target.wasm 01250bf9

Creating a fuzz target in other languages

SideFuzz works with Go, C, C++ and other languages that compile to wasm.

The wasm module should provide four exports:

  1. Memory exported to "memory"

  2. A function named "fuzz". This function will be repeatedly called during the fuzzing process.

  3. A function named "input_pointer" that returns an i32 pointer to a location in linear memory where we can write an array of input bytes. The "fuzz" function should read this array of bytes as input for its fuzzing.

  4. A function named "input_len" that returns an i32 with the desired length of input in bytes.
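A hand-written target providing the four exports listed above, as an added example in C that is not from the SideFuzz repository. The tag bytes, `first_mismatch`, `leaky_eq`, `ct_eq`, `last_result`, the `LEAKY_TARGET` switch and the clang invocation in the comment are assumptions made for illustration.

```c
/* Added example (not SideFuzz project code): a hand-written C fuzz target.
 * One possible build, assuming clang with the wasm32 target and wasm-ld:
 *   clang --target=wasm32 -O2 -nostdlib -Wl,--no-entry -o my_target.wasm target.c
 * Add -DLEAKY_TARGET to fuzz the early-exit comparison instead. */
#include <stddef.h>
#include <stdint.h>

/* export_name is a clang WebAssembly attribute; drop it in native builds. */
#ifdef __wasm__
#define WASM_EXPORT(name) __attribute__((export_name(name)))
#else
#define WASM_EXPORT(name)
#endif

#define INPUT_LEN 32

/* Export 1 ("memory"): wasm-ld exports linear memory under that name by
 * default, so nothing is declared for it here. */

/* Lives in linear memory; the fuzzer writes INPUT_LEN bytes here. */
static uint8_t input[INPUT_LEN];

/* Constructed reference value standing in for a secret 32-byte tag. */
static const uint8_t expected_tag[INPUT_LEN] = {
    0x3a, 0x91, 0x0c, 0xe7, 0x55, 0x28, 0xb4, 0x6f,
    0x12, 0xd3, 0x80, 0x4e, 0xa9, 0x07, 0xf1, 0x6c,
    0x2b, 0x98, 0x45, 0xde, 0x70, 0x1f, 0xc6, 0x33,
    0x8a, 0x59, 0xe2, 0x04, 0xbd, 0x67, 0x10, 0xfa
};

/* Volatile sink: plays the role of sidefuzz::black_box, so the optimizer
 * cannot discard the comparison as dead code. */
static volatile int sink;

/* Index of the first differing byte, or n if the buffers are equal. */
size_t first_mismatch(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i])
            break;
    }
    return i;
}

/* Variable-time: the work done grows with the length of the matching
 * prefix, which is the instruction-count difference SideFuzz looks for. */
int leaky_eq(const uint8_t *a, const uint8_t *b, size_t n)
{
    return first_mismatch(a, b, n) == n;
}

/* Constant-time: every byte is visited and there is no data-dependent branch. */
int ct_eq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 wraps to 0xFFFFFFFF, so bit 8 is set only when equal. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Export 3: where the fuzzer writes the input bytes. */
WASM_EXPORT("input_pointer") uint8_t *input_pointer(void)
{
    return input;
}

/* Export 4: how many input bytes this target wants. */
WASM_EXPORT("input_len") int32_t input_len(void)
{
    return INPUT_LEN;
}

/* Export 2: called repeatedly by the fuzzer; returns nothing. */
WASM_EXPORT("fuzz") void fuzz(void)
{
#ifdef LEAKY_TARGET
    sink = leaky_eq(input, expected_tag, INPUT_LEN);
#else
    sink = ct_eq(input, expected_tag, INPUT_LEN);
#endif
}

/* Native-only helper so the result of the last fuzz() call can be inspected. */
int last_result(void)
{
    return sink;
}
```
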

FAQ

1. Why wasm?

Web Assembly allows us to precisely track the number of instructions executed, the type of instructions executed, and the amount of memory used. This is much more precise than other methods such as tracking wall-time or counting CPU cycles.

2. Why do I always need to build in release mode?

Many constant-time functions include calls to variable-time debug_assert!() functions that get removed during a release build. The Rust and LLVM optimizers may also mangle supposedly constant-time code in the name of optimization, introducing subtle timing vulnerabilities. Running in release mode lets us surface these issues.

3. I need an RNG (Random Number Generator). What do?

You should make use of a PRNG with a static seed. While this is a bad idea for production code, it's great for fuzzing. See the rsa_encrypt_pkcs1v15_message target for an example on how to do this.

4. What's up with black_box ?

sidefuzz::black_box is used to avoid dead-code elimination. Because we are interested in exercising the fuzzed code instead of getting results from it, the exported fuzz function doesn't return anything. The Rust optimizer sees all functions that don't return as dead-code and will try to eliminate them as part of its optimizations. black_box is a function that is opaque to the optimizer, allowing us to exercise functions that don't return without them being optimized away. It should be used whenever calling a function that doesn't return anything or where we are ignoring the output returned.

5. The fuzzer gave me invalid inputs, what now?

You should panic (causing a wasm trap). This will signal to the fuzzer that the inputs are invalid.

6. I need to do some variable-time set-up. How do I do that?

You should use lazy_static to do any set-up work (like generating keys etc). The target is always run once to prime lazy statics before the real fuzzing starts.

Related Tools

  1. dudect-bencher. An implementation of the DudeCT constant-time function tester. In comparison to SideFuzz, this tool more closely adheres to the original dudect design. https://crates.io/crates/dudect-bencher

  2. ctgrind. Tool for checking that functions are constant time using Valgrind. https://github.com/RustCrypto/utils/tree/master/ctgrind

Further Reading

  1. "DifFuzz: Differential Fuzzing for Side-Channel Analysis", Nilizadeh, Noller, Păsăreanu. https://arxiv.org/abs/1811.07005

  2. "Dude, is my code constant time?", Reparaz et al. https://eprint.iacr.org/2016/1123.pdf

  3. "Rust, dudect and constant-time crypto in debug mode", brycx. https://brycx.github.io/2019/04/21/rust-dudect-constant-time-crypto.html

Contributors

  1. Patrick Hayes (linkedin) (github) - Available for hire.
Comments
  • Improvement: Provide macro attribute

    It would be nice if we had the following attribute:

    #[sidefuzz = 123]
    fn fuzz_some_stuff(input: &[u8]) {
       sidefuzz::blackbox(some_constant_fn(input));
    }
    

    This attribute would expand to:

    use std::ptr;
    use std::slice;
    
    #[no_mangle]
    pub extern "C" fn len() -> i32 {
        return 123;
    }
    
    #[no_mangle]
    pub extern "C" fn sidefuzz(ptr: i32, len: i32) {
      let input: &[u8] = unsafe { slice::from_raw_parts(ptr as _, len as _) };
    
      // Body of function copied here:
      sidefuzz::blackbox(some_constant_fn(input));
    }
    
    enhancement help wanted 
    opened by phayes 2
  • Update rand requirement from 0.7.3 to 0.8.3

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.8.3] - 2021-01-25

    Fixes

    • Fix no-std + alloc build by gating choose_multiple_weighted on std (#1088)

    [0.8.2] - 2021-01-12

    Fixes

    • Fix panic in UniformInt::sample_single_inclusive and Rng::gen_range when providing a full integer range (eg 0..=MAX) (#1087)

    [0.8.1] - 2020-12-31

    Other

    • Enable all stable features in the playground (#1081)

    [0.8.0] - 2020-12-18

    Platform support

    • The minimum supported Rust version is now 1.36 (#1011)
    • getrandom updated to v0.2 (#1041)
    • Remove wasm-bindgen and stdweb feature flags. For details of WASM support, see the getrandom documentation. (#948)
    • ReadRng::next_u32 and next_u64 now use little-Endian conversion instead of native-Endian, affecting results on Big-Endian platforms (#1061)
    • The nightly feature no longer implies the simd_support feature (#1048)
    • Fix simd_support feature to work on current nightlies (#1056)

    Rngs

    • ThreadRng is no longer Copy to enable safe usage within thread-local destructors (#1035)
    • gen_range(a, b) was replaced with gen_range(a..b). gen_range(a..=b) is also supported. Note that a and b can no longer be references or SIMD types. (#744, #1003)
    • Replace AsByteSliceMut with Fill and add support for [bool], [char], [f32], [f64] (#940)
    • Restrict rand::rngs::adapter to std (#1027; see also #928)
    • StdRng: add new std_rng feature flag (enabled by default, but might need to be used if disabling default crate features) (#948)
    • StdRng: Switch from ChaCha20 to ChaCha12 for better performance (#1028)
    • SmallRng: Replace PCG algorithm with xoshiro{128,256}++ (#1038)

    Sequences

    • Add IteratorRandom::choose_stable as an alternative to choose which does not depend on size hints (#1057)
    • Improve accuracy and performance of IteratorRandom::choose (#1059)
    • Implement IntoIterator for IndexVec, replacing the into_iter method (#1007)
    • Add value stability tests for seq module (#933)

    Misc

    • Support PartialEq and Eq for StdRng, SmallRng and StepRng (#979)
    • Added a serde1 feature and added Serialize/Deserialize to UniformInt and WeightedIndex (#974)
    • Drop some unsafe code (#962, #963, #1011)
    • Reduce packaged crate size (#983)
    • Migrate to GitHub Actions from Travis+AppVeyor (#1073)

    Distributions

    ... (truncated)

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
    • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

    Additionally, you can set the following in your Dependabot dashboard:

    • Update frequency (including time of day and day of week)
    • Pull request limits (per update run and/or open at any time)
    • Automerge options (never/patch/minor, and dev/runtime dependencies)
    • Out-of-range updates (receive only lockfile updates, if desired)
    • Security updates (receive only security updates, if desired)
    dependencies 
    opened by dependabot-preview[bot] 1
  • Update rand requirement from 0.7.3 to 0.8.2

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.8.2] - 2021-01-12

    Fixes

    • Fix panic in UniformInt::sample_single_inclusive and Rng::gen_range when providing a full integer range (eg 0..=MAX) (#1087)

    [0.8.1] - 2020-12-31

    Other

    • Enable all stable features in the playground (#1081)

    [0.8.0] - 2020-12-18

    Platform support

    • The minimum supported Rust version is now 1.36 (#1011)
    • getrandom updated to v0.2 (#1041)
    • Remove wasm-bindgen and stdweb feature flags. For details of WASM support, see the getrandom documentation. (#948)
    • ReadRng::next_u32 and next_u64 now use little-Endian conversion instead of native-Endian, affecting results on Big-Endian platforms (#1061)
    • The nightly feature no longer implies the simd_support feature (#1048)
    • Fix simd_support feature to work on current nightlies (#1056)

    Rngs

    • ThreadRng is no longer Copy to enable safe usage within thread-local destructors (#1035)
    • gen_range(a, b) was replaced with gen_range(a..b). gen_range(a..=b) is also supported. Note that a and b can no longer be references or SIMD types. (#744, #1003)
    • Replace AsByteSliceMut with Fill and add support for [bool], [char], [f32], [f64] (#940)
    • Restrict rand::rngs::adapter to std (#1027; see also #928)
    • StdRng: add new std_rng feature flag (enabled by default, but might need to be used if disabling default crate features) (#948)
    • StdRng: Switch from ChaCha20 to ChaCha12 for better performance (#1028)
    • SmallRng: Replace PCG algorithm with xoshiro{128,256}++ (#1038)

    Sequences

    • Add IteratorRandom::choose_stable as an alternative to choose which does not depend on size hints (#1057)
    • Improve accuracy and performance of IteratorRandom::choose (#1059)
    • Implement IntoIterator for IndexVec, replacing the into_iter method (#1007)
    • Add value stability tests for seq module (#933)

    Misc

    • Support PartialEq and Eq for StdRng, SmallRng and StepRng (#979)
    • Added a serde1 feature and added Serialize/Deserialize to UniformInt and WeightedIndex (#974)
    • Drop some unsafe code (#962, #963, #1011)
    • Reduce packaged crate size (#983)
    • Migrate to GitHub Actions from Travis+AppVeyor (#1073)

    Distributions

    • Alphanumeric samples bytes instead of chars (#935)
    • Uniform now supports char, enabling rng.gen_range('A'..='Z') (#1068)
    • Add UniformSampler::sample_single_inclusive (#1003)
    Commits
    • 6a6b9fd Merge pull request #1087 from GautierMinster/fix_uniform_int_panic_on_full_in...
    • 2c9085a Bump to 0.8.2 and update changelog
    • 4e8c7a4 distributions/uniform: fix panic in gen_range(0..=MAX)
    • bda9974 Merge pull request #1083 from dhardy/work
    • 594aed8 seed_from_u64: use newpavlov's suggestion
    • eb4b8a4 Fix #1082 (seed_from_u64 with non multiple of 4)
    • 34aa769 Merge pull request #1081 from taiki-e/playground
    • e5eec8e Prepare rand 0.8.1
    • a63eb3a Prepare rand_core 0.6.1
    • 3c19b97 Enable all stable features in the playground
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Update rand requirement from 0.7.3 to 0.8.1

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.8.1] - 2020-12-31

    Other

    • Enable all stable features in the playground (#1081)

    [0.8.0] - 2020-12-18

    Platform support

    • The minimum supported Rust version is now 1.36 (#1011)
    • getrandom updated to v0.2 (#1041)
    • Remove wasm-bindgen and stdweb feature flags. For details of WASM support, see the getrandom documentation. (#948)
    • ReadRng::next_u32 and next_u64 now use little-Endian conversion instead of native-Endian, affecting results on Big-Endian platforms (#1061)
    • The nightly feature no longer implies the simd_support feature (#1048)
    • Fix simd_support feature to work on current nightlies (#1056)

    Rngs

    • ThreadRng is no longer Copy to enable safe usage within thread-local destructors (#1035)
    • gen_range(a, b) was replaced with gen_range(a..b). gen_range(a..=b) is also supported. Note that a and b can no longer be references or SIMD types. (#744, #1003)
    • Replace AsByteSliceMut with Fill and add support for [bool], [char], [f32], [f64] (#940)
    • Restrict rand::rngs::adapter to std (#1027; see also #928)
    • StdRng: add new std_rng feature flag (enabled by default, but might need to be used if disabling default crate features) (#948)
    • StdRng: Switch from ChaCha20 to ChaCha12 for better performance (#1028)
    • SmallRng: Replace PCG algorithm with xoshiro{128,256}++ (#1038)

    Sequences

    • Add IteratorRandom::choose_stable as an alternative to choose which does not depend on size hints (#1057)
    • Improve accuracy and performance of IteratorRandom::choose (#1059)
    • Implement IntoIterator for IndexVec, replacing the into_iter method (#1007)
    • Add value stability tests for seq module (#933)

    Misc

    • Support PartialEq and Eq for StdRng, SmallRng and StepRng (#979)
    • Added a serde1 feature and added Serialize/Deserialize to UniformInt and WeightedIndex (#974)
    • Drop some unsafe code (#962, #963, #1011)
    • Reduce packaged crate size (#983)
    • Migrate to GitHub Actions from Travis+AppVeyor (#1073)

    Distributions

    • Alphanumeric samples bytes instead of chars (#935)
    • Uniform now supports char, enabling rng.gen_range('A'..='Z') (#1068)
    • Add UniformSampler::sample_single_inclusive (#1003)

    Weighted sampling

    • Implement weighted sampling without replacement (#976, #1013)
    • rand::distributions::alias_method::WeightedIndex was moved to rand_distr::WeightedAliasIndex. The simpler alternative rand::distribution::WeightedIndex remains. (#945)
    • Improve treatment of rounding errors in WeightedIndex::update_weights (#956)
    dependencies 
    opened by dependabot-preview[bot] 1
  • Update rand requirement from 0.7.3 to 0.8.0

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.8.0] - 2020-12-18

    Platform support

    • The minimum supported Rust version is now 1.36 (#1011)
    • getrandom updated to v0.2 (#1041)
    • Remove wasm-bindgen and stdweb feature flags. For details of WASM support, see the getrandom documentation. (#948)
    • ReadRng::next_u32 and next_u64 now use little-Endian conversion instead of native-Endian, affecting results on Big-Endian platforms (#1061)
    • The nightly feature no longer implies the simd_support feature (#1048)
    • Fix simd_support feature to work on current nightlies (#1056)

    Rngs

    • ThreadRng is no longer Copy to enable safe usage within thread-local destructors (#1035)
    • gen_range(a, b) was replaced with gen_range(a..b). gen_range(a..=b) is also supported. Note that a and b can no longer be references or SIMD types. (#744, #1003)
    • Replace AsByteSliceMut with Fill and add support for [bool], [char], [f32], [f64] (#940)
    • Restrict rand::rngs::adapter to std (#1027; see also #928)
    • StdRng: add new std_rng feature flag (enabled by default, but might need to be used if disabling default crate features) (#948)
    • StdRng: Switch from ChaCha20 to ChaCha12 for better performance (#1028)
    • SmallRng: Replace PCG algorithm with xoshiro{128,256}++ (#1038)

    Sequences

    • Add IteratorRandom::choose_stable as an alternative to choose which does not depend on size hints (#1057)
    • Improve accuracy and performance of IteratorRandom::choose (#1059)
    • Implement IntoIterator for IndexVec, replacing the into_iter method (#1007)
    • Add value stability tests for seq module (#933)

    Misc

    • Support PartialEq and Eq for StdRng, SmallRng and StepRng (#979)
    • Added a serde1 feature and added Serialize/Deserialize to UniformInt and WeightedIndex (#974)
    • Drop some unsafe code (#962, #963, #1011)
    • Reduce packaged crate size (#983)
    • Migrate to GitHub Actions from Travis+AppVeyor (#1073)

    Distributions

    • Alphanumeric samples bytes instead of chars (#935)
    • Uniform now supports char, enabling rng.gen_range('A'..='Z') (#1068)
    • Add UniformSampler::sample_single_inclusive (#1003)

    Weighted sampling

    • Implement weighted sampling without replacement (#976, #1013)
    • rand::distributions::alias_method::WeightedIndex was moved to rand_distr::WeightedAliasIndex. The simpler alternative rand::distribution::WeightedIndex remains. (#945)
    • Improve treatment of rounding errors in WeightedIndex::update_weights (#956)
    • WeightedIndex: return error on NaN instead of panic (#1005)

    Documentation

    • Document types supported by random (#994)
    dependencies 
    opened by dependabot-preview[bot] 1
  • Update color-backtrace requirement from 0.4.2 to 0.5.0

    Updates the requirements on color-backtrace to permit the latest version.

    Changelog

    Sourced from color-backtrace's changelog.

    [v0.5.0] (2020-11-21)

    • Add __rust_begin_short_backtrace filter
    • Remove experimental failure support

    [v0.4.2] (2020-05-19)

    Added

    • Clone and Debug impls for BacktracePrinter
    • COLORBT_SHOW_HIDDEN env variable, disabling frame filtering

    [v0.4.1] (2020-05-08)

    Fixed

    • Use correct verbosity level for string formatting
    • Fix off-by-one in frame hiding code
      • Hides one additional post-panic frame
    • Slightly improved doc

    [v0.4.0] (2020-05-06)

    Added

    • BacktracePrinter::format_trace_to_string
    • Ability to add custom frame filter callbacks
      • BacktracePrinter::add_frame_filter
      • BacktracePrinter::clear_frame_filters
      • default_frame_filter
      • Thanks to [@yaahc] for helping out with this!
    • Prefer RUST_LIB_BACKTRACE env var when determining the default verbosity to print non-panic backtraces
      • Also contributed by [@yaahc]

    Changed

    • Rename Settings -> BacktracePrinter
    • Move print_backtrace -> BacktracePrinter::print_trace
    • Move print_panic_info -> BacktracePrinter::print_panic_info
    • Move color_backtrace::failure::print_backtrace -> BacktracePrinter::print_failure_trace
    • The majority of old APIs have deprecated shims that forward calls to their new place to ease porting
    • The out setting is no longer part of the BacktracePrinter and instead supplied as an argument to all functions that need it
      • The previous design forced Sync + Send + 'static constraints on any output stream since they are required when registering the panic handler, but are unnecessary when printing to strings
      • As a bonus, all format and print functions no longer require mutable access to the BacktracePrinter instance
    dependencies 
    opened by dependabot-preview[bot] 1
  • Update statrs requirement from 0.10.0 to 0.13.0

    Updates the requirements on statrs to permit the latest version.

    Changelog

    Sourced from statrs's changelog.

    v0.13.0

    • Implemented MultivariateNormal distribution (depends on nalgebra 0.19)
    • Implemented Dirac distribution
    • Implemented Negative Binomial distribution

    v0.12.0

    • upgrade rand dependency to 0.7

    v0.11.0

    • upgrade rand dependency to 0.6
    • Implement CheckedInverseCDF and InverseCDF for Normal distribution

    v0.10.0

    • upgrade rand dependency to 0.5
    • Removes the Distribution trait in favor of the rand::distributions::Distribution trait
    • Removed functions deprecated in 0.8.0 (periodic, periodic_custom, sinusoidal, sinusoidal_custom)

    v0.9.0

    • implemented infinite sequence generator for periodic sequence
    • implemented infinite sequence generator for sinusoidal sequence
    • implemented infinite sequence generator for square sequence
    • implemented infinite sequence generator for triangle sequence
    • implemented infinite sequence generator for sawtooth sequence
    • deprecate old non-infinite iterators in favor of new infinite iterators with take
    • Implemented Pareto distribution
    • Implemented Entropy trait for the Categorical distribution
    • Add a checked_ interface to all distribution methods and functions that may panic

    v0.8.0

    • cdf(x), pdf(x) and pmf(x) now return the correct value instead of panicking when x is outside the range of values that the distribution can attain.
    • Fixed a bug in the Uniform distribution implementation where samples were drawn from range [min, max + 1) instead of [min, max]. The samples are now drawn correctly from the range [min, max].
    • Implement generate::log_spaced function
    • Implement generate::Periodic iterator
    • Implement generate::Sinusoidal iterator
    • Implement generate::Square iterator
    • Implement generate::Triangle iterator
    • Implement generate::Sawtooth iterator
    • Deprecate generate::periodic and generate::periodic_custom
    • Deprecate generate::sinusoidal and generate::sinusoidal_custom

    Note: A recent commit to the Rust nightly build causes compile errors when using empty slices with the Statistics trait, specifically the Statistics::min and Statistics::max methods. This only affects the case where the compiler must infer the type of the empty slice:

    Commits
    • 1a07238 release 0.13.0
    • 6b2c726 fix: formatting, disable discrete test for nbinom for now
    • 660eb9e feat: Add negative binomial distribution (#113)
    • 72c767f fix: dirac docstring tests
    • e929775 feat: Added Dirac Distribution [Feature Request] (#111)
    • 83aa6b5 maintenance: A stab at removing unsafes (#109)
    • 7b20b39 feat: Implement Multivariate Normal Distribution with nalgebra (#100)
    • 49a5209 format: run rustfmt
    • 372ad4d update travis to install correct rustfmt component
    • 2048dc4 release: 0.12.0
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Update color-backtrace requirement from 0.1 to 0.4

    Updates the requirements on color-backtrace to permit the latest version.

    Changelog

    Sourced from color-backtrace's changelog.

    [v0.4.0] (2020-05-06)

    Added

    • BacktracePrinter::format_trace_to_string
    • Ability to add custom frame filter callbacks
      • BacktracePrinter::add_frame_filter
      • BacktracePrinter::clear_frame_filters
      • default_frame_filter
      • Thanks to [@yaahc] for helping out with this!
    • Prefer RUST_LIB_BACKTRACE env var when determining the default verbosity to print non-panic backtraces
      • Also contributed by [@yaahc]

    Changed

    • Rename Settings → BacktracePrinter
    • Move print_backtrace → BacktracePrinter::print_trace
    • Move print_panic_info → BacktracePrinter::print_panic_info
    • Move color_backtrace::failure::print_backtrace → BacktracePrinter::print_failure_trace
    • The majority of old APIs have deprecated shims that forward calls to their new place to ease porting
    • The out setting is no longer part of the BacktracePrinter and instead supplied as an argument to all functions that need it
      • The previous design forced Sync + Send + 'static constraints on any output stream since they are required when registering the panic handler, but are unnecessary when printing to strings
      • As a bonus, all format and print functions no longer require mutable access to the BacktracePrinter instance

    [v0.3.0] (2019-11-12)

    Added

    • Custom ColorScheme support
    • Forward backtrace-rs' gimli-symbolize feature, which is default enabled
      • This is done by adding default-features = false to the Cargo.toml dependency entry for color-backtrace
      • Disabling it reduces transitive dependencies from ~50 → ~10
      • However, you'll pay for it with inaccurate source info on macOS and Linux

    Changed

    • Replace term crate for colorful term printing with termcolor
      • This crate is more actively maintained, has fewer deps and a better API
      • This made adding color scheme support very easy
    • Settings::dim_function_hash_part was replaced
      • Hash part color is now controlled via ColorScheme

    Removed

    • Colorize, ColorizedStderrOutput, StreamOutput, PanicOutputStream
      • This functionality is now all provided by the termcolor crate
    ... (truncated)
    Commits
    • 013102a Semantic versions in since clause of deprecations
    • c23e924 Bump version to v0.4.0 & update changelog
    • 3cdf151 Fix off-by-one in default frame filter
    • eb8ce74 Add support for RUST_LIB_BACKTRACE variable (#38)
    • d8660e9 Provide custom frame filtering options (#37)
    • c5f5e9c Switch CI to GitHub Actions
    • 268b092 Rename PanicPrinter → BacktracePrinter
    • ccc2699 Update examples and changelog
    • f7afbc2 Port failure support & add backward compat shims
    • f31fd90 Refactor public interface
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Update hex requirement from 0.3.2 to 0.4.2

    Updates the requirements on hex to permit the latest version.

    Commits
    • be0c32f fix: Bump to v0.4.2
    • 4bc3e21 Fix compile error on older rustc versions
    • 78359a8 Bump version (v0.4.1)
    • 85fe726 README reworks and copyright dates update
    • 83a0261 tests/serde: Fix test names
    • e8e2506 github-workflows: Improve GitHub Workflow tests.
    • 3b8a77d Add serde support
    • b1d2318 Fix broken tests
    • 764ee61 Fix Error::InvalidHexCharacter::to_string
    • f98cad4 Remove deprecated Error::description implementation
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Update hex requirement from 0.3.2 to 0.4.1

    Updates the requirements on hex to permit the latest version.

    Commits
    • 78359a8 Bump version (v0.4.1)
    • 85fe726 README reworks and copyright dates update
    • 83a0261 tests/serde: Fix test names
    • e8e2506 github-workflows: Improve GitHub Workflow tests.
    • 3b8a77d Add serde support
    • b1d2318 Fix broken tests
    • 764ee61 Fix Error::InvalidHexCharacter::to_string
    • f98cad4 Remove deprecated Error::description implementation
    • fff3af1 Improvements to tests
    • 34fdc9a Minor improvements to the documentation (#31)
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 1
  • Update rand requirement from 0.6.5 to 0.7.3

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.7.3] - 2020-01-10

    Fixes

    • The Bernoulli distribution constructors now report an error on NaN and on denominator == 0. (#925)
    • Use std::sync::Once to register fork handler, avoiding possible atomicity violation (#928)
    • Fix documentation on the precision of generated floating-point values

    Changes

    • Unix: make libc dependency optional; only use fork protection with std feature (#928)

    Additions

    • Implement std::error::Error for BernoulliError (#919)

    [0.7.2] - 2019-09-16

    Fixes

    • Fix dependency on rand_core 0.5.1 (#890)

    Additions

    • Unit tests for value stability of distributions added (#888)

    [0.7.1] - 2019-09-13

    Yanked

    This release was yanked since it depends on rand_core::OsRng added in 0.5.1 but specifies a dependency on version 0.5.0 (#890), causing broken builds when updating from rand 0.7.0 without also updating rand_core.

    Fixes

    • Fix no_std behaviour, appropriately enable c2-chacha's std feature (#844)
    • alloc feature in no_std is available since Rust 1.36 (#856)
    • Fix or squelch issues from Clippy lints (#840)

    Additions

    • Add a no_std target to CI to continuously evaluate no_std status (#844)
    • WeightedIndex: allow adjusting a sub-set of weights (#866)

    [0.7.0] - 2019-06-28

    Fixes

    • Fix incorrect pointer usages revealed by Miri testing (#780, #781)
    • Fix (tiny!) bias in Uniform for 8- and 16-bit ints (#809)

    Crate

    • Bumped MSRV (min supported Rust version) to 1.32.0
    • Updated to Rust Edition 2018 (#823, #824)
    • Removed dependence on rand_xorshift, rand_isaac, rand_jitter crates (#759, #765)
    • Remove dependency on winapi (#724)
    • Removed all build.rs files (#824)
    • Removed code already deprecated in version 0.6 (#757)
    • Removed the serde1 feature (It's still available for backwards compatibility, but it does not do anything. #830)
    • Many documentation changes
    ... (truncated)
    dependencies 
    opened by dependabot-preview[bot] 1
  • Update rand requirement from 0.7.3 to 0.8.4

    Updates the requirements on rand to permit the latest version.

    Changelog

    Sourced from rand's changelog.

    [0.8.4] - 2021-06-15

    Additions

    • Use const-generics to support arrays of all sizes (#1104)
    • Implement Clone and Copy for Alphanumeric (#1126)
    • Add Distribution::map to derive a distribution using a closure (#1129)
    • Add Slice distribution (#1107)
    • Add DistString trait with impls for Standard and Alphanumeric (#1133)

    Other

    • Reorder asserts in Uniform float distributions for easier debugging of non-finite arguments (#1094, #1108)
    • Add range overflow check in Uniform float distributions (#1108)
    • Deprecate rngs::adapter::ReadRng (#1130)

    [0.8.3] - 2021-01-25

    Fixes

    • Fix no-std + alloc build by gating choose_multiple_weighted on std (#1088)

    [0.8.2] - 2021-01-12

    Fixes

    • Fix panic in UniformInt::sample_single_inclusive and Rng::gen_range when providing a full integer range (eg 0..=MAX) (#1087)

    [0.8.1] - 2020-12-31

    Other

    • Enable all stable features in the playground (#1081)

    [0.8.0] - 2020-12-18

    Platform support

    • The minimum supported Rust version is now 1.36 (#1011)
    • getrandom updated to v0.2 (#1041)
    • Remove wasm-bindgen and stdweb feature flags. For details of WASM support, see the getrandom documentation. (#948)
    • ReadRng::next_u32 and next_u64 now use little-Endian conversion instead of native-Endian, affecting results on Big-Endian platforms (#1061)
    • The nightly feature no longer implies the simd_support feature (#1048)
    • Fix simd_support feature to work on current nightlies (#1056)

    Rngs

    • ThreadRng is no longer Copy to enable safe usage within thread-local destructors (#1035)
    • gen_range(a, b) was replaced with gen_range(a..b). gen_range(a..=b) is also supported. Note that a and b can no longer be references or SIMD types. (#744, #1003)
    • Replace AsByteSliceMut with Fill and add support for [bool], [char], [f32], [f64] (#940)
    • Restrict rand::rngs::adapter to std (#1027; see also #928)
    • StdRng: add new std_rng feature flag (enabled by default, but might need to be used if disabling default crate features) (#948)
    • StdRng: Switch from ChaCha20 to ChaCha12 for better performance (#1028)
    • SmallRng: Replace PCG algorithm with xoshiro{128,256}++ (#1038)

    Sequences

    ... (truncated)

    Commits
    • 8792268 Merge pull request #1137 from rust-random/work2
    • 1bfc53d Update changelogs and bump version numbers
    • 4534311 Merge pull request #1133 from rust-random/work2
    • 81f1af8 Correct usage of reserve
    • fa17d1c Add comment to append_string for Standard
    • b4c1d66 Add DistString
    • 1947c89 Move Distribution trait and associates to sub-module
    • 98a0339 Merge pull request #1135 from dhardy/work
    • a7f8fb7 Prepare rand_chacha v0.3.1 release
    • 09d3df3 Merge pull request #1130 from dhardy/work
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot-preview[bot] 0
  • Update statrs requirement from 0.13.0 to 0.14.0

    Updates the requirements on statrs to permit the latest version.

    Changelog

    Sourced from statrs's changelog.

    v0.14.0

    • upgrade rand dependency to 0.8
    • fix inaccurate sampling of Gamma
    • Implemented Empirical distribution
    • Implemented Laplace distribution
    • Removed Checked* traits
    • Almost clippy-clean
    • Almost fully enabled rustfmt
    • Begin applying consistent numeric relative-accuracy targets with the approx crate
    • Introduce macro to generate testing boilerplate, yet not all tests use this yet
    • Moved to dynamic vectors in the MultivariateNormal distribution
    • Reduced a number of distribution-specific traits into the Distribution and DiscreteDistribution traits

    v0.13.0

    • Implemented MultivariateNormal distribution (depends on nalgebra 0.19)
    • Implemented Dirac distribution
    • Implemented Negative Binomial distribution

    v0.12.0

    • upgrade rand dependency to 0.7

    v0.11.0

    • upgrade rand dependency to 0.6
    • Implement CheckedInverseCDF and InverseCDF for Normal distribution

    v0.10.0

    • upgrade rand dependency to 0.5
    • Removes the Distribution trait in favor of the rand::distributions::Distribution trait
    • Removed functions deprecated in 0.8.0 (periodic, periodic_custom, sinusoidal, sinusoidal_custom)

    v0.9.0

    • implemented infinite sequence generator for periodic sequence
    • implemented infinite sequence generator for sinusoidal sequence
    • implemented infinite sequence generator for square sequence
    • implemented infinite sequence generator for triangle sequence
    • implemented infinite sequence generator for sawtooth sequence
    • deprecate old non-infinite iterators in favor of new infinite iterators with take
    • Implemented Pareto distribution
    • Implemented Entropy trait for the Categorical distribution
    • Add a checked_ interface to all distribution methods and functions that may panic

    v0.8.0

    • cdf(x), pdf(x) and pmf(x) now return the correct value instead of panicking when x is outside the range of values that the distribution can attain.
    • Fixed a bug in the Uniform distribution implementation where samples were drawn from range [min, max + 1) instead of [min, max]. The samples are now drawn correctly from the range [min, max].
    • Implement generate::log_spaced function

    ... (truncated)

    dependencies 
    opened by dependabot-preview[bot] 0
  • Upgrade to GitHub-native Dependabot

    Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, please merge this PR and migrate to GitHub-native Dependabot before then.

    Dependabot has been fully integrated into GitHub, so you no longer have to install and manage a separate app. This pull request migrates your configuration from Dependabot.com to a config file, using the new syntax. When merged, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

    With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates, and you'll configure Dependabot through the new config file rather than a UI.

    If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

    Learn more about migrating to GitHub-native Dependabot

    Please note that regular @dependabot commands do not work on this pull request.

    dependencies 
    opened by dependabot-preview[bot] 0
  • Update color-backtrace requirement from 0.4.2 to 0.5.1

    Updates the requirements on color-backtrace to permit the latest version.

    Changelog

    Sourced from color-backtrace's changelog.

    [v0.5.1] (2021-04-25)

    • Add the ability to print module_name:offset, or address of frame

    [v0.5.0] (2020-11-21)

    • Add __rust_begin_short_backtrace filter
    • Remove experimental failure support

    [v0.4.2] (2020-05-19)

    Added

    • Clone and Debug impls for BacktracePrinter
    • COLORBT_SHOW_HIDDEN env variable, disabling frame filtering

    [v0.4.1] (2020-05-08)

    Fixed

    • Use correct verbosity level for string formatting
    • Fix off-by-one in frame hiding code
      • Hides one additional post-panic frame
    • Slightly improved doc

    [v0.4.0] (2020-05-06)

    Added

    • BacktracePrinter::format_trace_to_string
    • Ability to add custom frame filter callbacks
      • BacktracePrinter::add_frame_filter
      • BacktracePrinter::clear_frame_filters
      • default_frame_filter
      • Thanks to @yaahc for helping out with this!
    • Prefer RUST_LIB_BACKTRACE env var when determining the default verbosity to print non-panic backtraces

    Changed

    • Rename Settings → BacktracePrinter
    • Move print_backtrace → BacktracePrinter::print_trace
    • Move print_panic_info → BacktracePrinter::print_panic_info
    • Move color_backtrace::failure::print_backtrace → BacktracePrinter::print_failure_trace
    • The majority of old APIs have deprecated shims that forward calls to their new place to ease porting
    • The out setting is no longer part of the BacktracePrinter and instead supplied as an argument to all functions that need it
      • The previous design forced Sync + Send + 'static constraints on any output stream since they are required when registering

    ... (truncated)

    Commits
    • f8dbec3 Update CHANGELOG, bump version
    • d25c611 Add the ability to print module_name:offset, or address of frame (#44)
    • dc53c08 Bump version to v0.5
    • a7240e7 Remove experimental failure support
    • c68832a Add badge for Apache license
    • 390e22b Add __rust_begin_short_backtrace filter
    • See full diff in compare view

    dependencies 
    opened by dependabot-preview[bot] 0
  • Update rolling-stats requirement from 0.3.0 to 0.4.0

    Updates the requirements on rolling-stats to permit the latest version.

    Commits
    • 8bb49c9 (cargo-release) version 0.4.0
    • 0c1c23e implement display for stats object, add merge function
    • See full diff in compare view

    dependencies 
    opened by dependabot-preview[bot] 0
  • wasm error on `sidefuzz` execution

    Hi, I'm trying to sidefuzz the sha3 implementation of RustCrypto, but it gives the following error: `Error: wasm error: Function: Module doesn't have export input_is_str`. Here is the code:

    use sha3::{Digest, Sha3_512};
    
    #[no_mangle]
    pub extern "C" fn fuzz() {
      let input = sidefuzz::fetch_input(80);
      sidefuzz::black_box(Sha3_512::default().chain(input).result());
    }
    

    Do you know what is going wrong?

    opened by niluxv 3
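
The error in the issue above says the compiled module has no export named `input_is_str`. As an added example (not part of the issue and not SideFuzz's own code), this stand-alone parser lists the function exports of a wasm binary so the claim can be checked directly; `SAMPLE` is a constructed module, and the names `read_u32`, `exported_functions` and `has_function_export` are this example's own.

```rust
// Constructed sample: minimal module exporting function "fuzz" and memory "memory".
const SAMPLE: &[u8] = &[
    0, b'a', b's', b'm', 1, 0, 0, 0, 1, 4, 1, 0x60, 0, 0, 3, 2, 1, 0, 5, 3, 1, 0, 1,
    7, 17, 2, 4, b'f', b'u', b'z', b'z', 0, 0, 6, b'm', b'e', b'm', b'o', b'r', b'y', 2, 0,
    10, 4, 1, 2, 0, 0x0b,
];

/// Decode an unsigned LEB128 u32 at `*pos`, advancing `*pos`.
fn read_u32(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let mut value = 0u32;
    for shift in (0..35).step_by(7) {
        let byte = *buf.get(*pos)?;
        *pos += 1;
        value |= u32::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 {
            return Some(value);
        }
    }
    None // more than 5 bytes: malformed
}

/// Names of all function exports in a wasm binary; None if the binary is malformed.
fn exported_functions(wasm: &[u8]) -> Option<Vec<String>> {
    if wasm.len() < 8 || !wasm.starts_with(b"\0asm") {
        return None;
    }
    let (mut pos, mut names) = (8, Vec::new());
    while pos < wasm.len() {
        let mut p = pos + 1; // skip the one-byte section id
        let size = read_u32(wasm, &mut p)? as usize;
        let end = p.checked_add(size).filter(|&e| e <= wasm.len())?;
        if wasm[pos] == 7 { // export section: vector of (name, kind, index)
            for _ in 0..read_u32(wasm, &mut p)? {
                let len = read_u32(wasm, &mut p)? as usize;
                let name = wasm.get(p..p.checked_add(len)?)?;
                if *wasm.get(p + len)? == 0 { // kind 0 = function
                    names.push(String::from_utf8_lossy(name).into_owned());
                }
                p += len + 1;
                read_u32(wasm, &mut p)?; // export index, not needed here
            }
        }
        pos = end;
    }
    Some(names)
}

/// Whether the module exports a function called `name`.
fn has_function_export(wasm: &[u8], name: &str) -> Option<bool> {
    Some(exported_functions(wasm)?.iter().any(|n| n == name))
}

fn main() {
    println!("input_is_str exported: {:?}", has_function_export(SAMPLE, "input_is_str"));
}
```

To inspect a real target, read the compiled `.wasm` file with `std::fs::read` and pass the bytes in place of `SAMPLE`.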
Owner
Patrick Hayes
Secure Code, Cryptography, Voting