You can use C-Reduce for any language

[bqmjjx0kac]

Yes, and without understanding how it works, I'm left wondering whether it's even safe to use this way. Will creduce execute mutated versions of the input script, potentially deleting my files or eating my lunch?

[None4U]

it will execute whatever script you pass it (immutable) and mutate whatever other files you pass it

[defen]

I think the question is, how do you know C-reduce isn't going to mutate your test case into calling `remove("/path/to/my/important/file");`

[frabert]

C-reduce is meant to... Reduce your files, it would not add stuff that was not there in the first place. Also, I think it's meant to only be run against the "frontend" of most languages, not full execution

[chubot]

Yeah but you could have a shell script that does

    rm -rf /foo/bar

and in theory it could reduce it to

    rm -rf /

The passes are very heuristic, so that doesn't seem like something you can rule out.

(and I actually want to run it on shell scripts! )

[Cieric]

While I've used c-reduce before, I've never done it in a way where it could be destructive. However speculating based on what I do know. I think the 2 things I would do would be in the interesting-ness test, grep for already known harmful instructions and force them to be uninteresting (returning 1). And then if I was still unsure of the potential harm of the program and I had to run it to determine if it's interesting or not (segfault or something similar). I think I would hoist the binary/script into a docker container and run it there. That way the log and result can still be checked, but it's access to actual file system is minimized as much as possible.

TLDR; C-Reduce just gives you text to run/compile, if you're worried about things like that sandbox as much as possible.

[btilly]

So just run it inside of a Docker instance.