[Fuzzing] using cifuzz for PR #154

Merged
merged 1 commit into from
Jul 27, 2023

@0x34d (Contributor) commented Jul 27, 2023

using cifuzz for fuzzing PR.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@benhoyt (Owner) commented Jul 27, 2023

@0x34d Could you please describe the PR in a bit more detail? Specifically, does the building and fuzzing run happen on Google's servers? Will it just run for 5 minutes and then stop?

What happens on failure? Can we introduce a failure temporarily to test that? What is "SARIF", and where is it uploaded?

@0x34d (Contributor, Author) commented Jul 27, 2023

> does the building and fuzzing run happen on Google's servers?

The main fuzzing happens on the Google ClusterFuzz servers.

> Will it just run for 5 minutes and then stop?

Yes, it will check/fuzz PRs that change the fuzzer coverage code.

> What happens on failure?

Well, if it fails, there is a bug in the PR. And it will give you an output file that can reproduce the bug.

> Can we introduce a failure temporarily to test that?

Well, you can add an abort to LLVMFuzzerTestOneInput and see what happens.

But not now, after this: google/oss-fuzz#10752.

> What is "SARIF", and where is it uploaded?

SARIF is a system used by oss-fuzz to upload fuzzer coverage and bug reports in PRs to the oss-fuzz infrastructure.
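
For reference, a CIFuzz GitHub Actions workflow of the kind discussed in the questions above, as an added example that is not the workflow file from this pull request. The project name `example-project` and `language: c` are placeholders, and `fuzz-seconds: 300` is assumed from the 5-minute run mentioned in the thread.

```yaml
# Added example: not the workflow from this PR. Placeholder values are marked.
name: CIFuzz
on: [pull_request]

permissions: {}                 # start from no token permissions

jobs:
  Fuzzing:
    runs-on: ubuntu-latest
    permissions:
      security-events: write    # needed only for the SARIF upload step
    steps:
      - name: Build Fuzzers
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: 'example-project'  # placeholder: the project's OSS-Fuzz name
          language: c                               # assumption: language of the fuzz targets

      - name: Run Fuzzers
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: 'example-project'  # placeholder: must match the build step
          language: c
          fuzz-seconds: 300     # assumed: the 5-minute budget asked about in the thread
          output-sarif: true    # write findings as a SARIF report

      # If a fuzzer crashes, the run step fails and the reproducer input is kept.
      - name: Upload Crash
        uses: actions/upload-artifact@v3
        if: failure() && steps.build.outcome == 'success'
        with:
          name: artifacts
          path: ./out/artifacts

      # Publishes the SARIF report to the repository's code scanning results.
      - name: Upload Sarif
        if: always() && steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: cifuzz-sarif/results.sarif
          checkout_path: cifuzz-sarif
```

Pinning the three actions to a commit SHA instead of a moving ref such as `@master` narrows the workflow's supply-chain exposure.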

@benhoyt (Owner) commented Jul 27, 2023

Hmmm, I'm not sure what I'm signing up for here. Will I need to start interpreting and fixing fuzz test cases, like the one that I was just emailed? https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60878 and https://oss-fuzz.com/testcase-detail/5200064623280128

I like the idea of fuzzing, but I have limited time to decipher and analyse. Maybe (if you're keen on this), it is better to do this based on your fork, and then you can submit bug-fix PRs to my repo if you like.

@0x34d 0x34d closed this Jul 27, 2023
@0x34d 0x34d deleted the cifuzz branch July 27, 2023 15:50
@0x34d 0x34d restored the cifuzz branch July 27, 2023 15:50
@0x34d 0x34d reopened this Jul 27, 2023
@0x34d (Contributor, Author) commented Jul 27, 2023

> Hmmm, I'm not sure what I'm signing up for here.

Well, it's actually complicated.

> Will I need to start interpreting and fixing fuzz test cases, like the one that I was just emailed? https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60878 and https://oss-fuzz.com/testcase-detail/5200064623280128

DONE: #156

> I like the idea of fuzzing, but I have limited time to decipher and analyse. Maybe (if you're keen on this), it is better to do this based on your fork, and then you can submit bug-fix PRs to my repo if you like.

They have a 90-day timeline. You, I, or anyone else (after 90 days) can fix those bugs.

And if you don't like the idea of PR-fuzzing, you can close this PR.

Update: google/oss-fuzz#10752 is merged.

@benhoyt (Owner) commented Jul 27, 2023

Sure, why not. I can try it for a while, at any rate.

@benhoyt benhoyt merged commit bf103d8 into benhoyt:master Jul 27, 2023
benhoyt added a commit that referenced this pull request Apr 24, 2024