@fitzgen (he/him) hey so I've been looking again at the fuzzers for other repos other than wasmtime which aren't hooked up to oss-fuzz
and I was struck with an idea, what if we used github actions to fuzz everything?
like on a cron job?
I've got a loose idea that looks like this -- https://github.com/alexcrichton/wasm-tools/blob/fdd674a95ac8aa9963e6f7da316393775e07814e/.github/workflows/fuzz.yml
where you basically drop that file in your repo
and all of a sudden you're continuously running fuzzers
yeah I'm thinking we'd do like a daily cron job
where it builds all the fuzzers then forks off a bunch of parallel targets to run each fuzzer
and if anything fails it automatically uploads crash logs as well as files an issue
e.g. https://github.com/alexcrichton/wasm-tools/issues/1
wdyt about doing this for things like walrus/wasmparser/etc?
one thing I don't know what to do about is the corpus
I'm also not sure whether it's worth it to run all the fuzzers in separate builders
b/c it means I can't easily use cargo fuzz
to run the fuzzers, which seems like a bummer
semi related: I just set up gimli's CI for fuzzing so that it builds all fuzz targets in one job, and then runs each one in N parallel jobs: https://github.com/gimli-rs/gimli/pull/512/commits/b7d1a194c6c4742f69ee77f3c0e3afb532fa84ab
also, if fuzzing finds a crash/panic/etc, it uploads the failing input as an artifact that you can download for debugging
I think you and I just converged on the same thing
one thing I don't know what to do about is the corpus
I think a separate repo, like we do with wasmtime (and I also did with gimli) is the way to go
I think we can be better about triggers tho, than what you have sketched out
one sec
it'd be awesome if we could package this all up and put it in the cargo-fuzz org
so we just slap a "here's a tiny snippet to include" and it just runs
we can actually use a scheduled thing, instead of a weird auto-fuzz branch
it'd be awesome if we could package this all up and put it in the cargo-fuzz org
totally
oh auto-fuzz is just my own local testing
:+1:
I was thinking it might be best to not do this on PRs since it'd slow them down
but should be easy enough to queue it up for pushes to master
in that ideally we'd let the fuzzers run for like an hour
oh nice, you auto open an issue!
that's sweet
the time limit for an action is like 50 minutes or something, right?
we could probably just do a cron job every hour to fuzz for ~40 minutes
also, maybe makes sense to do a corpus minification run once per day, and push that back to the corpus repo
apparently it's 6 hours (!)
this would eat into the max parallism of the repo so I don't think we'd want it running semi-permanently
but man auto-compaction would be nice
I'd ideally like the corpus to auto-expand over time too
for relatively low-volume repos, like wasm-tools, I think it would be fine modulo maybe not running every fuzz target in parallel
so libfuzzer automatically adds to the corpus, right?
expanding the corpus is just
cd corpus
git add .
git commit -m "update corpus"
git push
after fuzzing
so libfuzzer automatically adds to the corpus, right?
when it finds inputs that trigger new code paths, yes
ah ok
I do think a downside of this though is it'll just keep reporting the same bugs once it hits a crash
b/c it won't know it's already reported
yeah, oss-fuzz has a lot of nice bug de-dupe infra, even if it doesn't understand rust's backtraces very well
ideally we'd just hook up more projects to oss-fuzz
but it seems like that's somewhat higher overhead...
I don't think that should be too hard; I saw that serde is in their now too
oh interesting...
I found https://google.github.io/oss-fuzz/getting-started/continuous-integration/ as well btw
which we may want to consider for wasmtime if it doesn't take too too long
Alex Crichton said:
I found https://google.github.io/oss-fuzz/getting-started/continuous-integration/ as well btw
oh nice! I think this is pretty new, because I don't remember seeing it in their docs when I last browsed them
yeah same
hm ok I'll probably hold off on this sort of continuous fuzzing for now
mainly b/c of the issue spam possibility
yeah, I think in conclusion, testing the waters with more oss-fuzz integration is probably the way to go, and if that doesn't work out, then investigate a github actions-based thing
looking at https://github.com/google/oss-fuzz/pull/3785 tbh it looks like you don't even need a formal request
that was just a PR
Do we know GitHub's position on this kind of usage pattern? I.e., could there be a concern of them seeing it as improper use of resources?
We don't know their position, but I find it unlikely that they would think of it as improper use, and even if they did, I don't think they would be angry so much as chagrinned and apologetic.
Last updated: Dec 23 2024 at 14:03 UTC