-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integration with google/oss-fuzz for continuous fuzz testing #775
Comments
Fuzzing is definitely welcome! I personally don't know much about setting one up and it is great that you offer to help. Let me know what you need and I can set things up your way. |
Cool, there is an application process for google/oss-fuzz. I'm pretty confident that this project will get accepted as it is quite popular. A few notes that I should have included in my original message;
I can complete the application on your behalf. To do this I'll need the following from you;
I'll put together a draft PR shortly so that you can see what all this would look like. |
Opened a draft PR with oss-fuzz here google/oss-fuzz#11189 once marked as not a draft this will act as both;
|
I have registered |
Yeah that should work :) |
OK, the PR is merged. |
Perfect I've marked the oss-fuzz application/integration as ready for review google/oss-fuzz#11189 |
What should I do now? |
Nothing for the moment, the oss-fuzz team will either reject/accept google/oss-fuzz#11189. Usually they respond within a couple of weeks but if not I'll ping them. Once that all goes through there won't be much more to do except improve the fuzzers and fix bugs. After it's merged you'll start receiving bug reports on the gmail email address you created and you'll get access to the dashboard for rhai here https://oss-fuzz.com/login Thanks for being so responsive with all this it definitely helps when things have some momentum. |
Looks like everything is up and running. I got a couple of emails this morning with bug reports, so you should be able to login in to the the dashboard and take a look at those. Let me know if you have any further questions, or need help interpreting the bug reports:) |
Help will be great, as I don't even know how to login to the dashboard... |
No worries, so head on over to https://oss-fuzz.com/login you'll be able to login with the [email protected] email address that you created. You'll see something like this; Clicking on the "open crashes" will give you a rundown of the bugs that the fuzzer has found. The crash statistics can also be useful to get general trends as to how the fuzzer is handling things. |
I clicked on the links from the emails and I successfully logged on to the dashboard. I can now see the crash reports. They have great! They can really catch edge cases. |
Fuzzing has been great to catch subtle bugs that sneaked through unit testing! Thanks for setting this up! |
No worries. I'm going to take a look at this one tomorrow. Seems like it's either.
Let me know if you need help reproducing any of these bugs these locally. Its not always entirely obvious. |
Well, yes, this one is timed out, but I think probably due to complexity, as by default Rhai does not put a limit on operations count, so very complex expressions can run the parser for a long time... Others, such as the stack overflows, are bugs, which I already fixed. Thanks to fuzzing! |
Yeah I attempted to put a hard limit on the time here. So there is either a bug in my timeout code, or there a single operations is stuck taking more than 60s.
Are you certain that you fixed these bugs? Usually oss-fuzz will automatically detect if a bug is fixed and close each issue. This hasn't happened. So either there is a bug in oss-fuzz's bugfix detection system or the bugs haven't been fixed correctly. Just as a note, there have been a few issues with oss-fuzz's bugfix detection for rust in the last few months, so it's not entirely outlandish to think we might have run into one now. But if you are certain they are fixed but it's not being picked up we should file an issue with oss-fuzz. |
Oh, I fixed the bugs in my own dev repo. I haven't pushed it to master yet. I'll do that. |
@silvergasp I have found that, even though I pushed new commits to the trunk, oss-fuzz continues to use an older commit for new tasks or progression tasks. Do you know how to force it to use the latest commit? |
Hmm it should be using the latest commit. I'll look into it. It has definitely updated recently as I saw that those bugs that you fixed where marked as fixed automatically. But I'll look into it and make sure. |
So I can confirm that it is indeed downloading the latest commit each night. If you go to the build-status page here and ctrl-F search for 'GIT_REV' you'll see the latest commit that was used.
|
Ah OK. I realize that I just have to wait until it builds the latest. Thanks! |
@silvergasp As far as I can tell, the time-out bugs were triggered based on a very very long and very very complicated script that causes the parser to run for a long time. Although Rhai controls run time, it does not control parsing time, because it is easy to reject long scripts before it gets to the parser. I suggest we limit the input script length? Not sure how we can set this in the config... |
Also, I wonder whatever happens to the |
Seems reasonable to me. We can probably just truncate the input string in the fuzzer itself. The fuzzer will learn that passing in larger scripts won't actually improve vicarage. |
You should be able to see which value is used in the debug outputs. I'll post some instructions when I'm in front of a computer. |
Ah apologies this slipped my, mind and now that I'm testing it all, I'm not sure why it's not printing the debug output when in repro mode... It's a little odd. It's easy enough to hack around e.g. just print the ctx object and then run the reproduction again. println!("{ctx:?}"); You just probably wouldn't want to leave print statement in while fuzzing as it'll slow things down unnecesarily. So the steps would look something like this;
For whatever reason, when you find a bug for the first time while running cargo fuzz it'll print the debug representation for the crashing input. However when reproducing the bug as described above it doesn't... I'm going to open up an issue with rust-fuzz, as I feel like this is a bug. I don't see any reason to omit the debug print in reproduce mode. |
Also as mentioned earlier, I've opened up a PR that will add fuzzing to the CI here #790 |
Regarding not being able to see the |
@silvergasp There seems to be a new bug for oss-fuzz. Data that contains invalid UTF8, when converted to String input, will crash at input preparation stage. |
Sorry I missed this one. I'm not sure that I understand the problem you've mentioned do you mind expanding on this a little? Also re your query about printing the Ctx inputs I got a response from oss-fuzz here. Looks like it's pretty simple just |
I believe my problem is not related to |
@silvergasp crash https://oss-fuzz.com/testcase-detail/6378147608068096 is a time-out. However, since it is mocking an object, is there any way to actually print out the object before running the fuzz? What if we put in a Otherwise there won't be any way to tell what is causing the runaway behavior -- although I believe it is probably due to printing large structures over and over again and concatnating into strings... |
I don't think the
|
Well, it says like this:
|
Are you sure you ran it with |
Also this looks like it was run on windows, which doesn't support some sanitizer's maybe that's the problem. Do you have WSL installed? |
No... Maybe I can use it on code space... Or can you run it on your computer? I've attached the two test cases. |
Hey Rhai Team,
I hope this message finds you well. I've been following along with Rhai for some time now, and I've really enjoyed using it in one of my side projects. I'd like to suggest and champion an effort to set up some basic fuzz-testing and combine it with google/oss-fuzz for continuous fuzzing. I'm fully aware that you are very busy and I don't want to overload your review/maintenance capacity by introducing too many new ideas. Is this a bad time to discuss potential security/reliability improvements?
If your not familiar with fuzzing or oss-fuzz I've included a few brief notes below.
Benefits of Fuzz-Testing
Google/oss-fuzz for Continuous Fuzzing
I’d be more than happy to lead the effort in integrating fuzz testing with Rhai and assist in any way required.
As a proof of concept I created a super simple minimal fuzz harness for the Rhai in #774
The text was updated successfully, but these errors were encountered: