Fuzzing - tsafin/tarantool GitHub Wiki

Introduction

Tarantool is integrated with OSS-Fuzz in the scope of ticket #1809. OSS-Fuzz is a continuous fuzzing service for open source software. To get access to the fuzzing results, your email must be listed in the Tarantool project.yml file in the oss-fuzz repository. The fuzzing results are available in the OSS-Fuzz ClusterFuzz web interface; see the OSS-Fuzz new project guide on reviewing results for more details. The ClusterFuzz web UI contains testcase reports, fuzzer stats, coverage reports, a performance analyzer and crash stats. See https://google.github.io/oss-fuzz/further-reading/clusterfuzz/

Add new fuzzers

Fuzzers live in the main repository in the directory test/fuzz/. New tests can be added alongside the existing ones. Our fuzzers use the LibFuzzer library, which is well documented on the LLVM site; it is worth getting familiar with it before writing a new test. To make testing more effective, create a corpus for the fuzzer to use. Corpora live in test/static/corpus. Usually a corpus consists of files that are real input examples for the fuzzed function: for a function that parses URIs these are different URI examples, for CSV parsers different examples of comma-separated strings and symbols, and so on. It is important to minimize each example before committing it to the repository; this can be done with the option -merge=1, see the appropriate section of the LibFuzzer documentation. Before running the fuzzers, OSS-Fuzz builds a binary for each fuzzer and packs each fuzzer's corpus into a separate archive, see build.sh.

To get familiar with LibFuzzer, take a look at the LibFuzzer Tutorial; it is also highly recommended to read what makes a good fuzz target.
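As an added example (not Tarantool's own code), this is what a LibFuzzer target in the style of those in test/fuzz/ looks like: the entry point copies the input into a tightly sized heap buffer so ASan catches over-reads, runs the parser, and asserts an invariant that must hold for every input. csv_count_fields() is a hypothetical toy CSV parser standing in for the real function under test.

```c
/* Added example of a LibFuzzer target in the style of test/fuzz/,
 * not Tarantool's own code. csv_count_fields() is a hypothetical
 * toy parser standing in for the function under test. */
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Count comma-separated fields in one record; commas inside a
 * double-quoted field do not split, and "" inside quotes is an escape. */
size_t csv_count_fields(const char *s, size_t len)
{
    size_t fields = 1;
    int quoted = 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (quoted) {
            if (c == '"' && i + 1 < len && s[i + 1] == '"')
                i++;            /* escaped quote, stay in the field */
            else if (c == '"')
                quoted = 0;     /* closing quote */
        } else if (c == '"') {
            quoted = 1;
        } else if (c == ',') {
            fields++;
        }
    }
    return fields;
}

/* LibFuzzer entry point. The input is copied into a heap buffer of
 * exactly size + 1 bytes so that an over-read in the parser is caught
 * by ASan instead of silently reading the fuzzer's own memory. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *buf = malloc(size + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    size_t fields = csv_count_fields(buf, size);
    /* Invariant checked on every input: a record has at least one
     * field and never more fields than commas plus one. */
    size_t commas = 0;
    for (size_t i = 0; i < size; i++)
        commas += (data[i] == ',');
    assert(fields >= 1 && fields <= commas + 1);
    free(buf);
    return 0;   /* values other than 0 are reserved by LibFuzzer */
}
```

Build it with clang -fsanitize=fuzzer,address and seed it from a corpus directory as the How-To below does for csv_fuzzer; a failed assert or an ASan report becomes a crash testcase with the offending input saved beside it.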

Running fuzzers

Fuzzers can be run in three ways:

  • Run the fuzzers on a development machine. To build Tarantool with fuzzing tests, pass the option -DENABLE_FUZZER=ON to CMake. It is highly recommended to enable sanitizers as well to make testing more effective; see the CMake options for the supported sanitizers. Note that running fuzzers may be a time-consuming operation, although you can set a time limit with an option passed to the fuzzer binary. Fuzzing is available with Clang only; GCC has no support for it.

How-To Use:

    # Build with the fuzzers and ASan enabled, using Clang
    $ mkdir build && cd build
    $ cmake -DENABLE_FUZZER=ON \
            -DENABLE_ASAN=ON \
            -DCMAKE_BUILD_TYPE=Debug \
            -DCMAKE_C_COMPILER="/usr/bin/clang" \
            -DCMAKE_CXX_COMPILER="/usr/bin/clang++" ..
    $ make -j
    # Run one fuzzer, seeding it from its corpus directory
    # (-workers only runs in parallel when -jobs is also given)
    $ ./test/fuzz/csv_fuzzer -workers=4 ../test/static/corpus/csv

Fixing fuzzing bugs

It is important to note that bugs found by fuzzing on OSS-Fuzz have a limited time to be fixed, see the bug disclosure guidelines. To fix an issue, one needs to reproduce it, debug it if required, and create a patch for review. The sections on debugging issues and reproducing issues in the OSS-Fuzz documentation are helpful here.