OSS-Fuzz
========
Platform overview
-----------------
`OSS-Fuzz `_ is Google's free fuzzing platform for open source
software.
It runs librsvg's :source:`fuzz targets ` to help
detect reliability issues.
Google provides public `build logs `_
and `fuzzing stats `_, but most
of the details about bug reports and fuzzed testcases require approved access.
Gaining access
^^^^^^^^^^^^^^
The configuration files for the OSS-Fuzz integration can be found in the
`OSS-Fuzz repository `_.
The ``project.yaml`` file controls who has access to bug reports and testcases.
Ping the maintainer if you'd like to be added to the list (note: a Google account is required for
access).
Fuzzing progress
----------------
Once you have access to OSS-Fuzz, you can log in to https://oss-fuzz.com/ with your Google account
to see a dashboard of librsvg's fuzzing progress.
Testcases
^^^^^^^^^
The dashboard contains a link to a `testcases page `_
that lists all testcases that currently trigger a bug in librsvg.
Every testcase has a dedicated page with links to view and download a minimized testcase for
reproducing the failure.
Each testcase page also contains a stacktrace for the failure and stats about how often the failure
is encountered while fuzzing.
Reproducing a failure
"""""""""""""""""""""
You can download a minimized testcase and run it with a local fuzz target to debug a failure on your
machine.
For example, to reproduce a failure with the ``render_document`` fuzz target, you can run a command
like this: ``cargo fuzz run render_document minimized.svg``
Individual fuzz targets can also be run inside of a debugger for further debugging information:
.. code:: bash
FUZZ_TARGET=$(find ./target/*/release/ -type f -name render_document)
gdb --args "$FUZZ_TARGET" minimized.svg
If the failure does not reproduce locally, you can try reproducing the issue in an OSS-Fuzz
container:
.. code:: bash
git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz
python infra/helper.py build_image librsvg
python infra/helper.py build_fuzzers librsvg
python infra/helper.py reproduce librsvg render_document minimized.svg
Code coverage
^^^^^^^^^^^^^
The dashboard also links to code coverage data for individual fuzz targets and combined code
coverage data for all targets (click on the "TOTAL COVERAGE" link for the combined data).
The combined coverage data is helpful for identifying coverage gaps, insufficient corpus data, and
potential candidates for future fuzz targets.
Bug reports
^^^^^^^^^^^
Bug reports for new failures are automatically filed in the OSS-Fuzz bug tracker with a
`librsvg label `_.
Make sure you are logged in to view all existing issues.
Build maintenance
-----------------
Google runs compiled fuzz targets on Google Compute Engine VMs.
This architecture requires each project to provide a ``Dockerfile`` and ``build.sh`` script to
download code, configure dependencies, compile fuzz targets, and package any corpus files.
librsvg's build files can be found in the
`OSS-Fuzz repo `_.
If dependencies change or if new fuzz targets are added, then you may need to modify the build files
and build a new Docker image for OSS-Fuzz.
Building an image
^^^^^^^^^^^^^^^^^
Use the following commands to build librsvg's OSS-Fuzz image and fuzz targets:
.. code:: bash
git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz
python infra/helper.py build_image librsvg
python infra/helper.py build_fuzzers librsvg
Any changes you make to the build files must be submitted as pull requests to the OSS-Fuzz repo.
Debugging build failures
""""""""""""""""""""""""
You can debug build failures during the ``build_fuzzers`` stage by creating a container and manually
running the ``compile`` command:
.. code:: bash
# Create a container for building fuzz targets
python infra/helper.py shell librsvg
# Run this command inside the container to build the fuzz targets
compile
This approach is faster than re-running the ``build_fuzzers`` command, which recompiles everything
from scratch each time the command is run.
The ``build.sh`` script will be located at ``/src/build.sh`` inside the container.
Quick links
-----------
* `OSS-Fuzz dashboard `_
* `OSS-Fuzz configuration files and build scripts for librsvg `_
* `All open OSS-Fuzz bugs for librsvg `_
* `Google's OSS-Fuzz documentation `_