
Add ClusterfuzzLite

Open AdamKorcz opened this issue 2 years ago • 14 comments

This PR adds ClusterfuzzLite to the CI.

CFLite will run the fuzzer in this PR - as well as other fuzzers that get added - in the CI when a new PR is made.

AdamKorcz avatar Jul 25 '22 16:07 AdamKorcz

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

github-actions[bot] avatar Jul 25 '22 16:07 github-actions[bot]

I have read the CLA Document and I hereby sign the CLA

AdamKorcz avatar Jul 25 '22 16:07 AdamKorcz

Hello there!

Fuzzing is definitely something we'd like to add to our test suites.

Google's ClusterfuzzLite looks pretty useful -- I like how containerd is leveraging it in their workflows as it doesn't introduce any new files into their repository.

What is the advantage to using the AdaLogistics library over the built-in functionality in Go 1.18?

jzelinskie avatar Jul 25 '22 17:07 jzelinskie

> What is the advantage to using the AdaLogistics library over the built-in functionality in Go 1.18?

The go-fuzz-headers library offers a number of useful features for fuzzing, but these do not conflict with the Go 1.18 fuzzing engine. If you would prefer to have a Go 1.18 fuzzer, I can rewrite it.

AdamKorcz avatar Jul 26 '22 10:07 AdamKorcz

I think using the Go 1.18 fuzzing is best until we can justify adding the dependency.

I also took a look at Prometheus's usage of ClusterFuzz and it looks really good.

jzelinskie avatar Jul 28 '22 17:07 jzelinskie

@AdamKorcz any updates here?

jzelinskie avatar Sep 07 '22 15:09 jzelinskie

> @AdamKorcz any updates here?

Sorry for the delay. I will look into changing the fuzzers to the 1.18 engine when I get a moment. Thanks for the ping!

AdamKorcz avatar Sep 07 '22 15:09 AdamKorcz

hey @AdamKorcz, thanks again for your contribution! we thought it would be good to get this over the finish line so I started investigating how it works in https://github.com/authzed/spicedb/pull/830.

We thought it would be a good idea to submit our project to oss-fuzz. The latter supports go native fuzzing via a script you wrote 😄 I have the project submission almost ready.

ClusterFuzzLite docs indicate it is based on OSS-fuzz framework, but only supports libFuzzer. Is this outdated documentation? can we also do compile_native_go_fuzzer in ClusterFuzzLite?

EDIT: I found https://github.com/google/clusterfuzzlite/issues/102, I think I can work with your submission and adjust it to use the native fuzzer I wrote in https://github.com/authzed/spicedb/pull/830

vroldanbet avatar Sep 21 '22 12:09 vroldanbet

OSS-Fuzz integration would be great.

> can we also do compile_native_go_fuzzer in ClusterFuzzLite?

I assume you mean in OSS-Fuzz? The answer is yes.

AdamKorcz avatar Sep 21 '22 12:09 AdamKorcz

@AdamKorcz I actually meant OssFuzzLite. The reason I ask is that I have doubts oss-fuzz will accept our submission in a prompt manner. There are 210 open PRs in the repository, so running ClusterFuzzLite ourselves in our CI pipeline would allow us to iterate faster. Thoughts?

vroldanbet avatar Sep 21 '22 12:09 vroldanbet

> @AdamKorcz I actually meant OssFuzzLite. The reason I ask is that I have doubts oss-fuzz will accept our submission in a prompt manner. There are 210 open PRs in the repository, so running ClusterFuzzLite ourselves in our CI pipeline would allow us to iterate faster. Thoughts?

What is OssFuzzLite?

> The reason I ask is that I have doubts oss-fuzz will accept our submission in a prompt manner. There are 210 open PRs in the repository, so running ClusterFuzzLite ourselves in our CI pipeline would allow us to iterate faster. Thoughts?

The OSS-Fuzz project should review the submission fairly fast. Your PR will not be 211 in line. However, do note that OSS-Fuzz will only accept the integration in case SpiceDB can disclose a critical user base (companies, other open source projects, etc.).

AdamKorcz avatar Sep 21 '22 13:09 AdamKorcz

> OssFuzzLite

whoops meant ClusterFuzzLite

> The OSS-Fuzz project should review the submission fairly fast. Your PR will not be 211 in line. However, do note that OSS-Fuzz will only accept the integration in case SpiceDB can disclose a critical user base (companies, other open source projects, etc.).

Understood! I think we can get started with ClusterFuzzLite using native go fuzzing, and once we have the submission ready we can move to oss-fuzz if we get accepted

Thanks a ton!

vroldanbet avatar Sep 21 '22 13:09 vroldanbet

> compile_native_go_fuzzer

whoops meant ClusterFuzzLite, ah I see. Yes, compile_native_go_fuzzer works in CFL too. It depends heavily on https://github.com/AdamKorcz/go-118-fuzz-build, so if you experience any issues, feel free to open a ticket there.

AdamKorcz avatar Sep 21 '22 13:09 AdamKorcz

@AdamKorcz My PR https://github.com/authzed/spicedb/pull/830 seems to be finally running CFL (added you as co-author 😄 ), although it's running out of memory. Any advice on how to tune it to work with the resources available in Actions runners?

Feel free to close this one!

vroldanbet avatar Sep 21 '22 15:09 vroldanbet

@AdamKorcz ping on this

josephschorr avatar Aug 04 '23 22:08 josephschorr

Closing; feel free to reopen if necessary

josephschorr avatar Nov 16 '23 17:11 josephschorr