
Updating the fuzztest dependency

Open vrabaud opened this issue 7 months ago • 3 comments

Hi, it would be nice to have more frequent updates of the fuzztest library. From what I see in https://github.com/google/oss-fuzz/blob/413bb8be7a15e616dd262b24f53f08a22a19a08a/infra/base-images/base-builder/Dockerfile#L137C18-L137C58, the latest version is from June 2023. For our tests, it would be nice to have at least https://github.com/google/fuzztest/commit/8f82f46e14cc2484ddecf6d55e46243923f9a036 from January 20th 2024.

What is the policy for updating it? Thx

vrabaud avatar Jan 22 '24 10:01 vrabaud

The fuzztest repository cloned here https://github.com/google/oss-fuzz/blob/413bb8be7a15e616dd262b24f53f08a22a19a08a/infra/base-images/base-builder/Dockerfile#L134-L142 is used by OSS-Fuzz to build the centipede fuzzing engine, and not really as the source module for projects using fuzztest fuzzers. As far as I remember all of the projects using fuzztest (with exception of libavif) rely on downloading their own desired version of fuzztest.

I'd recommend not linking your version of fuzztest to the one at the lines above because it's a commit for fetching a given centipede, and I imagine keeping this in sync with the fuzztest version needed by your project won't be super easy (I think the centipede engine will be bumped less frequently).

I suggest adjusting https://github.com/AOMediaCodec/libavif/blob/091c1e2222238b59b2f127c4625854099475c664/tests/oss-fuzz/build.sh#L39 to instead point to your desired version of fuzztest and then just manage that on a project-level basis.

DavidKorczynski avatar Jan 22 '24 14:01 DavidKorczynski

A separate question is whether centipede should be bumped since it hasn't been bumped since https://github.com/google/oss-fuzz/pull/10248 -- but I still recommend not using $SRC/fuzztest for the fuzztest version your project needs

DavidKorczynski avatar Jan 22 '24 14:01 DavidKorczynski
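One way to follow the recommendation above (pin fuzztest at the project level in build.sh rather than reusing `$SRC/fuzztest`), as an added example that is not libavif's or OSS-Fuzz's own code: the helper clones the repository, checks out a full commit hash, and fails the build if the resulting HEAD is not exactly that hash. The destination path and `FUZZTEST_PIN` variable name are assumptions.

```shell
set -eu

# fetch_pinned_fuzztest REPO_URL DEST_DIR COMMIT
# Clones REPO_URL into DEST_DIR (or reuses an existing clone), checks
# out COMMIT in detached mode, and prints the resulting HEAD hash.
# Returns non-zero unless HEAD equals COMMIT, so a typo'd or missing
# pin stops the build instead of silently building a different tree.
fetch_pinned_fuzztest() {
  repo_url="$1"
  dest="$2"
  pin="$3"
  if [ ! -d "$dest/.git" ]; then
    git clone --quiet "$repo_url" "$dest" || return 1
  fi
  git -C "$dest" fetch --quiet origin || return 1
  # --detach: a pinned commit, not a branch that can move under us.
  git -C "$dest" checkout --quiet --detach "$pin" || return 1
  head="$(git -C "$dest" rev-parse HEAD)"
  # Insist on the full hash: a tag or short ref would not be a real pin.
  if [ "$head" != "$pin" ]; then
    echo "fuzztest pin mismatch: wanted $pin, got $head" >&2
    return 1
  fi
  echo "$head"
}

# Usage in an OSS-Fuzz build.sh (placeholder path; the commit is the one
# requested in this issue; FUZZTEST_PIN is an assumed variable name):
#   FUZZTEST_PIN=8f82f46e14cc2484ddecf6d55e46243923f9a036
#   fetch_pinned_fuzztest https://github.com/google/fuzztest \
#     "$SRC/libavif/third_party/fuzztest" "$FUZZTEST_PIN"
```

Because OSS-Fuzz runs these targets through the libFuzzer compatibility mode, the pinned commit only has to keep that mode working; it is independent of the centipede commit in the base-builder Dockerfile.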

For the record, we can use any sort of fuzztest version as long as it supports the libfuzzer compatibility. Since the libfuzzer engine will be used at runtime the version of fuzztest at build time does not make a difference from a perspective of OSS-Fuzz running the fuzzers. If later versions of fuzztest have bugfixes then it's definitely ideal to use more recent versions of fuzztest.

DavidKorczynski avatar Jan 22 '24 15:01 DavidKorczynski