
No coverage generated due to corpus format in Golang Native Fuzzing

Open sudiptob2 opened this issue 7 months ago • 1 comment

We are implementing fuzzing in envoy/gateway using Go's native fuzzing support. However, we are seeing no coverage reported in OSS-Fuzz.

Upon investigation, we found that this is due to a mismatch in corpus formats. For fuzzing, OSS-Fuzz uses a libFuzzer-style corpus, while for coverage builds, it expects a corpus in the Go native fuzzing format.
This issue arises because the fuzzing build uses the go-118-fuzz-build library, whereas the coverage build uses Go's native fuzzing implementation.

https://github.com/google/oss-fuzz/blob/74762513ad565f46a4502f390cb0cb64bc9bdf21/infra/base-images/base-builder/compile_native_go_fuzzer#L44-L68

There is a corpus converter that is supposed to transform the libFuzzer corpus into the Go native format during coverage builds. However, it appears that this conversion step is not being triggered.

https://github.com/google/oss-fuzz/blob/8bc2e0b5cfeffaee2cd8f6dd27e0b72ca87bac88/infra/base-images/base-runner/coverage#L145-L146

As a result, the entire generated corpus is not taken into account while building the coverage report. See coverage build logs: https://oss-fuzz-build-logs.storage.googleapis.com/log-5714e769-c3e8-4543-adfb-7ed9e040a8d8.txt

We would appreciate any guidance on how to resolve this issue, as having coverage reports is crucial for us to fine-tune and develop additional fuzzers for envoy/gateway.

sudiptob2 avatar May 06 '25 14:05 sudiptob2
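The two formats the issue contrasts, shown as an added example that is not part of the issue or of OSS-Fuzz's own scripts: a libFuzzer corpus is a flat directory of raw input files, while Go's native engine wants each entry prefixed with a `go test fuzz v1` line followed by the typed arguments. The converter below performs that rewrite for a target assumed to take a single `[]byte` argument; the function names are mine.

```go
// Added example, not OSS-Fuzz's converter: rewrite a libFuzzer-style corpus (one raw
// input per file) into Go native entries. Assumes f.Fuzz(func(t *testing.T, data []byte)).
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
)

const nativeHeader = "go test fuzz v1" // first line Go's fuzz engine requires

// EncodeNativeCorpusEntry wraps one raw input as a native corpus file with a single
// []byte argument; %q yields a Go string literal, so NULs and invalid UTF-8 survive.
func EncodeNativeCorpusEntry(data []byte) []byte {
	return []byte(fmt.Sprintf("%s\n[]byte(%q)\n", nativeHeader, data))
}

// ConvertLibFuzzerCorpus converts every regular file in srcDir into dstDir, keeping
// libFuzzer's file names; entries already in native format are copied unchanged.
func ConvertLibFuzzerCorpus(srcDir, dstDir string) (int, error) {
	entries, err := os.ReadDir(srcDir)
	if err != nil {
		return 0, err
	}
	if err := os.MkdirAll(dstDir, 0o755); err != nil {
		return 0, err
	}
	n := 0
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue // libFuzzer corpora are flat; skip .git and other subdirs
		}
		raw, err := os.ReadFile(filepath.Join(srcDir, e.Name()))
		if err != nil {
			return n, err
		}
		if !bytes.HasPrefix(raw, []byte(nativeHeader+"\n")) {
			raw = EncodeNativeCorpusEntry(raw)
		}
		if err := os.WriteFile(filepath.Join(dstDir, e.Name()), raw, 0o644); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

func main() { fmt.Println(ConvertLibFuzzerCorpus(os.Args[1], os.Args[2])) }
```

Run it as `converter <libfuzzer-corpus-dir> <pkg>/testdata/fuzz/<FuzzTarget>`; a subsequent `go test -run=<FuzzTarget>` with coverage flags then executes every converted entry as a seed.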

I see this in umoci as well when running ClusterFuzzLite. The log from the coverage job just looks like:

2025-05-27 01:23:08,004 - root - INFO - Deleting builder docker images to save disk space.
Cloning into '.'...
2025-05-27 01:23:08,446 - root - INFO - ClusterFuzzDeployment: <clusterfuzz_deployment.ClusterFuzzLite object at 0x7fe48f398760>.
2025-05-27 01:23:08,446 - root - INFO - run fuzzers MODE is: coverage. Runner: <run_fuzzers.CoverageTargetRunner object at 0x7fe48f3981f0>.
2025-05-27 01:23:08,446 - root - INFO - Using coverage sanitizer.
2025-05-27 01:23:08,446 - root - INFO - Fuzz targets: ['/github/workspace/build-out/fuzz_generate_layer', '/github/workspace/build-out/casext_fuzz', '/github/workspace/build-out/fuzz_hardening', '/github/workspace/build-out/fuzz_mutate', '/github/workspace/build-out/fuzz_unpack']
2025-05-27 01:23:08,447 - root - INFO - Downloading corpus for fuzz_generate_layer to /github/workspace/cifuzz-corpus/fuzz_generate_layer.
Reset branch 'main'
Branch 'main' set up to track remote branch 'main' from 'origin'.
Your branch is up to date with 'origin/main'.
HEAD is now at 61fac8f Corpus upload
2025-05-27 01:23:08,686 - root - INFO - Done downloading corpus. Contains 516 elements.
2025-05-27 01:23:08,686 - root - INFO - Downloading corpus for casext_fuzz to /github/workspace/cifuzz-corpus/casext_fuzz.
Reset branch 'main'
Branch 'main' set up to track remote branch 'main' from 'origin'.
Your branch is up to date with 'origin/main'.
HEAD is now at 61fac8f Corpus upload
2025-05-27 01:23:08,901 - root - INFO - Done downloading corpus. Contains 501 elements.
2025-05-27 01:23:08,901 - root - INFO - Downloading corpus for fuzz_hardening to /github/workspace/cifuzz-corpus/fuzz_hardening.
Reset branch 'main'
Branch 'main' set up to track remote branch 'main' from 'origin'.
Your branch is up to date with 'origin/main'.
HEAD is now at 61fac8f Corpus upload
2025-05-27 01:23:09,046 - root - INFO - Done downloading corpus. Contains 47 elements.
2025-05-27 01:23:09,046 - root - INFO - Downloading corpus for fuzz_mutate to /github/workspace/cifuzz-corpus/fuzz_mutate.
Reset branch 'main'
Branch 'main' set up to track remote branch 'main' from 'origin'.
Your branch is up to date with 'origin/main'.
HEAD is now at 61fac8f Corpus upload
2025-05-27 01:23:09,206 - root - INFO - Done downloading corpus. Contains 579 elements.
2025-05-27 01:23:09,206 - root - INFO - Downloading corpus for fuzz_unpack to /github/workspace/cifuzz-corpus/fuzz_unpack.
Reset branch 'main'
Branch 'main' set up to track remote branch 'main' from 'origin'.
Your branch is up to date with 'origin/main'.
HEAD is now at 61fac8f Corpus upload
2025-05-27 01:23:09,333 - root - INFO - Done downloading corpus. Contains 164 elements.
Switched to a new branch 'gh-pages'
Branch 'gh-pages' set up to track remote branch 'gh-pages' from 'origin'.
HEAD is now at 00d5660 init commit
On branch gh-pages
Your branch is up to date with 'origin/gh-pages'.

nothing to commit, working tree clean

cyphar avatar May 27 '25 05:05 cyphar