
Support Fuzzing JavaScript with Jazzer.js

Open jonathanmetzman opened this issue 3 years ago • 16 comments

jonathanmetzman avatar Aug 23 '22 14:08 jonathanmetzman

CC @fmeum @bertschneider

jonathanmetzman avatar Aug 23 '22 17:08 jonathanmetzman

Some remaining pieces here:

  • [ ] ClusterFuzz side changes for stacktrace parsing and reporting.
  • [x] ClusterFuzz side change for job setup
  • [x] Verify that OSS-Fuzz build automation works and make any changes if needed.

oliverchang avatar Feb 01 '23 02:02 oliverchang

One more thing from my side: We still need to integrate source-based coverage reporting for JavaScript in OSS-Fuzz. This has been recently added to Jazzer.js, and we'll take care of it.

kyakdan avatar Feb 01 '23 08:02 kyakdan

Will this include some way to permanently persist any failing test inputs?

ljharb avatar Feb 02 '23 04:02 ljharb

> Will this include some way to permanently persist any failing test inputs?

Not sure I understand, but I think yes, this is how oss-fuzz works. Project maintainers are notified when a bug is found and given the crashing input.

jonathanmetzman avatar Feb 02 '23 14:02 jonathanmetzman

As @jonathanmetzman said, this is the workflow in OSS-Fuzz. Bugs, including the crashing inputs, are only disclosed to the public once they are fixed, or the disclosure deadline passes with no fix from the maintainers.

kyakdan avatar Feb 02 '23 14:02 kyakdan

That's great - so it's not automatic, but there's zero chance a failed input will be lost, for example by rerunning a test?

ljharb avatar Feb 02 '23 16:02 ljharb

> That's great - so it's not automatic, but there's zero chance a failed input will be lost, for example by rerunning a test?

I don't know what you mean by "automatic".

There's almost no chance. Sometimes we delete testcases that are non-deterministic and infrequently occurring.

jonathanmetzman avatar Feb 02 '23 16:02 jonathanmetzman

I meant like, a github action that preserves somehow - in a database elsewhere - failed inputs.

If it can transmit the failures to me somehow, that suffices, since I can just manually commit them :-)

ljharb avatar Feb 02 '23 16:02 ljharb

Here is the link to all public issues found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=&can=1. For each issue, you have several details, including a link to download the test case (failing input). Ideally, you then have a unit test with this input to ensure that you test for regressions and verify your fix for the issue. Which testing framework do you use for JavaScript? Jazzer.js has a Jest integration enabling you to write fuzz tests using the usual syntax and automatically create regression tests for found issues.

kyakdan avatar Feb 03 '23 05:02 kyakdan

I use https://npmjs.com/tape.

ljharb avatar Feb 03 '23 05:02 ljharb

I'm not aware of tape, but see that you are the maintainer of it. Would you be interested in adding support for fuzzing runs using Jazzer.js?

kyakdan avatar Feb 03 '23 06:02 kyakdan

I'm not sure what that would entail, but sure, potentially.

ljharb avatar Feb 03 '23 06:02 ljharb

Sounds great! We can collaborate there and we can provide the support you need regarding Jazzer.js.

kyakdan avatar Feb 03 '23 06:02 kyakdan