
Add fuzzing where possible

Open mhucka opened this issue 5 months ago • 8 comments

One of the code scanning alerts (https://github.com/quantumlib/Cirq/security/code-scanning/400) recommended the application of code fuzzing to help locate possible vulnerabilities in the code. We could use Google's OSS-Fuzz.

More info about OSS-Fuzz:

Google created OSS-Fuzz to fill this gap: it’s a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected. Since its launch, OSS-Fuzz has become a critical service for the open source community, growing beyond C/C++ to detect problems in memory-safe languages such as Go, Rust, and Python.

The OSS-Fuzz project has been adding AI-powered fuzzing, and is experimenting with AI-powered vulnerability fixing.

mhucka, Jul 19 '25 03:07

Hi @mhucka! I'd like to take this one, could you assign to me? :)

ToastCheng, Aug 28 '25 15:08

@ToastCheng Thank you for your interest. Ok, it's assigned to you!

mhucka, Aug 29 '25 19:08

Thanks! I'll start setting up the Cirq project on the OSS-Fuzz side following the OSS-Fuzz guide.

I have some open questions on the configuration:

  1. Contacts: I'll put "primary contact" as "[email protected]" based on Cirq's README.md. As for the CC list, do you have a recommended email list (people on the list will receive crash reports, statistics, etc.)?

  2. Sanitizer: The default will enable the address and undefined sanitizers. The memory sanitizer will not be enabled by default, since there could be more false alarms with that one. If there are no preferences, I'll start with the default settings (enable address + undefined, disable memory).

ToastCheng, Aug 30 '25 10:08

@ToastCheng Thank you for getting started. Some replies:

  1. For the cc list, let's at least use mine: [email protected]. (@pavoljuhas should we also add you?)
  2. Since Cirq is a Python project, based on https://google.github.io/oss-fuzz/getting-started/new-project-guide/python-lang/#projectyaml it looks like we can only enable address and undefined anyway. So, yes, please go ahead with those.

mhucka, Aug 31 '25 05:08

Thanks for the reply!

I drafted a commit adding Cirq to the OSS-Fuzz project, and a minimal fuzz test that adds different gates on different LineQubits in a circuit and simulates it. If it looks good, I can create a PR on OSS-Fuzz.

On the Cirq side, I also drafted #7625 to enable CI fuzzing. This will be needed after the OSS-Fuzz side has been configured properly.

ToastCheng, Sep 01 '25 14:09
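The comment above describes a minimal fuzz test that places gates on LineQubits and simulates the circuit. Below is an added, stand-alone illustration of what such a harness can look like; it is not ToastCheng's draft, not Cirq's code and not part of the OSS-Fuzz PR. The function names (`decode_program`, `build_circuit`, `fuzz_one_input`), the gate table and the byte layout are my own choices. It assumes `atheris` and `cirq` are installed for the fuzzing entry point; the byte-to-program decoder itself is pure Python. The decoder turns arbitrary fuzzer bytes into a bounded, always-valid gate program (distinct qubits per gate, capped qubit count and length), so the fuzzer spends its time inside Cirq's circuit construction and simulator instead of tripping over malformed inputs in the harness; the harness also checks a cheap oracle beyond "did it crash": the simulated state must stay normalised.

```python
"""Structure-aware atheris harness for building and simulating small Cirq circuits.

Added example (not Cirq's or OSS-Fuzz's code). Assumes: pip install atheris cirq
"""
from __future__ import annotations

import sys

# Gate name -> number of qubits it acts on. Each name maps to a real cirq gate in build_circuit.
GATES = {"X": 1, "Y": 1, "Z": 1, "H": 1, "S": 1, "T": 1, "CNOT": 2, "CZ": 2, "SWAP": 2, "CCX": 3}
GATE_NAMES = list(GATES)

MAX_QUBITS = 6   # state-vector simulation stays cheap (2**6 amplitudes)
MAX_OPS = 64     # bound circuit length so every input finishes quickly


class ByteCursor:
    """Minimal reader over fuzzer input that never raises when the input runs out."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self) -> int:
        """Next byte as 0..255, or 0 once the input is exhausted (deterministic, no exception)."""
        if self.pos >= len(self.data):
            return 0
        b = self.data[self.pos]
        self.pos += 1
        return b


def decode_program(data: bytes) -> tuple[int, list[tuple[str, tuple[int, ...], float]]]:
    """Decode bytes into (n_qubits, [(gate_name, qubit_indices, exponent), ...]).

    Layout (my own convention): byte 0 picks the qubit count; then each op consumes one
    gate-selector byte, one byte per target qubit, and one exponent byte in [-1, 1).
    Target qubits are popped from a candidate list, so they are always distinct.
    """
    cur = ByteCursor(data)
    n_qubits = 1 + cur.take() % MAX_QUBITS
    program: list[tuple[str, tuple[int, ...], float]] = []
    while cur.remaining() > 0 and len(program) < MAX_OPS:
        name = GATE_NAMES[cur.take() % len(GATE_NAMES)]
        arity = GATES[name]
        if arity > n_qubits:
            continue  # this input allocated too few qubits for the gate; skip it
        candidates = list(range(n_qubits))
        idx = tuple(candidates.pop(cur.take() % len(candidates)) for _ in range(arity))
        exponent = cur.take() / 128.0 - 1.0
        program.append((name, idx, exponent))
    return n_qubits, program


def build_circuit(n_qubits: int, program):
    """Map a decoded program onto cirq.LineQubits and append a final measurement."""
    import cirq  # imported here so decode_program stays usable without cirq installed

    gate_objs = {"X": cirq.X, "Y": cirq.Y, "Z": cirq.Z, "H": cirq.H, "S": cirq.S, "T": cirq.T,
                 "CNOT": cirq.CNOT, "CZ": cirq.CZ, "SWAP": cirq.SWAP, "CCX": cirq.CCX}
    qubits = cirq.LineQubit.range(n_qubits)
    circuit = cirq.Circuit()
    for name, idx, exponent in program:
        gate = gate_objs[name]
        if exponent != 1.0:
            gate = gate ** exponent  # every gate above is an EigenGate, so ** yields a valid gate
        circuit.append(gate.on(*(qubits[i] for i in idx)))
    circuit.append(cirq.measure(*qubits, key="m"))
    return circuit


def fuzz_one_input(data: bytes) -> float:
    """atheris entry point: build, simulate, and check that the state stays normalised."""
    import cirq
    import numpy as np

    n_qubits, program = decode_program(data)
    circuit = build_circuit(n_qubits, program)
    state = cirq.Simulator().simulate(circuit).final_state_vector
    norm = float(np.linalg.norm(state))
    if abs(norm - 1.0) > 1e-4:  # oracle beyond crashes: a valid circuit must preserve the norm
        raise AssertionError(f"state norm {norm} != 1 for program {program}")
    return norm


def main() -> None:
    import atheris

    with atheris.instrument_imports():  # instrument cirq so libFuzzer gets coverage feedback from it
        import cirq  # noqa: F401
    atheris.Setup(sys.argv, fuzz_one_input)
    atheris.Fuzz()


if __name__ == "__main__":
    main()
```

Run it locally with `python fuzz_circuit.py -max_len=64 corpus/` (libFuzzer flags pass straight through `atheris.Setup`); under OSS-Fuzz the same file is what the project's `build.sh` would hand to the Python build helper `compile_python_fuzzer`. Keeping the byte layout deterministic matters for triage: any crashing input OSS-Fuzz reports can be replayed with `decode_program` to see exactly which gate sequence triggered it.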

Checking TensorFlow's example, instead of adding fuzz tests on the OSS-Fuzz side (some projects do, e.g. ujson), a better way might be having the fuzz tests live in the Cirq codebase (so Cirq maintainers have better control). The OSS fuzzer can simply clone the Cirq codebase to run the fuzz tests, just like what TensorFlow did here.

ToastCheng, Sep 01 '25 15:09

Since the integration might need a little more discussion and context, I drafted a mini RFC for the integration plan. If it sounds good, I'll send out a PR for adding Cirq to the OSS-Fuzz project (commits); this will enable Cirq to run fuzzers in the OSS-Fuzz container.

ToastCheng, Nov 30 '25 02:11

Created a PR to OSS-Fuzz: https://github.com/google/oss-fuzz/pull/14466

ToastCheng, Dec 11 '25 14:12