-
Notifications
You must be signed in to change notification settings - Fork 634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSS-Fuzz integration #2888
OSS-Fuzz integration #2888
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## develop #2888 +/- ##
========================================
Coverage 93.23% 93.23%
========================================
Files 177 177
Lines 13675 13675
========================================
Hits 12750 12750
Misses 925 925 Continue to review full report in Codecov by Sentry.
|
I added a draft version for Here is some information about how to test it locally: https://google.github.io/clusterfuzzlite/build-integration/#testing-locally
|
@tyler92 If I understand correctly, we don't need to add the |
Yes, you are right. There are two options:
The first option should be easier, but the second one is probably more flexible and requires additional effort. Let me know which is better for Beast, and I will move the ClusterFuzzLite-related files accordingly. I would probably ask for your help if we choose the second option because I'm not very familiar with the Beast's build system. |
There is also https://github.com/boostorg/json/blob/develop/fuzzing/Jamfile, which looks solid. I'm currently experimenting with these and testing them in CI. The problem with using ClusterFuzzLite is that it requires an additional repository to save corpus files and cannot use the GHA cache feature. |
OK, just for reference - PR for oss-fuzz google/oss-fuzz#12109 which is WIP until this PR is merged (it requires fuzzing targets and seeds from Beast's repo). |
It looks good thank you. I think we might want to remove this line because the Boost repository is checked out at master:
In the next step, please remove the |
35f9e9c
to
ae70882
Compare
Done
OK, sure, let me do that after we merge this PR to let oss-fuzz checks pass. BTW: do I need to add you to auto_ccs in project.yaml there? |
Sorry, I forgot to mention that there is no need for the
Yes please, [email protected]. |
ae70882
to
ff8b435
Compare
Fixed |
@ashtum Are you sure it's better to use master branch there? E.g. boost-json project has 'develop' branch and master for Boost. I don't know if this is correct, but probably it's better to use 'develop' for both Beast and Boost to detect issues as early as possible before they are merged to master. I might be not so familiar with the branch policy here, what's your opinion? |
There is a possibility that if we get a breaking change in one of the dependencies and update Beast in the develop branch, it will fail when trying to build it against Boost master. However, I would say this is a rare possibility and would be transient if it occurs. So you might want to keep it as it is (checking out the develop branch). |
As we discussed in #2887, we are adding Boost.Beast to OSS-Fuzz. I plan to proceed with several steps and would appreciate your help. The plan is as follows
*.cpp
files withLLVMFuzzerTestOneInput
entry point).zip
or.tar
files. In our case, I can create three files:http_request_fuzzer_seed_and_corpus.zip
,http_response_fuzzer_seed_and_corpus.zip
, andwebsocket_server_fuzzer_seed_and_corpus.zip
. OSS-Fuzz expects this format, but we can store these files in our Git repository in any way that suits us. For example, Boost.URL uses a single tar file with directories inside..clusterfuzzlite
directory and create a workflows file. However, @ashtum mentioned that another approach might be used. An example of clusterfuzzlite usage: link.