[GRASS-dev] GRASS GIS and OSS-FUZZ: automated bug hunting

Even Rouault even.rouault at spatialys.com
Wed May 23 02:36:18 PDT 2018

On mercredi 23 mai 2018 09:21:21 CEST Markus Neteler wrote:
> Hi devs,
> perhaps it would be worthwhile to submit GRASS GIS to Google's
> OSS-FUZZ [1] like GDAL (of course we don't know if we would be
> accepted).
> To get it done, we may learn from GDAL:
> * related GDAL ticket: https://trac.osgeo.org/gdal/ticket/6883
> * application PR: https://github.com/google/oss-fuzz/pull/589
> * https://github.com/google/oss-fuzz/tree/master/projects/gdal
> If not viable/accepted/useful, remember that we still have Coverity
> Scan ("free static code analysis tool") available which I activated
> manually from time to time - yet to be integrated with Travis-CI [2]:
> https://scan.coverity.com/projects/grass?tab=overview  (showing the
> last manual run in 2016)


Note that OSS-Fuzz integration requires that you can build one or several 
static libraries, to link with oss-fuzz' libFuzzingEngine to generate an 

If you want to test a program, you can potentially add a special compilation 
mode (typically testing if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro is 
defined) where you rename main() to some other name, build it as library code, 
and the LLVMFuzzerTestOneInput() entry point would then call this renamed 

With the docker environment they provide (at the core of oss-fuzz, there is 
the open source libfuzzer library https://llvm.org/docs/LibFuzzer.html and afl 
http://lcamtuf.coredump.cx/afl/ ), it is also possible to test the integration 
almost entirely locally and already be able to find bugs. That's convenient to 
check your initial integration is OK before you submit it to them.
If you set up everything correctly, normally it should find the first bug 
within seconds ;-)
What you don't get when running locally is automatic bug filing and closing.


Spatialys - Geospatial professional services
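The main()-renaming trick described above, as an added example that is not code from Even's message, from GRASS, GDAL or OSS-Fuzz. The tool name "tool", the toy "W H\n + W*H bytes" input format, the return codes and the helper run_on_bytes() are all constructed for illustration; the only names taken from the message are the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro and the LLVMFuzzerTestOneInput() entry point. The program keeps its file-based command-line interface, so the fuzzer bridge spills each input to a temporary file and calls the renamed main() with an argv:

```c
/* Added example, not GRASS/GDAL/OSS-Fuzz code. Assumed names: "tool",
 * tool_main(), run_on_bytes(), the toy raster format and its return codes. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Toy input format, constructed for this example: a header line "W H\n"
 * followed by exactly W*H data bytes. It stands in for whatever file
 * format the real program reads. */
#define MAX_DIM 4096

/* Parse one file. Returns 0 on success, a small non-zero code otherwise. */
static int parse_raster(FILE *fp, long *out_cells)
{
    int w, h;
    if (fscanf(fp, "%d %d", &w, &h) != 2 || fgetc(fp) != '\n')
        return 1;                       /* malformed header */
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM)
        return 2;                       /* bounds check a fuzzer would otherwise hit */
    long n = (long)w * h;
    unsigned char *buf = malloc((size_t)n);
    if (!buf)
        return 3;
    long got = (long)fread(buf, 1, (size_t)n, fp);
    free(buf);
    *out_cells = got;
    return got == n ? 0 : 4;            /* truncated data */
}

/* The real program entry point, renamed away from main() so that it
 * can be linked into the fuzzer as library code. */
int tool_main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 64;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) {
        perror(argv[1]);
        return 66;
    }
    long cells = 0;
    int rc = parse_raster(fp, &cells);
    fclose(fp);
    if (rc == 0)
        printf("%s: %ld cells\n", argv[1], cells);
    return rc;
}

/* Bridge from a fuzzer-supplied byte buffer to the file-based CLI:
 * spill the bytes to a temp file, run the renamed main() on it, clean up.
 * Returns tool_main()'s exit code, or -1 if no temp file could be made. */
int run_on_bytes(const uint8_t *data, size_t size)
{
    char path[] = "/tmp/tool_fuzz_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    FILE *fp = fdopen(fd, "wb");
    if (!fp) {
        close(fd);
        unlink(path);
        return -1;
    }
    fwrite(data, 1, size, fp);
    fclose(fp);
    char *argv[] = { (char *)"tool", path, NULL };
    int rc = tool_main(2, argv);
    unlink(path);
    return rc;
}

#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Fuzzing build: libFuzzer supplies main() and calls this once per input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    run_on_bytes(data, size);
    return 0;                           /* libFuzzer expects 0 here */
}
#else
/* Normal build: keep the usual command-line interface. */
int main(int argc, char **argv)
{
    return tool_main(argc, argv);
}
#endif
```

A normal build is `cc -o tool tool.c`; a local fuzzing build with clang's bundled libFuzzer is `clang -g -O1 -fsanitize=fuzzer,address -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -o tool_fuzz tool.c`, after which `./tool_fuzz corpus/` runs the loop. Inside an OSS-Fuzz build.sh the same object is compiled with $CC $CFLAGS and linked against $LIB_FUZZING_ENGINE rather than with -fsanitize=fuzzer, which is what lets the same source serve libFuzzer, AFL and the other engines. Going through a temp file costs a few syscalls per input; a program with an in-memory file abstraction can skip that step and hand the buffer straight to the parser.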
