[GRASS-dev] GRASS GIS and OSS-FUZZ: automated bug hunting

[Even Rouault]

On mercredi 23 mai 2018 09:21:21 CEST Markus Neteler wrote:
> Hi devs,
> 
> perhaps it would be worthwhile to submit GRASS GIS to Google's
> OSS-FUZZ [1] like GDAL (of course we don't know it we would be
> accepted).
> 
> To get it done, we may learn from GDAL:
> * related GDAL ticket: https://trac.osgeo.org/gdal/ticket/6883
> * application PR: https://github.com/google/oss-fuzz/pull/589
> * https://github.com/google/oss-fuzz/tree/master/projects/gdal
> 
> If not viable/accepted/useful, remember that we still have Coverity
> Scan ("free static code analysis tool") available which I activated
> manually from time to time - yet to be integrated with Travis-CI [2]:
> https://scan.coverity.com/projects/grass?tab=overview  (showing the
> last manual run in 2016)

Hi,

Note that OSS-Fuzz integration requires that you can build one or several 
static libraries, to link with oss-fuzz' libFuzzingEngine to generate an 
executable:
https://github.com/google/oss-fuzz/blob/master/docs/fuzzer_environment.md

If you want to test a program, you can potentially add a special compilation 
mode (typically testing if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION macro is 
defined) where you rename main() to some other name, build it as library code, 
and the LLVMFuzzerTestOneInput() entry point would then call this renamed 
main().

With the docker environment they provide (at the core of oss-fuzz, there is 
the open source libfuzzer library https://llvm.org/docs/LibFuzzer.html and afl 
http://lcamtuf.coredump.cx/afl/ ), it is also possible to test almost entirely 
locally the integration and be already able to find bugs. That's convenient to 
check your initial integration is Ok before you submit it to them.
If you setup everything correctly, normally it should find the first bug 
within seconds ;-)
What you don't get when running locally is automatic bug filing and closing.

Even

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com