Proposal: Integrate with google/oss-fuzz for continuous fuzz testing? #1538

Open
opened 2024-01-08 12:40:42 -08:00 by nathaniel-brough · 9 comments
nathaniel-brough commented 2024-01-08 12:40:42 -08:00 (Migrated from github.com)

Hey yoga team,

I've recently become interested in yoga. I'd like to suggest and champion an effort to set up some basic fuzz-testing and combine it with google/oss-fuzz for continuous fuzzing. I'm fully aware that you are very busy people and I don't want to overload your review/maintenance capacity. Is this a bad time to discuss potential security/reliability improvements?

If you're not familiar with fuzzing or oss-fuzz I've included a few brief notes below.

Benefits of Fuzz-Testing

  • Dynamic Code Testing: Fuzz-testing challenges systems with unexpected data, aiming to identify vulnerabilities or bugs. It’s akin to an exhaustive stress-test for the code.
  • Detecting Hidden Vulnerabilities: It can uncover potential weaknesses that may not be evident in routine tests.
  • Continuous and Automated Testing: With tools like Google’s OSS-Fuzz, fuzz-testing can be automated, running continuously on distributed systems, ensuring daily resilience checks.

Google/oss-fuzz for Continuous Fuzzing

  • Automated Fuzzing: OSS-Fuzz undertakes comprehensive fuzz-testing daily on a distributed cluster.
  • Detailed Reporting: OSS-Fuzz offers exhaustive reports in case of detected anomalies, enabling effective action.

I’d be more than happy to lead the effort in integrating fuzz testing with the yoga and assist in any way required.

Prior integrations

There have been a number of previous integrations completed with facebook repositories and google/oss-fuzz, including:

  • facebook/time
  • facebook/zstd
  • facebookexperimental/starlark-rust (this was me)
  • facebook/proxygen
  • facebook/hermes
  • facebook/rocksdb

As a proof of concept I created a couple of super simple fuzz harnesses in #1537.

NOTE: Adding fuzz-testing and integrating with google/oss-fuzz was previously suggested here https://github.com/facebook/yoga/pull/1055 and was rejected. I think I've addressed the concerns raised in the first PR. While the original PR contained what was probably a higher performance fuzzer, the new fuzzer should be easier to integrate and doesn't introduce multiple sources of truth.

NickGerleman commented 2024-01-09 18:53:49 -08:00 (Migrated from github.com)

Thank you for raising this, and contributing a PR implementing it. I think it is a good idea, so long as we make sure it isn't disrupted by any unrelated Yoga changes.

nathaniel-brough commented 2024-01-16 09:21:49 -08:00 (Migrated from github.com)

As a follow-up, I'm going to start the integration with google/oss-fuzz if you are still keen on it. There is an application/integration process which I can complete on your behalf. To do this I'll need a couple of things from you:

  • A google/gmail email address that I can use for the primary contact. As far as I'm aware meta/facebook emails meet this requirement.
  • You to comment on the PR that I'll create that will form the integration/application saying that you approve of the integration.

Given the popularity of yoga I'm reasonably confident that it'll be accepted into oss-fuzz, but there is a non-zero chance that it could be rejected.

nathaniel-brough commented 2024-01-23 09:50:45 -08:00 (Migrated from github.com)

So I've got a draft PR ready to go integrating with OSS-fuzz in https://github.com/google/oss-fuzz/pull/11533. The only thing I need to do now is add a primary contact. I've added oss-fuzz@fb.com which seems to be CC'd on most of the other facebook integrations.

NickGerleman commented 2024-02-27 00:16:19 -08:00 (Migrated from github.com)

Thanks @silvergasp. Is there anything left to action on from our side?

nathaniel-brough commented 2024-02-27 10:22:02 -08:00 (Migrated from github.com)

Yeah, all I need is the email address that you'd like to use to get access to the bug tracker and oss fuzz dashboard. Just as a note, it'll be stored as plain text on the oss fuzz git repo. After that everything should be good to go.

NickGerleman commented 2024-02-28 04:01:31 -08:00 (Migrated from github.com)

Reusing oss-fuzz probably makes sense if it is already being used, though I’m not actually sure where it is funnelling to. I can try to find that out.

nathaniel-brough commented 2024-03-09 15:36:34 -08:00 (Migrated from github.com)

Easy, do you want me to add your email to the config? That will give you personal access to the dashboard/bug tracker?

NickGerleman commented 2024-03-10 21:31:44 -07:00 (Migrated from github.com)

I appreciate it. Could you use this address? cc2a87d4f9.patch

nathaniel-brough commented 2024-05-23 18:29:31 -07:00 (Migrated from github.com)

Ah sorry I missed this notification. I've pulled the trigger on the PR over at oss-fuzz now. All that is needed is to wait for the oss-fuzz team to approve.
