Evaluate quality of reports against oss-fuzz projects #43
Comments
These projects fail to generate
A quick check in a couple of logs shows:
For the ones encountering This is the case for
#52 helped to reduce this number to 19 projects:
checking
There is a correct way of passing environment variables to bazel builds: google/oss-fuzz#7367
Besides the ones that skip the introspector pass because of another main() (#66), we have the following 8 projects for which the introspector pass is not run at all:
Note bitcoin-core has a couple of issues on the fuzz-introspector list with details on this. Additionally, they use a neat hack of only compiling a single executable and then substituting the string of a function name, which will be the relevant fuzzer entrypoint in the resulting binary, as a way to produce many targets without compiling all targets from scratch -- fuzz-introspector cannot deal with that atm (nor likely in the future). See details here: #44 (comment)
Ack on bitcoin-core, the rest worth more investigation as it looks like the fuzz introspector pass is being skipped silently.
The reports for the OSS-Fuzz projects where the introspector successfully runs are now public at:
https://oss-fuzz-introspector.storage.googleapis.com/
We should go and evaluate these to ensure their quality, before we make them more broadly available to users.
e.g. I browsed a few and found some issues/weirdness:
arduinojson has weird fuzzer names (e.g. "srcarduinojsonextrasfuzzingjson_fuzzer.cpp")
libxml2 has no functions hit data for xml.c.