-
Notifications
You must be signed in to change notification settings - Fork 378
Fuzzing
Tarantool is integrated with oss-fuzz in scope of ticket #1809. OSS-Fuzz is a Continuous Fuzzing for Open Source Software. To obtain access to the fuzzing results your email must be specified in oss-fuzz project.yml file. The fuzzing results are on the oss-fuzz ClusterFuzz web interface. See the oss-fuzz new project guide on reviewing results for more details. ClusterFuzz web UI contains information about: testcase reports, fuzzer stats, coverage reports, performance analyzer and crash stats. See https://google.github.io/oss-fuzz/further-reading/clusterfuzz/ and reports, generated by Fuzz Introspector - https://oss-fuzz-introspector.storage.googleapis.com/index.html.
Fuzzers lie in a main repository in directory test/fuzz/. One can add additional test like existed.
Our fuzzers uses LibFuzzer library, it's well documented on LLVM site and it would be good to be familiar with before writing new test.
To make testing more effective it is worth to create a corpus that will be used by fuzzer. Corpuses lie in test/static/corpus. Usually corpus consists from files that are real input examples for fuzzed function. For function that parses URI these are different URI examples, for CSV parsers different examples of comma separated strings and symbols and so on. It's important to minimize each example before committing to a repository. It can be done with option -merge=1, see an appropriate section in documentation. Before running fuzzers OSS-Fuzz creates a binary for each fuzzers and builds corpus for each fuzzer to a separate archive, see build.sh.
TO make familiar with LibFuzzer one can take a look on LibFuzzer Tutorial and also it is highly recommended to read what makes a good fuzz target.
Fuzzers can be run in a three ways:
- One can easily run fuzzers on a development machine. To build Tarantool with fuzzing tests one can pass option
-DENABLE_FUZZERSto CMake. It's highly recommended to enable sanitizers as well to make testing more effective, see options for supported sanitizers. Note that running fuzzers may be time consuming operation. Although you can set a time limit using option passed to fuzzer binary. Fuzzing is available to use with Clang only, GCC has no support for it.
How-To Use:
$ mkdir build && cd build
$ cmake -DENABLE_FUZZER=ON \
-DENABLE_ASAN=ON \
-DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_COMPILER="/usr/bin/clang" \
-DCMAKE_CXX_COMPILER="/usr/bin/clang++" ..
$ make fuzzers -j
$ ./test/fuzz/csv_fuzzer -workers=4 ../test/static/corpus/csv
-
To make fuzzing testing continuous, we run it per push to a master branch in our Continuous Integration tool. There is a separate workflow in Github Actions to trigger running fuzzing on OSS-Fuzz infrastructure. To understanding results, see appropriate section in OSS-Fuzz documentation.
-
One can run fuzzers like OSS-Fuzz do. See OSS-Fuzz documention - https://google.github.io/oss-fuzz/advanced-topics/reproducing/. Note OSS-Fuzz pass library $LIB_FUZZING_ENGINE to linker and use external CFLAGS and CXXFLAGS. Full description how to integrate with OSS Fuzz is in ideal integration and new project guide.
It's important to note that bugs found during fuzzing on OSS-Fuzz have a limited time to fix, see bug disclosure guidelines. To fix an issue, one need to reproduce the issue and debug if it is required and create a patch for review. These sections debugging issues, reproducing issues in documentation would be helpful.
| Status | Component | Description | Found by |
|---|---|---|---|
| Fixed | LuaJIT | LJ#1168, Heap-use-after-free in lj_gc_finalize_cdata on access to CTState->finalizer #1168 | OSS Fuzz |
| Fixed | LuaJIT | LJ#1173, GC64 mode may overflow the LJ_MAX_JSLOTS limit for a stitched trace. | OSS Fuzz |
| Fixed | LuaJIT | LJ#1169, Down-recursion of a side trace may corrupt the host stack | OSS Fuzz |
| Fixed | LuaJIT |
LJ#1069, oss-fuzz#63911, IR_NEWREF is missing a NaN check |
OSS Fuzz |
| Fixed | IPROTO |
tarantool#9136, Null-dereference READ in error_set_prev, oss-fuzz#62288
|
OSS Fuzz |
| Unconfirmed | App/third_party |
tarantool#9100, Segmentation fault in tnt_dt_weeks_in_year, oss-fuzz#62043
|
OSS Fuzz |
| Fixed | IPROTO |
tarantool#9098, Heap buffer overflow in xrow_decode_error
|
@ligurio |
| Fixed | LuaJIT |
LuaJIT#1054, Incorrect PC value in a function predict_next
|
@ligurio |
| Confirmed | App/third_party |
tarantool#8965, stack-overflow in tzloadbody (src/lib/tzcode /localtime.c), oss-fuzz#61184
|
OSS Fuzz |
| Unconfirmed | App/third_party | tarantool#8948, UBSan: third_party/decNumber/decNumber.c:697:18: runtime error: left shift of 666666666 by 3 places cannot be represented in type 'int32_t' (aka 'int') | @ligurio |
| Fixed | IPROTO |
tarantool#8921, Memory leak in xrow_decode_error/diag_destroy
|
@ligurio |
| Confirmed | LuaJIT | - | @Buristan |
| Fixed | LuaJIT |
LJ#1033 Crash during parsing in the predict_next()
|
@Buristan |
| Confirmed | LuaJIT | LJ#1024, LJ#1046 (fixed by upstream) Use-def analysis for VARG doesn't purge some dead JIT slots | @ligurio |
| Fixed | SQL | tarantool#8640, sql: fix invalid negation | oss-sydr-fuzz |
| Confirmed | SQL | tarantool#125, Memory leak in SQL | oss-sydr-fuzz |
| Confirmed | LuaJIT |
oss-fuzz#58555, LJ#1016, Null-dereference READ in snap_restoreval
|
OSS Fuzz |
| Confirmed | SQL |
oss-fuzz#57677, tarantool#8535, Direct-leak in sql_xmalloc
|
OSS Fuzz |
| Fixed | SQL |
oss-fuzz#57676, tarantool#8487, Direct-leak in sql_xmalloc
|
OSS Fuzz |
| Confirmed | LuaJIT |
oss-fuzz#57548, LJ#913, ASSERT: bc_isret(((BCOp)((ins[-1])&0xff)))
|
OSS Fuzz |
| Confirmed | LuaJIT |
oss-fuzz#57424, LJ#981, ASSERT: itype2irt(tv) == ((IRType)(((&J->fold.ins)->t).irt & IRT_TYPE))
|
OSS Fuzz |
| Confirmed | LuaJIT |
oss-fuzz#57435, LJ#9, ASSERT: lj_obj_equal(tv, &tvk), fixed by upstream |
OSS Fuzz |
| Confirmed | App |
oss-fuzz#57602, ASSERT: mday >= 1 && mday <= 31
|
OSS Fuzz |
| Fixed | App | tarantool#8502, buffer overflow in tnt_strptime | @ligurio |
| Fixed | LuaJIT | tarantool#6776, Fix narrowing of unary minus | @ligurio |
| Confirmed | LuaJIT |
tarantool#4824, Assertion 'ls->p < ls->pe' failed: lj_bcread.c:122: uint32_t bcread_byte(LexState *)
|
@ligurio |
| Fixed | App |
tarantool#6, http_parser() crashes (src/lib/http_parser/http_parser.h) |
@ligurio |
| Fixed | App | tarantool#6614, swim: fix out of bounds access in proto decode | oss-sydr-fuzz |
| Fixed | App | tarantool#6662, swim: fix debug assertion abort in proto decode | oss-sydr-fuzz |
| Fixed | App | tarantool#7155, app: query parameters parsing is slow under ASAN | OSS Fuzz |
| Fixed | App | tarantool#7818, Segmentation fault on msgpack decoding | luzer |
| Confirmed | App | tarantool#7145, Wrong datetime calculation (A - B + B != A) | luzer |
| Fixed | App | tarantool#6882, There is a difference of 1 sec with subtraction of the same datetimes | luzer |
| Confirmed | App | tarantool#7112, Tarantool encode decimal number with unsupported precision | luzer |
Architecture
- Server architecture
- R tree index quick start and usage
- LuaJIT
- Vinyl
- Vinyl Architecture
- Vinyl Disk Layout
- Vinyl math
- Vinyl Cookbook
- Bullet1
- SQL
- Appserver modules
- Testing
- Performance
- Privileges and Access control
How To ...?
- ... update a third party library
- ... configure build system
- ... add new fuzzers
- ... build RPM or Deb package using packpack
- ... calculate memory size
- ... debug core dump of stripped tarantool
- ... debug core from different OS
- ... debug fuzzer
- ... generate new bootstrap snapshot
- ... use Address Sanitizer
- ... collect a coredump
- ... generate luacov report for builtin module
- ... verify modified lua files via luacheck
- ... verify Lua files in third_party?
- ... rerun failed jobs
- ... update a third party repository
- Fix wrong decimal indexing after upgrade to 2.10.1
- Caveats when upgrading a cluster on Tarantool 1.6
- Fix illegal field type in a space format when upgrading to 2.10.4
Useful links