🧪 Add OSS-Fuzz set up

[DavidKorczynski]

This is a follow-up to #254 (comment)

@chrisjsewell I added some documentation which may be helpful to navigate the OSS-Fuzz infra. I hope this should make it easier to e.g. experiment and test with the fuzzing.

I'm the original author of the fuzzers and am happy to license them according to the MIT of this repository.

[welcome]

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out EBP's Code of Conduct and our Contributing Guide, as this will greatly help the review process.

Welcome to the EBP community! 🎉

[codecov]

Codecov Report

Patch and project coverage have no change.

Comparison is base (d1852a5) 96.07% compared to head (497fee8) 96.07%.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #255   +/-   ##
=======================================
  Coverage   96.07%   96.07%           
=======================================
  Files          62       62           
  Lines        3236     3236           
=======================================
  Hits         3109     3109           
  Misses        127      127           

Flag	Coverage Δ
pytests	96.07% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[chrisjsewell]

Thanks @DavidKorczynski!
As you can see, I just added a workflow to get an idea of how it runs; obviously it looks like it takes too long to run for all PRs, and would so would just be run as a maybe weekly cron job

From the README.md, it is not quite clear what the difference is between running the files in tests/fuzz directly, e.g. python tests/fuzz/fuzz_markdown.py, and following the steps to run using the git clone https://github.com/google/oss-fuzz steps, e.g. python infra/helper.py run_fuzzer markdown-it-py fuzz_markdown
What is the difference?
Is the code in google/oss-fuzz more thorough?

For the actual code, I'd like to understand it a little more, the language support is a little lacking 😅:

• Is there a simple way to explain what "instrumenting" actually does?
• what can you actually pass with sys.argv, I tried doing things like --help and it didn't seem to actually do anything
• can you restrict the fuzzing to only a certain module or something? or does it always have to run through everything?
  • is the way I run it in the workflow even right, or is it running through the whole of python's core code or something 😅

[chrisjsewell]

so yeh, the fuzzing hit the 6 hours time limit, is that right!?

[DavidKorczynski]

so yeh, the fuzzing hit the 6 hours time limit, is that right!?

When run as follows python3 ./fuzz_markdown.py the fuzzer will run forever or until a crash is found.

You can limit the fuzzer time using -max_total_time=X where X is the number of seconds to run. python3 ./fuzz_markdown.py -max_total_time=10 runs the fuzzer for 10 seconds where the timer starts post instrumentation.

what can you actually pass with sys.argv, I tried doing things like --help and it didn't seem to actually do anything

atheris uses libFuzzer under the hood, which means you can pass the commandline flags specified here: https://llvm.org/docs/LibFuzzer.html

Is there a simple way to explain what "instrumenting" actually does?

The instrumentation adds code that essentially correspond to counters throughout the Python code. These counters will be used by the fuzzer to trace what code was executed by a given input, and further uses this to check whether a input executes unique parts of markdown-it. This is needed because the fuzzer will find unique inputs that trigger unique parts of the code. Fuzzing is a "genetic mutational algorithm" and the instrumentation is used to separate which which seeds to save, I talk a small bit about here https://youtu.be/zIyIZxAZLzo?t=368 and from [06:08 - 10:30] approximately.

From the README.md, it is not quite clear what the difference is between running the files in tests/fuzz directly, e.g. python tests/fuzz/fuzz_markdown.py, and following the steps to run using the git clone https://github.com/google/oss-fuzz steps, e.g. python infra/helper.py run_fuzzer markdown-it-py fuzz_markdown
What is the difference?
Is the code in google/oss-fuzz more thorough?

No difference as such. It's the same program.

OSS-Fuzz will, however, wrap the code in a package using pyinstaller and offers some additional things e.g. code coverage visualisation to check how much of the target code is executed.

I would not necessarily recommend setting up a cron-job in the CI, as OSS-Fuzz will make sure the fuzzers run continuously. If anything, I'd advice to set it up in a way that tests if the fuzzers work (i.e. run for a short period of time) or use the CIFuzz job that comes accompanied with OSS-Fuzz: https://google.github.io/oss-fuzz/getting-started/continuous-integration/#integrating-into-your-repository

[chrisjsewell]

Thanks for the detailed response!

ERROR: 100.0% of fuzz targets seem to be broken. See the list above for a detailed information: https://github.com/executablebooks/markdown-it-py/actions/runs/4543755476/jobs/8008855531?pr=255

I don't think that I've quite mastered this yet 😅 what did I do wrong?

[DavidKorczynski]

I don't think that I've quite mastered this yet 😅 what did I do wrong?

I think it's the language attribute missing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/#optional-configuration

If you set it to python I think it should work!

[chrisjsewell]

thanks, that seems to have worked: https://github.com/executablebooks/markdown-it-py/actions/runs/4543950408/jobs/8009331193?pr=255

could you explain the result for me:

...
2023-03-28 14:15:20,013 - root - INFO - Trying to reproduce crash using: /tmp/tmp6zgwo3_i/crash-d9e621f7e53a457e0c6b9133b72f77d5e81943e1.
2023-03-28 14:16:50,748 - root - INFO - Reproduce command returned: 1. Reproducible on /github/workspace/cifuzz-prev-build/fuzz_markdown.
2023-03-28 14:16:50,799 - root - INFO - Not uploading crashes because on OSS-Fuzz.

it seems there was a crash, but it did not upload it, so I can't reporoduce it?
are crashes only failing/uploaded if they are caused specifically by the changed code in the PR?

[chrisjsewell]

are crashes only failing/uploaded if they are caused specifically by the changed code in the PR?

oh yeh I should properly read the documentation lol: https://google.github.io/oss-fuzz/getting-started/continuous-integration/#how-it-works

[DavidKorczynski]

it seems there was a crash, but it did not upload it, so I can't reporoduce it?
are crashes only failing/uploaded if they are caused specifically by the changed code in the PR?

Yes -- this given crash was visible before, it seems to be this one: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55371

[chrisjsewell]

ok great, so from your readme/explanation, it seems:

1. the workflow could be helpful, for "early detection" of failures in PRs, although perhaps I don't want to wait 10 minutes for every PR commit 🤔
2. The command: python3 infra/helper.py reproduce markdown-it-py {FUZZER_NAME} {PATH_TO_MINIMIZED_TESTCASE}, seems the most useful, for quickly reproducing bugs reported by you guys. Perhaps I can set up a "tox env" to git clone + run this

I'm not sure of the usefulness of tests/fuzz/fuzz_markdown.py and tests/fuzz/fuzz_markdown_extended.py though; I'm not sure how/if I would actually ever use them

[DavidKorczynski]

1. Many projects prefer to have a shorter runtime -- I personally have mine on 120sec, but definitely tailor it to your needs and what fits your workflow. OSS-Fuzz will run the fuzzers continuously which will catch bugs that are more complex to reach.

I'm not sure of the usefulness of tests/fuzz/fuzz_markdown.py and tests/fuzz/fuzz_markdown_extended.py though; I'm not sure how/if I would actually ever use them

You're not meant to use them as such. Having a folder with fuzzers in this repo that OSS-Fuzz then fetches to run continuously serves the purpose of you being able to add/modify the fuzzers without having to make PRs on the OSS-Fuzz repo.

[chrisjsewell]

Hey @DavidKorczynski thanks for your patience 😅

In 2d46a43 and d1852a5 I separately added the CI workflow for PRs and a tox environment to reproduce crash files,

Then here, in 497fee8, I rewrote the README as I now understand the process.
If you could have a look and check that this makes sense, then I think this is good to merge!

[DavidKorczynski]

Looks great @chrisjsewell!

[welcome]

Congrats on your first merged pull request in this project! 🎉


Thank you for contributing, we are very proud of you! ❤️