-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CIFuzz/CFLite should warn (or maybe optionally fail) when coverage goes down significantly #7190
Comments
I think this would be interesting to do, just like coverage for unittests. |
As far as I understand those reports will be on OSS-Fuzz (which is great) but I don't think issues like that should reach OSS-Fuzz given that they can be discovered much earlier.
I'm just spitballing but I think it should be possible to download the public OSS-Fuzz corpora, run the latest fuzzers and the fuzzers built in PRs (with coverage) against those corpora and compare their coverage reports. This way, CIFuzz/CFLite could make sure "coverage" isn't broken in general and on top of that it should make it possible to account for the runtime environment (which on Clusterfuzz is different from GHActions). |
Just to clarify, coverage reports on OSS-Fuzz are helpful but I don't think anybody looks at them when fuzz targets are believed to be mature enough. If coverage fluctuations aren't reported explicitly they are ignored until they are discovered by accident. For example, I ran into that accidentally trying to figure out why CIFuzz missed two issues that should have been caught. It was due to #7011 but along the way I looked at the PR where they were introduced and eventually ended up looking at the coverage report. |
I came across https://fitzgeraldnick.com/2022/10/24/how-fuzzy-are-your-fuzzers.html today where basically the same feature was mentioned:
To judge from GHSA-5fhj-g3p3-pq9g that bug could have been caught earlier:
@DavidKorczynski I think it's probably somewhat related to ossf/fuzz-introspector#734 in the sense that it's another example of where diffs between two reports can be used. |
Interesting, thanks for pointing out. FYI, the diffing is being done atm and you can see some documentation here: https://fuzz-introspector.readthedocs.io/en/latest/user-guides/comparing-introspector-reports.html#example-of-runtime-coverage-improvements Am not sure if it's feasible to run Fuzz Introspector in the CI, however:
|
I didn't know that. Thanks for the link!
Agreed.
I think that would probably be ideal in terms of catching those sudden drops in coverage because runtime coverage should indeed be enough in almost all cases probably. Nice! Thanks!
Sounds like a plan! Though I keep forgetting that for example |
For the record FI shows nice graphs. @DavidKorczynski I wonder if FI links are stable and can be embedded into READMEs to make the state of projects more visible and hopefully attract more contributors (at least as long as LLMs aren't quiet there yet :-))? |
Never mind. #10924 is probably what I'm looking for. |
CIFuzz can be used to make sure that PRs don't break fuzz targets and that new bugs aren't introduced, which is helpful assuming coverage is intact. But when PRs introduce changes preventing fuzz targets from covering their usual codepaths CIFuzz can't detect that and passes. I think it would be great if by analogy with, say, coveralls.io CIFuzz could compare coverage reports and at least warn when fuzz targets no longer cover anything. This issue was brought by a systemd fuzz target that was supposed to cover its dhcp-server but didn't actually fuzz much for almost two months as far as I can tell.
The text was updated successfully, but these errors were encountered: