Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6883 closed task (fixed)

Google oss-fuzz

Reported by: Kurt Schwehr Owned by: warmerdam
Priority: normal Milestone:
Component: default Version: svn-trunk
Severity: normal Keywords:
Cc: Mateusz Łoskot

Description

https://lists.osgeo.org/pipermail/gdal-dev/2017-April/046495.html

https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

Change History (11)

comment:1 by Mateusz Łoskot, 7 years ago

Cc: Mateusz Łoskot added

comment:2 by Even Rouault, 7 years ago

Minimal infrastructure for oss-fuzz added in r38205

comment:4 by Even Rouault, 7 years ago

https://github.com/google/oss-fuzz/pull/589 has been merged

Last edited 7 years ago by Even Rouault (previous) (diff)

comment:5 by Kurt Schwehr, 7 years ago

Woohoo!

comment:6 by Mateusz Łoskot, 7 years ago

Awesome!

I received first run report this morning. https://bugs.chromium.org/p/oss-fuzz/issues/list?q=gdal

How do we go about the issues?

I see possible ways of doing it:

Once an issue is solved, are we supposed to close the bug at https://bugs.chromium.org/p/oss-fuzz ?

comment:7 by Even Rouault, 7 years ago

I think we can directly interact in the chromium bug database to avoid too much overhead (the downside is the lack of transparency, at least during the embargo period. But if someone wants to actively work on bugs we can always add them in the CC list !). It might be good to leave a comment in the bug entry to indicate that one has started to work on it. I think to remember to have read that the bugs are automatically closed when oss-fuzz checks out a new version of the code and sees the bug is no longer reproducible. Commit messages should include "Credit to OSS-Fuzz" as per their request, and it would be good to link to the bug URL in the commit message.

comment:8 by Mateusz Łoskot, 7 years ago

Indeed, it is better to go via the chromium bug database first.

  1. Leave a comment in (chromium database) bug entry to indicate that you work on it
  2. Work
  3. Commit a bug fix with log including "Credit to OSS-Fuzz" and bugs.chromium.org link
  4. Check chromium closed the bug.

comment:9 by Even Rouault, 7 years ago

https://github.com/google/oss-fuzz/pull/605 merged: adds expat and sqlite3 dependencies

comment:10 by Even Rouault, 7 years ago

Resolution: fixed
Status: newclosed

I'm closing this ticket as it is pretty much done. I've added a fuzzers/README.TXT

comment:11 by Kurt Schwehr, 7 years ago

Related projects:

I am hoping that all of the open source libraries GDAL depends on will apply to join.

I see these in the project list: curl, expat, freetype2, icu, libjpeg-turbo, libpng, postgresql, proj4, sqlite3, and zlib

Note: See TracTickets for help on using tickets.