From: Kostya Serebryany
Subject: Re: [ft-devel] More fuzzing for freetype2?
Date: Sun, 4 Oct 2015 11:40:38 -0700
Hello team!
> We are currently setting up an Open Source Security Group at Google
> to provide more structured resources to critical Open Source
> efforts. We’re starting with fuzzing and build infrastructure “as a
> service,” and we’d like to continue collaborating with you and
> FreeType to understand how you can benefit from these resources.
Great!
> On to practicalities: We’re continuing fuzz testing of FreeType.
> The fuzzer has been running for several days, and so far hasn’t
> found any new issues, so we’ve set up an 8-CPU continuously running
> public bot
> <https://github.com/kcc/libfuzzer-example/wiki/FreeType-Fuzzer-Bot>.
>
> Our current plan is to have the bot running indefinitely, with the
> hope that it will help us detect regressions and maybe find some
> more issues over time.
BTW, I completely forgot to tell you that FreeType has a fuzzer of its
own! Please have a look at `src/tools/ftrandom'. Some years ago
George Williams and I ran it for some time, and indeed the program
found a lot of bugs. However, I haven't done this recently, and your
bot approach is far more intensive, of course.
> At the bare minimum expect us to pass you reports when issues are
> discovered. Beyond that, if you’re willing, it would be helpful and
> productive if you could do the following:
>
> * Accept the target function
> <https://github.com/kcc/libfuzzer-example/blob/master/freetype-experiment/freetype2_fuzzer.cc>
> into the FreeType trunk.
This ...
> * Extend it to cover all the interesting functionality, possibly
> split it into several independent functions.
... and that could be based on the `ftrandom' code, so please have a
look first.
> * Point us to a public test corpus that we can use to extend the
> code coverage further. Ideally, it should be maintained in the
> FreeType git or similar.
What exactly do you mean by `test corpus'? Note that the biggest
problem of testing FreeType (mainly to compare rendering results of
valid fonts) is that most fonts of big importance are copyrighted, so
that I can't add them to a public repository...
> * Look at the coverage reports generated by the bot, see what parts
> of code are not covered, provide test inputs for that code.
Yes, this is very interesting. Are the coverage reports cumulative?
In particular, a single input file normally tests a single font module
only. This might be another reason to look at `ftrandom', since it
starts with a whole directory of fonts that can cover input files for
all font modules.
> *And, most importantly, we’d love your feedback.* Our goal is for
> this to be actually useful for those doing the hard work developing
> software, such as yourself. We would love your insight on how we
> can make that happen. What's missing in libFuzzer, sanitizers,
> coverage, documentation, bot? How we can make the process simpler
> for you so that you concentrate on the quality of code and not on
> the testing infrastructure? What other similar resources could we
> provide?
This is something that will take time to get acquainted with. Right
now, the current setup, that is, you run the bot and report the bugs,
is ideal for me :-)
> Please let us know if there’s someone else we should be in touch
> with on the FreeType team, if it’s not you.
I suggest that you write to the `freetype-devel' mailing list: there
you will find all the interested people, in particular Behdad Esfahbod
(also from Google) – his HarfBuzz library certainly deserves the same
tests as FreeType, BTW.
May I forward this mail to the list? This would be a good start, I
think.
Werner
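The script below is an added example, not code from FreeType, `ftrandom', or the fuzzer bot. It addresses the point made above that a single input file normally exercises a single font module: it sniffs the leading bytes of each seed file, maps the file to the FreeType driver that would claim it, drops byte-identical duplicates, and reports which drivers have no seed at all, so that gaps in a public seed corpus can be spotted before the bot's coverage reports do. The module names are FreeType's own driver names; the magic-byte table, the helper names (`classify`, `scan_seeds`, `scan_corpus`, `missing_modules`) and the sample seeds are this example's assumptions, and the samples are constructed headers rather than real fonts.

```python
"""Check which FreeType font drivers a seed corpus actually reaches.

Added example (not FreeType's or the fuzzer bot's own code).  Each seed is
classified by the leading bytes that FreeType's drivers probe, duplicates
are removed by SHA-256, and drivers without any seed are listed.
"""
import hashlib
import os
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# FreeType's font driver (module) names, as used in the source tree.
MODULES = ("truetype", "cff", "type1", "cid", "type42",
           "pfr", "winfonts", "pcf", "bdf")

# Leading bytes -> driver.  Assumed table for this example; sfnt containers
# (TrueType, OpenType/CFF, collections, WOFF) are dispatched by the sfnt
# module to either the truetype or the cff driver.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x00\x01\x00\x00", "truetype"),   # sfnt version 1.0 (TrueType outlines)
    (b"true", "truetype"),               # classic Macintosh TrueType
    (b"ttcf", "truetype"),               # TrueType collection
    (b"OTTO", "cff"),                    # OpenType with CFF outlines
    (b"%!PS-AdobeFont", "type1"),        # Type 1 PFA
    (b"%!FontType1", "type1"),
    (b"\x80\x01", "type1"),              # PFB segment header
    (b"%!PS-TrueTypeFont", "type42"),
    (b"%!PS-Adobe-3.0 Resource-CIDFont", "cid"),
    (b"STARTFONT", "bdf"),
    (b"\x01fcp", "pcf"),
    (b"PFR0", "pfr"),
    (b"MZ", "winfonts"),                 # .fon executable carrying FNT resources
]


def classify(data: bytes) -> Optional[str]:
    """Return the FreeType driver that would claim this blob, or None."""
    # WOFF wraps an sfnt; the inner flavour at offset 4 decides the driver.
    if data.startswith(b"wOFF") and len(data) >= 8:
        return "cff" if data[4:8] == b"OTTO" else "truetype"
    for magic, module in MAGIC:
        if data.startswith(magic):
            return module
    # Bare CFF: major 1, minor 0, header size >= 4, offset size 1..4.
    if len(data) >= 4 and data[0] == 1 and data[1] == 0 \
            and data[2] >= 4 and 1 <= data[3] <= 4:
        return "cff"
    # Raw Windows FNT resource: 16-bit little-endian version 0x200 or 0x300.
    if len(data) >= 2 and struct.unpack("<H", data[:2])[0] in (0x200, 0x300):
        return "winfonts"
    return None


def scan_seeds(seeds: Iterable[Tuple[str, bytes]]) -> Dict[str, object]:
    """Group (name, bytes) seeds by driver, skipping byte-identical files."""
    seen = set()
    by_module: Dict[str, List[str]] = {m: [] for m in MODULES}
    unknown: List[str] = []
    for name, data in seeds:
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue                      # identical seed already present
        seen.add(digest)
        module = classify(data)
        (by_module[module] if module else unknown).append(name)
    return {"by_module": by_module, "unknown": unknown}


def scan_corpus(root: str) -> Dict[str, object]:
    """Same as scan_seeds, but over every file below a directory."""
    def walk():
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read()
    return scan_seeds(walk())


def missing_modules(report: Dict[str, object]) -> List[str]:
    """Drivers for which the corpus holds no seed at all."""
    return sorted(m for m, files in report["by_module"].items() if not files)


# Constructed sample seeds (headers only, not real fonts) for a stand-alone run.
TTF_HEADER = b"\x00\x01\x00\x00" + b"\x00" * 12
DEMO_SEEDS = [
    ("a.ttf", TTF_HEADER),
    ("dup.ttf", TTF_HEADER),                       # duplicate, dropped
    ("b.otf", b"OTTO" + b"\x00" * 12),
    ("c.woff", b"wOFF" + b"OTTO" + b"\x00" * 8),   # WOFF around CFF
    ("d.pfb", b"\x80\x01" + b"\x00" * 6),
    ("e.bdf", b"STARTFONT 2.1\n"),
    ("junk.bin", b"\xde\xad\xbe\xef"),             # claimed by no driver
]

if __name__ == "__main__":
    rep = scan_seeds(DEMO_SEEDS)
    for mod, files in rep["by_module"].items():
        print(f"{mod:9s} {len(files)} seed(s)")
    print("unclassified:", rep["unknown"])
    print("no seeds for:", missing_modules(rep))
```

Point `scan_corpus` at a directory of seeds and treat every name in `missing_modules` as a driver the bot will never enter until a seed for it is added; the unclassified list is worth a look too, since a file no driver claims only exercises the format-detection path.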