Add github action to enable batch fuzzing with ClusterFuzzLite

Batch fuzzing enables continuous, regular fuzzing on your latest HEAD and allows a corpus of inputs to build up over time, which greatly improves the effectiveness of fuzzing. Batch fuzzing can be run on a cron schedule.

Add github action to enable batch fuzzing with ClusterFuzzLite
96ae86cb · Dominik Loidolt · 5e6d3044 · 96ae86cb · 96ae86cb · 96ae86cb
Commit 96ae86cb authored 1 year ago by Dominik Loidolt
--- a/.clusterfuzzlite/build.sh
+++ b/.clusterfuzzlite/build.sh
@@ -6,8 +6,6 @@ BUILD=$WORK/build
 rm -rf "$BUILD"
 mkdir -p "$BUILD"
-echo "$LIB_FUZZING_ENGINE"
 # setup project
 meson setup "$BUILD" \
  --buildtype=plain \
@@ -15,8 +13,7 @@ meson setup "$BUILD" \
  -Dfuzzer_ldflags="$LIB_FUZZING_ENGINE" \
  -Ddebug_level=0 \
  -Ddefault_library=static \
-  -Db_lundef=false \
+  -Db_lundef=false 
-  --wrap-mode=nodownload
 # build fuzzers
 ninja -v -C "$BUILD" test/fuzz/fuzz_{round_trip,compression}

--- a/.github/workflows/cflite_batch.yml
+++ b/.github/workflows/cflite_batch.yml
+name: ClusterFuzzLite batch fuzzing
+on:
+  schedule:
+    - cron: '0 0/6 * * *'  # Every 6th hour. Change this to whatever is suitable.
+  push:
+    branches: test_batch_fuzzing
+permissions: read-all
+jobs:
+  BatchFuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+        - undefined
+        - memory
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: c
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 3600
+        mode: 'batch'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true
+        storage-repo: https://gh-action:${{ secrets.ACCESS_TOKEN_GITLAB_UNI }}@gitlab.phaidra.org/loidoltd15/cmp_tool_storage.git
+        storage-repo-branch: main
+        storage-repo-branch-coverage: gh-pages
--- a/test/fuzz/download_corpus.sh
+++ b/test/fuzz/download_corpus.sh
+#!/bin/bash
+bin_path=${1:-}
+if [[ -z "$bin_path" ]]; then
+    echo "usage: $0 <fuzz target>"
+    exit 1
+fi
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    DOWNLOAD="curl --silent -L -o"
+else
+    DOWNLOAD="wget --quiet --output-document"
+fi
+ROOT_DIR=${MESON_BUILD_ROOT:-.}"/"
+CORPORA_URL=https://gitlab.phaidra.org/loidoltd15/cmp_tool_storage/-/archive/main/cmp_tool_storage-main.tar.bz2
+CORPUS_COMPRESSED=$ROOT_DIR"cmp_tool_storage.tar.bz2"
+CORPUS="cmp_tool_storage-main"
+CORPUS_ID=$(git ls-remote https://gitlab.phaidra.org/loidoltd15/cmp_tool_storage.git HEAD | head -c 8)
+CORPUS_DIR="$ROOT_DIR"corpus__"$CORPUS_ID"
+if [ ! -d "$CORPUS_DIR" ]; then
+    $DOWNLOAD "$CORPUS_COMPRESSED" "$CORPORA_URL"
+    mkdir "$CORPUS_DIR"
+    tar -xf "$CORPUS_COMPRESSED" -C "$CORPUS_DIR"
+fi
+rm -f "$CORPUS_COMPRESSED"
+for arg in "$@" 
+do
+    find "$CORPUS_DIR"/"$CORPUS"/corpus -name "$arg"
+done
--- a/test/fuzz/fuzz_compression.c
+++ b/test/fuzz/fuzz_compression.c
@@ -95,6 +95,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 	case CMP_ERROR_PAR_SPECIFIC:
 	case CMP_ERROR_PAR_BUFFERS:
 	case CMP_ERROR_PAR_MAX_USED_BITS:
+	case CMP_ERROR_PAR_NULL:
 	/* chunk errors */
 	case CMP_ERROR_CHUNK_NULL:
 	case CMP_ERROR_CHUNK_TOO_LARGE:

--- a/test/fuzz/fuzz_round_trip.c
+++ b/test/fuzz/fuzz_round_trip.c
@@ -175,6 +175,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 	case CMP_ERROR_PAR_SPECIFIC:
 	case CMP_ERROR_PAR_BUFFERS:
 	case CMP_ERROR_PAR_MAX_USED_BITS:
+	case CMP_ERROR_PAR_NULL:
 	/* chunk errors */
 	case CMP_ERROR_CHUNK_NULL:
 	case CMP_ERROR_CHUNK_TOO_LARGE:

--- a/test/fuzz/meson.build
+++ b/test/fuzz/meson.build
@@ -7,8 +7,6 @@ fuzz_targets = ['fuzz_compression.c', 'fuzz_round_trip.c']
 add_languages('cpp', native: false) # libFuzzingEngine needs c++
 foreach target : fuzz_targets
  file_name = target
  target_name = file_name.split('.').get(0)
@@ -21,11 +19,11 @@ foreach target : fuzz_targets
    link_language : 'cpp' # libFuzzingEngine needs c++
  )
-# todo add seed corpus
+   corpus_path = run_command('./download_corpus.sh', target_name, check: true).stdout().split()
  test(target_name + ' 10 min',
    fuzz_exe,
-    args : ['-rss_limit_mb=2560', '-timeout=25', '-max_total_time=600'],
+    args : ['-rss_limit_mb=2560', '-timeout=25', '-max_total_time=600', corpus_path],
-    # args : ['-timeout=25', '-max_total_time=600'],
    env : test_env,
    is_parallel : false,
    # suite : 'fuzzing',
@@ -34,7 +32,7 @@ foreach target : fuzz_targets
  test(target_name + ' non stop',
    fuzz_exe,
-    args : ['-rss_limit_mb=2560', '-timeout=25'],
+    args : ['-rss_limit_mb=2560', '-timeout=25', corpus_path],
    env : test_env,
    is_parallel : false,
    # suite : 'fuzzing',