In my last post I discussed the issues I was having getting ClusterFuzz to accept the targets defined in bughunt. Two people very kindly pointed out – Shnatsel on Reddit and Jonathan Metzman on Twitter – that linking to libFuzzer would be sufficient to get ClusterFuzz to recognize the targets. They were right!
As of this writing I've got all three existing targets running on my ClusterFuzz setup, though we're still only partway through the first real run and so haven't got any results.
All the work to make this possible is contained in a single commit on the project. The high-level details are:
- All bughunt targets are now written for cargo-fuzz (libFuzzer). This solves the linking issue described in the last post.
- Travis CI is used to make build artifacts in the style required by ClusterFuzz, ship these to the cluster's Google Cloud Store.
- ClusterFuzz picks these builds up and runs them for several hours as a part of a continuous build pipeline.
The Travis CI configuration is pegged to rebuild master every 24 hours against nightly. My ambition is to have rolling fuzzes of each nightly to head off any catastrophic issues. This means a couple of things.
- We must seriously increase the number of fuzz targets in bughunt for stateless things. There's a lot of promise in auto-fuzz-test for building coverage quickly, with minimal effort.
- We must increase the number of model checking targets in bughunt for stateful things. This is much more work, requiring a human being to sit around and think up, then implement the models.
- As the number of targets grow, the cost of the ClusterFuzz setup will grow. For now there seem to be plenty of credits for me to use and I'm not really sure which way to turn once the credits run low. Thoughts in this area are very welcome.
Anyway! Feels like a pretty serious milestone. Next steps will be to fine-tune the ClusterFuzz setup to reduce costs as much as possible, ensure we have an actually functional setup. I'll also get the configuration into the project repository as it sitting in my personal Dropbox account is not the best place for such things. Once the ClusterFuzz setup is tuned in, it'll be time to get more targets in place, at long last.