[Development] Submitting Qt to oss-fuzz

Edward Welbourne edward.welbourne at qt.io
Fri Aug 31 10:27:08 CEST 2018


Albert Astals Cid (30 August 2018 20:42) wrote:
> oss-fuzz is an online fuzzing service run by Google.

Sounds useful.

> They test the code base daily and run fuzzing over it, maintaining a
> list of open and closed bugs.
>
> Found bugs are sent to a list of trusted addresses and kept private for
> 90 days; then, if not fixed, they become public.
>
> Fixed bugs become public 30 days after being fixed.

By "fixed" do they mean "we have told them we've fixed it" or "we've
released all currently releasing branches of Qt with fixes" ?  I'm
guessing it's closer to the former than the latter.  So we have a month
from fixing it, or perhaps from releasing *one* branch with a fix,
within which to also release all our other live branches.  That sounds
like it may stress our release processes.  So we have a quarter year in
which to find a fix, then we need to orchestrate releases across all
branches within a month; and this happens for each and every issue
found.  That schedule is fine for Chromium, which doesn't support old
versions or care about backwards-compatibility, but may be a poor fit
for our more conservative processes.

So it would be better to run this *ourselves*, if we can, so that the Qt
community has more control over how and when the results get to be
published.

> If you want to test it locally you can do
>     python infra/helper.py build_fuzzers --sanitizer undefined qt
>     python infra/helper.py run_fuzzer qt qimage_fuzzer
> for the undefined sanitizer and
>     python infra/helper.py build_fuzzers --sanitizer address qt
>     python infra/helper.py run_fuzzer qt qimage_fuzzer

So it *can* be used locally, without giving Google yet more power ...
Good to know.

	Eddy.
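The local run described above builds the project's fuzz targets (such as qimage_fuzzer) and feeds them through libFuzzer under a sanitizer. What follows is an added example, not code from this thread and not Qt's own qimage_fuzzer: it shows the shape such a target takes (the LLVMFuzzerTestOneInput entry point OSS-Fuzz links against) together with a stand-alone replay driver, so that a testcase file attached to an OSS-Fuzz report can be re-run under a debugger without libFuzzer. To keep the file compilable without Qt, the decoder under test is a constructed toy format standing in for QImage::loadFromData(); the function names, the LIBFUZZER_BUILD guard macro and the size limits are this example's own assumptions.

```cpp
// Added example: libFuzzer-style target plus replay driver. Not Qt code.
// The toy decoder below is a constructed stand-in for QImage::loadFromData();
// a real qimage target would hand (data, size) to QImage::fromData() instead.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed toy format: magic "IMG1", u16 width, u16 height (little-endian),
// then width*height one-byte pixels. Returns true on a well-formed image and
// false on malformed input; it must never crash or read out of bounds, since
// that is exactly what the fuzzer is looking for.
bool decodeToyImage(const uint8_t *data, size_t size, std::vector<uint8_t> &pixels) {
    if (size < 8 || std::memcmp(data, "IMG1", 4) != 0) return false;
    uint16_t w = static_cast<uint16_t>(data[4] | (data[5] << 8));
    uint16_t h = static_cast<uint16_t>(data[6] | (data[7] << 8));
    // Reject absurd dimensions before allocating: without this, a fuzzer
    // reports out-of-memory and timeout findings rather than real bugs.
    if (w == 0 || h == 0 || static_cast<uint32_t>(w) * h > (1u << 20)) return false;
    size_t needed = static_cast<size_t>(w) * h;
    if (size - 8 < needed) return false;  // truncated pixel payload
    pixels.assign(data + 8, data + 8 + needed);
    return true;
}

// libFuzzer entry point. OSS-Fuzz builds this with -fsanitize=fuzzer and the
// chosen sanitizer (address, undefined, ...), which is what catches the crash.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // Cap the input size (assumed limit) so each iteration stays fast.
    if (size > 64 * 1024) return 0;
    std::vector<uint8_t> pixels;
    decodeToyImage(data, size, pixels);  // result deliberately ignored
    return 0;  // libFuzzer reserves non-zero; crashes are detected by sanitizers
}

// Replay driver: push each file named on the command line through the target
// once. Returns the number of files that could not be opened.
int replayFiles(int argc, char **argv) {
    int failures = 0;
    for (int i = 1; i < argc; ++i) {
        FILE *f = std::fopen(argv[i], "rb");
        if (!f) { std::perror(argv[i]); ++failures; continue; }
        std::vector<uint8_t> buf;
        uint8_t chunk[4096];
        size_t n;
        while ((n = std::fread(chunk, 1, sizeof chunk, f)) > 0)
            buf.insert(buf.end(), chunk, chunk + n);
        std::fclose(f);
        LLVMFuzzerTestOneInput(buf.data(), buf.size());
        std::printf("%s: %zu bytes, no crash\n", argv[i], buf.size());
    }
    return failures;
}

// libFuzzer supplies its own main(), so the replay main() is compiled only
// when the (assumed) LIBFUZZER_BUILD macro is not defined.
#ifndef LIBFUZZER_BUILD
int main(int argc, char **argv) { return replayFiles(argc, argv); }
#endif
```

Built with `clang++ -g -fsanitize=fuzzer,address -DLIBFUZZER_BUILD` the file is a libFuzzer target; built plainly with `clang++ -g -fsanitize=address` it is a replay tool that takes the testcase files from a report as arguments, which is the same thing the helper's reproduce step does inside its container.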
