
Consider integrating with OSS-Fuzz? #650

Closed
Valloric opened this issue Mar 3, 2020 · 6 comments

Comments

@Valloric

Valloric commented Mar 3, 2020

OSS-Fuzz is a Google-provided service that can automatically and continuously fuzz OSS libraries and report bugs for discovered issues. It supports fuzzing Rust.

The requirement for being accepted in OSS-Fuzz is "project must have a significant user base and/or be critical to the global IT infrastructure" which I personally believe definitely includes the Rust regex library, since it's at the core of so much stuff. List of projects that are currently in OSS-Fuzz.

Can't hurt to file a form and ask.

(Disclaimer: I work for Google, but not on anything fuzzing or security-related. I do not speak for my employer. This suggestion comes from "personal Val", not "business Val". 😃)

@Valloric
Author

Valloric commented Mar 3, 2020

Oh, forgot to mention: OSS-Fuzz offers monetary rewards for integration, up to $20k. If this isn't personally interesting, it can be donated to a charity of your choice and Google will double the reward.

$40k to a charity for a few days of work doesn't sound like a bad deal...

@BurntSushi
Member

Sounds like a good idea to me. Not sure if regex would qualify though or when I'll get to this. It's likely we could crib ideas from RE2: https://github.com/google/re2/tree/master/re2/fuzzing

If someone else wanted to work on this, I'd be happy to give guidance and mentor it.

@miclill

miclill commented May 29, 2020

@Valloric What kind of bugs do you hope to catch by fuzzing? It is my understanding that - since this library is written without the use of unsafe - most bugs caught by fuzzing cannot occur anyway.

For reference: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

@BurntSushi
Member

This was done in #679

@miclill Safety bugs are not the only kind of bugs. Fuzzing is very useful for sussing out panics which should not occur.

@BurntSushi
Member

@DavidKorczynski The fuzzer reported its first bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26324

The regex it used is pretty gnarly and takes quite a long time to compile in debug mode. I think the fuzzer should run regex in release mode, since this is how the default size limit is mostly tuned. If a regex under the size limit takes more than 60 seconds to compile, then it's likely the size limit (or something else) needs to be tweaked.

I tried to fix this in 9067dfd and 44abc5f, where I changed the fuzz target to compile with optimizations. But arguably, the fuzzer itself should be building the Rust program in release mode.

Is there anything else I'm supposed to do to get the updated configuration into OSS-Fuzz? Or does it just automatically pick up changes on master? Thanks!

@DavidKorczynski
Contributor

The fuzzer is built by way of cargo-fuzz and the default of Cargo-fuzz is to build by way of release mode, i.e. the --release flag is used when calling cargo build: https://github.com/rust-fuzz/cargo-fuzz/blob/799bf534b889859b090b76f2ca1cffdca4ee7455/src/project.rs#L138

I made minor changes in a pull request here: #720, but once that has been merged we should be good to go with the new setup. OSS-Fuzz automatically pulls the latest, but it may take a few days.
