fuzzing: Implement structure-aware Cache fuzzer and improve PFR/Properties coverage #143
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rties coverage This fills the coverage gaps for FTC_Manager functions and PFR driver metrics. It introduces a command-driven interpreter for the cache target.
Replaces hardcoded 'lib-asan' paths with dynamic suffix resolution based on CFLAGS. This allows building dependencies with MemorySanitizer.
Adds pfr.dict, pfr.options, and cache.options to support efficient fuzzing on OSS-Fuzz.
Adds support for standalone UBSan builds using a lib-ubsan directory, while maintaining lib-asan for the common ASan+UBSan configuration.
Adds the missing seed generator and initial corpus for the cache fuzzer. Ensures build scripts are executable.
Ensures cache, properties, and pfr targets are included in prepare-oss-fuzz.sh and DriverInternals. Adds dedicated properties fuzz target.
Marks previously unfuzzed APIs as fuzzed, reflecting the new targets added in this PR.
Reverts accidental hardcoded absolute paths to ensure the build works in CI and other environments.
Contributor
|
LGTM, thanks (and sorry for the late reply) – however, I've never touched the fuzzing code by myself, so my judgement might by wrong. @bungeman, please have a look. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR significantly expands and modernizes FreeType's fuzzing infrastructure, closing several documented coverage gaps and ensuring robust deployment on OSS-Fuzz.
Key Enhancements:
Structure-Aware Cache Fuzzer:
CacheFuzzTargetfrom a static fuzzer into a bytecode interpreter.FTC_ManagerAPI (Reset, Lookup, Resize, RemoveID, Unref), enabling the exploration of complex state machine transitions.Dedicated Properties Fuzzer:
PropertiesFuzzTargetandFaceVisitorPropertiesto specifically stress theFT_Face_PropertiesAPI.Enhanced PFR Driver Coverage:
FaceVisitorPfrto test a robust range of glyph indices (including intentionally invalid/OOB values) and kerning pairs, moving beyond the previous static check of the first 20 glyphs.Full Multi-Sanitizer Infrastructure (ASan/MSan/UBSan):
zlib.sh,libpng.sh,freetype.sh) to support MemorySanitizer and standalone UBSan.get_lib_suffix.sh) that intelligently switches betweenlib-asan,lib-msan, andlib-ubsanbased onCFLAGS.Full Deployment & CI Integration:
prepare-oss-fuzz.shto include thecache,pfr, andpropertiestargets in the deployment harvest.corporaglobbing logic.Official Documentation Update:
README.mdto reflect the new API coverage, officially marking Cache, PFR, and Properties as fuzzed.Quality-of-Life Assets:
pfr.dict,pfr.options,cache.options, andproperties.optionsto guide the fuzzing engine on the cluster.All changes have been verified locally using
clangwith AddressSanitizer, UBSan, and Coverage instrumentation.