Description
https://github.com/google/oss-fuzz
I'd like to add fuzz tests for simplejson's `_speedups` extension module, either to oss-fuzz directly, or to simplejson to be imported by oss-fuzz. See Ideal Integration. The idea is to test for possible crashes / memory safety issues in current and future versions of the code. (Admitting, however, that it's simple and unlikely to have problems.)
Does this sound like a good plan?
The way a fuzz test works is it's a C library that exports `int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)`, and gets linked with the fuzz binary, which calls it with a random string. I have a draft fuzz test which embeds CPython, imports simplejson, and runs `loads` on the random string.
I have a few questions before I can turn this into a real PR:
- What would be the best (least likely to break) way to check that `_speedups` is enabled? There's little point to fuzzing Python code.
- Would it be reasonable to add the fuzz test to `simplejson` itself, rather than oss-fuzz? This would mean it could be tested as part of the unit tests, and would be less likely to get broken someday. (Not entirely sure about how to integrate it with the tests yet -- in principle, should be able to add an extension module that just gets called with `"{}"` for testing purposes.)
- Who / what email(s) should I list as the contact for fuzz results if a security issue is found? (They have to be connected to a Google account for reasons.)