On Tue, 2021-10-12 at 15:40 -0400, Eric Gallager wrote: > On Tue, Oct 12, 2021 at 8:55 AM Luís Ferreira > wrote: > > > > On Fri, 2021-10-08 at 22:11 +0200, Iain Buclaw wrote: > > > Excerpts from Luís Ferreira's message of October 8, 2021 7:08 pm: > > > > On Fri, 2021-10-08 at 18:52 +0200, Iain Buclaw wrote: > > > > > Excerpts from Luís Ferreira's message of October 7, 2021 8:29 > > > > > pm: > > > > > > On Tue, 2021-10-05 at 21:49 -0400, Eric Gallager wrote: > > > > > > > > > > > > > > I can help with the autotools part if you can say how > > > > > > > precisely > > > > > > > you'd > > > > > > > like to use them to add address sanitization. And as for > > > > > > > the > > > > > > > OSS > > > > > > > fuzz part, I think someone tried setting up auto-fuzzing > > > > > > > for it > > > > > > > once, > > > > > > > but the main bottleneck was getting the bug reports that > > > > > > > it > > > > > > > generated > > > > > > > properly triaged, so if you could make sure the bug- > > > > > > > submitting > > > > > > > portion > > > > > > > of the process is properly streamlined, that'd probably > > > > > > > go a > > > > > > > long > > > > > > > way > > > > > > > towards helping it be useful. > > > > > > > > > > > > Bugs are normally reported by email or mailing list. Is > > > > > > there any > > > > > > writable mailing list to publish bugs or is it strictly > > > > > > needed to > > > > > > open > > > > > > an entry on bugzilla? > > > > > > > > > > > > > > > > Please open an issue on bugzilla, fixes towards it can then > > > > > be > > > > > referenced in the commit message/patch posted here. > > > > > > > > > > Iain. > > > > > > > > You mean for this current issue? The discussion was about > > > > future bug > > > > reports reported by the OSS fuzzer workers. I can also open an > > > > issue > > > > on > > > > the bugzilla for this issue, please clarify it and let me know > > > > :) > > > > > > > > > > 1. Open one for this issue. > > > > > > 2. Bugs found by the fuzzer would report to bugzilla. > > > https://gcc.gnu.org/bugs/ > > > > > > Iain. > > > > Cross referencing the created issue: > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102702 > > > > -- > > Sincerely, > > Luís Ferreira @ lsferreira.net > > > > Right, I found the previous time someone tried to set up an > autofuzzer > to report bugs to GCC's Bugzilla; searching for bugs reported by > security-tps@google.com on Bugzilla should find them: > https://gcc.gnu.org/bugzilla/buglist.cgi?email1=security-tps%40google.com&emailassigned_to1=1&emailcc1=1&emaillongdesc1=1&emailreporter1=1&emailtype1=substring&list_id=326459&query_format=advanced Good! Do you know how and where this is being handled? I didn't find anything related to GCC/libiberty on OSS fuzz repository. Existing resources on that can be useful to increment on top instead of designing something from scratch. I also took a look at the fuzzer included in GCC, but it doesn't include any heuristic. -- Sincerely, Luís Ferreira @ lsferreira.net