[FFmpeg-devel] [OSS-Fuzz] Have you considered enabling memory sanitizer?
epirat07 at gmail.com
epirat07 at gmail.com
Mon Jul 15 16:01:08 EEST 2024
On 14 Jul 2024, at 21:55, Michael Niedermayer wrote:
> On Sat, Jul 13, 2024 at 11:12:40PM +0200, Kacper Michajlow wrote:
>> On Thu, 27 Jun 2024 at 02:50, Kacper Michajlow <kasper93 at gmail.com> wrote:
>>>
>>> On Thu, 27 Jun 2024 at 00:45, Michael Niedermayer
>>> <michael at niedermayer.cc> wrote:
>>>>
>>>> On Wed, Jun 26, 2024 at 09:07:42PM +0200, Kacper Michajlow wrote:
>>>>> Hi,
>>>>>
>>>>> Like in the topic. I think it would be useful to enable MSAN on
>>>>> OSS-Fuzz. We get some tiny issues and it would be probably good to
>>>>> have them tracked upstream. All infra is here, so enabling it is as
>>>>> simple as adding it to the project.yaml. Except libbz2.so and libz.so
>>>>> would have to be built inline instead, looking at the build.sh, they
>>>>> are prebuilt. The rest should just work (TM), but needs to be tested.
>>>>> You can set an "experimental' flag to have it not create issues on
>>>>> monorail, initially.
>>>>
>>>> I assumed ossfuzz would enable all sanitizers by default
>>>
>>> They do not do that by default, because MSAN requires all dependencies
>>> to be instrumented too. See
>>> https://google.github.io/oss-fuzz/getting-started/new-project-guide/#sanitizers
>>>
>>> Looking at build.sh for ffmpeg, it should be fine to enable it.
>>> Obviously I have not tested everything, but I was running some tests
>>> locally with MSAN and also tested it with mpv oss-fuzz builds where we
>>> build ffmpeg too with MSAN.
>>>
>>> - Kacper
>>
>> I've sent a PR to enable MSAN and a few other build improvements.
>> Please take a look https://github.com/google/oss-fuzz/pull/12211
>>
>
>> Also, would it be ok to add myself to auto_ccs for ffmpeg? Mostly to
>> monitor what issues are reported upstream, as we get some reports in
>> mpv fuzzing and I never know if I should report it upstream (ffmpeg)
>> or it is already found by first-party fuzzing and I shouldn't make
>> more noise.
>
> you are welcome to submit bug reports, you are welcome to submit bug fixes
> if you find issues in FFmpeg.
>
> If someones work in FFmpeg or rather FFmpeg benefits from someone having
> access to the reports, then (s)he should receive access. This seems not
> to apply here
This seems quite rude… Maybe you did not intend it but thats how
it reads to me…
>
> Also i expect the number of outstanding ossfuzz issues to decrease now
> after the bulk of coverity issues has been dealt with
>
> thx
>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The real ebay dictionary, page 1
> "Used only once" - "Some unspecified defect prevented a second use"
> "In good condition" - "Can be repaird by experienced expert"
> "As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list