Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Label or comment string to request OSS-Fuzz team look at an issue #6974

Open
davidben opened this issue Dec 6, 2021 · 7 comments
Open

Label or comment string to request OSS-Fuzz team look at an issue #6974

davidben opened this issue Dec 6, 2021 · 7 comments

Comments

@davidben
Copy link
Contributor

davidben commented Dec 6, 2021

OSS-Fuzz bug reports say:

This bug tracker is not being monitored by OSS-Fuzz team. If you have any questions, please create an issue at https://github.com/google/oss-fuzz/issues/new.

However, sometimes reports are caused by OSS-Fuzz infrastructure, not the fuzzers. Recently there have been a slew of build issues. Other times, LLVM regressions have triggered false positives in sanitizers. It is tedious to go to a separate system to report an issue, paste links back and forth, and then manually synchronize the two threads. Additionally, since the GitHub tracker is public, posting becomes extra difficult if it's unclear whether something is sanitizer false positive, or true regression.

I noticed myself even ignoring likely infra issues. The process for summoning the OSS-Fuzz team is difficult, infra issues will likely get reported elsewhere, and I may be too busy at the time for a time-consuming report. But that means rare infra issues go unnoticed. Worse, if it was a true positive, it gets lost in the noise.

There should be an easy, inline way for project maintainers to tag an issue as needing OSS-Fuzz team feedback as part of triage.
@maflcko
Copy link
Contributor

maflcko commented Dec 7, 2021

I'd say clang/llvm/libc++ bugs need to be reported upstream, not here.

Though, maybe it could make sense to only bump clang to major versions that are released? There is a new clang release about every 6 months (?), so waiting on new features isn't a lengthy process anymore. The upside would be that all breaking changes hopefully only happen twice a year during a bump and not any time during the year.

@davidben
Copy link
Contributor Author

davidben commented Dec 7, 2021

Certainly they need to be reported upstream, but as OSS-Fuzz manages the LLVM versions here, they're the next hop. As part of managing that bug, they'll need to temporarily rollback the LLVM update, etc.

@maflcko maflcko mentioned this issue Dec 7, 2021
Closed
@maflcko
Copy link
Contributor

maflcko commented Dec 7, 2021

I'd say by using a stable branch, there won't be any need rolling back commits in llvm.

@davidben
Copy link
Contributor Author

davidben commented Dec 7, 2021

Changes in a stable branch can cause problems too. There may also be build problems not caused by LLVM updates.

I don't think the frequency of LLVM updates has anything to do with this feature request, so let's move that to a separate ticket. (Though I definitely disagree with using a stable branch and would consider it a regression in my project's fuzzer coverage.)

@jonathanmetzman
Copy link
Contributor

jonathanmetzman commented Dec 7, 2021
edited

OSS-Fuzz bug reports say:

This bug tracker is not being monitored by OSS-Fuzz team. If you have any questions, please create an issue at https://github.com/google/oss-fuzz/issues/new.

However, sometimes reports are caused by OSS-Fuzz infrastructure, not the fuzzers.

Absolutely.

Recently there have been a slew of build issues.

Very sorry for these, I think they should be fixed in the next build.
See #6978

It is tedious to go to a separate system to report an issue, paste links back and forth, and then manually synchronize the two threads. Additionally, since the GitHub tracker is public, posting becomes extra difficult if it's unclear whether something is sanitizer false positive, or true regression.

I noticed myself even ignoring likely infra issues. The process for summoning the OSS-Fuzz team is difficult, infra issues will likely get reported elsewhere, and I may be too busy at the time for a time-consuming report. But that means rare infra issues go unnoticed. Worse, if it was a true positive, it gets lost in the noise.

There should be an easy, inline way for project maintainers to tag an issue as needing OSS-Fuzz team feedback as part of triage.

I can think of a few ways this can possibly supported:

  1. Allow users to CC oss-fuzz maintainers on bugs. We may need to be selective about this since it can mess up ClusterFuzz if labels are removed.
  2. Have some kind of script that when a certain trigger word is used will create a github issue.
  3. Have some kind of trigger word that we can set a mail filter for.

@oliverchang is 1 really infeasible? I like the idea of users having edit permissions since it lets them mark bugs as duplicate or wontfix and will thus improve the quality of our stats.

@oliverchang
Copy link
Collaborator

Unfortunately 1 isn't possible to do in a secure way. Granting users edit permissions is something that can only be done for the entire issue tracker. We can't scope that permission by OSS-fuzz project.

  1. sounds the most feasible to me.

@davidben davidben mentioned this issue May 8, 2024
Open
@davidben
Copy link
Contributor Author

davidben commented May 8, 2024

The OSV import process has made this a lot more urgent. Some related issues:

Now that there are systems that consume OSS-Fuzz reports, OSS-Fuzz needs tools to manage false positives for running fuzzers to be viable.

@davidben davidben mentioned this issue May 10, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@davidben @oliverchang @maflcko @jonathanmetzman