google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

Support Fuzzing JavaScript with Jazzer.js #8324

Open jonathanmetzman opened 1 year ago

jonathanmetzman commented 1 year ago

CC @fmeum @bertschneider

oliverchang commented 1 year ago

Some remaining pieces here:

kyakdan commented 1 year ago

One more thing from my side: We still need to integrate source-based coverage reporting for JavaScript in OSS-Fuzz. This has been recently added to Jazzer.js, and we'll take care of it.

ljharb commented 1 year ago

Will this include some way to permanently persist any failing test inputs?

jonathanmetzman commented 1 year ago

Will this include some way to permanently persist any failing test inputs?

Not sure I understand, but I think yes, this is how oss-fuzz works. Project maintainers are notified when a bug is found and given the crashing input.

kyakdan commented 1 year ago

As @jonathanmetzman said, this is the workflow in OSS-Fuzz. Bugs, including the crashing inputs, are only disclosed to the public once they are fixed, or the disclosure deadline passes with no fix from the maintainers.

ljharb commented 1 year ago

That's great - so it's not automatic, but there's zero chance a failed input will be lost, for example by rerunning a test?

jonathanmetzman commented 1 year ago

That's great - so it's not automatic, but there's zero chance a failed input will be lost, for example by rerunning a test?

I don't know what you mean by "automatic".

There's almost no chance. Sometimes we delete testcases that are non-deterministic and infrequently occurring.

ljharb commented 1 year ago

I meant like, a github action that preserves somehow - in a database elsewhere - failed inputs.

If it can transmit the failures to me somehow, that suffices, since I can just manually commit them :-)

kyakdan commented 1 year ago

Here is the link to all public issues found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=&can=1. For each issue, you have several details, including a link to download the test case (failing input). Ideally, you then have a unit test with this input to ensure that you test for regressions and verify your fix for the issue. Which testing framework do you use for JavaScript? Jazzer.js has a Jest integration enabling you to write fuzz tests using the usual syntax and automatically create regression tests for found issues.

ljharb commented 1 year ago

I use https://npmjs.com/tape.

kyakdan commented 1 year ago

I'm not aware of tape, but see that you are the maintainer of it. Would you be interested in adding support for fuzzing runs using Jazzer.js?

ljharb commented 1 year ago

I'm not sure what that would entail, but sure, potentially.

kyakdan commented 1 year ago

Sounds great! We can collaborate there and we can provide the support you need regarding Jazzer.js.