Add a fuzzer for Py_CompileStringExFlags #111721
Merged
alex merged 6 commits into python:main from Dec 10, 2023
Contributor
Author
Note that this new fuzz target already uncovers assertion failures in the CPython parser after running for a few minutes under honggfuzz. I probably should open an issue for that?
Member
Yes, please :)
Contributor
Author
In particular, I'm seeing two assertion failures: I will collect the relevant inputs and stack traces and open an issue for each one.
Member
Were those issues filed?
Contributor
Author
@alex no, I haven't filed the issues yet. Let me give that another look this weekend!
Member
Please leave a comment here when you do!
…On Fri, Nov 17, 2023 at 3:33 PM Brad Larsen ***@***.***> wrote:
@alex no, I haven't filed the issues yet. Let me give that another look this weekend!
--
All that is necessary for evil to succeed is for good people to do nothing.
This was referenced Nov 25, 2023
alex reviewed Nov 26, 2023
alex reviewed Dec 10, 2023
Member
alex left a comment
Two small style suggestions, otherwise LGTM.
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Contributor
Author
Thank you @alex!
alex approved these changes Dec 10, 2023
Member
FYI, you may be able to apply for a Patch Reward from Google for the fuzzers you've contributed: https://bughunters.google.com/open-source-security/patch-rewards
aisk pushed a commit to aisk/cpython that referenced this pull request Feb 11, 2024
Glyphack pushed a commit to Glyphack/cpython that referenced this pull request Sep 2, 2024
This pull request adds a new fuzz target for the Py_CompileStringExFlags function in the "Very High Level Layer" C API. This function is essentially a C entry point to the Python compile builtin.
This pull request also includes a handful of short, mostly nonsensical Python files written to demonstrate a number of syntactic forms that appear in Python.
Also included is a dictionary of most Python syntactic elements, often included with trailing spaces, to aid the fuzzers in producing inputs that have a chance of being syntactically valid.
Future work could include writing a structure-aware input mutator, which would take syntactically valid Python programs as input, and produce syntactically-valid mutated Python programs as outputs. This would likely get much deeper coverage from the fuzzers.
CC @alex @gpshead
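
The structure-aware mutator mentioned as future work in the description above, shown as an added example that is not part of the pull request or of CPython: it parses a valid program with `ast`, rewrites operators, integer constants and statement lists, and unparses the result so every mutant stays syntactically valid. The names `Mutator`, `mutate` and `SEED_PROGRAM`, the mutation tables and the seed program are assumptions made for illustration.

```python
import ast
import random

BIN_OPS = [ast.Add, ast.Sub, ast.Mult, ast.FloorDiv, ast.Mod, ast.Pow,
           ast.LShift, ast.RShift, ast.BitOr, ast.BitAnd, ast.MatMult]
CMP_OPS = [ast.Eq, ast.NotEq, ast.Lt, ast.GtE, ast.In, ast.NotIn]
INTS = [0, -1, 1, 255, 2**31 - 1, 2**63, -(2**63) - 1]  # boundary values

class Mutator(ast.NodeTransformer):
    """Hypothetical mutator: each candidate site changes with probability `rate`."""
    def __init__(self, rng, rate):
        self.rng = rng
        self.hit = lambda: rng.random() < rate

    def visit_BinOp(self, node):
        self.generic_visit(node)
        if self.hit():  # replace the operator, keep both operands
            node.op = self.rng.choice(BIN_OPS)()
        return node

    def visit_Compare(self, node):
        self.generic_visit(node)
        node.ops = [self.rng.choice(CMP_OPS)() if self.hit() else op for op in node.ops]
        return node

    def visit_Constant(self, node):
        # Plain ints only: bools and strings (docstrings, f-string parts) are left alone.
        if type(node.value) is int and self.hit():
            return ast.Constant(value=self.rng.choice(INTS), kind=None)
        return node

    def generic_visit(self, node):
        super().generic_visit(node)  # mutate children first
        body = getattr(node, "body", None)
        if isinstance(body, list) and body and self.hit():
            i = self.rng.randrange(len(body))
            body.insert(i, body[i])  # duplicate one statement next to itself
        return node

def mutate(source, seed, rate=0.5):
    """Return a mutant of `source`; raises SyntaxError if it no longer compiles."""
    tree = Mutator(random.Random(seed), rate).visit(ast.parse(source))
    mutant = ast.unparse(tree)  # requires Python 3.9+
    compile(mutant, "<mutant>", "exec")  # the builtin the C API function fronts
    return mutant

SEED_PROGRAM = (  # constructed sample input, not from the PR's corpus
    "def f(xs, n=3):\n    total = 0\n    for i, x in enumerate(xs):\n"
    "        if 0 <= i < n and x != 7:\n            total += x * 2 + i\n    return total >> 1\n")
```

Because `ast.unparse` normalizes whitespace and parenthesization, mutants like these complement byte-level mutation with the corpus and dictionary rather than replace it.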