search for: llvm_libcxxabi

Displaying 6 results from an estimated 6 matches for "llvm_libcxxabi".

2017 Feb 01
3
Fuzzing bitcode reader
...M we either need to > > build a separate "real" continuous fuzzing process, > > or use an existing one. Luckily, there is one :) > > As a pilot I've recently added the cxa_demangler_fuzzer to OSS-Fuzz: > > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi > > It even found one bug which Mehdi already fixed! > > http://llvm.org/viewvc/llvm-project?view=revision&revision=293330 > > The bug report itself will become public in ~4 days: > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=370 > > Thanks for the expl...
2017 Feb 01
2
Fuzzing bitcode reader
...e either need to build a separate "real" continuous fuzzing process, or use an existing one. Luckily, there is one :) As a pilot I've recently added the cxa_demangler_fuzzer to OSS-Fuzz <https://github.com/google/oss-fuzz>: https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi It even found one bug which Mehdi already fixed! http://llvm.org/viewvc/llvm-project?view=revision&revision=293330 The bug report itself will become public in ~4 days: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=370 If we want to run some more llvm fuzzers on OSS-Fuzz I'd be happ...
2017 Aug 29
2
how to auto-report LLVM bugs found by fuzzing?
...make the bug reports public by default? > > We can set things differently for the llvm project (llvm, clang, etc) > and > > libcxxabi (demangler): > > https://github.com/google/oss-fuzz/tree/master/projects/llvm > > https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi > > At least some of these should probably just be public by default. Things > like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security > bugs, so I wouldn't expect them to find stuff that falls under the > responsible disclosure umbrella. > So, how about...
2017 Aug 29
3
how to auto-report LLVM bugs found by fuzzing?
...se CC-ed explicitly can see them. Should we make the bug reports public by default? We can set things differently for the llvm project (llvm, clang, etc) and libcxxabi (demangler): https://github.com/google/oss-fuzz/tree/master/projects/llvm https://github.com/google/oss-fuzz/tree/master/projects/llvm_libcxxabi Should we automatically CC the bugs to any of the llvm mailing lists (e.g. llvm-dev)? If a bug is CC-ed to a list, everyone will see the bug report summary in e-mail, but if the bug remains private the reproducer for the bug will remain private. Who wants to be CC-ed explicitly? (please add yours...
2017 Feb 01
3
Fuzzing bitcode reader
Hi all, The blog entry [1] suggests that one of the buildbots constantly fuzzes clang and clang-format. However, the actual bot [2] only tests the fuzzer itself over a well-known set of bugs in standard software (e.g. Heartbleed [3] seems to be among them). Has there actually ever been a buildbot that fuzzes clang/LLVM itself? Another (obvious?) fuzzing candidate would be the LLVM's bitcode
2017 Aug 30
2
how to auto-report LLVM bugs found by fuzzing?
...> > We can set things differently for the llvm project (llvm, clang, etc) > >> and > >> > libcxxabi (demangler): > >> > https://github.com/google/oss-fuzz/tree/master/projects/llvm > >> > https://github.com/google/oss-fuzz/tree/master/projects/ > llvm_libcxxabi > >> > >> At least some of these should probably just be public by default. Things > >> like llvm-isel-fuzzer or clang-fuzzer aren't really looking for security > >> bugs, so I wouldn't expect them to find stuff that falls under the > >> responsi...