libjxl

fuzzing.md (9155B)

---

 # Fuzzing
 
 Fuzzing is a technique to find potential bugs by providing randomly generated
 invalid inputs. To detect potential bugs such as programming errors we use
 fuzzing in combination with ASan (Address Sanitizer), MSan (Memory Sanitizer),
 UBSan (Undefined Behavior Sanitizer) and asserts in the code. An invalid input
 will likely produce a decoding error (some API function returning error), which
 is absolutely not a problem, but what it should not do is access memory out of
 bounds, use uninitialized memory or hit a false assert condition.
 
 ## Automated Fuzzing with oss-fuzz
 
 libjxl fuzzing is integrated into [oss-fuzz](https://github.com/google/oss-fuzz)
 as the project `libjxl`. oss-fuzz regularly runs the fuzzers on the `main`
 branch and reports bugs into their bug tracker which remains private until the
 bugs are fixed in main.
 
 ## Fuzzer targets
 
 There are several fuzzer executable targets defined in the `tools/` directory
 to fuzz different parts of the code. The main one is `djxl_fuzzer`, which uses
 the public C decoder API to attempt to decode an image. The fuzzer input is not
 directly the .jxl file, the last few bytes of the fuzzer input are used to
 decide *how* will the API be used (if preview is requested, the pixel format
 requested, if the .jxl input data is provided altogether, etc) and the rest of
 the fuzzer input is provided as the .jxl file to the decoder. Some bugs might
 reproduce only if the .jxl input is decoded in certain way.
 
 The remaining fuzzer targets execute a specific portion the codec that might be
 easier to fuzz independently from the whole codec.
 
 ## Reproducing fuzzer bugs
 
 A fuzzer target, like `djxl_fuzzer` accepts as a parameter one or more files
 that will be used as inputs. This runs the fuzzer program in test-only mode
 where no new inputs are generated and only the provided files are tested. This
 is the easiest way to reproduce a bug found by the fuzzer using the generated
 test case from the bug report.
 
 oss-fuzz uses a specific compiler version and flags, and it is built using
 Docker. Different compiler versions will have different support for detecting
 certain actions as errors, so we want to reproduce the build from oss-fuzz as
 close as possible. To reproduce the build as generated by oss-fuzz there are a
 few helper commands in `ci.sh` as explained below.
 
 ### Generate the gcr.io/oss-fuzz/libjxl image
 
 First you need the ossfuzz libjxl builder image. This is the base oss-fuzz
 builder image with a few dependencies installed. To generate it you need to
 check out the oss-fuzz project and build it:
 
 ```bash
 git clone https://github.com/google/oss-fuzz.git ~/oss-fuzz
 cd ~/oss-fuzz
 sudo infra/helper.py build_image libjxl
 ```
 
 This will create the `gcr.io/oss-fuzz/libjxl` docker image. You can check if it
 was created verifying that it is listed in the output of the `sudo docker image
 ls` command.
 
 ### Build the fuzzer targets with oss-fuzz
 
 To build the fuzzer targets from the current libjxl source checkout, use the
 `./ci.sh ossfuzz_msan` command for MSan, `./ci.sh ossfuzz_asan` command for ASan
 or `./ci.sh ossfuzz_ubsan` command for UBSan. All the `JXL_ASSERT` and
 `JXL_DASSERT` calls are enabled in all the three modes. These ci.sh helpers will
 reproduce the oss-fuzz docker call to build libjxl mounting the current source
 directory into the Docker container. Ideally you will run this command in a
 different build directory separated from your regular builds.
 
 For example, for MSan builds run:
 
 ```bash
 BUILD_DIR=build-fuzzmsan ./ci.sh ossfuzz_msan
 ```
 
 After this, the fuzzer program will be generated in the build directory like
 for other build modes: `build-fuzzmsan/tools/djxl_fuzzer`.
 
 ### Iterating changes with oss-fuzz builds
 
 After modifying the source code to fix the fuzzer-found bug, or to include more
 debug information, you can rebuild only a specific fuzzer target to save on
 rebuilding time and immediately run the test case again. For example, for
 rebuilding and testing only `djxl_fuzzer` in MSan mode we can run:
 
 ```bash
 BUILD_DIR=build-fuzzmsan ./ci.sh ossfuzz_msan djxl_fuzzer && build-fuzzmsan/tools/djxl_fuzzer path/to/testcase.bin
 ```
 
 When MSan and ASan fuzzers fail they will print a stack trace at the point where
 the error occurred, and some related information. To make these these stack
 traces useful we need to convert the addresses to function names and source file
 names and lines, which is done with the "symbolizer". For UBSan to print a stack
 trace we need to set the `UBSAN_OPTIONS` environment variables when running the
 fuzzer.
 
 Set the following environment variables when testing the fuzzer binaries. Here
 `clang` should match the compiler version used by the container, you can pass a
 different compiler version in the following example by first installing the
 clang package for that version outside the container and using `clang-NN`
 (for example `clang-11`) instead of `clang` in the following commands:
 
 ```bash
 symbolizer=$($(realpath $(which clang)) -print-prog-name=llvm-symbolizer)
 export MSAN_SYMBOLIZER_PATH="${symbolizer}"
 export UBSAN_SYMBOLIZER_PATH="${symbolizer}"
 export ASAN_SYMBOLIZER_PATH="${symbolizer}"
 export ASAN_OPTIONS=detect_leaks=1
 export UBSAN_OPTIONS=print_stacktrace=1
 ```
 
 Note: The symbolizer binary must be a program called `llvm-symbolizer`, any
 other file name will fail. There are normally symlinks already installed with
 the right name which the `-print-prog-name` would print.
 
 ## Running the fuzzers locally
 
 Running the fuzzer targets in fuzzing mode can be achieved by running them with
 no parameters, or better with a parameter with the path to a *directory*
 containing a seed of files to use as a starting point. Note that passing a
 directory is considered a corpus to use for fuzzing while passing a file is
 considered an input to evaluate. Multi-process fuzzing is also supported. For
 details about all the fuzzing options run:
 
 ```bash
 build-fuzzmsan/tools/djxl_fuzzer -help=1
 ```
 
 ## Writing fuzzer-friendly code
 
 Fuzzing on itself can't find programming bugs unless an input makes the program
 perform an invalid operation (read/write out of bounds, perform an undefined
 behavior operation, etc). You can help the fuzzer find invalid situations by
 adding asserts:
 
  * `JXL_ASSERT()` is enabled in Release mode by default. It can be disabled
    with `-DJXL_ENABLE_ASSERT=0` but the intention is that it will run for all
    the users in released code. If performance of the check is not an issue (like
    checks done once per image, once per channel, once per group, etc) a
    JXL_ASSERT is appropriate. A failed assert is preferable to an out of bounds
    write.
 
  * `JXL_DASSERT()` is only enabled in Debug builds, which includes all the ASan,
    MSan and UBSan builds. Performance of these checks is not an issue if kept
    within reasonable limits (automated msan/asan test should finish withing 1
    hour for example). Fuzzing is more effective when the given input runs
    faster, so keep that in mind when adding a complex DASSERT that runs multiple
    times per output pixel.
 
  * For MSan builds it is also possible to specify that certain values must be
    initialized. This is automatic for values that are used to make decisions
    (like when used in an `if` statement or in the ternary operator condition)
    but those checks can be made explicit for image data using the
    `JXL_CHECK_IMAGE_INITIALIZED(image, rect)` macro. This helps document and
    check (only in MSan builds) that a given portion of the image is expected to
    be initialized, allowing to catch errors earlier in the process.
 
 ## Dealing with use-of-uninitialized memory
 
 In MSan builds it is considered an error to *use* uninitialized memory. Using
 the memory normally requires something like a decision / branch based on the
 uninitialized value, just running `memcpy()` or simple arithmetic over
 uninitialized memory is not a problem. Notably, computing `DemoteTo()`,
 `NearestInt()` or similar expressions that create a branch based on the value of
 the uninitialized memory will trigger an MSan error.
 
 In libjxl we often run vectorized operations over a series of values, rounding
 up to the next multiple of a vector size, thus operating over uninitialized
 values past the end of the requested region. These values are part of the image
 padding but are not initialized. This behavior would not create an MSan error
 unless the processing includes operations like `NearestInt()`. For such cases
 the preferred solution is to use `msan::UnpoisonMemory` over the portion of
 memory of the last SIMD vector before processing, and then running
 `msan::PoisonMemory` over the corresponding value in the output side. A note
 including why this is safe to do must be added, for example if the processing
 doesn't involve any cross-lane computation.
 
 Initializing padding memory in MSan builds is discouraged because it may hide
 bugs in functions that weren't supposed to read from the padding. Initializing
 padding memory in all builds, including Release builds, would mitigate the
 MSan potential security issue but it would hide the logic bug for a longer time
 and potentially incur in a performance hit.