Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:106351 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 15948 invoked from network); 30 Jul 2019 20:03:43 -0000 Received: from unknown (HELO mail-qt1-f169.google.com) (209.85.160.169) by pb1.pair.com with SMTP; 30 Jul 2019 20:03:43 -0000 Received: by mail-qt1-f169.google.com with SMTP id h21so63772134qtn.13 for ; Tue, 30 Jul 2019 10:28:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=fRkqHnWNMVfOsKcEXGZzYuImGooWdwY3H1m9smwVl3M=; b=T629JHZf0IhqpX8fccmXOPVRqwnNo+Vhft2kx4nQ4oIITs/YyDCCiKELuNO0Y8wpdG yJGwUkX+bYARyI9b7Q5KFGwAvZoar1Sd6INkFI891U4cITIE6R7IeFQTsI3TXEjse6h3 Gq5T82GtJN0JsaRzNrrjNLZRAKPDOPzlT9LqdGarRVYUH4zNyoCzdlDxItO+Q9gBX8L5 +/U8ySQRTqpwJNLl9MYHMiAFKmKiKyh54XAmsbmQYXUbpUcejPw38kUSttdOxCU8gasa TKvopLPJMGXZjapIdURfeZ8sUCSft6x0uKteQ7QioaLUhpfy0KWsvc5lRziP0n9QHObV np6w== X-Gm-Message-State: APjAAAUWE1le6Mw1JMctzlRKA+MreGog1mTj064CHhTea/eqmM1CPVb2 fRSwfpQUovbpUTG1sCpfSLINuCMjbDySSSc0kGI= X-Google-Smtp-Source: APXvYqyyP1h9Py0BNfMjmncm9AqWJvIP3wvn+JQ4pSvVE6bS3ECjOGUEA0eaGjMxJNlKHkAerQdDPqI9sG0WnCQRMFU= X-Received: by 2002:a0c:ba2c:: with SMTP id w44mr83098225qvf.62.1564507719514; Tue, 30 Jul 2019 10:28:39 -0700 (PDT) MIME-Version: 1.0 References: <35af7db3-5cba-fe59-1d04-960eacb5aba7@gmail.com> In-Reply-To: <35af7db3-5cba-fe59-1d04-960eacb5aba7@gmail.com> Reply-To: bishop@php.net Date: Tue, 30 Jul 2019 13:28:16 -0400 Message-ID: To: Stanislav Malyshev Cc: PHP Internals Content-Type: multipart/alternative; boundary="000000000000debdd2058ee95634" Subject: Re: [PHP-DEV] Merging fuzzing SAPI into core From: bishop@php.net (Bishop Bettini) --000000000000debdd2058ee95634 Content-Type: text/plain; charset="UTF-8" On Sun, Jul 28, 2019 at 8:48 PM Stanislav Malyshev wrote: > > As you probably know, we've been running PHP fuzzing under Google's > OSS-Fuzz[1] project for a while now (and found and fixed some bugs due > to it). > > This has been enabled by the PHP fuzzing API SAPI[2] which currently > lives in a separate repository. Since the setup is working pretty well > for a while now, I would like to propose to merge it into core > repository as a core SAPI, and make Travis CI setup build it as part of > the CI tests. > > This would ensure the fuzzing scripts are not broken by core changes > (happened several times recently) and would provide wider exposure to > the fuzzing setup we have, hopefully prompting extension authors and > other contributors to add more fuzzing modules to it, thus enhancing PHP > security and reliability. > > Are there any objections or suggestions about this? Do we need an RFC > for it? Note that this is only for master branch (only master is being > fuzzed now), though it would not be hard to port to other branches if > there's interest, the fuzzer should work on pretty much any recent > branch with small code changes. > I see benefit both ways. On the one hand, having the fuzzer and engine code together removes the effort of integrating the two, which (as you mention) makes it easier to extend and invoke. This is good for core and extension maintainers. On the other, I've found it refreshing working in a slender repo that doesn't have all the history and process rules. This is good for external (non-core and non-extension) collaborators, particularly allowing write access to those who wouldn't want or need write access to engine code. I lean toward the "keep it separate" option, since the process barriers are much smaller. Couldn't we update Travis to clone the repo, run the build/configure steps, then invoke the fuzzer as part of the make test phase? Or, how about the other way: setup Travis on the fuzzing repo to clone php/php-src:master, integrate it, and run? Either way, I don't think an RFC is applicable. To me, the fuzzer is a dev-dependency (in composer parlance) that doesn't surface to users. --000000000000debdd2058ee95634--