Newsgroups: php.internals
Date: Tue, 19 Nov 2024 00:20:21 +0100
Subject: Re: [PHP-DEV] A new fuzz testing tool for PHP
To: Yuancheng Jiang <0599jiangyc@gmail.com>, PHP internals
From: tovilo.ilija@gmail.com (Ilija Tovilo)

Hi Yuancheng

On Fri, Nov 15, 2024 at 2:21 PM Yuancheng Jiang <0599jiangyc@gmail.com> wrote:
>
> I have been submitting hundreds of bugs (see https://github.com/php/php-src/issues/created_by/YuanchengJiang) during the past months and I first thank all the developers who take time to fix these issues to make PHP better.
>
> I am thrilled to introduce one fully automated fuzz testing tool, FlowFusion, for discovering various bugs of the PHP interpreter.
>
> I can open-source the tool under my personal repository. I wonder by any chance if I can contribute it as the official PHP tool under https://github.com/php, and I would be happy to maintain it for a long time.

Thank you very much for your continued effort in finding and reporting these bugs! Congratulations on this impressive tool. It has certainly proven helpful.

A few questions:

Are you happy adopting an appropriate license, e.g. the PHP license? [1] (Or potentially some other the community agrees with).

Can we assume this tool remains a PHP specific tool, or are you planning on expanding it to other programming languages, now that the concept has proven useful?

Provided these two things are not a problem, I don't see a reason not to move it into the PHP organization.

Could you also expand on hosting? Will infrastructure be provided (assuming we want continuous fuzzing) or is this something we will need to set up? It would also be nice to know how issues are reported, how many false-positives there are, how we can tweak fuzzing configuration, etc.

This discussion doesn't need to happen on a big public list like this one. You can contact me directly if you wish to move this forward.

Ilija

[1] https://opensource.org/license/php-3-01