As you probably know, we've been running PHP fuzzing under Google's
OSS-Fuzz project for a while now (and found and fixed some bugs due
This has been enabled by the PHP fuzzing API SAPI which currently
lives in a separate repository. Since the setup is working pretty well
for a while now, I would like to propose to merge it into core
repository as a core SAPI, and make Travis CI setup build it as part of
the CI tests.
This would ensure the fuzzing scripts are not broken by core changes
(happened several times recently) and would provide wider exposure to
the fuzzing setup we have, hopefully prompting extension authors and
other contributors to add more fuzzing modules to it, thus enhancing PHP
security and reliability.
Are there any objections or suggestions about this? Do we need an RFC
for it? Note that this is only for master branch (only master is being
fuzzed now), though it would not be hard to port to other branches if
there's interest, the fuzzer should work on pretty much any recent
branch with small code changes.