Contributing fuzzing targets to CPython

I see that CPython has some fuzzing targets in its source tree: https://github.com/python/cpython/tree/main/Modules/_xxtestfuzz

What I see there looks like 9 fuzz targets for various APIs, integrated with Google’s OSS-Fuzz. I was semi-seriously and independently fuzzing CPython a few years back, and have a number of additional fuzz test targets for various C APIs. I’d like to contribute these to the Python project.

However, it looks like the fuzzing stuff in CPython hasn’t seen much activity recently. Is anyone actively responsible for that code these days?

Who should I talk to to coordinate this contribution of additional fuzz targets before I spend time cleaning up that code and making PRs?

Thanks,
Brad

2 Likes

@gpshead and I are the PoCs for oss-fuzz, so my recommendation would be to tag us on any PRs or questions you have about adding new fuzzers.

3 Likes

@gpshead and @alex_Gaynor (:wave:), Do you want to add this to the experts list (oss-fuzz) in the DevGuide?

1 Like

Thank you!

@alex_Gaynor @gpshead I will tag you in PRs for new fuzzers. I have one PR with a new fuzz target nearly ready.

I’ve been poking at the online oss-fuzz results though, and don’t see much there for cpython. It sounds like oss-fuzz has been running Python fuzzers for quite a while though. Are the cpython results behind a login somewhere?

I notice also that I have no access to the oss-fuzz.com website.

Any suggestions for how I might see how the new fuzz targets are doing once they are merged in?

First PR here, which adds a fuzz target for _elementtree.XMLParser._parse_whole: Add a fuzz target for `_elementtree.XMLParser._parse_whole` by bradlarsen · Pull Request #111477 · python/cpython · GitHub

You can see all the OSS-Fuzz issues here: Monorail - oss-fuzz - OSS-Fuzz: Fuzzing the planet - Monorail

Unfortunately there’s no mechanism for third party access to oss-fuzz: getting access means being able to see discovered, but undisclosed, vulnerabilities, so access needs to be limited.

3 Likes

For posterity: here’s the second PR, now merged into main: Add a fuzzer for `Py_CompileStringExFlags` by bradlarsen · Pull Request #111721 · python/cpython · GitHub

2 Likes

For posterity: two interpreter-crashing bugs were found and fixed in the process of adding these fuzz targets:

4 Likes

For posterity: an interpreter-crashing bug was found by the Py_CompileStringExFlags fuzzer a few days after it was running in OSS-Fuzz:

4 Likes

Also:

As bugs are reported by OSS-Fuzz, I report them in the CPython tracker.

2 Likes