HowardHinnant / date

A date and time library based on the C++11/14/17 <chrono> header

OSSFuzz Integration #809

Open capuanob opened 5 months ago

capuanob commented 5 months ago

Hello!

I am inquiring to see if the project maintainers would be open to me submitting this project to Google's OSSFuzz program. As part of this effort, I would develop the necessary fuzz harnesses and build scripts needed to integrate the project for nightly fuzz-testing. I would just need the eventual PR review from the maintainers. Currently, I am thinking that time-zone parsing would be a good starting point for fuzz-testing, but am open to any other suggestions!

HowardHinnant commented 5 months ago

I'm not too interested in fuzzing the time zone database, if that is what your intention is. The reason is that the time zone database isn't user input. It is strictly controlled by a very few maintainers under the auspices of the IANA. They don't produce a lot of variation in the database, and on the rare occasions they do, it is a huge deal and often reverted.

If you're referring to fuzz testing other aspects which would model variations in user input, I'd be more interested.

capuanob commented 5 months ago

@HowardHinnant Apologies for the confusion, I was referring specifically to the parse method found in the format conversion section of the timezone documentation. However, I would also add fuzz-testing for whichever entry points process user input as well.

Does this sound like a good approach?

capuanob commented 5 months ago

@HowardHinnant If so, I would just need a good Google account email address to serve as the primary contact for the repo. This email will be granted access to the ClusterFuzz dashboard to review security vulnerabilities and crashing testsuites.

HowardHinnant commented 5 months ago

How about if you be the primary contact?

In the past I have made the mistake of agreeing to things with this repo which I don't have the time or expertise to support, and I don't want to make that mistake again.

capuanob commented 5 months ago

@HowardHinnant I could try that and link this conversation as justification. Thank you for your time, I'll get started as soon as they approve.

HowardHinnant commented 5 months ago

If they object could you not just point them to your fork of this repo?

capuanob commented 5 months ago

@HowardHinnant The fuzz harness has to be integrated upstream, since they want to continually fuzz the repository as it receives updates. However, I think they will be fine with it as you recommended I do so.

HowardHinnant commented 5 months ago

If we get into this and I want to discontinue, is there an off button?

capuanob commented 5 months ago

@HowardHinnant There is, since the build script will be hosted here; they could simply be deleted to immediately halt any further fuzzing. Furthermore, it'd be as easy as having me or yourself raise the desire to do so and submitting a PR to remove the project folder from upstream to completely stop fuzzing.