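# Fuzzing workflow: ClusterFuzzLite runs (ASan / UBSan, per-fuzzer matrix) plus
# a separate ThreadSanitizer build-and-test job.
name: Fuzzing

on:
  # Manual runs choose the ClusterFuzzLite mode and duration; the expressions in
  # the fuzzing job fall back to 'batch' / 3600 when a trigger supplies no inputs.
  workflow_dispatch:
    inputs:
      mode:
        description: 'Fuzzing mode'
        required: true
        default: 'batch'
        type: choice
        options:
          - code-change
          - batch
      fuzz_seconds:
        description: 'Duration (seconds)'
        required: true
        default: '3600'
  # Pull requests against main get a short code-change run (see the fuzzing job).
  pull_request:
    branches: [main]
  # Weekly batch run: 01:00 UTC every Monday.
  schedule:
    - cron: '0 1 * * 1'

# Workflow-wide token scope: read the checkout, write SARIF results to code
# scanning. A job that does not upload SARIF can narrow this at job level.
permissions:
  contents: read
  security-events: write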
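jobs:
  fuzzing:
    name: Run Fuzzing (${{ matrix.fuzzer }} - ${{ matrix.sanitizer }})
    runs-on: ubuntu-latest
    # One in-flight run per fuzzer/sanitizer pair and PR number (or ref);
    # a newer push cancels the older run.
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.fuzzer }}-${{ matrix.sanitizer }}-${{ github.event.pull_request.number || github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false  # let every pair finish even if one of them fails
      matrix:
        sanitizer: [address, undefined]
        fuzzer: [decompress, roundtrip]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v6

      # Inserts `export FUZZER_TARGET=...` as line 2 of build.sh (presumably the
      # script consults it to pick which fuzzer to compile — confirm). The matrix
      # value goes through an environment variable instead of being interpolated
      # into the script text, so the shell never sees an expression expansion.
      - name: Configure Fuzzer Target
        env:
          FUZZER_TARGET: ${{ matrix.fuzzer }}
        run: |
          sed -i "2i export FUZZER_TARGET=\"${FUZZER_TARGET}\"" .clusterfuzzlite/build.sh

      # TODO: Remove this step once ClusterFuzzLite updates to support Docker 29+
      - name: Downgrade Docker (Temporary Workaround)
        run: |
          # ClusterFuzzLite v1 uses Docker API 1.41 which is incompatible with Docker 29.0+
          # Downgrade to Docker 28 until the action is updated
          sudo apt-get update
          sudo apt-get install -y apt-transport-https ca-certificates curl
          # --batch --yes: overwrite an already-present keyring without an interactive prompt
          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          sudo apt-get update
          # Install Docker 28.0.4 specifically; engine and CLI share one pin
          docker_ver="5:28.0.4-1~ubuntu.$(lsb_release -rs)~$(lsb_release -cs)"
          sudo apt-get install -y --allow-downgrades "docker-ce=${docker_ver}" "docker-ce-cli=${docker_ver}" containerd.io
          sudo systemctl restart docker
          docker version

      # NOTE(review): the ClusterFuzzLite actions below are referenced by the
      # mutable tag v1; pinning to a full commit SHA would make the build
      # reproducible and guard against a moved tag.
      - name: Build Fuzzers (${{ matrix.fuzzer }} - ${{ matrix.sanitizer }})
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: c
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sanitizer: ${{ matrix.sanitizer }}

      - name: Run Fuzzers (${{ matrix.fuzzer }} - ${{ matrix.sanitizer }})
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Pull requests: 120 s code-change run. Manual runs: the chosen inputs.
          # Scheduled runs carry no inputs, so they fall through to batch / 3600.
          mode: ${{ github.event_name == 'pull_request' && 'code-change' || inputs.mode || 'batch' }}
          fuzz-seconds: ${{ github.event_name == 'pull_request' && 120 || inputs.fuzz_seconds || 3600 }}
          sanitizer: ${{ matrix.sanitizer }}
          output-sarif: true
          # Corpus and crash state live in a separate repository. The token is
          # embedded in the clone URL, so CFLITE_CORPUS_TOKEN should be scoped to
          # that one repository only. NOTE(review): repository secrets are not
          # exposed to pull_request runs from forks, so the token is empty there.
          storage-repo: https://${{ secrets.CFLITE_CORPUS_TOKEN }}@github.com/hellobertrand/zxc-fuzz-corpus.git
          storage-repo-branch: main

      # Upload even when the run step fails (a failing fuzz run may be a found
      # crash whose SARIF is the whole point); not run if the job was cancelled.
      - name: Upload SARIF to GitHub Security
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: .
          category: clusterfuzzlite-${{ matrix.fuzzer }}-${{ matrix.sanitizer }}

  tsan:
    name: Thread Sanitizer
    runs-on: ubuntu-latest
    # This job uploads nothing to code scanning, so it does not need the
    # workflow-wide security-events: write.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6

      - name: Build with TSan
        run: |
          cmake -B build -DCMAKE_C_FLAGS="-fsanitize=thread -g -fno-omit-frame-pointer" -DCMAKE_BUILD_TYPE=Debug
          cmake --build build

      - name: Run Tests
        run: ctest --test-dir build --output-on-failure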