From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 0DB714BC97 for ; Tue, 16 Jul 2024 12:14:45 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5996F68DA12; Tue, 16 Jul 2024 15:14:43 +0300 (EEST) Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 406C768D8DD for ; Tue, 16 Jul 2024 15:14:36 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id 43E5260008 for ; Tue, 16 Jul 2024 12:14:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1721132075; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=TqhSBDCfRKit/7wy9MXd1qvLU3IRyY1p16l6xzngU24=; b=HJkOgTu6wAFvp6RZEHn92Zg3379B9cRORaSs8grm+eEwd7crHTVczdQBegKW7rLhEvMMlZ cLwsIWxBg+NIDfYq1k6y7Z0qwIVt8KV4bY04pW5VOxsQvosA4FOQ8WNWUPcvM/k8vrJ7hM sJkKHDTq2E8k9mmwwCMVOQzfbTMgvUV4KgaMS2juCEoZppS7VcuU4K5K7LQ3FSf5I0f6TA cnUaOkBEUtKjvb7Om7Tf3I63A5M/Vl6RW9lAQFHRVWNe3/JLcxUJSfR/Do/epAeI95oB3J 8j+EYTL4xWT6Hb/T2HNUXUOAtyVmfRtyNFU0C5y8ujjx0v/EQYTJQlXSt1AXBg== Date: Tue, 16 Jul 2024 14:14:34 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240716121434.GK4991@pb2> References: <20240626224510.GS4991@pb2> <20240714195541.GE4991@pb2> MIME-Version: 1.0 In-Reply-To: X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [OSS-Fuzz] Have you considered enabling memory sanitizer? X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============0851175764129057564==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============0851175764129057564== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="fgTtmruieKHQo6By" Content-Disposition: inline --fgTtmruieKHQo6By Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jul 15, 2024 at 01:32:20PM +0200, Kacper Michajlow wrote: > On Sun, 14 Jul 2024 at 21:55, Michael Niedermayer > wrote: > > > > On Sat, Jul 13, 2024 at 11:12:40PM +0200, Kacper Michajlow wrote: > > > On Thu, 27 Jun 2024 at 02:50, Kacper Michajlow w= rote: > > > > > > > > On Thu, 27 Jun 2024 at 00:45, Michael Niedermayer > > > > wrote: > > > > > > > > > > On Wed, Jun 26, 2024 at 09:07:42PM +0200, Kacper Michajlow wrote: > > > > > > Hi, > > > > > > > > > > > > Like in the topic. I think it would be useful to enable MSAN on > > > > > > OSS-Fuzz. We get some tiny issues and it would be probably good= to > > > > > > have them tracked upstream. All infra is here, so enabling it i= s as > > > > > > simple as adding it to the project.yaml. Except libbz2.so and l= ibz.so > > > > > > would have to be built inline instead, looking at the build.sh,= they > > > > > > are prebuilt. The rest should just work (TM), but needs to be t= ested. > > > > > > You can set an "experimental' flag to have it not create issues= on > > > > > > monorail, initially. > > > > > > > > > > I assumed ossfuzz would enable all sanitizers by default > > > > > > > > They do not do that by default, because MSAN requires all dependenc= ies > > > > to be instrumented too. See > > > > https://google.github.io/oss-fuzz/getting-started/new-project-guide= /#sanitizers > > > > > > > > Looking at build.sh for ffmpeg, it should be fine to enable it. > > > > Obviously I have not tested everything, but I was running some tests > > > > locally with MSAN and also tested it with mpv oss-fuzz builds where= we > > > > build ffmpeg too with MSAN. > > > > > > > > - Kacper > > > > > > I've sent a PR to enable MSAN and a few other build improvements. > > > Please take a look https://github.com/google/oss-fuzz/pull/12211 > > > > > > > > Also, would it be ok to add myself to auto_ccs for ffmpeg? Mostly to > > > monitor what issues are reported upstream, as we get some reports in > > > mpv fuzzing and I never know if I should report it upstream (ffmpeg) > > > or it is already found by first-party fuzzing and I shouldn't make > > > more noise. > > > > you are welcome to submit bug reports, you are welcome to submit bug fi= xes > > if you find issues in FFmpeg. > > > > If someones work in FFmpeg or rather FFmpeg benefits from someone having > > access to the reports, then (s)he should receive access. This seems not > > to apply here >=20 > I respect your decision. > However, saying that anyone's (or my) > contribution doesn't benefit FFmpeg is a strange thing to say for an > open source project maintainer. And noone made such a statement. You are reading something thats not written there >=20 > It's all about time. I don't get paid to do any of this, so > duplicating issues/reports manually from one system to another, if > they are already reported, is a monkey's job which I'm not willing to > do. ok for reference i find no mail from you to ffmpeg-security Is it correct you never reported any of the issues you talk about neither new nor duplciate ? > This time could be devoted to actually fixing the issues. I'd like > to help, but if it is not required, I will focus on other things. This is the first time i remember you offering to help. Your request previosuly: > > > Mostly to > > > monitor what issues are reported upstream, as we get some reports in > > > mpv fuzzing and I never know if I should report it upstream (ffmpeg) > > > or it is already found by first-party fuzzing and I shouldn't make > > > more noise. And to that my reply was a "no", iam not agreeing to give access to someone who wants to mainly monitor upstream. Also again id like to point out we do not have an issue with duplicate reports ATM, so we would be fixing something that has not actually happened Also if i fix an issue i post the corresponding patch to ffmpeg-devel so the case you write about makes just no sense if no patch is posted the issue is not fixed and any fix you would submit would not be duplicated >=20 > It also doesn't help that trac.ffmpeg is a black hole, where only > Balling seems to be reading those tickets. Frankly, the review process > is not better, as even trivial fixes take months to merge. Yes, we do need to improve this. Directing some funds to people who did maintain trac in the past would solve this. Let me speak blunt and clear here. I think carl should be paid to maintain trac. And the maintaince should switch to a system more similar to linux its more scalable >=20 > > Also i expect the number of outstanding ossfuzz issues to decrease now > > after the bulk of coverity issues has been dealt with >=20 > For some class of issues sure, but Coverity bigfixes are most of the > time workarounding the static analysis limitations. Fuzzing is more > powerful and analyzes the code as a whole, not small snippets of it. You misunderstand. I was doing most ossfuzz fixes, and recently i was switching between a mont= h working "fulltime" on coverity and then a month allocating that time to ossfuzz so ossfuzz only got half of my attention and we have a month or so of unattend= ed issues (because i put the last month time in coverity) thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Freedom in capitalist society always remains about the same as it was in ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin --fgTtmruieKHQo6By Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZpZkJgAKCRBhHseHBAsP q4K5AKCZiIxC6CVPpXS7R4XGrD4nYdENdACfesLmyXCoQwfO0001b/Lpi7X+nt8= =EGzx -----END PGP SIGNATURE----- --fgTtmruieKHQo6By-- --===============0851175764129057564== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============0851175764129057564==--