Skip to content

fuzzing: Implement structure-aware Cache fuzzer and improve PFR/Properties coverage#143

Open
skypher wants to merge 8 commits intofreetype:masterfrom
skypher:fuzzing-enhancements
Open

fuzzing: Implement structure-aware Cache fuzzer and improve PFR/Properties coverage#143
skypher wants to merge 8 commits intofreetype:masterfrom
skypher:fuzzing-enhancements

Conversation

@skypher
Copy link

@skypher skypher commented Dec 20, 2025
edited
Loading

This PR significantly expands and modernizes FreeType's fuzzing infrastructure, closing several documented coverage gaps and ensuring robust deployment on OSS-Fuzz.

Key Enhancements:

  1. Structure-Aware Cache Fuzzer:

    • Refactored CacheFuzzTarget from a static fuzzer into a bytecode interpreter.
    • It now parses input streams as a sequence of commands to specifically exercise the FTC_Manager API (Reset, Lookup, Resize, RemoveID, Unref), enabling the exploration of complex state machine transitions.

  2. Dedicated Properties Fuzzer:

    • Implemented PropertiesFuzzTarget and FaceVisitorProperties to specifically stress the FT_Face_Properties API.
    • Tests driver robustness against various property tags and payloads (valid, malformed, and unknown).

  3. Enhanced PFR Driver Coverage:

    • Updated FaceVisitorPfr to test a robust range of glyph indices (including intentionally invalid/OOB values) and kerning pairs, moving beyond the previous static check of the first 20 glyphs.

  4. Full Multi-Sanitizer Infrastructure (ASan/MSan/UBSan):

    • Modernized the build scripts (zlib.sh, libpng.sh, freetype.sh) to support MemorySanitizer and standalone UBSan.
    • Implemented a dynamic library suffix resolver (get_lib_suffix.sh) that intelligently switches between lib-asan, lib-msan, and lib-ubsan based on CFLAGS.

  5. Full Deployment & CI Integration:

    • Updated prepare-oss-fuzz.sh to include the cache, pfr, and properties targets in the deployment harvest.
    • Verified that CMake automatically generates regression tests for the new targets via the corpora globbing logic.

  6. Official Documentation Update:

    • Updated README.md to reflect the new API coverage, officially marking Cache, PFR, and Properties as fuzzed.

  7. Quality-of-Life Assets:

    • Included a Smart Seed Generator script and "polyglot" seeds that combine valid font headers with custom command sequences to maximize fuzzing efficiency.
    • Added pfr.dict, pfr.options, cache.options, and properties.options to guide the fuzzing engine on the cluster.

All changes have been verified locally using clang with AddressSanitizer, UBSan, and Coverage instrumentation.

@skypher
fuzzing: Implement structure-aware Cache fuzzer and improve PFR/Prope…
0d75b47 
…rties coverage

This fills the coverage gaps for FTC_Manager functions and PFR driver metrics. It introduces a command-driven interpreter for the cache target.
@skypher
fuzzing: Generalize build scripts to support MSan (lib-msan)
5dbee73 
Replaces hardcoded 'lib-asan' paths with dynamic suffix resolution based on CFLAGS. This allows building dependencies with MemorySanitizer.
@skypher
fuzzing: Add dictionary and options for PFR and Cache targets
cdc3d7e 
Adds pfr.dict, pfr.options, and cache.options to support efficient fuzzing on OSS-Fuzz.
@skypher
fuzzing: Refine sanitizer directory selection for standalone UBSan
33eb518 
Adds support for standalone UBSan builds using a lib-ubsan directory, while maintaining lib-asan for the common ASan+UBSan configuration.
@skypher
fuzzing: Add cache seed, generator script, and fix script permissions
6b21999 
Adds the missing seed generator and initial corpus for the cache fuzzer. Ensures build scripts are executable.
@skypher
fuzzing: Fully integrate new targets into deployment and driver
41eac9a 
Ensures cache, properties, and pfr targets are included in prepare-oss-fuzz.sh and DriverInternals. Adds dedicated properties fuzz target.
@skypher
docs: Update API coverage table (Cache, PFR, Properties)
8404a4c 
Marks previously unfuzzed APIs as fuzzed, reflecting the new targets added in this PR.
@skypher
fuzzing: Restore portable paths in CMakeLists.txt
537c842 
Reverts accidental hardcoded absolute paths to ensure the build works in CI and other environments.
@lemzwerg
Copy link
Contributor

lemzwerg commented Jan 2, 2026

LGTM, thanks (and sorry for the late reply) – however, I've never touched the fuzzing code by myself, so my judgement might by wrong.

@bungeman, please have a look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skypher @lemzwerg