@cherusker
Last active November 22, 2022 14:15
The final report of my Google Summer of Code experience with FreeType in 2018.

FreeType and Google's OSS-Fuzz
Armin Hasitzka, GSoC 2018

The Mission

The mission I was given for Google Summer of Code this year is simple in theory: take FreeType's legacy fuzz target for OSS-Fuzz and make it fuzz better. No specific restraints or orders, just a few rules of thumb:

  • Set up FreeType's own sample corpora to stop depending on external sample files. That also includes adding OSS-Fuzz's findings to the corpora.

  • Set up a regression test suite that runs all samples against FreeType's upstream regularly and automatically.

  • Split the legacy target into many dedicated targets. This should help OSS-Fuzz's sample generation as it is no longer required to find different font types for a single target.

  • Improve the code coverage. This bit requires creativity, as there are many different ways to achieve it. The more trivial part is to make sure OSS-Fuzz can actually reach API functions; there must be targets that execute FreeType. It gets trickier when it comes to other ideas, though, including working with dictionaries and separating time-expensive bits (like rendering) from quick ones (like checking values in a certain table).
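
To make the "dedicated, quick target" idea concrete, here is an added example of what such a target looks like in libFuzzer's C interface. It is not FreeType's code and not one of the targets from this project: it is a constructed stand-in that only walks the sfnt table directory of a font blob (the 12-byte offset table followed by 16-byte table records) and bounds-checks every record, without ever touching glyph rendering. The `sfnt_check_directory`, `sfnt_status` and `check_*_sample` names and the embedded byte arrays are all constructed for this example.

```c
/* Added example, not FreeType's code: a dedicated libFuzzer target that only
 * checks the sfnt table directory. Cheap to run, so the fuzzer spends its
 * budget on directory edge cases instead of on rendering. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict of one directory check. A fuzz target always returns 0 to the
 * fuzzer, but exposing the verdict keeps the logic testable on its own. */
typedef enum {
    SFNT_OK = 0,
    SFNT_TRUNCATED,   /* blob shorter than the header or its records */
    SFNT_BAD_VERSION, /* sfntVersion is not 0x00010000, 'OTTO' or 'true' */
    SFNT_RECORD_OOB,  /* a record points past the end of the blob */
    SFNT_OVERFLOW     /* offset + length wraps around 32 bits */
} sfnt_status;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Validate the table directory. Every read is checked against `size` before
 * it happens; the constructed sample checks below show each rejection path. */
sfnt_status sfnt_check_directory(const uint8_t *data, size_t size,
                                 uint16_t *num_tables_out) {
    if (size < 12)
        return SFNT_TRUNCATED;

    uint32_t version = rd32(data);
    if (version != 0x00010000u && version != 0x4F54544Fu /* 'OTTO' */ &&
        version != 0x74727565u /* 'true' */)
        return SFNT_BAD_VERSION;

    uint16_t n = rd16(data + 4);
    if (num_tables_out)
        *num_tables_out = n;
    /* n <= 65535, so n * 16 cannot overflow size_t. */
    if (size - 12 < (size_t)n * 16)
        return SFNT_TRUNCATED;

    for (unsigned i = 0; i < n; i++) { /* unsigned, not uint16_t: n may be 65535 */
        const uint8_t *rec = data + 12 + (size_t)i * 16;
        uint32_t offset = rd32(rec + 8);
        uint32_t length = rd32(rec + 12);
        if (offset > UINT32_MAX - length)
            return SFNT_OVERFLOW;
        if ((uint64_t)offset + length > size)
            return SFNT_RECORD_OOB;
    }
    return SFNT_OK;
}

/* libFuzzer entry point of this one dedicated target. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)sfnt_check_directory(data, size, NULL);
    return 0;
}

/* Constructed sample: one 'head' record whose 54 bytes start right after the
 * 28-byte directory. The unlisted tail is zero-filled by the initializer. */
static const uint8_t kGoodFont[28 + 54] = {
    0x00, 0x01, 0x00, 0x00,             /* sfntVersion 1.0 */
    0x00, 0x01,                         /* numTables = 1 */
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, /* searchRange, entrySelector, rangeShift */
    'h',  'e',  'a',  'd',              /* tag */
    0x00, 0x00, 0x00, 0x00,             /* checksum (not verified here) */
    0x00, 0x00, 0x00, 0x1C,             /* offset = 28 */
    0x00, 0x00, 0x00, 0x36,             /* length = 54 */
};

sfnt_status check_good_sample(void) {
    return sfnt_check_directory(kGoodFont, sizeof kGoodFont, NULL);
}

sfnt_status check_oob_sample(void) {
    uint8_t buf[sizeof kGoodFont];
    memcpy(buf, kGoodFont, sizeof buf);
    buf[27] = 0x37; /* length = 55: 28 + 55 exceeds the 82-byte blob */
    return sfnt_check_directory(buf, sizeof buf, NULL);
}

sfnt_status check_overflow_sample(void) {
    uint8_t buf[sizeof kGoodFont];
    memcpy(buf, kGoodFont, sizeof buf);
    memset(buf + 20, 0xFF, 3); buf[23] = 0xF0; /* offset = 0xFFFFFFF0 */
    buf[24] = buf[25] = buf[26] = 0; buf[27] = 0x20; /* length = 0x20, sum wraps */
    return sfnt_check_directory(buf, sizeof buf, NULL);
}

sfnt_status check_truncated_sample(void) {
    /* Header promises one 16-byte record but only 8 bytes of it are present. */
    return sfnt_check_directory(kGoodFont, 20, NULL);
}

int main(void) {
    printf("good=%d oob=%d overflow=%d truncated=%d\n", check_good_sample(),
           check_oob_sample(), check_overflow_sample(), check_truncated_sample());
    return 0;
}
```

Built with `-fsanitize=fuzzer,address` the same file becomes a fuzz binary; a dictionary of table tags and magic values such as `OTTO` and `true` is the kind of input the "dictionaries" idea above refers to, since it steers mutations past the version check into the record loop.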

The Legacy Target

A brief word of appreciation for the geniuses who built this piece of art: covering 69% of FreeType with a target of just 429 lines of source code is magnificent. Sure, the legacy target is a monolith (like gcc compared to clang), but it is impressive to say the least.

The New Targets

Once I had kissed my loved ones good-bye and set the sails of my trusted ThinkPad to leave for this mission, I had three to five different fuzz targets in mind. After splitting and splitting again, the counter is now at 28 targets and will likely double within the upcoming months. This shows clearly that a monolithic approach was no longer feasible. Honouring many ideas of the legacy target, the result is an object-oriented rebuild from scratch.

Conquests

When working on program verification, the goal is not always to find bugs: sometimes the job is rather to prove the absence of bugs under certain conditions (for example, given certain coverage metrics). Having said that, uncovered bugs are often an easy means to confirm that certain verification tools do their job. Disclaimer: this can easily lead to specialists turning slightly sadistic and becoming obsessed with invalidation rather than verification. Which is not the case with me, of course. Anyways, I am glad to report back both: metrics and bugs.

Listing specific commits or bugs I have encountered throughout my voyage isn't exactly easy, considering the path I chose (highly nonlinear and some serious backtracking involved), so let me give you a short summary instead (interested souls can easily browse the repository and OSS-Fuzz's trophies page):

  • I contributed nearly 20,000 lines of code in more than 100 (new) source files.
  • The updated fuzzers cover about 88% of FreeType (compared to 67% before).
  • The fuzzers found 39 new bugs in FreeType under my watch in the past two months, of which 9 were classified as security risks.

Thank You All, For Real

Thank you, Werner, for running this amazing little crew that builds something as impactful as FreeType. You have gathered so many brilliant individuals around this project and you made me feel like a part of this community from my first email to the mailing list on, long before I even applied for GSoC. You are a big reason why I will not jump ship and leave FreeType alone anytime soon ;)

Thank you, Kostya, for providing deep insight in OSS-Fuzz, and taking the time for extensive personal talks to discuss my theories about OSS-Fuzz and fuzzing in general. I can only hope that our paths will cross again soon :)

Thank you, Alexei, for all the valuable feedback I got along the way.

Cheers, mic drop,
Armin

@yashigupta4623

hello @cherusker, wanna know about this project :) kindly help me out with it

@cherusker

hi @yashigupta4623 ☺️ what would you like to know?

@yashigupta4623

yashigupta4623 commented Nov 22, 2022 via email

@cherusker

Actually, I too want to participate in GSOC 23

Oh that's exciting! I participated twice as a student (2017 + 2018) and both times I learned a lot while having an awesome time! 💃

How could I move forward for it.

I would recommend registering on https://summerofcode.withgoogle.com and then browsing the list of projects that participate next season. You will find that there is a wide bandwidth of organisations and projects with a large bandwidth of different languages and technologies they are looking for. Do your homework to find projects that look interesting to you (the more you like something, the more you will get out of it!), and reach out to those organisations/communities. Note that each organisation has slightly different means of getting in touch (mailing lists, slack, discord, ...) -- make sure to understand how an organisation/community would prefer to be approached and follow their practices.

A tip along the way: communication is the single most important aspect as far as I am concerned. Communities/organisations are generally very welcoming but would expect to get to know you, get to know your goals, and discuss projects with you ahead of your formal application.

Can I work on your project for it.

Unfortunately I'm not maintaining the project I was working on in 2018 at the moment (due to time constraints); but FreeType (the organisation I was working with) regularly takes part in GSoC - just browse their list of ideas and/or get in touch with them - they are an awesome group of people! Mind, however, that FreeType is written in C and I believe that they expect some sort of interaction with C for (almost) all their projects. That said, there is a large amount of other options for every language (and every set of languages) you can imagine ☺️

I wish you good luck with your application and then a lot of fun with GSoC! 🙌

@yashigupta4623

yashigupta4623 commented Nov 22, 2022 via email
