added fuzzing job to CI

firewave · firewave · commit e41dbda81f3a · 2025-12-17T14:51:50.000+01:00
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -0,0 +1,57 @@
+# Syntax reference https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
+# Environment reference https://help.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners
+name: fuzz
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-24.04
+    if: ${{ github.repository_owner == 'danmar' }}
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      # the man-db trigger causes package installations to stall for several minutes at times. so just drop the package.
+      # see https://github.com/actions/runner/issues/4030
+      - name: Remove man-db package
+        run: |
+          sudo apt-get update
+          sudo apt-get remove man-db
+
+      - name: Install missing software
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y make
+
+      - name: Install clang
+        run: |
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh 21
+
+      - name: Build fuzzer
+        id: build
+        run: |
+          # TODO: test O/LTO for best speed
+          # TODO: use -stdlib=libc++ -lc++
+          make -j$(nproc) CXX=clang++ CXXOPTS="-O3 -flto -fno-omit-frame-pointer -g -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address,undefined -fsanitize-address-use-after-scope -fno-sanitize=integer -fno-sanitize-recover=undefined" LDOPTS="-flto" LIB_FUZZING_ENGINE="-fsanitize=fuzzer" fuzz
+        env:
+          CXX: clang-21
+
+      - name: Run fuzzer
+        run: |
+          mkdir corpus
+          mkdir artifacts
+          ./fuzz -only_ascii=1 -timeout=5 -fork=$(nproc) -use_value_profile=1 -max_total_time=60-artifact_prefix=./artifacts/ corpus
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v6
+        if: failure() && steps.build.outcome == 'success'
+        with:
+          name: failures
+          path: ./artifacts
