Add fuzz package for running go-fuzz

[cuonglm]

While at it, also add oss fuzz build script for to prepare for adding to
oss-fuzz later.

Fixes #31

[cuonglm]

cc @odeke-em

[odeke-em]

LGTM, thank you @cuonglm!

[codecov-commenter]

Codecov Report

Merging #51 (4b57103) into master (ccbebc9) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master      #51   +/-   ##
=======================================
  Coverage   85.68%   85.68%           
=======================================
  Files           6        6           
  Lines         468      468           
=======================================
  Hits          401      401           
  Misses         39       39           
  Partials       28       28           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ccbebc9...4b57103. Read the comment docs.

[liamsi]

Just to confirm my understanding:

• The action .github/workflows/fuzz_build.yml is necessary to have a build which can then be included in oss-fuzz? And same with oss-fuzz-build.sh?
• the code under fuzz/fuzz.go is some very basic fuzzing to see if we panic on any random input/operation

Is that right?

Looks all good to me. Thanks so much!

[cuonglm]

@liamsi

The action .github/workflows/fuzz_build.yml is necessary to have a build which can then be included in oss-fuzz? And same with oss-fuzz-build.sh?

No, .github/workflows/fuzz_build.yml is just our local testing to make sure the fuzz package can be built. When we submit this repo to oss-fuzz, we will use the oss-fuzz-build.sh script to built the necessary object file for lib fuzzer to work. The idea is that we just submit a PR to oss-fuzz once, then continuously adding fuzzer in our repo, oss-fuzz will checkout the latest and run the fuzzing daily.

See discussion in google/oss-fuzz#5631 (comment) for more details

the code under fuzz/fuzz.go is some very basic fuzzing to see if we panic on any random input/operation

Yes, exactly.

[liamsi]

Thanks for the clarification!

LGTM

[cuonglm]

@liamsi @adlerjohn which email I should use as primary_contact for celestiaorg/smt? And which email you want to be in auto_ccs?

See https://google.github.io/oss-fuzz/getting-started/new-project-guide/#primary for what primary_contact/auto_ccs mean.

[liamsi]

@cuonglm, @musalbas will setup an account / list [email protected] that will notify all relevant people.

[odeke-em]

@cuonglm, @musalbas will setup an account / list [email protected] that will notify all relevant people.

@liamsi I'd highly recommend separating out to say [email protected] lest the dev list get drowned out and folks shall get lots of other messages coming to dev :-)

[cuonglm]

@liamsi Thanks! But to be able to see the dashboard, you need an individual Google Account, according to https://google.github.io/oss-fuzz/getting-started/new-project-guide/#primary

So please list any email you want to be included. I'm currently listing only people from Orijtech https://github.com/google/oss-fuzz/pull/6134/files#diff-93b109d8f5b36384edc36042a809c0afdb84d4361312b1fb0f42cb46d66648e5R2

[liamsi]

OK, for now please just use my email: [email protected]

I guess it's easy to submit a PR oss-fuzz to change that later in case we create a dedicated account for this ([email protected] is also a list not an individual account afaik).

[cuonglm]

OK, for now please just use my email: [email protected]

I guess it's easy to submit a PR oss-fuzz to change that later in case we create a dedicated account for this ([email protected] is also a list not an individual account afaik).

Done.