lua-c-api-tests

Fuzzing Lua runtimes without pain

https://github.com/ligurio/lua-c-api-tests

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

✓
CITATION.cff file
Found CITATION.cff file
✓
codemeta.json file
Found codemeta.json file
✓
.zenodo.json file
Found .zenodo.json file
○
DOI references
○
Academic publication links
○
Academic email domains
○
Institutional organization owner
○
JOSS paper metadata
○
Scientific vocabulary similarity
Low similarity (9.0%) to scientific vocabulary

Keywords

fuzzing libfuzzer lua luajit oss-fuzz

Last synced: 4 months ago · JSON representation ·

Repository

Fuzzing Lua runtimes without pain

Basic Info

Host: GitHub
Owner: ligurio
License: other
Language: C++
Default Branch: master
Homepage:
Size: 271 KB

Statistics

Stars: 10
Watchers: 2
Forks: 3
Open Issues: 16
Releases: 0

Topics

fuzzing libfuzzer lua luajit oss-fuzz

Created almost 3 years ago · Last pushed 4 months ago

Metadata Files

Readme License Citation

README.md

PUC Rio Lua
LuaJIT
Tarantool

Lua C API tests

is a set of fuzzing tests for C implementations of Lua runtime (PUC Rio Lua and LuaJIT).

Building

sh git clone https://github.com/ligurio/lua-c-api-tests cd lua-c-api-tests git clone https://github.com/ligurio/lua-c-api-corpus CC=clang CXX=clang++ cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug -DUSE_LUA=ON [-DUSE_LUAJIT=ON] cmake --build build --parallel

CMake options:

USE_LUA enables building PUC Rio Lua.
USE_LUAJIT enables building LuaJIT.
LUA_VERSION could be a Git branch, tag or commit. By default LUA_VERSION is master for PUC Rio Lua and v2.1 for LuaJIT.
ENABLE_LUAJIT_RANDOM_RA enables randomness in a register allocation. Option is LuaJIT-specific.
ENABLE_ASAN enables AddressSanitizer.
ENABLE_UBSAN enables UndefinedBehaviorSanitizer.
ENABLE_COV enables coverage instrumentation.
ENABLE_LUA_ASSERT enables all assertions inside Lua source code.
ENABLE_LUA_APICHECK enables consistency checks on the C API.
OSS_FUZZ enables support of OSS Fuzz.
ENABLE_BUILD_PROTOBUF enables building Protobuf library, otherwise system library is used.
ENABLE_INTERNAL_TESTS enables internal tests.
ENABLE_LAPI_TESTS enables Lua API tests.

Running

sh cmake --build build --target test cd build && RUNS=100000 ctest -R luaL_gsub_test --verbose <snipped> 1: Done 100000 runs in 5 second(s)

References

Known Issues

Fuzzing can find a wide variety of problems, but not all problems are considered bugs. Some problems are due to known limitations in the implementation. This section contains a list of such limitations in LuaJIT and PUC Rio Lua:

In LuaJIT, the build infrastructure includes a source code that contains memory leaks and other problems. For example, src/host/buildvm.c and src/host/minilua.c, these files are only used during the LuaJIT build process, and they are not a part of the LuaJIT itself. Memory leaks are suppressed in AddressSanitizer with a function __lsan_is_turned_off() that disallows leak checking for the program it is linked into.
In LuaJIT, a function lj_str_new() may read past a buffer end (so-called "dirty" read), and that's ok. Suppressed in AddressSanitizer with __attribute__((no_sanitize_address)).
In LuaJIT, bytecode input is unsafe; see LuaJIT#847 and LuaJIT FAQ. The string "mode" controls whether the chunk can be text or binary (that is, a precompiled chunk). It may be the string "b" (only binary chunks), "t" (only text chunks), or "bt" (both binary and text). The default is "bt". PUC Rio Lua and LuaJIT both have bytecode and Lua source code parsers. It is desired to test both parsers; however, the LuaJIT bytecode parser failed with the assertion: LuaJIT ASSERT lj_bcread.c:123: bcread_byte: buffer read overflow, so with LuaJIT only text mode is used, and therefore only the text parser is tested.
The debug library is defined as unsafe. There are tons of ways to produce a crash with it. This library provides the functionality of the debug interface to Lua programs. Several of its functions violate basic assumptions about Lua code and therefore can compromise otherwise secure code. See LuaJIT#1264 and Lua 5.4 Reference Manual. The debug functions are not a subject of testing, and these functions are used carefully.
In LuaJIT, there are a number of places with undefined behavior ("nonnull-attribute", "signed-integer-overflow", "bounds"). These problems remain unfixed and suppressed in UndefinedBehavior Sanitizer.
In LuaJIT, there is a minimal C declaration parser, and it is not a validating C parser: "The parser ought to return correct results for properly formed C declarations, but it may accept some invalid declarations, too (and return nonsense)".

License

Owner

Name: Sergey Bronnikov
Login: ligurio
Kind: user

Website: https://bronevichok.ru/
Repositories: 69
Profile: https://github.com/ligurio

I make software suck less.

Citation (CITATION.cff)

cff-version: 1.2.0
message: >-
  If you use this software, please cite it using the
  metadata from this file.
authors:
  - given-names: "Sergey"
    family-names: "Bronnikov"
    orcid: https://orcid.org/0009-0003-1545-032X
    email: estetus@gmail.com
type: software
title: "lua-c-api-tests"
abstract: >-
  lua-c-api-tests is an open-source project that provides
  continuous fuzzing for Lua runtimes: PUC Rio Lua and LuaJIT.
  It aims to make these open-source software more secure and
  stable by combining modern fuzzing techniques with scalable,
  distributed execution. As of July 2025, the project has
  helped identify and fix 7 bugs in PUC Rio Lua, 27 bugs in
  LuaJIT, and 6 bugs in Tarantool.
type: software
repository-code: "https://github.com/ligurio/lua-c-api-tests"
keywords:
  - fuzzing
  - lua
  - luajit
  - open-source
  - security
license: ISC

GitHub Events

Total

Issues event: 11
Watch event: 1
Delete event: 25
Issue comment event: 16
Push event: 211
Pull request review event: 170
Pull request review comment event: 190
Pull request event: 63
Fork event: 1
Create event: 27

Last Year

Issues event: 11
Watch event: 1
Delete event: 25
Issue comment event: 16
Push event: 211
Pull request review event: 170
Pull request review comment event: 190
Pull request event: 63
Fork event: 1
Create event: 27

Issues and Pull Requests

Last synced: 4 months ago

All Time

Total issues: 20
Total pull requests: 134
Average time to close issues: about 2 months
Average time to close pull requests: 13 days
Total issue authors: 3
Total pull request authors: 4
Average comments per issue: 0.8
Average comments per pull request: 0.23
Merged pull requests: 114
Bot issues: 0
Bot pull requests: 0

Past Year

Issues: 8
Pull requests: 43
Average time to close issues: 7 days
Average time to close pull requests: 16 days
Issue authors: 2
Pull request authors: 1
Average comments per issue: 0.5
Average comments per pull request: 0.23
Merged pull requests: 27
Bot issues: 0
Bot pull requests: 0

View more stats

Top Authors

Issue Authors

ligurio (19)
kroggen (1)
gal1ium (1)

Pull Request Authors

ligurio (154)
kobrineli (4)
kroggen (1)
SweetVishnya (1)

Top Labels

Issue Labels

Pull Request Labels

Dependencies

.github/workflows/oss-fuzz.yml actions

google/oss-fuzz/infra/cifuzz/actions/build_fuzzers master composite
google/oss-fuzz/infra/cifuzz/actions/run_fuzzers master composite

.github/workflows/test.yaml actions

actions/checkout v3 composite

.github/workflows/cflite_batch.yml actions

google/clusterfuzzlite/actions/build_fuzzers v1 composite
google/clusterfuzzlite/actions/run_fuzzers v1 composite

.github/workflows/cflite_build.yml actions

google/clusterfuzzlite/actions/build_fuzzers v1 composite

.github/workflows/cflite_cron.yml actions

google/clusterfuzzlite/actions/build_fuzzers v1 composite
google/clusterfuzzlite/actions/run_fuzzers v1 composite

.github/workflows/cflite_pr.yml actions

google/clusterfuzzlite/actions/build_fuzzers v1 composite
google/clusterfuzzlite/actions/run_fuzzers v1 composite

.clusterfuzzlite/Dockerfile docker

gcr.io/oss-fuzz-base/base-builder v1 build

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Open Source Science