build(bazel): cut fuzz harness over from Nix to Bazel (DEV-6345) #616

Merged: subotic merged 3 commits into main from worktree-dev_6345_fuzzing on May 3, 2026
subotic (Contributor) commented May 3, 2026

Fixes DEV-6345

Motivation

PR Y+3 of the Sipi Bazel migration (dasch-specs PR #96, §"PR Y+3"). The libFuzzer IIIF URI parser harness was the last build path still anchored on Nix's .#fuzz derivation; cutting it over completes the per-variant-CI step of the migration before Y+4 (Docker image via rules_oci) and Y+5 (Rust e2e + smoke via rules_rust).

The cutover also restores the local-fuzz UX the prior CMake build supported: developers can fuzz on darwin-aarch64 (Apple Silicon) without spinning up a Linux VM, matching the convenience the deleted .#fuzz Nix variant provided.

Summary

  • libFuzzer harness now runs through Bazel: just bazel-build-fuzz / just bazel-run-fuzz replace nix-build-fuzz / nix-run-fuzz. CI (linux-x86_64 nightly + workflow_dispatch) and local development (linux-x86_64 or darwin-aarch64) both supported.
  • flake.nix's .#fuzz package output, package.nix's enableFuzzing parameter, and the CMake-side SIPI_ENABLE_FUZZ option + fuzz/{,handlers/}CMakeLists.txt are deleted. The nix develop .#fuzz dev shell is preserved.
  • Two latent bugs in the Bazel cutover surfaced and were fixed: a silent libstdc++-toolchain no-op on Linux (registration order) and an under-scoped fuzz constraint that would have matched plain darwin builds (extra_target_compatible_with targets = filter).

Key Changes

Bazel build graph

  • MODULE.bazel: register llvm_toolchain_fuzz (libstdc++) sharing the LLVM 19.1.7 download via llvm.toolchain_root(label = "@llvm_toolchain_llvm//:BUILD"). Gated on //tools/fuzz:fuzz_enabled via extra_target_compatible_with (no targets = filter — applies to all platform entries the toolchain auto-registers for). Registered BEFORE the default llvm_toolchain so it wins toolchain resolution on *_fuzz platforms.
  • tools/fuzz/BUILD.bazel (new): constraint_setting(fuzz) + constraint_value(fuzz_enabled) + two platforms (linux_x86_64_fuzz, darwin_aarch64_fuzz).
  • .bazelrc: build:fuzz block — --per_file_copt=^(src|shttps|fuzz|test)/.* for -fsanitize=fuzzer-no-link / -fsanitize-coverage=trace-cmp / -fsanitize=address (matches asan/ubsan blocks; foreign_cc deps stay uninstrumented), and --linkopt=-fsanitize=fuzzer / -fsanitize=address. --platforms= is not in .bazelrc — the recipe sets it from uname.
  • shttps/BUILD.bazel: split :shttps into header-only :shttps_headers (full include graph + foreign_cc deps) and a thin :shttps cc_library that depends on it. Adds :fuzz_subset cc_library — explicit 4-cpp slice (ChunkReader, Connection, Error, SockStream) plus iiif_handler.cpp from //src/handlers. Lives in the shttps package because four of its five sources are native there.
  • src/BUILD.bazel: exports_files(["handlers/iiif_handler.cpp"]) plus :iiif_handler_hdrs cc_library so #include "handlers/iiif_handler.hpp" resolves explicitly.
  • fuzz/handlers/BUILD.bazel (new): cc_binary(iiif_handler_uri_parser_fuzz) deps-only on //shttps:fuzz_subset. target_compatible_with = ["//tools/fuzz:fuzz_enabled"] skips the target on non-fuzz platforms.

Justfile

  • bazel-build-fuzz and bazel-run-fuzz recipes (3-arg interface preserved verbatim from nix-run-fuzz so fuzz.yml only needs the recipe-name swap).
  • _fuzz-platform private recipe resolves --platforms=//tools/fuzz:<host>_fuzz from uname -s/-m. Both linux-x86_64 (CI) and darwin-aarch64 (local dev) are supported; linux-aarch64 and other tuples are rejected with a clear message.
  • bazel-run-fuzz builds first then execs the binary directly (matches the prior nix-run-fuzz shape) — avoids the macOS SIP + bazel run interaction described in Challenges below.
  • nix-build-fuzz and nix-run-fuzz removed. Stale rm -rf build-fuzz/ dropped from just clean.

CI (.github/workflows/fuzz.yml)

  • Build step: just nix-build-fuzz → just bazel-build-fuzz. Run step: just nix-run-fuzz → just bazel-run-fuzz. Both wrapped with nix develop --command so bazelisk + foreign_cc host tools (cmake, perl, pkg-config, autotools) and gh (kakadu repository_rule) reach the build.
  • Adds actions/cache@v5 Bazel disk cache (mirroring bazel-build.yml/sanitizer.yml under DEV-6371) and jlumbroso/free-disk-space step. Removes the now-redundant nix profile install nixpkgs#just step (just is in the dev shell).
  • All other steps unchanged: Find last successful fuzz run, Restore corpus from previous run, Prepare live corpus, Save corpus for next run, Collect crash details, Upload crash artifacts. Both fuzz-corpus and fuzz-crashes GHA artifact names + retentions preserved.

Cleanup

  • flake.nix: drop .#fuzz package output + overrideAttrs block (libstdc++ stdenv override gymnastics). nix develop .#fuzz dev shell preserved.
  • package.nix: remove enableFuzzing parameter + -DSIPI_ENABLE_FUZZ=ON cmakeFlag.
  • CMakeLists.txt: remove option(SIPI_ENABLE_FUZZ ...) + add_subdirectory(fuzz). Delete fuzz/CMakeLists.txt and fuzz/handlers/CMakeLists.txt.

Docs

  • CLAUDE.md, docs/src/development/{building,ci,fuzzing,nix}.md: rename nix-build-fuzz/nix-run-fuzz → bazel-*, document the per-host fuzz routing and the macOS rpath/SIP rationale, drop stale .#fuzz enumerations.

Challenges and Decisions

fuzz_subset package placement

Problem: the plan literally placed fuzz_subset cc_library in fuzz/handlers/BUILD.bazel, which forced cross-package srcs = ["//shttps:ChunkReader.cpp", …] for four of five sources via exports_files.
Tried: initial implementation followed the plan literally — four exports_files entries in shttps/BUILD.bazel, two in src/BUILD.bazel, plus visibility plumbing on :shttps_headers.
Solution: code-simplicity-reviewer flagged the cross-package reach. Moved fuzz_subset into shttps/BUILD.bazel where four of its five sources are native. Only iiif_handler.cpp from //src/handlers stays cross-package. Same precedent as bazel/magic_database.bzl: build-graph machinery lives where the inputs live.

iiif_handler.hpp resolution fragility

Problem: with the cpps in srcs and the hpp listed as a sibling, the harness's #include "handlers/iiif_handler.hpp" relied on Bazel's workspace-root quote_includes default — fragile under future sandbox-strip changes (cpp-reviewer Major finding).
Solution: added //src:iiif_handler_hdrs cc_library exposing handlers/iiif_handler.hpp under includes = ["."]. Both :fuzz_subset (compiling iiif_handler.cpp) and the cc_binary (whose harness #includes it directly) depend on it. Include resolution is now explicit and survives sandbox layout changes.

Toolchain registration order — silent libstdc++ no-op on Linux

Problem: initial implementation registered llvm_toolchain (default, libc++) BEFORE llvm_toolchain_fuzz (libstdc++). On linux_x86_64_fuzz BOTH match — the default's [os:linux, cpu:x86_64] is a subset of the fuzz platform's [os:linux, cpu:x86_64, fuzz_enabled] constraint set. Bazel's first-registered-wins rule then picks the default, so the libstdc++ override the second toolchain was supposed to provide was silently a no-op on Linux.
Tried: verifying with bazel cquery --config=fuzz only confirms analysis succeeds — toolchain selection is invisible without --toolchain_resolution_debug.
Solution: reverse the registration order. llvm_toolchain_fuzz first (it requires fuzz_enabled, so it skips on non-fuzz platforms), llvm_toolchain second (catches everything else). Now linux-x86_64-fuzz actually picks libstdc++; default Linux builds keep libc++.

extra_target_compatible_with constraint scoping

Problem: the initial llvm.extra_target_compatible_with call used targets = ["linux-x86_64"], so only the linux-x86_64 entry of llvm_toolchain_fuzz got the fuzz_enabled constraint. Toolchains_llvm auto-creates entries for every platform tuple (linux/{x86_64,aarch64} + darwin/{x86_64,aarch64}); the unscoped darwin entries would silently match plain darwin builds.
Solution: drop the targets = filter. The constraint applies to all entries the toolchain registers, so it only matches fuzz_enabled platforms regardless of OS/CPU. Now the fuzz toolchain is properly inert on non-fuzz builds.

macOS ASan + @rpath + SIP

Problem: Apple's ASan runtime (libclang_rt.asan_osx_dynamic.dylib) is always dynamically linked. The Bazel-built fuzz binary references it via @rpath/libclang_rt.asan_osx_dynamic.dylib, where the @rpath entries are relative paths into the toolchain's resource dir (external/toolchains_llvm++llvm+llvm_toolchain_llvm/lib/clang/19/lib/darwin). Under bazel run, cwd is the workspace root, so the relative rpath does not resolve and dyld fails.
Tried: setting DYLD_LIBRARY_PATH and going through nix develop --command bazelisk run — macOS SIP strips DYLD_* env vars across the subprocess chain (any system-shipped binary like /bin/bash triggers the strip).
Solution: bazel-run-fuzz builds first then execs the binary directly (matches the prior nix-run-fuzz shape — bazel run was an unnecessary indirection added by the Bazel cutover). The recipe sets DYLD_LIBRARY_PATH in its own shell on darwin and execs the binary with the env var inherited. cwd stays the workspace root, so corpus paths and crash-file globs keep working unchanged.

Host-OS gate vs Bazel target_compatible_with

Problem: target_compatible_with = ["//tools/fuzz:fuzz_enabled"] on the cc_binary is supposed to make Bazel skip the target on non-fuzz platforms. But --config=fuzz explicitly sets --platforms=//tools/fuzz:<host>_fuzz (which DOES carry fuzz_enabled), so the auto-skip never triggers — Bazel proceeds to compile under the chosen platform. On hosts other than linux-x86_64 / darwin-aarch64, that means cross-compilation through a native-only toolchain, which fails deep inside foreign_cc Lua's make linux (-Wl,-E rejected by Apple ld).
Solution: the _fuzz-platform recipe enumerates the supported (os, arch) tuples in a case statement and exits 1 with a clear message on anything else. Failing fast at the recipe layer is cleaner than a 5-minute cross-compile crash.

Gotchas

  • Don't move the DYLD_LIBRARY_PATH export inside nix develop --command. macOS SIP strips DYLD_* across nix develop's subprocess chain (and bazel run's, hence the direct exec). Setting it in the recipe shell BEFORE entering nix-develop also doesn't survive — must be in the immediate parent shell of the binary exec. The current recipe is correct; restructuring it is a footgun.
  • Toolchain registration order matters. Adding a third toolchain with the same [os, cpu] constraints requires explicit ordering decision. Bazel's first-registered-wins rule does NOT prefer "more specific" automatically. Use --toolchain_resolution_debug=//path:to:type to verify if in doubt.
  • extra_target_compatible_with(targets = […]) filters which auto-created entries get the extra constraint. An empty/absent targets = applies to ALL entries — usually what you want for "this toolchain only matches when the constraint is present".
  • foreign_cc deps under --config=fuzz build with default toolchain flags, not fuzz instrumentation. The --per_file_copt=^(src|shttps|fuzz|test)/.* regex scoping is what prevents poisoning their CFLAGS forwarding. If a future ext lib adds C/C++ sources matching the regex by accident, ASan would slip in. Restrict the regex if needed.
  • linux-aarch64 is intentionally out of scope for the fuzz harness. The _fuzz-platform recipe rejects it; the deployment target is amd64 only and fuzz CI never runs on aarch64. Adding it later would mean wiring an aarch64 sysroot for the fuzz toolchain (the linux-x86_64 sysroot is fuzz-toolchain-pinned today).
  • The libstdc++ override on Linux is "belt-and-suspenders" parity with the prior CMake build. Modern libFuzzer (LLVM ≥ 16) ships its own private libc++; the second toolchain registration could be removed in a later refactor and Linux fuzz would still work via the default libc++ toolchain. Reverse-validate before doing so.

Test Plan

  • bazel build //src:sipi --lockfile_mode=error --nobuild — green analysis on darwin (proves the :shttps_headers split preserves //src:sipi_lib's public consumer contract).
  • bazel build --config=fuzz --platforms=//tools/fuzz:darwin_aarch64_fuzz //fuzz/handlers:iiif_handler_uri_parser_fuzz --lockfile_mode=error --nobuild — green analysis on darwin.
  • bazel build --config=fuzz --platforms=//tools/fuzz:linux_x86_64_fuzz //fuzz/handlers:iiif_handler_uri_parser_fuzz --lockfile_mode=error --nobuild — green analysis under cross-platform target on darwin host.
  • bazel test //test/unit/... — all 12 unit tests pass post-shttps-split (fully cached after first run; action keys for :shttps are stable across the split).
  • just bazel-run-fuzz fuzz-corpus-live 5 fuzz/handlers/corpus on darwin — 153 806 runs in 6 seconds, ~25k execs/sec, 961 new corpus inputs. Confirms the binary loads (no @rpath dyld error) and libFuzzer is functional.
  • bazel mod deps --lockfile_mode=update: MODULE.bazel.lock unchanged (the second llvm.toolchain reuses @llvm_toolchain_llvm via toolchain_root, no new repos materialised).
  • Acceptance gate (CI-only on linux-x86_64): just bazel-run-fuzz fuzz-corpus-live 60 fuzz/handlers/corpus produces libFuzzer output identical in shape to today's run (header line with INFO: Seed:, periodic #NN pulse cov: / exec/s: lines).
  • Acceptance gate (CI-only): objdump -t bazel-bin/fuzz/handlers/iiif_handler_uri_parser_fuzz | grep -c sancov returns non-zero (coverage instrumentation present).
  • Acceptance gate (CI-only): Inspect bazel-out/external/ after a clean fetch — only one llvm_toolchain_llvm directory; the second toolchain shares the LLVM artifact.
  • Acceptance gate (CI-only): Manual workflow_dispatch run of fuzz.yml with duration=60 — corpus restore non-empty, corpus upload size grows or stays flat, deliberately-broken seed produces fuzz-crashes artifact with crash-summary.md containing xxd reproducer bytes.
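
The two toolchain-resolution bugs described under "Challenges and Decisions" above, replayed in a simplified model. This is an added example, not code from the PR or from Bazel: it models only target_compatible_with matching in registration order, and the constraint strings and helper names are assumptions.

```python
"""Simplified model of Bazel toolchain resolution: registration order plus
target_compatible_with matching only. Added example, not project code."""
from dataclasses import dataclass

# Constraint values as plain strings (assumed spellings for this model).
LINUX, MACOS, X86_64, AARCH64 = "os:linux", "os:macos", "cpu:x86_64", "cpu:aarch64"
FUZZ = "//tools/fuzz:fuzz_enabled"

# The four platform tuples the PR says toolchains_llvm auto-creates entries for.
TUPLES = {
    "linux-x86_64": {LINUX, X86_64},
    "linux-aarch64": {LINUX, AARCH64},
    "darwin-x86_64": {MACOS, X86_64},
    "darwin-aarch64": {MACOS, AARCH64},
}

# Target platforms: plain hosts plus the two *_fuzz platforms from tools/fuzz.
PLATFORMS = {
    "linux_x86_64": frozenset({LINUX, X86_64}),
    "darwin_aarch64": frozenset({MACOS, AARCH64}),
    "linux_x86_64_fuzz": frozenset({LINUX, X86_64, FUZZ}),
    "darwin_aarch64_fuzz": frozenset({MACOS, AARCH64, FUZZ}),
}


@dataclass(frozen=True)
class Toolchain:
    repo: str                          # e.g. "llvm_toolchain_fuzz"
    target_compatible_with: frozenset  # constraints the target platform must carry


def llvm_toolchain(repo, extra=frozenset(), targets=None):
    """One entry per tuple. `extra` models extra_target_compatible_with: it is
    added to every entry, or only to the tuples named in `targets`."""
    entries = []
    for name, base in TUPLES.items():
        scoped = targets is None or name in targets
        constraints = frozenset(base | (set(extra) if scoped else set()))
        entries.append(Toolchain(repo, constraints))
    return entries


def registrations(fuzz_first, targets):
    """Registration list for one ordering and one `targets` filter."""
    fuzz = llvm_toolchain("llvm_toolchain_fuzz", extra={FUZZ}, targets=targets)
    default = llvm_toolchain("llvm_toolchain")
    return fuzz + default if fuzz_first else default + fuzz


def matching(registered, platform):
    """Toolchains whose constraints are all present on the platform, in order."""
    return [tc for tc in registered if tc.target_compatible_with <= PLATFORMS[platform]]


def resolve(registered, platform):
    """First registered match wins; specificity plays no part."""
    found = matching(registered, platform)
    return found[0].repo if found else None


def shadowed(registered, platform):
    """Later, strictly more specific toolchains that matched but lost."""
    found = matching(registered, platform)
    if not found:
        return []
    winner = found[0].target_compatible_with
    return sorted({tc.repo for tc in found[1:] if winner < tc.target_compatible_with})


def scenario(fuzz_first, targets):
    """Map every modelled platform to the toolchain repo that wins resolution."""
    registered = registrations(fuzz_first, targets)
    return {p: resolve(registered, p) for p in PLATFORMS}


if __name__ == "__main__":
    cases = {
        "initial (default first, targets filter)": (False, ["linux-x86_64"]),
        "reordered only (fuzz first, targets filter)": (True, ["linux-x86_64"]),
        "merged (fuzz first, no targets filter)": (True, None),
    }
    for label, (fuzz_first, targets) in cases.items():
        print(label)
        registered = registrations(fuzz_first, targets)
        for platform in PLATFORMS:
            print(f"  {platform:20} -> {resolve(registered, platform):20}"
                  f" shadowed={shadowed(registered, platform)}")
```

In this model the darwin scoping bug stays latent while the default toolchain is registered first and only appears once the order is reversed, which is why both fixes are needed together. Against a real build, the equivalent check is the `--toolchain_resolution_debug` flag named in the Gotchas.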

linear-code Bot commented May 3, 2026

codecov Bot commented May 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 17.3%. Comparing base (0b810ed) to head (fb6132b).
⚠️ Report is 10 commits behind head on main.

Additional details and impacted files

see 1 file with indirect coverage changes


github-actions Bot commented May 3, 2026

Overview

Image reference daschswiss/sipi:v4.1.1 daschswiss/sipi:latest
- digest 65b287d0ceae c3be458d09c6
- tag v4.1.1 latest
- environment production
- provenance 444ed9e
- vulnerabilities critical: 0 high: 0 medium: 72 low: 18 critical: 0 high: 0 medium: 0 low: 0
- platform linux/amd64 linux/amd64
- size 217 MB 144 MB (-73 MB)
- packages 486 123 (-363)
Environment Variables (6 changes)
  • + 2 added
  • - 2 removed
  • ± 2 changed
  • 1 unchanged
-LANG=en_US.UTF-8
+LANG=C.UTF-8
-LANGUAGE=en_US.UTF-8
-LC_ALL=en_US.UTF-8
+LC_ALL=C.UTF-8
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+SSL_CERT_FILE=/nix/store/zp564phiicll8d53d973gbh8y3iiwlm7-nss-cacert-3.121/etc/ssl/certs/ca-bundle.crt
 TZ=Europe/Zurich
+TZDIR=/nix/store/cxjmhdbpy3bk12jc6lwpmcvlas76a7zm-tzdata-2026a/share/zoneinfo
Labels (7 changes)
  • + 5 added
  • - 1 removed
  • ± 1 changed
-maintainer=support@dasch.swiss
+org.opencontainers.image.description=IIIF-compatible media server.
+org.opencontainers.image.licenses=AGPL-3.0-only
+org.opencontainers.image.revision=444ed9e851d409a5738f5aafe746ed522c7e2473
+org.opencontainers.image.source=https://github.com/dasch-swiss/sipi
+org.opencontainers.image.title=Sipi
-org.opencontainers.image.version=24.04
+org.opencontainers.image.version=v4.1.1
Config (1 changes)
  • ± 1 changed
  • 3 unchanged
 1024/tcp=
 cmd=--config=/sipi/config/sipi.config.lua
-entrypoint=/usr/sbin/pid1 --verbose -- /sipi/sipi
+entrypoint=/nix/store/lzx3vwggc3y2diwpkql7a5k425x46pvz-tini-0.19.0/bin/tini -- /nix/store/jr3xy2wpq585g24m05ra631j2l2hpaxs-sipi-4.1.1/bin/sipi
 workdir=/sipi
Policies (0 improved, 0 worsened, 2 missing data)
Policy Name daschswiss/sipi:v4.1.1 daschswiss/sipi:latest Change Standing
Default non-root user ⚠️ ⚠️ No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities No Change
No high-profile vulnerabilities No Change
No outdated base images ❓ No data ❓ No data
No unapproved base images ❓ No data ❓ No data
Supply chain attestations ⚠️ 2 ⚠️ 2 No Change
Packages and Vulnerabilities (609 package changes and 0 vulnerability changes)
  • ➕ 123 packages added
  • ➖ 486 packages removed
Changes for packages of type deb (486 changes)
Changes for packages of type generic (3 changes)
Package Version
daschswiss/sipi:v4.1.1
Version
daschswiss/sipi:latest
bash 5.3.9
curl 8.19.0
ffmpeg 8.0.1
Changes for packages of type nix (120 changes)

subotic and others added 3 commits May 3, 2026 22:36
Implements PR Y+3 of the Sipi Bazel migration (DEV-6341). The libFuzzer
IIIF URI parser harness now runs through Bazel via `--config=fuzz` plus
two registered LLVM toolchains sharing a single LLVM 19.1.7 download:
linux-x86_64 routes to a libstdc++ toolchain (libFuzzer ABI parity with
the prior Nix-driven build); darwin-aarch64 falls through to the default
libc++ toolchain (libFuzzer's ABI on darwin). The `bazel-build-fuzz` /
`bazel-run-fuzz` justfile recipes detect the host via `uname` and select
the matching `//tools/fuzz:<host>_fuzz` platform. linux-aarch64 is out of
scope for the harness — deployment target is amd64 and fuzz CI never
runs there.

CI's `fuzz.yml` workflow's Build and Run steps cut over to the new
recipes, wrapped with `nix develop --command` so bazelisk plus the
foreign_cc host tools (cmake, perl, pkg-config, autotools) and `gh`
(used by the kakadu repository_rule) reach the build. Adds the
`actions/cache@v5` Bazel disk cache and `jlumbroso/free-disk-space`
steps that bazel-build.yml and sanitizer.yml already use under DEV-6371.
Corpus persistence (`fuzz-corpus` artifact downloaded from the prior
successful run via `gh api`) and crash collection (`crash-*` / `oom-*` /
`timeout-*` glob plus `crash-summary.md` xxd writeup, uploaded as
`fuzz-crashes` with 90-day retention) are unchanged in mechanism.

The fuzz cc_binary is a deliberate subset of shttps + iiif_handler:
only four shttps cpps the harness exercises (ChunkReader, Connection,
Error, SockStream) plus `iiif_handler.cpp` go into the link line.
Linking the full `//shttps:shttps` archive under `-fsanitize=fuzzer`
would pull Lua VM / prometheus / sentry symbols the harness never
reaches and inflate the libFuzzer corpus search-space cost. Mirrors
`lib_iiif_handler_uri_parser_fuzz` in `fuzz/handlers/CMakeLists.txt:18-30`.
The cc_library lives in `shttps/BUILD.bazel` (not `fuzz/handlers/`)
because four of its five sources are native to that package — keeping it
there avoids a cross-package `exports_files` reach for the bulk of its
inputs. The single cross-package source from `//src/handlers/` is
exposed via `exports_files` plus a small `//src:iiif_handler_hdrs`
cc_library that makes `#include "handlers/iiif_handler.hpp"` resolution
explicit instead of relying on Bazel's workspace-root quote_includes
default (fragile under future sandbox-strip changes).

`//shttps:shttps` is split into a header-only `:shttps_headers`
cc_library (full include graph + foreign_cc deps) plus a thin `:shttps`
that picks up the cpps and re-exports the headers via `deps`. The split
gives `:fuzz_subset` access to the full shttps include graph (sibling-
relative `#include "Server.h"` chains pull Logger.h, LuaServer.h, etc.)
without linking shttps's compiled archive. Downstream consumers of
`//shttps:shttps` (notably `//src:sipi_lib`) keep working unchanged.

`.bazelrc`'s `build:fuzz` block carries `-fsanitize=fuzzer-no-link`,
`-fsanitize-coverage=trace-cmp`, and `-fsanitize=address` (compile,
scoped via `--per_file_copt=^(src|shttps|fuzz|test)/.*` so foreign_cc
deps' CFLAGS forwarding stays clean — same pattern as the asan/ubsan
blocks); `-fsanitize=fuzzer` and `-fsanitize=address` (link, global —
foreign_cc rules don't read Bazel linkopts). `--platforms` is set by
the recipe based on `uname` (linux→`linux_x86_64_fuzz`, darwin→
`darwin_aarch64_fuzz`), not in `.bazelrc` — `.bazelrc` cannot pick a
platform from host detection but the recipe can.

Two toolchain-resolution subtleties land here:

1. `llvm.extra_target_compatible_with` on `llvm_toolchain_fuzz` adds the
   `fuzz_enabled` constraint to ALL platform entries the toolchain
   auto-registers for (no `targets =` filter). Without the broad
   scoping, the auto-created darwin entries would silently match plain
   darwin builds.

2. Toolchain registration order: `llvm_toolchain_fuzz` is registered
   BEFORE the default `llvm_toolchain`. Bazel picks the first-registered
   matching toolchain. On `linux_x86_64_fuzz` both match (the default's
   `[os:linux, cpu:x86_64]` is a subset of the fuzz platform's
   `[os:linux, cpu:x86_64, fuzz_enabled]`); first-registered wins, so
   we register the fuzz toolchain first. Non-fuzz builds skip past it
   (their platform lacks `fuzz_enabled`) and fall through to the
   default.

`bazel-run-fuzz` execs the built binary directly (matching the prior
`nix-run-fuzz` shape) rather than going through `bazel run`. Apple's
ASan runtime (`libclang_rt.asan_osx_dynamic.dylib`) is dynamically
linked via `@rpath`, and `bazel run` cwd's at the workspace root where
the toolchain's relative rpath does not resolve. macOS SIP also strips
`DYLD_*` env vars across the `bazel run` subprocess chain. The recipe
sets `DYLD_LIBRARY_PATH` on darwin to the toolchain's clang resource
dir and `exec`s the binary directly. cwd stays the workspace root so
corpus paths and crash-file globs keep working unchanged.

Removes:
- `flake.nix` `.#fuzz` package output and its `overrideAttrs` block
  (the libstdc++ stdenv override gymnastics).
- `package.nix` `enableFuzzing` parameter and its `-DSIPI_ENABLE_FUZZ=ON`
  cmakeFlag — no remaining caller.
- `just nix-build-fuzz` and `just nix-run-fuzz` recipes.
- The `nix profile install nixpkgs#just` step in `fuzz.yml` (`just` is
  in the dev shell so the wrap inherits it).
- Stale `rm -rf build-fuzz/` from `just clean` (the CMake fuzz build
  tree no longer exists post-cutover).

Preserves the `nix develop .#fuzz` dev shell (still useful for ad-hoc
Clang+libstdc++ work). The CMake-side `SIPI_ENABLE_FUZZ` option and the
two `fuzz/CMakeLists.txt` files become dead code as of this commit and
get removed in the immediately following commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
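The two toolchain-resolution subtleties in the commit message above, as an added toy model that is not code from this PR or from Bazel. It considers target constraints only; the darwin constraint names, the plain platform names and the helper functions are assumptions made for illustration.

```python
"""Toy model of Bazel toolchain resolution: target constraints only."""

LINUX = frozenset({"os:linux", "cpu:x86_64"})    # constraint set quoted in the commit
DARWIN = frozenset({"os:macos", "cpu:aarch64"})  # assumed names for darwin-aarch64
FUZZ = "fuzz_enabled"

# Target platforms; the two plain (non-fuzz) names are assumptions.
PLATFORMS = {
    "linux_x86_64": LINUX,
    "linux_x86_64_fuzz": LINUX | {FUZZ},
    "darwin_aarch64": DARWIN,
}

def entries(name, extra=(), only=None):
    """One (label, required constraints) entry per auto-registered triple.

    `extra` is added to every entry, or only to the triples listed in `only`,
    which models an extra_target_compatible_with call with a targets filter.
    """
    out = []
    for triple, base in (("linux-x86_64", LINUX), ("darwin-aarch64", DARWIN)):
        scoped = only is None or triple in only
        out.append((f"{name}/{triple}", base | (frozenset(extra) if scoped else frozenset())))
    return out

def resolve(registered, platform):
    """First registered entry whose constraints are all present on the platform."""
    have = PLATFORMS[platform]
    for label, needs in registered:
        if needs <= have:
            return label
    return None

default = entries("llvm_toolchain")
fuzz_all = entries("llvm_toolchain_fuzz", extra=[FUZZ])
fuzz_linux_only = entries("llvm_toolchain_fuzz", extra=[FUZZ], only={"linux-x86_64"})

FIXED = fuzz_all + default                # fuzz toolchain first, constraint on every entry
WRONG_ORDER = default + fuzz_all          # default first: fuzz platform gets the default
UNDER_SCOPED = fuzz_linux_only + default  # filtered: plain darwin gets the fuzz toolchain

if __name__ == "__main__":
    for name, reg in (("fixed", FIXED), ("wrong order", WRONG_ORDER), ("under-scoped", UNDER_SCOPED)):
        for platform in PLATFORMS:
            print(f"{name:13} {platform:18} -> {resolve(reg, platform)}")
```

Neither misconfiguration fails the build: resolution still returns a toolchain, just not the intended one, so the check worth keeping is an assertion on which toolchain each platform actually resolves to.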
The prior commit cut the libFuzzer harness over from `.#fuzz` /
`nix-build-fuzz` to `--config=fuzz` / `bazel-build-fuzz`. The CMake-side
opt-in option and the two `CMakeLists.txt` files under `fuzz/` are now
unused — neither `package.nix` (no caller passes `enableFuzzing = true`
after the prior commit) nor any `just` recipe references them.

The `fuzz/handlers/corpus/` directory is preserved — it is the seed
corpus for both the Bazel-driven libFuzzer harness
(`//fuzz/handlers/corpus:seed_corpus`, runfile of the new `cc_binary`)
and the existing `parse_iiif_uri_corpus_test.cpp` unit test (CMake side,
via `SIPI_FUZZ_CORPUS_DIR`).

Mirrors the DEV-6344 split that removed `ENABLE_SANITIZERS` in a
separate small commit after the Bazel cutover landed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

PR Y+3 of the Bazel migration moved the libFuzzer harness from
`.#fuzz` / `nix-build-fuzz` / `nix-run-fuzz` to `--config=fuzz` /
`bazel-build-fuzz` / `bazel-run-fuzz`. This commit propagates the
rename and the new linux-x86_64 + darwin-aarch64 host model across:

- `CLAUDE.md` build-completeness invariant and Quick Reference: drop
  `.#fuzz` from the Nix package list, document the per-host fuzz
  routing (linux-x86_64 in CI, darwin-aarch64 for local dev).
- `docs/src/development/building.md` justfile target table: rename
  recipes, document host detection.
- `docs/src/development/ci.md` Local Reproduction section: update fuzz
  build/run example.
- `docs/src/development/fuzzing.md`: full developer guide refresh —
  Architecture (BUILD.bazel + tools/fuzz layout), Requirements (two
  toolchains, host detection rationale), Running Locally (now also
  covers darwin), CI Integration (Bazel recipes), Adding New Fuzz
  Targets (BUILD.bazel pattern). Also documents why `bazel-run-fuzz`
  exec's the binary directly on darwin (Apple ASan dylib + macOS SIP).
- `docs/src/development/nix.md` Quick Reference and platform-portability
  section: remove `.#fuzz` from package enumerations; the `nix develop
  .#fuzz` dev shell is preserved.

The deleted `enableFuzzing` parameter and `SIPI_ENABLE_FUZZ` cmake
option no longer appear in any prose.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@subotic subotic force-pushed the worktree-dev_6345_fuzzing branch from 9f8874e to fb6132b Compare May 3, 2026 20:38
@subotic subotic merged commit 9574ef6 into main May 3, 2026
11 checks passed
@subotic subotic deleted the worktree-dev_6345_fuzzing branch May 3, 2026 20:50