webpx 0.3.3

Complete WebP encoding/decoding with ICC profiles, streaming, and animation support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

name: Fuzz & Sanitizers

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Daily at 03:00 UTC — separate from the weekly remote agent that
    # runs longer per-target sweeps and opens regression PRs.
    - cron: '0 3 * * *'
  workflow_dispatch:
    inputs:
      duration:
        description: 'Seconds per fuzz target (cron run only)'
        required: false
        default: '180'

concurrency:
  group: fuzz-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always

jobs:
  # Build every fuzz target. Cheap, runs on every push — keeps targets
  # from bit-rotting against API changes.
  fuzz-build:
    name: Fuzz build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@nightly
      - uses: Swatinem/rust-cache@v2
        with:
          key: fuzz-build
          workspaces: fuzz
      - name: Install cargo-fuzz
        run: cargo install cargo-fuzz --locked
      - name: Build all fuzz targets
        run: cd fuzz && cargo +nightly fuzz build

  # Cron-only short fuzz pass per target. PR/push runs are 60s,
  # cron runs use the workflow_dispatch input or 180s default.
  fuzz-run:
    name: Fuzz (${{ matrix.target }})
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        target:
          - image_info
          - decode_static
          - decode_into
          - decoder_builder
          - decode_streaming
          - decode_animation
          - mux_metadata
          - encode_roundtrip
          - stride_extremes
          - dim_extremes
          - limits_boundaries
          - yuv_planes
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@nightly
      - uses: Swatinem/rust-cache@v2
        with:
          key: fuzz-${{ matrix.target }}
          workspaces: fuzz
      - name: Install cargo-fuzz
        run: cargo install cargo-fuzz --locked
      - name: Determine duration
        id: duration
        run: |
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            echo "seconds=${{ github.event.inputs.duration || '180' }}" >> "$GITHUB_OUTPUT"
          else
            echo "seconds=180" >> "$GITHUB_OUTPUT"
          fi
      - name: Seed corpus
        run: |
          mkdir -p fuzz/corpus/${{ matrix.target }}
          cp fuzz/seeds/* fuzz/corpus/${{ matrix.target }}/ 2>/dev/null || true
          cp fuzz/regression/* fuzz/corpus/${{ matrix.target }}/ 2>/dev/null || true
      - name: Fuzz ${{ matrix.target }}
        run: |
          cd fuzz && cargo +nightly fuzz run ${{ matrix.target }} corpus/${{ matrix.target }} \
            -- -max_total_time=${{ steps.duration.outputs.seconds }} \
               -dict=webp.dict \
               -rss_limit_mb=2048
      - name: Upload crashes
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: fuzz-crashes-${{ matrix.target }}
          path: fuzz/artifacts/
          retention-days: 30

  # Stable-toolchain regression gate — runs every push.
  regression:
    name: Fuzz regression seeds
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Run regression harness
        run: cargo test --all-features --test fuzz_regression

  # AddressSanitizer pass on the soundness + integration tests.
  # Catches use-after-free, OOB writes, and other libwebp-FFI memory
  # bugs that a normal cargo test would miss.
  asan:
    name: ASAN (x86_64)
    runs-on: ubuntu-latest
    env:
      RUSTFLAGS: '-Zsanitizer=address'
      RUSTDOCFLAGS: '-Zsanitizer=address'
      ASAN_OPTIONS: 'detect_odr_violation=0:detect_leaks=0'
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@nightly
        with:
          components: rust-src
      - uses: Swatinem/rust-cache@v2
        with:
          key: asan
      - name: Soundness tests under ASAN
        run: |
          cargo +nightly test -Zbuild-std --release \
            --target x86_64-unknown-linux-gnu --all-features \
            --test soundness
      - name: Integration tests under ASAN
        run: |
          cargo +nightly test -Zbuild-std --release \
            --target x86_64-unknown-linux-gnu --all-features \
            --test integration
      - name: Fuzz regression under ASAN
        run: |
          cargo +nightly test -Zbuild-std --release \
            --target x86_64-unknown-linux-gnu --all-features \
            --test fuzz_regression
      - name: Leak test under ASAN (detect_leaks=1)
        env:
          # detect_leaks=1 enabled here so any libwebp allocation that
          # escapes the FFI RAII wrappers shows up as a CI failure.
          # Suppression list filters known non-webpx artifacts (std
          # thread-local stack-overflow info on Linux).
          ASAN_OPTIONS: 'detect_odr_violation=0:detect_leaks=1'
          LSAN_OPTIONS: 'suppressions=lsan-suppressions.txt'
        run: |
          cat > lsan-suppressions.txt <<'EOF'
          leak:set_current_info
          EOF
          WEBPX_LEAK_ITERS=10 cargo +nightly run -Zbuild-std --release \
            --target x86_64-unknown-linux-gnu --all-features \
            --example leak_test