Add fuzzing where possible

[mhucka]

One of the code scanning alerts (https://github.com/quantumlib/Cirq/security/code-scanning/400) recommended the application of code fuzzing to help locate possible vulnerabilities in the code. We could use Google's OSS-Fuzz.

More info about OSS-Fuzz:

Google created OSS-Fuzz to fill this gap: it’s a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected. Since its launch, OSS-Fuzz has become a critical service for the open source community, growing beyond C/C++ to detect problems in memory-safe languages such as Go, Rust, and Python.

The OSS-Fuzz project has been adding AI-powered fuzzing, and is experimenting with AI-powered vulnerability fixing.

[ToastCheng]

Hi @mhucka! I'd like to take this one, could you assign to me? :)

[mhucka]

@ToastCheng Thank you for your interest. Ok, it's assigned to you!

[ToastCheng]

Thanks! I'll start setting up Cirq project on the OSS-Fuzz side following the OSS-Fuzz guide.

I have some open questions on the configuration:

1. Contacts
   I'll put "primary contact" as "quantum-oss-maintainers@google.com" based on the Cirq's README.md. As for the CC list, do you have a recommended email list (people on the list will receive crash reports, statistics etc.)?

2. Sanitizer
   Default will enable address and undefined sanitizer. Memory sanitizer will not be enabled by default since there could be more false alarm on this one. If there is no preferences, I'll start with the default settings (enable address + undefined, disable memory).

[mhucka]

@ToastCheng Thank you for getting started. Some replies:

1. For the cc list, let's at least use mine: mhucka@google.com. (@pavoljuhas should we also add you?)
2. Since Cirq is a Python project, based on https://google.github.io/oss-fuzz/getting-started/new-project-guide/python-lang/#projectyaml it looks like we can only enable address and undefined anyway. So, yes, please go ahead with those.

[ToastCheng]

Thanks for the reply!

I drafted a commit adding Cirq to OSS-Fuzz project, and a minimal fuzz test that adds different gates on different LineQubits in a circuit and simulate it. If it looks good, I can create a PR on OSS-Fuzz.

On Cirq side, I also drafted #7625 to enable CI fuzz. This will be needed after OSS-Fuzz side has configured properly.

[ToastCheng]

Checking Tensorflow's example, instead of adding fuzz tests into OSS-Fuzz side (some projects do, e.g. ujson), a better way might be having the fuzz tests living in the Cirq codebase (so Cirq maintainers have better control). The OSS fuzzer can simply clone Cirq codebase to run the fuzz tests, just like what Tensorflow did here.