Update FUZZING documentation about max_len.

Maintain the max_len values in foo.options files which ClusterFuzz can process.
Also recompute the recommended client and server lengths as they've since
gotten much more extensive.

Change-Id: Ie87a80d8a4a0c41e215f0537c8ccf82b38c4de09
Reviewed-on: https://boringssl-review.googlesource.com/7509
Reviewed-by: Mike Aizatsky <aizatsky@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
David Benjamin 2016-03-21 18:24:53 -04:00
parent 78f8aabe44
commit 9539ebbf70
5 changed files with 12 additions and 11 deletions

View File

@ -23,22 +23,15 @@ Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
From the `build/` directory, you can then run the fuzzers. For example:
```
./fuzz/cert -max_len=4000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/
```
The `max_len` argument is often important because, without it, libFuzzer defaults to limiting all test cases to 64 bytes, which is often insufficient for the formats that we wish to fuzz. The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing.
The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this.
The recommended values of `max_len` for each test may be found in `.options` files alongside the test source. These were determined by rounding up the length of the largest case in the corpus. When writing a new fuzzer, configure `max_len` in a similar file.
There are directories in `fuzz/` for each of the fuzzing tests which contain seed files for fuzzing. Some of the seed files were generated manually but many of them are “interesting” results generated by the fuzzing itself. (Where “interesting” means that it triggered a previously unknown path in the code.)
Here are the recommended values of `max_len` for each test.
| Test | `max_len` value |
|-----------|-----------------|
| `privkey` | 2048 |
| `cert` | 3072 |
| `server` | 1024 |
| `client` | 4096 |
## Minimising the corpuses
When a large number of new seeds are available, it's a good idea to minimise the corpus so that different seeds that trigger the same code paths can be deduplicated.

2
fuzz/cert.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 3072

2
fuzz/client.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 20000

2
fuzz/privkey.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 2048

2
fuzz/server.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 4096