Update FUZZING documentation about max_len.
Maintain the max_len values in foo.options files which ClusterFuzz can process. Also recompute the recommended client and server lengths as they've since gotten much more extensive. Change-Id: Ie87a80d8a4a0c41e215f0537c8ccf82b38c4de09 Reviewed-on: https://boringssl-review.googlesource.com/7509 Reviewed-by: Mike Aizatsky <aizatsky@chromium.org> Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
parent
78f8aabe44
commit
9539ebbf70
15
FUZZING.md
15
FUZZING.md
@ -23,22 +23,15 @@ Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
|
||||
From the `build/` directory, you can then run the fuzzers. For example:
|
||||
|
||||
```
|
||||
./fuzz/cert -max_len=4000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
|
||||
./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/
|
||||
```
|
||||
|
||||
The `max_len` argument is often important because, without it, libFuzzer defaults to limiting all test cases to 64 bytes, which is often insufficient for the formats that we wish to fuzz. The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing.
|
||||
The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this.
|
||||
|
||||
The recommended values of `max_len` for each test may be found in `.options` files alongside the test source. These were determined by rounding up the length of the largest case in the corpus. When writing a new fuzzer, configure `max_len` in a similar file.
|
||||
|
||||
There are directories in `fuzz/` for each of the fuzzing tests which contain seed files for fuzzing. Some of the seed files were generated manually but many of them are “interesting” results generated by the fuzzing itself. (Where “interesting” means that it triggered a previously unknown path in the code.)
|
||||
|
||||
Here are the recommended values of `max_len` for each test.
|
||||
|
||||
| Test | `max_len` value |
|
||||
|-----------|-----------------|
|
||||
| `privkey` | 2048 |
|
||||
| `cert` | 3072 |
|
||||
| `server` | 1024 |
|
||||
| `client` | 4096 |
|
||||
|
||||
## Minimising the corpuses
|
||||
|
||||
When a large number of new seeds are available, it's a good idea to minimise the corpus so that different seeds that trigger the same code paths can be deduplicated.
|
||||
|
2
fuzz/cert.options
Normal file
2
fuzz/cert.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 3072
|
2
fuzz/client.options
Normal file
2
fuzz/client.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 20000
|
2
fuzz/privkey.options
Normal file
2
fuzz/privkey.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 2048
|
2
fuzz/server.options
Normal file
2
fuzz/server.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 4096
|
Loading…
Reference in New Issue
Block a user