Save the corpus and use later as seed #633
Comments
There appears to be a command line flag for this (I found it by running my test binary with the
Unfortunately, I have not been able to get it to work.
There is an undocumented environment variable that helps us along one step:
will create
However, the directory structure described in the
Later, to use the corpus, run
You cannot skip the
As far as I can tell, we cannot make fuzztest write samples to the
fuzztest/fuzztest/init_fuzztest.cc, lines 154 to 162 in 4c3852b
to create a CorpusDatabase object:
fuzztest/fuzztest/internal/configuration.h, lines 14 to 41 in 4c3852b
And as you can see, CorpusDatabase has no public API to get the database_path_, which would be necessary to write the new corpus files to it.
Some way of seeding with a corpus, and minimizing a corpus of seeds, is really needed. For example, these workflows are well supported with libFuzzer already: I'm trying to migrate from libFuzzer to FuzzTest, and currently this is the biggest issue I'm facing.
Same. FuzzTest's model of putting all the fuzzers in one build target would be really attractive for BoringSSL (it would simplify keeping the same build across multiple build systems). But one of our workflows is that we record transcripts from our tests (a good sample of different TLS protocol flows and other hand-crafted interesting cases) and then minimize them as the starting corpus for the fuzzer, so it doesn't need to discover how the TLS protocol works from scratch.
Hi there!
A. Is it possible to save or dump the corpus that's been found so far? E.g. when I terminate the fuzzing run, it should save the corpus that's been discovered so far. Presumably the corpus path would be a command line flag.
B. When I fuzz the same target again later, using the same Domains and all that, can I reuse a previously saved corpus?
Obviously, this is not a new idea. For example, Chromium fuzzing talks about it.
A on its own is useful, even if B isn't done. I think it would be very useful to take the corpus from A, create a unit test for every corpus element, and add that to continuous integration and pre-commit testing.
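The "unit test for every corpus element" idea from point A, as an added example that is not code from FuzzTest, BoringSSL or anyone in this thread: a small stand-alone C++ replay harness that walks a saved corpus directory and feeds every file to the target function, so each corpus element becomes a deterministic regression check that can run in CI without a fuzzing engine. The target `ParseRecord` (a length-prefixed record parser) is a hypothetical stand-in for the real fuzzed function, and the corpus files it replays are constructed inline by `WriteDemoCorpus` for the demo rather than taken from a real fuzzing run.

```cpp
// Added example (not FuzzTest's or the issue participants' code): replay every
// file in a saved corpus directory through the target under test, so each
// corpus element becomes a regression check suitable for CI / pre-commit runs.
#include <cstdint>
#include <cstdio>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical target standing in for the real fuzzed function: a
// length-prefixed record parser. Returns true when the input parses cleanly.
bool ParseRecord(const std::vector<uint8_t>& in) {
  if (in.size() < 2) return false;                      // truncated header
  size_t len = (static_cast<size_t>(in[0]) << 8) | in[1];
  if (len > in.size() - 2) return false;                // the bounds check a fuzzer would probe
  // payload of `len` bytes lives in in[2 .. 2+len)
  return true;
}

std::vector<uint8_t> ReadFile(const fs::path& p) {
  std::ifstream f(p, std::ios::binary);
  return std::vector<uint8_t>(std::istreambuf_iterator<char>(f), {});
}

// Run the target on every regular file in `dir`. Under ASan/UBSan any crash or
// undefined behaviour aborts the test; the return value is the number of
// corpus elements replayed, so the caller can assert the corpus was found.
size_t ReplayCorpus(const fs::path& dir) {
  size_t replayed = 0;
  for (const auto& entry : fs::directory_iterator(dir)) {
    if (!entry.is_regular_file()) continue;
    (void)ParseRecord(ReadFile(entry.path()));
    ++replayed;
  }
  return replayed;
}

// Constructed corpus for the demo (not from a real fuzzing run): a few samples
// written to a fresh temp directory, mirroring what a saved corpus would hold.
fs::path WriteDemoCorpus() {
  fs::path dir = fs::temp_directory_path() / "corpus_replay_demo";
  fs::remove_all(dir);  // start clean so the element count is deterministic
  fs::create_directories(dir);
  const std::vector<std::vector<uint8_t>> samples = {
      {0x00, 0x03, 'a', 'b', 'c'},  // well-formed record
      {0xFF, 0xFF},                 // declared length exceeds the data
      {0x00},                       // truncated header
  };
  for (size_t i = 0; i < samples.size(); ++i) {
    std::ofstream out(dir / ("sample" + std::to_string(i)), std::ios::binary);
    out.write(reinterpret_cast<const char*>(samples[i].data()),
              static_cast<std::streamsize>(samples[i].size()));
  }
  return dir;
}

int main() {
  fs::path dir = WriteDemoCorpus();
  std::printf("replayed %zu corpus files from %s\n", ReplayCorpus(dir),
              dir.string().c_str());
  return 0;
}
```

In a real setup, point `ReplayCorpus` at the directory the fuzzer wrote (or at a minimized copy of it) and build the harness with the same sanitizers as the fuzz target; the replay is then a plain test binary that needs no fuzzing flags to run.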