fuzz: document faster throughput configuration #22573

agroce commented at 8:05 PM on July 28, 2021: contributor

This is a small change to the fuzzing doc that I think might help more people improve the corpus coverage, which I think is low partly just due to lack of long, low-overhead, runs, in addition to the need to apply a more diverse set of fuzzers and coverage notions.

Document faster throughput configuration 8a4f0fcd3f

agroce renamed this:
~~Document faster throughput configuration~~
fuzz: document faster throughput configuration
on Jul 28, 2021

DrahtBot added the label Docs on Jul 28, 2021

MarcoFalke commented at 6:45 AM on July 29, 2021: member

Concept ACK. I do the same. On my servers I run without sanitizers to find logic bugs and with sanitizers to find memory bugs.

practicalswift commented at 9:00 AM on July 29, 2021: contributor

I do the same too :)

ACK 8a4f0fcd3fc1a35c1482975114555b0fed75a1c0

Thanks for improving the fuzzing documentation!

tryphe commented at 3:16 AM on July 30, 2021: contributor

ACK 8a4f0fcd3fc1a35c1482975114555b0fed75a1c0

in doc/fuzzing.md:88 in 8a4f0fcd3f

  82 | @@ -83,6 +83,10 @@ INFO: seed corpus: files: 991 min: 1b max: 1858b total: 288291b rss: 150Mb
  83 |  …
  84 |  ```
  85 |  
  86 | +## Run without sanitizers for increased throughput
  87 | +
  88 | +Fuzzing on a harness compiled with `--with-sanitizers=address,fuzzer,undefined` is good for finding bugs. However, the very slow execution even under libFuzzer will limit the ability to find new coverage. A good approach is to perform occasional long runs without the additional bug-detectors (configure `--with-sanitizers=fuzzer`) and then merge new inputs into a corpus as described in the qa-assets repo (https://github.com/bitcoin-core/qa-assets/blob/main/.github/PULL_REQUEST_TEMPLATE.md).  Patience is useful; even with improved throughput, libFuzzer may need days and 10s of millions of executions to reach deep/hard targets.

jonatack commented at 2:11 PM on July 30, 2021:

nit, s/10s/tens/

Fuzzing on a harness compiled with `--with-sanitizers=address,fuzzer,undefined` is good for finding bugs. However, the very slow execution even under libFuzzer will limit the ability to find new coverage. A good approach is to perform occasional long runs without the additional bug-detectors (configure `--with-sanitizers=fuzzer`) and then merge new inputs into a corpus as described in the qa-assets repo (https://github.com/bitcoin-core/qa-assets/blob/main/.github/PULL_REQUEST_TEMPLATE.md).  Patience is useful; even with improved throughput, libFuzzer may need days and tens of millions of executions to reach deep/hard targets.

also could line-break, e.g.

Fuzzing on a harness compiled with `--with-sanitizers=address,fuzzer,undefined`
is good for finding bugs. However, the very slow execution even under libFuzzer
will limit the ability to find new coverage. A good approach is to perform
occasional long runs without the additional bug-detectors (configure
`--with-sanitizers=fuzzer`) and then merge new inputs into a corpus as described
in the qa-assets repo (https://github.com/bitcoin-core/qa-assets/blob/main/.github/PULL_REQUEST_TEMPLATE.md).
Patience is useful; even with improved throughput, libFuzzer may need days and
tens of millions of executions to reach deep/hard targets.

jonatack commented at 2:12 PM on July 30, 2021: member

ACK, useful addition. Feel free to ignore the comments that follow.

MarcoFalke merged this on Jul 31, 2021

MarcoFalke closed this on Jul 31, 2021

sidhujag referenced this in commit 35e4d95459 on Aug 1, 2021

DrahtBot locked this on Aug 16, 2022