diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 482525f949d..73ead66f217 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -224,7 +224,7 @@ jobs: env: BITCOINFUZZ: '${{ github.workspace }}\build\src\test\fuzz\Release\fuzz.exe' shell: cmd - run: py -3 test\fuzz\test_runner.py --par %NUMBER_OF_PROCESSORS% --loglevel DEBUG %RUNNER_TEMP%\qa-assets\fuzz_seed_corpus + run: py -3 test\fuzz\test_runner.py --par %NUMBER_OF_PROCESSORS% --loglevel DEBUG %RUNNER_TEMP%\qa-assets\fuzz_corpora asan-lsan-ubsan-integer-no-depends-usdt: name: 'ASan + LSan + UBSan + integer, no depends, USDT' diff --git a/ci/test/03_test_script.sh b/ci/test/03_test_script.sh index baeeca4814d..7fca724a77e 100755 --- a/ci/test/03_test_script.sh +++ b/ci/test/03_test_script.sh @@ -54,7 +54,7 @@ EOF ) if [ "$RUN_FUZZ_TESTS" = "true" ]; then - export DIR_FUZZ_IN=${DIR_QA_ASSETS}/fuzz_seed_corpus/ + export DIR_FUZZ_IN=${DIR_QA_ASSETS}/fuzz_corpora/ if [ ! -d "$DIR_FUZZ_IN" ]; then ${CI_RETRY_EXE} git clone --depth=1 https://github.com/bitcoin-core/qa-assets "${DIR_QA_ASSETS}" fi diff --git a/cmake/script/CoverageFuzz.cmake b/cmake/script/CoverageFuzz.cmake index 2626ea0cb5d..82b39a25355 100644 --- a/cmake/script/CoverageFuzz.cmake +++ b/cmake/script/CoverageFuzz.cmake @@ -4,12 +4,12 @@ include(${CMAKE_CURRENT_LIST_DIR}/CoverageInclude.cmake) -if(NOT DEFINED FUZZ_SEED_CORPUS_DIR) - set(FUZZ_SEED_CORPUS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/qa-assets/fuzz_seed_corpus) +if(NOT DEFINED FUZZ_CORPORA_DIR) + set(FUZZ_CORPORA_DIR ${CMAKE_CURRENT_SOURCE_DIR}/qa-assets/fuzz_corpora) endif() execute_process( - COMMAND test/fuzz/test_runner.py ${FUZZ_SEED_CORPUS_DIR} --loglevel DEBUG + COMMAND test/fuzz/test_runner.py ${FUZZ_CORPORA_DIR} --loglevel DEBUG WORKING_DIRECTORY ${CMAKE_CURRENT_LIST_DIR} COMMAND_ERROR_IS_FATAL ANY ) diff --git a/doc/fuzzing.md b/doc/fuzzing.md index 4da9f5c3a20..50b99c9473a 100644 --- a/doc/fuzzing.md +++ b/doc/fuzzing.md @@ -80,7 +80,7 @@ of the test. Just make sure to use double-dash to distinguish them from the fuzzer's own arguments: ```sh -$ FUZZ=address_deserialize_v2 build_fuzz/src/test/fuzz/fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5 --printtoconsole=1 +$ FUZZ=address_deserialize_v2 build_fuzz/src/test/fuzz/fuzz -runs=1 fuzz_corpora/address_deserialize_v2 --checkaddrman=5 --printtoconsole=1 ``` ## Fuzzing corpora @@ -91,11 +91,11 @@ To fuzz `process_message` using the [`bitcoin-core/qa-assets`](https://github.co ```sh $ git clone https://github.com/bitcoin-core/qa-assets -$ FUZZ=process_message build_fuzz/src/test/fuzz/fuzz qa-assets/fuzz_seed_corpus/process_message/ +$ FUZZ=process_message build_fuzz/src/test/fuzz/fuzz qa-assets/fuzz_corpora/process_message/ INFO: Seed: 1346407872 INFO: Loaded 1 modules (424174 inline 8-bit counters): 424174 [0x55d8a9004ab8, 0x55d8a906c3a6), INFO: Loaded 1 PC tables (424174 PCs): 424174 [0x55d8a906c3a8,0x55d8a96e5288), -INFO: 991 files found in qa-assets/fuzz_seed_corpus/process_message/ +INFO: 991 files found in qa-assets/fuzz_corpora/process_message/ INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes INFO: seed corpus: files: 991 min: 1b max: 1858b total: 288291b rss: 150Mb #993 INITED cov: 7063 ft: 8236 corp: 25/3821b exec/s: 0 rss: 181Mb @@ -124,7 +124,7 @@ Patience is useful; even with improved throughput, libFuzzer may need days and quickly from a crash case) - run the fuzzer with the case number appended to the seed corpus path: `FUZZ=process_message build_fuzz/src/test/fuzz/fuzz - qa-assets/fuzz_seed_corpus/process_message/1bc91feec9fc00b107d97dc225a9f2cdaa078eb6` + qa-assets/fuzz_corpora/process_message/1bc91feec9fc00b107d97dc225a9f2cdaa078eb6` ## Submit improved coverage @@ -340,7 +340,7 @@ Fuzzing with Eclipser will likely be much more effective if using an existing co ```sh $ git clone https://github.com/bitcoin-core/qa-assets -$ FUZZ=bech32 dotnet Eclipser/build/Eclipser.dll fuzz -p build_fuzz/src/test/fuzz/fuzz -t 36000 -i qa-assets/fuzz_seed_corpus/bech32 outputs --src stdin +$ FUZZ=bech32 dotnet Eclipser/build/Eclipser.dll fuzz -p build_fuzz/src/test/fuzz/fuzz -t 36000 -i qa-assets/fuzz_corpora/bech32 outputs --src stdin ``` Note that fuzzing with Eclipser on certain targets (those that create 'full nodes', e.g. `process_message*`) will, diff --git a/src/test/fuzz/fuzz.cpp b/src/test/fuzz/fuzz.cpp index fdad0a287af..bba2dd8e3a3 100644 --- a/src/test/fuzz/fuzz.cpp +++ b/src/test/fuzz/fuzz.cpp @@ -49,7 +49,7 @@ static std::vector g_args; static void SetArgs(int argc, char** argv) { for (int i = 1; i < argc; ++i) { // Only take into account arguments that start with `--`. The others are for the fuzz engine: - // `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5` + // `fuzz -runs=1 fuzz_corpora/address_deserialize_v2 --checkaddrman=5` if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') { g_args.push_back(argv[i]); }