On 201002 1715, Thomas Huth wrote:
> On 02/10/2020 16.35, Alexander Bulekov wrote:
> > With 1000 runs, there is a non-negligible chance that the fuzzer can
> > trigger a crash. With this CI job, we care about catching build/runtime
> > issues in the core fuzzing code. Actual device fuzzing takes place on
> > oss-fuzz. For these purposes, only running one input should be
> > sufficient.
> >
> > Signed-off-by: Alexander Bulekov <alx...@bu.edu>
> > Suggested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> > ---
> > .gitlab-ci.yml | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
> > index a51c89554f..075c15d45c 100644
> > --- a/.gitlab-ci.yml
> > +++ b/.gitlab-ci.yml
> > @@ -303,7 +303,7 @@ build-oss-fuzz:
> > | grep -v slirp); do
> > grep "LLVMFuzzerTestOneInput" ${fuzzer} > /dev/null 2>&1 ||
> > continue ;
> > echo Testing ${fuzzer} ... ;
> > - "${fuzzer}" -runs=1000 -seed=1 || exit 1 ;
> > + "${fuzzer}" -runs=1 -seed=1 || exit 1 ;
>
> ... but we're apparently already using a fixed seed for running the
> test, so it should be pretty much deterministic, shouldn't it? So the
> chance that the fuzzer hits a crash here for a pre-existing problem
> should be close to zero? ... so I'm not quite sure whether we really
> need this? Anyway, I certainly also won't object to this patch, so in case
> anybody wants to merge it:
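Review bot: The rationale for dropping to a single run lives only in the commit message, so the `+ "${fuzzer}" -runs=1 -seed=1 || exit 1 ;` line in .gitlab-ci.yml would benefit from a one-line comment stating that this job is a build/runtime smoke test of the core fuzzing code and that real device fuzzing happens on oss-fuzz; otherwise the next person tuning the job will see `-runs=1` next to a fixed `-seed=1` and wonder whether the number was a typo. Keeping `-seed=1` is still worthwhile for reproducibility of whatever single input does get executed.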
In addition to using an RNG+seed, libfuzzer also uses coverage information
to guide mutations. My guess is that as QEMU changes, this coverage can
change as well, so I wouldn't assume that using the same seed will result
in the same inputs generated, in the longer term. It's true that the main
benefit will probably be a few minutes shaved off the 400 minute limit...

Thanks
-Alex

>
> Acked-by: Thomas Huth <th...@redhat.com>
>