jazzer icon indicating copy to clipboard operation
jazzer copied to clipboard

Published 20 hours ago verified publisher icon CodeIntelligenceTesting

Increasing Fuzz Input Size

Open l0s opened this issue 3 years ago • 2 comments

What is the right way to increase the input size?

Similar to the example in the README, I see the log message:

INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes

In addition, when calling FuzzedDataProvider::consumeBytes(int), I get fewer bytes than requested. Per the documentation, this is because the input size is not sufficiently long. The command I'm executing looks like this:

/tmp/not-out/tmpzysle9uu/jazzer_driver --agent_path=/tmp/not-out/tmpzysle9uu/jazzer_agent_deploy.jar --cp=/tmp/not-out/tmpzysle9uu/myapp.jar:/tmp/not-out/tmpzysle9uu/myfuzzer.jar --target_class=MyFuzzer --jvm_args=-Xmx2048m:-Djava.awt.headless=true -max_len=8192 --alsologtostderr=true -rss_limit_mb=2560 -timeout=25 -seed=1337 -runs=4

In case it's relevant, jazzer_driver is being called through oss-fuzz.

l0s avatar Jul 31 '22 18:07 l0s

I am able to reproduce this issue, but am still pretty clueless as to the root cause. I don't think there is anything obviously wrong in FuzzedDataProvider. I will take a deeper look.

fmeum avatar Aug 01 '22 19:08 fmeum

I can reproduce this even with -len_control=0, but it no longer reproduces with -mutation_depth=100.

My best guess is that without any coverage feedback, a large input size can only be reached if it can be attained from an existing corpus input within a single mutation chain (default length of 5 individual mutations). Individual mutations are limited in the length delta they can cause, e.g. sequences of random bytes are capped at length 128.

@l0s Could you check whether this goes away if you add a corpus entry that has the required size?

fmeum avatar Aug 12 '22 14:08 fmeum

@fmeum can you share documentation on how to add a corpus entry? It was not clear to me how to do that.

l0s avatar Aug 14 '22 23:08 l0s

oss-fuzz requires you to add files to a directory next to your fuzz test: https://google.github.io/oss-fuzz/getting-started/new-project-guide/#seed-corpus.

Usually, this is one by downloading the corpus in the Dockerfile and then moving it into the correct location in build.sh.

Feel free to reopen if you should encounter problems getting this set up.

fmeum avatar Aug 15 '22 06:08 fmeum