From 7e8d53bc9974afa6823c2aa25571e661d133d980 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20G=C3=B6rz?= Date: Mon, 27 Jan 2025 11:30:14 +0100 Subject: [PATCH] Improve documentation to discourage non-zero returncodes (#12955) This PR adds a small documentation change to discourage the use of non-zero return values. Based on this issue https://github.com/google/oss-fuzz/issues/11983, Honggfuzz does not support other return values, while libFuzzer, in my opinion unexpectedly, discards inputs for return values other than zero which can cause creation of faulty harnesses. As a result I think it is fair to discourage all uses of non-zero return values from LLVMFuzzerTestOneInput. --- docs/advanced-topics/ideal_integration.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/advanced-topics/ideal_integration.md b/docs/advanced-topics/ideal_integration.md index b86ff3bf5544..85785ab8150c 100644 --- a/docs/advanced-topics/ideal_integration.md +++ b/docs/advanced-topics/ideal_integration.md @@ -45,13 +45,13 @@ This makes it easy to maintain the fuzzers and minimizes breakages that can arise as source code changes over time. Make sure to fuzz the target locally for a small period of time to ensure that -it does not crash, hang, or run out of memory instantly. If you're having -trouble, read about [what makes a good fuzz +it does not crash, hang, or run out of memory instantly. Also make sure that the fuzzer can +make at least some progress. If you're having trouble, read about [what makes a good fuzz target](https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md). The interface between the [fuzz target](https://llvm.org/docs/LibFuzzer.html#fuzz-target) and the fuzzing engines is C, so you can use either C or C++ to implement the -fuzz target. +fuzz target. Make sure to not return values other than **zero** [^1]. Examples: [boringssl](https://github.com/google/boringssl/tree/master/fuzz), @@ -64,6 +64,10 @@ Examples: [pcre2](https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_fuzzsupport.c?view=markup), [ffmpeg](https://github.com/FFmpeg/FFmpeg/blob/master/tools/target_dec_fuzzer.c). +[^1]: While LibFuzzer uses a non-zero value as a signal to discard inputs other fuzzers in +use by OSS-Fuzz do not necessarily support this behavior. (Discarding inputs can be used +to stop a fuzzer from exploring further, which should only be used with good reason.) + ## Build support Many different build systems exist in the open-source world. The less OSS-Fuzz