Commit 40ab689

docs: Explain how to instrument dependencies (#14394)
Try to prevent misunderstandings such as in #14358 (comment)
1 parent 9b17c6d commit 40ab689

2 files changed

+12
-4
lines changed

docs/further-reading/fuzzer_environment.md

Lines changed: 8 additions & 4 deletions
@@ -25,13 +25,17 @@ or built as part of
2525
are not available on the bot runtime environment (where the fuzz targets run).
2626

2727
If you need these dependencies in the runtime environment, you can either:
28-
- Install the packages via Dockerfile
28+
29+
- (recommended) Build the dependencies statically in
30+
[build.sh]({{ site.baseurl }}/getting-started/new-project-guide/#buildsh)
31+
([example](https://github.com/google/oss-fuzz/blob/64f8b6593da141b97c98c7bc6f07df92c42ee010/projects/ffmpeg/build.sh#L26)).
32+
33+
- Or install the packages via Dockerfile
2934
([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/Dockerfile#L19))
3035
and then link statically against them
3136
([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/build.sh#L40)).
32-
- Or build the dependencies statically in
33-
[build.sh]({{ site.baseurl }}/getting-started/new-project-guide/#buildsh)
34-
([example](https://github.com/google/oss-fuzz/blob/64f8b6593da141b97c98c7bc6f07df92c42ee010/projects/ffmpeg/build.sh#L26)).
37+
**Dependencies built in this way will not be instrumented** and may prevent
38+
the fuzzer from finding bugs if they are involved in the execution of a fuzz target.
3539

3640
All build artifacts needed during fuzz target execution should be inside the
3741
`$OUT` directory. Only those artifacts are archived and used on the bots.
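
Review bot: The bold warning added at new lines 37-38 reads "Dependencies built in this way will not be instrumented", but the bullet it closes talks about installing packages via Dockerfile, while the bullet just above it is the one that uses the word "Build". A reader skimming the list can attach the warning to the wrong option. Suggest naming the method in the sentence, for example "Dependencies installed via Dockerfile will not be instrumented", and adding a short clause to the "(recommended)" bullet at new line 29 that says why it is recommended, since the reason is currently only implied by the warning on the other bullet.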

docs/getting-started/new_project_guide.md

Lines changed: 4 additions & 0 deletions
@@ -237,6 +237,10 @@ For an example, see
237237
[ecc-diff-fuzzer/Dockerfile](https://github.com/google/oss-fuzz/blob/master/projects/ecc-diff-fuzzer/Dockerfile).
238238
where we use `base-builder-rust`and install golang
239239

240+
Runtime dependencies of your project, such as third-party static libraries, will
241+
not be instrumented if you build them in the Dockerfile. In most cases, you will
242+
want to build them in `build.sh` instead.
243+
240244
## build.sh {#buildsh}
241245

242246
This file defines how to build binaries for [fuzz targets]({{ site.baseurl }}/reference/glossary/#fuzz-target) in your project.
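
Review bot: The paragraph added at new lines 240-242 tells the reader to prefer `build.sh` but never says what is lost when a dependency is not instrumented; the consequence ("may prevent the fuzzer from finding bugs") is stated only in the fuzzer_environment.md change. Suggest repeating that clause here or linking to that page, so the recommendation is justified where it is made. The wording also differs between the two files ("build them in the Dockerfile" here, "install the packages via Dockerfile" there); using one phrase, or covering both cases explicitly, would make it clear that both building and installing in the Dockerfile yield uninstrumented code.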
