diff --git a/docs/further-reading/fuzzer_environment.md b/docs/further-reading/fuzzer_environment.md index c42bf454ee34..b7d3b5fd121a 100644 --- a/docs/further-reading/fuzzer_environment.md +++ b/docs/further-reading/fuzzer_environment.md @@ -25,13 +25,17 @@ or built as part of are not available on the bot runtime environment (where the fuzz targets run). If you need these dependencies in the runtime environment, you can either: -- Install the packages via Dockerfile + +- (recommended) Build the dependencies statically in +[build.sh]({{ site.baseurl }}/getting-started/new-project-guide/#buildsh) +([example](https://github.com/google/oss-fuzz/blob/64f8b6593da141b97c98c7bc6f07df92c42ee010/projects/ffmpeg/build.sh#L26)). + +- Or install the packages via Dockerfile ([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/Dockerfile#L19)) and then link statically against them ([example](https://github.com/google/oss-fuzz/blob/2d5e2ef84f281e6ab789055aa735606d3122fda9/projects/tor/build.sh#L40)). -- Or build the dependencies statically in -[build.sh]({{ site.baseurl }}/getting-started/new-project-guide/#buildsh) -([example](https://github.com/google/oss-fuzz/blob/64f8b6593da141b97c98c7bc6f07df92c42ee010/projects/ffmpeg/build.sh#L26)). +**Dependencies built in this way will not be instrumented** and may prevent +the fuzzer from finding bugs if they are involved in the execution of a fuzz target. All build artifacts needed during fuzz target execution should be inside the `$OUT` directory. Only those artifacts are archived and used on the bots. diff --git a/docs/getting-started/new_project_guide.md b/docs/getting-started/new_project_guide.md index 65441bee1158..1cdd23fa92ad 100644 --- a/docs/getting-started/new_project_guide.md +++ b/docs/getting-started/new_project_guide.md @@ -237,6 +237,10 @@ For an example, see [ecc-diff-fuzzer/Dockerfile](https://github.com/google/oss-fuzz/blob/master/projects/ecc-diff-fuzzer/Dockerfile). where we use `base-builder-rust`and install golang +Runtime dependencies of your project, such as third-party static libraries, will +not be instrumented if you build them in the Dockerfile. In most cases, you will +want to build them in `build.sh` instead. + ## build.sh {#buildsh} This file defines how to build binaries for [fuzz targets]({{ site.baseurl }}/reference/glossary/#fuzz-target) in your project.