The most important thing to know, when you are using go-fuzz, is that the cover metric should be increasing.
I didn’t know that, and I wasted one 12-hour run of fuzzing because my fuzzing function was misbehaving in a way that made it return the same useless error for every input, no matter what. That meant that no matter what go-fuzz mutated in the input, it could not find a way to explore more code, and could not find any interesting bugs. It was trying to tell me this by not incrementing the cover metric it was reporting.
Do not do what I did. Check that cover is going up before you leave go-fuzz running for hours and hours, wasting time.
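One way to automate that check, as an added example that is not part of the original post: a small Go helper that reads go-fuzz status lines and flags a run whose cover value has stopped rising. The function name `coverStalled`, the `window` parameter and both sample logs are constructed for illustration, and the code assumes the `cover: N` field of the status line go-fuzz prints periodically.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// coverRe matches the "cover: N" field of a go-fuzz status line (assumed format).
var coverRe = regexp.MustCompile(`\bcover: (\d+)`)

// coverStalled reports whether cover failed to rise over the last `window`
// status lines, and the latest cover value. Lines without a cover field are skipped.
func coverStalled(log string, window int) (stalled bool, last int) {
	var covers []int
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if m := coverRe.FindStringSubmatch(sc.Text()); m != nil {
			if n, err := strconv.Atoi(m[1]); err == nil {
				covers = append(covers, n)
			}
		}
	}
	if len(covers) <= window {
		return false, 0 // too few samples to judge yet
	}
	last = covers[len(covers)-1]
	// Stalled if the value `window` samples back is already as high as the latest.
	return covers[len(covers)-1-window] >= last, last
}

// Constructed sample status lines, not taken from a real run.
const brokenRun = `2024/01/01 10:00:03 workers: 4, corpus: 1 (3s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
2024/01/01 10:00:06 workers: 4, corpus: 1 (6s ago), crashers: 0, restarts: 1/9000, execs: 45000 (7500/sec), cover: 12, uptime: 6s
2024/01/01 10:00:09 workers: 4, corpus: 1 (9s ago), crashers: 0, restarts: 1/9500, execs: 95000 (10555/sec), cover: 12, uptime: 9s
2024/01/01 10:00:12 workers: 4, corpus: 1 (12s ago), crashers: 0, restarts: 1/9800, execs: 147000 (12250/sec), cover: 12, uptime: 12s`
const healthyRun = `2024/01/01 10:00:03 workers: 4, corpus: 3 (1s ago), crashers: 0, restarts: 1/0, execs: 0 (0/sec), cover: 0, uptime: 3s
2024/01/01 10:00:06 workers: 4, corpus: 9 (0s ago), crashers: 0, restarts: 1/9000, execs: 27000 (4500/sec), cover: 85, uptime: 6s
2024/01/01 10:00:09 workers: 4, corpus: 17 (1s ago), crashers: 0, restarts: 1/9500, execs: 57000 (6333/sec), cover: 140, uptime: 9s
2024/01/01 10:00:12 workers: 4, corpus: 26 (0s ago), crashers: 1, restarts: 1/9800, execs: 88000 (7333/sec), cover: 197, uptime: 12s`

func main() {
	for _, run := range []string{brokenRun, healthyRun} {
		stalled, last := coverStalled(run, 2)
		fmt.Printf("cover=%d stalled=%v\n", last, stalled)
	}
}
```

In the constructed broken run, executions keep climbing while cover sits at 12 and the corpus never grows, which is the pattern a fuzz function that rejects every input the same way would produce.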