chore: prepare v0.1.3-rc.13 release branch #50
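📝 Walkthrough
This PR introduces a complete fuzz testing infrastructure for the project. It adds 5 fuzz targets with their corpora and dictionary configuration, adds GitHub Actions workflows that support fuzzing in the nightly and release stages, introduces property-test coverage, and updates the related documentation and scripts.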
Sequence Diagram(s)

```mermaid
sequenceDiagram
    actor Workflow as GitHub Workflow<br/>(nightly.yml)
    participant Staging as Corpus Staging
    participant Executor as Cargo Fuzz
    participant Target as Fuzz Target<br/>(e.g., proxy_protocol)
    participant Module as Tested Module<br/>(rginx_http)
    participant Report as Test Report
    Workflow->>Staging: fuzz_stage_seed_corpus()
    Staging->>Staging: Copy *.seed files<br/>to temp directory
    Staging-->>Workflow: Return staged corpus path
    Workflow->>Executor: cargo +nightly fuzz run<br/>--target=TARGET<br/>-max_total_time=10<br/>-dict=*.dict
    loop Each fuzz input
        Executor->>Target: Invoke fuzz_target!<br/>with generated input
        Target->>Target: Write input to temp file<br/>(if file-based target)
        Target->>Module: Call inspect/parse/validate<br/>function
        Module-->>Target: Return result<br/>(or panic if crash)
        Target-->>Executor: Return (no panic = success)
    end
    Executor->>Report: Aggregate results
    Report-->>Workflow: Pass/Fail + Coverage
    Workflow->>Workflow: Exit with status
```

```mermaid
sequenceDiagram
    actor User as Release Manager
    participant Prepare as scripts/prepare-release.sh
    participant Smoke as scripts/run-fuzz-smoke.sh
    participant Fuzz as Cargo Fuzz
    participant Gate as Release Gate<br/>(verify job)
    participant Publish as Publish Job
    User->>Prepare: ./scripts/prepare-release.sh<br/>(for prerelease tag)
    Prepare->>Smoke: Check if prerelease
    alt Prerelease tag detected
        Smoke->>Fuzz: Run 5 fuzz targets
        Fuzz-->>Smoke: Pass/Fail
        Smoke-->>Prepare: Return status
    else Stable release
        Smoke-->>Prepare: Skip fuzz check
    end
    Prepare-->>User: Return (continue if pass)
    User->>Gate: Trigger release workflow
    Gate->>Smoke: Run fuzz smoke again<br/>(prerelease gate)
    Smoke->>Fuzz: Execute targets<br/>-max_total_time=10
    Fuzz-->>Smoke: Results
    Smoke-->>Gate: Pass/Fail
    alt All checks pass
        Gate-->>Publish: Enable publish job
        Publish->>Publish: Merge curated notes<br/>(if RELEASE_NOTES_TAG.md exists)
        Publish-->>User: Publish to GitHub Release
    else Checks fail
        Gate-->>User: Block release
    end
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1a431cef6d
Pull request overview
Prepares the v0.1.3-rc.13 release branch by bumping versions, tightening prerelease verification with deterministic fuzz smoke/coverage tooling, and aligning docs/workflows/release notes around the new release gate expectations.
Changes:
- Bump workspace/crate version metadata to `0.1.3-rc.13` and add curated `RELEASE_NOTES_v0.1.3-rc.13.md`.
- Add a `cargo-fuzz` harness (targets, dictionaries, options, versioned seed corpora) plus smoke/coverage/seed-refresh scripts.
- Update release + nightly GitHub workflows and HTTP/3/release documentation to include prerelease fuzz smoke and curated release notes prepending.
Reviewed changes
Copilot reviewed 54 out of 60 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/run-fuzz-smoke.sh | New deterministic fuzz-smoke runner (seed-staging by default, optional full corpus). |
| scripts/run-fuzz-coverage.sh | New coverage runner that replays corpus and generates llvm-cov reports. |
| scripts/refresh-fuzz-seeds.sh | Seed corpus regeneration script for versioned .seed inputs. |
| scripts/prepare-release.sh | Adds prerelease-only fuzz smoke step into release preparation. |
| scripts/fuzz-common.sh | Shared helpers for staging seed corpora and loading per-target options. |
| fuzz/rust-toolchain.toml | Pins the fuzz/ workspace to nightly. |
| fuzz/options/proxy_protocol.options | Adds target-scoped libFuzzer limits for proxy protocol. |
| fuzz/options/ocsp_response.options | Adds target-scoped libFuzzer limits for OCSP response validation. |
| fuzz/options/ocsp_responder_discovery.options | Adds target-scoped libFuzzer limits for AIA responder discovery. |
| fuzz/options/config_preprocess.options | Adds target-scoped libFuzzer limits for config preprocessing. |
| fuzz/options/certificate_inspect.options | Adds target-scoped libFuzzer limits for certificate inspection. |
| fuzz/fuzz_targets/proxy_protocol.rs | Fuzz target for PROXY protocol v1 parsing entrypoint. |
| fuzz/fuzz_targets/ocsp_response.rs | Fuzz target for OCSP response validation entrypoint (with generated chain). |
| fuzz/fuzz_targets/ocsp_responder_discovery.rs | Fuzz target for OCSP responder URL discovery from cert bytes. |
| fuzz/fuzz_targets/config_preprocess.rs | Fuzz target for config load/preprocess (env expansion + RON parsing). |
| fuzz/fuzz_targets/certificate_inspect.rs | Fuzz target for certificate inspection/diagnostics entrypoint. |
| fuzz/dictionaries/proxy_protocol.dict | Dictionary hints for proxy protocol grammar tokens. |
| fuzz/dictionaries/ocsp_response.dict | Dictionary hints for common OCSP DER fragments. |
| fuzz/dictionaries/ocsp_responder_discovery.dict | Dictionary hints for PEM/AIA/URI discovery. |
| fuzz/dictionaries/config_preprocess.dict | Dictionary hints for RON config structures and env placeholders. |
| fuzz/dictionaries/certificate_inspect.dict | Dictionary hints for PEM and x509-ish tokens. |
| fuzz/corpus/proxy_protocol/untrusted_tcp6.seed | Adds versioned PROXY protocol seed input. |
| fuzz/corpus/proxy_protocol/unknown.seed | Adds versioned PROXY protocol seed input. |
| fuzz/corpus/proxy_protocol/trusted_tcp4.seed | Adds versioned PROXY protocol seed input. |
| fuzz/corpus/proxy_protocol/invalid_prefix.seed | Adds versioned PROXY protocol seed input. |
| fuzz/corpus/ocsp_response/unsupported_response_type.seed | Adds versioned OCSP seed input. |
| fuzz/corpus/ocsp_response/status_unauthorized.seed | Adds versioned OCSP seed input. |
| fuzz/corpus/ocsp_response/status_success_no_body.seed | Adds versioned OCSP seed input. |
| fuzz/corpus/ocsp_response/basic_response_empty_octet.seed | Adds versioned OCSP seed input. |
| fuzz/corpus/ocsp_responder_discovery/no_pem_items.seed | Adds versioned responder-discovery seed input. |
| fuzz/corpus/ocsp_responder_discovery/aia_pem.seed | Adds versioned responder-discovery seed input. |
| fuzz/corpus/config_preprocess/minimal_return.seed | Adds versioned config preprocessing seed input. |
| fuzz/corpus/config_preprocess/include_glob.seed | Adds versioned config preprocessing seed input. |
| fuzz/corpus/config_preprocess/env_defaults.seed | Adds versioned config preprocessing seed input. |
| fuzz/corpus/certificate_inspect/self_signed_pem.seed | Adds versioned certificate-inspect seed input. |
| fuzz/corpus/certificate_inspect/invalid_pem.seed | Adds versioned certificate-inspect seed input. |
| fuzz/README.md | Documents fuzz targets, smoke, coverage, corpora/dictionaries/options conventions. |
| fuzz/Cargo.toml | Defines the dedicated fuzz workspace and fuzz target bins. |
| fuzz/Cargo.lock | Lockfile for the dedicated fuzz workspace. |
| docs/README.md | Adds a docs index and maintenance notes for documentation structure. |
| docs/HTTP3_PHASE7_RELEASE.md | Documents how release gates relate to prerelease fuzz smoke and workflows. |
| docs/HTTP3_PHASE0_BASELINE.md | Adds archived baseline doc for HTTP/3 phase 0. |
| docs/ARCHITECTURE_UPSTREAM_HTTP3_PRODUCTION_PLAN.md | Adds archived upstream HTTP/3 plan and validation entrypoints. |
| docs/ARCHITECTURE_UPSTREAM_HTTP3_PHASE0_BASELINE.md | Adds archived upstream HTTP/3 baseline/constraints doc. |
| docs/ARCHITECTURE_HTTP3_NGINX_ALIGNMENT_PLAN.md | Adds archived HTTP/3 alignment plan with current completion notes. |
| crates/rginx-http/src/tls/ocsp/mod.rs | Adds proptest coverage for responder discovery and OCSP parse rejection cases. |
| crates/rginx-http/src/server/tests.rs | Adds proptest coverage for proxy protocol parsing behavior. |
| crates/rginx-http/src/server/mod.rs | Exposes a doc-hidden proxy protocol parsing entrypoint for fuzzing. |
| crates/rginx-http/src/pki/certificate.rs | Adds proptest coverage for certificate inspection and TLS identity parsing. |
| crates/rginx-http/src/lib.rs | Exposes doc-hidden certificate/OCSP discovery entrypoints for fuzzing. |
| crates/rginx-http/Cargo.toml | Adds proptest dev-dependency for new property tests. |
| crates/rginx-config/src/load.rs | Adds proptest coverage for env placeholder expansion and env-value round-trips. |
| crates/rginx-config/Cargo.toml | Adds proptest dev-dependency via workspace. |
| RELEASE_NOTES_v0.1.3-rc.13.md | Adds curated release notes for the v0.1.3-rc.13 candidate. |
| README.md | Bumps displayed version and documents fuzz/prerelease workflow behavior + docs/fuzz dirs. |
| Cargo.toml | Bumps workspace version and adds proptest to workspace deps. |
| Cargo.lock | Updates lockfile for version bump and proptest dependency graph. |
| .gitignore | Ignores fuzz artifacts/target/coverage and non-versioned corpus content while keeping .seed. |
| .github/workflows/release.yml | Installs nightly + cargo-fuzz and runs fuzz smoke for prereleases; prepends curated notes. |
| .github/workflows/nightly.yml | Adds scheduled HTTP/3 release gate and optional dispatch-only fuzz smoke job. |
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)
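101-109: ⚠️ Potential issue | 🟠 Major
The placement of the nightly toolchain install causes the subsequent verify steps to also use nightly as the default toolchain.
Each run of the dtolnay/rust-toolchain action sets the toolchain it installs as the rustup default. The current order is:
- Line 102: installs `@stable` + `components: rustfmt, clippy`
- Line 108: installs `@nightly` (prerelease only)
- From line 113: `cargo fmt --all --check`, `run-clippy-gate.sh`, `test-fast.sh`, etc.
As a result, all verification steps (lint, gate, test) for prereleases run on nightly, which is inconsistent with the semantics of the stable build, and behavior drift in the nightly toolchain could block a release at any time.
Move the nightly install to just before "Install cargo-fuzz For Prerelease Verify" (line 134) so that it does not affect the earlier verification steps.
♻️ Suggested change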
- - name: Install Nightly Rust Toolchain For Prerelease Fuzzing - if: ${{ steps.meta.outputs.prerelease == 'true' }} - uses: dtolnay/rust-toolchain@nightly - - name: Restore Rust Cache uses: Swatinem/rust-cache@v2.9.1 @@ - name: Run Control Plane Compose Smoke Test run: ./scripts/test-control-plane-compose.sh + - name: Install Nightly Rust Toolchain For Prerelease Fuzzing + if: ${{ steps.meta.outputs.prerelease == 'true' }} + uses: dtolnay/rust-toolchain@nightly + - name: Install cargo-fuzz For Prerelease Verify if: ${{ steps.meta.outputs.prerelease == 'true' }} run: cargo install cargo-fuzz --locked🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/release.yml around lines 101 - 109, The "Install Nightly Rust Toolchain For Prerelease Fuzzing" step currently runs before the verification steps and thus makes nightly the rustup default for subsequent commands; move the conditional dtolnay/rust-toolchain@nightly step so it runs after the verification steps (cargo fmt --all --check, run-clippy-gate.sh, test-fast.sh) and immediately before the "Install cargo-fuzz For Prerelease Verify" step, keeping the "Install Rust Toolchain" (dtolnay/rust-toolchain@stable with components rustfmt, clippy) unchanged; ensure the step name "Install Nightly Rust Toolchain For Prerelease Fuzzing" and its if: condition remain the same but are relocated to avoid affecting earlier checks.
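Review bot: The relocated `dtolnay/rust-toolchain@nightly` step still runs before `cargo install cargo-fuzz --locked` and leaves nightly as the rustup default for every step that follows it in the job, so the move only protects the earlier lint and test steps. If anything after the fuzz smoke builds or packages release artifacts, switch back to stable after the fuzz step, or invoke the fuzz commands with an explicit `+nightly` instead of changing the default. The step also tracks the floating `@nightly` channel, which the pinning suggestion for `fuzz/rust-toolchain.toml` is meant to avoid.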
🧹 Nitpick comments (13)
fuzz/rust-toolchain.toml (1)
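1-3: Pin `channel` to a specific dated nightly to improve reproducibility.
Using `channel = "nightly"` pulls the latest nightly of the day each time it is resolved, which makes builds non-reproducible. Since this PR makes the fuzz smoke test (which depends on nightly) mandatory in the release pipeline, an occasional compiler ICE or library change would directly interrupt the release process and make it hard to reproduce the fuzz behavior of older versions. Use a nightly pinned to a specific date and update it manually on a regular basis:
Suggested change
[toolchain] -channel = "nightly" +channel = "nightly-2026-04-20" profile = "minimal"
It is also recommended to commit `Cargo.lock` along with it, to fully lock dependency compatibility.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fuzz/rust-toolchain.toml` around lines 1 - 3, the current toolchain configuration uses an unpinned channel = "nightly", which makes builds non-reproducible; change the channel under [toolchain] in fuzz/rust-toolchain.toml to a specific date format such as "nightly-YYYY-MM-DD" (replace with the most recently verified nightly date) to lock the compiler version, and commit the project's Cargo.lock to the repository to lock dependencies, so that the fuzz smoke tests running in CI are reproducible and stable; note the chosen nightly date and the update frequency in the commit message for future maintenance (see the channel field in the file and Cargo.lock).
Cargo.toml (1)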
53-53: Suggestion: make `rginx-http` reference `proptest` the same way, to follow workspace dependency management.
The newly added `proptest = "1"` is already declared once as a workspace dependency, but `crates/rginx-http/Cargo.toml` still specifies the version directly with `proptest = "1"`, which is inconsistent with `proptest.workspace = true` in `crates/rginx-config/Cargo.toml` and risks version drift when proptest is upgraded later.
♻️ Suggested change (in `[dev-dependencies]` of `crates/rginx-http/Cargo.toml`)
[dev-dependencies] ctor.workspace = true -proptest = "1" +proptest.workspace = true rcgen = "0.14" tempfile = "3.27"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Cargo.toml` at line 53, [dev-dependencies] in crates/rginx-http currently specifies proptest = "1" directly, which is inconsistent with the workspace declaring proptest as a workspace dependency (proptest.workspace = true); in [dev-dependencies] of crates/rginx-http/Cargo.toml, change the proptest declaration to the workspace reference (that is, remove the fixed version and use proptest.workspace = true) so that all member crates share the same proptest version and later version drift is avoided.
scripts/prepare-release.sh (1)
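158-160: Suggestion: add an early preflight check for `cargo-fuzz` / nightly on the prerelease path, so it does not fail only after all the heavy gates have run.
`run-fuzz-smoke.sh` depends on the nightly toolchain and `cargo-fuzz`, but this step sits at the very end of the pipeline, after `test-fast`, `clippy`, `test-slow`, `tls-gate`, `http3-release-gate` and `control-plane-compose` have already run (possibly taking tens of minutes). When preparing a prerelease locally with the toolchain missing, it fails only at the very end, which is a poor experience.
♻️ Suggestion: validate early for prerelease, near the existing `have` block (around lines 86-87)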
have git || die "git is required" have cargo || die "cargo is required" + +if [[ "${PRERELEASE}" -eq 1 ]]; then + have rustup || die "rustup is required for prerelease fuzz smoke" + rustup run nightly cargo --version >/dev/null 2>&1 \ + || die "nightly toolchain is required for prerelease fuzz smoke (run: rustup toolchain install nightly)" + cargo +nightly fuzz --version >/dev/null 2>&1 \ + || die "cargo-fuzz is required for prerelease fuzz smoke (run: cargo +nightly install cargo-fuzz)" +fi🤖 Prompt for AI Agents
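Review bot: The install hint in the last added check says `cargo +nightly install cargo-fuzz`, while the hint in `scripts/run-fuzz-smoke.sh` says `cargo install cargo-fuzz`; use one command in both messages so a maintainer following either ends up with the same setup. The `rustup run nightly cargo --version` probe also only proves that some nightly is installed, so if `fuzz/rust-toolchain.toml` is pinned to a dated nightly this preflight can pass and the smoke step can still fail at the end; running the probe from inside `fuzz/` without an explicit toolchain override would check the toolchain that is actually selected there.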
Verify each finding against the current code and only fix it if needed. In `@scripts/prepare-release.sh` around lines 158 - 160, Add an early prerelease prereq check near the existing "have" block (around the lines where tools presence is validated) that, when PRERELEASE is set (PRERELEASE=1), verifies the nightly toolchain and cargo-fuzz are available (e.g., check rustup toolchain list for nightly and that cargo-fuzz is on PATH) and fails fast with a clear message if missing; this ensures the later run_step ./scripts/run-fuzz-smoke.sh invocation does not run only at the end and cause late failures.
fuzz/options/ocsp_response.options (1)
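1-3: Suggestion: add an RSS limit for consistency.
This options file has no `rss_limit_mb` setting, while `certificate_inspect.options` and `ocsp_responder_discovery.options` both set `rss_limit_mb=768`. Because OCSP response parsing can also grow memory allocations (similar to certificate parsing), add this limit for consistency and to prevent memory bloat during smoke tests.
♻️ Suggested: add an RSS limit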
# OCSP responses are binary and can be moderately sized, but smoke should stay bounded. -max_len=4096 +-rss_limit_mb=768 -timeout=5🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fuzz/options/ocsp_response.options` around lines 1 - 3, Add an RSS memory cap to keep OCSP fuzzing consistent with the other option files: insert rss_limit_mb=768 into the ocsp_response.options alongside the existing max_len and timeout settings; match the value used in certificate_inspect.options and ocsp_responder_discovery.options so OCSP response parsing cannot exceed the same RSS bound during smoke tests.
crates/rginx-http/src/server/mod.rs (1)
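13-20: Consider putting the fuzz-only entrypoints behind a `fuzzing` feature.
Although `#[doc(hidden)]` hides the documentation, the function is still a stable `pub` API: it ends up in the symbol table of release builds, and external users could call it directly, which creates an implicit stability constraint. Add `[features] fuzzing = []` and cfg-gate this wrapper (and the two similar entrypoints in `lib.rs`), enabling the feature only in `fuzz/Cargo.toml`.
♻️ Reference rewrite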
-#[doc(hidden)] -pub fn parse_proxy_protocol_v1_for_fuzzing( +#[cfg(feature = "fuzzing")] +#[doc(hidden)] +pub fn parse_proxy_protocol_v1_for_fuzzing( header: &str, remote_addr: std::net::SocketAddr, trust_remote_addr: bool, ) -> std::io::Result<Option<std::net::SocketAddr>> { proxy_protocol::parse_proxy_protocol_v1(header, remote_addr, trust_remote_addr) }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@crates/rginx-http/src/server/mod.rs` around lines 13 - 20, hide the public fuzz wrapper parse_proxy_protocol_v1_for_fuzzing (and the two other similar entrypoints in lib.rs) from the stable public API behind an optional feature: add [features] fuzzing = [] to the crate's Cargo.toml, then use #[cfg(feature = "fuzzing")] (or #[cfg_attr(not(feature = "fuzzing"), allow(dead_code))] as needed) on these functions in place of the current pub visibility/export, so that they are compiled only when the fuzzing feature is enabled; finally, enable the feature in fuzz/Cargo.toml (the fuzz workspace crate) so that only the fuzz build exposes these wrappers.
crates/rginx-http/src/tls/ocsp/mod.rs (1)
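1250-1268: Suggestion: hoist construction of the certificates and the OCSP response out of the proptest block, to avoid regenerating key pairs for every case.
`generate_ca_cert` / `generate_leaf_cert` / `build_ocsp_response_for_certificate` are re-invoked inside every case, 48 times, yet they have nothing to do with the `tag` being shrunk; key pair generation is the heaviest cost in the test, and repeating it noticeably slows down `cargo test`, which is amplified on CI for every target platform. Construct `(cert_path, response_template)` once outside proptest, then clone `response` inside the closure and modify its first byte.
♻️ Reference rewrite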
- #[test] - fn validate_ocsp_response_rejects_corrupted_top_level_der_tags( - tag in any::<u8>().prop_filter("DER sequence tag must change", |tag| *tag != 0x30) - ) { - let temp_dir = temp_dir("rginx-ocsp-corrupt-tag"); - std::fs::create_dir_all(&temp_dir).expect("temp dir should exist"); - - let ca = generate_ca_cert("ocsp-test-ca"); - let leaf = generate_leaf_cert("localhost", &ca); - let cert_path = write_cert_chain(&temp_dir, "server", &leaf, &ca); - let mut response = build_ocsp_response_for_certificate(&cert_path, &ca); - response[0] = tag; - - let error = validate_ocsp_response_for_certificate(&cert_path, &response) - .expect_err("corrupted top-level DER tag should be rejected"); - prop_assert!(error.to_string().contains("failed to parse OCSP response")); - - let _ = std::fs::remove_dir_all(temp_dir); - } + // 把昂贵的证书/响应构造一次性完成后,在闭包内仅做字节翻转。 + // 见上方 fixture 初始化(建议改为 once_cell / 普通 #[test] 内的 setup)。🤖 Prompt for AI Agents
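Review bot: As written, the replacement deletes `validate_ocsp_response_rejects_corrupted_top_level_der_tags` and leaves only a two-line comment in its place, so applying it removes the corrupted-DER-tag rejection test instead of speeding it up. The suggestion needs the actual rewrite: build `cert_path` and the response once outside `proptest!`, clone the response inside the case, set `response[0] = tag`, and keep the `prop_assert!` on the "failed to parse OCSP response" error. It should also say where `remove_dir_all` runs once the temp directory is shared across cases.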
Verify each finding against the current code and only fix it if needed. In `@crates/rginx-http/src/tls/ocsp/mod.rs` around lines 1250 - 1268, The test currently regenerates keys and OCSP data on every proptest case; move the expensive setup out of the proptest closure by creating the CA and leaf certs, calling generate_ca_cert, generate_leaf_cert, write_cert_chain and build_ocsp_response_for_certificate once (e.g. before the proptest! invocation or at the top of the test), store a response_template and cert_path, and inside the proptest closure clone the response_template, mutate response[0] to the fuzzed tag, then call validate_ocsp_response_for_certificate on the cloned response; ensure temp_dir setup/cleanup still happens once and keep function references to generate_ca_cert, generate_leaf_cert, write_cert_chain, build_ocsp_response_for_certificate and validate_ocsp_response_for_certificate to locate the code to change.
crates/rginx-http/src/server/tests.rs (1)
126-128: The helper function could be moved to the top or bottom of the file.
`remote_proxy_peer_addr` is inserted between two `#[test]` functions, which tends to break the visual continuity of the test cases when reading. Group this helper with the file's other test helpers, either at the end of the file or right after the `use` statements.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@crates/rginx-http/src/server/tests.rs` around lines 126 - 128, The helper function remote_proxy_peer_addr() is placed between two #[test] functions and interrupts test flow; move this function so all test helpers are grouped together (either immediately after the use imports or consolidated at the bottom of the file with other helpers) to restore visual continuity and keep tests contiguous; update any references to remote_proxy_peer_addr() accordingly.
fuzz/fuzz_targets/ocsp_responder_discovery.rs (1)
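10-24: Sharing one PEM file is racy with multiple workers / concurrency.
`responder_cert_path()` caches a fixed `server.pem` path per process via `OnceLock`. When multiple fuzz processes are started with `cargo fuzz run --jobs N` or libFuzzer `-workers=N`, they all land in the same shared directory and overwrite each other; in addition, failures of `let _ = std::fs::write(...)` are silently swallowed, so `inspect_ocsp_responder_urls_for_fuzzing` actually reads the previous round's content and any crash found becomes hard to replay reliably.
At minimum add `std::process::id()` to the path, or switch to `tempfile::NamedTempFile` generated independently per iteration, and `return` to skip the round when the write fails.
♻️ Reference implementation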
fn responder_cert_path() -> &'static Path { CERT_PATH .get_or_init(|| { - let root = std::env::temp_dir().join("rginx-fuzz-ocsp-responder-discovery"); + let root = std::env::temp_dir() + .join("rginx-fuzz-ocsp-responder-discovery") + .join(std::process::id().to_string()); let _ = std::fs::create_dir_all(&root); root.join("server.pem") }) .as_path() }fuzz_target!(|data: &[u8]| { let path = responder_cert_path(); - let _ = std::fs::write(path, data); - rginx_http::discover_ocsp_responder_urls_for_fuzzing(path); + if std::fs::write(path, data).is_err() { + return; + } + rginx_http::discover_ocsp_responder_urls_for_fuzzing(path); });🤖 Prompt for AI Agents
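Review bot: In `responder_cert_path()` the result of `create_dir_all` is still discarded with `let _ =`, and with the new `is_err()` early return a failed directory creation makes every iteration return before `discover_ocsp_responder_urls_for_fuzzing` is called, so the target would run without a crash while exercising nothing. Fail fast in the initializer (for example `.expect(...)` on `create_dir_all`) and keep the per-iteration skip only for the write itself. The per-PID directories under the temp dir are also never removed, so repeated runs accumulate them.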
Verify each finding against the current code and only fix it if needed. In `@fuzz/fuzz_targets/ocsp_responder_discovery.rs` around lines 10 - 24, responder_cert_path() and the fuzz target write share a static CERT_PATH which causes races across fuzz workers; change the fuzzer to create a unique per-iteration temp file (e.g., include std::process::id() in the path or use tempfile::NamedTempFile) instead of reusing CERT_PATH, and make the fuzz target check the result of std::fs::write(path, data) and return/skip the iteration on error; update references in the fuzz target (the fuzz_target closure and the call to rginx_http::discover_ocsp_responder_urls_for_fuzzing) to use the new per-iteration path or NamedTempFile as the input.
.github/workflows/release.yml (1)
134-140: `cargo install cargo-fuzz --locked` is not cached and slows down every prerelease.
`cargo install cargo-fuzz --locked` compiles from source on ubuntu-24.04, which usually takes 1–3 minutes. Consider switching to the prebuilt binary from `taiki-e/install-action` to cut CI time, for example:
```yaml
- name: Install cargo-fuzz For Prerelease Verify
  if: ${{ steps.meta.outputs.prerelease == 'true' }}
  uses: taiki-e/install-action@v2
  with:
    tool: cargo-fuzz
```
Leaving it unfixed does not affect correctness; this is only a pipeline optimization.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/release.yml around lines 134 - 140, Replace the step that runs the slow source build ("Install cargo-fuzz For Prerelease Verify" which currently executes `cargo install cargo-fuzz --locked`) with the prebuilt binary installer action; change the step to use `taiki-e/install-action@v2` and pass `tool: cargo-fuzz` while preserving the existing `if: ${{ steps.meta.outputs.prerelease == 'true' }}` condition and the subsequent "Run Prerelease Fuzz Smoke" step so the prerelease check still runs but uses the cached/prebuilt installer instead of compiling from source.
fuzz/fuzz_targets/certificate_inspect.rs (1)
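10-24: Heavily duplicates `ocsp_responder_discovery.rs` and shares the same concurrent-write race risk.
This harness's `OnceLock` + fixed `bundle.pem` path is almost line-for-line identical to `fuzz/fuzz_targets/ocsp_responder_discovery.rs`, with two issues:
- With multiple workers / `--jobs N`, different fuzz processes write the same file (see the comment on `ocsp_responder_discovery.rs`). When fixing it, also append `std::process::id()` to the `temp_dir` path, or `return` to skip the current iteration when `fs::write` fails.
- The temp-file initialization logic of these two targets can be extracted into `fuzz/fuzz_targets/common/` (or a `mod common;`), to avoid more copy/paste when new targets are added later.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@fuzz/fuzz_targets/certificate_inspect.rs` around lines 10 - 24, the current harness duplicates ocsp_responder_discovery.rs in its use of certificate_path/temp files and has a concurrent-write race: the write in fuzz_target (std::fs::write) and the fixed bundle.pem behind the OnceLock in certificate_path cause conflicts between multiple worker processes. Modify certificate_inspect.rs: append std::process::id() (or another unique suffix) to the temp_dir path in certificate_path()/OnceLock to avoid cross-process conflicts, and check for an error after calling std::fs::write(path, data), returning to skip the current iteration when the write fails; also extract the duplicated certificate_path/OnceLock logic into a shared module (for example fuzz/fuzz_targets/common or mod common) and reuse it in both targets (see the functions/symbols certificate_path and fuzz_target).
scripts/refresh-fuzz-seeds.sh (1)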
21-33: `write_text_seed` uses an unquoted heredoc, which carries a minor injection risk when seeds are extended in the future.
`cat >"${path}" <<EOF` + `$*` is an unquoted heredoc, so the body undergoes command substitution / backslash escaping. All current callers use single-quoted strings and the content contains no `` ` `` or `$(...)` forms, so it is fine today. But if someone later adds a seed containing a literal such as `$(date)`, the shell will execute it.
A more robust form is `cat >"${path}" <<'EOF'` with `$2` fed directly via stdin, or simply `printf '%s\n' "$2" >"${path}"`. This is purely a defensive suggestion and does not block merging.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/refresh-fuzz-seeds.sh` around lines 21 - 33, The heredoc in write_text_seed is unquoted and can perform command/escape expansion on $*; change write_text_seed to write the provided content safely by either using a quoted heredoc (<<'EOF') so the body is treated literally, or replace the heredoc with a safe printf/redirect pattern (e.g., printf '%s\n' "$*" >"${path}") to avoid command substitution and backslash expansion; keep write_binary_seed as-is but ensure you still use the same "$*" handling for path and content variables consistently.
scripts/run-fuzz-smoke.sh (1)
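77-91: The preflight checks could be a bit more robust (optional)
Two small points:
- Line 79 calls `rustup` directly without first checking `command -v rustup`; if `rustup` is not installed in the environment, the user gets bash's `command not found` error instead of the script's own `[fuzz-smoke] error: ...` message, which makes debugging slightly worse.
- On line 86, `mapfile -t targets < <(cargo fuzz list)`: process substitution does not pass the exit code of `cargo fuzz list` to the parent shell; when `cargo fuzz list` fails, for example because `fuzz/Cargo.toml` is broken, the end user still sees "no fuzz targets found", which makes the problem more roundabout to locate.
♻️ Suggested change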
command -v cargo >/dev/null 2>&1 || die "cargo is required" cargo fuzz --help >/dev/null 2>&1 || die "cargo-fuzz is not installed; run: cargo install cargo-fuzz" +command -v rustup >/dev/null 2>&1 || die "rustup is required" rustup toolchain list | grep -q '^nightly' || die "nightly toolchain is not installed; run: rustup toolchain install nightly" @@ if [[ "${`#EXPLICIT_TARGETS`[@]}" -eq 0 ]]; then - mapfile -t targets < <(cargo fuzz list) + if ! cargo_fuzz_list_output="$(cargo fuzz list)"; then + die "cargo fuzz list failed; check ${FUZZ_DIR}/Cargo.toml" + fi + mapfile -t targets <<<"${cargo_fuzz_list_output}" else targets=("${EXPLICIT_TARGETS[@]}") fi🤖 Prompt for AI Agents
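Review bot: `mapfile -t targets <<<"${cargo_fuzz_list_output}"` yields an array with one empty element when `cargo fuzz list` succeeds but prints nothing, because a here-string always appends a newline; a check on the array length would then pass and the "no fuzz targets found" path would be skipped in favour of running an empty target name. Guard with `[[ -n "${cargo_fuzz_list_output}" ]]` before filling the array, or drop empty entries after the `mapfile` call.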
Verify each finding against the current code and only fix it if needed. In `@scripts/run-fuzz-smoke.sh` around lines 77 - 91, Add a preflight check for rustup (use command -v rustup) before invoking it and replace the process-substitution call to populate targets with an explicit capture of the cargo fuzz list output and its exit status: run `cargo fuzz list`, save its stdout to a variable (e.g., fuzz_output) and check its exit code; if non-zero, call die with a clear error mentioning cargo fuzz list failed and include the captured stderr/exit info, otherwise split fuzz_output into the targets array (or fall back to EXPLICIT_TARGETS). Reference symbols: rustup, cargo fuzz list, mapfile/targets, EXPLICIT_TARGETS, die.
scripts/run-fuzz-coverage.sh (1)
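141-152: Confirm whether the `.options` files reused in the coverage stage contain parameters that would truncate replay
Checked the actual contents under `fuzz/options/`. The good news is that there is no `-max_total_time` (which would truncate the whole coverage run), but there are still some parameters to watch:
- All files contain `-timeout=5` (per-input timeout limit)
- Some files contain `-rss_limit_mb=768` (memory limit)
- All files contain `-max_len` (input length limit)
During coverage replay, if processing a single corpus sample takes more than 5 seconds, or RSS exceeds 768 MB, the coverage run is truncated or the process is killed, which underestimates actual coverage. Although these parameters are not as obviously harmful as `-max_total_time`, they can still skew the coverage data.
Either pass only a clearly safe subset during coverage runs (such as `-max_len` and `-dict`), or state explicitly in the script or README how `.options` applies to coverage.
🤖 Prompt for AI Agents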
Verify each finding against the current code and only fix it if needed. In `@scripts/run-fuzz-coverage.sh` around lines 141 - 152, The coverage run currently reuses all entries in target_options (populated by fuzz_load_target_options) which can include runtime-limiting flags like -timeout, -rss_limit_mb or -max_total_time that will truncate or kill coverage replay; change the logic before building coverage_cmd to filter target_options to an allow-list (e.g., only permit safe flags such as -max_len and -dict or other proven-safe prefixes) and use that filtered list when appending to coverage_cmd, and update the log message around fuzz_load_target_options/coverage to indicate only safe options are passed for coverage runs; reference symbols: fuzz_load_target_options, target_options, coverage_cmd, FUZZ_DIR, TARGET, CORPUS_DIR.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@crates/rginx-http/Cargo.toml`:
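- Line 50: In rginx-http's Cargo.toml, change proptest under dev-dependencies
from a hardcoded version to the workspace form: replace the current
proptest = "1" entry and use proptest.workspace = true, as with
ctor.workspace = true or base64.workspace = true, so that it matches the
workspace root declaration and unifies the dependency declaration style; make
sure to modify only that entry in the dev-dependencies section and not change
other dependency declarations.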
In `@fuzz/corpus/certificate_inspect/self_signed_pem.seed`:
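- Around line 1-21: The self-signed certificate in the current seed is valid for
only ~24 hours, which makes inspect_certificate() (which triggers the
"cert[{index}] expired" branch and decides on expiry warnings based on
TLS_EXPIRY_WARNING_DAYS) always take the expired branch after a short time,
undermining long-term fuzz coverage; replace this PEM seed with a self-signed
certificate valid for ≥10 years (updating the notBefore/notAfter fields), or add
code to the fuzz initialization script that automatically generates a long-lived
self-signed certificate and writes it to this seed location, so that
inspect_certificate(), the "cert[{index}] expired" branch and the warning branch
based on TLS_EXPIRY_WARNING_DAYS stay covered over the long term.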
In `@fuzz/fuzz_targets/ocsp_response.rs`:
- Around line 15-29: The ocsp_cert_chain_path initializer silently ignores IO
errors and uses a fixed temp path which causes TOCTOU/race issues; change the
create_dir_all and fs::write calls in ocsp_cert_chain_path to unwrap or
.expect(...) so initialization failures abort fast, and create a process-private
temporary directory (e.g., include PID or use a TempDir/unique UUID) instead of
std::env::temp_dir().join("rginx-fuzz-ocsp-root") to avoid cross-process
collisions; keep using CERT_CHAIN_PATH, generate_ca_cert and generate_leaf_cert
but ensure cert file write errors bubble up so
validate_ocsp_response_for_certificate exercises the intended OCSP logic.
In `@scripts/refresh-fuzz-seeds.sh`:
- Around line 150-204: The hardcoded PEM used for self_signed_pem.seed and
aia_pem.seed is short-lived and duplicated; update the PEM to have a long
validity (e.g., 10 years) and remove duplication by defining a single shell
variable (e.g., SELF_SIGNED_PEM) and reuse it in both write_text_seed calls;
modify the write_text_seed invocations for the certificate_inspect and
ocsp_responder_discovery targets to reference that variable instead of embedding
the PEM twice, and ensure the invalid_pem.seed remains unchanged.
---
Outside diff comments:
In @.github/workflows/release.yml:
- Around line 101-109: The "Install Nightly Rust Toolchain For Prerelease
Fuzzing" step currently runs before the verification steps and thus makes
nightly the rustup default for subsequent commands; move the conditional
dtolnay/rust-toolchain@nightly step so it runs after the verification steps
(cargo fmt --all --check, run-clippy-gate.sh, test-fast.sh) and immediately
before the "Install cargo-fuzz For Prerelease Verify" step, keeping the "Install
Rust Toolchain" (dtolnay/rust-toolchain@stable with components rustfmt, clippy)
unchanged; ensure the step name "Install Nightly Rust Toolchain For Prerelease
Fuzzing" and its if: condition remain the same but are relocated to avoid
affecting earlier checks.
---
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 134-140: Replace the step that runs the slow source build
("Install cargo-fuzz For Prerelease Verify" which currently executes `cargo
install cargo-fuzz --locked`) with the prebuilt binary installer action; change
the step to use `taiki-e/install-action@v2` and pass `tool: cargo-fuzz` while
preserving the existing `if: ${{ steps.meta.outputs.prerelease == 'true' }}`
condition and the subsequent "Run Prerelease Fuzz Smoke" step so the prerelease
check still runs but uses the cached/prebuilt installer instead of compiling
from source.
In `@Cargo.toml`:
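- Line 53: crates/rginx-http currently specifies proptest = "1" directly in its [dev-dependencies], which is inconsistent with
the workspace's practice of treating proptest as a workspace dependency (proptest.workspace = true); in the
[dev-dependencies] of crates/rginx-http/Cargo.toml, change the proptest declaration to a workspace
reference (that is, remove the pinned version and use proptest.workspace = true) so that all member crates share the same proptest version and later version drift is avoided.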
In `@crates/rginx-http/src/server/mod.rs`:
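- Around line 13-20: Hide the public fuzz-only wrapper parse_proxy_protocol_v1_for_fuzzing (and
the two other similar entry points in lib.rs) from the stable public API behind an optional feature: add [features] fuzzing
= [] to the crate's Cargo.toml, then replace the current pub visibility/export on these functions with #[cfg(feature = "fuzzing")] (or #[cfg_attr(not(feature =
"fuzzing"), allow(dead_code))] as needed) so that they compile only when the fuzzing feature is enabled; finally, enable that feature in
fuzz/Cargo.toml (the fuzz workspace crate) so that only the fuzz build exposes
these wrappers.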
In `@crates/rginx-http/src/server/tests.rs`:
- Around line 126-128: The helper function remote_proxy_peer_addr() is placed
between two #[test] functions and interrupts test flow; move this function so
all test helpers are grouped together (either immediately after the use imports
or consolidated at the bottom of the file with other helpers) to restore visual
continuity and keep tests contiguous; update any references to
remote_proxy_peer_addr() accordingly.
In `@crates/rginx-http/src/tls/ocsp/mod.rs`:
- Around line 1250-1268: The test currently regenerates keys and OCSP data on
every proptest case; move the expensive setup out of the proptest closure by
creating the CA and leaf certs, calling generate_ca_cert, generate_leaf_cert,
write_cert_chain and build_ocsp_response_for_certificate once (e.g. before the
proptest! invocation or at the top of the test), store a response_template and
cert_path, and inside the proptest closure clone the response_template, mutate
response[0] to the fuzzed tag, then call validate_ocsp_response_for_certificate
on the cloned response; ensure temp_dir setup/cleanup still happens once and
keep function references to generate_ca_cert, generate_leaf_cert,
write_cert_chain, build_ocsp_response_for_certificate and
validate_ocsp_response_for_certificate to locate the code to change.
In `@fuzz/fuzz_targets/certificate_inspect.rs`:
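- Around line 10-24: The current harness duplicates ocsp_responder_discovery.rs in its use of
certificate_path/temporary files and has a concurrent-write race: the write in fuzz_target (std::fs::write) combined with
the fixed bundle.pem held in certificate_path's OnceLock causes conflicts between multiple worker processes. Modify
certificate_inspect.rs: append std::process::id() (or another unique suffix) to the temp_dir path in
certificate_path()/OnceLock to avoid cross-process collisions, check for an error after calling std::fs::write(path, data),
and return immediately to skip the current iteration when the write fails; also extract the duplicated certificate_path/OnceLock logic into a shared module (for example
fuzz/fuzz_targets/common or mod common) and reuse it in both targets (reference functions/symbols: certificate_path and
fuzz_target).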
In `@fuzz/fuzz_targets/ocsp_responder_discovery.rs`:
- Around line 10-24: responder_cert_path() and the fuzz target write share a
static CERT_PATH which causes races across fuzz workers; change the fuzzer to
create a unique per-iteration temp file (e.g., include std::process::id() in the
path or use tempfile::NamedTempFile) instead of reusing CERT_PATH, and make the
fuzz target check the result of std::fs::write(path, data) and return/skip the
iteration on error; update references in the fuzz target (the fuzz_target
closure and the call to rginx_http::discover_ocsp_responder_urls_for_fuzzing) to
use the new per-iteration path or NamedTempFile as the input.
In `@fuzz/options/ocsp_response.options`:
- Around line 1-3: Add an RSS memory cap to keep OCSP fuzzing consistent with
the other option files: insert rss_limit_mb=768 into the ocsp_response.options
alongside the existing max_len and timeout settings; match the value used in
certificate_inspect.options and ocsp_responder_discovery.options so OCSP
response parsing cannot exceed the same RSS bound during smoke tests.
In `@fuzz/rust-toolchain.toml`:
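- Around line 1-3: The current toolchain configuration uses an unpinned channel = "nightly", which makes builds non-reproducible; change the
channel under [toolchain] in fuzz/rust-toolchain.toml to a dated form such as
"nightly-YYYY-MM-DD" (substituting the most recently verified nightly date) to pin the compiler version, and commit the project's Cargo.lock
to the repository to pin dependencies, so that the fuzz smoke tests run in CI are reproducible and stable; note the chosen nightly
date and the update cadence in the commit message for future maintenance (see the channel field in the file and Cargo.lock).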
In `@scripts/prepare-release.sh`:
- Around line 158-160: Add an early prerelease prereq check near the existing
"have" block (around the lines where tools presence is validated) that, when
PRERELEASE is set (PRERELEASE=1), verifies the nightly toolchain and cargo-fuzz
are available (e.g., check rustup toolchain list for nightly and that cargo-fuzz
is on PATH) and fails fast with a clear message if missing; this ensures the
later run_step ./scripts/run-fuzz-smoke.sh invocation does not run only at the
end and cause late failures.
In `@scripts/refresh-fuzz-seeds.sh`:
- Around line 21-33: The heredoc in write_text_seed is unquoted and can perform
command/escape expansion on $*; change write_text_seed to write the provided
content safely by either using a quoted heredoc (<<'EOF') so the body is treated
literally, or replace the heredoc with a safe printf/redirect pattern (e.g.,
printf '%s\n' "$*" >"${path}") to avoid command substitution and backslash
expansion; keep write_binary_seed as-is but ensure you still use the same "$*"
handling for path and content variables consistently.
In `@scripts/run-fuzz-coverage.sh`:
- Around line 141-152: The coverage run currently reuses all entries in
target_options (populated by fuzz_load_target_options) which can include
runtime-limiting flags like -timeout, -rss_limit_mb or -max_total_time that will
truncate or kill coverage replay; change the logic before building coverage_cmd
to filter target_options to an allow-list (e.g., only permit safe flags such as
-max_len and -dict or other proven-safe prefixes) and use that filtered list
when appending to coverage_cmd, and update the log message around
fuzz_load_target_options/coverage to indicate only safe options are passed for
coverage runs; reference symbols: fuzz_load_target_options, target_options,
coverage_cmd, FUZZ_DIR, TARGET, CORPUS_DIR.
In `@scripts/run-fuzz-smoke.sh`:
- Around line 77-91: Add a preflight check for rustup (use command -v rustup)
before invoking it and replace the process-substitution call to populate targets
with an explicit capture of the cargo fuzz list output and its exit status: run
`cargo fuzz list`, save its stdout to a variable (e.g., fuzz_output) and check
its exit code; if non-zero, call die with a clear error mentioning cargo fuzz
list failed and include the captured stderr/exit info, otherwise split
fuzz_output into the targets array (or fall back to EXPLICIT_TARGETS). Reference
symbols: rustup, cargo fuzz list, mapfile/targets, EXPLICIT_TARGETS, die.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: 70f20178-7fbf-4bf3-8fb3-9508659b06ff
⛔ Files ignored due to path filters (2)
- Cargo.lock is excluded by !**/*.lock
- fuzz/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (58)
- .github/workflows/nightly.yml
- .github/workflows/release.yml
- .gitignore
- Cargo.toml
- README.md
- RELEASE_NOTES_v0.1.3-rc.13.md
- crates/rginx-config/Cargo.toml
- crates/rginx-config/src/load.rs
- crates/rginx-http/Cargo.toml
- crates/rginx-http/src/lib.rs
- crates/rginx-http/src/pki/certificate.rs
- crates/rginx-http/src/server/mod.rs
- crates/rginx-http/src/server/tests.rs
- crates/rginx-http/src/tls/ocsp/mod.rs
- docs/ARCHITECTURE_HTTP3_NGINX_ALIGNMENT_PLAN.md
- docs/ARCHITECTURE_UPSTREAM_HTTP3_PHASE0_BASELINE.md
- docs/ARCHITECTURE_UPSTREAM_HTTP3_PRODUCTION_PLAN.md
- docs/HTTP3_PHASE0_BASELINE.md
- docs/HTTP3_PHASE7_RELEASE.md
- docs/README.md
- fuzz/Cargo.toml
- fuzz/README.md
- fuzz/corpus/certificate_inspect/invalid_pem.seed
- fuzz/corpus/certificate_inspect/self_signed_pem.seed
- fuzz/corpus/config_preprocess/env_defaults.seed
- fuzz/corpus/config_preprocess/include_glob.seed
- fuzz/corpus/config_preprocess/minimal_return.seed
- fuzz/corpus/ocsp_responder_discovery/aia_pem.seed
- fuzz/corpus/ocsp_responder_discovery/no_pem_items.seed
- fuzz/corpus/ocsp_response/basic_response_empty_octet.seed
- fuzz/corpus/ocsp_response/status_success_no_body.seed
- fuzz/corpus/ocsp_response/status_unauthorized.seed
- fuzz/corpus/ocsp_response/unsupported_response_type.seed
- fuzz/corpus/proxy_protocol/invalid_prefix.seed
- fuzz/corpus/proxy_protocol/trusted_tcp4.seed
- fuzz/corpus/proxy_protocol/unknown.seed
- fuzz/corpus/proxy_protocol/untrusted_tcp6.seed
- fuzz/dictionaries/certificate_inspect.dict
- fuzz/dictionaries/config_preprocess.dict
- fuzz/dictionaries/ocsp_responder_discovery.dict
- fuzz/dictionaries/ocsp_response.dict
- fuzz/dictionaries/proxy_protocol.dict
- fuzz/fuzz_targets/certificate_inspect.rs
- fuzz/fuzz_targets/config_preprocess.rs
- fuzz/fuzz_targets/ocsp_responder_discovery.rs
- fuzz/fuzz_targets/ocsp_response.rs
- fuzz/fuzz_targets/proxy_protocol.rs
- fuzz/options/certificate_inspect.options
- fuzz/options/config_preprocess.options
- fuzz/options/ocsp_responder_discovery.options
- fuzz/options/ocsp_response.options
- fuzz/options/proxy_protocol.options
- fuzz/rust-toolchain.toml
- scripts/fuzz-common.sh
- scripts/prepare-release.sh
- scripts/refresh-fuzz-seeds.sh
- scripts/run-fuzz-coverage.sh
- scripts/run-fuzz-smoke.sh
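The process-private scratch path, fail-fast setup and skip-on-write-failure pattern requested in the comments on ocsp_response.rs, certificate_inspect.rs and ocsp_responder_discovery.rs, as an added example that is not code from this PR. The names `scratch_dir`, `stage_input`, `run_iteration` and the directory prefix are hypothetical, and the PID suffix is used only to stay std-only where the review also suggests `tempfile`.

```rust
use std::fs;
use std::path::{Path, PathBuf};
use std::sync::OnceLock;

// Hypothetical helper names; std only, so this builds without the fuzz crate.
static SCRATCH_DIR: OnceLock<PathBuf> = OnceLock::new();

/// Process-private scratch directory, created once per fuzz worker process.
/// The PID suffix keeps parallel workers from overwriting each other's input.
/// (A randomly named temp dir, e.g. from the tempfile crate, is the stronger choice.)
fn scratch_dir() -> &'static Path {
    SCRATCH_DIR.get_or_init(|| {
        let dir = std::env::temp_dir()
            .join(format!("rginx-fuzz-example-{}", std::process::id()));
        // Fail fast: if the fixture cannot be set up, every iteration would
        // only exercise the "file not found" path while looking healthy.
        fs::create_dir_all(&dir).expect("create fuzz scratch dir");
        dir
    })
}

/// Write one fuzz input under the scratch dir.
/// Returns None on any IO error so the caller can skip the iteration
/// instead of handing a stale or missing file to the code under test.
fn stage_input(name: &str, data: &[u8]) -> Option<PathBuf> {
    let path = scratch_dir().join(name);
    fs::write(&path, data).ok()?;
    Some(path)
}

/// Body of a file-based fuzz iteration. `inspect` stands in for the
/// path-taking function under test (an assumption of this example).
fn run_iteration(data: &[u8], inspect: impl Fn(&Path) -> usize) -> Option<usize> {
    let path = stage_input("bundle.pem", data)?;
    Some(inspect(&path))
}

fn main() {
    // Constructed sample input, not a seed from the repository.
    let seen = run_iteration(b"-----BEGIN CERTIFICATE-----\n", |p| {
        fs::read(p).map(|b| b.len()).unwrap_or(0)
    });
    println!("{:?} bytes read back via {}", seen, scratch_dir().display());
}
```

Inside a real `fuzz_target!` closure, the `None` case becomes an early `return`.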
|
Addressed the latest review feedback in 69f97bc. Resolved items:
Validation run locally:
|
Summary
Validation