Thanks @vanhauser-thc for clarifying about fastresume.bin, things are much clearer now.

About CI-Fuzzing, you are spot on about the PR blocking issue. The way things are set up now is to not run on every PR (because as you said- 1. it's time consuming, and 2. a crash may not be due to the PR commits). Instead, we do one daily scheduled run for 4 hours on master. That way, any crash due to fuzzing can be picked up by engineering on-call for debugging just like production issues or other test suites.

Another factor that led to CI-Fuzzing: Being a startup, engineering velocity is currently too fast, and therefore renders harness outdated pretty quickly. If anything is more frustrating that not finding bugs- it is harness that fails to build because something changes in the dependencies/target class every now and then. Hence, we are also planning to build the fuzz targets using ccache on every PR (but not fuzz them), so that if it fails to build, the dev knows it's prolly due to their changes and they can update the harness before the next CI-Fuzz run.

So tl;dr: Do you think it can slightly improve efficiency if we upload the queue at the end of every CI run, then on the next run, we merge it temporarily with the seed inputs (on the CI runner) and just let AFL++ run its course w/o bothering much about the state? The way I see it- if we seed with the queue data, we are also providing patterns that were mutated based on previous feedbacks so AFL++ is perhaps getting a leg up in the next cycle (in terms of finding those paths quickly). WDYT?

Sounds like a good apporach to me, but why only fuzz for 4 hours instead of 23-24?
requiring a successful harness build in the CI is a very good idea.
Of course keep the generated corpus! do a minimization on the new compiled harness before you run and keep backups.
Also have a specific reviewer if the harness changes (because this can invalidate the existing corpus and if the change is good then you need a rewriter for the existing corpus)

4 hours because Github Actions limits self-hosted runner jobs to 6 hours. We are currently building harnesses w/o ccache, so factoring all the pre-fuzzer steps (deps installation + harness build) and post-fuzzing steps (crash detection + corpus and crash uploads), we are quite limited on the runtime. Guess once we turn on caching, we can bump that to 5 hours easy.

Thanks for reminding about corpus trimming, it def makes no sense to seed AFL++ with redundant test cases. Maybe I'll run afl-cmin on the downloaded queue (from prev run), redirect the output to the project seed corpus dir, which is then passed to AFL++ to start the fuzzing.

Regarding corpus maintenance, this is really another important aspect. Right now, we don't foresee a situation where a harness rewrite will completely make the existing seed useless. There are other interfaces we fuzz (like file format parsers) where corpus maintenance is really important and needs to be structured/maintained around the harness logic.

I am planning a fun PoC with LLMs to seed fuzzers on the fly, that will eliminate the onus of maintaining extensive corpuses at repo level. We could extend the wrapper script(s) that control the CI-fuzzing campaigns, to also generate LLM prompts for creating input seeds before starting the fuzzer. :)