# libFuzzer Integration Reference

## Additional Sanitizer Configuration

### MSan

You need to [download prebuilt instrumented libraries](https://www.chromium.org/developers/testing/memorysanitizer#TOC-How-to-build-and-run)
to use MSan ([crbug/653712](https://bugs.chromium.org/p/chromium/issues/detail?id=653712)):
```bash
GYP_DEFINES='use_goma=1 msan=1 use_prebuilt_instrumented_libraries=1' gclient runhooks
```

### UBSan

By default, UBSan only prints a report and keeps running when it detects undefined
behavior, so the fuzzer does not record a crash. To make it crash, set the following
option in the environment:
```bash
UBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path>
```
Other useful options (also used by ClusterFuzz) are:
```bash
UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_directory_or_single_testcase_path>
```

## Supported Platforms and Configurations

### Builder configurations

The exact GN arguments that are used on our builders can be generated by
running:

| Builder | Command |
|---------|---------|
|Linux ASan | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan' out/Directory` |
|Linux ASan Debug | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan Debug' out/Directory` |
|Linux MSan \[[*](#MSan)\] | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux MSan' out/Directory` |
|Linux UBSan \[[*](#UBSan)\]| `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux UBSan' out/Directory` |
|Mac ASan | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Mac ASan' out/Directory` |
|Windows ASan | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Windows ASan' out/Directory` |

### Linux

Linux is fully supported by libFuzzer and ClusterFuzz with the following sanitizer
configurations:

| GN Argument | Description |
|--------------|----|
| is_asan=true | enables [Address Sanitizer] to catch problems like buffer overruns. |
| is_msan=true | enables [Memory Sanitizer] to catch problems like uninitialized reads. \[[*](#MSan)\] |
| is_ubsan_security=true | enables [Undefined Behavior Sanitizer] to catch undefined behavior like integer overflow. \[[*](#UBSan)\] |

Configuration example:

```bash
# With address sanitizer
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true' --check
```

### Mac

Mac is supported by libFuzzer with the `is_asan` configuration.

Configuration example:

```bash
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true mac_deployment_target="10.7"' --check
```

### Windows

Windows is supported by libFuzzer with the `is_asan` configuration.

Configuration example:

```bash
gn gen out/libfuzzer "--args=use_libfuzzer=true is_asan=true is_debug=false is_component_build=false" --check
```

On Windows you must use `is_component_build=false`, as libFuzzer does not support
component builds on Windows. If you are using `is_asan=true` then you must also use
`is_debug=false`, as ASan does not support debug builds on Windows.
You may also want to consider using `symbol_level=1`, which reduces build
size by lowering the symbol level to what libFuzzer needs (useful
if building many fuzz targets).

## fuzzer_test GN Template

Use `fuzzer_test` to define libFuzzer targets:

```
fuzzer_test("my_fuzzer") {
  ...
}
```

The following arguments are supported:

| Argument | Description |
|----------|-------------|
| `sources` | **required** list of fuzzer test source files |
| `deps` | fuzzer dependencies |
| `additional_configs` | additional GN configurations to be used for compilation |
| `dict` | a dictionary file for the fuzzer |
| `libfuzzer_options` | runtime options for the fuzzer, as a list of `flag=value` strings. See [Fuzzer Runtime Options](#Fuzzer-Runtime-Options) |
| `seed_corpus` | single directory containing test inputs, parsed recursively |
| `seed_corpuses` | multiple directories with the same purpose as `seed_corpus` |
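
As an added example (this is not code from the Chromium tree or from the libFuzzer
project), here is a complete fuzz target of the kind a `fuzzer_test()` target lists
in `sources`. The record layout, `Record`, `ParseTlv` and `RecordCount` are all
invented here for illustration; only `LLVMFuzzerTestOneInput` is the real libFuzzer
entry point. The two bounds checks in the parser are exactly the ones whose absence
the `is_asan` and `is_ubsan_security` builds above would report: dropping the
declared-length check makes the copy read past the end of the fuzzer-supplied
buffer, which ASan reports as a heap-buffer-overflow.

```cpp
// Added example, not part of the Chromium libFuzzer docs.
// Hypothetical format under test: a sequence of records, each
//   1 byte tag, 2 bytes big-endian length, `length` bytes of value.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

struct Record {
  uint8_t tag;
  std::vector<uint8_t> value;
};

// Parses every record in [data, data + size). Returns false on malformed input.
// All arithmetic is on size_t and every read is checked against `size`, so the
// function is safe on arbitrary fuzzer input.
bool ParseTlv(const uint8_t* data, size_t size, std::vector<Record>* out) {
  size_t pos = 0;
  while (pos < size) {
    // Header check: a tag plus a 2-byte length must fit in the remaining bytes.
    if (size - pos < 3) return false;
    uint8_t tag = data[pos];
    size_t len = (static_cast<size_t>(data[pos + 1]) << 8) | data[pos + 2];
    pos += 3;
    // Length check: the declared value length must fit in the remaining bytes.
    // Without this, assign() below reads past the input and ASan fires.
    if (len > size - pos) return false;
    Record rec;
    rec.tag = tag;
    rec.value.assign(data + pos, data + pos + len);
    out->push_back(std::move(rec));
    pos += len;  // cannot overflow: len <= size - pos was established above
  }
  return true;
}

// Convenience wrapper (hypothetical, not used by libFuzzer): number of records
// parsed, or -1 if the input was rejected.
int RecordCount(const uint8_t* data, size_t size) {
  std::vector<Record> records;
  if (!ParseTlv(data, size, &records)) return -1;
  return static_cast<int>(records.size());
}

// libFuzzer entry point. The return value is always 0; bugs surface as crashes,
// sanitizer reports or timeouts, not as a return code.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<Record> records;
  ParseTlv(data, size, &records);
  return 0;
}
```

A `fuzzer_test("tlv_fuzzer") { sources = [ "tlv_fuzzer.cc" ] }` target would
compile this file; libFuzzer supplies `main`, so the target defines none of its own.
`RecordCount` exists only so the parser's verdicts can be checked directly outside
the fuzzer.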

## Fuzzer Runtime Options

There are many different runtime options supported by libFuzzer. Options
are passed as command line arguments:

```
./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
```

The most common flags are:

| Flag | Description |
|------|-------------|
| max_len | Maximum length, in bytes, of a test input. |
| timeout | Timeout in seconds. Inputs that take longer than this to process are reported as bugs. |

The full list of options can be found on the [libFuzzer options] page and by running
the binary with `-help=1`.

To specify these options for ClusterFuzz, list all parameters in the
`libfuzzer_options` target attribute:

```
fuzzer_test("my_fuzzer") {
  ...
  libfuzzer_options = [
    "max_len=2048",
    "use_traces=1",
  ]
}
```

[libFuzzer options]: http://llvm.org/docs/LibFuzzer.html#options
[Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html
[Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html
[Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html