1*6777b538SAndroid Build Coastguard Worker# libFuzzer Integration Reference 2*6777b538SAndroid Build Coastguard Worker 3*6777b538SAndroid Build Coastguard Worker## Additional Sanitizer Configuration 4*6777b538SAndroid Build Coastguard Worker 5*6777b538SAndroid Build Coastguard Worker### MSan 6*6777b538SAndroid Build Coastguard Worker 7*6777b538SAndroid Build Coastguard WorkerMemory Sanitizer (MSan) in Chromium only supports Ubuntu Precise/Trusty and not 8*6777b538SAndroid Build Coastguard WorkerRodete. 9*6777b538SAndroid Build Coastguard WorkerThus, our [reproduce tool] cannot reproduce bugs found using MSan. 10*6777b538SAndroid Build Coastguard WorkerYou can try to reproduce them manually by using [these instructions] on how to 11*6777b538SAndroid Build Coastguard Workerrun MSan-instrumented code in docker. 12*6777b538SAndroid Build Coastguard Worker 13*6777b538SAndroid Build Coastguard Worker### UBSan 14*6777b538SAndroid Build Coastguard Worker 15*6777b538SAndroid Build Coastguard WorkerBy default, UBSan does not crash when undefined behavior is detected. 16*6777b538SAndroid Build Coastguard WorkerTo make it crash, the following option needs to be set in environment: 17*6777b538SAndroid Build Coastguard Worker```bash 18*6777b538SAndroid Build Coastguard WorkerUBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path> 19*6777b538SAndroid Build Coastguard Worker``` 20*6777b538SAndroid Build Coastguard WorkerOther useful options are (also used by ClusterFuzz): 21*6777b538SAndroid Build Coastguard Worker```bash 22*6777b538SAndroid Build Coastguard WorkerUBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_directory_or_single_testcase_path> 23*6777b538SAndroid Build Coastguard Worker``` 24*6777b538SAndroid Build Coastguard Worker 25*6777b538SAndroid Build Coastguard Worker## Supported Platforms and Configurations 26*6777b538SAndroid Build Coastguard Worker 27*6777b538SAndroid Build Coastguard Worker### Builder configurations 28*6777b538SAndroid Build Coastguard Worker 29*6777b538SAndroid Build Coastguard WorkerThe exact GN arguments that are used on our builders can be generated by running 30*6777b538SAndroid Build Coastguard Worker(from Chromium's `src` directory): 31*6777b538SAndroid Build Coastguard Worker 32*6777b538SAndroid Build Coastguard Worker| Builder | Description | 33*6777b538SAndroid Build Coastguard Worker|---------|-------------| 34*6777b538SAndroid Build Coastguard Worker|Linux ASan | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux ASan' out/libfuzzer` | 35*6777b538SAndroid Build Coastguard Worker|Linux ASan (x86) | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux32 ASan' out/libfuzzer` | 36*6777b538SAndroid Build Coastguard Worker|Linux ASan Debug | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux ASan Debug' out/libfuzzer` | 37*6777b538SAndroid Build Coastguard Worker|Linux MSan[*](#MSan) | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux MSan' out/libfuzzer` | 38*6777b538SAndroid Build Coastguard Worker|Linux UBSan[*](#UBSan)| `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux UBSan' out/libfuzzer` | 39*6777b538SAndroid Build Coastguard Worker|Chrome OS ASan | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Chrome OS ASan' out/libfuzzer` | 40*6777b538SAndroid Build Coastguard Worker|Mac ASan | `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Mac ASan' out/libfuzzer` | 41*6777b538SAndroid Build Coastguard Worker|Windows ASan | `python tools\mb\mb.py gen -m chromium.fuzz -b "Libfuzzer Upload Windows ASan" out\libfuzzer` | 42*6777b538SAndroid Build Coastguard Worker|Linux ASan V8 ARM Simulator[*](#ARM-and-ARM64)| `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux32 V8-ARM ASan' out/libfuzzer` | 43*6777b538SAndroid Build Coastguard Worker|Linux ASan V8 ARM64 Simulator[*](#ARM-and-ARM64)| `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux V8-ARM64 ASan' out/libfuzzer` | 44*6777b538SAndroid Build Coastguard Worker|Linux ASan Debug V8 ARM Simulator[*](#ARM-and-ARM64)| `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux32 V8-ARM ASan Debug' out/libfuzzer` | 45*6777b538SAndroid Build Coastguard Worker|Linux ASan Debug V8 ARM64 Simulator[*](#ARM-and-ARM64)| `tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Linux V8-ARM64 ASan Debug' out/libfuzzer` | 46*6777b538SAndroid Build Coastguard Worker 47*6777b538SAndroid Build Coastguard Worker 48*6777b538SAndroid Build Coastguard Worker### Linux 49*6777b538SAndroid Build Coastguard WorkerLinux is fully supported by libFuzzer and ClusterFuzz with following sanitizer 50*6777b538SAndroid Build Coastguard Workerconfigurations: 51*6777b538SAndroid Build Coastguard Worker 52*6777b538SAndroid Build Coastguard Worker| GN Argument | Description | 53*6777b538SAndroid Build Coastguard Worker|--------------|----| 54*6777b538SAndroid Build Coastguard Worker| is_asan=true | enables [Address Sanitizer] to catch problems like buffer overruns. | 55*6777b538SAndroid Build Coastguard Worker| is_msan=true | enables [Memory Sanitizer] to catch problems like uninitialized reads. \[[*](#MSan)\] | 56*6777b538SAndroid Build Coastguard Worker| is_ubsan_security=true | enables [Undefined Behavior Sanitizer] to catch undefined behavior like integer overflow. \[[*](#UBSan)\] | 57*6777b538SAndroid Build Coastguard Worker 58*6777b538SAndroid Build Coastguard WorkerConfiguration example: 59*6777b538SAndroid Build Coastguard Worker 60*6777b538SAndroid Build Coastguard Worker```bash 61*6777b538SAndroid Build Coastguard Worker# With address sanitizer 62*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true' --check 63*6777b538SAndroid Build Coastguard Worker``` 64*6777b538SAndroid Build Coastguard Worker 65*6777b538SAndroid Build Coastguard Worker### Linux x86 (32-bit) 66*6777b538SAndroid Build Coastguard WorkerFuzzing targets built for x86 can discover bugs that are not found by x64 67*6777b538SAndroid Build Coastguard Workerbuilds. Linux x86 is supported by libFuzzer with `is_asan` configuration. 68*6777b538SAndroid Build Coastguard Worker 69*6777b538SAndroid Build Coastguard WorkerConfiguration example: 70*6777b538SAndroid Build Coastguard Worker 71*6777b538SAndroid Build Coastguard Worker```bash 72*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer --args="use_libfuzzer=true is_asan=true host_cpu=\"x86\" target_cpu=\"x86\"" --check 73*6777b538SAndroid Build Coastguard Worker``` 74*6777b538SAndroid Build Coastguard Worker 75*6777b538SAndroid Build Coastguard Worker### Chrome OS 76*6777b538SAndroid Build Coastguard WorkerChrome OS is supported by libFuzzer with `is_asan` configuration. 77*6777b538SAndroid Build Coastguard Worker 78*6777b538SAndroid Build Coastguard WorkerConfiguration example: 79*6777b538SAndroid Build Coastguard Worker 80*6777b538SAndroid Build Coastguard Worker```bash 81*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true target_os="chromeos"' --check 82*6777b538SAndroid Build Coastguard Worker``` 83*6777b538SAndroid Build Coastguard Worker 84*6777b538SAndroid Build Coastguard WorkerTo do a Chrome OS build on Linux (not just for libFuzzer), your `.gclient` file 85*6777b538SAndroid Build Coastguard Workermust be configured appropriately, see the [Chrome OS build docs] for more 86*6777b538SAndroid Build Coastguard Workerdetails. 87*6777b538SAndroid Build Coastguard Worker 88*6777b538SAndroid Build Coastguard Worker### Mac 89*6777b538SAndroid Build Coastguard Worker 90*6777b538SAndroid Build Coastguard WorkerMac is supported by libFuzzer with `is_asan` configuration. 91*6777b538SAndroid Build Coastguard Worker 92*6777b538SAndroid Build Coastguard WorkerConfiguration example: 93*6777b538SAndroid Build Coastguard Worker 94*6777b538SAndroid Build Coastguard Worker```bash 95*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true mac_deployment_target="10.7"' --check 96*6777b538SAndroid Build Coastguard Worker``` 97*6777b538SAndroid Build Coastguard Worker 98*6777b538SAndroid Build Coastguard Worker### Windows 99*6777b538SAndroid Build Coastguard Worker 100*6777b538SAndroid Build Coastguard WorkerWindows is supported by libFuzzer with `is_asan` configuration. 101*6777b538SAndroid Build Coastguard Worker 102*6777b538SAndroid Build Coastguard WorkerConfiguration example: 103*6777b538SAndroid Build Coastguard Worker 104*6777b538SAndroid Build Coastguard Worker```bash 105*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer "--args=use_libfuzzer=true is_asan=true is_debug=false is_component_build=false" --check 106*6777b538SAndroid Build Coastguard Worker``` 107*6777b538SAndroid Build Coastguard Worker 108*6777b538SAndroid Build Coastguard WorkerOn Windows you must use `is_component_build=false` as libFuzzer does not support 109*6777b538SAndroid Build Coastguard Workercomponent builds on Windows. If you are using `is_asan=true` then you must use 110*6777b538SAndroid Build Coastguard Worker`is_debug=false` as ASan does not support debug builds on Windows. 111*6777b538SAndroid Build Coastguard WorkerYou may also want to consider using `symbol_level=1` which will reduce build 112*6777b538SAndroid Build Coastguard Workersize by reducing symbol level to the level necessary for libFuzzer (useful 113*6777b538SAndroid Build Coastguard Workerif building many fuzz targets). 114*6777b538SAndroid Build Coastguard Worker 115*6777b538SAndroid Build Coastguard Worker### ARM and ARM64 116*6777b538SAndroid Build Coastguard Worker 117*6777b538SAndroid Build Coastguard WorkerThe V8 ARM and ARM64 simulators are supported by libFuzzer with `is_asan` 118*6777b538SAndroid Build Coastguard Workerconfiguration. Note that there is nothing special about these builds for non-V8 119*6777b538SAndroid Build Coastguard Workerfuzz targets. 120*6777b538SAndroid Build Coastguard Worker 121*6777b538SAndroid Build Coastguard WorkerARM configuration example: 122*6777b538SAndroid Build Coastguard Worker 123*6777b538SAndroid Build Coastguard Worker 124*6777b538SAndroid Build Coastguard Worker```bash 125*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer --args="use_libfuzzer=true is_asan=true host_cpu=\"x86\" target_cpu=\"x86\" v8_target_cpu=\"arm\"" --check 126*6777b538SAndroid Build Coastguard Worker``` 127*6777b538SAndroid Build Coastguard Worker 128*6777b538SAndroid Build Coastguard WorkerARM64 configuration example: 129*6777b538SAndroid Build Coastguard Worker 130*6777b538SAndroid Build Coastguard Worker```bash 131*6777b538SAndroid Build Coastguard Workergn gen out/libfuzzer --args="use_libfuzzer=true is_asan=true target_cpu=\"x64\" v8_target_cpu=\"arm64\"" --check 132*6777b538SAndroid Build Coastguard Worker``` 133*6777b538SAndroid Build Coastguard Worker 134*6777b538SAndroid Build Coastguard Worker## fuzzer_test GN Template 135*6777b538SAndroid Build Coastguard Worker 136*6777b538SAndroid Build Coastguard WorkerUse `fuzzer_test` to define libFuzzer targets: 137*6777b538SAndroid Build Coastguard Worker 138*6777b538SAndroid Build Coastguard Worker``` 139*6777b538SAndroid Build Coastguard Workerfuzzer_test("my_fuzzer") { 140*6777b538SAndroid Build Coastguard Worker ... 141*6777b538SAndroid Build Coastguard Worker} 142*6777b538SAndroid Build Coastguard Worker``` 143*6777b538SAndroid Build Coastguard Worker 144*6777b538SAndroid Build Coastguard WorkerFollowing arguments are supported: 145*6777b538SAndroid Build Coastguard Worker 146*6777b538SAndroid Build Coastguard Worker| Argument | Description | 147*6777b538SAndroid Build Coastguard Worker|----------|-------------| 148*6777b538SAndroid Build Coastguard Worker| `sources` | **required** list of fuzzer test source files | 149*6777b538SAndroid Build Coastguard Worker| `deps` | fuzzer dependencies | 150*6777b538SAndroid Build Coastguard Worker| `additional_configs` | additional GN configurations to be used for compilation | 151*6777b538SAndroid Build Coastguard Worker| `dict` | a dictionary file for the fuzzer | 152*6777b538SAndroid Build Coastguard Worker| `libfuzzer_options` | runtime options file for the fuzzer. See [Fuzzer Runtime Options](#Fuzzer-Runtime-Options) | 153*6777b538SAndroid Build Coastguard Worker| `seed_corpus` | single directory containing test inputs, parsed recursively | 154*6777b538SAndroid Build Coastguard Worker| `seed_corpuses` | multiple directories with the same purpose as `seed_corpus` | 155*6777b538SAndroid Build Coastguard Worker| `libs` | additional libraries to link. Same as [libs] for gn targets. | 156*6777b538SAndroid Build Coastguard Worker 157*6777b538SAndroid Build Coastguard Worker 158*6777b538SAndroid Build Coastguard Worker## Fuzzer Runtime Options 159*6777b538SAndroid Build Coastguard Worker 160*6777b538SAndroid Build Coastguard WorkerThere are many different runtime options supported by libFuzzer. Options 161*6777b538SAndroid Build Coastguard Workerare passed as command line arguments: 162*6777b538SAndroid Build Coastguard Worker 163*6777b538SAndroid Build Coastguard Worker``` 164*6777b538SAndroid Build Coastguard Worker./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ] 165*6777b538SAndroid Build Coastguard Worker``` 166*6777b538SAndroid Build Coastguard Worker 167*6777b538SAndroid Build Coastguard WorkerMost common flags are: 168*6777b538SAndroid Build Coastguard Worker 169*6777b538SAndroid Build Coastguard Worker| Flag | Description | 170*6777b538SAndroid Build Coastguard Worker|------|-------------| 171*6777b538SAndroid Build Coastguard Worker| max_len | Maximum length of test input. | 172*6777b538SAndroid Build Coastguard Worker| timeout | Timeout of seconds. Units slower than this value will be reported as bugs. | 173*6777b538SAndroid Build Coastguard Worker| rss_limit_mb | Memory usage limit in Mb, default 2048. Some Chrome targets, such as Blink, require more than the default to initialize. | 174*6777b538SAndroid Build Coastguard Worker 175*6777b538SAndroid Build Coastguard WorkerFull list of options can be found at [libFuzzer options] page and by running 176*6777b538SAndroid Build Coastguard Workerthe binary with `-help=1`. 177*6777b538SAndroid Build Coastguard Worker 178*6777b538SAndroid Build Coastguard WorkerTo specify these options for ClusterFuzz, list all parameters in 179*6777b538SAndroid Build Coastguard Worker`libfuzzer_options` target attribute: 180*6777b538SAndroid Build Coastguard Worker 181*6777b538SAndroid Build Coastguard Worker``` 182*6777b538SAndroid Build Coastguard Workerfuzzer_test("my_fuzzer") { 183*6777b538SAndroid Build Coastguard Worker ... 184*6777b538SAndroid Build Coastguard Worker libfuzzer_options = [ 185*6777b538SAndroid Build Coastguard Worker # Suppress stdout and stderr output (not recommended, as it may silence useful info). 186*6777b538SAndroid Build Coastguard Worker "close_fd_mask=3", 187*6777b538SAndroid Build Coastguard Worker ] 188*6777b538SAndroid Build Coastguard Worker} 189*6777b538SAndroid Build Coastguard Worker``` 190*6777b538SAndroid Build Coastguard Worker 191*6777b538SAndroid Build Coastguard Worker[libFuzzer options]: http://llvm.org/docs/LibFuzzer.html#options 192*6777b538SAndroid Build Coastguard Worker[Address Sanitizer]: http://clang.llvm.org/docs/AddressSanitizer.html 193*6777b538SAndroid Build Coastguard Worker[Memory Sanitizer]: http://clang.llvm.org/docs/MemorySanitizer.html 194*6777b538SAndroid Build Coastguard Worker[Undefined Behavior Sanitizer]: http://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html 195*6777b538SAndroid Build Coastguard Worker[reproduce tool]: https://github.com/google/clusterfuzz-tools 196*6777b538SAndroid Build Coastguard Worker[these instructions]: https://www.chromium.org/developers/testing/memorysanitizer#TOC-Running-on-other-distros-using-Docker 197*6777b538SAndroid Build Coastguard Worker[Chrome OS build docs]: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/chromeos_build_instructions.md#updating-your-gclient-config 198*6777b538SAndroid Build Coastguard Worker[libs]: https://gn.googlesource.com/gn/+/master/docs/reference.md#libs 199