Testing in Chromium

IPC Fuzzer

A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives under src/tools/ipc_fuzzer/ and is running on ClusterFuzz. A previous version of the fuzzer was a simple bitflipper, which caught around 10 bugs. A new version is doing smarter mutations and generational fuzzing. To do so, each ParamTraits<Type> needs a corresponding FuzzTraits<Type>. Feel free to contribute.

Working with the fuzzer

Build instructions

  • Run gn args and add enable_ipc_fuzzer = true to your args.gn.
  • build ipc_fuzzer_all target
  • component builds are currently broken, sorry
  • Debug builds are broken; only Release mode works.

Replaying ipcdumps

  • tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump
  • more help: tools/ipc_fuzzer/scripts/play_testcase.py -h

Listing messages in ipcdump

  • out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump

Updating fuzzers in ClusterFuzz

  • tools/ipc_fuzzer/scripts/cf_package_builder.py
  • upload ipc_fuzzer_mut.zip and ipc_fuzzer_gen.zip under build directory to ClusterFuzz

Contributing FuzzTraits

  • add them to tools/ipc_fuzzer/fuzzer/fuzzer.cc
  • thanks!

Components

ipcdump logger

  • add enable_ipc_fuzzer = true to args.gn
  • build chrome and ipc_message_dump targets
  • run chrome with --no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory
  • ipcdumps will be created in this directory for each renderer using the format _pid_.ipcdump

ipcdump replay

Lives under ipc_fuzzer/replay. The renderer is replaced with ipc_fuzzer_replay using --renderer-cmd-prefix. This is done automatically with the ipc_fuzzer/play_testcase.py convenience script.

ipcdump mutator / generator

Lives under ipc_fuzzer/fuzzer. This is the code that runs on ClusterFuzz. It uses FuzzTraits<Type> to mutate ipcdumps or generate them out of thin air.

Problems, questions, suggestions

Send them to mbarbella@chromium.org.