You need to download prebuilt instrumented libraries to use MSan (crbug/653712):
GYP_DEFINES='use_goma=1 msan=1 use_prebuilt_instrumented_libraries=1' gclient runhooks
By default UBSan doesn't crash once undefined behavior has been detected. To make it crash the following additional option should be provided:
UBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path>
Other useful options (used by ClusterFuzz) are:
UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_directory_or_single_testcase_path>
The exact GN arguments that are used on our builders can be generated by running:
Builder | Description |
---|---|
Linux ASan | tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan' out/Directory |
Linux ASan Debug | tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan Debug' out/Directory |
Linux MSan [*] | tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux MSan' out/Directory |
Linux UBSan [*] | tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux UBSan' out/Directory |
Mac ASan | tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Mac ASan' out/Directory |
Linux is fully supported by libFuzzer and ClusterFuzz with following sanitizer configurations:
GN Argument | Description |
---|---|
is_asan=true | enables Address Sanitizer to catch problems like buffer overruns. |
is_msan=true | enables Memory Sanitizer to catch problems like uninitialized reads. [*] |
is_ubsan_security=true | enables Undefined Behavior Sanitizer to catch undefined behavior like integer overflow. [*] |
Configuration example:
# With address sanitizer gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check
Mac is supported by libFuzzer with is_asan
configuration.
Configuration example:
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false mac_deployment_target="10.7"' --check
Use fuzzer_test
to define libFuzzer targets:
fuzzer_test("my_fuzzer") { ... }
Following arguments are supported:
Argument | Description |
---|---|
sources | required list of fuzzer test source files. |
deps | fuzzer dependencies |
additional_configs | additional GN configurations to be used for compilation |
dict | a dictionary file for the fuzzer |
libfuzzer_options | runtime options file for the fuzzer. See Fuzzer Runtime Options |
There are many different runtime options supported by libFuzzer. Options are passed as command line arguments:
./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
Most common flags are:
Flag | Description |
---|---|
max_len | Maximum length of test input. |
timeout | Timeout of seconds. Units slower than this value will be reported as bugs. |
A fuller list of options can be found at libFuzzer Usage page and by running the binary with -help=1
.
To specify these options for ClusterFuzz, list all parameters in libfuzzer_options
target attribute:
fuzzer_test("my_fuzzer") { ... libfuzzer_options = [ "max_len=2048", "use_traces=1", ] }