libFuzzer Integration Reference

Extra sanitizer configuration

MSan

You need to download prebuilt instrumented libraries to use MSan (crbug/653712):

GYP_DEFINES='use_goma=1 msan=1 use_prebuilt_instrumented_libraries=1' gclient runhooks

UBSan

By default UBSan only reports undefined behavior and lets the process keep running, so the fuzzer will not record a crash. To make it abort on the first report, pass the following additional option:

UBSAN_OPTIONS=halt_on_error=1 ./fuzzer <corpus_directory_or_single_testcase_path>

Other useful options (these are the ones ClusterFuzz uses) are:

UBSAN_OPTIONS=symbolize=1:halt_on_error=1:print_stacktrace=1 ./fuzzer <corpus_directory_or_single_testcase_path>

Supported Platforms and Configurations

Builder configurations

The exact GN arguments that are used on our builders can be generated by running the command for the corresponding builder:

Builder            Command
Linux ASan         tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan' out/Directory
Linux ASan Debug   tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux ASan Debug' out/Directory
Linux MSan [*]     tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux MSan' out/Directory
Linux UBSan [*]    tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux UBSan' out/Directory
Mac ASan           tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Mac ASan' out/Directory

[*] See Extra sanitizer configuration above.

Linux

Linux is fully supported by libFuzzer and ClusterFuzz with the following sanitizer configurations:

GN argument               Description
is_asan=true              Enables AddressSanitizer to catch memory errors such as buffer overruns.
is_msan=true              Enables MemorySanitizer to catch uses of uninitialized memory. [*]
is_ubsan_security=true    Enables UndefinedBehaviorSanitizer to catch undefined behavior such as signed integer overflow. [*]

Configuration example:

# With address sanitizer
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check

Mac

Mac is supported by libFuzzer with the is_asan configuration only.

Configuration example:

gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false mac_deployment_target="10.7"' --check

fuzzer_test GN Template

Use fuzzer_test to define libFuzzer targets:

fuzzer_test("my_fuzzer") {
  ...
}

The following arguments are supported:

Argument            Description
sources             Required. List of fuzzer test source files.
deps                Fuzzer dependencies.
additional_configs  Additional GN configurations to be used for compilation.
dict                A dictionary file for the fuzzer.
libfuzzer_options   Runtime options file for the fuzzer. See Fuzzer Runtime Options.
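As an added example (not Chromium code), this is what the file listed in sources of such a fuzzer_test target looks like: a libFuzzer entry point wrapped around a hypothetical bounds-checked TLV parser, with the matching BUILD.gn entry in the header comment. The parser, the file and dictionary names, the option values and the seed input are all assumptions made for illustration.

```cpp
// my_parser_fuzzer.cc: an added example (not Chromium code) of the file a
// fuzzer_test() target compiles. The parser, the file/dictionary names and
// the option values are assumptions made for illustration.
//
// Matching BUILD.gn entry (assumed):
//
//   fuzzer_test("my_parser_fuzzer") {
//     sources = [ "my_parser_fuzzer.cc" ]
//     dict = "my_parser_fuzzer.dict"
//     libfuzzer_options = [ "max_len=4096" ]
//   }
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy TLV format being fuzzed: records of 1-byte tag, 2-byte big-endian
// length, then `length` value bytes. Values of tag 0x01 are copied to
// `payload`. Returns the number of records parsed, or -1 if the input is
// malformed. The two length checks are the ones ASan would flag as
// out-of-bounds reads if they were missing.
int ParseTlv(const uint8_t* data, size_t size, std::vector<uint8_t>* payload) {
  size_t pos = 0;
  int records = 0;
  while (pos < size) {
    if (size - pos < 3) return -1;  // truncated header
    const uint8_t tag = data[pos];
    const size_t len =
        (static_cast<size_t>(data[pos + 1]) << 8) | data[pos + 2];
    pos += 3;
    if (len > size - pos) return -1;  // declared length runs past the buffer
    if (tag == 0x01) {
      payload->insert(payload->end(), data + pos, data + pos + len);
    }
    pos += len;
    ++records;
  }
  return records;
}

// A constructed seed input (two records) of the kind you would drop into the
// seed corpus: tag 0x01 carrying "hi", then an empty tag 0x02 record.
const uint8_t kSeedInput[] = {0x01, 0x00, 0x02, 0x68, 0x69, 0x02, 0x00, 0x00};
const size_t kSeedInputSize = sizeof(kSeedInput);

// libFuzzer entry point. It must always return 0, must not keep a pointer to
// `data` past the call, and must not call exit(); libFuzzer and the
// sanitizers report the bug when the code under test crashes or trips a
// check. Do not define main(): -fsanitize=fuzzer links libFuzzer's own.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<uint8_t> payload;
  ParseTlv(data, size, &payload);
  return 0;
}
```

Outside the Chromium build the same file can be compiled with `clang++ -g -O1 -fsanitize=fuzzer,address my_parser_fuzzer.cc -o my_parser_fuzzer` and run as `./my_parser_fuzzer corpus_dir`; inside Chromium the fuzzer_test template and the is_asan / is_msan / is_ubsan_security GN arguments take care of the sanitizer and libFuzzer flags.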

Fuzzer Runtime Options

There are many different runtime options supported by libFuzzer. Options are passed as command line arguments:

./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]

The most common flags are:

Flag      Description
max_len   Maximum length of a test input, in bytes.
timeout   Timeout in seconds. Inputs (units) that take longer than this to run are reported as bugs.

A fuller list of options can be found on the libFuzzer Usage page and by running the binary with -help=1.

To specify these options for ClusterFuzz, list them in the libfuzzer_options attribute of the target:

fuzzer_test("my_fuzzer") {
  ...
  libfuzzer_options = [
    "max_len=2048",
    "use_traces=1",
  ]
}