This page has instructions for Security Sheriffs in how best to use ClusterFuzz to reproduce and label bugs.
https://clusterfuzz.com/upload-testcase allows you to upload files to reproduce crashes on various platforms and will identify revision ranges when the regression was introduced. If a test case requires multiple files, they can be uploaded together in a zip or tar archive: the main file needs to contain the words index
, crash
or test
.
Please do specify the crbug number when uploading the test case. This will allow ClusterFuzz to keep the crbug updated with progress.
You should chose the right job type depending on the format of file you want to test:
MojoJS is a means for a renderer process to use Mojo IPCs directly from JavaScript. Although it‘s not enabled in normal production Chrome builds, it’s a great way to simulate how a compromised renderer can attack other processes over IPC.
Because Mojo IPCs change with each version of Chrome, the test case needs to use exactly the right MojoJS bindings. MojoJS bugs typically specify to use python ./copy_mojo_bindings.py
to put such bindings in place, but that does not work for ClusterFuzz where it will need to bisect across many versions of Chrome with many versions of Mojo.
Therefore, do this instead:
file:///gen
instead. For example:<script src="file:///gen/mojo/public/js/mojo_bindings_lite.js">This works because most of the ClusterFuzz Chrome binaries are now built with
enable_ipc_fuzzer=true
.--enable-blink-features=MojoJS
. In this case, ClusterFuzz might declare that a browser process crash is Critical severity, whereas because of the precondition of a compromised renderer you may wish to adjust it down to High.