Linux is fully supported by libFuzzer and ClusterFuzz with following sanitizer configurations:
GN Argument | Description |
---|---|
is_asan=true | enables Address Sanitizer to catch problems like buffer overruns. |
is_msan=true | enables Memory Sanitizer to catch problems like uninitialed reads. |
is_ubsan_security=true | enables Undefined Behavior Sanitizer to catch[1] undefined behavior like integer overflow. |
Configuration example:
# With address sanitizer gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check
Mac is experimentally supported by libFuzzer with is_asan
configuration. Mac support is not provided by ClusterFuzz.
Configuration example:
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false mac_deployment_target="10.7"' --check
Use fuzzer_test
to define libFuzzer targets:
fuzzer_test("my_fuzzer") { ... }
Following arguments are supported:
Argument | Description |
---|---|
sources | required list of fuzzer test source files. |
deps | fuzzer dependencies |
additional_configs | additional GN configurations to be used for compilation |
dict | a dictionary file for the fuzzer |
libfuzzer_options | runtime options file for the fuzzer. See Fuzzer Runtime Options |
There are many different runtime options supported by libFuzzer. Options are passed as command line arguments:
./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
Most common flags are:
Flag | Description |
---|---|
max_len | Maximum length of test input. |
timeout | Timeout of seconds. Units slower than this value will be reported as bugs. |
A fuller list of options can be found at libFuzzer Usage page and by running the binary with -help=1
.
To specify these options for ClusterFuzz, list all parameters in libfuzzer_options
target attribute:
fuzzer_test("my_fuzzer") { ... libfuzzer_options = [ "max_len=2048", "use_traces=1", ] }