libFuzzer and ClusterFuzz Integration
ClusterFuzz is a distributed fuzzing infrastructure that automatically runs libFuzzer-powered fuzzer tests at scale.
Googlers can read more here.
The integration between libFuzzer and ClusterFuzz consists of:
- Build rule definitions in fuzzer_test.gni.
- A buildbot that automatically discovers fuzz targets using `gn refs`, builds them with multiple sanitizers and uploads the binaries to a GCS bucket. The recipe is defined in fuzz.py.
- ClusterFuzz downloads the builds and runs the fuzz targets continuously.
- Fuzz target run logs are uploaded to the ClusterFuzz libFuzzer Logs GCS bucket.
- A fuzzing corpus is maintained for each fuzz target in the Corpus GCS Bucket. Once a day, the corpus is minimized to reduce the number of duplicate units and the effect of parasitic coverage.
- ClusterFuzz Fuzzer Stats displays fuzzer runtime metrics and provides links to crashes and coverage reports.
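Added example, not code from this page or from ClusterFuzz: a small parser that reduces one libFuzzer run log, like the ones uploaded to the logs bucket, to the runtime metrics and crash information a fuzzer-stats page shows. It assumes libFuzzer's standard status-line and sanitizer error formats; the sample log is constructed and the crash artifact name is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Status line: "#1024<TAB>NEW    cov: 130 ft: 148 corp: 7/140b lim: 8 exec/s: 512 rss: 28Mb L: 39/8 MS: ..."
STATUS_RE = re.compile(
    r"^#(?P<runs>\d+)\s+(?P<kind>INITED|NEW|REDUCE|pulse|DONE)\s+cov:\s*(?P<cov>\d+)\s+"
    r"ft:\s*(?P<ft>\d+)\s+corp:\s*(?P<corp>\d+)/(?P<bytes>\d+)b(?:.*?\bexec/s:\s*(?P<execs>\d+))?"
)
# First error line from a sanitizer or libFuzzer itself, e.g. "==4242==ERROR: AddressSanitizer: heap-buffer-overflow on ..."
CRASH_RE = re.compile(r"^==\d+==\s*ERROR:\s*(?P<tool>\w+):\s*(?P<what>.+)$")
ARTIFACT_RE = re.compile(r"Test unit written to (?P<path>\S+)")

@dataclass
class RunStats:
    runs: int = 0             # executions reported on the last status line
    cov: int = 0              # covered edges
    ft: int = 0               # features (edges x hit-count buckets)
    corp: int = 0             # corpus units
    corp_bytes: int = 0
    exec_per_sec: int = 0
    new_units: int = 0        # NEW lines, i.e. coverage-increasing inputs found in this run
    crash: Optional[str] = None
    artifact: Optional[str] = None

def parse_log(text: str) -> RunStats:
    """Reduce one libFuzzer run log to the metrics a fuzzer-stats page would show."""
    s = RunStats()
    for line in text.splitlines():
        if m := STATUS_RE.match(line):
            s.runs, s.cov, s.ft = int(m["runs"]), int(m["cov"]), int(m["ft"])
            s.corp, s.corp_bytes = int(m["corp"]), int(m["bytes"])
            if m["execs"] is not None:
                s.exec_per_sec = int(m["execs"])
            s.new_units += int(m["kind"] == "NEW")
        elif (c := CRASH_RE.match(line)) and s.crash is None:  # keep the first error only
            s.crash = f"{c['tool']}: {c['what'].split(' on ')[0]}"
        elif a := ARTIFACT_RE.search(line):
            s.artifact = a["path"]
    return s

# Constructed sample log in libFuzzer's output format (not a real ClusterFuzz log); the artifact name is a placeholder.
SAMPLE_LOG = """\
INFO:        5 files found in ./corpus
#5\tINITED cov: 120 ft: 131 corp: 5/88b exec/s: 0 rss: 27Mb
#64\tNEW    cov: 125 ft: 140 corp: 6/101b lim: 4 exec/s: 0 rss: 27Mb L: 13/4 MS: 1 ChangeBit-
#1024\tNEW    cov: 130 ft: 148 corp: 7/140b lim: 8 exec/s: 512 rss: 28Mb L: 39/8 MS: 2 CrossOver-InsertByte-
#2048\tpulse  cov: 130 ft: 148 corp: 7/140b lim: 16 exec/s: 682 rss: 28Mb
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4f3a1b
SUMMARY: AddressSanitizer: heap-buffer-overflow in LLVMFuzzerTestOneInput
artifact_prefix='./'; Test unit written to ./crash-<sha1-of-input>
"""
```

Running `parse_log(SAMPLE_LOG)` yields the last reported coverage and execution rate, the number of coverage-increasing inputs found, and the first sanitizer error with its artifact path.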
Chromium developers can access the corpus stored in the Corpus GCS Bucket via the web interface or with the gsutil tool (the latter is easier for downloading):

```
gsutil -m cp -r gs://clusterfuzz-corpus/libfuzzer/<fuzz_target> local_corpus_dir
```