libFuzzer and ClusterFuzz Integration

ClusterFuzz is a distributed fuzzing infrastructure that automatically executes libFuzzer powered fuzzer tests on scale.

Googlers can read more here.

Status Links

Integration Details

The integration between libFuzzer and ClusterFuzz consists of:

  • Build rules definition in fuzzer_test.gni.
  • Buildbot that automatically discovers fuzz targets using gn refs, builds fuzz targets with multiple sanitizers and uploads binaries to a GCS bucket. Recipe is defined in
  • ClusterFuzz downloads builds and runs fuzz targets continuously.
  • Fuzz target run logs are uploaded to ClusterFuzz libFuzzer Logs GCS bucket.
  • Fuzzing corpus is maintained for each fuzz target in Corpus GCS Bucket. Once a day, the corpus is minimized to reduce number of duplicates and/or reduce effect of parasitic coverage.
  • ClusterFuzz Fuzzer Status displays fuzzer runtime metrics as well as provides links to crashes and coverage reports.


ClusterFuzz uses two corpus types with libFuzzer:

  • Seed (or static) corpus: files manually uploaded by developers. ClusterFuzz uses these files for fuzzing but doesn't delete/overwrite them.

  • General (or working) corpus: files generated by fuzzers themselves. These corpus files are frequently modified during fuzzing sessions and can be deleted during corpus minimization.

A fuzz target has two input corpus directories, seed and general, but its output goes into general corpus directory. Seed corpus is read-only.