ClusterFuzz will report bugs in the bug tracker in the following form:
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=...
Fuzzer: libfuzzer_media_pipeline_integration_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x60500000c64d
Crash State:
stack_frame1
stack_frame2
stack_frame3
Recommended Security Severity: Medium
Regressed: <LINK>
Minimized Testcase (6.86 Kb): <LINK>
Filer: ...
You can click the “Detailed report” link for the full stack trace, and additional information/links.
Download the testcase given by the “Minimized Testcase” link.
(Important) In the following sections, $FUZZER_NAME will be the the string specified after the “Fuzzer :” in the report, but without the “libfuzzer_” or “afl_” prefix. In this case, the $FUZZER_NAME is “media_pipeline_integration_fuzzer”.
Follow the steps in one of the subsequent sections (from a chromium checkout). The string specified after the "Job Type: " will be either afl_chrome_asan, libfuzzer_chrome_asan, libfuzzer_chrome_msan, or libfuzzer_chrome_ubsan, indicating which one to use.
Notes:
is_debug: ClusterFuzz uses release builds by default (is_debug=false). For ASan builds, both Debug and Release configurations are supported. Check a job type of the report for presence of _debug suffix.
ffmpeg_branding: For Linux ffmpeg_branding should be set to ChromeOS. For other platforms, use ffmpeg_branding=Chrome.
$ gn gen out/afl '--args=is_debug=false use_afl=true is_asan=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"' $ ninja -C out/afl $FUZZER_NAME $ out/afl/$FUZZER_NAME < /path/to/repro
$ gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_asan=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"' $ ninja -C out/libfuzzer $FUZZER_NAME $ out/libfuzzer/$FUZZER_NAME /path/to/repro
# The gclient sync is necessary to pull in instrumented libraries. $ GYP_DEFINES='msan=1 use_prebuilt_instrumented_libraries=1' gclient sync $ gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_msan=true msan_track_origins=2 use_prebuilt_instrumented_libraries=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"' $ ninja -C out/libfuzzer $FUZZER_NAME $ out/libfuzzer/$FUZZER_NAME /path/to/repro
$ gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_ubsan_security=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"' $ ninja -C out/libfuzzer $FUZZER_NAME $ export UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1 $ out/libfuzzer/$FUZZER_NAME /path/to/repro
Memory tools (ASan, MSan, UBSan) use llvm-symbolizer binary from the Clang distribution to symbolize the stack traces. To get a symbolized crash report, make sure llvm-symbolizer is in PATH or provide it in separate ASAN_SYMBOLIZER_PATH environment variable.
In Chromium repository llvm-symbolizer is located in third_party/llvm-build/Release+Asserts/bin directory.
$ export ASAN_SYMBOLIZER_PATH=/path/to/chromium/src/third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer $ out/libfuzzer/$FUZZER_NAME /path/to/repro
The same approach works for MSAN_SYMBOLIZER_PATH and UBSAN_SYMBOLIZER_PATH.
Additional information regarding symbolization is available in sanitizers documentation: AddressSanitizerCallStack.
Please look at AddressSanitizerAndDebugger page for some tips on debugging of binaries built with ASan.
If you want gdb to stop after an error has been reported, use:
ASAN_OPTIONS=abort_on_error=1 for binaries built with ASan.MSAN_OPTIONS=abort_on_error=1 for binaries built with MSan.