This guide provides step-by-step instructions for reproducing crashes found by ClusterFuzz. Reproducing a crash locally is the first step toward debugging and fixing it.
set command instead of export to set the environment variable (step 4). Note that these commands are intended to be used with cmd.exe, not PowerShell. Also, you may find these tips on how to debug an ASAN instrumented binary helpful.The first step is to identify how the crash was found. Look at the ClusterFuzz bug report:
If the report specifies a “Fuzz Target” and mentions a fuzzing engine (like libFuzzer, AFL, Centipede, etc.), you should follow the steps under Reproducing a Crash from a Fuzzing Engine.
Otherwise, the crash was likely caused by a blackbox fuzzer that produced a file to crash a larger application (like content_shell). You should follow the steps under Reproducing a Crash from a Blackbox Fuzzer.
The majority of the bugs reported by ClusterFuzz have the Reproducible label. This workflow applies to those cases.
Download the testcase from ClusterFuzz. If you are CCed on an issue filed by ClusterFuzz, a link to it is next to “Reproducer testcase” in the bug description.
For the rest of this section, we call the path of this file: $TESTCASE_PATH and the fuzz target you want to reproduce a crash on: $FUZZER_NAME (provided as “Fuzz Target” in the bug description).
Generate gn build configuration:
gn args out/fuzz
This will open up an editor. Copy the gn configuration parameters from the values provided in GN Config section in the ClusterFuzz testcase report.
Build the fuzzer:
autoninja -C out/fuzz $FUZZER_NAME
Set the *SAN_OPTIONS environment variable as provided in the Crash Stacktrace section in the testcase report. Here is an example value of ASAN_OPTIONS that is similar to its value on ClusterFuzz:
export ASAN_OPTIONS=redzone=256:print_summary=1:handle_sigill=1:allocator_release_to_os_interval_ms=500:print_suppressions=0:strict_memcmp=1:allow_user_segv_handler=0:use_sigaltstack=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:allocator_may_return_null=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=0:quarantine_size_mb=256:detect_odr_violation=0:symbolize=1:handle_segv=1:fast_unwind_on_fatal=0
Note: The sanitizer options may reference suppressions files. You can find those at go/crfuzz-clusterfuzz-suppressions (google-internal).
Run the fuzz target with the downloaded testcase. The -runs=100 flag helps ensure reproduction even if the crash has minor flakiness.
out/fuzz/$FUZZER_NAME -runs=100 $TESTCASE_PATH
File a bug if you run into any issues.
Get info from the report.
Reproducer testcase. We'll call its path $TESTCASE_PATH.Job Type (e.g., linux_asan_content_shell_drt means the target is content_shell).Configure and build the application:
Generate the build configuration using the arguments from the “GN Config” section.
gn args out/fuzz
Build the target application binary (e.g., content_shell).
autoninja -C out/fuzz content_shell
Set environment variables:
Export all variables listed under [Environment] in the stack trace of the report.
export ASAN_OPTIONS=... # Also export any other variables listed.
Construct and run the command:
In the stack trace, find the line beginning with Command line:. Construct your local command by replacing the executable path (e.g., /proc/self/exe or /mnt/.../content_shell) with the path to your built binary (e.g., out/fuzz/content_shell), copying all the flags, and appending the $TESTCASE_PATH at the end.
# Example command based on a content_shell crash out/fuzz/content_shell \ --run-web-tests \ --disable-in-process-stack-traces \ --autoplay-policy=no-user-gesture-required \ --lang=en-US \ $TESTCASE_PATH
ClusterFuzz generally does not report issues that it cannot reliably reproduce, unless the following condition is met. If a certain crash is occurring often enough, such a crash might be reported with Unreproducible label and an explicit clarification that there is no convenient way to reproduce it. There are two ways to work with such crashes.
Try a speculative fix based on the stacktrace. Once the fix is landed, wait a couple days and then check Crash Statistics section on the ClusterFuzz testcase report page. If the fix works out, you will see that the crash is not happening anymore. If the crash does not occur again for a little while, ClusterFuzz will automatically close the issue as Verified.
Try to reproduce the whole fuzzing session. This workflow is very similar to the one described above for reproducing a crash from a fuzzing engine. The only differences are:
Instead of downloading a single testcase, you need to download corpus backup. This can be done using the following command:
gsutil cp gs://clusterfuzz-libfuzzer-backup/corpus/libfuzzer/$FUZZER_NAME/latest.zip .
Alternatively, you can navigate to the following URL in your browser and download the latest.zip file:
https://pantheon.corp.google.com/storage/browser/clusterfuzz-libfuzzer-backup/corpus/libfuzzer/$FUZZER_NAME
Create an empty directory and unpack the corpus into it.
Follow steps 2-4 in the reproducing a crash from a fuzzing engine section above.
On step 5, use the following command:
out/fuzz/$FUZZER_NAME -timeout=25 -rss_limit_mb=2048 -print_final_stats=1 $CORPUS_DIRECTORY_FROM_THE_PREVIOUS_STEP
Wait and hope that the fuzzer will crash.
Waiting for a crash to occur may take some time (up to 1hr), but if it happens, you will be able to test the fix locally and/or somehow debug the issue.
Stack traces from ASAN builds are not symbolized by default. However, you can symbolize them by piping the output into:
src/tools/valgrind/asan/asan_symbolize.py
ClusterFuzz does crash input minimization automatically, and a typical crash report has two testcases available for downloading:
If you would like to further minimize a testcase, run the fuzz target with the two additional arguments:
-minimize_crash=1-exact_artifact_path=<output_filename_for_minimized_testcase>The full command would be:
out/fuzz/$FUZZER_NAME -minimize_crash=1 -exact_artifact_path=<minimized_testcase_path> $TESTCASE_PATH
This might be useful for large testcases that make it hard to identify a root cause of a crash. You can leave the minimization running locally for a while (e.g. overnight) for better results.